EC312 Security Exercise 27
Objective: To demonstrate an attack that leads to the loss of private information by manipulating the
Address Resolution Protocol (ARP) table.
Man-in-the-Middle ARP Spoofing
http://www.danscourses.com/Network-Penetration-Testing/arp-spoofing-man-in-the-middle-attack.html
A man-in-the-middle attack is an attack from inside the network, where an attacker places a computer
or network device between two hosts so that their data exchanges are unknowingly redirected through the man-in-the-middle. The goal is to capture and relay traffic so that the victim is unaware that all traffic to and from
his computer is being intercepted.
One way to accomplish a man-in-the-middle attack is to use ARP spoofing. ARP spoofing targets
the mapping between layer 3 IP addresses and layer 2 MAC addresses. On a local area network, a host
communicates with another host, including the gateway, by delivering frames to a MAC address. Before
it can do this, the ARP protocol must resolve the MAC address from the IP address of that host.
There is no verification or authentication procedure in the ARP protocol. When a computer needs
to send information to another host on the network, it generates an ARP request and broadcasts it to
every computer on the network, asking the host that owns a specific IP address to respond with its
MAC address. When a computer responds with a MAC address, the sender stores that IP-to-MAC mapping
in its ARP table and delivers data to that MAC address. The problem is that the response is accepted
without verification. In fact, a reply is accepted even if a request was never made (a so-called
gratuitous ARP). ARP spoofing exploits this by sending forged replies to the targeted hosts so that they
incorrectly map the attacker’s MAC address to the IP address of another host, such as the gateway.
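The mechanism described above, as an added example that is not part of the lab handout: raw Ethernet/ARP frames are built and parsed by hand, and fed to a toy ARP cache that, like a real host, stores a reply without checking that it answers an outstanding request or that the sender owns the IP it claims. All addresses are constructed for the example; they are not the lab's Cyber2, BT5R3 or gateway addresses, and NaiveArpCache is a model of the behaviour, not any operating system's ARP code.

```python
"""Added example (not from the lab handout): build and parse raw ARP frames,
then poison a toy ARP cache with a single unsolicited reply."""
import struct

ETH_P_ARP = 0x0806                    # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2         # ARP opcodes
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + 28-byte ARP packet (IPv4 over Ethernet).
    Requests go to the broadcast MAC; replies go straight to the target MAC."""
    dst_mac = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = _mac_bytes(dst_mac) + _mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)        # HTYPE, PTYPE, HLEN, PLEN, OPER
    arp += _mac_bytes(sender_mac) + _ip_bytes(sender_ip)  # sender hardware/protocol address
    arp += _mac_bytes(target_mac) + _ip_bytes(target_ip)  # target hardware/protocol address
    return eth + arp


def parse_arp_frame(frame):
    """Return the ARP fields as a dict, or None if this is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {
        "op": op,
        "sender_mac": _mac_str(body[0:6]),
        "sender_ip": _ip_str(body[6:10]),
        "target_mac": _mac_str(body[10:16]),
        "target_ip": _ip_str(body[16:20]),
    }


class NaiveArpCache:
    """Model (an assumption of this example) of the behaviour the text describes:
    any reply addressed to this host is stored, asked for or not, unverified."""

    def __init__(self, my_ip, my_mac):
        self.my_ip, self.my_mac = my_ip, my_mac
        self.table = {}                      # IP -> MAC

    def request(self, ip):
        """Frame this host would broadcast to resolve ip."""
        return build_arp_frame(ARP_REQUEST, self.my_mac, self.my_ip,
                               "00:00:00:00:00:00", ip)

    def receive(self, frame):
        pkt = parse_arp_frame(frame)
        if pkt is None:
            return
        # No check that a request was outstanding, none that the sender owns sender_ip.
        if pkt["op"] == ARP_REPLY and pkt["target_ip"] == self.my_ip:
            self.table[pkt["sender_ip"]] = pkt["sender_mac"]


def poisoning_demo():
    """Victim resolves the gateway legitimately, then one unsolicited reply from
    the attacker overwrites the entry. Returns the gateway MAC (before, after)."""
    victim_ip, victim_mac = "192.168.1.10", "aa:aa:aa:aa:aa:10"      # constructed addresses
    gw_ip, gw_mac = "192.168.1.1", "bb:bb:bb:bb:bb:01"
    attacker_mac = "cc:cc:cc:cc:cc:66"

    victim = NaiveArpCache(victim_ip, victim_mac)
    victim.request(gw_ip)                     # broadcast goes out; the gateway answers:
    victim.receive(build_arp_frame(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip))
    before = victim.table[gw_ip]

    # Attacker claims the gateway's IP with its own MAC. Nobody asked; it is accepted anyway.
    victim.receive(build_arp_frame(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip))
    after = victim.table[gw_ip]
    return before, after


if __name__ == "__main__":
    before, after = poisoning_demo()
    print(f"gateway MAC before: {before}\ngateway MAC after:  {after}")
```

In the lab, ettercap sends the same kind of forged reply in both directions (telling Cyber2 that the gateway is at the BT5R3 MAC, and telling the gateway that Cyber2 is at the BT5R3 MAC), which is why traffic in both directions passes through the attacker.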
Question 1. In an ARP Man-in-the-Middle attack (aka. ARP Spoofing), what type of addresses are
being targeted? (IP, Grandma’s, MAC)
ARP spoofing attack
1. Open VM Workstation and power on the BT5R3 VM.
a. BT5R3 will take 2-3 minutes to load.
b. Allow the automatic boot to count down.
2. Verify the network adapter is set to NAT.
a. Hover the mouse over the network icon in the lower right-hand corner of VMWare
Workstation.
i. Make sure you are not in full screen mode.
ii. If the network icon is gray, click the network icon and select ‘connect’.
b. Most people should see NAT. If you see NAT, you can skip to Step 3.
c. If the VM is not in NAT mode,
i. Click on the network icon and select ‘settings’.
ii. Under network connections, select NAT and click OK.
3. Power on the Cyber2 VM.
a. You will be working with both the BT5R3 and Cyber2 VMs for this lab.
b. You should see tabs for both machines in the top left corner of the workstation.
i. You will be alternating between the two machines during the lab.
4. Verify/Set the network adapter for Cyber2 VM to NAT in the manner you did for the BT5R3 VM.
a. Make sure you are connected.
5. Type ‘sudo dhclient eth1’ into the command prompt of the Cyber2 VM.
6. Verify you are connected to the USNA-WAP wireless Internet connection.
7. Once you see the command prompt in BackTrack, type startx and press <enter>.
8. When the new user interface is loaded, open a terminal window.
a. Click the terminal button.
Setup for the lab is complete. You are ready to begin.
NOTE: If you lose your cursor while working in BT5R3, pressing control+alt at the same time on your keyboard will bring it back.
Basic Unix Commands helpful for this lab:
ifconfig – displays the host's IP address and MAC address
route -n – shows the routing table, including the default gateway for the host. (In the Destination column, 0.0.0.0 is the default route, used for every destination not matched by a more specific entry; in the Gateway column, 0.0.0.0 means the destination is directly attached and no gateway is needed.)
ping IP_address – can be used to create an IP address to MAC address entry in the ARP table for a host on the local network if the entry is not already there (the ping forces an ARP exchange)
arp – shows the ARP table
9. Type ‘ifconfig’ on the command line of the Cyber2 VM and press <enter>.
a. This will display various network information, including the MAC address and the IP
address.
b. Repeat the command on the BT5R3 machine.
10. Type ‘route -n’ on the command line of the Cyber2 VM and press <enter>.
a. This will display the routing table. The Gateway column of the 0.0.0.0 (default) destination is the gateway router for the host.
11. Type ‘arp’ on the command line of the Cyber2 VM and press <enter>. You may have to run ‘arp’
more than once (or ping the gateway first) for the gateway router entry to appear, because the entry is only created once the VM has exchanged traffic with the gateway.
a. This will display the gateway router IP address and its MAC address.
Question 2. Using the information you just discovered, list the IP address and MAC address of the
Cyber2 VM, the BT5R3 VM, and the Gateway Router.

                  IP address                  MAC address
Cyber2 VM         _______________________     ________________________
BT5R3 VM          _______________________     ________________________
Gateway Router    _______________________     ________________________
12. Type ‘ettercap -G’ (this is case sensitive) on the command line in BT5R3 and
press <enter>.
13. In the BackTrack VM, utilizing the ettercap program, select Sniff > Unified sniffing.
14. For Network Interface, press OK.
15. Select the tab Hosts then “Scan for hosts”.
16. Select the Hosts tab again but then choose Hosts list.
a. You will be working with your Cyber2 VM IP address and the Gateway Router IP
address.
17. Add the two hosts between which BT5R3 will act as the Man-in-the-Middle.
a. Target 1
i. Select the IP address you wrote for the Cyber2
VM in Question 2 and press the Add to Target 1
button.
b. Target 2
i. Select the IP address you wrote for the Gateway
Router in Question 2 and press the Add to
Target 2 button.
NOTE: If you do not see the IP address for your Cyber2 VM in the list, retype ‘ifconfig’ on the Cyber2 VM command line. Your assigned IP address may have changed. Update Question 2.
18. Select the Mitm tab and choose ARP poisoning.
a. Check Sniff remote connections and press OK.
19. Select Start > Start sniffing
20. Go back to the Cyber2 VM.
a. Type ‘ifconfig’ on the command line of the Cyber2 VM and press <enter>.
b. Type ‘arp’ on the command line of the Cyber2 VM and press <enter>.
Question 3. Using the information you just discovered, list the IP address and MAC address of the
Cyber2 VM and the Gateway Router.

                  IP address                  MAC address
Cyber2 VM         _______________________     ________________________
Gateway Router    _______________________     ________________________
Question 4. What has changed between the data recorded in Question 2 and Question 3?
Question 5. Based on the discussion on page 1, why is this significant? (Pay attention to which device’s
MAC address the Gateway Router’s IP address is now associated with.)
Password theft
21. In the Cyber2 VM, open the firefox web browser.
a. Go to http://www.danscourses.com/index.php?option=com_kunena&view=category&catid=0&layout=list&Itemid=72
b. At the top of the webpage, enter login credentials and press the login button.
i. It doesn’t matter what you use for the login credentials, but it should not be a
password you actually use.
22. Go back to ettercap in the BackTrack VM and examine the output in the bottom pane under
“Starting Unified sniffing…”.
a. This output would not occur at a site that uses HTTPS: the credentials would be encrypted before
leaving the Cyber2 VM, so ettercap would still relay the traffic but could not display the login in cleartext.
b. You can try logging into Facebook this one time in class. You will not see any entry in ettercap,
because Facebook logs you in over HTTPS. The packets are still traversing the attacking computer;
the credentials inside them are simply encrypted.
NOTE: If there is no output, close ettercap and reperform steps 12-19 and 21.
Question 6. What significant information did the attacker get from this ARP MitM attack?
23. Go to http://www.youtube.com/watch?v=pwYuEdnz3-w and watch the ARP MITM attack.
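What ettercap's password dissector does in step 22, as an added example that is not part of the lab handout or of ettercap: a minimal extractor that reads a cleartext HTTP form POST off the wire and pulls out the fields whose names look like a username or password, and returns nothing for a TLS record, which is all a MITM sees of an HTTPS login. The HTTP request, the form field names, the host name and the TLS bytes below are all constructed for the example.

```python
"""Added example (not from the lab handout): cleartext credential extraction,
and why the same code gets nothing from an HTTPS session."""
from urllib.parse import parse_qs

# Field names a credential sniffer typically looks for (a choice made for this example).
CREDENTIAL_FIELDS = {"username", "user", "login", "email", "password", "passwd", "pass"}

# Constructed cleartext login POST, as a MITM would read it on TCP port 80.
HTTP_POST = (
    b"POST /index.php?option=com_users&task=user.login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 51\r\n"
    b"\r\n"
    b"username=mid%2F4c&password=Lab%20Only%21&remember=1"
)

# Constructed TLS application-data record (type 0x17, version 3.3) carrying ciphertext.
TLS_APP_DATA = b"\x17\x03\x03\x00\x20" + bytes(range(32))


def extract_credentials(payload):
    """Return {field: value} for credential-looking fields in a cleartext form
    POST, or None if the payload is a TLS record or not a form POST at all."""
    if payload[:1] in (b"\x16", b"\x17") and payload[1:2] == b"\x03":
        return None                      # TLS handshake or encrypted application data
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        return None
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if not headers.get(b"content-type", b"").startswith(b"application/x-www-form-urlencoded"):
        return None
    length = int(headers.get(b"content-length", len(body)))
    fields = parse_qs(body[:length].decode("utf-8", "replace"))
    found = {name: values[0] for name, values in fields.items()
             if name.lower() in CREDENTIAL_FIELDS}
    return found or None


if __name__ == "__main__":
    print("HTTP :", extract_credentials(HTTP_POST))
    print("HTTPS:", extract_credentials(TLS_APP_DATA))
```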
Instructor led section
24. In the Cyber2 VM, start Wireshark (as root).
25. Choose Capture > Options
26. Verify that an interface is selected in the interface block (e.g. eth0 or eth1) and select ‘start’.
27. Let Wireshark run for about 30 seconds and press the stop button.
NOTE: If there are no packets captured during step 27, close ettercap and reperform steps 12-19.
Question 7. What is the type for the majority, if not all, of the ARP packets received? (request or reply)
Question 8. Based on the discussion on page 1, why is this significant?
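The checks a defender would run over the ARP traffic seen in step 27, as an added example that is not part of the lab handout: it counts requests versus replies (Question 7), flags replies that answer no recent request, and flags IP-to-MAC mappings that change or collide (Questions 4 and 5). The capture is constructed to resemble a monitor-port view of the lab network after step 18: one genuine request/reply between the victim and the gateway, then the forged replies an ARP poisoner re-sends every few seconds to both of them. All addresses, timestamps and the two-second answer window are invented for the example.

```python
"""Added example (not from the lab handout): ARP-spoofing detection over a
constructed capture of decoded ARP records."""
from collections import Counter, defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2

VICTIM_IP, VICTIM_MAC = "192.168.1.10", "aa:aa:aa:aa:aa:10"      # constructed addresses
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "bb:bb:bb:bb:bb:01"
ATTACKER_MAC = "cc:cc:cc:cc:cc:66"

# Records as a Wireshark ARP dissector would decode them:
# (time in seconds, opcode, sender MAC, sender IP, target IP)
CAPTURE = sorted(
    [(0.000, ARP_REQUEST, VICTIM_MAC, VICTIM_IP, GATEWAY_IP),
     (0.001, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_IP)]
    + [(5.0 + 10 * n, ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_IP) for n in range(4)]
    + [(5.5 + 10 * n, ARP_REPLY, ATTACKER_MAC, VICTIM_IP, GATEWAY_IP) for n in range(4)],
    key=lambda rec: rec[0],
)


def analyze_arp(capture, window_s=2.0):
    """Count opcodes, flag replies nobody asked for, and flag IP/MAC conflicts."""
    ops = Counter(rec[1] for rec in capture)
    last_request = {}          # (requester IP, requested IP) -> time of last request
    seen_mac = {}              # IP -> MAC most recently claimed for it
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    unsolicited, changes = [], []
    for t, op, smac, sip, tip in sorted(capture, key=lambda rec: rec[0]):
        if op == ARP_REQUEST:
            last_request[(sip, tip)] = t
        elif op == ARP_REPLY:
            # A legitimate reply answers a recent request from its target for its sender.
            asked = last_request.get((tip, sip))
            if asked is None or t - asked > window_s:
                unsolicited.append((t, sip, smac))
        # Every ARP packet asserts "sip is at smac"; remember who claims what.
        if sip in seen_mac and seen_mac[sip] != smac:
            changes.append((t, sip, seen_mac[sip], smac))
        seen_mac[sip] = smac
        ip_to_macs[sip].add(smac)
        mac_to_ips[smac].add(sip)
    return {
        "requests": ops[ARP_REQUEST],
        "replies": ops[ARP_REPLY],
        "unsolicited_replies": unsolicited,
        "mapping_changes": changes,
        "ips_with_many_macs": {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1},
        "macs_with_many_ips": {m: sorted(i) for m, i in mac_to_ips.items() if len(i) > 1},
    }


if __name__ == "__main__":
    report = analyze_arp(CAPTURE)
    print(f"requests={report['requests']} replies={report['replies']} "
          f"unsolicited={len(report['unsolicited_replies'])}")
    for t, ip, old, new in report["mapping_changes"]:
        print(f"t={t:5.1f}s  {ip} moved from {old} to {new}")
    print("one MAC claiming several IPs:", report["macs_with_many_ips"])
```

A capture taken on the Cyber2 VM itself, as in step 24, sees only the frames addressed to it, so it shows the first of the two forged streams: a run of replies for the gateway's IP, all from the BT5R3 MAC and none answering a request. That run is the signature behind Questions 7 and 8.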
EC312 Practical Exercise 27
Name:
Question 1:
Question 2:
                  IP address                  MAC address
Cyber2 VM         _______________________     ________________________
BT5R3 VM          _______________________     ________________________
Gateway Router    _______________________     ________________________
Question 3:
                  IP address                  MAC address
Cyber2 VM         _______________________     ________________________
Gateway Router    _______________________     ________________________
Question 4:
Question 5:
Question 6:
Question 7:
Question 8: