arp poison lab 2011
8/2/2019 Arp Poison Lab 2011
1/17
CSCD434 - Spring 2011
ARP Poisoning Lab
Tools needed:
Wireshark
Ettercap NG
Ghex (Gnome Hex Editor)
File2cable
Installation
In a terminal type:
sudo apt-get install ghex irpas
ghex installs the Gnome Hex Editor.
irpas installs several network utilities; we'll be using file2cable.
Manual Arp poisoning
Step 1: Check the victim machine's arp cache to verify that the MAC address that points to the
gateway is actually the gateway's MAC address. (If nothing is there, ping the gateway to force an
ARP broadcast.)
Commands:
arp -a    this will show you the arp cache
ping <gateway>    this will update the arp cache as well as test your IP stack and ping the
gateway
Step 2: Before we can begin crafting our packets we first need the MAC address and IP
address (in hex) of each machine. Pinging each machine and analyzing the traffic in Wireshark
will give you all of this information.
Step 3: After we have gathered all the required information it is time to capture an ARP reply packet
and save it to a file. This packet will be edited with our spoofed information and then put on the
wire as a unicast packet to our victim and to the gateway. Pinging a machine should cause an ARP
request/reply sequence to happen. Once you see an ARP reply in Wireshark you can stop
Wireshark.
Exporting the reply packet can be done by right-clicking the Frame header and exporting the
packet. The final packet size should be 60 bytes.
Step 4
Now we need to change some of the data in our packet. Our goal is to tell the victim machine
that the layer 2 path to the gateway is our machine. We are simultaneously telling the gateway
that the layer 2 path to our victim machine is our machine. Then we enable IP forwarding, which
sends the packets on to their correct destination once they are captured by our attacker machine.
Once we have finished crafting both packets we will use a program which puts them onto the wire and
sends them as unicast to their respective victims.
Command:
file2cable -i <interface> -f <packet file>    this puts the packet onto the network.
Step 5: Now that the packets have been put on the wire with file2cable we should be able to look at our
victim machine's arp cache and see where it thinks its gateway is located. As you can see from the
screenshot below, our victim's gateway entry now holds our attacker machine's MAC address.
Arp poisoning using Ettercap NG
Step 1: Start Ettercap-NG, which is the GUI version of the ettercap tool.
(Click Applications > Internet > ettercap.)
Step 2: Click on Sniff > Unified sniffing.
The Ettercap Input window opens.
Select the interface to sniff from (usually eth0). Click OK.
Step 3: From the top menu, click on Hosts > Scan for hosts.
Step 4: To view the available hosts, from the top menu click Hosts > Hosts list.
Step 5: From the Host List tab, select the IP address of the default gateway. Click on the Add to Target 1 button.
Step 6: Next select the victim machine's IP address (select the IP of your partner's machine). Click on the Add to Target 2 button.
Step 7: From the top menu, click on Mitm > Arp poisoning.
The Optional parameters window will open; select Sniff remote connections.
Step 8: From the top menu, click on Start > Start sniffing.
Step 7: The victim's traffic is now flowing through the attacker's machine. Verify that traffic is
flowing through the attacker machine with Wireshark (use the arp filter).
Question: How would you defend against it?
Answer should be a couple of paragraphs.
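The following example is added to this handout and is not part of the original lab, nor code from ettercap or irpas. It decodes the 60-byte Ethernet/ARP reply frame the manual section has you capture and export (the same field layout you inspect in ghex), then runs a small watcher over a sequence of replies: the gateway's real MAC, recorded with arp -a in Step 1 before anything is poisoned, is seeded as a trusted binding, and any later reply that claims a different MAC for the gateway's IP is reported, which is the change Step 5 shows in the victim's cache. All MAC and IP addresses are constructed test values (the IPs are from the RFC 5737 documentation range), and the two test frames are built in the script itself so it runs offline.

```python
"""ARP reply parser and IP-to-MAC binding-conflict detector.

Added example for this lab; not part of the original handout and not ettercap
or file2cable code. Every MAC and IP address below is a constructed test value.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2
MIN_FRAME_LEN = 60   # the 60-byte frame the lab exports from Wireshark


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_arp_frame(frame: bytes) -> dict:
    """Decode an Ethernet frame carrying ARP.

    Layout: 14-byte Ethernet header (dst MAC, src MAC, ethertype) followed by
    the 28-byte ARP body (htype, ptype, hlen, plen, opcode, sender MAC/IP,
    target MAC/IP). Padding after byte 42 up to the 60-byte minimum is ignored.
    """
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unexpected ARP hardware/protocol fields")
    return {
        "eth_dst": mac_str(dst), "eth_src": mac_str(src), "opcode": opcode,
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a padded 60-byte unicast ARP reply, used here only as offline
    test input for the detector (constructed sample data)."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac),
                      ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    frame = eth + arp
    return frame + b"\x00" * (MIN_FRAME_LEN - len(frame))


class ArpWatch:
    """Keep an IP -> MAC table from observed ARP replies and report conflicts.

    `trusted` seeds the table with bindings learned out of band, e.g. the
    gateway's real MAC recorded with arp -a before the lab. Any later reply
    that claims a different MAC for a known IP is flagged.
    """

    def __init__(self, trusted=None):
        self.table = dict(trusted or {})
        self.alerts = []

    def observe(self, frame: bytes):
        pkt = parse_arp_frame(frame)
        if pkt["opcode"] != ARP_REPLY:
            return None
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.table.get(ip)
        if known is None:            # first time we see this IP: learn it
            self.table[ip] = mac
            return None
        if known == mac:
            return None
        alert = (f"ARP conflict: {ip} was {known}, reply now claims {mac} "
                 f"(Ethernet source {pkt['eth_src']})")
        self.alerts.append(alert)
        return alert


# Constructed lab topology (not real addresses).
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "02:00:00:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.0.2.10", "02:00:00:00:00:10"
OTHER_MAC = "02:00:00:00:00:99"     # a third host on the segment


def demo():
    """Feed one consistent reply and one conflicting reply to the watcher."""
    watch = ArpWatch(trusted={GATEWAY_IP: GATEWAY_MAC})
    consistent = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    conflicting = build_arp_reply(OTHER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    return [watch.observe(consistent), watch.observe(conflicting)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first reply in demo() matches the trusted binding and produces no alert; the second claims the gateway's IP with a different MAC and is reported. The same check is what tools such as arpwatch or a switch's dynamic ARP inspection perform continuously, and it is one concrete way to answer the defense question above: keep an authoritative IP-to-MAC table for the gateway and critical hosts, and alert (or drop, when enforced on the switch) on any reply that disagrees with it.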
(OPTIONAL) DNS Spoofing
Step 1: We will customize our DNS spoofing configuration file: (/usr/local/share/ettercap/etter.dns)
Open a terminal window. Type: sudo nano /usr/share/ettercap/ettercap.dns
Add the following entry in the file: *.com A 147.187.134.7
Press Ctrl+X to exit. Press Y to save the changes to the file.
Step 2: Restart ettercap NG. Redo steps 1 through 11.
Step 3: Once traffic is flowing through the attacker's machine, from the top menu click on Plugins > Manage the plugins.
Step 4: Double-click on dns_spoof to activate the plugin. (Notice the asterisk once the plugin is
activated.)
Step 5: From the victim machine, attempt to visit any .com website.
All .com traffic from the victim machine should be redirected to penguin.ewu.edu.