
ARP Spoofing Tutorial

(the hard way)

The idea behind ARP spoofing is to trick a target computer's ARP cache, causing it to send all the traffic through an attacking machine before returning back to the target computer. Sniffing the network activity with wireshark while the attack is in progress allows you to view all the information and content that the target computer is viewing (i.e. passwords, account information, visited sites, etc.).

I suggest you read up on ARP spoofing more before continuing on with this manual method of ARP spoofing. This link gives a nice explanation on ARP, what it is and what it is used for.

http://www.oxid.it/downloads/aprintro.swf

This entire tutorial was run in Backtrack 2 stable release. It is available for download for free from the following link.

http://www.remoteexploit.org/backtrack_download_old.html

Getting an ARP reply packet:

The first step would be to capture a simple ARP reply packet to use as a template in creating a spoofed ARP reply packet that we will be sending to the target computer.

1A. Open wireshark and start sniffing. To do this in Backtrack 2 simply type "wireshark" into the run box.

B. I suggest using the following settings for your network card while capturing to avoid confusion.

2. Ping a site, i.e. google.com, and wait for wireshark to capture an ARP reply. You should see the packet that is highlighted in the picture below in wireshark's capture.

3. With the packet shown above highlighted in wireshark, select "Frame 2" from the second window and "Export Selected Packet Bytes" by right-clicking open space in the third window.

Editing the packet:

Now that we have an ARP reply packet to use as a template we can edit it in a hex editor to specify the needs for our attack.

4. Open the saved ARP reply packet with the hex editor by typing the following command into the terminal.

    hexedit -b "name of the ARP reply packet you saved"

-b = buffers the entire file in memory, much faster, enables inserting and deleting

5. Before editing the packet we must obtain the target computer's, attacking computer's, and the gateway's IP and MAC addresses. In order to find this information we ping the target computer and gateway. Observe the screenshot below and open up a text editor or the old-fashioned piece of paper to write down the highlighted information for easy access later on.

To find your attacking computer's IP and MAC address simply type the following command into the terminal and record the IP and MAC address.

    ifconfig

6. Now that we have the needed information we can edit our ARP reply packet. Go back to the hex editor and wireshark and open them to where you can see the needed information comfortably like pictured below. Also be sure to have the information recorded from step 5 handy and at the ready.

7. The first fields that need to be edited are the Destination and Source MAC addresses. This information is displayed in the second window in wireshark under the "Ethernet II" drop-down while the ARP reply packet is highlighted from the first window. For our attack the destination will be the target computer's MAC address and the source will be our attacking computer's MAC address. Clicking on the fields in wireshark will highlight the corresponding information given in hex by the packet in the third window. All of this information is also shown in the picture above.

8. Now that you can see where the destination MAC address is in the hex editor you change it to the target computer's MAC address. The changes will be colored in a sky blue color.

9. Select the "Source" field in wireshark to see where it is located in your hex editor. Change that to your attacking computer's MAC address.

10. The next fields that we need to edit are located in the "Address Resolution Protocol (reply)" drop-down in the second window of wireshark.

11. We need to change the "Sender MAC address" to our attacking computer's MAC address in the hex editor.

12. We now need to change the "Target MAC address" to our target computer's MAC address.

13. We now need to change the "Target IP address" to the target computer's IP address. However we are now dealing with numeric values of the IP instead of the hex code of the MAC addresses. You can see that the target IP address of the packet is directly after the target MAC address field in the hex editor.

Observing the highlighted field in the above picture you can see that C0A8010A is hex for 192.168.1.10. Now knowing this, the only value we must change is the last field of the IP address. In order to find the hex value of the target computer's IP you can use the built-in "Galculator" to convert it. It is located in the "Utilities" tab of the KDE start menu. Change the view to scientific and input the last field of the target computer's IP address.

Now all you need to do is click the greyed HEX area in the Galculator. This will convert your numeric value to hex.

Now that you have the last field of the target computer's IP address in hex you can input it into the hex editor.

14. We can now save this packet and test it. Save the packet and in the terminal type the following command.

    file2cable -i eth0 -f arp_target

-i = network card interface
-f = file of packet (in this case arp_target)

Execute the command twice for safe measure. If you now go into the target computer and view its ARP cache you will see that the gateway and the attacking computer have the same physical address. If you constructed the packet correctly you should see something similar to the picture below on the target computer.

15. The next step will be to create our spoofed gateway packet. We can copy the packet we made for the target computer and use it as a template for building this gateway packet by typing the following command into the terminal.

    cp arp_target arp_gateway

arp_target was the name of the packet we first created and we copied it to a new file with the name arp_gateway

16. Open the newly created arp_gateway packet with the hex editor.

    hexedit -b arp_gateway

-b = buffers the entire file in memory, much faster, enables inserting and deleting

17. First we will change the destination field to the gateway's MAC address.

18. Next we change the source field to our attacking computer's MAC address, but luckily for us it is already filled in correctly from inputting it in our arp_target packet.

19. We will now edit the sender MAC address field to be our attacking computer's MAC address; once again, luckily for us, it is already filled in correctly from our previous packet.

20. The sender IP address is the field we want to spoof, so we enter the IP of the target computer in this field.

21. We now want to change the target MAC address field to the attacking computer's MAC address.

22. Next we want to change the target IP address field to the gateway's IP address.

23. Now that we finally have our packets constructed we can almost commence our attack. However for the spoof to be executed correctly IP forwarding must be enabled on our attacking machine. Not doing so will result in a Denial of Service attack on the target computer. We do this by typing the following command into the terminal.

    echo 1 > /proc/sys/net/ipv4/ip_forward

Placing the value 1 in the above file enables IP forwarding, allowing our computer to... forward IPs :P

24. Since the method used in step 14 is only temporary we will create a script that sends our created packets over the network every two seconds. Create a new file called attack.sh and open it in nano. We can do this by typing the following command into the terminal.

    nano attack.sh

creates a new file named attack.sh and opens it in nano

25. Enter the following code in this file in order to create our looping script.

    #!/bin/bash
    while [ 1 ]; do
        file2cable -i eth0 -f arp_target
        file2cable -i eth0 -f arp_gateway
        sleep 2
    done

this loops the file2cable commands every 2 seconds until it is stopped

26. Save the attack.sh script and give it executable permissions by typing the following command into the terminal.

    chmod 755 attack.sh

gives the file attack.sh executable permissions

By creating this script and giving it executable permissions, when run it will keep sending our packets through the network every two seconds, not allowing the target computer's ARP cache to recover.

27. SO! We have successfully created our packets and a script to loop those packets. If we run this script by entering the following command into the terminal our attack will commence.

    ./attack.sh

executes the attack.sh script

28. If all of the above steps went smoothly we should be able to launch our attack script, start up our sniffer, and watch as we capture the traffic that our target computer is receiving. :) You should see something similar to the image below in wireshark's capture.
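
Seen from the defending side, the same 42-byte frame layout edited in steps 7 to 22 and the symptom noted in step 14 (gateway and another host sharing one physical address) are what a monitor looks for. The following is an added example, not part of the original tutorial: it decodes captured ARP replies and flags an IP that moves to a new MAC or one MAC answering for several IPs. The function names, the gateway address 192.168.1.1 and every MAC address in the sample are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

# Ethernet II header (dst, src, type) followed by the IPv4-over-Ethernet ARP body: 42 bytes.
ARP_FRAME = struct.Struct("!6s6sHHHBBH6s4s6s4s")

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Decode the fields the tutorial edits; None if the frame is not Ethernet/IPv4 ARP."""
    if len(frame) < ARP_FRAME.size:
        return None
    dst, src, etype, htype, ptype, hlen, plen, op, sha, spa, tha, tpa = \
        ARP_FRAME.unpack(frame[:ARP_FRAME.size])
    if etype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": mac(dst), "eth_src": mac(src), "op": op,
            "sender_mac": mac(sha), "sender_ip": ip(spa),
            "target_mac": mac(tha), "target_ip": ip(tpa)}

def find_conflicts(frames):
    """Alert when a reply rebinds an IP to a new MAC or one MAC answers for several IPs."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for raw in frames:
        f = parse_arp(raw)
        if f is None or f["op"] != 2:          # only ARP replies (opcode 2)
            continue
        sip, smac = f["sender_ip"], f["sender_mac"]
        old = ip_to_mac.get(sip)
        if old is not None and old != smac:
            alerts.append(("rebind", sip, old, smac))
        ip_to_mac[sip] = smac
        if sip not in mac_to_ips[smac]:        # report a shared MAC once, not per repeat
            mac_to_ips[smac].add(sip)
            if len(mac_to_ips[smac]) > 1:
                alerts.append(("shared_mac", smac, tuple(sorted(mac_to_ips[smac]))))
    return alerts

# Constructed capture: 192.168.1.1 (assumed gateway) first answers from ..:01, then
# ..:99 answers for both 192.168.1.1 and 192.168.1.10. All MACs are made up.
HDR = "08060001080006040002"
SAMPLE = [bytes.fromhex(h) for h in (
    "02000000000a020000000001" + HDR + "020000000001c0a80101" + "02000000000ac0a8010a",
    "02000000000a020000000099" + HDR + "020000000099c0a80101" + "02000000000ac0a8010a",
    "020000000001020000000099" + HDR + "020000000099c0a8010a" + "020000000001c0a80101",
)]

if __name__ == "__main__":
    for alert in find_conflicts(SAMPLE):
        print(alert)
```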
