EX. NO. 08                                                    DATE:
IEN: 12226003

ARP SPOOFING

Aim:
To detect ARP spoofing using nmap and/or the open-source tool arpwatch together with Wireshark, and to use the arping tool to generate gratuitous ARPs and monitor them with Wireshark.

Hardware / Software Required:
- PC with a UNIX or Linux desktop OS

Theory:
ARP (Address Resolution Protocol) spoofing, also known as ARP poisoning or ARP cache poisoning, is an attack in which an attacker sends falsified ARP messages over a local area network (LAN). The goal is to bind the attacker's MAC address to the IP address of a legitimate device (typically the default gateway or another host), so that frames intended for that device are delivered to the attacker's machine instead. ARP spoofing is used for eavesdropping, man-in-the-middle attacks, session hijacking and network disruption (a denial of service, when the diverted traffic is simply dropped). The attack works because ARP has no authentication: a host accepts any ARP reply that reaches it, including unsolicited ones, and overwrites the matching cache entry.

Working of ARP Spoofing:

ARP Protocol: ARP maps IPv4 addresses to MAC addresses on a LAN. When a device needs to send to another device on the same subnet, it broadcasts an ARP request ("who has 10.0.2.6?") and the owner of that address answers with an ARP reply carrying its MAC address. The answer is stored in the ARP cache, a table of IP-to-MAC mappings whose entries age out after a short time. A gratuitous ARP is an ARP packet a host sends for its own IP address (sender and target IP are the same); hosts use it to announce a new address or to detect duplicates, and because neighbours may update their caches from it, an attacker can abuse the same mechanism.

Discovery Phase: The attacker first monitors ARP traffic on the LAN (or runs an ARP scan) to learn the IP and MAC addresses of the other devices, and chooses which ones to target, usually a victim host and the gateway.

Spoofing ARP Replies: Once the targets are identified, the attacker sends forged ARP replies to them, claiming to be the owner of a specific IP address. These replies carry the attacker's MAC address instead of the true MAC address of the device that owns the IP address. Because cache entries expire, the attacker repeats the forged replies periodically.

Updating ARP Cache: When a target receives a spoofed reply it updates its ARP cache with the false mapping between the IP address and the attacker's MAC address.
As a result, any traffic the target sends to the spoofed IP address is delivered to the attacker's machine instead of the legitimate device.

Packet Interception or Modification: With the traffic redirected to it, the attacker can intercept, modify or analyze the packets before forwarding them to the real destination (forwarding requires IP forwarding to be enabled on the attacker's machine; without it the victim's connection simply breaks). This allows the attacker to read sensitive information, manipulate the communication between the two devices, or launch further attacks.

Countermeasures against ARP spoofing:

Static ARP Entries: Manually configure static ARP entries on hosts and network devices so that the mappings for critical devices (for example the gateway) cannot be overwritten by ARP replies. This is effective but impractical for large or dynamic networks and carries significant administrative overhead.

ARP Spoofing Detection Tools: Use network monitoring tools or an intrusion detection system (IDS) that alert administrators to suspicious ARP activity, such as an IP address whose MAC address changes, one MAC address claiming several IP addresses, or a flood of unsolicited replies. arpwatch, used in this experiment, keeps a database of IP/MAC pairs per interface and reports "new station", "changed ethernet address" and "flip flop" events to syslog and by mail.

ARP Inspection (ARP Spoofing Prevention): Enable Dynamic ARP Inspection (DAI) on managed switches. DAI validates the sender IP/MAC pair of every ARP packet arriving on an untrusted port against the DHCP snooping binding table (or configured static bindings) and discards packets with conflicting or falsified information.

Port Security: Configure port security on switches to limit the number of MAC addresses allowed on each port and, where possible, to pin a port to a known MAC address. This keeps rogue devices and MAC-flooding attacks off the network; it does not by itself stop an already-connected host from sending forged ARP replies, so it complements DAI rather than replacing it.

Encryption and Authentication: Use encrypted, authenticated protocols (TLS, SSH, VPNs) for network communications. They do not prevent the redirection itself, but they deny the attacker readable or modifiable content and make tampering visible through certificate or host-key mismatches, as long as users do not click through such warnings.

Network Segmentation: Segment the network into smaller, isolated subnets or VLANs (Virtual Local Area Networks) to minimize the impact of ARP spoofing attacks.
By limiting the scope of ARP traffic to one segment, an attacker can only poison the hosts in its own broadcast domain, which makes widespread attacks across the entire network much harder.

Procedure:

1. Install the necessary tools. Ensure that Nmap, arpwatch, Wireshark and arping are installed; if not, install them with the package manager:

   sudo apt update
   sudo apt install nmap arpwatch wireshark iputils-arping

   An nmap ping sweep of the subnet (-sn) lists every live host with its MAC address and gives a baseline to compare later ARP observations against.

2. Configure arpwatch. arpwatch records the IP/MAC pairs it sees on the interfaces it is told to watch; make sure the service is running:

   sudo systemctl start arpwatch

   Its alerts ("changed ethernet address", "flip flop") are written to the system log, so keep a terminal on the log while the spoofing is performed.

3. Capture ARP packets with Wireshark. Start Wireshark from the terminal:

   sudo wireshark

   Select the network interface to monitor and start capturing. (Running the Wireshark GUI as root is discouraged; on Debian/Ubuntu, adding the user to the wireshark group allows unprivileged capture. A display filter of arp, or arp.isgratuitous == 1 for gratuitous ARPs only, isolates the relevant frames.)

OUTPUT:

Attacker machine (seed@VM, 10.0.2.5):

[03/30/23]seed@VM:~$ ifconfig
enp0s3    Link encap:Ethernet  HWaddr 08:00:27:e7:ca:c6
          inet addr:10.0.2.5  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::c7e3:99e9:30ac:2dbf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:71 errors:0 dropped:0 overruns:0 frame:0
          TX packets:79 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8807 (8.8 KB)  TX bytes:8266 (8.2 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:80 errors:0 dropped:0 overruns:0 frame:0
          TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:22428 (22.4 KB)  TX bytes:22428 (22.4 KB)

[03/30/23]seed@VM:~$ ping 10.0.2.6
PING 10.0.2.6 (10.0.2.6) 56(84) bytes of data.
64 bytes from 10.0.2.6: icmp_seq=1 ttl=64 time=1.23 ms
--- 10.0.2.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.233/1.233/1.233/0.000 ms

[03/30/23]seed@VM:~$ arp
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.2.1                 ether   52:54:00:12:35:00   C                     enp0s3
10.0.2.6                 ether   08:00:27:89:d7:bb   C                     enp0s3

[03/30/23]seed@VM:~$ sudo netwox 72 -i "10.0.2.6" -d "enp0s3" -E 0:aa:bb:cc:dd:ee -I 1.2.3.4
10.0.2.6 : 08:00:27:89:D7:BB

netwox tool 72 sends a forged ARP packet to 10.0.2.6 (resolved to 08:00:27:89:D7:BB in the output line) announcing that 1.2.3.4 is at the fake MAC address 0:aa:bb:cc:dd:ee; the victim's ARP cache shows the effect.
Victim machine (seed@VM, 10.0.2.6):

[03/30/23]seed@VM:~$ ifconfig
enp0s3    Link encap:Ethernet  HWaddr 08:00:27:89:d7:bb
          inet addr:10.0.2.6  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::ff1c:d8f9:a269:5db2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:43 errors:0 dropped:0 overruns:0 frame:0
          TX packets:74 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4942 (4.9 KB)  TX bytes:7719 (7.7 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:75 errors:0 dropped:0 overruns:0 frame:0
          TX packets:75 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:21793 (21.7 KB)  TX bytes:21793 (21.7 KB)

[03/30/23]seed@VM:~$ arp
Address                  HWtype  HWaddress           Flags Mask            Iface
(Address column not legible in the capture; the three entries are, from their MAC addresses:)
10.0.2.5 (attacker)      ether   08:00:27:e7:ca:c6   C                     enp0s3
10.0.2.1 (gateway)       ether   52:54:00:12:35:00   C                     enp0s3
1.2.3.4 (spoofed entry)  ether   00:aa:bb:cc:dd:ee   C                     enp0s3

[03/30/23]seed@VM:~$ ping 1.2.3.4
PING 1.2.3.4 (1.2.3.4) 56(84) bytes of data.
(no replies: the echo requests are sent to the non-existent MAC 00:aa:bb:cc:dd:ee)

Wireshark on enp0s3 (capture started 2023-03-30 01:12:15; 18 packets, 18 displayed): every frame is an ICMP Echo (ping) request of 98 bytes from 10.0.2.6 to 1.2.3.4, id=0x08f0, seq 172 to 189, ttl=64, each flagged "(no response found!)", timestamps 01:12:18 to 01:12:32.

Enabling forwarding on the attacker machine:

[03/30/23]seed@VM:~$ echo "setting ip_forward = 1 to allow redirection"
setting ip_forward = 1 to allow redirection
[03/30/23]seed@VM:~$ (sysctl command not legible in the capture; its confirmation line follows)
net.ipv4.ip_forward = 1
[03/30/23]seed@VM:~$ sysctl -a | grep net.ipv4.ip_forward
sysctl: permission denied on key 'fs.protected_hardlinks'
sysctl: permission denied on key 'fs.protected_symlinks'
sysctl: permission denied on key 'kernel.cad_pid'
sysctl: permission denied on key 'kernel.unprivileged_userns_apparmor_policy'
sysctl: permission denied on key 'kernel.usermodehelper.bset'
sysctl: permission denied on key 'kernel.usermodehelper.inheritable'
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
sysctl: permission denied on key 'net.ipv4.tcp_fastopen_key'
sysctl: permission denied on key 'net.ipv6.conf.all.stable_secret'
sysctl: permission denied on key 'net.ipv6.conf.default.stable_secret'
sysctl: permission denied on key 'net.ipv6.conf.enp0s3.stable_secret'
sysctl: permission denied on key 'net.ipv6.conf.lo.stable_secret'
sysctl: permission denied on key 'vm.mmap_rnd_bits'
sysctl: permission denied on key 'vm.stat_refresh'

(The "permission denied" lines come from sysctl -a walking root-only keys as an unprivileged user; they are noise, not a problem with the setup. The two net.ipv4.ip_forward lines confirm that forwarding is on.)

[03/30/23]seed@VM:~$ arp
(ARP table output not legible in the capture)

Ping replies observed after forwarding was enabled:

64 bytes from 10.0.2.16: icmp_seq=8 ttl=63 time=3.67 ms
64 bytes from 10.0.2.16: icmp_seq=9 ttl=63 time=3.65 ms
64 bytes from 10.0.2.16: icmp_seq=10 ttl=64 time=6.48 ms
64 bytes from 10.0.2.16: icmp_seq=11 ttl=64 time=3.59 ms
64 bytes from 10.0.2.16: icmp_seq=12 ttl=64 time=0.821 ms
64 bytes from 10.0.2.16: icmp_seq=13 ttl=64 time=1.27 ms
64 bytes from 10.0.2.16: icmp_seq=14 ttl=64 time=1.37 ms

The TTL is the tell-tale sign: a reply with ttl=63 from a host on the same /24 has crossed one extra IP hop (the forwarding attacker), whereas ttl=64 means the reply was delivered directly.
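Added example (my own script, not part of this lab handout or of the SEED VM): the detection side of the experiment as a shell script. It normalises `ip neigh` output into IP/MAC pairs, diffs two snapshots the way arpwatch does (reporting an IP whose MAC changed and a MAC that now answers for several IPs, both signatures of a poisoning), filters arpwatch's alarm lines out of syslog text, and wraps the arping/tshark commands for the gratuitous-ARP step of the Aim that the procedure above omits. The interface name enp0s3, the ARP snapshots and the syslog lines are constructed from the addresses in this report (the attacker MAC 08:00:27:e7:ca:c6 is shown claiming the gateway 10.0.2.1, a scenario the report does not itself perform); the arping and tshark helpers need root and a live interface, so they are only defined, not executed.

```shell
#!/usr/bin/env bash
# Added example for this lab (not part of the handout). Assumed interface name:
IFACE="${IFACE:-enp0s3}"

# Aim step the procedure omits: announce our own IP with 3 gratuitous ARPs
# (iputils arping: -U = unsolicited ARP request, -A = unsolicited ARP reply).
# Needs root and a real interface, so it is not executed by this script.
send_gratuitous_arp() {
  sudo arping -U -I "$IFACE" -c 3 "$1"
}

# Show only gratuitous ARPs / duplicate-address events, one line per frame.
watch_gratuitous_arp() {
  sudo tshark -i "$IFACE" -Y 'arp.isgratuitous == 1 || arp.duplicate-address-detected' \
       -T fields -e frame.time_relative -e arp.src.proto_ipv4 -e arp.src.hw_mac -e arp.opcode
}

# Normalise `ip -4 neigh` lines ("10.0.2.6 dev enp0s3 lladdr 08:00:27:89:d7:bb REACHABLE")
# into "ip mac" pairs; entries without a MAC (FAILED/INCOMPLETE) are dropped.
parse_ip_neigh() {
  awk '$4 == "lladdr" { print $1, $5 }'
}

# Diff two "ip mac" snapshots the way arpwatch reasons about its database:
#   CHANGED  ip old-mac -> new-mac   (arpwatch: "changed ethernet address")
#   NEW      ip mac                  (arpwatch: "new station")
#   MULTI-IP mac ip1 ip2 ...         one MAC answering for several IPs
diff_arp_snapshots() {
  awk -v before="$1" -v after="$2" '
    BEGIN {
      nb = split(before, B, "\n")
      for (i = 1; i <= nb; i++) if (split(B[i], f, " ") == 2) old[f[1]] = f[2]
      na = split(after, A, "\n")
      for (i = 1; i <= na; i++) {
        if (split(A[i], f, " ") != 2) continue
        ip = f[1]; mac = f[2]
        if (ip in old && old[ip] != mac) printf "CHANGED %s %s -> %s\n", ip, old[ip], mac
        else if (!(ip in old))          printf "NEW %s %s\n", ip, mac
        claims[mac] = claims[mac] " " ip
      }
      for (mac in claims) if (split(claims[mac], t, " ") > 1) printf "MULTI-IP %s%s\n", mac, claims[mac]
    }'
}

# Keep only the arpwatch syslog events that indicate poisoning; "new station" is normal.
arpwatch_alarms() {
  printf '%s\n' "$1" | grep -E 'arpwatch: (changed ethernet address|flip flop|ethernet mismatch)'
}

# Constructed data: the victim's cache before and after a gateway poisoning in which
# the attacker (08:00:27:e7:ca:c6, 10.0.2.5 in this report) claims the gateway 10.0.2.1.
BEFORE='10.0.2.1 52:54:00:12:35:00
10.0.2.5 08:00:27:e7:ca:c6
10.0.2.6 08:00:27:89:d7:bb'
AFTER='10.0.2.1 08:00:27:e7:ca:c6
10.0.2.5 08:00:27:e7:ca:c6
10.0.2.6 08:00:27:89:d7:bb
10.0.2.16 08:00:27:aa:11:22'

# Constructed syslog lines in arpwatch's format (it prints MACs without leading zeros).
SYSLOG='Mar 30 01:12:10 VM arpwatch: new station 10.0.2.16 8:0:27:aa:11:22 enp0s3
Mar 30 01:12:18 VM arpwatch: changed ethernet address 10.0.2.1 8:0:27:e7:ca:c6 (52:54:0:12:35:0) enp0s3
Mar 30 01:12:25 VM arpwatch: flip flop 10.0.2.1 52:54:0:12:35:0 (8:0:27:e7:ca:c6) enp0s3'

# Live use would be:  before="$(ip -4 neigh | parse_ip_neigh)"; ...; diff_arp_snapshots "$before" "$after"
diff_arp_snapshots "$BEFORE" "$AFTER"
arpwatch_alarms "$SYSLOG"
```

Run on the constructed snapshots the diff reports CHANGED for 10.0.2.1, NEW for 10.0.2.16 and MULTI-IP for 08:00:27:e7:ca:c6 (claiming both 10.0.2.1 and 10.0.2.5), which is exactly what a poisoned victim cache looks like; the same MAC answering for a host and the gateway is the strongest single indicator, since a changed mapping on its own can also be a legitimate NIC replacement or DHCP reassignment.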