Tuesday, November 24, 2009

Arp cache poisoning with arpspoof

Don't think for a second that because you are on a switched network you are safe from eavesdroppers. In one sense you are right, compared with the traditional hub, which broadcast all traffic to every node connected to it.

However, there is a "hack" that lets one eavesdrop on, or become the man in the middle of, network connections if they so desire.

The tool used here is called arpspoof and is distributed in the dsniff package of tools.

Diving deeper into the packet realm, what is happening is that we constantly send the victim computer ARP replies telling it that the MAC address belonging to the IP of the gateway machine (the router) is our MAC address. The victim computer will eventually believe us and make a wrong entry in its ARP cache table (you can confirm this with the command arp -a). The next time the victim wants to send an IP packet to the gateway, it sends the Ethernet frame to our MAC address, so we actually receive the IP packet. We do the same thing to the gateway machine, just the other way round.

Demo: see http://su2.info/doc/arpspoof.php

In order to tell the victim host that we (our MAC address) are now the one belonging to the IP of the gateway, enter the following command:
# arpspoof -t victim gateway

In a separate shell we start the matching command to fool the gateway into believing we are the victim.
# arpspoof -t gateway victim

Don't forget to enable IP forwarding on your host so that the traffic passes through it. Otherwise the victim will lose connectivity.
# echo 1 > /proc/sys/net/ipv4/ip_forward

Now fire up your favorite sniffer/packet analyzer, tcpdump or Wireshark, and go troubleshoot those network issues that you just couldn't seem to figure out without seeing those darn packets.
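The same behaviour is easy to spot from the other side of the wire. The script below is an added example, not part of the original post, that walks a constructed list of ARP replies and flags the two symptoms the attack leaves behind: the gateway IP suddenly answered by a different MAC, and one MAC claiming both the gateway IP and another host's IP (which is what the two arpspoof commands produce together). The addresses are made up; in practice you would feed it replies parsed from tcpdump or a periodic arp -a.

```python
from collections import defaultdict

# Constructed sample of ARP replies observed on the segment, as
# (timestamp, sender IP, sender MAC). Not a real capture; all values made up.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1",  "00:11:22:33:44:01"),  # gateway answers normally
    (0.5, "192.168.1.20", "00:11:22:33:44:20"),  # victim host answers normally
    (1.0, "192.168.1.50", "AA:BB:CC:DD:EE:50"),  # spoofing host's own address
    (1.2, "192.168.1.1",  "aa:bb:cc:dd:ee:50"),  # spoofing host claims the gateway IP
    (1.4, "192.168.1.20", "aa:bb:cc:dd:ee:50"),  # spoofing host claims the victim IP
    (1.9, "192.168.1.1",  "aa:bb:cc:dd:ee:50"),  # same unsolicited reply repeated
]


def detect_arp_poisoning(replies, gateway_ip):
    """Walk a stream of ARP replies and return a list of alert strings.

    Two heuristics, both derived from the poisoning described above:
      1. an IP previously mapped to one MAC is now claimed by a different MAC;
      2. one MAC claims the gateway IP and at least one other host IP, which
         is exactly what running arpspoof in both directions produces.
    Caveat: a legitimately re-addressed host, or a router with several IPs on
    the segment, also trips these rules, so treat the output as a lead.
    """
    ip_to_mac = {}                  # last MAC seen claiming each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed so far
    flagged_macs = set()            # heuristic 2 fires once per MAC
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()           # normalise case before comparing
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"t={ts}: {ip} moved from {previous} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        claimed = mac_to_ips[mac]
        if gateway_ip in claimed and len(claimed) > 1 and mac not in flagged_macs:
            flagged_macs.add(mac)
            others = sorted(claimed - {gateway_ip})
            alerts.append(f"t={ts}: {mac} claims gateway {gateway_ip} and {others}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_ARP_REPLIES, "192.168.1.1"):
        print(line)
```

Running it prints three alerts for the sample: the gateway IP moving to the new MAC, that MAC claiming the gateway plus its own IP, and the victim IP moving as well; the repeated reply at the end changes nothing and stays quiet.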

References / good reading:
http://su2.info/doc/arpspoof.php
