Help with ARP poisoning

Discussion in 'other security issues & news' started by nickk, Apr 16, 2005.

Thread Status:
Not open for further replies.
  1. nickk

    nickk Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    4
    Hi,

    I have been reading a tutorial on ARP poisoning, seems simple enough, and I'm eager to try it out on my own network. I am using a tool called "arptoxin". I have 2 PCs on my network, and a router, and I want to intercept traffic between one of the PCs and the router. The following info is relevant:
    Router (default gateway)=> IP: 192.168.168.230 MAC: 00-50-fc-67-39-XX
    PC A (the pc that is to do the intercepting) => IP: 192.168.168.247 MAC 00-08-02-A8-21-YY
    PC B (the one whose traffic I am going to intercept) => IP: 192.168.168.245 MAC: 00-60-08-94-8d-ZZ

    Note, both of these PCs are mine, and I just want to practise the skill, nothing illegal going on here.
    Now what I reckon I should do is:
    1) Send an ARP reply to the router and replace PC b's mac address with PC a's
    2) Send an ARP reply to PC b, replacing the default gateway's(routers) mac address with PC a's.
    3) Set up IP forwarding on PC a to forward traffic to and from the router and PC b

    I am planning to use the following arptoxin commands (all from PC a):
    1) arptoxin -ed 192.168.168.230 -sip 192.168.168.245
    2) arptoxin -ed 192.168.168.245 -sip 192.168.168.230
    3) NO idea how I am gonna go about doing this.

    Could someone please explain how I should go about doing IP forwarding, and how I should capture the traffic coming through PC a neatly (should I just use a packet capture program like Ethereal?). Also, are the commands for 1) and 2) correct?
     
  2. nickk

    nickk Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    4
    Ok, well I tried those 2 commands, and enabled IP forwarding as per http://support.microsoft.com/?kbid=315236.
    Now, when I try to go to, for example, hotmail.com from PC b, while having enabled Ethereal on PC a, I can see the queries (so the ARP poisoning worked in this part, PC b thinks PC a is the router) BUT, for some reason it seems as if there is no internet connection at PC b (so either the packets aren't getting forwarded from PC a to the router, or what?!). ANY suggestions will be appreciated.
     
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Is PC b sending the packets out to the router? If not, then the problem is with the forwarding - if it is, then the router may have detected the ARP hanky-panky (since it now has 2 MAC address entries for PC a and b's IP addresses) and decided to discard all subsequent packets - in this case clearing the router's ARP table should "fix" things.
     
  4. nickk

    nickk Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    4
    Personally I think it's the IP forwarding, would you mind taking a look at that link? Do you think just enabling it is enough? Do I need to reset my PC?
     
  5. nickk

    nickk Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    4
    <bump> o_O :(
     
  6. Matthijs

    Matthijs Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    1
    Location:
    Netherlands
    @nickk:

    I have successfully used arptoxin to realize that scenario. These were my setup details:

    Router (default gateway)=> IP: 192.168.1.1 MAC: 00:90:96:4D:E2:XX
    PC A (the pc that is to do the intercepting) => IP: 192.168.1.2 MAC 00:04:23:6B:14:YY
    PC B (the one whose traffic I am going to intercept) => IP: 192.168.1.6 MAC: 00:08:A1:76:E3:ZZ

    PC A is running WinXP SP1 and has the IPEnableRouter key set to 0x01. PC B is running WinXP SP1. I disabled the personal firewalls on both systems and ran Ethereal on PC A to capture traffic.

    I was able to capture traffic between Router and PC B on PC A while maintaining the normal network connectivity from/to PC B ("PC B didn't notice") after issuing this command:

    arptoxin -d 1 -ed 00:08:A1:76:E3:ZZ -sip 192.168.1.1 -smac 00:04:23:6B:14:YY

    For your setup, I guess it would translate to this:
    arptoxin -d 1 -ed 00-60-08-94-8d-ZZ -sip 192.168.168.230 -smac 00-08-02-A8-21-YY

    Please note the "-d 1" - be sure to supply the number of the right NIC (see "arptoxin -l"). Discarding that parameter results in arptoxin using NIC #0, which on my system translates to "Generic NdisWan adapter" which I didn't want to use.

    Your arptoxin output should now look like this:
    Tell 00-60-08-94-8d-ZZ that 192.168.168.230 is at 00-08-02-A8-21-YY

    Please let me know if it worked for you!
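    Paranoid2000's point above, that after the poisoning the router's ARP table holds one MAC answering for two IPs, and the "Tell ... that 192.168.168.230 is at 00-08-02-A8-21-YY" line in Matthijs's post, both describe what the spoofed replies look like on the wire. The following is an added defensive example, not code from this thread or from arptoxin: a small monitor that reads tcpdump-style ARP reply lines and raises an alert when a pinned gateway mapping is contradicted, when an IP's advertised MAC changes, or when one MAC starts answering for several IPs. The sample lines are constructed from the addresses nickk posted; the thread masks the last byte of each MAC, so those bytes are made up here.

```python
"""Flag the ARP-table inconsistencies a poisoned router or host ends up with.

Reads tcpdump-style ARP reply lines (constructed below) and applies three checks:
  1. an IP pinned by the operator (the gateway at minimum) claimed by another MAC;
  2. an IP whose advertised MAC differs from the one previously seen ("flip");
  3. one MAC answering for several IPs, which is how the router's table looks once
     the intercepting PC answers for PC B's address as well as its own.
"""
import re
from collections import defaultdict

# Matches the sender IP and MAC of a tcpdump ARP reply line; requests are ignored.
ARP_REPLY = re.compile(
    r"ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE,
)


def parse_arp_reply(line):
    """Return (sender_ip, sender_mac) for an ARP reply line, or None for anything else."""
    m = ARP_REPLY.search(line)
    if not m:
        return None
    return m.group(1), m.group(2).lower()


class ArpMonitor:
    def __init__(self, trusted=None):
        # trusted: ip -> mac pairs pinned by the operator (hypothetical values below)
        self.trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.seen = {}                   # ip -> last MAC that answered for it
        self.by_mac = defaultdict(set)   # mac -> set of IPs it has answered for
        self.alerts = []

    def observe(self, sender_ip, sender_mac):
        """Record one ARP reply and return the alerts it triggered (possibly none)."""
        new = []
        pinned = self.trusted.get(sender_ip)
        if pinned and pinned != sender_mac:
            new.append(f"pinned mapping violated: {sender_ip} claimed by {sender_mac}, expected {pinned}")
        prev = self.seen.get(sender_ip)
        if prev and prev != sender_mac:
            new.append(f"mac flip: {sender_ip} moved from {prev} to {sender_mac}")
        self.seen[sender_ip] = sender_mac
        self.by_mac[sender_mac].add(sender_ip)
        if len(self.by_mac[sender_mac]) > 1:
            new.append(f"shared mac: {sender_mac} answers for {sorted(self.by_mac[sender_mac])}")
        self.alerts.extend(new)
        return new

    def feed(self, lines):
        """Run every line through the parser and return all alerts accumulated so far."""
        for line in lines:
            parsed = parse_arp_reply(line)
            if parsed:
                self.observe(*parsed)
        return self.alerts


# Constructed capture lines using nickk's addresses; the last MAC byte is invented
# because the thread masks it (XX/YY/ZZ).
SAMPLE_LINES = [
    "ARP, Reply 192.168.168.230 is-at 00:50:fc:67:39:01, length 28",  # router, genuine
    "ARP, Reply 192.168.168.245 is-at 00:60:08:94:8d:03, length 28",  # PC B, genuine
    "ARP, Reply 192.168.168.247 is-at 00:08:02:a8:21:02, length 28",  # PC A, genuine
    "ARP, Request who-has 192.168.168.230 tell 192.168.168.245, length 28",  # not a reply
    "ARP, Reply 192.168.168.230 is-at 00:08:02:a8:21:02, length 28",  # PC A answering for the router
    "ARP, Reply 192.168.168.245 is-at 00:08:02:a8:21:02, length 28",  # PC A answering for PC B
]


def run_sample():
    """Pin the gateway's real MAC and replay the sample; returns the alert list."""
    monitor = ArpMonitor(trusted={"192.168.168.230": "00:50:fc:67:39:01"})
    return monitor.feed(SAMPLE_LINES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

    On the sample the two spoofed replies produce five alerts: the pinned-gateway violation and a flip for 192.168.168.230, then a flip for 192.168.168.245, and a "shared mac" alert each time because PC A's MAC now answers for three addresses. The shared-MAC check also fires for a legitimately multi-homed host, so treat it as corroboration; the pinned-gateway check is the one to act on.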
     