NASA Lab -
ARP Spoofing

by Arvin Liu

Recap - ARP

Task: 87 msg to 88

140.112.31.87

140.112.31.88

Switch cannot look ip.

So we needs 88's MAC to let switch forward.

src: 140.112.31.87

dst: 140.112.31.88

dst MAC: ???

87:87:87:87:87:87

88:88:88:88:88:88

<3

ARP Request & Reply

140.112.31.87

140.112.31.88

ARP Request

who has 140.112.31.88 ?

87:87:87:87:87:87

88:88:88:88:88:88

ARP Reply

140.112.31.88 is at

88:88:88:88:88:88

src ip: 140.112.31.87 src MAC: 87:87:87:87:87:87

dst ip: 140.112.31.88 dst MAC: 88:88:88:88:88:88

ARP Spoofing

ARP Spoofing

140.112.31.87

140.112.31.88

I know 140.112.31.88 => 88:88:88:88:88:88

87:87:87:87:87:87

88:88:88:88:88:88

ARP Reply

140.112.31.88 is at 89:89:89:89:89:89

140.112.31.89

89:89:89:89:89:89

89:89:89:89:89:89

What can ARP Spoofing do?

  • Spoofing only one side

    • DoS Attack (know two side IP)
    • pretend fake server

 

  • Spoofing both two sides

    • Packet Sniffing
    • MitM attack

Alice

Bob

Eve

Lab -

DoS by APR Spoofing

Network Topology

eth0 (Your net card)

VM 1

(victim)

VM 2

(attacker)

bridge

How 2 bridge?

Your Mission

VM1 (victim)

ping 8.8.8.8

VM2 (attacker)

ARP spoofing

Redirect

Router

It is kind of race condition. 

VM1 (victim)

VM2 (attacker)

Router

Gateway:

192.168.0.1

192.168.0.1

192.168.0.2

192.168.0.1 is at  bb:b..

bb:bb:bb:bb:bb:bb

aa:aa:aa:aa:aa:aa

192.168.0.1 is at  aa:a..

Useful Tools

You can choose not to use these tools, though.

Scapy

Install Scapy in Ubuntu

Ubuntu 20.04 already has python3.

Install pip (python package manager)

sudo apt install python3-pip

Install scapy

sudo pip install scapy==2.4.0
# or 
sudo python3 -m pip install scapy==2.4.0

Start Packet Crafting

import all you can use.

from scapy.all import *

craft any protocol packet you want

pkt = IP(dst="127.0.0.1")
print(bytes(pkt))
# b'E\x00\x00\x14\x00\x ...
# Which is packet's raw bytes

using "/" to concat

udp_pkt = IP(dst="127.0.0.1") / UDP(dport=80, sport=65001)

send it!

send(udp_pkt)

Examples

UDP data "AAA"

udp_pkt = IP(dst="127.0.0.1") / UDP(dport=777, sport=8888) / b"AAA"
send(udp_pkt)

Examples

fake ARP Request

arp_pkt = ARP(op=ARP.who_has, psrc="1.1.1.1", pdst="8.8.8.8")
send(arp_pkt)

ARP Parmeters

op : ARP.who_has (ARP request)  / 

       ARP.is_at (ARP response)

psrc : ip source (e.g. "127.0.0.1")

pdst : ip destination

hwsrc : MAC source (e.g. "08:00:27:1e:0f:88")

hwdst : MAC destination

These maybe helpful in lab ...

How 2 look ARP Table?

Type command "arp".

How 2 Get Score?

Your Mission

VM1 (victim)

ping 8.8.8.8

VM2 (attacker)

ARP spoofing

Redirect

Router

Screenshot 1 : before atk

ping 8.8.8.8 and highlight
1. ICMP request's Ethernet Src & Dst
2. victim's ip & MAC

Screenshot 2 : atk's info

highlight attackers ip & mac

Screenshot 3 : after atk

ping 8.8.8.8 and highlight
ICMP request's Ethernet Src & Dst

Ether Dst must be equal to Attacker's MAC, 

And these ICMP may not respond in a row.

Submit these 3 pics You'll get full scores!

Or you can webcast it :).

How to Prevent?

  • DAI (Dynamic ARP Inspection)

    • ​Bind ip & mac

Prevent ARP Spoofing

Another Net Setting

(If you cannot use bridge mode to ping 8.8.8.8, like you're using dorm's networks)

Network Topology Comp

mode Bridge

Host

VM1

mode NAT

Router

Router

Host

VM1

VM2

VM2

NAT

(+virtual router)

Network Topology Comp

mode Bridge

mode NAT

  • Host & VMs are in same LAN
  • Host can connect to VMs
  • VMs can connect to Host
  • Host & VMs are not in same LAN
  • VMs can connect to Host
  • Host cannot connect to VMs
  • VMs connect Internet by NAT mechanism in host.

NAT Network Setting

Step 1 : Create NAT Env

NAT Network Setting

Step 2 : VM's Net Setting

It should be "NAT Networks", not NAT.

if using NAT, your VMs cannot connect to each others.

NAT Network Setting

Step 3 : Check Your VM

VM 1

VM 2

1. They should have different IP & MAC

2. Can ping each others.

3. Can ping 8.8.8.8

NAT Network Setting

Step 4 : Enjoy your attack!

NASA Lab

By Arvin Liu

NASA Lab

NASA Lab - DoS by ARP Spoofing

  • 978