Introduction
Up until now all the main stream information about sniffing a
This document will teach you that it is possible due to flaws and security problems within TCP/IP.
We will be utilizing two programs: one is called arpspoof and the other fragrouter.
TCP/IP Overview
As most of you know, TCP/IP utilizes ARP (Address Resolution Protocol) to convert IP addresses into hardware addresses. This hardware address is referred to as a MAC (Media Access Control) address. Once the destination's MAC address is determined, the encapsulated IP packet can be transmitted to the host. Every host on the network must have a unique MAC address to communicate on an Ethernet LAN.
Within Ethernet ARP there are four types of messages:
ARP request – A request for a destination host's MAC address; this is usually sent to all hosts in a broadcast domain.
ARP reply – This is a response to the ARP request and tells the hardware address of the destination host.
RARP request – This is a Reverse ARP request. This requests the IP address of a known MAC address.
RARP reply – This is a response to the RARP request and tells the IP address of the requested MAC address.
All Ethernet hosts and
Sniffing traffic on a network utilizing a hub is easy because all traffic is transmitted to each host on the network. Sniffing a
Since there is no way built into TCP/IP to verify which MACs are associated with which IP addresses, other than asking or looking in its ARP table, this opens TCP/IP up for exploitation.
So the goal of a malicious hacker would be to trick your system into updating its ARP table so that data goes to the attacker instead.
There are many ways to do this, but for the purpose of this document we will cover arpspoof from dsniff.
Network Setup
We have a pretty basic network setup here: 3 hosts connected by a
HostA: 192.168.0.2 MAC: 00:08:74:95:65:11
HostB: 192.168.0.3 MAC: 00:08:74:46:EB:08
HostC: 192.168.0.4 MAC: 00:02:B3:A4:7F:8B
For the purpose of this document we are HostC, a Linux box. HostA and HostB can be something else; it doesn't really matter: HostA could be a Sun box and HostB could be its default router, HostA could be a PC and HostB a Sun box, etc…
On HostC we will download and install dsniff
Src: http://monkey.org/~dugsong/dsniff/
Pkg: http://www.rpmfind.net
On HostC we will also download and install fragrouter
http://www.securityfocus.com/tools/176
>> tar zxvf fragrouter-1.6.tar.gz
>> ./configure
>> make
>> make install
Running Fragrouter
This app is very simple. We just want to do normal IP forwarding: we want the traffic to make it to the destination, we just want to see it first.
>> fragrouter -B1
Running ARPSPOOF
The man page gives a complete explanation of how to use arpspoof. For this document we will run arpspoof like this (again, we want to watch traffic from HostA to HostB):
>> arpspoof -t HostA HostB
The man page for arpspoof says that -t target is the box whose ARP table you want to spoof, meaning we want to update HostA's ARP table, telling it that the MAC address of HostB is 00:02:B3:A4:7F:8B (which, if you look above, is the MAC address of HostC).
Fragrouter will just route the packets on to HostB.
Preventing Against This Type of Attack
Well there are a few ways to go about this.
1) You can gather all the MAC information for every host on your network and feed that into a startup script using arp -p. The problem with this is that every host will need to be updated if/when a network card gets replaced. — BAD IDEA
2) Solaris – Change the default arp_cleanup_interval. The default is 5 min., which means Solaris keeps ARP values in its ARP cache for 5 minutes.
ndd -set /dev/arp arp_cleanup_interval 6000
3) Arpwatch – This is one of the greatest tools for protecting yourself against this type of attack.
You can download it for Linux from rpmfind.net and for Solaris from sunfreware.com.
Example of logs:
Jun 23 10:22:02 hostA arpwatch: new station 192.168.0.5 00:02:B3:A4:7F:8B
Jun 23 10:22:02 hostA arpwatch: changed ethernet address 192.168.0.3 00:02:B3:A4:7F:8B (00:08:74:46:EB:08)
The log on hostA, which is running arpwatch, shows that hostB's (192.168.0.3) MAC address has changed to what we know is hostC's. You can easily set up scripts which monitor for this type of activity.
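As an added example (not part of the original document or of arpwatch), here is the check arpwatch performs, replayed in Python over constructed (IP, MAC) observations for this document's three hosts. The last observation is the spoofed mapping the arpspoof run above produces on HostA: HostB's IP now claimed by HostC's MAC, which shows up both as a changed address and as one MAC owning two IPs.

```python
"""ARP-change monitor: the arpwatch check, replayed over constructed data."""
from collections import defaultdict

# Constructed sample: (ip, mac) pairs as they might be observed from ARP
# replies on this document's LAN. The final entry is the spoofed reply in
# which HostB's IP (192.168.0.3) is claimed by HostC's MAC.
OBSERVED = [
    ("192.168.0.2", "00:08:74:95:65:11"),  # HostA
    ("192.168.0.3", "00:08:74:46:EB:08"),  # HostB
    ("192.168.0.4", "00:02:B3:A4:7F:8B"),  # HostC
    ("192.168.0.3", "00:02:B3:A4:7F:8B"),  # spoofed: HostB's IP -> HostC's MAC
]


def monitor(observations):
    """Replay (ip, mac) observations and return a list of alert strings.

    Two conditions are flagged: an IP whose MAC differs from the one last
    seen (what arpwatch logs as "changed ethernet address"), and a MAC that
    is simultaneously claimed by more than one IP, which is the footprint
    the arpspoof run in this document leaves in HostA's ARP table.
    """
    ip_to_mac = {}                  # current IP -> MAC binding
    mac_to_ips = defaultdict(set)   # reverse index: MAC -> set of IPs
    alerts = []
    for ip, mac in observations:
        mac = mac.lower()           # normalise case so "AB" vs "ab" is not a change
        old = ip_to_mac.get(ip)
        if old is None:
            alerts.append(f"new station {ip} {mac}")
        elif old != mac:
            alerts.append(f"changed ethernet address {ip} {mac} ({old})")
            mac_to_ips[old].discard(ip)
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            claimants = sorted(mac_to_ips[mac])
            alerts.append(f"duplicate MAC {mac} claimed by {claimants}")
    return alerts


if __name__ == "__main__":
    for line in monitor(OBSERVED):
        print(line)
```

Feeding this the same observations arpwatch sees reproduces the "changed ethernet address" entry from the log above, plus a duplicate-MAC alert that a static ARP table never raises.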
In Summary
As you can tell, this document provides a basis for ARP spoofing; however, this basic idea lays the way for SSH and SSL man-in-the-middle attacks. Once a box is compromised and used as a gateway in a network, the entire network's security becomes open for exploitation.