ARP poisoning, also known as ARP spoofing, is a network attack that allows the attacker to intercept network communication between the target computer and the network. This concept is called a MAN-IN-THE-MIDDLE attack, and it makes it easy to steal sensitive data like usernames and passwords, bank data, etc.
The man-in-the-middle attack can occur because the attacker modified the ARP table, changing the ARP mapping to the MAC address of the attacker's malicious computer.
In this post I will be showing you how ARP poisoning is performed and how we can protect against it.
To understand more about ARP, please click here.
Address Resolution Protocol, or ARP for short, is used to resolve an IP address to a MAC address.
A table is maintained for monitoring and resolving the IP addresses. It is called an ARP table.
Without wasting much of your time, let's begin.
What is needed
This lesson will be done from a virtual machine for training purposes. In real life it is actually done on physical routers and real computers.
- A router
- Kali Linux (it is expected that the user should have basic knowledge of Kali)
- A Windows VM. This will be our target machine
Steps:
1. Start up your Kali Linux. I will be running mine from a virtual machine.
2. Start up a command terminal.
3. Set IP forwarding. This is a process used to determine which path a packet should be sent through. The process uses routing information to make decisions and is designed to send a packet over multiple networks.
4. We will use the following command
echo "1" > /proc/sys/net/ipv4/ip_forward
5. We need to identify the default gateway of the router of interest. This is actually the one we are connected to. Note that the default gateway will have to be shared with the target computer before this exploit can succeed.
6. Type the following command
ip route
As you can see in the screenshot, the command echoed out the default gateway as 192.168.255.2.
7. We need to know the network interface from which we are going to launch our attack.
8. Type the following command
ifconfig
This will list all interfaces on Kali Linux. The active interface is always on top. So the network interface is eth0 on IP: 192.168.255.129, as seen in the screenshot below.
9. Now the IP of my target machine is 192.168.255.128 (it's a Windows machine).
It's now time to start the attack. The format of the ARP poisoning attack is stated below
arpspoof -i [network interface type] -t [Target machine] -r [Default gateway]
Let's now fill in the data.
10. To perform ARP poisoning or spoofing, type the following command
arpspoof -i eth0 -t 192.168.255.128 -r 192.168.255.2
11. The screenshot seen above shows that the spoofing or poisoning has been successfully started.
The concept established here is that the ARP table has been tampered with, such that an ARP broadcast will be sent to the target machine informing it that the MAC address of the router has changed to a different MAC address, which is that of the machine running the ARP poisoning (which of course is the hacker's machine). This poisoning must be a repeated loop and has to continue like that for the attacker to have the traffic of the target machine redirected through his machine. Once it stops, the victim (target machine) would be re-routed to the original/normal router.
By this method a tool can be used to read the network traffic passing from the target machine. Now if the data being browsed is not encrypted using HTTPS, the victim is screwed.
12. Now that the poisoning is running, let us attempt to read the traffic passing through from the target (victim's) machine. We will be using WIRESHARK to perform this.
13. Open a terminal on Kali and type wireshark. This will launch the application. Ignore the error and click OK.
14. Wireshark will require you to select the interface you want to sniff traffic from. We will select the interface we used during our ARP poisoning, which is eth0. Double click on the eth0 interface option and the capturing begins.
15. You can see from Wireshark's capture that the ARP protocol has started the broadcast.
16. Now let's go to our target (victim's) machine, the Windows virtual machine, to use the browser and see if we can capture the data the victim is sending over the network.
I have deliberately chosen to browse from a test site owned by Acunetix, a security solutions company.
I will be using a fake login as follows:
Username: Olutayo
Password: Hacked123
Once entered, I click on the login button
Note that I am sending my login credentials over an unencrypted network.
17. Now let's check to see what we have captured in our Wireshark.
Right click on the packet captured, click on Follow, then click on TCP Stream.
18. You can see from the screenshot below that the credentials I entered while browsing on the target machine have been harvested.
This method of attack is extremely silent, thus the victim will never be aware of what is going on. However, you can guard against it by carefully following these tips.
Click here to read on how to protect yourself from ARP Poisoning
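On the defensive side, the poisoning described above is visible in the target's own ARP table: the gateway's entry changes and ends up sharing a MAC address with another host. The check below is an added example, not part of the original post; it parses constructed `arp -a` output from the Windows target (the IP addresses are the ones used above, the MAC addresses are made up) and reports both signs.

```python
import re
from collections import defaultdict

GATEWAY = "192.168.255.2"  # default gateway from the walkthrough

# Constructed `arp -a` output from the Windows target; MAC addresses are made up.
BASELINE = """\
Interface: 192.168.255.128 --- 0xb
  Internet Address      Physical Address      Type
  192.168.255.2         00-50-56-e1-22-33     dynamic
  192.168.255.129       00-0c-29-aa-bb-cc     dynamic
  192.168.255.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# Same table while poisoned: the gateway now resolves to the Kali machine's MAC.
POISONED = BASELINE.replace("00-50-56-e1-22-33", "00-0c-29-aa-bb-cc")

ROW = re.compile(
    r"^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+"
    r"((?:[0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2})[ \t]+(\w+)[ \t]*$", re.M)

def parse_arp_table(text):
    """Return {ip: mac} for unicast entries, MACs normalised to aa:bb:cc:dd:ee:ff."""
    table = {}
    for ip, mac, _kind in ROW.findall(text):
        mac = mac.lower().replace("-", ":")
        if int(mac[:2], 16) & 1:  # group bit set: broadcast or multicast entry
            continue
        table[ip] = mac
    return table

def find_poisoning(baseline, current, gateway=GATEWAY):
    """Compare a trusted snapshot with the current table and list warning signs."""
    alerts = []
    old, new = baseline.get(gateway), current.get(gateway)
    if old and new and old != new:
        alerts.append(f"gateway {gateway} moved from {old} to {new}")
    owners = defaultdict(list)
    for ip, mac in current.items():
        owners[mac].append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:  # one unicast MAC answering for several IPs
            alerts.append(f"{mac} is claimed by {', '.join(sorted(ips))}")
    return alerts

if __name__ == "__main__":
    for alert in find_poisoning(parse_arp_table(BASELINE), parse_arp_table(POISONED)):
        print("ALERT:", alert)
```

The baseline must be taken while the network is known to be clean; a legitimate gateway replacement also triggers the first alert and needs a manual check.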
I hope you enjoyed this post. Please leave a comment behind for any enquiries.