Assign3 - Pen Testing


Man in the Middle Attack using ARP Poisoning in Ettercap

Overview of Man in the Middle Attack


A Man in the Middle (MITM) attack is a cyberattack where the attacker secretly intercepts and
relays messages between two parties who believe they are directly communicating with each
other.

Purpose of MITM attack


❖ The attacker aims to eavesdrop, modify, or inject false information into the
communication.

Key Elements
❖ Interception: Attacker intercepts communication between two parties.
❖ Relay: Attacker relays the communication, often after altering it.
❖ Eavesdropping: Attacker listens to the communication without detection.
❖ Data Manipulation: Attacker can modify the data being exchanged.

ARP Poisoning
ARP (Address Resolution Protocol) Poisoning, also known as ARP Spoofing, is a type of attack
where an attacker sends falsified ARP messages over a local network.

Purpose of ARP poisoning

o To associate the attacker's MAC address with the IP address of a legitimate computer or
server on the network.
o To redirect network traffic through the attacker's device.

How ARP Poisoning Works


o The attacker sends ARP replies containing their MAC address mapped to the IP address
of the target machines.
o The target machines update their ARP tables with the incorrect mapping.
o The attacker becomes the middleman, intercepting all communications between the
targets.

Benefits to the Attacker

o Data Interception: the attacker can capture sensitive data (passwords, private messages).
o Traffic Redirection: the attacker can redirect traffic to a falsified system to earn more
money (for example, Google pays more when a site's traffic is higher).

Tools used for ARP Poisoning Man in the Middle Attack


Ettercap
Ettercap is a comprehensive suite for man-in-the-middle attacks on a LAN. It features sniffing of
live connections, content filtering, and many other powerful features.

Capabilities:
❖ ARP poisoning
❖ Password interception
❖ Traffic manipulation

Another tool used to analyze the network


Wireshark
Wireshark is a network protocol analyzer that lets us capture and interactively browse the traffic
running on a computer network.

Capabilities:
❖ Network traffic capture
❖ Packet analysis
❖ Filtering and inspection of captured data

Setup for the Attack


Attacker's Machine
❖ Kali Linux: The primary machine used to perform the attack.

Targeted Machines (two)


❖ Windows 10 VM: Installed on Oracle VirtualBox.
❖ Kali Linux VM: Another instance, separate from the attacker's machine, also installed on
Oracle VirtualBox.
Launching the MITM attack using ARP Poisoning

Installing and configuring the targeted machines and the attacker's machine.

Here,
Attacker's machine → ZAGKali (ZAG is the abbreviation of Zohaib and Ghous)
Targeted machines → 1) Kali 2) ZAGWindows

Starting the targeted and attacker's machines

At this step, all the machines have the same IP address: VirtualBox assigns the same IP, 10.0.2.15,
to each virtual machine. For the machines to communicate with each other, each must have a unique
IP address, so we need to create an internal network.

Configuring the network

IP address of the Windows machine (targeted)

IP address of the Kali machine (targeted)

IP address of the ZAGKali machine (attacker)

Connected machines; the data is to be read by the attacker's machine

Windows MAC address

Kali's MAC address

The "arp -a" command shows the entries in the ARP (Address Resolution Protocol) table. It
displays information about each ARP entry, including the IP address, MAC address, port, and
state.

ARP table at the Windows machine


Enabling forwarding

The command "sysctl net.ipv4.ip_forward=1" is used to enable IP forwarding on a Linux system.


IP forwarding allows the system to pass network traffic from one network interface to another,
essentially acting as a router.

Process to launch attack


We'll poison the ARP caches of Kali and ZAGWindows, tricking them into sending their traffic
through us instead of where it's supposed to go. Once that's done, we're right smack in the
middle, intercepting and peeking at all the data passing between our targets and the network
gateway.
Using the Wireshark tool to analyze the network
How MAC addresses are spoofed

Selecting the eth0


Ettercap (5 hosts are in the added host list)

Here,
o 192.168.1.5 is the IP address of the ZAGWindows machine (targeted)
o 192.168.1.6 is the IP address of the Kali machine (targeted)
192.168.1.5 → added to target1
192.168.1.6 → added to target2

After clicking OK, the IP will be spoofed.

Results before and after the attack

Before ARP spoofing, compare the MAC address recorded against each IP address:

Attacker IP: 192.168.1.4
Attacker MAC: 08-00-27-95-4a-5c
Kali (targeted machine) IP: 192.168.1.6
Kali (targeted machine) MAC: 08-00-27-e9-5d-1f
ZAGWindows (targeted machine) IP: 192.168.1.5
ZAGWindows (targeted machine) MAC: 08-00-27-8b-c5-99

After spoofing:

Kali (targeted machine) IP: 192.168.1.6
Kali (targeted machine) MAC: 08-00-27-95-4a-5c (spoofed)
ZAGWindows (targeted machine) IP: 192.168.1.5
ZAGWindows (targeted machine) MAC: 08-00-27-95-4a-5c (spoofed)
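The "arp -a" listings above (the ARP table at the Windows machine, and the before/after mappings) can be checked mechanically rather than by eye. The following Python script is an added example written for this page, not part of the assignment: it parses text in the format of Windows "arp -a" output, compares two snapshots, and reports any IP whose MAC changed between them and any MAC that is now shared by several IPs, which is the signature the spoofed results show. The two snapshots are constructed here from the addresses reported above; the 224.0.0.22 multicast line is a made-up static entry included only to show that non-dynamic entries are skipped.

```python
import re
from collections import defaultdict

# Constructed sample output in the format of Windows "arp -a", using the
# addresses reported in this assignment before and after the poisoning.
# The 224.0.0.22 static entry is invented to exercise the "skip static" path.
ARP_BEFORE = """\
Interface: 192.168.1.5 --- 0x6
  Internet Address      Physical Address      Type
  192.168.1.4           08-00-27-95-4a-5c     dynamic
  192.168.1.6           08-00-27-e9-5d-1f     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

ARP_AFTER = """\
Interface: 192.168.1.5 --- 0x6
  Internet Address      Physical Address      Type
  192.168.1.4           08-00-27-95-4a-5c     dynamic
  192.168.1.6           08-00-27-95-4a-5c     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One table row: IPv4 address, MAC in either dash or colon form, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp_table(text):
    """Return {ip: mac} for dynamic entries; MACs normalised to lower-case colon form."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # header, interface line, blank
        ip, mac, kind = m.groups()
        if kind.lower() != "dynamic":     # static/multicast entries are not learned via ARP
            continue
        table[ip] = mac.lower().replace("-", ":")
    return table


def find_changed_macs(before, after):
    """IPs present in both snapshots whose MAC differs: (ip, old_mac, new_mac)."""
    return sorted(
        (ip, before[ip], after[ip])
        for ip in before
        if ip in after and before[ip] != after[ip]
    )


def find_shared_macs(table):
    """MACs claimed by more than one IP: {mac: [ip, ...]}. Normal on a LAN only
    for a router with several addresses, so each hit deserves a look."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_arp_tables(before_text, after_text):
    """Compare two "arp -a" snapshots and return both kinds of finding."""
    before = parse_arp_table(before_text)
    after = parse_arp_table(after_text)
    return {"changed": find_changed_macs(before, after),
            "shared": find_shared_macs(after)}


if __name__ == "__main__":
    result = check_arp_tables(ARP_BEFORE, ARP_AFTER)
    for ip, old, new in result["changed"]:
        print(f"MAC for {ip} changed: {old} -> {new}")
    for mac, ips in result["shared"].items():
        print(f"MAC {mac} is claimed by {', '.join(ips)}")
```

On the page's own data the script reports that 192.168.1.6 moved from 08:00:27:e9:5d:1f to 08:00:27:95:4a:5c and that 08:00:27:95:4a:5c is now claimed by both 192.168.1.4 and 192.168.1.6. Taking a snapshot at boot and diffing against it periodically is a cheap host-side check; a static ARP entry for the gateway removes the most valuable target from the dynamic table altogether.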
Analyzing the results in Wireshark
First packet which carried out the attack

This is the first packet of the attack. The attacker sends an ARP reply to the ZAGWindows machine
stating that the Kali machine's IP address (192.168.1.6) is at the attacker's own MAC address
rather than the correct MAC address, thereby spoofing the MAC address. ZAGWindows then updates
its ARP table. Because ZAGWindows wants to send packets to the Kali machine, every packet it now
sends to Kali goes to the attacker's machine instead of the original receiver.
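The packet described above is an unsolicited ARP reply whose sender MAC contradicts the mapping ZAGWindows already held, and those two properties are exactly what a defender can look for in the same Wireshark capture. The Python below is an added example, not part of the assignment and not a feature of Ettercap or Wireshark: it parses raw Ethernet/ARP frames, pairs each reply with an outstanding request, and flags replies that answer no request or that change a previously learned IP-to-MAC binding. The three frames are constructed in the script from the addresses reported in this assignment; the gateway and the other hosts in the Ettercap list are omitted.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", "").replace("-", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(oper, sha, spa, tha, tpa, eth_dst=None):
    """Ethernet II + ARP (IPv4 over Ethernet) frame, 42 bytes. Used here only to
    construct sample traffic; a real monitor would read frames from a pcap."""
    eth = mac_bytes(eth_dst or tha) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def parse_arp_frame(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(frame[6:12]), "oper": oper,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


class ArpWatcher:
    """Flags replies that answer no outstanding request, and sender IP->MAC
    bindings that contradict what was learned earlier on the segment."""

    def __init__(self):
        self.pending = set()    # (requester ip, requested ip) awaiting a reply
        self.bindings = {}      # ip -> mac as first seen

    def observe(self, frame):
        p = parse_arp_frame(frame)
        if p is None:
            return []
        alerts = []
        if p["oper"] == ARP_REQUEST:
            self.pending.add((p["spa"], p["tpa"]))
        elif p["oper"] == ARP_REPLY:
            key = (p["tpa"], p["spa"])
            if key in self.pending:
                self.pending.discard(key)
            else:
                alerts.append(f"unsolicited reply to {p['tpa']}: {p['spa']} is-at {p['sha']}")
        known = self.bindings.setdefault(p["spa"], p["sha"])
        if known != p["sha"]:
            alerts.append(f"binding conflict for {p['spa']}: learned {known}, now {p['sha']}")
        return alerts


# Addresses as reported in the assignment; the frames themselves are constructed.
WINDOWS = ("192.168.1.5", "08:00:27:8b:c5:99")
KALI = ("192.168.1.6", "08:00:27:e9:5d:1f")
ATTACKER_MAC = "08:00:27:95:4a:5c"

SAMPLE_FRAMES = [
    # 1. ZAGWindows asks who has 192.168.1.6 (broadcast request)
    build_arp_frame(ARP_REQUEST, WINDOWS[1], WINDOWS[0], ZERO_MAC, KALI[0], eth_dst=BROADCAST),
    # 2. Kali answers with its real MAC
    build_arp_frame(ARP_REPLY, KALI[1], KALI[0], WINDOWS[1], WINDOWS[0]),
    # 3. Poisoning reply: 192.168.1.6 claimed at the attacker's MAC, no request outstanding
    build_arp_frame(ARP_REPLY, ATTACKER_MAC, KALI[0], WINDOWS[1], WINDOWS[0]),
]


def scan_frames(frames):
    """Run the watcher over a frame list and return every alert raised."""
    watcher = ArpWatcher()
    alerts = []
    for frame in frames:
        alerts.extend(watcher.observe(frame))
    return alerts


if __name__ == "__main__":
    for alert in scan_frames(SAMPLE_FRAMES):
        print(alert)
```

Only the third frame raises alerts, once for being unsolicited and once for contradicting the binding learned from Kali's genuine reply. The same two signals are what arpwatch alerts on, and a switch with dynamic ARP inspection enforces the binding check in hardware; note that the request/reply pairing alone is not sufficient, since a gratuitous ARP sent legitimately after an interface comes up is also unsolicited, which is why the binding conflict is kept as a separate finding.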
Sniffing the data

Now we are going to sniff the data. At the ZAGWindows machine we will provide some login details,
and after pressing the login button the credentials will automatically be sniffed. I have
configured my targets with ZAGWindows as target2 and the gateway address as target1. Every piece
of information that ZAGWindows sends to the router, and that the router sends to ZAGWindows, will
be sniffed and all data goes to the attacker's machine, as we have spoofed the IP addresses.

After pressing the login button, the username and password will be sniffed; Ettercap and Wireshark
will render this information. Check out the last result.

Packet capturing results in Wireshark


Our Learning and Findings
Through our exploration and hands-on experience with Man-in-the-Middle (MITM) attacks
using ARP poisoning, we delved deep into the mechanics, tools, and processes involved in
executing such attacks.
❖ We gained a comprehensive understanding of executing a Man-in-the-Middle (MITM)
attack using ARP poisoning.
❖ We learned that ARP poisoning involves sending falsified ARP messages to associate the
attacker’s MAC address with the IP address of a legitimate network device, allowing
interception and manipulation of network traffic.
❖ We used Kali Linux as our attacker’s machine and Windows 10 and another Kali Linux VM
as targets, configured within Oracle VirtualBox.
❖ Ettercap facilitated the ARP poisoning, password interception, and traffic manipulation,
while Wireshark enabled us to capture and analyze network traffic, confirming the
success of our attack.
Our findings revealed how easily an attacker could intercept and manipulate data between
targeted machines, emphasizing the critical need for robust network security measures. We
observed that the targeted machines' ARP tables were successfully poisoned, redirecting their
traffic through the attacker’s machine.
This activity highlighted the importance of implementing secure communication protocols,
continuous network monitoring, and awareness to effectively defend against such cybersecurity
threats. The practical use of tools like Ettercap and Wireshark demonstrated the potential for
significant security breaches if proper precautions are not taken.
