Well I noticed the Linux area is kinda empty so I decided to fix that ^_^ with a little something I pulled together in the last few days. First of all you should understand how Local Area Networks (LANs) work. On a hubbed network (or an 802.11 wireless one), when a computer sends data to another one, the hub sends that data to ALL hosts on the network; only the intended receiver accepts it, while all the others just drop it. Running a sniffer such as Ethereal on a hubbed network (which sets your NIC into promiscuous mode) captures all that data that should have been discarded and lets you view it. On switched networks, though, things are more secure: a switch only sends data to the intended receiver. To make this work, hosts on a LAN use a protocol called ARP (Address Resolution Protocol), which translates IP addresses on a LAN to MAC addresses (a supposedly unique address for each NIC; there are ways of spoofing your MAC address, though).

Let's say the switch receives a piece of data and wants to send it to 192.168.0.2. It has to know which port to send it to (I mean a physical port on the switch, not your virtual ports), in other words on which wire to transmit it. So the host which sends the data broadcasts an ARP request like "Who has 192.168.0.2? Gimme your MAC address", to which 192.168.0.2 would respond "I'm 192.168.0.2, my MAC address is AA:BB:CC:11:22:33" (completely bogus MAC address used there for demonstrative purposes). Then the host sends the data to the switch (along with the destination MAC address) and the switch sends it on to the intended MAC address. One flaw in ARP is that a host considers ALL responses valid, so it doesn't need to have sent a request to accept an answer. So if I were to keep sending specially crafted ARP responses to a host saying "I'm 192.168.0.2, my MAC address is AA:BB:CC:44:55:66", then all packets from that host destined for 192.168.0.2 would be rerouted to me.
That's coz, as I send these packets continuously and 192.168.0.2 only sends one when it's asked for it, the host receives more packets from me before 192.168.0.2 gets to send its own reply, so it ends up sending to the latest MAC address it saw for 192.168.0.2 (this is called ARP poisoning). Now MITM stands for Man-In-The-Middle. An attack of this nature means turning your computer into an invisible proxy between two other computers, basically turning:

192.168.0.2<-------->192.168.0.3 into
192.168.0.2<--->my_ip_address<--->192.168.0.3

This can be accomplished by ARP poisoning the two hosts and forwarding the received packets. To do a MITM between 192.168.0.2 and 192.168.0.3 you'd ARP poison 192.168.0.2 into thinking you're 192.168.0.3 and 192.168.0.3 into thinking you're 192.168.0.2, and DON'T FORGET to turn on packet forwarding, coz if you don't you kill the connection between the two hosts. Next up I'm gonna show you how to sniff packets between two hosts on the same LAN using 'arpspoof' and 'ethereal'. arpspoof is found in the 'dsniff' package and Ethereal comes with almost every Linux distro. For this example I used the Auditor boot CD, which can be found at remote-exploit.org. What I wanted to do was listen in on Yahoo Messenger convos. So I did the following:

First I turned on IP forwarding: 'echo 1 > /proc/sys/net/ipv4/ip_forward'
Then I chose my victim. At the time I knew 192.168.0.5 was having a Yahoo Messenger convo, so I did:
'arpspoof -t 192.168.0.5 192.168.0.99', which makes 192.168.0.5 believe that I'm 192.168.0.99, sending all packets with destination 192.168.0.99 to me. Now 192.168.0.99 is the gateway in my LAN, so it's our link with the internet, therefore all packets for Yahoo Messenger must pass through it.

Then I did:

'arpspoof -t 192.168.0.99 192.168.0.5', which makes all packets from the internet to 192.168.0.5 pass through me (now if I didn't do this I'd only get half the conversation, what 192.168.0.5 sends, to be exact).

Now I turned on Ethereal and started capturing all packets which pass through eth0 (my only NIC) and selected real-time update for the captured packets (coz I want my list of captured packets updated as they are captured). The list should flood with packets (mostly ARP packets coz you send tons of them out), so it was a good idea to select the filter 'YMSG', which only shows you the Yahoo Messenger packets. A good option is to get the 'ngrep' utility if you wanna sniff for certain keywords: 'ngrep pass' would show me all packets containing the string 'pass'. There's also the 'dsniff' utility, which automatically looks for HTTP, FTP, POP3 etc. passwords and displays them in a readable context. Another good utility found on the Auditor CD is 'webspy', which redirects your Netscape browser to URLs sniffed from captured packets, allowing you to surf in parallel with the victim (a cool party trick lol). If you have any questions on this article don't hesitate to PM me.
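Added example from the defender's side, not part of the original post: a small Python ARP watcher that parses raw Ethernet/ARP frames and flags the two symptoms of the poisoning described above and in the arpspoof walkthrough, a reply nobody asked for and an IP whose MAC suddenly changes (the same idea behind tools like arpwatch). The traffic it checks is constructed inline to mirror the scenario in the post (192.168.0.5 as the victim, 192.168.0.99 as the gateway); all MAC addresses and the 192.168.0.7 address are made up for the demo, and the build_arp helper exists only to construct that test input.

```python
import socket
import struct
from dataclasses import dataclass

# Ethernet header: dst MAC, src MAC, ethertype. ARP body: hw type, proto type,
# hw len, proto len, opcode, sender MAC, sender IP, target MAC, target IP.
ETH_HDR = struct.Struct("!6s6sH")
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


@dataclass
class Arp:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_ip: str


def parse_arp(frame: bytes):
    """Return an Arp for an Ethernet/ARP-over-IPv4 frame, None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    hw, proto, hlen, plen, op, sha, spa, _tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return Arp(op, mac_str(sha), socket.inet_ntoa(spa), socket.inet_ntoa(tpa))


class ArpWatcher:
    """Keeps an IP->MAC table and flags replies nobody asked for and IPs whose MAC changes."""

    def __init__(self):
        self.table = {}       # ip -> MAC first learned for it
        self.pending = set()  # (requester ip, requested ip) of outstanding requests
        self.alerts = []

    def observe(self, frame: bytes):
        arp = parse_arp(frame)
        if arp is None:
            return None
        if arp.opcode == ARP_REQUEST:
            self.pending.add((arp.sender_ip, arp.target_ip))
        alert = None
        if arp.opcode == ARP_REPLY:
            # A legitimate reply answers a request we saw going the other way.
            # A gratuitous announcement (sender == target) is normal on boot/failover.
            if (arp.target_ip, arp.sender_ip) in self.pending:
                self.pending.discard((arp.target_ip, arp.sender_ip))
            elif arp.sender_ip != arp.target_ip:
                alert = (f"unsolicited ARP reply: {arp.sender_ip} is-at "
                         f"{arp.sender_mac} (no request from {arp.target_ip})")
        # Learn the sender's MAC from requests and replies alike; a change is the loud signal.
        known = self.table.setdefault(arp.sender_ip, arp.sender_mac)
        if known != arp.sender_mac:
            alert = f"MAC change for {arp.sender_ip}: {known} -> {arp.sender_mac}"
        if alert:
            self.alerts.append(alert)
        return alert


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Assemble a raw Ethernet/ARP frame (used here only to construct demo input)."""
    eth_dst = b"\xff" * 6 if opcode == ARP_REQUEST else mac_bytes(target_mac)
    eth = ETH_HDR.pack(eth_dst, mac_bytes(sender_mac), ETHERTYPE_ARP)
    body = ARP_BODY.pack(1, 0x0800, 6, 4, opcode, mac_bytes(sender_mac),
                         socket.inet_aton(sender_ip), mac_bytes(target_mac),
                         socket.inet_aton(target_ip))
    return eth + body


def run_demo():
    """Constructed traffic (all MACs made up): .5 is the victim, .99 the gateway, and a
    third MAC starts claiming both addresses the way the arpspoof pair above would."""
    victim, gateway, rogue = "00:11:22:33:44:55", "aa:bb:cc:11:22:33", "aa:bb:cc:44:55:66"
    zero = "00:00:00:00:00:00"
    frames = [
        build_arp(ARP_REQUEST, victim, "192.168.0.5", zero, "192.168.0.99"),    # who has .99?
        build_arp(ARP_REPLY, gateway, "192.168.0.99", victim, "192.168.0.5"),   # genuine answer
        build_arp(ARP_REPLY, rogue, "192.168.0.99", victim, "192.168.0.5"),     # poisons victim
        build_arp(ARP_REPLY, rogue, "192.168.0.5", gateway, "192.168.0.99"),    # poisons gateway
        build_arp(ARP_REPLY, rogue, "192.168.0.7", victim, "192.168.0.5"),      # unasked-for claim
        build_arp(ARP_REPLY, gateway, "192.168.0.99", gateway, "192.168.0.99"), # gratuitous, fine
    ]
    watcher = ArpWatcher()
    return [watcher.observe(f) for f in frames]


if __name__ == "__main__":
    for result in run_demo():
        print(result or "ok")
```

In real use you would feed observe() frames read from a raw socket or a pcap instead of the constructed list, and the thing to do about the alerts is a static ARP entry for the gateway on the hosts that matter (or dynamic ARP inspection on the switch), since a host that accepts every reply cannot tell the real gateway from the one sending tons of them.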
