
CSCD434 - Spring 2011 ARP Poisoning Lab

Tools needed:

Wireshark
Ettercap NG
Ghex (Gnome Hex Editor)
File2cable

Installation
In a terminal type: sudo apt-get install ghex irpas

ghex installs the Gnome Hex Editor; irpas installs several network utilities, of which we'll be using file2cable.

Manual ARP poisoning

Step 1
Check the victim machine's ARP cache to verify that the MAC address listed for the gateway is actually the gateway's MAC address. (If nothing is there, ping the gateway to force an ARP broadcast.) Commands:

arp -a    this will show you the ARP cache

ping <gateway IP>    this will update the ARP cache as well as test your IP stack and reachability of the gateway

Step 2
Before we can begin crafting our packets we first need the MAC addresses and IP addresses (in hex) of each machine. Pinging each machine and analyzing the traffic in Wireshark will give you all of this information.

Step 3
After we have gathered all the required information, it's now time to capture an ARP reply packet and save it to a file. This packet will be edited with our spoofed information and then put on the wire as a unicast packet to our victim and to the gateway. Pinging a machine should cause an ARP request/reply sequence to happen. Once you see an ARP reply in Wireshark you can stop the capture.

Exporting the reply packet can be done by right-clicking the Frame header and exporting the packet. The final packet size should be 60 bytes.

Step 4
Now we need to change some of the data in our packet. Our goal is to tell the victim machine that the layer 2 path to the gateway is our machine. We are simultaneously telling the gateway that the layer 2 path to our victim machine is our machine. Then we enable IP forwarding, which sends the packets on to their correct destination once they have been captured by our attacker machine. Once we have finished crafting both packets we will use a program that puts them onto the wire and sends each one as a unicast to its respective victim. Command:

file2cable -i <interface> -f <file>    this puts the packet onto the network

Step 5
Now that the packets have been put on the wire with file2cable, we should be able to look at our victim machine's ARP cache and see where it thinks its gateway is located. As you can see in the screenshot below, our victim's gateway entry now holds our attacker machine's MAC address.

ARP poisoning using Ettercap NG

Step 1
Start Ettercap-NG, the GUI version of the ettercap tool. (Click Applications > Internet > ettercap.)

Step 2
Click on Sniff > Unified sniffing.

The Ettercap Input window opens. Select the interface to sniff from (usually eth0) and click OK.

Step 3
From the Top Menu, click on Host > Scan for Hosts.

Step 4
To view the available hosts, from the Top Menu click Host > Host List.

Step 5
From the Host List tab, select the IP address of the default gateway. Click on the Add to Target 1 button.

Step 6
Next, select the victim machine's IP address (the IP of your partner's machine). Click on the Add to Target 2 button.

Step 7
From the Top Menu, click on Mitm > Arp poisoning. The Optional parameters window will open; select Sniff remote connections.

Step 8
From the Top Menu, click on Start > Start sniffing.

Step 9
The victim's traffic is now flowing through the attacker's machine. Verify that traffic is flowing through the attacker machine with Wireshark (use the arp display filter). Question: How would you defend against it? The answer should be a couple of paragraphs.
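As an added example (not part of the lab handout), the following Python detector addresses the defense question from the monitoring side: it parses raw Ethernet/ARP frames in the same 60-byte ARP reply layout the lab exports from Wireshark and flags any reply in which a sender IP shows up with a MAC different from the previously learned or configured binding. The gateway/victim/attacker MACs and IPs in the sample frames are constructed for this example.

```python
import struct

ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    hw, proto, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])  # 28-byte ARP body after the 14-byte Ethernet header
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": _mac(sha), "spa": _ip(spa), "tha": _mac(tha), "tpa": _ip(tpa)}

def detect_poisoning(frames, trusted=None):
    """Return one alert per ARP reply whose sender IP maps to a new MAC. `trusted`
    seeds known-good bindings (e.g. the gateway MAC from a clean `arp -a`) so a
    spoofed reply is caught even when it is the first reply seen for that IP."""
    table = dict(trusted or {})
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        known = table.get(arp["spa"])
        if known is None:
            table[arp["spa"]] = arp["sha"]  # first sighting: learn it
        elif known != arp["sha"]:
            alerts.append(f"{arp['spa']} is now claimed by {arp['sha']} (expected {known})")
    return alerts

# Constructed 60-byte sample frames (not captured from the lab): a genuine reply from
# gateway 192.168.1.1 (aa:aa:aa:aa:aa:aa) to victim 192.168.1.10 (bb:bb:bb:bb:bb:bb),
# then a spoofed reply for the same gateway IP sent from cc:cc:cc:cc:cc:cc.
_ARP_HDR = "0001 0800 06 04 0002"          # Ethernet, IPv4, hlen 6, plen 4, opcode reply
_PAD = " 00" * 18                          # padding up to the 60-byte minimum frame size
GENUINE_REPLY = bytes.fromhex("bbbbbbbbbbbb aaaaaaaaaaaa 0806 " + _ARP_HDR
                              + " aaaaaaaaaaaa c0a80101 bbbbbbbbbbbb c0a8010a" + _PAD)
SPOOFED_REPLY = bytes.fromhex("bbbbbbbbbbbb cccccccccccc 0806 " + _ARP_HDR
                              + " cccccccccccc c0a80101 bbbbbbbbbbbb c0a8010a" + _PAD)

if __name__ == "__main__":
    for alert in detect_poisoning([GENUINE_REPLY, SPOOFED_REPLY]):
        print("ALERT:", alert)
```

The same logic is what static ARP entries (arp -s) and switch features such as Dynamic ARP Inspection enforce: a fixed IP-to-MAC binding that a later unsolicited reply is not allowed to overwrite.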

(OPTIONAL) DNS Spoofing

Step 1
We will customize our DNS spoofing configuration file (/usr/local/share/ettercap/etter.dns). Open a terminal window and type:

sudo nano /usr/share/ettercap/ettercap.dns

Add the following entry to the file:

*.com A 147.187.134.7

Press Ctrl+X to exit. Press Y to save the changes to the file.

Step 2
Restart ettercap NG. Redo steps 1 through 11.

Step 3
Once traffic is flowing through the attacker's machine, from the Top Menu click on Plugins > Manage Plugins.

Step 4
Double-click on dns_spoof to activate the plugin. (Notice the asterisk that appears once the plugin is activated.)

Step 5
From the victim machine, attempt to visit any .com website. All .com traffic from the victim machine should be redirected to penguin.ewu.edu.
