Seed Lab Solution


ARP cache Poisoning Attack lab

Scenario

The Address Resolution Protocol (ARP) is a communication protocol used to discover the link-layer address, such as a MAC
address, associated with a given IP address. ARP is a very simple protocol and includes no
protection mechanism. ARP cache poisoning is a common attack against it: the attacker tricks the
victim into accepting forged IP-to-MAC mappings, so that the victim sends its packets to the forged
MAC address instead of the intended destination.

The purpose of this lab is to gain first-hand experience with the ARP cache poisoning attack and the harm
it can do. In particular, ARP cache poisoning can be used to launch a man-in-the-middle attack, in
which the attacker intercepts and alters the packets exchanged between victims A and B. The lab also
teaches packet sniffing and spoofing, which are basic network security skills and the foundation of
many network attack and defence tools.

Task 1: ARP cache poisoning

In this task, packet spoofing is used to launch an ARP cache poisoning attack on a target so that, when
two victim machines A and B try to communicate, their packets are intercepted by the attacker, who can
then modify them and thus sit between A and B. This is known as a Man-in-the-Middle (MITM) attack. In
this lab we use ARP cache poisoning to carry out the MITM attack.

ARP is a stateless protocol used within a local area network to resolve IP addresses to physical
media access control (MAC) addresses. In the attack, the attacker's MAC address is bound to the IP
address of a legitimate LAN host by sending a large number of forged ARP requests. The incorrect
entries poison the target machine's ARP cache, so traffic intended for the host that owns that IP
address is instead delivered to the malicious user. In the given scenario the ARP request is sent as
shown in the screenshots below:
Fig – 1 victim virtual machine
Fig – 2 ifconfig to check IP address mapping to MAC address
Fig – 3 BackTrack machine checking MAC address
Fig – 4 pinging machine
Fig – 5 checking ARP cache
Fig – 7 update info

As the screenshots above show, by sending an ARP request from the host machine we observed that the
MAC address was mapped, and by inspecting the reply packet we confirmed that B's MAC address was
mapped to B's IP address in A's cache. Finally, the cache information was updated to avoid any
inconsistency in the topology.

Task 2: MITM attack on telnet using ARP cache poisoning

In a man-in-the-middle (MITM) attack, the intruder inserts himself into the communication between two
targets and secretly relays, and possibly modifies, the messages between the two sides, who believe
they are communicating directly with each other. The perpetrator effectively impersonates the other
party in each direction, so he learns the content of the correspondence and can exploit it. This is
somewhat like a postal carrier who reads or alters the contents of a letter before delivering it.

Possible results of the attack include theft of an online user ID and password, local FTP credentials,
or a Secure Shell (SSH) or telnet session. A MITM attack exploits a weakness in an application, such as
a flawed Secure Sockets Layer (SSL) implementation: flaws or bugs in the program code and its
configuration are exploited to compromise the application's security.

In the given scenario we have set up the topology shown in the figure below:

Fig – 8 man-in-the-middle attack on telnet

The first important step of the attack is launching the ARP cache poisoning attack. Host M poisons the
ARP caches of both A and B: in A's cache, B's IP address is mapped to M's MAC address, and in B's cache,
A's IP address is mapped to M's MAC address. After this step, packets sent from A to B (and likewise
from B to A) are delivered to M. To accomplish this we reuse the ARP cache poisoning attack from Task 1.

Fig – 9 sniffing code

The skeleton sniffing program is used as the supporting program for the attack. It captures all TCP
packets and, for packets from A to B, makes changes (the modification itself is not included, as that
is part of the task). For packets from B to A, the program simply forwards the original packets.

Fig – 10 running program, IP forwarding

Fig – 11 capturing packets using Wireshark
Fig – 12 arp -a command

Because ARP is stateless and performs no authentication, the attacker can poison the victim's ARP
cache. The perpetrator pretends to be another machine and sends an ARP request, and the victim accepts
it without verifying that the sender's IP address is legitimate.
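A defender-side check that follows from the paragraph above, written here as an added example (not code from the lab or its skeleton program): it consumes observed IP-to-MAC bindings, either decoded ARP replies or the output of arp -a, and flags the two signatures a poisoning attack leaves behind. All addresses and the arp -a snapshot are constructed sample values.

```python
"""Defender-side ARP poisoning check (added example, not from the lab report).
Flags (1) an IP whose MAC binding changes and (2) one MAC bound to several IPs,
the footprint of a host M poisoning both A's and B's caches. Sample values constructed."""
import re
from collections import defaultdict
# Linux `arp -a` line: "? (10.0.2.6) at 08:00:27:bb:bb:02 [ether] on enp0s3"
ARP_A_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9A-Fa-f:]{17})")

def parse_arp_a(text):
    """(ip, mac) pairs from `arp -a` output; <incomplete> entries do not match."""
    return [(ip, mac.lower()) for ip, mac in ARP_A_LINE.findall(text)]

def detect_arp_poisoning(bindings, proxy_arp_macs=()):
    """bindings: (ip, mac) pairs in observed order (sniffed replies or a cache
    snapshot). proxy_arp_macs: MACs allowed to answer for many IPs (a gateway
    doing proxy ARP) so they do not raise false positives. Returns alert strings."""
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ip, mac in bindings:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"binding change: {ip} was {prev}, now {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1 and mac not in proxy_arp_macs:
                ips = ", ".join(sorted(mac_to_ips[mac]))
                alerts.append(f"one MAC claims several IPs: {mac} -> {ips}")
    return alerts
# Constructed replies: A and B answer for themselves, then M answers for both.
SAMPLE_REPLIES = [
    ("10.0.2.5", "08:00:27:aa:aa:01"),  # A (legitimate)
    ("10.0.2.6", "08:00:27:bb:bb:02"),  # B (legitimate)
    ("10.0.2.7", "08:00:27:cc:cc:03"),  # M, its own address
    ("10.0.2.6", "08:00:27:cc:cc:03"),  # forged: B's IP -> M's MAC (poisons A)
    ("10.0.2.5", "08:00:27:cc:cc:03"),  # forged: A's IP -> M's MAC (poisons B)
]
# Constructed `arp -a` snapshot taken on A after the poisoning.
SAMPLE_ARP_A = """\
? (10.0.2.1) at 52:54:00:12:35:00 [ether] on enp0s3
? (10.0.2.6) at 08:00:27:cc:cc:03 [ether] on enp0s3
? (10.0.2.7) at 08:00:27:cc:cc:03 [ether] on enp0s3
? (10.0.2.9) at <incomplete> on enp0s3
"""
if __name__ == "__main__":
    print(*detect_arp_poisoning(SAMPLE_REPLIES), sep="\n")
    print(*detect_arp_poisoning(parse_arp_a(SAMPLE_ARP_A)), sep="\n")
```

A single cache snapshot can only reveal the shared-MAC signature; the binding-change signature needs a sequence of observations, which is why the function accepts both.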

Fig – 13 poisoned

It should be noted that the above code captures all TCP packets, including those generated by the
program itself. This is undesirable, since it affects performance; the filter in the program should
be changed so that its own packets are not captured.

In Telnet, each typed character normally triggers a separate TCP packet, although if you type very
quickly several characters can end up in the same packet. A standard Telnet packet from client to
server therefore carries a payload of only one character. The server echoes the character back, and
only then does the client display it in its window. What appears in the client window is thus not the
direct product of typing: a round trip is needed before what we type is shown. If the network is
disconnected, nothing typed in the client window appears until the connection is restored. Similarly,
if an attacker changes the character to Z during the round trip, Z will appear in the Telnet client
window, even though it is not what was typed.

Task 3: MITM attack on Netcat using ARP cache poisoning

This task is identical to Task 2, except that hosts A and B use netcat rather than telnet to
communicate. Host M needs to intercept their communication so that the data transmitted between A and
B can be changed. A netcat TCP connection between A and B can be established using the following
commands:

Fig – 14 netcat

NetCAT shows that network-based cache side-channel attacks are a practical threat. Traditionally,
cache attacks were used to leak sensitive local data; with NetCAT this threat extends to untrusted
network clients, who can leak confidential data such as keystrokes in an SSH session from a remote
server without any local access. The root cause of the flaw is a new Intel feature called DDIO, which
gives network devices and other peripherals access to the CPU cache. As with ARP poisoning, this shows
that a feature introduced without a protection mechanism, in this case a performance enhancement for
fast networks, can have serious security consequences and expose servers to side-channel attacks over
the local network.

Fig – 15 installing netcat

Fig – 16 netcat
Fig – 17 nc command on 10.0.2.7

Conclusion

ARP spoofing, also known as ARP poisoning, is an attack on ARP that lets an attacker intercept
communication between network devices. Both devices update their ARP cache entries and from that
moment on communicate with the attacker rather than directly with each other. ARP poisoning is
generally used to associate the attacker's MAC address with the IP address of a target host, so that
all traffic meant for the target is received by the attacker. The attacker can then forward this
traffic to its intended destination, acting as a man in the middle (MitM). In this lab, packet
sniffing and altering were carried out and the impact of the ARP poisoning attack was understood, in
order to make devices more secure. Performing this attack gave an understanding of network security.
