Spoofing and Man-in-the-Middle Attacks
Date Assigned: Mm/dd/yyyy
Time Due: Mm/dd/yyyy by HH:MM
Educational Objectives
This lab will introduce you to both ARP spoofing and man-in-the-middle attacks and how they
are carried out within a networked environment.
Lab Environment
Summary
When you connect to a computer you often take for granted the protocols used to find the
destination machine. In a LAN, the method of resolving an IP address to a MAC address so that a
packet can be sent to its destination is ARP (Address Resolution Protocol).
In this lab you will learn how to poison victims' ARP caches and passively sniff connections.
Before software can be used to poison an ARP cache, you must first do some preliminary
exercises to better understand how to use and manipulate your own ARP cache. Once you understand
ARP and how your ARP cache is used, the next few exercises use ARP poisoning to sniff and
attack connections. The first exercise introduces a powerful tool used to perform ARP
poisoning and various LAN attacks: Ettercap. Next you will passively and actively
sniff a connection between two victim machines. After completing these exercises you will
have a good understanding of how man-in-the-middle attacks occur.
Background
What is ARP?
Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP
address) to a physical machine address that is recognized in the local network. For example, in IP
Version 4, the most common level of IP in use today, an address is 32 bits long. In an Ethernet
local area network, however, addresses for attached devices are 48 bits long. (The physical
machine address is also known as a Media Access Control or MAC address.) A table, usually
called the ARP cache, is used to maintain a correlation between each MAC address and its
corresponding IP address. ARP provides the protocol rules for making this correlation and
providing address conversion in both directions.
In order to minimize network traffic, ARP implementations update their cache of IP-to-MAC
mappings whenever an ARP request or reply is received. If the MAC address reported in the
packet for the given IP has changed, the new value overwrites the old one in the cache. ARP
replies are unicast packets directed at one machine, and cause only that machine to update its
cache.
The particular kind of ARP attack examined in this lab is the use of ARP reply packets to
perform cache poisoning. This attack makes possible many sorts of man-in-the-middle attacks.
Consider an example depicted in Figure 1. The attacker, Host C, sends an ARP reply to B stating
that A’s IP maps to C’s MAC address, and another ARP reply to A stating that B’s IP maps to
C’s MAC address. Since ARP is a stateless protocol, hosts A and B assume that they sent an
ARP request at some point in the past and update their ARP caches with this new information.
Now, when A tries to send a packet to B it will go to C instead. Host C can use this unique
position to forward the packets on to the correct host and monitor or modify them as they pass
through C (Figure 2). This man-in-the-middle attack allows C to monitor or modify telnet
sessions, read mail passing over Post Office Protocol (POP) or SMTP, intercept SSH
negotiations, monitor and display Web usage, and carry out many other malicious activities.
The ARP cache poisoning attack can be used against all machines in the same broadcast domain
as the attacker. Hence, it works across hubs, bridges, and switches, but not across routers. An
attacker can, in fact, poison the ARP cache of the router itself, but the router will not forward the
ARP packets to its other links. Switches with port-security features that bind MAC addresses to
individual ports do not prevent this attack, since no MAC addresses are actually changed. The
attack occurs at a higher network layer, the IP layer, which the switch does not monitor.
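As an added example that is not part of the handout, the Python script below builds a small constructed ARP capture matching Figure 1 and replays it through a monitor that updates an IP-to-MAC table the way the victims' caches do, raising an alert whenever an existing mapping flips or one MAC claims several IPs (the two indicators tools such as arpwatch look for). All addresses are constructed; the frame layout is standard Ethernet/ARP.

```python
import struct
from collections import defaultdict
# Constructed sample hosts mirroring Figure 1: A and B are victims, C is the attacker.
IP_A, IP_B = "10.0.0.1", "10.0.0.2"
MAC_A, MAC_B, MAC_C = "00:11:11:11:11:11", "00:22:22:22:22:22", "00:33:33:33:33:33"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

def mac_bytes(mac): return bytes(int(x, 16) for x in mac.split(":"))
def ip_bytes(ip): return bytes(int(x) for x in ip.split("."))

def arp_frame(op, sha, spa, tha, tpa, eth_dst=None):
    """Build a 42-byte Ethernet+ARP frame (op 1 = request, 2 = reply)."""
    eth = mac_bytes(eth_dst or tha) + mac_bytes(sha) + b"\x08\x06"
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet/IPv4, 6-byte MAC, 4-byte IP
    return eth + hdr + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None for non-ARP frames."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    sha = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = ".".join(str(b) for b in frame[28:32])
    tpa = ".".join(str(b) for b in frame[38:42])
    return op, sha, spa, tpa

def monitor(frames):
    """Update an IP->MAC table the way a host's cache does, flagging poisoning indicators."""
    cache = {}                  # ip -> mac, overwritten on every request or reply
    claims = defaultdict(set)   # mac -> set of IPs it has claimed to own
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None: continue
        op, sha, spa, tpa = parsed
        if spa in cache and cache[spa] != sha:     # mapping flipped: poisoning or a real re-address
            alerts.append(f"{spa} moved from {cache[spa]} to {sha}")
        cache[spa] = sha
        claims[sha].add(spa)
        if len(claims[sha]) > 1:                    # one MAC answering for several IPs
            alerts.append(f"{sha} claims {sorted(claims[sha])}")
    return cache, alerts

# Constructed capture: a legitimate A<->B exchange, then C's two forged replies from Figure 1.
SAMPLE_CAPTURE = [
    arp_frame(1, MAC_A, IP_A, ZERO, IP_B, eth_dst=BCAST),  # A asks: who has B?
    arp_frame(2, MAC_B, IP_B, MAC_A, IP_A),                # B answers A honestly
    arp_frame(2, MAC_C, IP_A, MAC_B, IP_B),                # C tells B: A's IP is at C's MAC
    arp_frame(2, MAC_C, IP_B, MAC_A, IP_A),                # C tells A: B's IP is at C's MAC
]
```

A "moved" alert is also raised by a legitimate re-addressing (DHCP lease change, NIC swap), so in production it is correlated with a baseline of known pairs rather than acted on alone.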
The tool used in demonstrating and testing the effectiveness of these attacks was
Ettercap. Developed as an open source project, Ettercap provides both a menu-based and a
command-line tool to perform ARP cache poisoning and man-in-the-middle attacks against
switched networks (among other things).
What is Ettercap?
(http://Ettercap.sourceforge.net/)
Ettercap is a multi-functional packet sniffer/interceptor/logger that works on switched LANs. It
allows the active and passive dissection of numerous protocols, including ciphered ones, such as
SSH1, and includes features for network and host analysis.
Ettercap should be installed on your BT5R3 machine; however, you can place it on another
machine such as FC18 if you wish:
Test Ettercap
# ettercap -v
If your installation completed successfully, you will be able to see “Ettercap NG-0.7.3”.
Now make sure that an FTP server is installed and running on your
CENTOS6.4 machine.
Start ftp:
# /etc/init.d/vsftpd start
Make sure the TELNET server is installed on your Windows 7 machine, and is running:
Note: If the Telnet service is not installed, install it using the following steps:
Control Panel -> Programs and Features -> Turn Windows features on or off -> Telnet
Server
0.4: Telnet Server CENTOS6.4
Make sure the TELNET server is installed on your CENTOS6.4 machine, and is running:
Check to make certain that both Operating Systems have Wireshark installed.
Section 1: ARP
By now you should have a clear understanding of what ARP is and how it works. Now you will
get a chance to learn more about this protocol and how to hack it, by doing some exercises. In
the first exercise you will learn how to read your own ARP cache in Linux (Windows is very
similar) and how to modify it. After learning the basic OS commands to control your ARP cache,
you will use the program Ettercap to poison other computers' caches on the network.
Before doing the lab it is important to understand which machine is being used in each situation.
Each machine's hardware address will be identified by the notation
a:b:c:d:e:f. Make sure you substitute the appropriate hardware address when you see the
notation a:b:c:d:e:f.
1) First you are going to observe the initial state of your ARP cache.
Open up a terminal on your CENTOS6.4 machine:
# arp
If the table is empty, think about exactly when a computer starts sending out ARP
packets to discover hosts on the network.
2) Now you are going to observe as entries are added to the ARP cache.
On the CENTOS6.4 machine:
First start the program Wireshark to capture ARP packets.
Make certain that Wireshark will stop the capture after 30 packets and then capture.
Next you are going to ping the BT5R3 machine from the terminal
If the Wireshark program did not already stop capturing packets then click on < stop >
Review the captured ARP packets in Wireshark
Next check the ARP cache in the CENTOS6.4 machine
Next you are going to ping the Win7 machine
Next check the ARP cache in the CENTOS6.4 machine
Q1.1.1: What did you see after typing “ARP”? Why is this?
3) Finally, before you move on to the next part of the lab, make a table of each machine's IP
address and its corresponding hardware address.
Machine       IP address          Hardware address
BT5R3         ________________    ________________
CENTOS6.4     ________________    ________________
Windows 7     ________________    ________________
4) In addition to observing the ARP cache, you can manipulate it with the
"ARP" command, which also allows the user to manually enter IP-to-hardware
address mappings.
Although on a large network this would require a lot of labor, it is an easy way for networks with
static IP addresses to defeat ARP poisoning attempts. An ARP entry that is added
manually becomes static and cannot be changed except by the owner of the computer. Let's
work with some of these other commands now.
Use the "ARP" help feature and look through the possible options.
Next edit the cache manually by adding back the deleted BT5R3 computer so that its address is
static.
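As an added example (not part of the lab handout), the Python script below audits a Linux ARP cache against a baseline of known IP/MAC pairs, the kind of table you filled in above, and emits the `arp -s` commands needed to pin any entry that is missing, dynamic, or disagrees with the baseline. The /proc/net/arp snapshot and the baseline addresses are constructed for illustration.

```python
# Constructed /proc/net/arp snapshot (the kernel prints exactly these columns). The Flags
# column is a bitmask: 0x2 = complete ("C" in `arp -n`), 0x4 = permanent/static ("M"), so a
# manually pinned entry shows 0x6 here and "CM" in `arp -n`.
SAMPLE_PROC_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.10        0x1         0x6         00:0c:29:aa:bb:cc     *        eth0
10.0.0.20        0x1         0x2         00:0c:29:dd:ee:ff     *        eth0
10.0.0.30        0x1         0x2         00:0c:29:99:99:99     *        eth0
"""
# Constructed baseline of the lab's machines; in practice this comes from the table you filled in.
BASELINE = {
    "10.0.0.10": "00:0c:29:aa:bb:cc",   # pinned correctly
    "10.0.0.20": "00:0c:29:dd:ee:ff",   # right MAC, but still dynamic
    "10.0.0.30": "00:0c:29:12:34:56",   # cache disagrees with the baseline
    "10.0.0.40": "00:0c:29:77:77:77",   # not in the cache at all
}
ATF_COM, ATF_PERM = 0x2, 0x4

def parse_proc_arp(text):
    """Return {ip: (mac, flags)} from /proc/net/arp text, skipping the header line."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4:
            table[fields[0]] = (fields[3].lower(), int(fields[2], 16))
    return table

def audit(table, baseline):
    """Compare the live cache with the baseline; return (findings, commands to re-pin)."""
    findings, fixes = [], []
    for ip, want in sorted(baseline.items()):
        entry = table.get(ip)
        if entry is None:
            findings.append(f"{ip}: no cache entry")
        elif entry[0] != want.lower():
            findings.append(f"{ip}: cache has {entry[0]}, baseline says {want} (possible poisoning)")
        elif not entry[1] & ATF_PERM:
            findings.append(f"{ip}: dynamic entry (flags 0x{entry[1]:x}), can be overwritten")
        else:
            continue  # static and matches the baseline: nothing to do
        fixes.append(f"arp -s {ip} {want}")   # pins the entry so `arp -n` shows CM
    return findings, fixes
```

On a live host, replace SAMPLE_PROC_ARP with the contents of /proc/net/arp; the emitted commands need root to run.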
Q.1.1.3: What command did you use to manually add the entry?
Q1.1.4: What is the significance of ‘CM’? Make certain that you provide a detailed
response.
1) Now you are going to test to see what happens when an IP address is mapped to the
wrong hardware address. Before you use an ARP poison program to do this, you are
going to do this manually.
2) In the following commands below, make sure to set the hardware address for the BT5R3
to the wrong address.
3) Make certain to verify the ARP cache again
The static entry should be identified by the flag ‘CM’
Q1.2.1 What happened when the machine was pinged? Why did this happen?
Section 2: Ettercap
2.1. Creating FTP Access
1) For the next few exercises you are going to use the BT5R3 machine as the attacking machine
and the Win7 machine and CENTOS6.4 machine to communicate with each other using various
ports. These machines will be the unknowing victims within the network.
1. Make certain that you create an account that can be used to access CENTOS6.4’s FTP
server.
2. Write the username and password for this account below:
3. Also on CENTOS6.4, create a simple text file named no_protection.txt within the
/var/ftp/pub directory. This file will be used to transfer from CENTOS6.4 to Win7 via
FTP.
# cd /var/ftp/pub
# echo [YOURMTUUSERID] > no_protection.txt
Although Ettercap is best used from the command line, for this introductory use we will use the
program's GUI interface:
# ettercap -G
Let’s see how Ettercap scans your addresses.
Open Wireshark
Start capture
1. Select Sniff - Unified Sniffing using the Ethernet port that is assigned to your BT5R3
machine (i.e. eth0)
2. Then Hosts - Scan for hosts (note: this scans the subnet rather than using a hosts file)
3. Once Ettercap is done scanning stop the Wireshark packet capture
4. Make certain to notice how Wireshark views the Ettercap scan.
Q.2.2.1: How could you use software to detect that Ettercap is being run on your network?
Remember to give a detailed response.
Now you are going to use the skills you learned in the previous section to perform a man-in-the-
middle attack on a connection. In this scenario a user on the Win7 machine will attempt to log in
to the FTP server on the CENTOS6.4 machine. Unknown to the victim, the attacker on the BT5R3
machine will be in the middle of the connection watching and logging the actions of the
victim(s).
First you must use Ettercap to select the victim machines and ARP poison them.
Now that the ARP poison has taken place between the two targets, conduct the following:
Q.2.3.1: What did you see different about the ARP cache on the two virtual machines
compared to before?
2.4. Displaying Ettercap’s Abilities to Conduct Man-in-the-Middle Attack
To illustrate how Ettercap can conduct a man-in-the-middle attack, you will be logging into
RHEL’s FTP server from Win7.
Before this takes place, make certain that you start another Wireshark session on the BT5R3
machine to help you clearly see all of the packets involved in the attack.
Q2.4.1: What did you notice about the packets' hardware addresses compared to their IP
addresses? How would software looking to detect this attack fail?
Q2.4.2: Were you able to get the userid and password using Ettercap?
Ettercap also has a wide variety of methods to disrupt a connection. Using the existing FTP
connection that has been established between the Win7 and CENTOS6.4 machines, attempt to
inject data or a file into this connection on either or both victim computers.
Now go ahead and "kill" the FTP connection between the victims' machines. Once completed,
you should be able to see that the connection was broken from the Win7 machine that
established the FTP connection to the CENTOS6.4 machine.
Q.2.5.2: How would you prevent an attacker from being able to shut down
computer connections such as FTP between CENTOS6.4 and Win7? Make certain to be
specific in order to demonstrate your knowledge on this topic.
Q4.3. On a scale of 1-10 (with 1 being easy and 10 being difficult) how would you rate this
lab?
Answer Sheet
Q.1.1.1: What did you see after typing “ARP”? Why is this?
Q.1.1.3: What command did you use to manually add the entry?
Q.1.1.4: What is the significance of ‘CM’? Make certain that you provide a detailed
response.
Q1.2.1 What happened when the machine was pinged? Why did this happen?
Q.2.2.1: How could you use software to detect that Ettercap is being run on your network?
Remember to give a detailed response.
Q.2.3.1: What did you see different about the ARP cache on the two virtual machines
compared to before? Make certain to explain your answer to demonstrate your knowledge
on this topic.
Q2.4.1: What did you notice about the packets' hardware addresses compared to their IP
addresses? How would software looking to detect this attack fail?
Q2.4.2: Were you able to get the userid and password on the BT5R3 machine using
Ettercap?
Q.2.5.2: How would you prevent an attacker from being able to shut down
computer connections such as FTP between CENTOS6.4 and Win7? Make certain to be
specific in order to demonstrate your knowledge on this topic.