INFO3007 Network Security
Practical 1, Spring 2022
Due: 11:59pm on the Thursday of the week in which the practical is held.
Introduction
Shown in the figure below is part of a diagram used in Lecture 1, with regard to ARP Cache Poisoning. The main objective of this practical is to use a program to perform ARP cache poisoning attacks on the ARP cache of a target computer and indirectly via the default gateway.
IP Address  | MAC Address
192.168.1.1 | A_MAC_Addr
192.168.1.2 | MAC_PC2
• ARP Cache Poisoning Attack
o Performed by changing (or poisoning) the MAC address part of an entry in the target computer’s ARP cache
In the diagram, PC3 is the attack computer and PC4 is the target computer. The end result of the attack is:
• The default gateway’s MAC address in PC4’s ARP cache is replaced by another MAC address A_MAC_Addr.
In the diagram, symbols, e.g. A_MAC_Addr, are used to represent MAC addresses. The actual MAC address values should be used in an actual system. Note that the IP addresses of the default gateway and the computers in the lab, which is a VMware environment, may be different from those in the diagram. The actual IP addresses of the default gateway and computers in the lab can be found by the Windows command ipconfig and should be used in this practical.
Task 1. Scapy (1 mark)
The networking tool used in this practical is called Scapy, which can be used as a packet builder. This tool is a computer program written in Python and is run in the Python interpreter. Python is a comprehensive scripting language. For this subject, we are not going to study either Scapy or Python in depth. We use Scapy as a tool to perform some of the practical tasks and will only use a few of the functions or features in Scapy or Python. These functions and features are described and explained in the practical tasks where understanding them is important for the successful completion of the tasks.
Use the altadmin account to log on to a Windows machine. No password is required.
Step 1.1
Two Windows virtual machines (VMs), NS-W7a and NS-W7b (which may be named slightly differently in each year's VM environment), on the School’s VMware server are provided for each student. NS-W7a is used as the Attack Computer and NS-W7b as the Target Computer. (Students who are familiar with the Linux OS may use NS-Kali as the Attacker instead.)
Windows 7 VMs are used instead of Windows 10 as Windows 7 has less demand on resources than Windows 10. Running a large number of Windows 10 VMs may slow down the VMWare server.
The networking tool used in this practical is Scapy and it can be run by opening a Windows command window and entering the Scapy command.
In this task, we use Scapy to build an ARP query to get the MAC address of another computer connected to the same LAN. Firstly, we need to know the IP address of the target computer, which can be found by running the command ipconfig on the target computer.
1.2.1 Write down the IP address of the target computer.
To send a Layer 2 frame by Scapy and to get a reply, the Scapy srp command is used.
The function srp is the Scapy Send&Receive function, which sends packets onto the network through a network interface card and receives the replies, if any. For example,
ans,unans=srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.1.134"),timeout=2, iface="eth0")
The above command broadcasts an ARP query onto the network connected to the network interface eth0 for the MAC address of another computer having an IP address of 192.168.1.134. Successful replies will be appended to the first list ans, while a sent packet which does not get a reply, after the timeout=2 sec, will be appended to the second list unans.
Note that Scapy fills in default values of those parameters which are not specified in the command. For example, if the parameter iface is not specified, Scapy will use a default interface:
ans,unans=srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.1.134"),timeout=2)
In all the practicals where Scapy commands are used, it is not necessary to specify the iface parameter unless Scapy is not able to find the correct one.
Windows 7’s Firewall may interfere with some of the tasks below. It is better to disable it if it has not been done:
• Click Start → Control Panel → System and Security → Windows Firewall → Turn Windows Firewall on or off
o Select both Turn off Windows Firewall (not recommended) options and then click OK
o Close the Control Panel window
Note that like other command prompts, Scapy command prompt has command history enabled, i.e., you could retrieve a previously entered command using the up arrow key. However, if Scapy is closed/terminated, command history may be lost.
Note that a,b are used instead of ans,unans, as they are just names for the output variables. In the above screenshot, the iface parameter was not specified, so Scapy used the default value. However, sometimes the default does not work and iface needs to be specified. There is no effective way to find out the NIC label of a Windows computer, i.e., your VM’s NIC may not be eth0. One way to find out is to try iface="eth0", iface="eth1", iface="eth2", etc. until you get an answer.
The above screenshot shows an example in using the function srp to send an ARP query to IP address = 192.168.1.134, and the different ways in showing the contents of the first output argument, which in this example is a.
The method show() displays the contents of a in a higher level format: sent packet ==> received packet
From the received packet, it can be found that the MAC address of the computer of IP address = 192.168.1.134 is 00:0c:29:24:9b:8b
Step 1.3 Use the Scapy srp command on the attack computer to find out the MAC address of the target computer, assuming that you don’t have physical access to the target computer, except to find out its IP address.
1.3.1a Write down the Target’s MAC address found by your Scapy srp command.
1.3.1b Screenshot (which must include the area of the window where your Student ID is) of the Windows command terminal showing the execution and complete results of the above Scapy command.
Reminder: A screenshot must include the area of the window where the Student ID is, as specified in the document "Practical Screenshot Requirements". No marks will be given for the answers associated with this screenshot if the requirements are not met.
Task 2. ARP DoS Attack (1.5 marks)
In theory, an ARP DoS Attack can be carried out by sending ARP queries continuously to the target computer where the query contains:
- a spoofed, (but valid) source IP address of the computer you want to masquerade
- a spoofed or an arbitrary MAC address
- the Target’s IP address
In Scapy command format, an ARP query to perform an ARP attack looks like this:
sendp(Ether(dst="Target MAC address")/ARP(hwsrc="Spoofed source MAC address", psrc="Spoofed source IP address", pdst="Target IP address"), loop=1, inter=1)
In theory, dst="ff:ff:ff:ff:ff:ff". However, for the attack to work, dst has to be equal to the MAC address of the target computer.
The function sendp is used instead in this case, since we are not interested in receiving any replies from the target computer.
The parameters loop=1 and inter=1 in the command cause Scapy to resend the frame every 1 second.
Effectively, the above command enables you to place the following IP-MAC address pair into the ARP cache of the target computer of IP address Target IP Address and keep it there:
Spoofed source IP address : Spoofed source MAC address
When the target computer uses this address-pair to send packets, these addresses will be used as destination addresses. If the addresses are “poisoned”, packets will be sent to the wrong place. Refer to Lecture 1 for details of ARP Cache Poisoning.
In the example below, the pair of addresses are 192.168.0.2 : 00:11:22:33:44:55.
The screenshot above shows an example of using Scapy to perform an ARP Cache Poisoning attack on another computer of IP address pdst="192.168.0.203" and MAC address dst. The Spoofed source IP address in this example is 192.168.0.2, i.e., the computer sending these packets does not have this address, but masquerades as this address. The source MAC address hwsrc is a random MAC address.
The sequence of dots after the command shows that packets are being sent from Scapy, with each dot representing one packet. If only three dots are shown, the command is not working.
Step 2.1 On the attack computer,
- Run Scapy using a Windows Command terminal
- Enter the above sendp command, but replace the address values so that the command places the following pair of addresses in the target computer’s ARP cache:
Default gateway’s IP address : a random MAC address
where the random MAC address should NOT be any pre-defined MAC address such as ff:ff:ff:ff:ff:ff and should start with 00. That is:
Spoofed Source IP address = Default Gateway’s IP address
Spoofed Source MAC address = A random MAC address
The above command, if entered correctly, will perform a DoS on the target computer in that the target computer will not be able to reach the default gateway and hence the Internet. It can be confirmed by pinging the default gateway from the target computer during the attack.
2.1.1 Screenshot (which must include the area of the window where your Student ID is) of the Windows command terminal showing the successful execution of the Scapy command
Step 2.2 Test if the attack is successful by pinging the default gateway from the target computer.
Step 2.3 If the attack is successful and while the above command is running on the attack computer, open a Windows command window on the target computer and use the Windows command arp -a to show the contents of the ARP cache on the target computer.
2.3.1a Screenshot (which must include the area of the window where your Student ID is) of the Windows command terminal showing the execution and complete results of the arp -a command.
2.3.1b Write down the entry of the Target’s ARP cache relevant to this practical task, i.e., the IP-MAC address pair for the Default Gateway in the ARP cache.
Press Control-C to stop the Scapy command.
2.3.2 Write down the answer to the following question.
Why is it necessary to continuously send ARP frames to the target computer in this attack? Hint: There are at least two reasons due to the characteristics of the ARP cache and the ARP protocol. What are these reasons?
Task 3. Traffic Redirection from a Target Computer (0.5 mark)
Step 3.1 Type the same sendp command in Task 2 to the Scapy prompt, except that hwsrc is equal to the MAC address of the attack computer’s NIC instead of a random MAC address.
Hence, the hwsrc parameter may be omitted since Scapy will put in the default value, which is the MAC address of the attack computer’s NIC.
Run the sendp command to make sure it works, i.e., no errors, and Control-C to stop the command.
Step 3.2 Run Wireshark to capture all traffic on the attack computer
Step 3.3 On the attack computer, run the sendp command in Step 3.1 again. On the target computer, ping the default gateway.
3.3.1 Screenshot (which must include the area of the window where your Student ID is) of the Windows command terminal showing the execution and complete results of the Scapy command in Step 3.3.
Step 3.4 Stop the Scapy command and Wireshark.
• In the Wireshark capture, locate the packets which can be used to confirm that the pings from the target computer to the default gateway were indeed directed to the attack computer instead of being sent to the default gateway.
3.4.1 Screenshot (which must include the area of the window where your Student ID is) of Wireshark showing the relevant captured packets in Step 3.4.
Optional Task 5
This section of the practical task is for students who would like to explore some of the practical tasks further by using some investigation. This task is not assessed, i.e., no marks.
In Task 3, packets, i.e., ICMP echo requests, from the target computer to the Default Gateway were redirected to the attack computer. The packets were captured by the use of Wireshark. Instead, the packets may be captured with Scapy, e.g., using Scapy’s sniff() function.
Step 5.1 Repeat Task 3, but try using Scapy’s sniff() function to capture the re-directed ICMP echo requests instead.
Another enhancement to Task 3 is to forward the captured packets to the intended destination, i.e., the Default Gateway. In this case, knowledge of how to forward packets using the OS of the computer, or how to write a program, e.g., in Python, to capture and forward the packets is required.
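The frames built by the sendp commands in Tasks 2 and 3 leave two observable symptoms on the target side: in Task 2 the ARP sender MAC (hwsrc) is a random value that differs from the Ethernet source address of the attack computer's NIC, and in both Tasks 2 and 3 the Default Gateway's IP address suddenly claims a MAC that differs from the one already cached. The following detector, an added example that is not part of the practical or of Scapy, implements both checks in plain Python over constructed Ethernet/ARP frames with the same fields that Ether()/ARP() expose, so it also shows what a sniff() callback in Task 5 would inspect. The names build_arp, parse_arp, ArpWatch and demo, and all IP and MAC addresses in it, are constructed placeholders, not lab values.

```python
import struct
from ipaddress import ip_address

ARP_ETHERTYPE = 0x0806
# Constructed lab addresses (placeholders standing in for the real ipconfig values)
GW_IP, GW_MAC = "192.168.1.1", "00:0c:29:aa:bb:01"
TARGET_IP, TARGET_MAC = "192.168.1.4", "00:0c:29:aa:bb:04"
ATTACKER_MAC, RANDOM_MAC = "00:0c:29:aa:bb:03", "00:11:22:33:44:55"
def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)

def build_arp(eth_src, eth_dst, op, hwsrc, psrc, hwdst, pdst):
    """Constructed Ethernet+ARP frame using the same fields Scapy's Ether()/ARP() expose."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet/IPv4, hlen 6, plen 4, opcode
    return (eth + arp + mac_bytes(hwsrc) + ip_address(psrc).packed
            + mac_bytes(hwdst) + ip_address(pdst).packed)

def parse_arp(frame):  # ARP fields a detector needs, or None if the frame is not ARP
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    return {"eth_src": mac_str(frame[6:12]), "hwsrc": mac_str(frame[22:28]),
            "psrc": str(ip_address(frame[28:32])), "pdst": str(ip_address(frame[38:42]))}

class ArpWatch:
    """Keeps the IP->MAC bindings seen in ARP traffic and flags poisoning symptoms."""
    def __init__(self, trusted=None):
        self.table = dict(trusted or {})   # e.g. the gateway binding recorded at boot

    def observe(self, frame):
        a, alerts = parse_arp(frame), []
        if a is None:
            return alerts
        # Task 2 symptom: ARP sender MAC (hwsrc) differs from the frame's Ethernet source
        if a["hwsrc"] != a["eth_src"]:
            alerts.append(f"hwsrc {a['hwsrc']} != Ethernet src {a['eth_src']} for {a['psrc']}")
        # Task 2 and Task 3 symptom: an IP already in the table claims a different MAC
        old = self.table.get(a["psrc"])
        if old is not None and old != a["hwsrc"]:
            alerts.append(f"{a['psrc']} changed from {old} to {a['hwsrc']}")
        else:
            self.table.setdefault(a["psrc"], a["hwsrc"])
        return alerts

def demo():
    """Feed a Task 2 style frame and a Task 3 style frame to a watcher that trusts the gateway."""
    watch = ArpWatch({GW_IP: GW_MAC})
    task2 = build_arp(ATTACKER_MAC, TARGET_MAC, 1, RANDOM_MAC, GW_IP, TARGET_MAC, TARGET_IP)
    task3 = build_arp(ATTACKER_MAC, TARGET_MAC, 1, ATTACKER_MAC, GW_IP, TARGET_MAC, TARGET_IP)
    return {"task2": watch.observe(task2), "task3": watch.observe(task3)}
```

The Task 3 frame passes the hwsrc check because the attack computer uses its real NIC address, which is why a detector must also remember earlier bindings rather than inspect each frame in isolation.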
A.1 Connection to the VMware server
Open a Web browser and enter the following url to connect to the School’s VMware server.
• URL: https://vsphereteaching.scem.westernsydney.edu.au/ui/
Log in with your CDMS user name and password.
Locating and taking a snapshot of a VM
After logging in, navigate to the subject folder where your VMs are. Right-click a VM, click Snapshots and take a snapshot of the VM. Note that the folder structure in the following diagram is different from yours.