SNIFFING THROUGH ARP POISONING


Introduction:

    Sniffing is the act of gaining access to data one does not have permission to see, by intercepting it or stealing it. For example, a friend who looks at your keyboard while you type your password is sniffing: they are accessing your data (the password) without your permission.
    Digital sniffing is very similar. An attacker on the same network as the victim tries to access the victim’s data through various methods and by exploiting weaknesses in the network. In this tutorial, we will go through one such method – ARP Poisoning.

What is ARP:

    ARP, the Address Resolution Protocol, is a communication protocol whose job is to translate an IP address into a physical (MAC) address. To communicate with a machine on the local network we need both its IP address and its MAC address, because the Data Link Layer hardware does not understand IP addresses. Simply put, ARP is used to find the MAC address of a computer in the network from its IP address. When a resolution is made through ARP, the computers involved store the result in an ARP table, whose entries are either static or dynamic.

    Imagine two computers, A and B, in the same network. Through DNS, A knows the IP address of B (B might be a website or a server). If A wants to send data packets to B, it needs the MAC address of B. So first, it looks in its own cached ARP table for a record corresponding to B. If there is a previous record, A has already communicated with B before and thus already has B’s MAC address. If there is no existing record, it broadcasts an ARP request to all the computers in the network, asking for a reply for the IP address of B. All the computers except B ignore this message, as it is not addressed to them. B responds with an ARP reply which contains its MAC address. B may add A’s details to its own ARP table, and A might do the same with B’s.


Everything works well until someone tries to break it:

    This is the part where an attacker comes into play. In an ARP Poisoning/Spoofing attack, messages meant for the target are delivered to the attacker instead, allowing the attacker to spy on, deny service to, or man-in-the-middle the target.
    In an ARP Poisoning/Spoofing attack, the attacker sends spoofed messages (pretending to be someone else) and tries to associate their own MAC address with the IP address of the victim on one side, and with the IP address of the switch on the other side. Because of this, the switch sends packets intended for the victim to the attacker, and the victim sends packets intended for the switch to the attacker. Effectively, the attacker sits between the victim and the switch (or whatever the victim is talking to), hence Man-In-The-Middle. The attacker can then just sniff the data or perform a DoS (Denial of Service).

How to do it:
    I have used Ettercap to demonstrate this. Ettercap is an open source tool used for Man-In-The-Middle attacks such as ARP and DNS poisoning. Unlike most of its alternatives, it has a graphical interface, which makes it easy to learn and understand. Even though the command line interface may provide more information, using Ettercap graphically is more comfortable for beginners. Ettercap is preinstalled in Kali Linux and is compatible with other Linux distros.

1)    First start Ettercap-Graphical and select your primary interface (ethernet or wifi).
2)    Go to the “Ettercap Menu”, then “Hosts”, enable IPv6 scan and click “Scan for hosts”.
    • This scans the local network on the selected interface for hosts that are alive. If we don’t enable the IPv6 option, the scan only shows hosts that use IPv4, the older protocol, and we want to know all the hosts on the network.

3)    Then go to Ettercap Menu -> Hosts -> Hosts list
    • This gives us a window showing all the live hosts in the network that were found during the scan. (I blurred the outputs which I got)

4)    Select your target/victim and click “Add to Target 1” to add them as the main target.

5)    Then click the “MITM Menu”, select “ARP Poisoning” and click “OK”.
    • This will start the ARP Poisoning attack on the victim.

6)    Click “Start Sniffing” to start sniffing.

In this example, my victim is trying to log in to an HTTP website. Ettercap re-routes the data packets to my machine and I can see details such as the website the victim was logging into, their username and their password, all of which is super valuable to an Ethical Hacker.

(I blurred the outputs which I got)

Limitations:

    1) Unfortunately, Ettercap can only intercept and show the packets of login pages, which gives us information like the website name, username and password. If someone wants to capture all of the victim’s data packets, they can redirect the output from Ettercap to Wireshark, which shows and analyses every packet. In this way, the attacker can get all the packets sent to and from the victim.

    2) This attack only works on websites that use outdated protocols like HTTP, Telnet and other vulnerable protocols, because the newer ones like HTTPS are encrypted. The attacker may get the victim’s data packets, but they can’t do anything with them as they are encrypted. There is one way around this, called SSL strip, which effectively downgrades HTTPS to HTTP and allows the attacker to read the data. But this too has been tackled by big companies like Google and Facebook.

How to protect against ARP Poisoning:

    1) Using a VPN – This is the best option for individuals but not for organisations, as encrypting and decrypting on a large scale will hinder the network’s performance and bring other complications.
    2) Using packet filters – They filter out malicious packets and suspicious IP addresses.
    3) Using static ARP entries instead of dynamic ones – This is one way to protect against ARP poisoning. But if someone is determined to get access to the data, they can carry out another similar attack called MAC spoofing.
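The following Python model is added here as an example; it is not part of the original tutorial and not Ettercap’s code. It ties the ARP cache behaviour described in the “What is ARP” section to the static-entry defence in point 3 above: a dynamic cache accepts whatever MAC the most recent reply claims for an IP, a static entry refuses the overwrite, and a passive monitor flags any IP whose MAC changes between replies, which is the check that tools such as arpwatch perform. The IP addresses, MAC addresses and the reply log are constructed for the example.

```python
"""ARP cache model with static entries, plus a passive ARP-reply monitor.

Added example, not part of the original tutorial or of Ettercap.
All hosts, MACs and the reply log below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ArpEntry:
    mac: str
    static: bool = False


@dataclass
class ArpCache:
    """One host's ARP table: IP -> (MAC, static flag)."""
    entries: dict = field(default_factory=dict)

    def add_static(self, ip, mac):
        """Pin an IP to a MAC; later replies cannot change it."""
        self.entries[ip] = ArpEntry(mac.lower(), static=True)

    def learn(self, ip, mac):
        """Update the table from an ARP reply the way a dynamic cache does.

        Returns True if the entry was written, False if a static entry
        protected it. A dynamic cache trusts any reply for the IP, which is
        exactly what ARP poisoning relies on.
        """
        mac = mac.lower()
        current = self.entries.get(ip)
        if current is not None and current.static:
            return False
        self.entries[ip] = ArpEntry(mac)
        return True

    def lookup(self, ip):
        entry = self.entries.get(ip)
        return None if entry is None else entry.mac


def detect_rebinding(replies):
    """Flag ARP replies that claim an IP already seen with a different MAC.

    `replies` is a list of (sender_ip, sender_mac) pairs in observed order.
    Returns one alert string per conflicting reply. The latest claim is kept,
    so an IP that keeps flipping between two MACs is reported on every flip.
    """
    seen = {}
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        previous = seen.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"{ip} changed from {previous} to {mac}")
        seen[ip] = mac
    return alerts


# Constructed reply log: the gateway 192.168.1.1 really lives at aa:...:01;
# the third reply claims the gateway's IP with a different MAC.
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ("192.168.1.20", "bb:bb:bb:bb:bb:20"),
    ("192.168.1.1", "cc:cc:cc:cc:cc:99"),
    ("192.168.1.20", "bb:bb:bb:bb:bb:20"),
]


def demo():
    """Feed the same replies to a dynamic cache and to one with a pinned gateway."""
    dynamic = ArpCache()
    pinned = ArpCache()
    pinned.add_static("192.168.1.1", "aa:aa:aa:aa:aa:01")
    for ip, mac in SAMPLE_REPLIES:
        dynamic.learn(ip, mac)
        pinned.learn(ip, mac)
    return (dynamic.lookup("192.168.1.1"),
            pinned.lookup("192.168.1.1"),
            detect_rebinding(SAMPLE_REPLIES))


if __name__ == "__main__":
    dyn, pin, alerts = demo()
    print("dynamic cache now resolves the gateway to", dyn)
    print("static cache still resolves the gateway to", pin)
    for alert in alerts:
        print("ALERT:", alert)
```

On Linux a pinned entry like the one in `demo()` corresponds to `ip neigh replace <ip> lladdr <mac> dev <iface> nud permanent` (or `arp -s <ip> <mac>`). The monitor only sees that a binding changed, so a legitimately replaced network card raises the same alert; confirm against switch port or DHCP records before acting on it.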


Conclusion:

    That’s it! We have successfully implemented an ARP Poisoning attack.
ARP Poisoning and other similar attacks are very dangerous for an individual and even more dangerous for a company. This is why individuals and companies should protect themselves against such attacks, and why we must always be prepared for them.
