Monday, February 13, 2012

arpspoof

We can start the tool simply from the terminal. I don't want to go into the details of how arpspoof works; there is plenty written about that on the Internet. In short, we can become a man in the middle between two hosts on a LAN by overwriting their ARP tables with a false entry that points to us instead of the real address - and this can be done with ARP itself.

Before we start it, we need to turn on IP forwarding on Linux, otherwise the redirected traffic is dropped at our machine instead of being passed on:

root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward

Usage:

arpspoof [-i interface] [-t target] host
where
target - the host whose traffic we want to sniff
host - the host we want to impersonate

Thus we need to run it in two terminal windows: running it against a single target shows us only one direction of the traffic, so we need to impersonate both hosts.

Example:

root@bt:~# arpspoof -i eth1 -t 192.168.1.2 192.168.1.18
root@bt:~# arpspoof -i eth1 -t 192.168.1.18 192.168.1.2



After that we can see the traffic in Wireshark:


The tool is part of the dsniff package, which is available here:


Protection:

Most modern switches already have a feature that tracks which MAC address is used on a port and allows only valid ARP traffic, which means that only those ARP packets are forwarded that contain the MAC address of the host on that port. Cisco and Juniper call it "Dynamic ARP Inspection (DAI)". More information:
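Where the switch does not offer DAI, the same attack can still be noticed from a host, because it leaves a very visible trace in the ARP traffic: an IP address that suddenly answers from a different MAC, and one MAC that answers for several IPs (exactly the pattern of the two arpspoof commands above). The following is an added example of such a check, not code from the original post or from the dsniff project. It works on already-decoded (IP, MAC) pairs; the tab-separated sample lines and all addresses are constructed for the example, shaped like `tshark -T fields -e arp.src.proto_ipv4 -e arp.src.hw_mac` output, and the class and function names are my own.

```python
"""Host-side detector for ARP poisoning symptoms (added example).

Assumes ARP replies have already been captured and decoded into
(sender IP, sender MAC) pairs, e.g. exported from Wireshark/tshark.
All addresses below are constructed sample data, not real hosts.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample: host A (192.168.1.2) and host B (192.168.1.18) first
# answer for themselves, then a third MAC starts answering for both of them,
# which is what the two-sided arpspoof run in the post looks like on the wire.
SAMPLE_LINES = """\
192.168.1.2\t00:11:22:33:44:02
192.168.1.18\t00:11:22:33:44:18
192.168.1.2\t00:11:22:33:44:02
192.168.1.18\tDE:AD:BE:EF:00:01
192.168.1.2\tDE:AD:BE:EF:00:01
"""


def parse_lines(text: str) -> List[Tuple[str, str]]:
    """Turn 'ip<TAB>mac' lines into (ip, mac) pairs, skipping blanks/garbage."""
    pairs = []
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 2 or not parts[0] or not parts[1]:
            continue
        pairs.append((parts[0], parts[1].lower()))
    return pairs


@dataclass
class ArpMonitor:
    """Tracks IP->MAC bindings the way arpwatch-style tools do."""
    ip_to_mac: Dict[str, str] = field(default_factory=dict)
    mac_to_ips: Dict[str, Set[str]] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def observe(self, sender_ip: str, sender_mac: str) -> List[str]:
        """Process one ARP reply and return the alerts it raised (if any)."""
        new_alerts: List[str] = []
        mac = sender_mac.lower()

        # Symptom 1: an IP we have seen before now answers from another MAC.
        # This is the classic poisoning sign, but a NIC swap or a DHCP lease
        # moving to another machine produces the same event, so it needs
        # a human (or a whitelist of known changes) to confirm.
        previous = self.ip_to_mac.get(sender_ip)
        if previous is not None and previous != mac:
            new_alerts.append(
                f"flip-flop: {sender_ip} moved from {previous} to {mac}")
        self.ip_to_mac[sender_ip] = mac

        # Symptom 2: one MAC claims more than one IP. Alert only when the set
        # grows, so repeated normal replies stay quiet. Routers and hosts with
        # virtual IPs do this legitimately, so treat it as lower confidence.
        ips = self.mac_to_ips.setdefault(mac, set())
        if sender_ip not in ips:
            ips.add(sender_ip)
            if len(ips) > 1:
                new_alerts.append(f"multi-ip: {mac} claims {sorted(ips)}")

        self.alerts.extend(new_alerts)
        return new_alerts


def analyze(text: str) -> List[str]:
    """Run the monitor over a whole capture export and return all alerts."""
    monitor = ArpMonitor()
    for ip, mac in parse_lines(text):
        monitor.observe(ip, mac)
    return monitor.alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES):
        print(alert)
```

On the sample data the first three replies are silent, the fourth raises a flip-flop alert for 192.168.1.18, and the fifth raises both a flip-flop alert for 192.168.1.2 and a multi-ip alert for the MAC now answering for both hosts. Because DAI-style checks on the switch can validate the binding against the port, they are the more reliable control; a host-side monitor like this is a fallback that tells you something changed, not proof of an attack.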
