Spoofing is the act of masquerading as another system on the network. Generally, this is done by injecting false data in the network.
ARP
The Address Resolution Protocol (ARP) allows a system to find the MAC address that is associated with a certain IP address. This will only be effective for finding MAC addresses of other machines in the same local network (LAN), and not for those outside the LAN.
In order to resolve the MAC address of an IP address, a system will broadcast an ARP request over the local network. The request will look something like this:
Who has 172.26.24.151? Tell 172.26.24.253
specifying the IP address it wants to resolve (172.26.24.151).
The sender can expect a response from the system with the requested IP, which looks something like:
172.26.24.1 is at 00:00:0c:07:ac:29
Responses are stored locally on each machine in their ARP tables.
On Unix machines, the contents of the ARP table can be viewed by running arp -a.
ARP spoofing
In an ARP spoofing attack, an attacker broadcasts a continuous stream of ARP response packets for a certain targeted IP address with a false MAC address. Unfortunately, the other hosts on the network automatically accept these responses, even when they did not send out requests for that IP (incredibly insecure!).
As a result, all hosts in the network believe that the targeted IP resides at the false MAC address and will therefore send all traffic intended for the legitimate host to the malicious one.
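The two symptoms described above, replies that answer no request and an IP that suddenly maps to a different MAC, can be checked on the defending side. The following is an added example, not part of the original page: the ArpMonitor class, the build helper and all MAC addresses are constructed for illustration, and only the IP addresses come from the text.

```python
import struct
ARP_REQUEST, ARP_REPLY = 1, 2
FMT = "!HHBBH6s4s6s4s"  # RFC 826 ARP payload for Ethernet/IPv4 (28 bytes)

def parse_arp(payload):
    """Return (opcode, sender MAC, sender IP, target IP) from an ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    dotted = lambda b: ".".join(str(x) for x in b)
    return op, ":".join(f"{x:02x}" for x in sha), dotted(spa), dotted(tpa)

class ArpMonitor:
    """Flags replies nobody asked for and IP-to-MAC bindings that change."""
    def __init__(self):
        self.bindings = {}    # IP -> first MAC seen claiming it
        self.pending = set()  # (requester IP, requested IP) still unanswered

    def observe(self, payload):
        op, mac, sender_ip, target_ip = parse_arp(payload)
        alerts = []
        if op == ARP_REQUEST:
            self.pending.add((sender_ip, target_ip))
        elif op == ARP_REPLY:
            if (target_ip, sender_ip) in self.pending:
                self.pending.discard((target_ip, sender_ip))
            else:
                alerts.append(f"unsolicited reply: {sender_ip} is at {mac}")
        known = self.bindings.setdefault(sender_ip, mac)
        if known != mac:
            alerts.append(f"binding change: {sender_ip} was {known}, now {mac}")
        return alerts

def build(op, sha, spa, tha, tpa):
    """Pack a constructed ARP payload (sample data only)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack(FMT, 1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))

def demo():
    """Constructed capture: request, matching reply, then a reply with a new MAC."""
    host, peer, rogue = "02:00:00:00:00:02", "02:00:00:00:00:01", "02:00:00:00:00:66"
    frames = [build(1, host, "172.26.24.253", "00:00:00:00:00:00", "172.26.24.151"),
              build(2, peer, "172.26.24.151", host, "172.26.24.253"),
              build(2, rogue, "172.26.24.151", host, "172.26.24.253")]
    mon = ArpMonitor()
    return [mon.observe(f) for f in frames]

if __name__ == "__main__": print(demo())
```

Gratuitous ARP sent during failover or after an address change raises the same alerts, so each one is a lead to verify against the expected MAC for that IP.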
In Kali Linux, an ARP spoofing attack is easy to execute.
arpspoof [IP address to take over]
While the command is running, ARP responses are continuously broadcast until cancelled with ctrl + c.
This will restore the ARP tables of all hosts to their original state.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 80
Here --dport 80 is the port to which the request is being sent and --to-port 80 is the port on which the local HTTP server runs.