I'm sure you've already heard about ARP Poisoning or ARP Spoofing. But do you really know what it is? Let's start by seeing together what APR means
ARP - ADDRESS RESOLUTION PROTOCOL
The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link-layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address. Absolutely every network device that needs to communicate on the network broadcast ARP queries in the network to find out other machines MAC addresses.
When one machine needs to communicate with another, it looks up its ARP table. If the MAC address doesn't exist in the table, the ARP_request is broadcasted over the network. Every machine connected will compare this IP address to MAC address. If one of the machines present in the network identifies this address, then it will respond to the ARP_request with its IP and the associated MAC address. The requesting computer will store the address key and value in its ARP table and the communication can take place.
WHAT IS ARP POISONING ?
In IT networking, ARP Poisoning, also known as ARP Spoofing or ARP Poison Routing, is a technique by which an attacker sends spoofed Address Resolution Protocol (ARP) messages onto a local area network. ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic. Often the attack is used as an opening for other attacks, such as a denial of service, a man in the middle, or session hijacking attacks.
Basically the purpose of ARP Poisoning is to exploit the lack of authentication in the ARP protocol by sending spoofed ARP messages onto the network. Furthermore, ARP Poisoning attacks can be run very easily from a compromised machine connected to the network or directly from the attacker's machine if this one has been able to connect himself directly to the targeted network.
ARP packets can be forged to send data to the attacker’s machine.
- ARP spoofing constructs a large number of forged ARP request and reply packets to overload the switch.
- The switch is set in forwarding mode and after the ARP table is flooded with spoofed ARP responses, the attackers can sniff all network packets.
- Attackers flood a target computer ARP cache with forged entries, which is also known as poisoning.
- ARP poisoning uses Man-in-the-Middle access to poison the network.
WHAT IS MITM - MAN-IN-THE-MIDDLE ?
A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other. In this case, the victims think that they are communicating with each other, but in reality, the attacker is controlling the communication. A MITM attack can succeed only when the attacker impersonates each endpoint sufficiently well to satisfy their expectations.
ANATOMY OF AN ARP SPOOFING ATTACK
Before to move further and in order to perform this simulation of ARP Poisoning attack you will need the following tools:
- Kali Linux / Parrot / BlackArch or any other Linux OS
- Ettercap Tool
Let's move on to practice if you still have trouble to understand the principle, putting an ARP Poisoning attack into practice will help you better understand how it works and its possibilities.
IDENTIFY YOUR IP ADDRESS
First of all, you will need to find out what it the IP address of your machine onto the network. The easy way to find it out it's to open your terminal and use the below commands.
As you can see highlighted in the above screenshot, presently my machine is registered onto the network with the IP address 192.168.1.102.
If Ettercap is not yet installed on your system, you can install it right away using the below commands. Ettercap is available in several versions and formats. Recent source releases and binary packages are described in the download page page of the software.
sudo apt install ettercap
sudo pacman -S ettercap
In case if you get any error while installing the package, try the command below and repeat the previous commands.
sudo pacman -Rs ettercap
yum install ettercap
zypper install ettercap
sudo dnf install ettercap
Now that Ettercap is already installed in your machine, we will tweak a little bit of the configuration file of Ettercap to optimize the results provided by the tool.
sudo nano /etc/ettercap/etter.conf
The ec_uid and ec_gid lines must be set to 0 in order for the program service to work on behalf of the superuser:
[privs] ec_uid = 0 # nobody is the default ec_gid = 0 # nobody is the default
Next you need to find and uncomment these two lines:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport" redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
They are used to redirect SSL connections to regular HTTP, if possible. Then save the changes and the program is ready to work.
The program can work in several modes - with a graphical interface, without and as a service. We will consider work in the graphical interface. To run a program with a GTK interface, use the -G option:
sudo -E ettercap -G
We use the
-E option for
sudo to save all of our user's environment variables.
ARP poisoning Attack using Ettercap
This attack anatomy allows us to force the target computer to send packets to us instead to send it to the router.
Let us get to the point and execute the Ettercap ARP Poisoning Attack In Ettercap, click on Sniff > Unified Sniffing and in the new popup select your network interface referenced in the below screenshot by wlp2s0.
It's now the time to scan the network and list the devices currently connected. In order to do it, simply click hosts > scan for hosts. It will start scanning the whole network for the alive hosts. Once the scan is done, click again the hosts > hosts list to see the list of the hosts available in the network.
Important: This list also includes the default gateway address so we have to be careful when we select the targets.
We will select the targets from our list of hosts. In a MITM attack, the attacker intercepts the network and sniffs the packets. In our man-in-the-middle scenario, our target machine is 192.168.1.104 and our router is 192.168.1.1. In Ettercap, just click to target 1 and select add to target 1. Repeat the same with target 2 and select add to target 2.
Believe me or not, we can say you done the most difficult part already !!
Let start the funny part, click Mitm > ARP poisoning and click OK. Thereafter, check the option Sniff remote connections and click OK.
Click start > start sniffing. This will start ARP poisoning in the network which means we have enabled our network card in promiscuous mode and now the local traffic can be sniffed.
Note: We have allowed only HTTP sniffing with Ettercap, so don’t expect HTTPS packets to be sniffed with this process. From this simple example, if our victim logged into some websites we will get the output into our Ettercap console.
The program is now sending packets to the network, with a request for 192.168.1.104 to update the ARP cache and replace the MAC address of the router with yours. The attack is started and successfully executed. You can open the View -> Connections menu and see the active connections for the target device.
If a packet is sent through the network without encryption method, then we can view the transmitted information by clicking on the connection row. The informations sent are displayed on the left side, and the informations received are displayed on the right.
Any sensitive information, such as the data passed through a login form, a registration form, a contact form, etc ... as long they are not encrypted, can be parsed by the attacker examining the content of every rows and them values.