Attackers frequently modify address resolution tables to redirect communications away from a valid device to an attacker’s computer.

In this lab, you will be using ARP poisoning to redirect traffic from a victim’s computer to your own.

The purpose of this activity is to provide information regarding how these programs function in order that adequate defenses can be designed and implemented. These programs should never be used in a malicious fashion against another user.

Part 1: ARP Poisoning

In this project, you view the ARP table on your computer and make modifications to it. You will need a second, “victim” computer running on your network (and its IP address), as well as a default gateway, the router through which the network reaches other networks.

  1. Open the Settings for the Windows VM and click on Network. Disable Adapter 2 (the adapter attached to NAT) by unchecking Enable Network Adapter, then click OK. Both VMs should now use only the host-only network adapter. Start both the Windows VM and the Kali Linux VM.
  2. Open an admin Command Prompt window by searching for “Command Prompt” and clicking Run as administrator.
  3. View your current ARP table.
     arp -a
    

    The Internet Address is the IP address of another device on the network while the physical address is the MAC address of that device.

  4. Determine network addresses.
     ipconfig /all
    
  5. Record the IP address of the default gateway, which may be 192.168.56.1.
  6. Delete the ARP table entry of the default gateway by running arp -d with the gateway’s IP address (the address may vary).
     arp -d 192.168.56.1
    
  7. Repeat step 6, but now delete the Kali Linux IP.
  8. Verify that the entries are deleted in the ARP table.
     arp -a
    

    The IPs for both the default gateway and the Kali VM should be gone from the ARP table.

  9. In the Kali VM, open Terminal and run wireshark.
     sudo wireshark
    

    Open the eth0 interface.

  10. In the Windows VM, create dynamic entries in both computers’ ARP caches by pinging the Kali VM’s IP address (which may vary). Each side has to resolve the other’s address before the echo request and reply can be delivered.
    ping 192.168.56.102
    
  11. In the Kali VM, find and analyze the ARP and ICMP traffic in Wireshark.
  12. As a result of the ping command, the two VMs had to resolve each other’s IP address to a MAC address, and the result is cached in each system’s ARP table. In the Windows VM, verify that the new entry is now listed and record the physical (MAC) address of the Kali Linux computer.
    arp -a
    
  13. Run arp -s with the Kali VM’s IP address and MAC address to re-add that entry as a static entry (both values may vary).
    arp -s 192.168.56.102 08-00-27-23-ff-90
    

    If this fails, run netsh with the Kali IP and MAC address, which may vary.

    netsh.exe interface ipv4 add neighbors "Ethernet" 192.168.56.102 08-00-27-23-ff-90
    

    The -s flag adds a static entry to the ARP table; unlike a dynamic entry, a static entry is not overwritten by ARP replies that arrive later. That is exactly the behaviour ARP poisoning abuses. The attacker sends unsolicited, forged ARP replies to the victim claiming that the gateway’s IP address belongs to the attacker’s MAC address, and to the gateway claiming that the victim’s IP address belongs to the attacker’s MAC address. Both sides update their dynamic caches and from then on send each other’s traffic to the attacker, who forwards it so that nothing appears broken. If we were poisoning this network from Kali, we would be sending the Windows VM and the gateway the Kali MAC address for each other’s IP addresses.

  14. Repeat step 3 and confirm that there is an ARP table entry for the Kali VM.
  15. We could also do this in Kali. In the Kali VM, open the program ettercap-graphical and click the checkmark to accept the settings.
  16. Click the magnifying glass to scan for hosts on the network. Then, click on the button to the right of that for the hosts list.

    You should see hosts including the Windows VM’s IP address and MAC address. Ettercap also lets you add these hosts as the targets of a man-in-the-middle attack, which sends the forged ARP replies described above; we will not use that functionality in this lab.

  17. Close all windows.
  18. In Windows, delete all entries from the ARP table (the wildcard form arp -d * is equivalent).
    arp -d
    
  19. Close all windows.
  20. Write up a paragraph answering the following questions.
    1. How could an attacker use ARP poisoning to target a victim?
    2. How could a network administrator protect their network from ARP poisoning?
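The forged replies described in step 13, and the kind of check that answers question 2, as an added example that is not part of the lab handout. It builds the two ARP reply frames a man-in-the-middle sends (one to the victim, one to the gateway) with the plain struct module, decodes them again, and feeds them to a small arpwatch-style monitor that flags an IP address whose MAC changes or a MAC that suddenly claims two IP addresses. The Kali MAC is the one shown in the handout; the Windows and gateway MACs and the 192.168.56.101 address are assumed placeholders.

```python
"""Forged ARP replies and a cache-watcher that catches them (added example, not the
lab's own code). MAC/IP values are placeholders on the lab's 192.168.56.0/24 network."""
import struct

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2        # ARP opcode: reply


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def mac_str(b):
    return "-".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + 28-byte ARP reply. The receiver caches the sender binding,
    so in a forged reply sender_mac is the attacker's card and sender_ip is the
    address being impersonated."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, hlen, plen, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode an ARP frame; None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


def poison_pair(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """The two forged replies a man-in-the-middle keeps re-sending: the victim is told
    'gateway_ip is at attacker_mac', the gateway is told 'victim_ip is at attacker_mac'."""
    return [
        build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),
        build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip),
    ]


class ArpWatch:
    """arpwatch-style monitor of the IP->MAC bindings seen on the wire. Entries passed
    in `static` behave like `arp -s`: they are reported on but never overwritten."""

    def __init__(self, static=None):
        self.static = dict(static or {})
        self.table = dict(self.static)

    def observe(self, frame):
        """Learn the sender binding from one ARP frame; return a list of alert strings."""
        a = parse_arp(frame)
        if a is None:
            return []
        ip, mac = a["sender_ip"], a["sender_mac"]
        alerts = []
        old = self.table.get(ip)
        if old is not None and old != mac:
            alerts.append(f"{ip} changed from {old} to {mac}")
        others = [i for i, m in self.table.items() if m == mac and i != ip]
        if others:
            alerts.append(f"{mac} now claims {ip} as well as {', '.join(others)}")
        if ip not in self.static:  # a dynamic cache accepts the new binding
            self.table[ip] = mac
        return alerts


if __name__ == "__main__":
    kali, win, gw = "08-00-27-23-ff-90", "08-00-27-aa-bb-cc", "0a-00-27-00-00-0b"
    watcher = ArpWatch()
    watcher.observe(build_arp_reply(gw, "192.168.56.1", win, "192.168.56.101"))  # genuine
    for f in poison_pair(kali, win, "192.168.56.101", gw, "192.168.56.1"):
        for line in watcher.observe(f):
            print("ALERT:", line)
```

Running the script shows the two alerts a monitor sitting on the same segment would raise the moment the forged replies appear. Constructing an ArpWatch with static={"192.168.56.1": gateway_mac} mirrors what arp -s did in step 13: the forged reply is still reported, but the binding does not move.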

Part 2: Simulating a Hosts File Attack

Substituting a fraudulent IP address can be done by either attacking the Domain Name System (DNS) server or the local host table. Attackers can target a local hosts file to create new entries that will redirect users to their fraudulent site.

In this project, you add a fraudulent entry to the local hosts file.

  1. Turn off the Windows VM if it is on. Open the Settings for the Windows VM and click on Network. Enable Adapter 2 by checking Enable Network Adapter and confirming it is attached to NAT. Click OK.
  2. In the Windows VM, search the Start Menu for “Microsoft Edge” and click New InPrivate window.
  3. Go to the DuckDuckGo website at http://www.duckduckgo.com and then go to the Google website at http://www.google.com to verify that the names are correctly resolved.
  4. Now browse by IP address instead of by name. Go to http://52.149.246.39 for DuckDuckGo and http://142.251.40.164 for Google (these addresses may have changed since the lab was written).

    If Google does not load, open Command Prompt and ping Google’s website, then use the address the ping reports instead. On Windows the option is -n (not -c as on Linux); -n 1 sends a single request.

     ping -n 1 www.google.com
    
  5. Close the web browser.
  6. Open Notepad as an administrator: search the Start Menu for “Notepad” and click Run as administrator (Notepad is also listed under Start, Windows Accessories). If you receive a User Account Control prompt, click Yes.
  7. Click File and then Open. Click the file type drop-down arrow to change from Text Documents (*.txt) to All Files (*.*).
  8. Navigate to the file C:\Windows\System32\drivers\etc\hosts and open it.
  9. At the end of the file add the IP address of DuckDuckGo, a tab, and the Google website name. This maps Google’s name to DuckDuckGo’s address.

    52.149.246.39 www.google.com

  10. Click File and then Save to save the file.
  11. Repeat step 2 of this part to open an InPrivate browser window and then browse to http://www.google.com. If the browser still shows the old site, it may have cached the earlier DNS answer: close it, run ipconfig /flushdns in the admin Command Prompt, and try again.
  12. Return to the hosts file and remove this entry.
  13. Save the file.
  14. Close all windows.
  15. Write up a paragraph answering the following questions.
    1. Which website appears in step 11? Why?
    2. How could an attacker use a hosts file attack to target a victim?
    3. How could a security administrator prevent such an attack? Include the defense-in-depth approach.
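Why the override in step 9 wins over DNS, and how an administrator would audit a hosts file for it (question 3), as an added example that is not part of the lab handout. HOSTS_TEXT is a constructed copy of the default Windows hosts file with the lab’s line appended, and FAKE_DNS stands in for the real resolver with the two addresses the lab uses; the parser applies the rule that the first line naming a host wins, which is how Windows reads the file.

```python
"""Hosts-file override and audit (added example, not the lab's own code).
HOSTS_TEXT and FAKE_DNS are constructed stand-ins for the real file and resolver."""
import ipaddress

HOSTS_TEXT = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# 102.54.94.97     rhino.acme.com          # source server
#       127.0.0.1       localhost
#       ::1             localhost
52.149.246.39\twww.google.com
"""

# Stand-in DNS answers (the addresses the lab uses in Part 2, step 4).
FAKE_DNS = {"www.google.com": "142.251.40.164", "www.duckduckgo.com": "52.149.246.39"}


def parse_hosts(text):
    """Return {name: ip} for every active entry. '#' starts a comment, names are
    case-insensitive, and the first line that names a host wins (later duplicates
    are ignored, as Windows does)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()          # any run of spaces or tabs separates fields
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)   # skip malformed addresses instead of caching them
        except ValueError:
            continue
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def resolve(name, hosts, dns):
    """Mimic the client lookup order: the hosts file is consulted first and DNS
    is only asked on a miss. Returns (address, source)."""
    key = name.lower().rstrip(".")
    if key in hosts:
        return hosts[key], "hosts"
    if key in dns:
        return dns[key], "dns"
    return None, "nxdomain"


def audit_hosts(text):
    """Flag entries that bind a name to a routable address. A clean Windows hosts file
    contains only loopback (and possibly link-local) bindings, so anything else is
    worth a human look; returns a list of (name, ip) findings."""
    findings = []
    for name, ip in parse_hosts(text).items():
        addr = ipaddress.ip_address(ip)
        if not (addr.is_loopback or addr.is_link_local):
            findings.append((name, ip))
    return findings


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_TEXT)
    for site in ("www.google.com", "www.duckduckgo.com"):
        print(site, "->", resolve(site, hosts, FAKE_DNS))
    print("suspicious:", audit_hosts(HOSTS_TEXT))
```

With the lab’s entry present, www.google.com resolves from the hosts file to DuckDuckGo’s address and never reaches DNS, while www.duckduckgo.com still goes to DNS. In a real deployment the audit would run against C:\Windows\System32\drivers\etc\hosts (read with administrative rights), and sites with internal names legitimately pinned to private addresses would add those to an allow-list before alerting.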
