Lab. 2 - kuroski.net

DA102
Lab. 2
Name: ________________
Hardware/Software Setup Required
Cain & Abel v4.9.30 for Windows NT/2000/XP (available at http://www.oxid.it/cain.html)
Wireshark 1.0.7 for Windows (available at http://www.wireshark.org/about.html)
Problem Description
Monitoring network traffic on a switched Ethernet requires more work and tools than
monitoring traffic on a shared Ethernet, where devices are connected to a hub instead of
a switch.
One way to monitor traffic on a switched Ethernet is to perform an attack known as ARP
poisoning to impersonate the network gateway. Then, the attacker will be able to sniff all the
traffic from the victim’s computer to the gateway and vice versa.
In this lab, you will use Cain & Abel to perform the ARP poisoning attack and Wireshark to
monitor network traffic.
Outcome
Report the steps required to perform the task.
Validation/Evaluation
How does ARP poisoning work?
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________

How can you create filters in Wireshark to display only relevant information?
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
Lab Solution
1. Install Cain & Abel and Wireshark on your computer and start Cain & Abel.
2. Start the sniffing process by clicking on the Start/Stop Sniffer button on the toolbar.
3. Next, select the Sniffer tab.
4. Now, right-click on any point in the area below and select Scan MAC Addresses.
5. Select All hosts in my subnet and click OK on the next window.
6. Cain & Abel will show a list of all devices connected to the network. The information
displayed for each device includes the IP address, MAC address, and a description (OUI
fingerprint).
Note: The result of the scanning process can vary depending on your network.
7. Now, use the result of the scanning process to determine the path you want to sniff. One of
the ends of this path should be the network gateway (usually the IP address x.x.x.1 of the
subnet), and the other end should be the victim’s computer. Note: You should ask your
instructor for the IP addresses of both the gateway and the victim’s computer. For this
exercise, we will monitor the path between the gateway (192.168.236.64) and the computer
with IP address 192.168.236.X.
8. Select the APR tab at the bottom of the screen.
9. Now, click on the top-right panel. Notice that the + symbol on the toolbar activates.
10. Now, click on the + symbol on the toolbar to specify the path you want to sniff.
11. On the left panel, select the IP address of the gateway (192.168.1.1).
12. On the right panel, select the IP address of the victim’s computer (192.168.1.105).
13. Now click OK to add this route.
14. Finally, press the Start/Stop APR button on the toolbar to start the ARP poisoning attack.
Cain & Abel is now poisoning the ARP table on the victim’s computer, replacing the MAC
address associated with the gateway’s IP address with the MAC address of the attacker’s
computer. Similarly, Cain & Abel is poisoning the ARP table on the gateway, replacing the
MAC address associated with the victim’s IP address with the MAC address of the
attacker’s computer. As a result of this attack, all traffic between the gateway and the
victim’s computer is redirected to the attacker’s computer, which records this traffic and
forwards it to the original recipient.
15. Now, open Wireshark to sniff the traffic from the gateway to the victim’s computer.
16. Because we are only interested in the traffic between the gateway and the victim’s computer,
we will create a filter so that Wireshark shows only the packets sent and received
between these two computers. Click the Expression… button to add the filter.
17. On the next window, select IP in the Field name list and expand it.
18. Next, select ip.src for the Field name, == for Relation, and write 192.168.1.105 for Value
(protocol).
19. Click OK to create the filter.
20. Now, click on the Filter text field and type "or" followed by a blank space.
21. Use the Expression… button again and expand the IP tree on Field name as before.
22. This time select ip.dst for the Field name, == for Relation, and write 192.168.1.105 for Value
(protocol).
23. Click OK to add this filter.
24. Now, to start capturing traffic, click the Interfaces button on the toolbar.
25. On the next window, select the network interface connected to the switched Ethernet and
click the Start button for that interface. For this exercise, we will use the interface with IP
address 192.168.1.215.
26. Click the Apply button to apply the filter.
27. Now, go to the victim’s computer (or ask the victim) and open a new Internet browser
window to connect to any Web site. Wireshark shows all captured packets sent and received
by the victim’s computer.
28. Do a screen capture and print it out. Attach it to the lab.
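The two forged bindings described in step 14 are also what a defender watches for on the wire. The following is an added example, not part of the original lab: it parses raw ARP bodies and flags an IP address whose sender MAC changes, and a MAC address that answers for more than one IP. The MAC addresses and function names are constructed for illustration; the IP addresses are the ones used in the lab.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # ARP body for Ethernet/IPv4: 28 bytes

def build_arp(oper, sha, spa, tha, tpa):
    """Pack a constructed ARP body (used only to make the sample input)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha),
                       socket.inet_aton(spa), mac(tha), socket.inet_aton(tpa))

def parse_arp(payload):
    """Return (sender_mac, sender_ip) from a raw ARP body, or None."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return sha.hex(":"), socket.inet_ntoa(spa)

def detect_poisoning(payloads):
    """Return (index, kind, ip, mac) alerts for suspicious sender bindings."""
    ip_to_mac, mac_to_ips, alerts = {}, {}, []
    for n, payload in enumerate(payloads):
        parsed = parse_arp(payload)
        if parsed is None:
            continue
        mac, ip = parsed
        # First-seen binding is the baseline; a different MAC is a rebind.
        if ip_to_mac.setdefault(ip, mac) != mac:
            alerts.append((n, "rebind", ip, mac))
        # One MAC answering for several IPs (heuristic: proxy ARP and
        # multi-homed hosts also do this legitimately).
        seen = mac_to_ips.setdefault(mac, set())
        if seen and ip not in seen:
            alerts.append((n, "multi-ip", ip, mac))
        seen.add(ip)
    return alerts

# Constructed sample: IPs are the lab's, MAC addresses are made up.
GW, VICTIM, HOST = "00:11:22:33:44:01", "00:11:22:33:44:69", "00:11:22:33:44:d7"
SAMPLE = [
    build_arp(2, GW, "192.168.1.1", VICTIM, "192.168.1.105"),
    build_arp(2, VICTIM, "192.168.1.105", GW, "192.168.1.1"),
    build_arp(2, HOST, "192.168.1.215", GW, "192.168.1.1"),
    build_arp(2, HOST, "192.168.1.1", VICTIM, "192.168.1.105"),   # forged
    build_arp(2, HOST, "192.168.1.105", GW, "192.168.1.1"),       # forged
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE):
        print(alert)
```

The baseline is the first binding seen for each IP address, so the capture has to begin before the poisoning does.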