ARP spoofing experiment

Grégoire Charvet - Hugo Fichter (2009400420) - Elinatan T. Jacobsen(2009380012)

Contents

ARP spoofing
    Introduction
    Technical perspective
        ARP Protocol
        ICMP Protocol
    The application
        Functional description
        JPCAP library
        Program architecture
    Tests results

Introduction

Our experiment consists in writing a program that performs ARP spoofing (also called "ARP poisoning") on a given IP address. The "attacker" must then answer ICMP echo requests (also referred to as "ping") with ICMP echo replies (casually called "pong"). Through this experiment we aimed at getting familiar with the Ethernet, ARP, IP and ICMP protocols and their programming. We did not pursue any criminal goal, hence our program cannot be used directly to perform a "man in the middle" attack, which is considered to be the principal application of ARP spoofing. Moreover, we conducted our tests on unused IP addresses in order not to disturb the network users. In this report, we assume the reader has basic knowledge about networking, including the layered networking architecture (at least the data link and network layers, Ethernet frames and IP datagrams).

Technical perspective

ARP Protocol

The Address Resolution Protocol (ARP) is a network level protocol for determining the MAC address of a host from its network address.

Structure of an ARP packet on an Ethernet network using IPv4 addresses:

• HARDWARE TYPE: 0x0001 for Ethernet
• PROTOCOL TYPE: 0x0800 for IPv4
• HARDWARE ADDRESS LENGTH: 6 (length in bytes of a MAC address)
• PROTOCOL ADDRESS LENGTH: 4 (length in bytes of an IPv4 address)

When a host A wants to send a packet to a host B on the same network and knows B's IP address, A first needs B's MAC address in order to send B an Ethernet frame. A will broadcast an ARP request on the network. Format of the request:

• OPERATION: 1 (request)
• SENDER HARDWARE ADDRESS: MAC address of A
• SENDER IP ADDRESS: IP address of A
• TARGET HARDWARE ADDRESS: 0 (the information A is looking for)
• TARGET IP ADDRESS: IP address of B

When B receives this packet, it will send to A (this packet is not broadcast) an ARP reply containing these fields:

• OPERATION: 2 (reply)
• SENDER HARDWARE ADDRESS: MAC address of B (the address A is looking for)
• SENDER IP ADDRESS: IP address of B
• TARGET HARDWARE ADDRESS: MAC address of A
• TARGET IP ADDRESS: IP address of A

Then A will use the MAC address of B to send B the IP packet it wants to send.
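As an added example (not the report's JPCAP code), the frame layout just described in Python: constructed Ethernet II + ARP frames, a parser for them, and a defender-side audit that flags the two signs a poisoned exchange leaves on the wire (a reply whose Ethernet source differs from its sender hardware address, and one IP answered by two MACs). All MAC and IP values are constructed sample data.

```python
import struct
# Added example, not the report's JPCAP code: constructed Ethernet II + ARP frames in the
# layout described above, a parser for them, and a defender-side consistency check.
ETH_ARP = 0x0806
ARP_HDR = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(o) for o in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa, eth_src=None, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Ethernet frame carrying an ARP packet (hardware type 1, protocol type 0x0800,
    address lengths 6 and 4). eth_src defaults to SHA; a spoofer may make them differ."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src or sha) + struct.pack("!H", ETH_ARP)
    arp = struct.pack(ARP_HDR, 1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                      mac_bytes(tha), ip_bytes(tpa))
    return eth + arp

def parse_arp(frame):
    """Decode an Ethernet/IPv4 ARP frame into its fields; None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_HDR, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(frame[6:12]), "op": op, "sha": mac_str(sha),
            "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}

def audit_replies(frames):
    """Two cheap indicators of the poisoning described above, evaluated on ARP replies only
    (requests do not populate caches): an Ethernet source MAC that differs from the sender
    hardware address, and one IP address answered by two different MACs over time."""
    claimed, alerts = {}, []
    for f in frames:
        a = parse_arp(f)
        if a is None or a["op"] != 2:
            continue
        if a["eth_src"] != a["sha"]:
            alerts.append(("eth-src/sha mismatch", a["spa"], a["eth_src"], a["sha"]))
        prev = claimed.setdefault(a["spa"], a["sha"])
        if prev != a["sha"]:
            alerts.append(("ip claimed by two macs", a["spa"], prev, a["sha"]))
    return alerts

# Constructed traffic: A asks for B, B answers, then a third station answers for B's IP.
A, B, C = "00:11:22:33:44:aa", "00:11:22:33:44:bb", "00:11:22:33:44:cc"
SAMPLE = [build_arp(1, A, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.2"),
          build_arp(2, B, "10.0.0.2", A, "10.0.0.1", eth_dst=A),
          build_arp(2, C, "10.0.0.2", A, "10.0.0.1", eth_src="00:11:22:33:44:dd", eth_dst=A)]
```

Running `audit_replies(SAMPLE)` yields one alert of each kind for the third frame; on a real capture the same check can be fed from any pcap reader.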

ICMP Protocol

The Internet Control Message Protocol (ICMP) consists of a set of error-reporting and query operations concerning the network. It is part of the network layer. ICMP packets are encapsulated in IP packets for delivery through the network. In our case we will only discuss the echo request and echo reply operations.

Structure of an echo request/reply packet:

• Type: 0 (request) or 8 (reply)
• Checksum: 2 complement of the packet

The identifier and sequence number are used by tools such as ping to keep track of a series of requests sent. They are not formally defined. When a host receives an echo request, it will reply to the sender with an echo reply. All the fields of the reply are identical to the request (including data) except for the type and checksum.
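As an added example (not the report's code), the checksum and the reply rule from this section in Python: the Internet checksum as specified in RFC 1071 (one's complement of the one's complement sum), an echo packet builder, the "copy everything but type and checksum" rule that the report's spoofing thread applies to echo requests, and a defender-side check that a captured reply really matches its request. Type values follow RFC 792 as used by the code; sample packets are constructed.

```python
import struct
# Added example, not the report's JPCAP code. Sample packets are constructed inline.
ECHO_REQUEST, ECHO_REPLY = 8, 0   # RFC 792 assigns 8 to echo request, 0 to echo reply
ICMP_HDR = "!BBHHH"               # type, code, checksum, identifier, sequence

def icmp_checksum(data):
    """RFC 1071 Internet checksum: one's complement of the 16-bit one's complement sum.
    Over a packet whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"             # odd length: pad with a zero byte for the sum only
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:              # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type, ident, seq, payload):
    """Echo packet with the checksum computed over header and data (checksum field zeroed)."""
    csum = icmp_checksum(struct.pack(ICMP_HDR, icmp_type, 0, 0, ident, seq) + payload)
    return struct.pack(ICMP_HDR, icmp_type, 0, csum, ident, seq) + payload

def checksum_ok(packet):
    return len(packet) >= 8 and icmp_checksum(packet) == 0

def make_reply(request):
    """The reply rule of this section: same identifier, sequence and data, type changed,
    checksum recomputed. Returns None for anything that is not a valid echo request."""
    if len(request) < 8:
        return None
    icmp_type, code, _, ident, seq = struct.unpack(ICMP_HDR, request[:8])
    if icmp_type != ECHO_REQUEST or code != 0 or not checksum_ok(request):
        return None
    return build_echo(ECHO_REPLY, ident, seq, request[8:])

def reply_matches(request, reply):
    """Defender-side check that a captured reply corresponds to the request:
    everything after the checksum field must be byte-identical and the checksum valid."""
    return (len(request) >= 8 and len(reply) >= 8
            and request[0] == ECHO_REQUEST and reply[0] == ECHO_REPLY
            and reply[1] == request[1] and reply[4:] == request[4:]
            and checksum_ok(reply))
```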

The application

In order to offer a pleasant experience to every user, our application offers a modern graphical interface. It is multiplatform (tested on Windows and Linux operating systems) and comes packed in a neat jar file. The application is written in Java and needs Oracle's Java Runtime Environment v.1.6. In order to run, administrator privileges are also needed. The program uses the Java JPCAP library. For the installation of the library, please refer to the following link: http://netresearch.ics.uci.edu/kfujii/jpcap/doc/

Functional description

The user is required to enter information about the spoofing operation:

• Network interface to use
• IP address to spoof
• MAC address to use (usually the MAC address of the interface)

Then our program will wait for broadcast ARP requests concerning the spoofed address and answer them with ARP replies.

JPCAP library

The JPCAP library offers an abstraction layer for networking operations. It allows easy capturing and sending of various types of packets at different levels. ARP packets and ICMP packets are used in our case.

Program architecture

In the first phase, the application gathers the attack information through the Swing graphical interface. Refer to: GUITool.java

Then the program passes these parameters to a forked thread performing the networking operations. This thread runs a loop waiting for packets of two types:

• ARP requests containing the spoofed IP address are answered with an ARP reply containing the MAC address entered earlier by the user
• ICMP echo requests on the spoofed IP are answered with the corresponding ICMP echo reply

Refer to: SpoofingThread.java

To run the program under Eclipse, one first has to change the project parameters so that there are no more "API access restriction" warnings.

Tests results

The first picture shows an empty ARP cache. It was taken before we began our ARP spoofing test. This empty ARP cache is on a Windows machine; the next picture shows it on a Mac machine.

Figure 1: Empty ARP cache Windows

Figure 2: Empty ARP cache Mac

We begin our test by running the Java code in Eclipse. In this tool (Figure 3) we can choose the interface for ARP spoofing. We choose 0:en0 with the address 169.254.187.106.

Figure 3: Choose interface

After clicking on the chosen interface the next window pops up (Figure 4), where we choose the IP and MAC address as shown in Figure 4.

Figure 4: Choose IP address and MAC address to be spoofed

When we start the spoofing another window pops up and shows that we have begun our ARP spoofing.

Figure 5: Spoofing

We ping the spoofed address 169.254.254.254 from the Windows PC that has the IP address 169.254.193.13, and see in Wireshark that we have the ARP request and answer.

Figure 6: Ping the spoofed address

Figure 7.a: ARP request and answer

Figure 7.b: The ARP cache after the operation

Now that 169.254.193.13 has the spoofed entry in its ARP cache, we can ping again and see that the ICMP packet is answered by the attacker.

Figure 8: Ping for ICMP

The next figure shows the ICMP request and answer.

Figure 9: ICMP request and answer

We first tried to do the ARP spoofing on a wireless network, but we did not get the right result. With the wired network we did not have any problem, and it gives the above results.