The ARP (Address Resolution Protocol) is used to find the MAC address of any IP address that you are trying to reach on your local network, it’s a simple protocol and vulnerable to an attack called ARP poisoning (or ARP spoofing).
ARP poisoning is an attack where we send fake ARP reply packets on the network. There are two possible attacks:
- MITM (Man in the middle): the attacker will send an ARP reply with its own MAC address and the IP address of a legitimate host, server or router. When the victim receives the ARP reply it will update its ARP table. When it tries to reach the legitimate device, the IP packets will end up at the attacker.
- DOS (Denial of Service): the attacker will send many ARP replies with the MAC address of a legitimate server. All devices in the network will update their ARP tables and all IP packets in the network will be sent to the server, overloading it with traffic.
In this lesson we’ll take a look at a MITM attack performed through ARP poisoning, to demonstrate this we’ll use the following topology:
Above we have a switch that connects two computers and a router, which is used for Internet access. The computer on the left side is a Windows computer with a user browsing the Internet, the computer on the top is our attacker.
Traffic Pattern without ARP Poisoning
Let’s take a look at the MAC addresses and ARP tables of the host on the left side (192.168.1.1) and the router:
C:\Users\host1>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : vmware
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
Physical Address. . . . . . . . . : 00-50-56-8E-5E-33
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::e8b4:ac21:751f:fa34%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, October 6, 2015 1:46:34 AM
Lease Expires . . . . . . . . . . : Wednesday, October 7, 2015 2:02:04 AM
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DHCPv6 IAID . . . . . . . . . . . : 251678806
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-13-64-E8-00-50-56-8E-5E-33
DNS Servers . . . . . . . . . . . : 8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled
Above you can see the MAC address and IP address of the host on the left side, this is a Windows 8 computer. The default gateway is 192.168.1.254 (R1). Here’s the ARP table:
C:\Users\host1>arp -a
Interface: 192.168.1.1 --- 0xc
Internet Address Physical Address Type
192.168.1.254 00-22-90-35-64-8a dynamic
The output above is the IP address and MAC address of the router. We can verify the MAC address of the router like this:
R1#show interfaces FastEthernet 0/0 | include bia
Hardware is Gt96k FE, address is 0022.9035.648a (bia 0022.9035.648a)
And here’s the ARP table of the router with an entry for the host on the left side:
R1#show ip arp | include 192.168.1.1
Internet 192.168.1.1 8 0050.568e.5e33 ARPA FastEthernet0/0
This is how it should be, our traffic pattern looks like this:
Now let’s see what happens when we perform an ARP poisoning attack…
Traffic Pattern with ARP Poisoning
There are a number of tools you can use for ARP poisoning, I decided to use Kali which is a great Linux distribution with plenty of security tools. Kali comes with an application called Ettercap which offers a couple of MITM (Man in the Middle) attacks.
Do yourself a favor and never try ARP poisoning on any production network, you should always use a lab environment to test any security tools. There are methods to detect ARP poisoning which we will cover in the DAI (Dynamic ARP Inspection) lesson.
I will launch Ettercap on the host with IP address 192.168.1.2. Before we launch Ettercap, there’s a couple of configuration changes we have to make. First open the etter.conf file:
# vim /etc/ettercap/etter.conf
Now change the “ec_uid” and “ec_gid” values to 0:
[privs]
ec_uid = 0
ec_gid = 0
These values allow Ettercap to get root access which is required to open network sockets. Also make sure that you have the following two rules in your etter.conf file:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
The lines above are required so that Kali will forward IP packets. After saving your changes you can start Ettercap:
# ettercap -G
You will be greeted with the following screen:
Open the “Sniff” menu and select “Unified sniffing”:
Select your interface and click “OK”:
Now open the “Hosts” menu and select “Hosts list”:
It should show you the following screen:
Above you can see our host (192.168.1.1) and our router (192.168.1.254), we can ignore the IPv6 address. Now open the “Mitm” menu and select ARP poisoning:
Select the “Sniff remote connections” option. This means that Ettercap will send ARP replies to the host and the router:
Once you have clicked OK, Ettercap will start sending ARP replies. This is what it looks like in Wireshark:
Above you can see the ARP reply that it sent towards the host, the sender MAC address is of the attacker and the sender IP address is from the router. Here’s the ARP reply that it sends to the router:
Above we see the sender MAC address which is the attacker and the sender IP address is the host.
Once our host and router receives these ARP replies, they will update their ARP tables:
C:\Users\host1>arp -a
Interface: 192.168.1.1 --- 0xc
Internet Address Physical Address Type
192.168.1.254 00-50-56-8e-ee-89 dynamicR1#show ip arp | include 192.168.1.1
Internet 192.168.1.1 0 0050.568e.ee89 ARPA FastEthernet0/0
Above you see the MAC address of the attacker in both entries in the ARP tables. We can verify the MAC address of the attacker with the ifconfig command:
# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:50:56:8e:ee:89
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::250:56ff:fe8e:ee89/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:342507 errors:0 dropped:0 overruns:0 frame:0
TX packets:340164 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:309578070 (295.2 MiB) TX bytes:303335663 (289.2 MiB)
Our traffic pattern now looks like this:
Our MITM attack is successful, all traffic now flows through the attacker’s computer. It’s up to your imagination what kind of bad stuff you want to do now…let me give you an example, Kali has an application called “driftnet” that shows you all images that are requested. Let’s start it on the attacker’s computer:
# driftnet -i eth0
On the victim’s computer I visited Cisco.com and opened a few pages, here’s what driftnet shows us:
Above you see a nice overview with some of the images on the Cisco website. This is a fun example but there are also applications that let you capture authentication information for protocols like FTP, POP3, etc.
Conclusion
ARP poisoning is something you definitely don’t want to see on your network. How do we stop or prevent this? You can use static ARP entries on certain devices or you can use DAI (Dynamic ARP Inspection) which is a feature on Cisco Catalyst switches that detects and mitigates ARP poisoning. This is something I will show you in the next lesson.
Want to take a look at the wireshark captures from Ettercap?
ARP Poisoning PCAP file
ARP Poisoning PCAP file
I hope you enjoyed this lesson, if you have any questions feel free to leave a comment.
No comments:
Post a Comment