Man in the Middle/ARP Poisoning/Pauls Security Podcast
Pauls Security Podcast Wiki Notes
Q: What are the best ways to ARP cache poison?
A program called send_arp (http://insecure.org/sploits/arp.games.html). A very simple example is given below, in which the victim's ARP cache entry for the DNS server is poisoned.
DNS Server: 192.168.1.10
Attacker: 192.168.1.67
Victim: 192.168.1.61

./send_arp \
    192.168.1.10 00:1f:c6:7b:4e:a2 \
    192.168.1.61 00:0c:6e:20:6b:4e
In this example, 192.168.1.10 is our DNS server, followed by its MAC address.
192.168.1.61 is our victim, followed by its MAC address.
The above command sends the ARP entry for 192.168.1.10 to 192.168.1.61. In my example, I am telling the client "Hey, your DNS server's MAC address is really 00:1f:c6:7b:4e:a2". This now means that all of that traffic will be forwarded to that MAC address.
The target should be totally fooled. Check by firing up tcpdump on the attacker machine:
16:17:24.561166 IP 192.168.1.61.2073 > 192.168.1.10.53: 3+ A? amazon.com. (28)
16:17:24.561179 IP 192.168.1.61.2073 > 192.168.1.10.53: 3+ A? amazon.com. (28)
But wait! There's more! The client is not happy, so let's find out why.
From the perspective of the attacker, things are not going to go down smoothly. In the tcpdump traffic shown above, you can see requests going to our computer (since we poisoned the ARP table entry, everything will go to our hardware). But the traffic, when it arrives, is addressed to 192.168.1.10, which is the IP address the DNS server is supposed to have. But the attacker machine has an IP address of 192.168.1.67. Layer 2 was set up properly, but Layer 3 wasn't.
DNS requests have been properly delivered to our hardware at Layer 2, but even if a DNS server were running on the attacker machine, the traffic isn't addressed to us, so the attacker's network stack will, by default, drop the packets, since they aren't addressed to 192.168.1.67.
To fix this, enable packet forwarding in the Linux kernel:
echo "1" > /proc/sys/net/ipv4/ip_forward
By enabling packet forwarding, the Linux kernel will forward, unmodified, any packets it receives that are addressed to an IP other than its own (192.168.1.67). This way, your computer receives all of the victim's traffic but passes it along as though nothing happened. This makes passive attacks that intercept traffic and sniff packets possible.
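From the defender's side, the poisoning above is visible on the wire: an ARP reply claims the DNS server's IP (192.168.1.10) with a MAC that is not the DNS server's. The following detector is an added example (not from the podcast or this wiki) that parses raw Ethernet/IPv4 ARP packets and alerts when a trusted IP is announced with a foreign MAC or when a learned IP-to-MAC binding silently changes; the "real" DNS server MAC in TRUSTED is a constructed placeholder, and the ARP packets are built inline rather than captured from an interface.

```python
import struct

# Constructed baseline of trusted IP-to-MAC bindings. The MAC for the DNS
# server is a placeholder for this example, not a value from the page.
TRUSTED = {"192.168.1.10": "00:0c:29:aa:bb:cc"}

def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def build_arp(op, sender_ip, sender_mac, target_ip, target_mac):
    """Build a 28-byte Ethernet/IPv4 ARP payload (op 1 = request, 2 = reply),
    i.e. the same kind of reply send_arp emits, without the Ethernet header."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
            + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))

def parse_arp(pkt):
    """Return the fields of an Ethernet/IPv4 ARP payload, or None if malformed."""
    if len(pkt) < 28:
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", pkt[8:28])
    return {"op": op,
            "sender_mac": ":".join(f"{b:02x}" for b in sha),
            "sender_ip": ".".join(str(b) for b in spa),
            "target_ip": ".".join(str(b) for b in tpa)}

def check_arp(pkt, trusted=TRUSTED, seen=None):
    """Inspect one ARP packet and return an alert string, or None if benign.

    `seen` is a dict of ip -> mac bindings learned so far (updated in place).
    Rule 1: a trusted host announced with a MAC other than its known one.
    Rule 2: any host whose MAC changes from the binding previously learned.
    """
    arp = parse_arp(pkt)
    if arp is None or arp["op"] != 2:   # only replies update caches
        return None
    ip, mac = arp["sender_ip"], arp["sender_mac"]
    if ip in trusted and trusted[ip] != mac:
        return f"ARP spoof: {ip} claimed by {mac}, expected {trusted[ip]}"
    if seen is not None:
        old = seen.setdefault(ip, mac)
        if old != mac:
            return f"ARP change: {ip} moved from {old} to {mac}"
    return None
```

In a real deployment the packets would come from a raw socket or pcap feed with the 14-byte Ethernet header stripped before calling check_arp.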
If you want to modify the DNS traffic rather than just pass it through, there are multiple options, for example:
Windows folks can use the program Cain and Abel to modify DNS entries as they go by. Cain and Abel does ARP poisoning of the routing layer, allowing you to rewrite responses to DNS queries and change DNS entries.
This can be a good way to control hosts on a network.
Man in the middle attacks: attacks in which an attacker tricks two parties into thinking they're communicating with each other, while both are actually communicating with the attacker.