Oleg Petukhov, lawyer in the field of international law and personal data protection, information security specialist; protection of information and personal data.
Telegram channel: https://t.me/protectioninformation
Telegram group: https://t.me/informationprotection1
Website: https://legascom.ru
Email: online@legascom.ru
#informationprotection #informationsecurity
ARP spoofing (ARP cache poisoning) is an attack used to eavesdrop on traffic in a network built on switches.
ARP (Address Resolution Protocol) is a low-level protocol used in computer networks to find the link-layer (MAC) address that corresponds to a known network-layer (IP) address.
The essence of the attack is as follows. The attacker sends forged ARP packets to convince the victim's computer that the listening computer is the final destination. Packets from the victim's computer are then intercepted and forwarded to the real recipient, with the sender's MAC address substituted in them so that the reply packets also pass through the listening computer. The listening computer thus becomes a "gateway" for the victim's traffic, and the attacker gets the opportunity to read that traffic, carrying out a man-in-the-middle attack.
It is worth noting that if you try to listen to the traffic of several actively communicating computers at once, the resulting overflow of the ARP tables may overload the network and, as a result, crash it. Among other things, this makes detection of the attack more likely.
It is also worth noting that this attack can only be carried out with access to the local network. In other words, an attacker located outside the local network cannot perform ARP spoofing. To carry out the attack, they would first have to take control of one of the machines on the corporate LAN, and only then poison the ARP cache from that machine. Admittedly, this is not the easiest way to mount an attack.
Let's do a little practical work on the implementation of ARP spoofing.
So, what will be our initial data?
There are several computers connected to a switch. We need to intercept the traffic transmitted between these machines. With the tcpdump utility described earlier, we can only see packets coming from or to our own machine, which, admittedly, is not very informative. To listen to traffic going to other hosts, we need to "poison" the ARP cache, and for that we need special sniffers.
In our example, we will use the ettercap utility. This application has editions for both Windows and *nix platforms.
Interception can be carried out in as many as three ways. Since the standard MAC-based and IP-based options are of little interest to us, ARP-poisoning-based sniffing is exactly the function we need. No special effort is required to apply it: the whole setup boils down to specifying the machines to listen to as destination and source.
As an intermediary, you can not only intercept network packets but also, using ettercap's tools, drop or even modify them. Separately, it is worth noting the function for intercepting passwords over the encrypted SSH1, SSH2 and SSL/HTTPS protocols. To use it, run the program with special filters (for example, for ssh: ettercap -F etter.filter.ssh).
Now for the practice itself. To listen to the traffic exchanged between the machines 192.168.1.2 and 192.168.1.254, run the following command:
root@kali:~# ettercap -T -M arp -L log /192.168.1.2/ /192.168.1.254/
The options mean:
-T – use the text (console) interface;
-M arp – use the ARP-spoofing module to perform the attack;
-L log – write the interception log to files named log.*.
The arguments specify the IP addresses of the machines against which the ARP-spoofing attack is to be performed.
The output of the utility is displayed on the screen and written to a text file. To stop logging, press q.
It is highly undesirable to stop the utility in other ways (for example, with Ctrl-Z), because the ARP tables of the two machines would then remain poisoned. And since the ettercap intermediary would no longer be running, the connection between the hosts would be lost, which looks very suspicious.
You can use the etterlog utility to view the intercepted traffic. The log file is named log.eci by default.
For example, this is what intercepted credentials for a mailbox accessed over POP3 might look like:
etterlog log.eci
etterlog NG-0.7.3 copyright 2001-2004 ALoR & NaGA
Log file version : NG-0.7.3
Timestamp : Thu Jan 21 12:23:11 2012
Type : LOG_INFO
1698 tcp OS fingerprint
7587 mac vendor fingerprint
2183 known services
==================================================
IP address : 192.168.15.2
MAC address : 00:04:75:75:46:B1
...
MANUFACTURER : Sohoware
DISTANCE : 0
TYPE : LAN host
FINGERPRINT :
OPERATING SYSTEM : UNKNOWN
PORT : TCP 110 | pop-3 []
ACCOUNT : user
/ password
(192.168.15.2)
==================================================
Let's also look at how this utility works with a graphical interface. To do this, run the command
ettercap -G
Then we choose the type of traffic interception: Unified or Bridged. The first performs simple traffic interception, while the second is designed to interfere with the traffic transmission process. We choose Unified. Next, specify the network interface to use; both wired and wireless interfaces can be selected.
Then we need to decide whose traffic we want to intercept. To do this, scan the network for active nodes: select Hosts, then Scan for hosts. We get a list of active nodes with their IP and MAC addresses. Select the desired node and click Add To Target 1. There is also an Add To Target 2 button in this window. If we want to intercept only the traffic between two specific nodes from the list, we specify the second node and click Add To Target 2. If we want to intercept all traffic of the first node, we do not need to select a second node.
Then we start sniffing by pressing Start, Start Sniffing. Next, we perform ARP poisoning by selecting MITM / ARP Poisoning; the Sniff Remote Connections option must be enabled.
Then you can examine the intercepted traffic in Wireshark, as we did earlier.
After collecting packets in ettercap, you must stop ARP poisoning by pressing Start/Stop Sniffing.
An attacker who has gained a foothold on the network can carry out a man-in-the-middle (MitM) attack, that is, try to become an intermediary between legitimate nodes. Using MitM, many different attacks can be implemented, related not only to eavesdropping but also to modifying traffic in transit. In the context of this topic, however, we will implement password interception, and at the same time get acquainted with a couple more useful utilities from Kali Linux.
So, let's assume that we know which nodes are currently active on the network. Since the attacker's machine acts as an intermediary, we first need to allow the forwarding of IP packets (ip forwarding). This can be done as follows:
echo 1 > /proc/sys/net/ipv4/ip_forward
Now we need to perform ARP spoofing (that is, substitute the MAC addresses associated with certain IP addresses). The attacker's machine will mediate between the default gateway and the local network. If the gateway address is 192.168.1.1 and our address is 192.168.1.100, the substitution is performed as follows:
arpspoof -t 192.168.1.1 192.168.1.100
The arpspoof utility is designed to substitute MAC addresses: the -t option names the host whose ARP cache is poisoned, and the last argument is the address that our MAC will be associated with in that cache.
For ARP spoofing to work correctly, the substitution must also be made in the opposite direction:
arpspoof -t 192.168.1.100 192.168.1.1
Next, we need to start intercepting traffic. Unlike the previous examples, however, here we will intercept, or rather display, not all traffic but only passwords from various applications. To do this, we will use the dsniff utility.
root@kali:~# dsniff
---------------
05/21/00 10:49:10 bob -> unix-server (ftp)
USER bob
PASS dontlook
---------------
05/21/00 10:53:22 karen -> lax-cisco (telnet)
karen
supersecret
---------------
05/21/00 11:01:11 karen -> lax-cisco (snmp)
[version 1]
private
As a result of our work, we intercepted several passwords.
Dsniff allows you to intercept passwords sent using HTTP (POST data, HTTP Basic and Digest authentication), FTP, IRC, POP, IMAP, SMTP, NTLMv1/v2 (HTTP, SMB, LDAP, etc.).
To counter ARP spoofing, you can use the arpwatch utility. It allows you to detect an attack, but it must be run on both machines under attack; otherwise the attacker may carry out a one-sided attack. Moreover, arpwatch only records the attack and does not prevent it: additional scripts and event handlers would have to be developed to stop it.
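An arpwatch-style detector, added here as an example (it is not part of the original article, nor code from ettercap or arpwatch): it parses raw ARP reply frames and flags both a changed IP-to-MAC binding and a single MAC answering for two addresses, which is what the two-direction substitution described above looks like on the wire. The frames are constructed sample data, and all MAC addresses in them are made up.

```python
import struct
ARP_REPLY = 2  # ARP opcode "reply" (RFC 826)

def parse_arp_frame(frame):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None otherwise."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":  # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    a = frame[22:42]  # sender MAC, sender IP, target MAC, target IP
    return {"opcode": opcode, "sender_mac": mac(a[0:6]), "sender_ip": ip(a[6:10]),
            "target_mac": mac(a[10:16]), "target_ip": ip(a[16:20])}

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct a unicast ARP reply frame (sample data for this example, not a capture)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return (m(target_mac) + m(sender_mac) + b"\x08\x06" + arp_hdr
            + m(sender_mac) + i(sender_ip) + m(target_mac) + i(target_ip))

def detect_poisoning(frames, trusted=None):
    """arpwatch-style check: learn IP->MAC bindings from ARP replies and alert on
    (1) an IP whose MAC changes and (2) one MAC answering for several IPs, which
    is what poisoning both directions (gateway and victim) looks like on the wire.
    'trusted' seeds known-good bindings, e.g. the gateway's real MAC."""
    ip_to_mac, mac_to_ips, alerts = dict(trusted or {}), {}, []
    for frame in frames:
        pkt = parse_arp_frame(frame)
        if pkt is None or pkt["opcode"] != ARP_REPLY:
            continue
        ip_addr, mac_addr = pkt["sender_ip"], pkt["sender_mac"]
        old = ip_to_mac.get(ip_addr)
        if old is not None and old != mac_addr:
            alerts.append(f"changed ethernet address {ip_addr}: {old} -> {mac_addr}")
        ip_to_mac[ip_addr] = mac_addr
        mac_to_ips.setdefault(mac_addr, set()).add(ip_addr)
        if len(mac_to_ips[mac_addr]) > 1:
            alerts.append(f"{mac_addr} answers for several IPs: {sorted(mac_to_ips[mac_addr])}")
    return alerts

# Constructed sample: the gateway 192.168.1.1 really is 00:11:22:33:44:55; a third host
# (00:de:ad:be:ef:01) then answers for both the gateway and the victim 192.168.1.100.
SAMPLE = [
    build_arp_reply("00:11:22:33:44:55", "192.168.1.1", "00:aa:bb:cc:dd:64", "192.168.1.100"),
    build_arp_reply("00:de:ad:be:ef:01", "192.168.1.1", "00:aa:bb:cc:dd:64", "192.168.1.100"),
    build_arp_reply("00:de:ad:be:ef:01", "192.168.1.100", "00:11:22:33:44:55", "192.168.1.1"),
]
```

Feeding real frames from a raw socket or a pcap reader into detect_poisoning gives the same two alert types arpwatch reports; the second one is the one a single-host arpwatch would miss if it only watched its own binding.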
One possible protection method is to use static ARP. The ARP table can be filled in manually, which makes it immune to ARP attacks. To do this, add the necessary MAC addresses to the table.
If ARP is disabled on the network interfaces, only those systems will be reachable (1) whose MAC addresses have been added to the ARP table of our node and (2) whose ARP tables contain our MAC address, for all nodes with which traffic is exchanged.
If ARP is not disabled on the network interfaces, a statically set MAC address takes precedence. If no MAC address is specified for an IP address, an ARP request is used.
Other methods of combating ARP spoofing are the use of encryption and the use of virtual local area networks (VLANs).
The attacker's computer can use ARP spoofing against the victim's computer only if they are on the same link-layer network. If they are separated by a router, the attack is not possible (an attack on the router is possible, but that is a completely different matter).
VLANs help to segment a network, that is, to turn one network into many fragments isolated at the link layer and interconnected by a router. An ARP-spoofing attack is only possible between computers in the same VLAN. In the most extreme case, when each VLAN contains only two computers, the host itself and the router, an ARP-spoofing attack becomes impossible in principle. Unfortunately, such a network organization is very demanding on router resources and is rarely used.
One of the main reasons for the unpopularity of this protection method is the need for VLAN-capable switches, as well as the time that has to be spent on additional network equipment configuration.