This project implements Address Resolution Protocol (ARP) spoofing/poisoning, a foundational Man-in-the-Middle (MiM) attack.
The attack exploits a vulnerability in the ARP protocol, tricking devices into associating the attacker’s MAC address with a legitimate IP address.
make
sudo ./ft_malcolm [HOST IP] [HOST MAC] [TARGET IP] [TARGET MAC] -v- HOST: This machine (attacker).
- TARGET: The victim device sending ARP requests.
- IP Format: IPv4 (e.g., 192.168.1.1).
- MAC Format:
xx:xx:xx:xx:xx:xx(separator can be:or-, case insensitive). -v: Enables verbose mode.
sudo ./ft_malcolm 10.0.2.15 08:00:27:e1:ad:e1 10.0.2.4 08:00:27:b9:e6:05 -v| Command | Description |
|---|---|
arp -a |
Displays the ARP table in a readable format. |
arp -d [IP ADDRESS] |
Deletes an IP address from the ARP table. |
sudo arping -c 1 -i [INTERFACE] [IP] |
Sends a single ARP request. Example: sudo arping -c 1 -i enp0s3 192.168.1.10 |
The following example simulates a MiM attack using two virtual machines (VMs) in VirtualBox.
-
Set Up Virtual Machines:
- Create 2 VMs (e.g., Ubuntu) with sufficient resources:
- 6.4 GB memory, 7 CPUs, 42 MB video memory, VMSVGA with 3D acceleration enabled.
- Virtual hard disks (10 GB is sufficient).
- Create 2 VMs (e.g., Ubuntu) with sufficient resources:
-
Configure Network Settings:
- Open VirtualBox > Tools > Network Manager.
- Under the NAT Networks tab, create a new NAT network if not already present.
- Attach both VMs to the same NAT network:
- Select VM > Settings > Network > Attached to:
NAT Network.
- Select VM > Settings > Network > Attached to:
-
Install Required Tools:
- VM1:
sudo apt install git make net-tools -y
- VM2:
sudo apt install net-tools arping -y
- VM1:
-
Run the Attack:
- VM1 (Attacker):
Clone, compile, and execute the program using VM2’s IP and MAC as targets. - VM2 (Victim):
Send an ARP request to the attacker’s IP.
- VM1 (Attacker):
-
Verify Results:
- On VM1, check the program output for ARP spoofing success.
- On VM2, inspect the ARP table with
arp -a.- The attacker’s MAC address should appear in the table for the host’s IP.
ARP spoofing manipulates network communication by sending forged ARP packets. This allows an attacker to intercept, modify, or redirect network traffic.
- Monitor the Network:
- Capture ARP packets using raw sockets.
- Craft Spoofed Packets:
- Replace the legitimate MAC address with the attacker’s.
- Send Forged Packets:
- Broadcast them to the network.
- Update ARP Tables:
- Devices update their tables with incorrect MAC-IP mappings.
- Intercept/Manipulate Traffic:
- The attacker now controls communication between devices.
A raw socket provides direct access to network protocols, bypassing standard APIs. This allows granular control of packet creation and manipulation, enabling custom headers and protocols.
Each ARP packet has a specific structure, as shown below:
| Layer | Field | Details |
|---|---|---|
| Ethernet Header | Destination MAC Address | Receiver's MAC address |
| Source MAC Address | Sender's MAC address | |
| EtherType | Identifies ARP (0x0806) |
|
| ARP Header | Hardware Type | Ethernet (1) |
| Protocol Type | IPv4 (0x0800) |
|
| Hardware Address Length | MAC address length (6) |
|
| Protocol Address Length | IPv4 address length (4) |
|
| Operation | ARP Request (1), ARP Reply (2) |
|
| Sender MAC Address | Source MAC address | |
| Sender IP Address | Source IP address | |
| Target MAC Address | Destination MAC address | |
| Target IP Address | Destination IP address |
To access specific layers:
- Calculate offsets based on the header sizes.
- Use raw sockets to extract or manipulate packet fields.
- Root Privilege Check: Ensures the program is run as root.
- Verbose Mode: Displays ARP requests received in real-time.
- Hostname Display: Shows source and target hostnames.