Security
20 June 2011 4 Comments

Man-In-The-Middle Attacks With Ettercap

Introduction

This post explains how to execute a man-in-the-middle attack on Linux. Only the actual attack is described here. The mechanisms of ARP poisoning and man-in-the-middle attacks are explained in a different post.

A man-in-the-middle attack can be achieved in various ways, but MITM through ARP poisoning is a common method.

In this post we demonstrate a MITM with the Ettercap tool. Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN, and pretty much the Swiss army knife of ARP poisoning. Every security researcher should include it in his toolbox, and it is included in the Backtrack Linux distribution. Ettercap features a pretty nice GUI, but in this post we only use the text mode.

Command Syntax

The ettercap program has the following syntax:

ettercap [OPTIONS] [TARGET1] [TARGET2]

The targets can be IPs and MACs, and specific TCP and UDP ports can also be targeted. A simple description of the TARGET1 and TARGET2 syntax is given below. Read the target specification section on the man page for details.

TARGET is in the form MAC/IPs/PORTs.

If you omit any of the parts, it means a wildcard is used for that part.

Examples:
//80         means ANY

Linux
18 June 2011 1 Comment

Packet Crafting on Linux Using Scapy

Introduction

Scapy is a powerful interactive packet manipulation tool, packet generator, network scanner, network discovery tool, and packet sniffer. It is written in Python, and is installed by default on Backtrack 4+. On Ubuntu it can be installed using this command:

sudo apt-get install scapy

The official scapy documentation is located here, and you may also need a Python Cheat Sheet.

Scapy Basics

Execute scapy at the command-line to run the Python interpreter with the scapy libraries loaded.

Start up scapy and run the ls() command. This will list all supported packet types.

$ scapy
Welcome to Scapy (2.0.0.5 beta)
>>> ls()
ARP        : ARP
ASN1_Packet : None
BOOTP      : BOOTP
CookedLinux : cooked linux
DHCP       : DHCP options
...more

List all available functions using lsc():

>>> lsc()
 sr               : Send and receive packets at layer 3
 sr1              : Send packets at layer 3 and return only the first answer
 srp              : Send and receive packets at layer 2
 srp1             : Send and receive packets at layer 2 and return only the first answer
 srloop           : Send a packet at layer 3 in loop and print the answer each time

The ls() command can do much more. Show the contents of the IP structure with ls(IP).

Tags: lsc, packet crafting, packet generator, scapy
Networking
18 June 2011 0 Comments

An Introduction to ARP Cache Poisoning

Other posts in the ARP series: The ARP protocol explained, Viewing and manipulating the ARP cache on Windows and Linux

Remember that each network interface maintains a table of (IP->MAC) mappings in its ARP cache. The ARP protocol packet has the following structure:

Structure of an ARP packet

There are two types of ARP packets: request and reply. The type is determined by the Operation Code field. The table below shows a scenario of normal operation:

  • Host A sends an ARP request looking for the MAC address of Host B
  • Host B responds with an ARP reply.

This ARP packet is encapsulated in an Ethernet frame with the following values:

Normally an ARP request is sent because the sender wants to talk to a given IP address and needs to find out the associated MAC address. But sometimes the sender generates an ARP packet to inform the receivers about some information, instead of asking for information. This is called gratuitous ARP and is commonly used in the following situations:

  • Duplicate address detection
  • Change of MAC address
  • Virtual IP

Routers and other network hardware may cache routing information gained from multiple gratuitous ARP packets. Read this page for more information. For gratuitous…

Tags: gratuitous, poisoning, reply, request, unsolicited
Networking
18 June 2011 0 Comments

Viewing and Manipulating the ARP Cache on Windows and Linux

Other posts in the ARP series: The ARP protocol explained and An introduction to ARP cache poisoning.

Both Windows and Linux have a tool called arp. I tested this with Windows 7 and Linux kernel 2.6.31, but this information should be true for just about every OS version since the dawn of TCP/IP.

Command Overview

Be aware that there is one ARP cache (table) per interface, as opposed to the routing table, which is global for the system.

Windows: arp.exe

Open a command prompt (you need administrator rights). Now you can type arp to execute the Windows ARP cache manager.

Display the current ARP entries for each interface with arp -a:

C:\>arp -a

Interface: 232.19.232.231 --- 0xb
Internet Address      Physical Address      Type
232.19.232.2          22-22-2c-27-ac-22     dynamic
232.19.232.22         22-21-f3-23-3e-23     dynamic
232.19.232.32         22-29-33-c1-c2-24     dynamic
232.19.232.91         22-2d-29-a9-33-17     dynamic
232.19.232.231        22-22-29-c2-22-b7     dynamic
232.19.232.242       …

Tags: arp.exe, clear cache, internet address, physical address
Networking
17 June 2011 3 Comments

The ARP Protocol Explained

Introduction

The Address Resolution Protocol, or ARP, is used for resolution of network-layer addresses (IP) to link-layer addresses (MAC). This post describes the basics of the ARP protocol; viewing and manipulating your ARP cache is discussed in the next post.

Other posts on the ARP protocol are available here:

  • Viewing and manipulating the ARP cache on Windows and Linux.
  • An introduction to ARP cache poisoning.

ARP Basics

When a system wants to send data to another computer, it prepares an IP packet with the appropriate destination IP. This packet is passed down to the link-layer (usually Ethernet). This layer needs to encapsulate the IP packet in an Ethernet frame before it can be sent.

An Ethernet frame must be addressed to a destination hardware address (MAC address). But which MAC address corresponds with the destination IP address? This is looked up in the ARP cache. The ARP cache contains mappings of the form (IP - MAC).

Source and Destination Hosts on the Same Local Network

The sending host will first look up the destination IP address in its routing table. If the destination IP is on the same physical network (subnet) then there are no routers between the host…