Man in the middle (MitM) attack – ARP poisoning - wsec/club GitHub Wiki

This guide is a basic walk-through on how to perform an ARP poisoning attack against a wired LAN.

Kill Chain

  1. Reconnaissance: determine IPv4 addresses (nmap)
  2. Attack: man in the middle (MitM)
  3. Compromise: network analysis utility
  4. Report: avoid untrusted/unencrypted connections.

Countermeasures

Dynamic ARP inspection (DAI) can detect ARP poisoning on enterprise-grade switches.

Users and administrators may also manually monitor changes to the ARP table.

Step 1. IP forwarding

sysctl -w net.ipv4.ip_forward=1

Or:

echo 1 > /proc/sys/net/ipv4/ip_forward

Step 2. ARP spoofing

$server.ip can be either

  • the network gateway, if the client is attempting to connect to the Internet
  • an IP address, if the server is on the client's LAN.

arpspoof -i eth0 -t $client.ip $server.ip
arpspoof -i eth0 -t $server.ip $client.ip

  • -t specifies the target. See man arpspoof.
  • -i specifies the interface. The command ip addr show lists the available network interfaces.

Optionally, append > /dev/null 2>&1 & to each command to run the jobs in the background and suppress their output (the redirection must come before the trailing &, or the shell applies it to an empty command).

Clear ARP cache on a Linux client

ip -s -s neigh flush all
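The Countermeasures section above says administrators can manually monitor the ARP table, and this step shows why that works: after the two arpspoof commands, one MAC address (the attacker's) answers for both $client.ip and $server.ip, and the gateway's MAC as seen by the client changes. The following is an added example, not code from the wsec/club wiki, written in Python from the defender's side. It parses two constructed snapshots of `ip neigh show` output (the address and MAC values are invented for the example) and reports both symptoms.

```python
"""ARP-table change monitor (added example, defender-side).

Compares snapshots of `ip neigh show` output and reports two classic
signs of ARP poisoning:
  1. an IP address whose MAC changed between two snapshots, and
  2. one MAC address that answers for two or more IP addresses
     (e.g. the gateway and a client at the same time).
"""
import re
from collections import defaultdict

# One `ip neigh show` line for a resolved IPv4 neighbour, for example:
#   "192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE"
# Entries in FAILED/INCOMPLETE state carry no lladdr and are skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+) dev (?P<dev>\S+) "
    r"lladdr (?P<mac>[0-9a-f:]{17}) (?P<state>\S+)$",
    re.IGNORECASE,
)

# Constructed sample data (hypothetical addresses): .1 is the gateway,
# .20 the client, .66 the host that later poisons both of them.
BEFORE_SNAPSHOT = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:20 STALE
192.168.1.66 dev eth0 lladdr aa:bb:cc:dd:ee:66 REACHABLE
192.168.1.99 dev eth0 FAILED
"""

AFTER_SNAPSHOT = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:66 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:66 REACHABLE
192.168.1.66 dev eth0 lladdr aa:bb:cc:dd:ee:66 REACHABLE
192.168.1.99 dev eth0 FAILED
"""


def parse_neigh(text):
    """Return {ip: mac} for every line that carries a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_mac_changes(before, after):
    """IPs present in both snapshots whose MAC differs: (ip, old_mac, new_mac)."""
    return sorted(
        (ip, before[ip], after[ip])
        for ip in before
        if ip in after and before[ip] != after[ip]
    )


def find_shared_macs(table):
    """MACs that claim more than one IP within a single snapshot."""
    by_mac = defaultdict(set)
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def audit(before_text, after_text):
    """Run both checks and return human-readable alert strings."""
    before, after = parse_neigh(before_text), parse_neigh(after_text)
    alerts = []
    for ip, old, new in find_mac_changes(before, after):
        alerts.append(f"MAC change for {ip}: {old} -> {new}")
    for mac, ips in find_shared_macs(after).items():
        alerts.append(f"{mac} answers for several IPs: {', '.join(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in audit(BEFORE_SNAPSHOT, AFTER_SNAPSHOT):
        print("ALERT:", alert)
```

In practice the two snapshots come from running `ip neigh show` periodically (or from a switch span port); a gateway whose MAC changes without a planned hardware swap, or a single MAC answering for the gateway and a client, is worth investigating immediately. A static ARP entry for the gateway (`ip neigh replace ... nud permanent`) or DAI on the switch prevents the change rather than merely reporting it.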

Step 3. Packet sniffing

Choose a network analysis utility.

  • dsniff: high-level password sniffing. From Wikipedia:

    [dsniff] handles FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP MS-CHAP, NFS, VRRP, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase[,] and Microsoft SQL protocols.

  • sslstrip: could be used to hijack HTTP POST requests.
  • tcpdump: low-level network logging.
  • wireshark: easy-to-use cross-platform GUI.

Next steps

  1. Wait for network activity.
  2. Passwords are stolen.
  3. ????
  4. Profit.

Sources
