Contents

ARP Protocol
ARP Protocol Process
Let's Begin the ARP Poisoning Attack
Start Sniffing with Ettercap
Demonstrate MITM with Wireshark
Combining DNS Spoofing with Sniffing
Capturing NTLM Passwords
Combining DHCP Spoofing with Sniffing
HTTP Password Sniffing
SMTP Password Sniffing
Capture Email of SMTP Server with Wireshark
ARP Attack Detection

ARP Protocol
The Address Resolution Protocol (ARP) is a communication protocol. It is used for discovering the link layer
address associated with a given Internet layer address, a critical function in the Internet protocol suite.
ARP was defined by RFC 826 in 1982 and is Internet Standard STD 37. ARP is also the name of the program
for manipulating these addresses in most operating systems.

ARP is used for mapping a network address (e.g. an IPv4 address) to a physical address like a MAC address.
For more details visit here.

ARP Protocol Process


The Address Resolution Protocol is in many ways similar to the Domain Name System (DNS). ARP resolves
known IP addresses to unknown MAC addresses in the same way that DNS resolves known domain names
to unknown IP addresses, as shown in the image below.

In the image, IP address 192.168.1.102 wants to communicate with IP address 192.168.1.101 but does
not know its physical (MAC) address. An ARP request is broadcast to all systems within that network,
including IP X.X.X.100, X.X.X.101 and X.X.X.103. When IP address X.X.X.101 receives the message, it
replies via unicast with an ARP reply. This response contains its physical (MAC) address,
BB-BB-BB-BB-BB-BB. The ARP reply information is then placed in the ARP cache and held there for a short
duration to reduce the amount of ARP traffic on the network. The ARP cache stores the IP, the MAC and a
timer for each entry. The timer's duration varies with the operating system in use: for example, Windows
may store the ARP cache entry for 2 minutes, while a Linux machine may retain it for 15 minutes or so.
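The request/reply exchange described above, as an added example that is not part of the original article: it builds and decodes Ethernet-framed ARP messages (RFC 826 layout) and replays the figure's exchange, where .102 broadcasts a request and .101 answers unicast with BB-BB-BB-BB-BB-BB. The MAC aa:aa:aa:aa:aa:aa for .102 is a constructed value, since the page does not give it.

```python
import struct

# Field values for Ethernet-framed ARP (RFC 826).
ETH_P_ARP = 0x0806
HW_ETHERNET, PROTO_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build one Ethernet frame carrying an ARP request or reply.
    A request is broadcast; a reply is unicast back to the asking host."""
    eth_dst = BROADCAST if op == OP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", HW_ETHERNET, PROTO_IPV4, 6, 4, op)
    arp += mac_bytes(sender_mac) + bytes(map(int, sender_ip.split(".")))
    arp += mac_bytes(target_mac) + bytes(map(int, target_ip.split(".")))
    return eth + arp

def parse_arp(frame):
    """Decode an Ethernet/ARP frame; raises ValueError for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an Ethernet ARP frame")
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    ip = lambda b: ".".join(str(x) for x in b)
    msg = {
        "op": "request" if op == OP_REQUEST else "reply",
        "eth_src": mac_str(frame[6:12]), "eth_dst": mac_str(frame[0:6]),
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip(frame[38:42]),
    }
    # Sanity check a monitor can apply: the ARP sender MAC should match the
    # Ethernet source address; a mismatch is worth logging.
    msg["src_consistent"] = msg["eth_src"] == msg["sender_mac"]
    return msg

def resolve_exchange():
    """The exchange from the figure: .102 asks for .101, .101 replies unicast.
    aa:aa:aa:aa:aa:aa is a constructed MAC for .102 (not given on the page)."""
    req = build_arp(OP_REQUEST, "aa:aa:aa:aa:aa:aa", "192.168.1.102",
                    "00:00:00:00:00:00", "192.168.1.101")
    rep = build_arp(OP_REPLY, "BB-BB-BB-BB-BB-BB", "192.168.1.101",
                    "aa:aa:aa:aa:aa:aa", "192.168.1.102")
    return parse_arp(req), parse_arp(rep)
```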

Let us now begin by exploiting the ARP protocol to our advantage!

Scenario: Consider the following scenario, in which two Windows host machines represent the victims,
Host A and Host B, and a Kali Linux machine, Host C, is used to target them. In the following image, you
can see that the attacker has conducted an ARP poisoning attack, which has poisoned the ARP tables by
binding the attacker's MAC address to the IP addresses of both hosts A and B.

Let’s Begin the ARP Poisoning Attack
The first step is to clear the ARP cache on both hosts by typing arp -d in the command prompt. Then
ping Host A to obtain a reply and type arp -a. This will show you the physical (MAC) address of the
Host A machine.

arp -d
ping 192.168.0.101
arp -a

Similarly, let us repeat the same steps on the other system, Host B.

Start Sniffing with Ettercap


Let us now start to exploit both Host A and Host B. From the Host C machine, which is our Kali Linux, start
sniffing with the Ettercap tool as shown in the below image on Kali.

Go to Sniff and select Unified sniffing.

Select the network interface as appropriate. In this case, it is eth0. Click on OK.

Now go to the Hosts Tab and select Scan for Hosts as shown below to scan the connected system on a
local network.

You will get a list of all the scanned hosts, as shown below. Let us now select our targets from the host
list, X.X.X.101 and X.X.X.102. Add the targets one by one by clicking on Add to Target 1 and Add to
Target 2 respectively. From the given image, we can see that both targets are now added to our list.

Now go to MitM (man in the middle) and select ARP Poisoning. A dialog box will appear for optional
parameters.

Check the box "Sniff remote connection" and click OK.

Go to the start tab and click on "Start Sniffing" to target the hosts A and B added.

Let us now go to our Kali machine and open a terminal. Type the command ifconfig to determine our IP
address and physical (MAC) address. In our case, it is 00:0c:29:5b:8e:18, as highlighted in the given
image.

Now that we have started the ARP poisoning attack on both victim machines, X.X.X.101 and X.X.X.102,
from our Kali machine, typing arp -a at the command prompt on either host clearly shows that the
physical (MAC) address recorded for the other victim machine has changed to the physical (MAC) address
of the Kali machine. As shown above, the physical (MAC) addresses of both IP X.X.X.102 and IP X.X.X.107
are the same, which means that all traffic from host X.X.X.102 is passing through the Kali machine,
X.X.X.107.

Demonstrate MITM with Wireshark
Let us now open Wireshark on our Kali machine and analyse the packets. Filter the packets with the
following display filter: icmp && (eth.src == 00:0c:29:5b:8e:18 || eth.dst == 00:0c:29:5b:8e:18).
Here eth.src means Ethernet source and eth.dst means Ethernet destination; the MAC address used in both
is the physical (MAC) address of our Kali machine. What we see is that packets with source IP X.X.X.102
and destination IP X.X.X.101 are being captured by the Kali machine, which has the physical (MAC) address
00:0c:29:5b:8e:18, proving that sniffing of the victim machine is successful.

Combining DNS Spoofing with sniffing


Let us now exploit both of our victim machines with a DNS Spoofing attack.

From your Kali machine, go to the path /root/etc/ettercap/etter.dns, open the file and remove any
existing content, then add a wildcard A record of the form * A <your Kali Linux IP address> as shown
below, and save the file. This record makes every DNS name resolve to the Kali machine.

The next step is to go to the ettercap tool and select plugins, then click on Manage the Plugins as shown
below:

Now select the dns_spoof plug-in. Once selected, you will see a (*) sign on the said plug-in.

Now if from the victim machine we type the command ping www.google.com, you will observe that the
reply is getting received from IP X.X.X.107 which is the IP for our Kali machine, which means that the Kali
machine has become the DNS server for the victim machine.

Let us now add one more plug-in in the same way we added the dns_spoof plug-in. This time we will use
the remote_browser plug-in, as shown in the image below. Once this plug-in is enabled, you can capture
all the browser activity performed by the victim, including usernames and passwords.

Capturing NTLM passwords


Open a Kali terminal and type msfconsole. Once the console starts, type search http_ntlm, then type
use auxiliary/server/capture/http_ntlm, as shown in the image below:

This module attempts to quietly catch NTLM/LM Challenge hashes.

use auxiliary/server/capture/http_ntlm
set srvhost 192.168.0.107
set srvport 80
set uripath /
set johnpwfile /root/Desktop/
exploit

According to the trap set above for the victim, this module will capture the NTLM hash from the
victim's system when he opens any HTTP website in his browser, because the DNS spoofing redirects that
website to the attacker's IP.

The victim is attempting to browse IMDb.com in his web browser, but the page now requires
authentication and requests his username and password, as shown in the image below. If he tries to open
something else, let's say google.com, it will also ask for a username and password. Until the victim
submits his username and password, he cannot browse anything in his web browser.

As the victim enters username and password, the attacker in the background will capture the NTLM hash
on his system.

The attacker has captured the NTLMv2 hash. Let us now look at the details that were captured apart from
the hash value itself.

From the given image you can see that the attacker has captured two more things:

- Username: raj
- Machine name: WIN-1GKSSJ7D2AE

Now use John the Ripper to crack the ntlmv2 hash by executing the given below command.

john _netntlmv2

From the image below, you can confirm that we have successfully cracked the captured hash: the
username is raj and the password is 123.

Combining DHCP Spoofing with sniffing


DHCP spoofing: an attacker sets up a rogue DHCP server on the local network that answers clients'
requests with false IP configurations, so genuine clients accept the attacker's settings.

Go to ettercap and click on MitM. Select DHCP spoofing.

As shown in the image below, provide the necessary information:

- IP Pool: 168.0.200-210 (an IP range from which addresses are issued to systems connecting to the
network; this is what makes Ettercap act as the DHCP server)
- Netmask: 255.255.0 (as per the IP class)
- DNS Server IP: 168.0.1 (as per the IP class)

Click OK and Start sniffing.

I've enabled the "metasploitable server" here, and the image below shows the IP 192.168.0.202, which is
from the pool of IP ranges we provided on ettercap DHCP.

Let us now go to the client machine and try to connect to the Metasploitable server with an FTP (File
Transfer Protocol) client, as shown in the image below.

Provide the hostname (IP), user name, and password to connect to the FTP server.

From the image below, we can see that the FTP username and password supplied by the client are being
captured by Ettercap on the attacking host. In our case, it is User: msfadmin, PASS: msfadmin.

From the image below, you can see that we are now trying to connect to the Metasploitable server
(192.168.0.202) over telnet on port 23 using PuTTY. It will prompt for the username and password;
provide the necessary information.

From the above image, we can clearly see that ettercap has captured the credential information provided
by the user. In our case, it is User: msfadmin. Pass: msfadmin for telnet service.

HTTP Password Sniffing
Let us now do the same over HTTP (Hypertext Transfer Protocol).

From the below image, we can see DVWA service is running in our metasploitable server, through the
client browser let us type 192.168.0.202/dvwa/login.php, it will prompt for username and password,
let’s provide the credentials.

From the below image, we can see that ettercap has once again captured the username and password
provided by the user from the browser. In our case, it is username: admin and PASS: password for HTTP
service.

SMTP Password Sniffing
Lastly, let us try this with SMTP (Simple Mail Transfer Protocol) sniffing.

The first step is to configure an SMTP server in your environment. Please click here to see how we can
configure an SMTP server on a Windows machine.

Once the server is configured and email clients have been set up on the target machines, open Ettercap,
add both our targets, X.X.X.102 and X.X.X.104, and select ARP poisoning.

Now let us send an email from Target A to Target B as shown below.

Here, Target A, raj@pentestlab.local, is the sender, sending a message to Target B,
aarti@pentestlab.local, so port 25 (the SMTP service) comes into play.

The given below image has confirmed that Aarti has received raj’s mail successfully, while in the
background, the attacker is sniffing all the traffic passing through the router.

If we now go to the Ettercap console, we can clearly see that it has successfully sniffed the traffic between
Target A and Target B and captured the credential of Target A (Raj) as shown in the above image.

Capture Email of SMTP server with Wireshark
Go to Wireshark and apply the filter smtp && (eth.src == 00:0c:29:4a:47:75 || eth.dst ==
00:0c:29:4a:47:75); the MAC address in the filter is that of our Kali machine. You will observe that it
has captured packets from both of our target machines.

It has sniffed every SMTP packet and captured both email addresses, i.e. sender and receiver, along with
the message sent to Target B, "Hello friends, today we are performing SMTP sniffing", which shows that
our attack on the selected targets was successful, as shown in the image below.

Throughout this article, we discussed ways and techniques that can be used to exploit the ARP protocol
successfully. Let us now briefly discuss a technique that can be used to detect an ARP attack.

ARP Attack Detection
There are various tools available to detect ARP attacks. One of the most common is XArp, which we will
be using for this article.

We can run this tool on any host machine in the network to detect ARP attacks. The above image shows
the affected systems on the network highlighted in red (X). We can disconnect these hosts from the
network and decide upon the next course of action to mitigate this risk by implementing the following
controls:

1. Dynamic ARP Inspection (DAI)
2. DHCP snooping
3. VLAN hopping prevention
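As an added example, not XArp's own logic or code from the article, the check below implements the two signptoms the article describes: an IP whose MAC binding changes, and one MAC answering for several IPs (X.X.X.102 and X.X.X.107 both showing the Kali MAC). The ARP reply list is constructed sample data; only the Kali MAC 00:0c:29:5b:8e:18 comes from the article, and the optional trusted table of static IP-to-MAC pins is an assumption of this example.

```python
from collections import defaultdict

# Constructed sample: ARP replies as seen by a passive monitor on the LAN.
# 00:0c:29:5b:8e:18 is the Kali MAC from the article; the rest are made up.
SAMPLE_REPLIES = [
    ("192.168.0.101", "00:11:22:33:44:01"),
    ("192.168.0.102", "00:11:22:33:44:02"),
    ("192.168.0.107", "00:0c:29:5b:8e:18"),   # the Kali host's own address
    ("192.168.0.101", "00:0c:29:5b:8e:18"),   # .101 now mapped to Kali's MAC
    ("192.168.0.102", "00:0c:29:5b:8e:18"),   # .102 too
    ("192.168.0.101", "00:0c:29:5b:8e:18"),   # repeat: no new alert
]

class ArpMonitor:
    """Track IP-to-MAC bindings from ARP replies and raise alerts on anomalies."""

    def __init__(self, trusted=None):
        self.table = {}                       # ip -> last MAC seen
        self.claims = defaultdict(set)        # mac -> set of IPs it answered for
        self.trusted = {k: v.lower() for k, v in (trusted or {}).items()}
        self.alerts = []

    def observe(self, ip, mac):
        mac = mac.lower()
        prev = self.table.get(ip)
        if prev is not None and prev != mac:
            self.alerts.append(f"MAC change for {ip}: {prev} -> {mac}")
        if ip in self.trusted and self.trusted[ip] != mac:
            self.alerts.append(f"{ip} answered from untrusted MAC {mac}")
        self.table[ip] = mac
        self.claims[mac].add(ip)
        if len(self.claims[mac]) == 2:        # fire once, when a second IP appears
            ips = ", ".join(sorted(self.claims[mac]))
            self.alerts.append(f"{mac} answers for multiple IPs: {ips}")
        return len(self.alerts)

def run_monitor(replies=SAMPLE_REPLIES, trusted=None):
    """Feed replies through the monitor and return the list of alerts raised."""
    mon = ArpMonitor(trusted)
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon.alerts

if __name__ == "__main__":
    for line in run_monitor():
        print("ALERT:", line)
```

A MAC change is also normal when a host is replaced or a DHCP lease moves, so the static pins are what separate noise from a real conflict on the gateway and server addresses.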
