Tuesday, September 22, 2015

How to detect an ARP Spoofing Attack in your system?


If not redirected, please click here https://www.thesecuritybuddy.com/data-breaches-prevention/how-to-detect-arp-spoofing-attack-in-a-system/


In one of my last articles, I discussed ARP Spoofing. It is an attack in which an attacker sends falsified ARP messages over a local area network to link the victim's IP address with his own MAC address. As a result, all the traffic meant for the victim reaches the attacker first. The attacker can then steal sensitive information or use the position to prepare further attacks.


In this article I am going to describe how to detect whether your system is the target of an ARP Spoofing attack.

Preparing with tools


First, you need to install a few tools on your system. On Linux, you need tcpdump, Wireshark and arp-scan.



tcpdump is a command-line tool for capturing and analyzing network packets on a Linux system. You can install it using:


# sudo apt-get install tcpdump



You need arp-scan to list all the IP addresses in your local network together with their MAC addresses. You can install it using:


# sudo apt-get install arp-scan



Wireshark is another packet analyzer; its advantage is that it is GUI based. You can install it using:


# sudo apt-get install wireshark



Detecting ARP Spoofing Attack

Let's first analyze the system's network packets using Wireshark.

Type the following command in a terminal to open Wireshark:

# sudo wireshark



A Wireshark window will appear.

Select the proper interface for your system. On my system it is eth1; it may be different on yours.


On clicking Start, a window will appear listing the source IP address, destination IP address and a few other details of each packet.

Select any TCP or UDP packet. You will see a window like the one shown above.

Here, I have selected a packet whose source IP is 74.125.200.189 and whose destination is my IP.


Now, click on the Ethernet II field below.


If you look carefully, the source IP 74.125.200.189 is paired with the source MAC address 00:1f:3a:bc:7b:58.


Now, open a terminal and type:

# sudo arp-scan --interface=eth1 --localnet


It will show a list of IP addresses like the one below:

# sudo arp-scan --interface=eth1 --localnet
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.133 00:1f:3a:bc:7b:58 Pr_bc Ind.Co., Ltd.
192.168.1.138 *** (Unknown)
192.168.1.1 *** (Unknown)



So, you can see that the packet I had selected actually came from MAC address 00:1f:3a:bc:7b:58, which arp-scan maps to IP 192.168.1.133, an address in the local network. A packet from an outside address such as 74.125.200.189 should instead arrive carrying the MAC address of the gateway that forwards it into the network; here it arrives from another local host.

This means that someone has sent a falsified ARP message to link your IP with his MAC address, which is an ARP Spoofing attack.



You can confirm the same with tcpdump.

Open a terminal and type:

# sudo tcpdump -vXXn -e -i eth1 dst 192.168.1.116


This captures the packets destined for your IP address 192.168.1.116; -e prints the Ethernet header so that the source MAC is visible, -XX dumps each frame in hex, and -n disables name resolution.


Here is part of the output:

14:57:51.521068 00:1f:3a:bc:7b:58 > ****, ethertype IPv4 (0x0800), length 86: (tos 0x8, ttl 44, id 35883, offset 0, flags [none], proto UDP (17), length 72)

74.125.200.189.443 > 192.168.1.116.41334: UDP, length 44

0x0000: **** 001f 3abc 7b58 0800 4508 .H..6=..:.{V..E.
0x0010: 0048 8c2b 0000 2c11 2d1b 4a7d c8bd c0a8 .H.+..,.-.J}....
0x0020: 0174 01bb a176 0034 54a9 0087 e6d9 30be .t...v.4T.....0.
0x0030: ba35 de94 672a 603e 3fc8 5fa1 d8eb 3721 .5..g*`>?._...7!
0x0040: de39 f952 1bbf 722a 3afb 1812 2e04 6c9c .9.R..r*:.....l.
0x0050: 8a72 7d5e af95 .r}^..



Here too you can see that 74.125.200.189 arrives from MAC address 00:1f:3a:bc:7b:58, which is the MAC of a system in the local network (as per the arp-scan output).


# sudo arp-scan --interface=eth1 --localnet
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.133 00:1f:3a:bc:7b:58 Pr_bc Ind.Co., Ltd.
192.168.1.138 *** (Unknown)
192.168.1.1 *** (Unknown)

So, the system is undergoing an ARP Spoofing Attack.
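As an added worked example (not code from the original article), the following Python script automates the cross-check described above: it parses the arp-scan table and the tcpdump -e output, and flags any frame whose source IP lies outside the local network but whose source MAC is not the default gateway's. It also reports a MAC that answered arp-scan for more than one IP, a further sign of poisoning that the article itself does not cover. Assumptions: the local network is 192.168.1.0/24 with 192.168.1.1 as the default gateway; the gateway MAC 02:00:00:00:00:01, the destination MAC 02:00:00:00:00:10, the 192.168.1.138 MAC and the second (benign) packet are constructed placeholders, because the article redacts or does not show them.

```python
"""Cross-check tcpdump -e source MACs against the arp-scan table.

Added example, not from the original article. Assumes tcpdump output taken
with `-e -n` (link-level headers, no name resolution) and the text output of
`arp-scan --localnet`. The default gateway is assumed to be 192.168.1.1.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed arp-scan output modelled on the article's listing. The gateway
# MAC 02:00:00:00:00:01 and the 192.168.1.138 MAC are placeholders (redacted
# as *** in the article).
ARP_SCAN_OUTPUT = """\
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.133\t00:1f:3a:bc:7b:58\tPr_bc Ind.Co., Ltd.
192.168.1.138\t02:00:00:00:00:02\t(Unknown)
192.168.1.1\t02:00:00:00:00:01\t(Unknown)
"""

# Constructed `tcpdump -e -n` lines. The first frame is modelled on the
# article's packet (external source IP carried by the MAC of 192.168.1.133).
# The second is a benign packet from the documentation range 203.0.113.0/24
# arriving via the gateway MAC. The destination MAC is a placeholder.
TCPDUMP_OUTPUT = """\
14:57:51.521068 00:1f:3a:bc:7b:58 > 02:00:00:00:00:10, ethertype IPv4 (0x0800), length 86: (tos 0x8, ttl 44, id 35883, offset 0, flags [none], proto UDP (17), length 72)
    74.125.200.189.443 > 192.168.1.116.41334: UDP, length 44
14:57:52.004711 02:00:00:00:00:01 > 02:00:00:00:00:10, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 52, id 1001, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.5.443 > 192.168.1.116.50000: Flags [S.], seq 0, ack 1, win 65535, length 0
"""

ARP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f:]{17})\s+(.*)$", re.I)
FRAME_LINE = re.compile(r"^\S+\s+([0-9a-f:]{17}) > ([0-9a-f:]{17}), ethertype IPv4", re.I)
IP_LINE = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")


def parse_arp_scan(text):
    """Return {ip: mac} from arp-scan --localnet output (MACs lower-cased)."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def parse_tcpdump(text):
    """Pair each `tcpdump -e -n` frame header with the IP line that follows it."""
    frames, current = [], None
    for line in text.splitlines():
        fm = FRAME_LINE.match(line)
        if fm:
            current = {"src_mac": fm.group(1).lower(), "dst_mac": fm.group(2).lower()}
            continue
        im = IP_LINE.match(line)
        if im and current is not None:
            current["src_ip"], current["dst_ip"] = im.group(1), im.group(2)
            frames.append(current)
            current = None
    return frames


def find_suspicious(frames, arp_table, local_net, gateway_ip):
    """Flag frames whose source IP is outside the LAN but whose source MAC is
    not the gateway's. Returns a list of (src_ip, src_mac, owner_ip)."""
    net = ipaddress.ip_network(local_net)
    gateway_mac = arp_table.get(gateway_ip)
    mac_to_ip = {mac: ip for ip, mac in arp_table.items()}
    findings = []
    for f in frames:
        if ipaddress.ip_address(f["src_ip"]) in net:
            continue  # a LAN host speaks with its own MAC; nothing to compare
        if f["src_mac"] == gateway_mac:
            continue  # expected path: external traffic is forwarded by the gateway
        findings.append((f["src_ip"], f["src_mac"], mac_to_ip.get(f["src_mac"], "unknown")))
    return findings


def duplicate_macs(arp_table):
    """MACs that answered arp-scan for more than one IP (another sign of poisoning)."""
    by_mac = defaultdict(list)
    for ip, mac in arp_table.items():
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    table = parse_arp_scan(ARP_SCAN_OUTPUT)
    frames = parse_tcpdump(TCPDUMP_OUTPUT)
    for src_ip, src_mac, owner in find_suspicious(frames, table, "192.168.1.0/24", "192.168.1.1"):
        print(f"suspicious: {src_ip} arrived from {src_mac} (LAN host {owner}), not the gateway")
    for mac, ips in duplicate_macs(table).items():
        print(f"MAC {mac} answered for several IPs: {', '.join(ips)}")
```

On the constructed input the script reports the article's packet (74.125.200.189 delivered by the MAC of 192.168.1.133) and stays silent on the packet that arrived through the gateway. In practice, feed it `arp-scan --localnet` output captured before the incident, since a poisoned neighbour may also answer for the gateway's IP, which the duplicate-MAC check is there to catch.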


I think we are now quite clear about the ARP Spoofing attack and how to detect it. Hope it helped.
