ARP Poisoning

Programs:
Nemesis, Ettercap, Cain & Abel

What happens if we want to capture the traffic of a machine to which we are not directly connected (see figure 1)?


Figure 1: Testing scenario

What is the ARP protocol?

The ARP protocol [1] [2] (Address Resolution Protocol) is responsible for converting IP addresses to MAC addresses so that the packet is passed correctly to the next hop on the same subnetwork.

Alice wants to send a packet to Bob, but as she does not know what Bob’s MAC address is, first she sends an ARP request (see figure 2).

Figure 2: ARP request

Only Bob responds to Alice’s request, sending Alice his MAC address (see figure 3).

Figure 3: Bob’s response to Alice’s ARP request

Alice is going to save the MAC address in an ARP table, overwriting older entries if they exist. Alice only needs to send the packet putting Bob’s MAC information in the headers.

ARP poisoning.

Catherine wants to capture the traffic generated between Alice and Bob, so she tries “poisoning” their ARP tables. To this end she sends a forged ARP packet to Alice telling her that Bob’s IP belongs to Catherine’s MAC address, while at the same time she sends another to Bob indicating that Alice’s IP also belongs to Catherine’s MAC address (see figure 4).

Figure 4. ARP poisoning.

Now the traffic generated between Alice and Bob goes through Catherine, as you can see in figure 5. Catherine must keep sending the forged ARP packets periodically so that the poisoned entries are not replaced by genuine ones.

Figure 5. Route of traffic between Alice and Bob.

This attack can also be used to carry out a denial of service (DoS): Catherine simply injects ARP packets that map the victim’s peer to a non-existent MAC address, so the victim’s traffic is sent to an address that never responds.

Attacking

We can attack from Windows or Linux. We carry out this attack in the scenario detailed in figure 1, where Catherine wants to get the traffic between the Internet and Alice.

To get the data between Alice and the Internet, Catherine modifies the ARP tables of both Alice and the router so that the traffic goes through Catherine. How does she do this? Simply by telling Alice that the router’s MAC address is Catherine’s MAC address, and telling the router that Alice’s MAC address is Catherine’s MAC address.

Using Linux

In this article two applications are explained, Nemesis [3] and Ettercap [4] (there are more applications, but here we only cover these two).

First, if Catherine wants to capture the traffic without breaking the connection, she has to enable IP forwarding so that the intercepted packets are still passed on to their real destination. This command is used:

$ echo 1 > /proc/sys/net/ipv4/ip_forward

Catherine’s firewall must also be configured so that it does not drop the forwarded traffic.

Nemesis

To change Alice’s and the router’s ARP tables using the Nemesis application, Catherine executes the following command as an administrator.

$ nemesis arp -v -d eth0 -H 00:11:22:33:44:55 -S 192.168.1.1 -D 192.168.1.2 ; nemesis arp -v -d eth0 -H 00:11:22:33:44:55 -S 192.168.1.2 -D 192.168.1.1

When Catherine captures the traffic on her own interface, she can see the data between Alice and the Internet.

If Catherine wants to keep Alice’s and the router’s ARP tables poisoned, she can run a short bash script for that:

#!/bin/bash
while [ 1 ]
do
nemesis arp -v -d eth0 -H 00:11:22:33:44:55 -S 192.168.1.1 -D 192.168.1.2 ; nemesis arp -v -d eth0 -H 00:11:22:33:44:55 -S 192.168.1.2 -D 192.168.1.1
done

Ettercap

Ettercap is a powerful tool which allows us to carry out a lot of different attacks. In this article we will only comment on how to carry out an ARP poisoning attack.

Catherine runs the following command as an administrator to make this attack:

$ ettercap -i eth0 -T -M arp /192.168.1.1-2/

She can also use Ettercap using its interface running this command:

$ ettercap -G

A window appears like the one shown in figure 6.

Figure 6. Welcome Ettercap screen

Then Catherine prepares the application by selecting “Sniff” –> “Unified sniffing” and choosing the network interface on which she is going to carry out the attack. Next she customises the Ettercap layout to use the application more comfortably:

Hosts –> Host lists

View –> Connections

View –> Profiles

View –> Statistics

After that, she starts to capture by selecting “Start” –> “Start Sniffing”.

If Catherine wants to know what computers are on the network, she will select “Hosts” –> “Scan for Hosts” or she can execute this command:

$ nmap -sP 192.168.1.0/24

Now if Catherine goes to the “Profiles” tab she will see the computers on the network and pressing the button “Convert to Host List” she can export this list to the “Host list” tab.

Finally Catherine selects “Mitm” –> “ARP Poisoning” and starts the attack, and she can now see all connections that come through her machine on the “Connections” tab.

Using Windows

To carry out this attack from Windows, Cain & Abel [5] is a good option, but it is possible to use Nemesis and Ettercap as well.

Cain & Abel

Once Catherine has downloaded and installed Cain & Abel, she starts capturing traffic on her interface, right-clicks in the “Sniffer” tab, selects the “Scan MAC Addresses” option and looks for computers on the subnetwork. When Catherine knows the candidate computers, she goes to the “ARP” tab at the bottom and presses the button to start the attack. She only has to add the hosts (the router and Alice) by pressing the add button (+) and selecting the IPs 192.168.1.1 and 192.168.1.2.

Solution

A solution is using an IDS (like Snort [8]) to detect this kind of attack, but if you have a small network you can use applications for your OS to detect these attacks:

Windows:
DecaffeinatID [6]
Linux:
Arpwatch [7]

You can manually add static ARP entries (fixed IP-to-MAC mappings) on your computer, but doing this for a lot of computers is impractical.
We can also enable (where available) the “Port Security” option, also known as “Port Binding” or “MAC Binding”, on our routers or switches, so that only one MAC address is allowed on each port.
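As an added example (not code from the original post, nor from Arpwatch, DecaffeinatID or any of the tools mentioned), the following Python script shows what the detection described in this section amounts to. It decodes ARP packets using the RFC 826 layout from the ARP section above, then does what an Arpwatch-style monitor does: it remembers which MAC last claimed each IP and raises an alert when that mapping changes, or when a single MAC claims several IPs, which is exactly what the poisoning of Alice and the router looks like on the wire. All packets are constructed in memory; the 192.168.1.x addresses and the MAC 00:11:22:33:44:55 are the post’s own examples, while the aa:aa:aa:… MACs for the router and Alice are assumed.

```python
import struct
from collections import defaultdict

# ARP payload layout for Ethernet/IPv4 (RFC 826): hardware type, protocol type,
# hardware address length, protocol address length, opcode, then the
# sender/target hardware and protocol addresses (28 bytes in total).
ARP_STRUCT = struct.Struct("!HHBBH6s4s6s4s")
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST = 1
OP_REPLY = 2


def _mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def _ip_to_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Encode an ARP payload (the part that follows the Ethernet header)."""
    return ARP_STRUCT.pack(HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                           _mac_to_bytes(sender_mac), _ip_to_bytes(sender_ip),
                           _mac_to_bytes(target_mac), _ip_to_bytes(target_ip))


def parse_arp(payload: bytes) -> dict:
    """Decode an ARP payload; reject anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < ARP_STRUCT.size:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_STRUCT.unpack_from(payload)
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unknown ARP opcode {op}")
    return {"op": op,
            "sender_mac": _mac_to_str(sha), "sender_ip": _ip_to_str(spa),
            "target_mac": _mac_to_str(tha), "target_ip": _ip_to_str(tpa)}


class ArpMonitor:
    """Arpwatch-style learner. Every ARP packet (request or reply) carries the
    sender's IP/MAC pair; we record it and flag (a) an IP whose MAC changed and
    (b) one MAC that claims two or more IPs."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.alerts = []

    def observe(self, payload: bytes) -> None:
        pkt = parse_arp(payload)
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        if ip == "0.0.0.0":  # ARP probe (RFC 5227): no binding to learn
            return
        known = self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            self.alerts.append(f"changed: {ip} moved from {known} to {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) == 2:  # fires once, when a MAC first claims a 2nd IP
            self.alerts.append(f"multi-ip: {mac} now claims {sorted(self.mac_to_ips[mac])}")


def run_demo() -> list:
    """Constructed traffic: a genuine request/reply between Alice and the router,
    followed by the two forged replies of the scenario in the post."""
    router_ip, alice_ip = "192.168.1.1", "192.168.1.2"
    router_mac, alice_mac = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"  # assumed values
    attacker_mac = "00:11:22:33:44:55"  # the MAC used in the post's commands
    traffic = [
        build_arp(OP_REQUEST, alice_mac, alice_ip, "00:00:00:00:00:00", router_ip),
        build_arp(OP_REPLY, router_mac, router_ip, alice_mac, alice_ip),
        # forged: "the router's IP is at the attacker's MAC", addressed to Alice
        build_arp(OP_REPLY, attacker_mac, router_ip, alice_mac, alice_ip),
        # forged: "Alice's IP is at the attacker's MAC", addressed to the router
        build_arp(OP_REPLY, attacker_mac, alice_ip, router_mac, router_ip),
    ]
    monitor = ArpMonitor()
    for payload in traffic:
        monitor.observe(payload)
    return monitor.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On a real network the payloads would come from the ARP frames captured on the interface rather than from a list, and hosts that legitimately answer for several IPs (a router with secondary addresses, a virtualisation host) should be whitelisted, otherwise the multi-IP rule produces false positives. The first rule, an IP changing its MAC, is the one that also catches the DoS variant above, since the bogus MAC replaces a previously learned genuine one.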

Bibliography

[1] Address Resolution Protocol (Wikipedia) (October 2009). Available at: http://en.wikipedia.org/wiki/Address_Resolution_Protocol

[2] RFC 0826 (October 2009). Available at: http://www.ietf.org/rfc/rfc0826.txt

[3] Nemesis (October 2009). Available at: http://nemesis.sourceforge.net/

[4] Ettercap (October 2009). Available at: http://ettercap.sourceforge.net/

[5] Cain & Abel (October 2009). Available at: http://www.oxid.it/cain.html

[6] DecaffeinatID (October 2009). Available at: http://www.irongeek.com/i.php?page=security/decaffeinatid-simple-ids-arpwatch-for-windows

[7] Arpwatch (October 2009). Available at: http://ee.lbl.gov/

[8] Snort (October 2009). Available at: http://www.snort.org/
