Lab Overview

Scenario

The scenario for this laboratory is an attacker and a sheep using laptops on the same wireless network. The goal here is to sniff the sheep's traffic over the network using Dsniff. Let's talk about what Dsniff does and does not do.

The Dsniff suite provides tools that read network traffic and search for interesting information/credentials - that's it. That means that we (the attacker) need to be able to read the sheep's network traffic before we can use Dsniff.

How we read the sheep's traffic depends on the type of network we're on.

• Wired networks: Man in the Middle/Wired
  • You must determine whether you're on a network switch or a network hub
  • Network switches selectively broadcast traffic from the gateway to the specific port corresponding to the intended destination node (this is determined using the ARP table, which maps MAC addresses to ports)
  • Network hubs broadcast all traffic to all ports, so all traffic is visible to all nodes, and nodes simply ignore traffic not intended fro them
• Wireless networks: Man in the Middle/Wireless

Notes on Detection

It is important to note the impact that an ARP spoofing attack will have on the network. ARP spoofing generates a MASSIVE amount of packet traffic, so it WILL slow down the network. Also, if it is an enterprise or business network, or any network with an active IT crew, they will almost surely be alerted to the attack. This is optimal for anonymous, small, unmonitored networks.

Setting Up

Wifi Network

This will use a standard wifi network that both the sheep and attacker can connect to. They should be on the same subnet.

Sheep

Sheep will be generating web/ssh/email/dropbox traffic. The sheep needs basic programs to do that stuff.

Attacker

To carry out the ARP poisoning attack, the attacker will need an ARP poisoning tool - this lab will use Arpspoof, part of the Dsniff suite.

To actually sniff the traffic, the attacker will need Dsniff.

Other tools?

Execution

Plan

The attack steps are as follows:

• Perform recon/information gathering
• Prepare for ARP poisoning attack (packet forwarding, network interfaces, etc.)
• Run ARP poisoning attack to poison ARP tables of sheep and of router
• Run Dsniff to capture goodies
• Browse some plaintext activity/upload some files on the sheep, see what you get on the attacker machine

Step 1: Recon/Info Gathering

The ARP poisoning attack requires us to be on the same subnet as our victim. If this is a foreign network, there are a couple of things we might want to know about it:

• How many other clients are there on the network?
• What is the volume of traffic on this network?
• Is this network administered? What is the potential the network is monitored?
• What kind of network router/other hardware is present?

If we're on a network like 192.168.0.* we can get a very quick picture of what other computers are on the network by doing a fast scan, or by scanning a particular port:

$ nmap -F 192.168.0.*

If you want more detailed information about the types of devices that are running, what operating systems, etc, you can run with the -A flag:

$ nmap -A 192.168.0.*

With this type of Nmap scan, it is possible to discover the following information:

• Router manufacturer from MAC address lookup
• Service information and operating system
• Open ports on router/sheep
• Other potential attack vectors

Step 2: Prepare for ARP Poisoning

First, keep in mind the disclaimer section on Man in the Middle/ARP Poisoning page. This will generate lots of network traffic and be very loud packet-wise.

You'll want to pick out your sheep target and the gateway router, and record the MAC address and IP of each. Here's the configuration for my laboratory:

Role        IP              Example MAC
Gateway     192.168.0.1     11:11:11
Sheep       192.168.0.7     22:22:22
Attacker    192.168.0.8     AA:AA:AA

When we carry out the ARP attack, we're confusing nodes on the network about which physical computer corresponds to which IP address. It's important that we keep traffic moving, however, or else the entire network will come to a grinding halt. We can do this by forwarding packets. That means that when the gateway sends a packet intended for the sheep, and it gets to the attacker instead, the attacker's network card will simply forward the packet along.

echo 1 > /proc/sys/net/ipv4/ip_forward 

(This simply changing the value of the file from 0 to 1)

Step 3: ARP Poisoning Attack

What we're doing is, we're contaminating the ARP tables on the Gateway and the Sheep, so that the Gateway thinks the Sheep is at AA:AA:AA, and the Sheep thinks the Gateway is at AA:AA:AA. The ARP attack is carried out by crafting fake ARP request responses (information that neither the Gateway nor the Attacker asked for). An ARP Poisoning attack floods the network with fake ARP requests - some say "Hello, whoever wanted to know where the gateway 192.168.0.1 is, it's at AA:AA:AA" and some say "Hello, whoever wanted to know where the sheep 192.168.0.7 was, it's at AA:AA:AA". Eventually all the computers that get these fake ARP request responses will put that information into their ARP table.

Use the arpspoof utility. This one's really dead simple to use. Get some help:

$ arpspoof -h

Basically we specify the interface we're using, the target, and the gateway/destination: the same info we recorded from Steps 1 and 2 above.

(Start Wireshark on the Sheep machine to watch the ARP poisoning attack's flurry of packets in action.)

$ arpspoof -i wlan1 -t 192.168.0.7 -r 192.168.0.1

This generates lots of output, so you can also pipe all the output to /dev/null:

$ arpspoof -i wlan1 -t 192.168.0.7 -r 192.168.0.1 &> /dev/null

Step 4: Run Dsniff

Step 5: Sheep Does Stuff and We Capture Booty

Flags