An old but often very effective attack on an internal network is ARP Spoofing, also known as ARP Poisoning. It is a type of Man-In-The-Middle (MITM) attack in which an attacker compromises a user by intercepting the traffic between the user's computer and the target of their requests, whether that is a website or another computer on the network. Most often the requests travel through a router, or gateway, which directs the packets to their destination.
In an ARP Poisoning attack, the attacker impersonates the MAC address of the internal router to the target while at the same time impersonating the IP of the victim to the router, which lets him intercept the requests and responses passing between the user and the gateway. The attacker can then modify the data frames, drop them, or steal the data they carry. These attacks are used to steal credentials, conduct phishing attacks, and exfiltrate important files and data.
ARP Spoofing takes advantage of the weak security of plain-text protocols such as HTTP, FTP, or Telnet. These attacks are not as effective today as they were in the past, because communications are increasingly encrypted and protocols have improved. Nevertheless, understanding them is still valuable: you not only learn how the ARP protocol works, but also gain a better understanding of how MITM attacks work in general.
Here I will teach you how to conduct a basic ARP poisoning attack.
The ARP protocol works by retrieving the MAC address of the computer a user wants to connect to on the local network. Each local network has an ARP table in which IPs are stored together with their associated MAC addresses. The user sends a request for the IP through the network switch or router and, through DNS, finds the computer with the IP the user wants to communicate with. If the ARP cache already holds the MAC of the target, it is retrieved and a response carrying the MAC is sent back to the user. Now that the MAC is known, the packet is finally sent to the target.
If the MAC is not in the ARP table, the user sends a request to every device on the local network, addressed to the broadcast MAC ff:ff:ff:ff:ff:ff, until the computer with the matching IP answers. The target responds with its IP and MAC, and the user then sends the data packet.
ARP is not very secure by nature. It works only with the 32-bit IPv4 addressing standard, and it does not check the authenticity of a response to an ARP request it has sent. An attacker can therefore very easily get in and compromise the communications between a user and the gateway. What he does is place himself between his target and the host: he mimics the MAC address of the gateway so that, to the target, he appears to be the router's IP, and at the same time mimics the IP of the target towards the gateway. Sitting in the middle of the communications between the target and the gateway, the hacker is now able to intercept everything that passes between the two.
Once an attacker has compromised these communications he can modify data frames, collect user credentials, send or drop packets as he wishes, and even conduct denial-of-service attacks.
Tools commonly used by attackers in this instance are Arpspoof, Ettercap, Cain & Abel, Arpoison, and Wireshark.
Here I will show you how you can use Ettercap and Wireshark to conduct an attack.
Ettercap is a tool that analyzes the network traffic passing through a computer and also has the functionality to perform MITM attacks. If you have Kali Linux, it should already come pre-installed on your system. If you do not have it, you can install it with ‘sudo apt-get install ettercap-common ettercap-graphical’ on Debian, Mint, or Ubuntu. There is also a text-only interface, which you can install with ‘sudo apt-get install ettercap-text-only’. On Fedora or similar distributions, you can use ‘sudo yum install ettercap-gtk’ to install it.
Wireshark is a tool for analyzing the data packets sent through a network. If you do not have it, you can install it with ‘sudo apt-get install wireshark’ or ‘sudo yum install wireshark’.
The first thing you want to do is fire up a Windows virtual machine, which will be the target of our attack. You can also try this on another VM or computer on your local network if you wish.
Let’s take note of the IP and MAC information on the target using ‘ipconfig’, ‘getmac’, and ‘arp -a’. Also, take note of the MAC address of the router at 192.168.0.1.
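The same ‘arp -a’ output is also what a defender checks when looking for this attack: after poisoning, the gateway IP in the victim's cache points at the attacker's MAC, so two IPs end up sharing one MAC and the gateway's MAC no longer matches what was noted earlier. The following checker is an added example written for this page, not part of the original post or of Ettercap or Wireshark; the ARP table it parses is a constructed sample, and the gateway address and baseline MAC it compares against are assumed values.

```python
"""Flag ARP-table entries that look like ARP poisoning.

Indicators checked:
  * two or more IPs resolving to the same MAC (an attacker answering for
    both the gateway and a host, as described above);
  * the gateway's cached MAC differing from a recorded known-good baseline.
"""
import re
from collections import defaultdict

# Constructed sample of `arp -a` output on a Windows host (not captured from a real network).
SAMPLE_ARP_A = """\
Interface: 192.168.0.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.0.20          aa-bb-cc-dd-ee-ff     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""

# One table row: IPv4 address, MAC (dash- or colon-separated), entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)", re.I)

def normalise_mac(mac):
    """Lower-case, colon-separated form so Windows and Linux output compare equal."""
    return mac.lower().replace("-", ":")

def parse_arp_table(text):
    """Return {ip: mac} for the table rows, skipping the broadcast entry."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac = m.group(1), normalise_mac(m.group(2))
            if mac != "ff:ff:ff:ff:ff:ff":  # broadcast entry is expected and harmless
                table[ip] = mac
    return table

def find_duplicate_macs(table):
    """Return {mac: [ips, ...]} for every MAC claimed by more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_mac_changed(table, gateway_ip, baseline_mac):
    """True if the gateway's cached MAC no longer matches the baseline noted earlier."""
    current = table.get(gateway_ip)
    return current is not None and current != normalise_mac(baseline_mac)

if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_A)
    print("duplicate MACs:", find_duplicate_macs(table))
    print("gateway MAC changed:", gateway_mac_changed(table, "192.168.0.1", "11:22:33:44:55:66"))
```

Running it periodically on a host, or over a copy of the output saved before the test, turns the manual "take note of the router's MAC" step into an automated check.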