Tuesday, October 16, 2007

Arp Poisoning

One of the myths surrounding a switched environment is that it prevents packet sniffing. Well, it really doesn't. Anyone can put their network card into promiscuous mode and grab packets off the wire, and if you really need to sniff the traffic it is still entirely possible using ARP spoofing. All you really need is a tool such as Ettercap.

Firstly, let's cover a few basics.

What is ARP?
ARP is the Address Resolution Protocol. It is used to translate IP addresses to MAC addresses (physical addresses). ARP works by a computer sending a query out to its broadcast domain asking which host has a certain IP address. The host that owns that IP address replies with its MAC address, and the requesting computer records the response in its ARP cache. The ARP cache can be viewed by typing arp -a at the command line, which gives output similar to that below:

Interface: --- 0x5
  Internet Address      Physical Address      Type
                        00-0b-cd-ef-2c-ff     dynamic
                        00-0e-7f-ef-b5-8d     dynamic

What is ARP Spoofing?
ARP spoofing works by an attacker PC sending fake ARP responses to the victim PCs, claiming to be someone else; the victim PCs then update their ARP caches and direct their traffic to the attacker. On receiving the traffic the attacker can log, read or modify the packets and then forward them on to the real destination.
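As an added defender-side example (not part of the original post, and not Ettercap code), the following Python parses raw Ethernet/ARP reply frames and flags the two symptoms of the poisoning just described: an IP address that starts answering from a different MAC, and one MAC claiming several IP addresses. The IP addresses and the attacker MAC 00-aa-bb-cc-dd-ee are constructed sample data; the other two MACs are the ones from the arp -a listing.

```python
import struct
ETH_P_ARP, ARP_REPLY = 0x0806, 2            # EtherType for ARP; ARP opcode 2 = reply

def mac_bytes(s): return bytes(int(x, 16) for x in s.split("-"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return "-".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}

class ArpWatch:
    """Learns IP->MAC bindings from ARP replies and flags a moved IP or a MAC claiming several IPs."""
    def __init__(self):
        self.ip_to_mac, self.mac_to_ips, self.alerts = {}, {}, []
    def feed(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return                                  # requests and non-ARP frames are ignored
        ip, mac = arp["spa"], arp["sha"]
        known = self.ip_to_mac.setdefault(ip, mac)  # first-seen binding is kept as the baseline
        if known != mac:
            self.alerts.append(f"{ip} moved from {known} to {mac}")
        claimed = self.mac_to_ips.setdefault(mac, set())
        claimed.add(ip)
        if len(claimed) > 1:                        # a MITM host claims both victims' addresses
            self.alerts.append(f"{mac} claims {sorted(claimed)}")

def build_arp_reply(sha, spa, tha, tpa):
    """Construct a raw Ethernet+ARP reply frame; used here only to make sample input."""
    eth = mac_bytes(tha) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + arp + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)

def run_demo():
    """Constructed scenario: gateway and victim answer normally, then a third MAC claims both IPs."""
    gw, victim, attacker = "00-0b-cd-ef-2c-ff", "00-0e-7f-ef-b5-8d", "00-aa-bb-cc-dd-ee"
    w = ArpWatch()
    for f in (build_arp_reply(gw, "192.168.1.1", victim, "192.168.1.10"),
              build_arp_reply(victim, "192.168.1.10", gw, "192.168.1.1"),
              build_arp_reply(attacker, "192.168.1.1", victim, "192.168.1.10"),
              build_arp_reply(attacker, "192.168.1.10", gw, "192.168.1.1")):
        w.feed(f)
    return w.alerts                                  # three alerts for the poisoned replies
```

On a real segment the frames would come from a raw socket or a pcap file instead of build_arp_reply; hosts with legitimately several addresses need an allow-list for the second check.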

My favourite tool for ARP spoofing is Ettercap, which can be used under Windows or Linux. Ettercap provides a GUI, which can be launched from the command line using ettercap -G, or it can be run from the command line entirely. I'll cover the command-line usage, as the GUI is very intuitive and simple to use. The switches I list below are for my Linux box, but the Windows switches will probably be the same.

Basic Sniffing
To watch traffic passing by on the network use:

ettercap -Tzq -i eth0

This puts ettercap into text mode (-T), skips the initial ARP scan of the network (-z) and runs quietly (-q), so only interesting traffic is displayed as it passes; it listens on interface eth0 (-i).

To sniff traffic between 2 hosts the attacker can run the following command from his Linux box:

ettercap -i eth0 -T -M arp /victim_ip_A/ /victim_ip_B/

The -i switch tells ettercap to use a specific interface, in this case eth0; the -T switch tells ettercap to use the text interface; and the -M switch tells ettercap to use Man-in-the-Middle (MITM) mode, here the arp method. The rest is self-explanatory.

Multiple hosts can be sniffed say between a gateway and the targets by using a command such as:

ettercap -i eth0 -T -M arp / / /

If traffic to a certain port, in this case Telnet, is to be captured the command would look like:

ettercap -i eth0 -T -M arp / / /

To sniff traffic between all hosts on the network:

ettercap -T -M arp // //

BEWARE – depending on the size of the network, this may cause dropped packets and performance issues.
There are many other switches available; they can be viewed by checking out the man page for Ettercap (man ettercap) or by viewing the help output (ettercap --help).

Ettercap is capable of:
• sniffing HTTPS
• Injecting traffic
• OS fingerprinting

Logging The Output
To log the output of Ettercap you can use the following:

-L This will log both the packet detail (filename.ecp) and the info (filename.eci)

-l This will log only info (filename.eci)

-w Write output to a pcap file (viewable with Wireshark)

The syntax to log the output would be:

ettercap -T -L filename -qM arp /ip_address_A/ /ip_address_B/

Other useful options
-P use a plugin (to see the available plugins run ettercap -TQ and press p to open the plugin menu)
-c Compress the output (gzip)

Viewing The Output
The output from Ettercap can be viewed with Etterlog or Wireshark, or sent to the screen (toggle screen output on and off with the space bar).

Fun With Ettercap
So we have seen here how Ettercap can be used to perform MITM attacks and capture traffic between two hosts. Obviously this traffic can be parsed for juicy info. You could run Dsniff on the same PC and LAN card to run the traffic through that. You could run Driftnet to view any pictures that are passing the interface, or you could use one of the many plugins to send the visited URLs to your browser, to find promiscuous NICs, or to perform many other useful activities.

For more info take a look at the links below:



noOneSpecial said...

Hello SynJunkie,

I couldn't find any other way how to contact you. There is no email address to contact you (or I'm blind). I find your blog very useful and interesting! I'm also interested in security in the network world. I'm writing a tool that does perform some of the network attacks (it does 5 atm). Would you be interested in testing it or whatever? It's a Java program I've written using the jpcap library. You can contact me at: mateusz-matusiak@wp.pl

With Kind Regards

SynJunkie said...

I'll drop you an email next week Matt. Thanks for the comment.