ARP Spoofing

An often very effective, but old attack on an internal network is ARP Spoofing, otherwise known as ARP Poisoning. It is a type of Man-In-The-Middle attack (MITM) in which a hacker compromises a user by intercepting traffic between his computer and the target of his requests, whether it be a website or another computer in a network. Most often the requests will travel through a router, or gateway, which will aid in directing the packets to the targets.

In an ARP Poisoning attack an attacker impersonates the MAC address of the internal router to the target, while at the same time impersonating the IP of the victim to the router, thereby intercepting requests and responses between the user and the gateway. The attacker can then modify the data frames, drop the frames, or steal the data embedded in them. These sorts of attacks can be used to steal credentials, conduct phishing attacks, and steal important files and data.

ARP Spoofing takes advantage of the weak security of plain-text protocols such as HTTP, FTP, or telnet. However, these sorts of attacks are not as effective today as they were in the past due to the increasing use of encryption between communicating parties and improved protocols. Nevertheless, understanding these attacks is still valuable. You learn not only how the ARP protocol works but also gain a greater understanding of how MITM attacks work.

Here I will teach you how to conduct a basic ARP poisoning attack.

What is the ARP Protocol and how does it work?

The ARP protocol retrieves the MAC address of the computer that owns an IP address a user wants to connect to. Each local network has an ARP table where IPs are stored together with their associated MAC addresses. The user sends a request to the IP through the network switch or router and, through DNS, finds the computer with the IP the user wants to communicate with. The ARP cache may already contain the MAC of the target; if so, it returns the MAC to the requesting user. The packet can then be sent to the target now that its MAC is known.

If the MAC is not in the ARP table, the user broadcasts a request to ff:ff:ff:ff:ff:ff (the broadcast MAC, so every device on the local network receives it) until the computer with the matching IP responds. The target then replies with its IP and MAC, and the user sends the data packet.
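To make the request/reply cycle above concrete, here is an added example (not code from the original post) that builds and parses ARP-over-Ethernet frames with the standard library and models a host with a cold ARP cache resolving its gateway. All MAC and IP addresses are constructed for the example; the `Host` class is a deliberately simplified model of a network stack, not a real one.

```python
import struct

# ARP-over-Ethernet constants (field values from RFC 826)
ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"   # every host on the segment receives this
ZERO_MAC = "00:00:00:00:00:00"        # "unknown" target hardware address in a request

def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Return a 42-byte Ethernet frame carrying an IPv4 ARP request or reply."""
    # A request is broadcast and leaves the target MAC zeroed; a reply is unicast.
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    tha = ZERO_MAC if op == ARP_REQUEST else target_mac
    ethernet = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(tha) + ip_to_bytes(target_ip)
    return ethernet + arp

def parse_arp(frame):
    """Decode a frame produced by build_arp (or one captured off the wire)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != ETH_TYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{eth_type:04x})")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only IPv4-over-Ethernet ARP is handled here")
    return {
        "eth_dst": bytes_to_mac(frame[0:6]),
        "eth_src": bytes_to_mac(frame[6:12]),
        "op": op,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }

class Host:
    """A minimal host with an ARP cache; models the resolve/broadcast/reply/learn cycle."""
    def __init__(self, mac, ip):
        self.mac, self.ip = mac, ip
        self.cache = {}  # ip -> mac, the table that `arp -a` prints

    def resolve(self, ip):
        """Cache hit: return (mac, None). Miss: return (None, broadcast request to send)."""
        if ip in self.cache:
            return self.cache[ip], None
        return None, build_arp(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, ip)

    def receive(self, frame):
        """Handle an incoming ARP frame; returns a reply frame if one is owed."""
        p = parse_arp(frame)
        if p["op"] == ARP_REQUEST and p["target_ip"] == self.ip:
            return build_arp(ARP_REPLY, self.mac, self.ip, p["sender_mac"], p["sender_ip"])
        if p["op"] == ARP_REPLY and p["target_ip"] == self.ip:
            # This toy cache only learns from replies addressed to it. Real stacks are
            # more permissive about unsolicited replies, which is what poisoning relies on.
            self.cache[p["sender_ip"]] = p["sender_mac"]
        return None

def walkthrough():
    """Constructed example: a host resolves its gateway's MAC from a cold cache."""
    host = Host("aa:bb:cc:00:00:01", "192.168.0.10")     # constructed addresses
    gateway = Host("aa:bb:cc:00:00:fe", "192.168.0.1")
    mac, request = host.resolve(gateway.ip)               # miss -> broadcast request
    req = parse_arp(request)
    reply = gateway.receive(request)                      # only the owner of the IP answers
    host.receive(reply)                                   # host learns the mapping
    mac_after, _ = host.resolve(gateway.ip)               # now a cache hit
    return {
        "first_lookup": mac,
        "request_was_broadcast": req["eth_dst"] == BROADCAST_MAC,
        "request_target_mac": req["target_mac"],
        "learned_gateway_mac": mac_after,
        "cache": dict(host.cache),
    }

if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Running the block prints the cold-cache miss, the broadcast destination of the request, and the gateway MAC that ends up in the cache. The `receive` method is where the security property lives: a cache that accepts any reply, not just ones it asked for, will happily store whatever MAC the last sender claimed.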

How can a hacker attack this protocol?

The ARP protocol is not very secure by nature. Therefore an attacker can very easily find a way to get inside and compromise the communications between a user and the gateway. What he can do is place himself between the communication of his target and the host. He does this by mimicking the MAC address of the gateway so that the communication from the target flows through his machine. The attacker also mimics the IP of the target to the gateway so that data frames coming to the target are intercepted as well.

Once an attacker is able to compromise these communications he can do such things as modify data frames, collect user credentials, send or drop packets as he wishes, and even conduct denial of service attacks.

Tools commonly used by attackers in this instance are Arpspoof, Ettercap, Cain & Abel, Arpoison, and Wireshark.

Here I will show you how you can use Ettercap and Wireshark to conduct an attack.

Ettercap is a tool that analyzes network traffic through a computer, but also has the functionality to perform MITM attacks. If you have Kali Linux it should already come pre-installed on your system. However, if you do not have it you can install it using ‘sudo apt-get install ettercap-common ettercap-graphical’ on Debian, Mint, or Ubuntu. It also has a text-only interface that you can install with ‘sudo apt-get install ettercap-text-only’. On Fedora or similar distributions, you can use ‘sudo yum install ettercap-gtk’ to install.

Wireshark is a tool for analyzing data packets sent through a network. If you do not have it you can install it with ‘sudo apt-get install wireshark’ or ‘sudo yum install wireshark’.

The first thing you want to do is fire up a Windows virtual machine, which will be the target of our attack. You can also try this on another computer in your local network.

Let’s take note of the IP and MAC information on the target using ‘ipconfig’, ‘getmac’, and ‘arp -a’. Also, take note of the MAC address of the router at 192.168.0.1.

Now let’s note the information from our attacking machine, paying particular attention to the MAC (see 'ether').

Now open up Ettercap.

In the Ettercap GUI, select the network interface you will use, make sure the ‘Sniffing at startup’ option is on, and then click the check button.

Then we click the 3 dots button and scan for hosts.

Once our hosts are discovered we must select our targets to impersonate. Click on the same button as in the last step and select Hosts List this time.

Select the IP of your target and set it to Target 1. Then find the IP of your router or gateway and set it to Target 2.

Now we start the attack by clicking ‘ARP Poisoning…’.

If you have Wireshark installed on your target, you can confirm that the router MAC has changed for the target by capturing the traffic on the network interface you are using. The sender MAC is now the MAC address of our attacking machine.

You can also go into PowerShell or a terminal and enter ‘arp -a’ again, and you will notice the change in the MAC of the router. The MAC of the router has been successfully impersonated with the MAC of our attacking machine.

Now that we have confirmed the attack is working so far, let’s open Wireshark on our own computer and begin capturing and analyzing the traffic from our interface; in my case it is wlan0.

I have set up a makeshift admin dashboard page on pythonanywhere.com so you can see how dangerous this attack can be.

On the target machine I will now attempt to log in to my dashboard admin page with the credentials ‘csforza : password123’.

We successfully logged in now.

If the packets sent are not encrypted then we can find very useful information about our target. In this example, we are not logging in to an https:// address, just a basic http:// website. If we open up Wireshark on our attacking machine, we can see the target making an attempt to log in to our template admin page and, more importantly, discover the credentials he used to log in.

Clearly displayed on the screen are the credentials the target used to successfully log in. We now have very compromising information on our target!

We can also see the results in the Ettercap GUI.

We have now successfully conducted an ARP Spoofing attack.

Mitigations

  • Use VPNs in your network or on your personal computer.

  • Set static ARP entries for all computers in the network if possible.

  • Use tools, like XArp, to help detect spoofing attempts and filter data packets.
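Two of the mitigations above, static ARP entries and a detection tool such as XArp, both come down to comparing what the network claims with what you already know. The following Python is an added example (not code from the original post, and not how XArp is implemented) of that comparison: it watches a stream of ARP replies for a pinned entry being contradicted, a learned mapping changing, or one MAC answering for more than one IP, and it checks an ‘arp -a’ dump against the pinned gateway MAC, which is the manual check the walkthrough above performs. All addresses, the reply stream and the ‘arp -a’ text are constructed for the example.

```python
import re

GATEWAY_IP = "192.168.0.1"
GATEWAY_MAC = "aa:bb:cc:00:00:fe"          # known-good value recorded beforehand (constructed)
PINNED = {GATEWAY_IP: GATEWAY_MAC}         # what `arp -s` / `ip neigh ... nud permanent` would pin

# Constructed stream of ARP replies as a sniffer would report them: (time, sender IP, sender MAC).
# The first two are legitimate; afterwards a third MAC claims both the gateway and a host.
OBSERVED_REPLIES = [
    (0.0, "192.168.0.1",  "aa:bb:cc:00:00:fe"),
    (0.5, "192.168.0.10", "aa:bb:cc:00:00:01"),
    (5.0, "192.168.0.1",  "de:ad:be:ef:00:01"),   # gateway IP now claimed by another MAC
    (5.0, "192.168.0.10", "de:ad:be:ef:00:01"),   # the same MAC also claims the host
    (6.0, "192.168.0.1",  "de:ad:be:ef:00:01"),   # repeats keep the victim's cache stale
]

class ArpWatch:
    """Track IP<->MAC claims seen on the wire and raise deduplicated alerts."""
    def __init__(self, pinned):
        self.pinned = dict(pinned)     # static entries: never overwritten by traffic
        self.learned = {}              # first-seen dynamic mappings (ip -> mac)
        self.claims = {}               # mac -> set of IPs it has answered for
        self.alerts = []
        self._seen = set()             # (kind, key) already reported, so repeats don't flood

    def _alert(self, kind, t, key, **info):
        if (kind, key) in self._seen:
            return
        self._seen.add((kind, key))
        self.alerts.append({"t": t, "kind": kind, **info})

    def observe(self, t, ip, mac):
        ips = self.claims.setdefault(mac, set())
        ips.add(ip)
        if ip in self.pinned:
            if mac != self.pinned[ip]:
                self._alert("pinned-conflict", t, (ip, mac), ip=ip, mac=mac, expected=self.pinned[ip])
        elif ip not in self.learned:
            self.learned[ip] = mac
        elif self.learned[ip] != mac:
            # Keep the first-seen mapping rather than trusting the newest claim.
            self._alert("mapping-changed", t, (ip, mac), ip=ip, mac=mac, previous=self.learned[ip])
        if len(ips) > 1:
            # One MAC answering for two IPs is the shape of a MITM between those two hosts.
            self._alert("mac-claims-multiple-ips", t, mac, mac=mac, ips=sorted(ips))

def run_watch(replies=OBSERVED_REPLIES, pinned=PINNED):
    watch = ArpWatch(pinned)
    for t, ip, mac in replies:
        watch.observe(t, ip, mac)
    return watch

# One `arp -a` line, Windows (dash-separated) or Linux/macOS (colon-separated) MAC format.
ARP_A_LINE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)")

def check_arp_table(text, pinned=PINNED):
    """Return (ip, mac, type) for every table entry that contradicts a pinned mapping."""
    mismatches = []
    for m in ARP_A_LINE.finditer(text):
        ip, mac, kind = m.group(1), m.group(2).lower().replace("-", ":"), m.group(3)
        if ip in pinned and mac != pinned[ip]:
            mismatches.append((ip, mac, kind))
    return mismatches

# Constructed Windows-style `arp -a` output from a poisoned target
SAMPLE_ARP_A = """
Interface: 192.168.0.10 --- 0x5
  Internet Address      Physical Address      Type
  192.168.0.1           de-ad-be-ef-00-01     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""

if __name__ == "__main__":
    for alert in run_watch().alerts:
        print(alert)
    print("arp -a mismatches:", check_arp_table(SAMPLE_ARP_A))
```

On the constructed input the watcher raises three alerts (one each of the three kinds) instead of four, because the repeated spoofed reply at t=6.0 is collapsed into the alert already raised at t=5.0; in a real deployment you would feed `observe` from a capture library and have `check_arp_table` read the output of the real ‘arp -a’ command.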
