ARP Cache Poisoning Man-in-the-Middle with Ettercap

Man-in-the-Middle attacks are good to have in your bag of tricks. Here is one with ARP Cache Poisoning.

Overview

ARP Cache Poisoning is an attack based on impersonating a system on the network: each end of a communication is made to believe that the other end is the attacker’s system, so the attacker intercepts the traffic exchanged between them. This type of attack is classified as a Man-in-the-Middle (MITM) and is accomplished by the attacker in two steps:

  1. Sending a modified ARP packet to the source system of a given communication saying that the destination IP address belongs to the attacker’s MAC address.
  2. Sending a modified ARP packet to the destination system of a given communication saying that the source IP address belongs to the attacker’s MAC address.

From this moment, both systems exchange information through the attacker’s system.

ARP High-level Overview And Why This Attack is Possible

Most networks are Ethernet networks using TCP/IP for communications. IP is often viewed as the sole means of routing a packet, but once an IP packet comes into an Ethernet Local Area Network (LAN), it must be converted into a packet that Ethernet can understand. Ethernet was built to support protocols other than just TCP/IP and therefore does not rely on IP addresses to deliver packets. When an Ethernet device delivers an IP packet to a network segment, the packet is encapsulated into an Ethernet frame for local handling and uses the network card’s hardware address when transmitting packets between systems. This hardware address is referred to as the Media Access Control (MAC) address, written as a 6-byte hex string such as 00:0A:CC:A3:38:D3, and uniquely identifies a particular piece of equipment.

When an Ethernet interface receives a packet, it looks at the MAC address to see if the packet is destined for it. If so, it picks it up off the wire and passes it up the operating system (OS) layers to be further processed. When sending an IP packet, Ethernet uses the Address Resolution Protocol (ARP) to resolve IP addresses into hardware MAC addresses. Once the destination’s MAC address is determined, the IP Packet can be encapsulated into an Ethernet frame and transmitted to the destination host.

Systems accept something called a “gratuitous ARP”, in which a system announces its MAC/IP address without being asked, and ARP gives the receiver no way to verify the announcement. In an ARP spoofing attack, the attacking system sends a gratuitous ARP to each communication end point to trick the end points into communicating through the attacker.
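The unverified announcements described above leave visible traces in ARP traffic. The following is an added example, not code from the original post or from Ettercap: a passive check that decodes ARP bodies and flags replies nobody requested, changed IP-to-MAC bindings, and one MAC answering for several IPs. The MAC addresses, function names and capture are constructed; the two IP addresses are the targets used in this post's Ettercap command.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"  # htype ptype hlen plen oper sha spa tha tpa (28 bytes)

def parse_arp(payload):
    """Decode the 28-byte body of an Ethernet/IPv4 ARP packet."""
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return oper, sha.hex(":"), str(IPv4Address(spa)), str(IPv4Address(tpa))

def detect(capture):
    """Return one alert list per packet; tracks IP-to-MAC bindings as it goes."""
    ip_to_mac, asked, out = {}, set(), []
    for payload in capture:
        oper, sha, spa, tpa = parse_arp(payload)
        alerts = []
        if oper == 1:                         # request: remember who asked for what
            asked.add((spa, tpa))
        elif (tpa, spa) in asked:             # solicited reply: consume the request
            asked.discard((tpa, spa))
        else:                                 # reply that nobody requested
            alerts.append(f"unsolicited reply: {spa} is-at {sha}")
        if ip_to_mac.get(spa, sha) != sha:    # known binding changed
            alerts.append(f"rebind: {spa} moved from {ip_to_mac[spa]} to {sha}")
        shared = sorted(ip for ip, m in ip_to_mac.items() if m == sha and ip != spa)
        if shared:                            # one MAC answering for several IPs
            alerts.append(f"shared MAC: {sha} claims {spa} and {', '.join(shared)}")
        ip_to_mac[spa] = sha
        out.append(alerts)
    return out

def sample(oper, sha, spa, tha, tpa):  # constructed ARP body for the demo; nothing is sent
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha),
                       IPv4Address(spa).packed, mac(tha), IPv4Address(tpa).packed)

# Constructed MAC addresses (locally administered range), not taken from the post.
SERVER, CLIENT, ROGUE = "02:00:00:00:00:05", "02:00:00:00:00:82", "02:00:00:00:00:66"
CAPTURE = [
    sample(1, CLIENT, "192.168.0.130", "00:00:00:00:00:00", "192.168.0.5"),  # who-has
    sample(2, SERVER, "192.168.0.5", CLIENT, "192.168.0.130"),               # real answer
    sample(2, ROGUE, "192.168.0.5", CLIENT, "192.168.0.130"),                # forged
    sample(2, ROGUE, "192.168.0.130", SERVER, "192.168.0.5"),                # forged
]

if __name__ == "__main__":
    print(*detect(CAPTURE), sep="\n")
```

Proxy ARP and legitimate address changes (DHCP reassignment, a replaced network card) raise the same alerts, so treat each one as a lead to verify against known-good bindings.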

Ettercap

Ettercap is a comprehensive suite for MitM techniques, and ARP Cache Poisoning is just one of its many features.

For this attack, I will be poisoning the ARP Cache of my Windows 7 machine and a webserver that the Windows 7 machine is communicating with. Here is a visual of the initial conditions:

[Image: ARP_Cache_Poison]

To start the attack, my Ettercap command is:

root@kali:~# ettercap -TqM arp:remote /192.168.0.5/ /192.168.0.130/

This sends a gratuitous ARP to the victim and the web server, making them believe the attacker’s MAC address is the hardware address of the machine they are actually trying to communicate with. The traffic gets forwarded through Ettercap to the victim, so the victim has no indication that anything is wrong. If the victim visits a site that uses SSL, the victim will receive a certificate error (but may just click through it). As an attacker, you can just sit back and wait for interesting traffic to go through. In this scenario, when my victim visits the webserver and authenticates to the site, Ettercap captures the following:

HTTP : 192.168.0.5:80 -> USER: jake  PASS: password  INFO: http://192.168.0.5/DVWA-1.0.8/login.php

CONTENT: username=jake&password=password&Login=Login

You can also write custom filters with Ettercap that allow you to do some manipulation of the client traffic, which leads to cooler attacks.

Here is a video demonstrating the attack:
