Tuesday, September 26, 2017 14:41

Perl Arpspoofing / Packet Forwarding

Arpspoofing is one of the most common and simplest ways to perform a mitm (man-in-the-middle) attack. Not only is it trivial to do, but it is extremely effective, and it is often very easy to avoid detection.

To show this I have made a complete set of mitm tools that allow, first, for the interception of packets from a victim computer on the network by means of “tricking” that computer into thinking I am the router. I then have another program that is able to filter the packets and send them on transparently to the real router, hence not breaking the data stream. So long as I do not specifically arpspoof the router, it becomes a little (but not much) harder for an IDS to actually detect that I am now the mitm.

While in theory (and on wired networks) this is all well and good, on open and public networks there is often additional security in the form of both advanced IDS and source MAC filtering. This means that when a computer connects to a network, whatever MAC is used in the DHCP transaction is saved, and from then on any packets received from this computer’s IP whose MAC differs from the saved MAC are dropped. This makes it a LOT more difficult to stay in the middle of a connection transparently (both 1 way and 2 way). But there are two other options.
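The binding check described above, written out as an added detector (not one of the author’s tools): it parses raw Ethernet/ARP reply frames, keeps one MAC per IP seeded the way a DHCP-learned table would be, and flags both a frame whose Ethernet source disagrees with its ARP sender field and a second MAC claiming an already-bound IP. All MACs, IPs and frames below are constructed for the sample.

```python
import struct
from collections import namedtuple

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ArpReply = namedtuple("ArpReply", "eth_src sender_mac sender_ip target_mac target_ip")

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def parse_arp_reply(frame):
    """Return an ArpReply for an Ethernet/IPv4 ARP reply frame, None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size: return None  # truncated frame
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0806: return None  # not ARP
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, 2): return None  # not an Ethernet/IPv4 reply
    return ArpReply(mac_str(src), mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))

class ArpWatch:
    """One MAC per IP, seeded like the DHCP-learned table the post describes; alerts when a binding changes."""
    def __init__(self, bindings=None):
        self.bindings = dict(bindings or {})
    def observe(self, frame):  # returns alert strings for one frame; empty list means it is consistent
        r = parse_arp_reply(frame)
        if r is None: return []
        alerts = []
        if r.eth_src != r.sender_mac:  # Ethernet source and ARP payload disagree
            alerts.append(f"ethernet src {r.eth_src} != arp sender {r.sender_mac}")
        known = self.bindings.setdefault(r.sender_ip, r.sender_mac)  # first sighting is learned
        if known != r.sender_mac:  # a second MAC now claims a bound IP (the gateway, typically)
            alerts.append(f"{r.sender_ip} moved from {known} to {r.sender_mac}")
        return alerts

def build_arp_reply(eth_src, sha, spa, tha, tpa):
    """Constructed ARP reply frame for the sample below (not captured traffic)."""
    return ETH_HDR.pack(mac_bytes(tha), mac_bytes(eth_src), 0x0806) + ARP_HDR.pack(
        1, 0x0800, 6, 4, 2, mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))

GATEWAY_MAC, VICTIM_MAC, ROGUE_MAC = "02:00:00:00:00:01", "02:00:00:00:00:20", "02:00:00:00:00:99"
SAMPLE_FRAMES = [  # constructed: a genuine gateway reply, then a second host claiming the gateway IP
    build_arp_reply(GATEWAY_MAC, GATEWAY_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.20"),
    build_arp_reply(ROGUE_MAC, ROGUE_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.20"),
]

def run_sample():
    watch = ArpWatch({"192.168.1.1": GATEWAY_MAC})  # binding seeded from the DHCP lease, as in the post
    return [watch.observe(f) for f in SAMPLE_FRAMES]
```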

The most efficient option is to, when filtering and forwarding packets, change the incoming packet’s src IP to my own. This makes the packet valid, as it is now coming from my MAC and IP, which do not violate the saved MAC of the victim (as there is no mention of the victim at all). I then forward all packets addressed to my IP back to the victim’s computer. This has the obvious drawback of not being able to actually USE my connection, as it would be a little difficult to differentiate between packets addressed to me and packets for the victim. It has another drawback: any incoming SYN packets to the victim will be messed up completely (and will never see a reply). Luckily, incoming opening packets are rare on public networks most of the time. The final drawback is that a connection can only be used for a single mitm attack. It is 1 or nothing, so that’s life.

The other option is to spoof the victim’s MAC, but this has the drawback of needing a connection to exactly the same AP as the victim… It works if they are sitting within 10-20 meters of you, but apart from that, is not very useful.

Both options are implemented in my packet forwarding program. Both methods become obsolete with wired networks, of course, where normal packet forwarding works off the bat.

There is also a small script included to do an ARP scan on a range of IPs (exactly like nmap formatting) using “arping”, then resolve the name of whoever is up using “host”. You need the program “arping”, but if you don’t have it, get it. Arping rules.

Download will come later, after at least a little polish.