
Ettercorp

The document describes ARP poisoning using the tool Ettercap. It discusses ARP poisoning techniques like ARP request spoofing and ARP reply spoofing. It explains how ARP poisoning works and its anatomy to perform man-in-the-middle attacks. The existing and proposed systems for ARP poisoning are also covered.

ARP Poisoning using Ettercap

Submitted in partial fulfillment of the


requirements for the mini project (III Semester) of
M.Sc. in Cyber Security
in the Centre for Information Technology and Engineering of the
Manonmaniam Sundaranar University

By

SRIRAM KUMAR A

(Reg.No:20224012533117)

Under the Guidance of

Dr.P. Kumar, M.Sc., M.Tech., Ph.D., M.B.A.,

Associate Professor,
Centre for Information Technology and Engineering
Manonmaniam Sundaranar University, Tirunelveli - 627012

Tirunelveli – 627 012, India


NOVEMBER 2023

ARP Poisoning using Ettercap

Submitted in partial fulfillment of the


requirements for the mini project (III Semester) of
M.Sc in Cyber security
in the Centre for Information Technology and Engineering of the
Manonmaniam Sundaranar University

By

SRIRAM KUMAR A
(Reg. No: 20224012533117)

Approved By: _________________


(GUIDE)

Tirunelveli – 627 012, India


NOVEMBER 2023

CERTIFICATE

Certified that this report “ARP Poisoning using Ettercap”, submitted for the mini
project (III Semester) of Master of Science in Cyber Security, is the bonafide work of
Mr. SRIRAM KUMAR A (Reg. 20224012533117), Centre for Information
Technology and Engineering, Manonmaniam Sundaranar University, Tirunelveli, who
carried out the mini project under my supervision. Certified further that, to the best of
our knowledge, the work reported herein does not form part of any other mini project
on the basis of which a degree or award was conferred on an earlier occasion on this
or any other candidate.

GUIDE/ SUPERVISOR PROFESSOR AND HEAD

Submitted for viva-voce examination held on

INTERNAL EXAMINER(S) EXTERNAL EXAMINER(S)

DECLARATION

I hereby state that the thesis submitted for the degree of

MASTER OF SCIENCE

in

CYBER SECURITY

on

“ARP Poisoning using Ettercap”

is my original work and that it has not previously formed the basis for the award of
any Degree, Diploma, Associateship, Fellowship or any other similar title.

SRIRAM KUMAR A

ACKNOWLEDGEMENT

I wish to take this opportunity to express my gratitude to everyone who helped me
directly or indirectly to complete my mini project.

I thank God the Almighty for showering the blessings which helped me to
complete my mini project successfully.

It is with a deep sense of gratitude that I express my heartfelt thanks to
Dr. R. Balasubramanian, B.E. [Hons], M.E., Ph.D., Professor and Head i/c of the
Centre for Information Technology and Engineering, Manonmaniam Sundaranar
University, Tirunelveli.

I am extremely thankful to my guide Dr. P. Kumar, M.Sc., M.Tech., Ph.D.,
M.B.A., Associate Professor, Centre for Information Technology and Engineering,
Manonmaniam Sundaranar University, Tirunelveli, for timely suggestions and
encouragement, which paved the way for the successful completion of my mini
project work.

I thank all my Faculty members and Administrative Staff Members of the Centre
for Information Technology and Engineering for their timely instructions,
encouragement, advice and expert guidance in completing this mini project.

Finally, I acknowledge my indebtedness to all my Family Members and Friends,
whose overwhelming response helped me a lot to finish this mini project in a successful
manner, and for their kind hospitality extended to me during my research discussion visits.

SRIRAM KUMAR A

TABLE OF CONTENTS

CHAPTER I

1.1 INTRODUCTION

1.1.1 Overview
1.1.2 What is an ARP
1.1.3 How it works: The ARP Process & RARP
1.1.4 Types of ARP/RARP Protocol Messages
1.1.5 ARP and RARP message formats
1.1.6 TCP Standard Ports/Services

1.2 BACKGROUND

1.2.1 Address Resolution Protocol
1.2.2 ARP Cache Poisoning and Spoofing Attack
1.2.3 ARP Request Spoofing
1.2.4 ARP Reply Spoofing
1.2.5 The Anatomy of ARP Poisoning
1.2.6 Man-in-the-Middle (MITM)

CHAPTER II

2.1 LITERATURE SURVEY

2.2.1 Networking Basics
2.2.2 Data Link Layer
2.2.3 ARP Spoofing
2.2.4 ARP Port Stealing
2.2.5 Network Layer

CHAPTER III

3.1 EXISTING SYSTEM

3.1.1 Methodology
3.1.2 Environment
3.1.3 Systems & Tools
3.1.4 ARP Spoofing
3.1.5 Filtering

CHAPTER IV

4.1 PROPOSED SYSTEM

4.1.1 Environment Setup
4.1.2 What is ARP Cache Poisoning?
4.1.3 What is Ettercap?

CHAPTER V

Experimental Result

CHAPTER VI

FUTURE ENHANCEMENT
CONCLUSION
REFERENCE

LIST OF FIGURES

1.1 MITM attack technique
1.2 TCP/IP Architectural Model
1.3 ARP: Address Resolution Protocol
1.4 ARP Request
1.5 ARP Reply
1.6 ARP Request and Reply Messages
1.7 ARP and RARP Packet Structure
1.8 TCP Standard Ports/Services
1.9 Address Resolution Protocol
1.10 ARP Spoofing Attack
1.11 ARP Request Spoofing
1.12 ARP Reply Spoofing
2.1 The Open System Interconnection Model
2.2 ARP Role
3.1 Test Environment Topology
3.2 Example hosts lists
3.3 Spoofing Attack
4.1 Host Machine & Attacker Machine (Gateway)
5.1 Open the VMware Workstation
5.2 Open the Kali Linux & Win7 in VMware
5.3 Check the “IP Address”
5.4 Check the ARP
5.5 Set the Routing Command
5.6 Open the Ettercap in Terminal
5.7 Scan the host list
5.8 Set the target1 and target2
5.9 MITM Plugin the ARP Poisoning
5.10 Select the Sniff Option
5.11 ARP Poisoning victims
5.12 Monitoring HTTP Packets
6.1 Open the Win7 machine search the Browse
6.2 Testing Website Page
6.3 Open the Wireshark tools
6.4 Analysis packet in search the “ip addr”
6.5 View follow HTTP Stream
6.6 Get the username & password

ABSTRACT

This project provides a review and analysis of open source sniffing and ARP cache
poisoning using the Ettercap tool. Ettercap uses the insecure ARP protocol to conduct
man-in-the-middle attacks on one or more targets by poisoning their ARP cache. This
feature enables it to sniff passwords, instant messages, e-mails and much more on a
switched local area network.

The main objective of this mini project is to warn administrators of packet sniffing
methods on switched networks so they can be prepared against such tools. This project
discusses Ettercap, its basic functionality and the plug-ins that perform specific
functions, and finally solutions to mitigate the risks presented.

In today’s interconnected world, network security is of paramount importance.
However, the pervasive use of ARP (Address Resolution Protocol) in local area
networks creates vulnerabilities that can be exploited by attackers. This project sets
out to comprehensively address the issue of ARP poisoning by leveraging the power of
the Ettercap tool.

CHAPTER I

INTRODUCTION

1.1 Introduction

1.1.1 Overview

The Internet has emerged as a fundamental aspect of daily life. By January
2022, the number of Internet users amounted to 4.88 billion internationally, equating
to almost 62% of the global population. This number continues to grow, with almost
257 million new Internet users being added last year; over 700,000 unique users are
added daily. The majority of people use it for communication and information
exchange. Therefore, security is deemed a foremost concern for computer networks and
their applications, requiring action to be initiated in order to safeguard networks and
services against illegal activity. Through such malicious attacks, computer systems
and technology-dependent businesses are targeted. These assaults primarily involve
the computer code twitch, the modification or deletion of data on computer systems,
as well as other forms of illegal access. The most prevalent of these types of attacks
are cyber-attacks, Man-in-the-middle (MITM), social engineering, replay, as well as
denial of service (DoS) attacks. An MITM attack is a cyber-attack through which the
attacker intercepts a two-party conversation, mirrors both parties and has access to
information provided by both parties. Whenever an MITM attack occurs, a malicious
client places his computer in the path of two communicators’ transmissions. To
ensure that the communication appears unbroken, the unethical client’s computer
passes traffic between the unsuspecting clients, as presented in Figure 1.1.

Figure 1.1 MITM Attack Technique

MITM attacks enable eavesdropping between people, clients and servers. This
may include HTTPS connections to websites, other SSL/TLS connections, Wi-Fi
connections and more. When replay attacks are used, hackers do not necessarily need
to decrypt them. The attack network’s security is similar to standard data
transmission. A DoS attack involves blocking legitimate users’ access to a network or
web resource. Typically, this is performed by flooding the target (usually a web
server) with traffic, or by sending malicious requests causing the target resource to
break down or become completely unreachable.
1.1.2 What is an ARP:
The Address Resolution Protocol (ARP) [4] is used by computers to map
network addresses (IP) to physical addresses, usually referred to as Media Access
Control (MAC) addresses.

It translates IP addresses to Ethernet MAC addresses and is classified as a
networking protocol used to find a host’s address given its IP address. Some network
experts consider it a Data Link Layer protocol because it only operates on the local
area network or point-to-point link that a host is connected to [5]. The Address
Resolution Protocol (ARP) is documented in RFC 826 [1] and was later adopted by
other media, such as FDDI [6]. For more details about the Internet Protocol Suite, see
appendix [1].

1.1.2 How it works: The Arp Process & RARP

As stated earlier, from an architecture perspective ARP is a layer 3 (Network)
function; however, from a programming perspective ARP is considered layer 2
(Data Link) because it calls the LAN data link layer code. RARP stands for
Reverse Address Resolution Protocol. It is a network protocol used to resolve a
MAC address to the corresponding network layer address, i.e. RARP maps a
MAC address to an IP address, exactly the reverse function of the ARP request/reply.

Figure 1.2 below shows the location of ARP in the TCP/IP Architectural
Model [7]:

Figure 1.2: TCP/IP Architectural Model

1.1.3 Types of ARP/RARP Protocol Messages:

There are four types of ARP messages that are sent by the ARP protocol:
a. ARP request
b. ARP reply
c. RARP request
d. RARP reply
As stated in the definition, ARP is used to map a network address (IP) to a
physical address (MAC): when a host needs to communicate with another host, it
needs to know that host's MAC address. ARP works by broadcasting a packet
(ARP request) to all hosts connected to the Ethernet network. The ARP packet
contains the IP address of the sender and the IP address of the target it is interested
in communicating with. See Figure 1.3 and Figure 1.4:

Figure 1.3 ARP: Address Resolution Protocol

Figure 1.4 ARP Request

The target host, identifying that the IP address in the ARP request packet
belongs to itself, returns an answer in a unicast reply (ARP reply). The host which
initiated the ARP request catches the [IP, MAC] pair and keeps it in ARP cache
memory. Keeping the host reply in the cache minimizes the ARP traffic in the LAN.
See Figure 1.5:

Figure 1.5 ARP Reply

So, simply put, when the ARP request is broadcast to all PCs on the network, it asks the
following question:
- Is x.x.x.x your IP address? If yes, send back your MAC address.
Then every PC checks whether its IP address matches the one in the ARP request,
and the PC that matches sends an ARP reply with its MAC address.

But repeated ARP requests, especially when one is broadcast every time a
MAC address is required, create high traffic in the network. Hence operating
systems keep a copy of the ARP replies in the computer's cache memory and
update it frequently with any new <IP, MAC> pair, which helps reduce the number of
ARP requests [9]. The ARP spoofing technique, which we are going to talk about in
the next chapter, occurs when a forged ARP reply <IP destination, MAC attacker> is
created and sent to the source computer that initiated the ARP request, which then
updates its ARP cache with the fake information. As we will see later, this kind of
exploitation is called "poisoning the ARP cache".

Afterward, the IP address, which consists of 32 bits, is converted to a 48-bit
Ethernet address by the suitable encapsulation mechanism. This is the common
practice for the Address Resolution Protocol (ARP), which is documented in RFC
826. ARP can be defined as an exchange process between the network layers on
Ethernet networks. This process maps the IP address to the “Link Layer” address
whenever required. The Data Link Layer address is considered to be a hardware
address (although this is debatable) on Ethernet cards, whereas an IP address is
considered a logical address which can be assigned to any device connected to an
Ethernet network. Data Link Layer addresses are known by some other names:
• Ethernet Address
• Media Access Control (MAC) Address, and
• Hardware Address

However, the most accurate expression, adopted on the kernel side, is
"Link-Layer-Address", since it can be changed by some tools.

Figure 1.6 ARP request and reply messages

1.1.4 ARP and RARP message formats:

The ARP packet consists of an Ethernet header and a data packet. The
Ethernet header is divided into:

• 6 bytes for the destination address
• 6 bytes for the source address
• 2 bytes for the frame type in hexadecimal (e.g. 0806 for ARP and 8035 for RARP)

The data packet of the ARP packet is encapsulated in this frame, and the
information that each part holds is shown in the following table:

Figure 1.7 ARP and RARP Packet Structure

• Hardware address type (2 bytes). 1 = Ethernet
• Protocol address type (2 bytes). 0800H (hexadecimal) = IP address
• Operation type: 1 = ARP request, 2 = ARP reply, 3 = RARP request,
  4 = RARP reply.

1.1.5 TCP Standard Ports/Services

The table below shows a list of services and ports used by the TCP protocol:

Figure 1.8 TCP Ports and Services

The simulated attack and detection have been performed on VMware
Workstation, in a Kali Linux and Windows 7 environment.

1.2 BACKGROUND

1.2.1 Address Resolution Protocol


The goal of the Address Resolution Protocol (ARP), one of the main protocols in
the TCP/IP family, is to map an IPv4 address to a physical address. To communicate
with another device, network applications use IPv4 addresses in the application layer.
The goal of ARP is to determine the MAC address of the device in your local area
network (LAN) that holds the IPv4 address the network application is trying to
interact with. To send a data frame across a LAN, the sender must know the
receiver's MAC address. The ARP protocol is based on two types of messages,
namely ARP request and ARP reply. The target host’s MAC address is included in the
ARP request, with the MAC address linked with that IP address visible in
the ARP reply.

Figure 1.9 Address Resolution Protocol.


For example, the source device uses ARP cache to determine whether it
already knows the resolved MAC Address of the destination device while
communicating with another device. For communication, it will utilise that MAC
address. The source machine generates an ARP request message with its data link
layer address (sender hardware address) and IPv4 address as the sender protocol
address if ARP resolution is unavailable in the local cache [18]. An ARP request
message is sent by the source to the local network, requesting a new IP address.
Because it is a broadcast, every device on the LAN receives the message. When a
source wants to communicate with another device, each device checks the target
device’s IPv4 address against its own (IPv4 address). Those not matching will have
the packet discarded. If the Target Protocol Address matches, the targeted device will
send an Address Resolution Protocol (ARP) reply message. The data for the targeted
hardware address and targeted protocol address is received from the ARP request
message and utilised in the reply message. The destination device’s ARP cache will
be modified, given that it will shortly need to access the sender machine. A unicast is
used, rather than a broadcast, to send an ARP reply message to the target device.

1.2.2 ARP Cache Poisoning and Spoofing Attack
The principal objective of ARP spoofing is to exploit any ARP protocol
authentication vulnerabilities, through sending spoofed ARP messages to the LAN. In
the majority of instances, the idea underpinning the attack is to connect the attacker’s
host MAC address to the target host’s IP address, resulting in any communication sent
for the target host instead being rerouted to the attacker’s host. To evade detection, the
attacker may snoop on packets while forwarding traffic to the real default destination,
or amend the contents prior to forwarding it (an MITM attack).

Figure 1.10 ARP Spoofing Attack

A DoS attack may be performed by dropping some or all of the packets on the
network. ARP spoofing is used to capture bandwidth by preventing the
communication of all other devices. Protocols such as ARP are stateless. If a network
host receives an ARP reply without having requested it, the network host will
automatically cache the response.

1.2.3 ARP Request Spoofing


This spoofing approach is better comprehended by using an example MITM
attack. In this case, the attacker deceives both the victim and the gateway. The
attacker sends the victim an ARP request packet. To mislead the victim, this ARP
request. The victim believes that the ARP request packet’s sender was the gateway,
meaning that it stores the information from the ARP request packet in its own ARP
cache table; similarly, the gateway is spoofed. All gateway-victim traffic is forwarded
to the attacker due to the poisoning. Subsequently, the perpetrator creates a path
between them.

Figure 1.11 ARP Request Spoofing

1.2.4 ARP reply spoofing


ARP reply packet spoofing is identical to ARP request spoofing. The ARP
packet type is the sole aspect that differs. Despite the victim having never asked for it,
the attacker directly sends an ARP reply. In such cases, the intrusion may be swiftly
detected, because it is unusual for a host to receive an ARP reply without issuing an
ARP request. Figure 1.12 shows how an ARP spoofing attack is performed.

Figure 1.12 ARP Reply Spoofing

1.2.5 The Anatomy of ARP Poisoning
ARP poisoning is one of the most straightforward existing attacks to carry out,
and is not at all sophisticated.
Very briefly, the adversary only needs to craft malicious packets and unleash
them into the network. The crafted packet can be either an ARP reply or request, as
both trigger changes in the ARP cache. The protocol address length fields are left
untouched, and the only tampering is with the addresses. When targeting one device,
the destination protocol and MAC addresses are legitimate, the sender protocol
address is that of the device the attacker aims to spoof, and the source MAC address
is the adversary’s own.
Upon receiving the malicious ARP packet, the victim’s ARP cache is updated,
and the specific entry with the source IP (e.g., 192.168.1.1) is now rewritten, so that
the network address is associated with the adversary’s MAC. From this point,
all the communication intended for 192.168.1.1 goes to the attacker. To keep this
“poisonous” cache entry alive, the attacker keeps sending malicious
ARP packets periodically. After poisoning the victim, the adversary can decide what
to do next.
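
The frame layout from section 1.1.4 and the cache behaviour described in sections 1.2.2 to 1.2.5 can be checked passively on a monitoring host. The following Python code is an added example, not part of the original report and not Ettercap code: it decodes Ethernet/ARP frames and flags replies nobody asked for, an IP whose MAC changes, and frames whose Ethernet source differs from the ARP sender hardware address (a consistency check that goes beyond what the report describes). All MAC addresses, the host IP and every function and class name are constructed for the illustration.

```python
import struct
from collections import namedtuple

ETHERTYPE_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2
Arp = namedtuple("Arp", "eth_dst eth_src op sha spa tha tpa")

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Decode an Ethernet frame carrying IPv4-over-Ethernet ARP, else return None."""
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP body
        return None
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (OP_REQUEST, OP_REPLY):
        return None                          # only Ethernet/IPv4 request and reply are handled
    return Arp(_mac(dst), _mac(src), op, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))

class ArpMonitor:
    """Passive monitor: remembers the first MAC seen per IP and the open requests."""

    def __init__(self, reply_window=2.0):
        self.bindings = {}        # sender IP -> first MAC observed for it
        self.pending = {}         # (requester IP, requested IP) -> time the request was seen
        self.reply_window = reply_window

    def observe(self, ts, frame):
        """Return the list of alert names raised by one captured frame."""
        p = parse_arp(frame)
        if p is None:
            return []
        alerts = []
        if p.eth_src != p.sha:               # header and ARP payload disagree
            alerts.append("ETH_SRC_MISMATCH")
        if p.op == OP_REQUEST:
            self.pending[(p.spa, p.tpa)] = ts
        else:
            asked = self.pending.pop((p.tpa, p.spa), None)
            if asked is None or ts - asked > self.reply_window:
                alerts.append("UNSOLICITED_REPLY")
        if p.spa != "0.0.0.0":               # ARP probes carry no sender IP to bind
            # Requests and replies both update caches, so both are checked.
            # The first binding is kept, so repeated poisoning keeps alerting.
            known = self.bindings.setdefault(p.spa, p.sha)
            if known != p.sha:
                alerts.append("BINDING_CHANGED")
        return alerts

def sample_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Pack a constructed sample frame for the offline demo (nothing is transmitted)."""
    def m(s):
        return bytes.fromhex(s.replace(":", ""))
    def i(s):
        return bytes(int(o) for o in s.split("."))
    fixed = struct.pack("!HHHBBH", ETHERTYPE_ARP, 1, 0x0800, 6, 4, op)
    return m(eth_dst) + m(eth_src) + fixed + m(sha) + i(spa) + m(tha) + i(tpa)

# Constructed addresses; 192.168.1.1 is the example IP used in the text above.
GW_IP, GW_MAC = "192.168.1.1", "02:00:00:00:00:01"
HOST_IP, HOST_MAC = "192.168.1.10", "02:00:00:00:00:0a"
ROGUE_MAC = "02:00:00:00:00:66"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

SAMPLE_CAPTURE = [  # (timestamp in seconds, frame bytes), constructed
    (0.0, sample_frame(BCAST, HOST_MAC, OP_REQUEST, HOST_MAC, HOST_IP, ZERO, GW_IP)),
    (0.1, sample_frame(HOST_MAC, GW_MAC, OP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP)),
    (5.0, sample_frame(HOST_MAC, ROGUE_MAC, OP_REPLY, ROGUE_MAC, GW_IP, HOST_MAC, HOST_IP)),
    (6.0, sample_frame(HOST_MAC, ROGUE_MAC, OP_REQUEST, ROGUE_MAC, GW_IP, ZERO, HOST_IP)),
    (7.0, sample_frame(HOST_MAC, ROGUE_MAC, OP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP)),
]

def run_demo():
    mon = ArpMonitor()
    return [mon.observe(ts, frame) for ts, frame in SAMPLE_CAPTURE]

if __name__ == "__main__":
    for (ts, _), alerts in zip(SAMPLE_CAPTURE, run_demo()):
        print(f"t={ts:>4}: {alerts or 'ok'}")
```

The genuine request and reply pass silently, while the forged reply and forged request for 192.168.1.1 are both reported, matching the statement above that either message type rewrites the cache.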

1.2.6 Man in the Middle (MITM)


This is the most ambitious and hazardous of the attacks using ARP poisoning. It is
similar to sniffing; however, it involves active participation. The attacker may now
tamper with the packets passing through, steal authentication tokens and change
messages. MITM opens new doors for the adversary: they can manipulate
DNS (Domain Name System) to redirect the victim to a malicious server hosting
malware or a false webpage, tamper with DHCP (Dynamic Host Configuration
Protocol) resulting in address conflicts, and much more.

CHAPTER II
LITERATURE REVIEW

The “Man-in-The-Middle” expression appeared around 1994 (Computer
Fraud & Security Bulletin, May 1994, cited by Eriksson, M., [no date] [1]). However,
the underlying issues had already been analysed long before (Lamport,
L., 1981 [2]). These attacks are still widely used, as they are well referenced and
technically easy to perform. They also rely on behaviour that is part of the standards,
so there is no need for an attacker to install malware or perform direct exploitation;
most of all, they can be used in massive attacks, as they can be launched on big
infrastructures (Trummer, T., Dalvi, T., 2015 [3]).
In the past few years, MITM attacks have been appearing in the news related to
computer security and intelligence agencies; the American National Security Agency
has been reported impersonating google.com to perform one of its missions
(Masnick, M., 2013 [4]). More recently, security researchers and companies alerted
the media that they had found MITM attacks targeting entire countries or companies
(Pilosov, A., Kapela, T., 2008 [5]), sometimes with stolen certificates to avoid alerts
being raised.
Attacks can be “live”, when the attacker has to keep poisoning the network to
keep the attack running. They can also target the different caches. In order to save
bandwidth and decrease latency, systems often use a cache. Introducing wrong values
there will leave the network under attack for as long as the cache data remains in the
victim system. If the poisoned cache belongs to a server delivering data to
multiple users, the attack is even more powerful and dangerous, as the number of
victims grows with the number of users (Schuba, C., August 1993 [6]).
The work of (Courtois, T., N., 2011 [7]) highlights two types of MITM
attacks: active ones, which require a change in how the network operates,
such as giving fake answers to the other systems, and passive ones, which do not
require any change on the network: packets are read without any modification
being made.

2.2.1 Networking Basics

The Open Systems Interconnection (OSI) model provides abstraction
layers for the network protocols. The layers are presented in Figure 2.1 below. Each
layer provides an abstraction of the underlying layers to the layers above. Hx
represents the corresponding layer's header added by the protocol in use.

Figure 2.1 The Open Systems Interconnection Model (C. Servin, 2003 [8])

The Data Link layer provides an extra field called the Frame Check
Sequence (FCS), used to correct errors and control the transmission. This model
provides standards for the interactions and roles of the different protocols (Servin, C.,
2003 [8]). The result is a modular network, where each protocol can be swapped
for another one of the same layer. The physical layer is perhaps the easiest to
understand, as Wi-Fi, Ethernet, or fiber are real objects. In this model, if an attacker
compromises layer 2, all the layers above are compromised as well. Protocols using
encryption to provide security will be exposed to advanced attacks, as the attacker
will not see clear data without further exploitation. Attack vectors have been
presented by different security researchers and security companies. The presentation
by (Ornaghi, A., Valleri, M., 2003 [9]) gives an interesting understanding of the range
and possibilities of the different attacks. Based on the targeted mechanism, the
communications can be intercepted in different ways: the attacks based on layer 2
target the intra-network links, and can perform their activities directly on the Local
Area Network (LAN).

Attacks target 3 layers of the network, as they are presented in the OSI model.
The Data link layer, the Network one, and finally the Application one as well
(Ornaghi, A., Valleri, M., 2002 [9]). This is explained because of their use and role,
presented in the following parts of the document.

2.2.2 Data Link Layer (2)


In order to perform communication, a network has to be aware of its
environment. In an IPv4 installation, hardware (Media Access Control, MAC)
addresses manage communications on the LAN itself; logical (Internet Protocol, IP)
addresses need to be routed (leaving the LAN) or resolved (destination on the LAN,
requires the corresponding MAC), as well as domain names (Servin, C., 2003 [8]).
As layer 2 packets cannot be routed between networks because they do not comply
with layer 3 requirements, a layer 2 attack has to originate from the same subnetwork
as the victim(s). However, a range of attacks target key protocols.

2.2.3 ARP Spoofing


Typically, it is the most used method to launch a MITM attack (Nayak, G.,
N., Samaddar, S., G., 2010 [10]). As documented by Whalen, S., Engle, S., Romeo,
D. (2001 [11]), this attack changes the correspondence between a MAC address and
its legitimate associated IP. Figure 2.2 highlights the interactions between the
different mechanisms. To send data to a host on the LAN, the system first has to
request the MAC address corresponding to the destination. The system concerned
answers the request. Once the host has the IP and the MAC, the packet is sent.
Forged ARP packets, containing the MAC address of the attacker as the destination
for the requested IP, manipulate the victim system into sending all data directly to
the compromised host (Defta, L., 2010 [12]). To avoid repeating the operation every
time, the host saves the MAC in a table for future use, for as long as the entry's age
allows it. If the MAC address is the attacker's, the attack lives longer than the
forgery itself: the host is poisoned.

Figure 2.2. ARP role (Whalen, S., Engle, S., Romeo, D.,
2001 [11])

To mitigate this risk, various studies propose a better protocol or add security
to the existing one. The forgery of ARP packets can be easily detected using a
specialized tool such as arpwatch or arpalert. To prevent it, however, several options
exist: the table can be static, with entries defined manually, which is neither easy nor
possible in all architectures; a different protocol implementing security can be used
as an alternative (S-ARP, Papaloe, G., 2008 [13]); or switches can use Dynamic ARP
Inspection (DAI). DAI allows the switch to compare all ARP packets against a table
of trusted hosts (Cisco, 2010 [14]). It is used with DHCP snooping, so it can be
implemented in a dynamic architecture. Access Control Lists (ACLs) can also be used
for static entries. However, DAI is implemented on the switch, and will therefore
protect only the current broadcast domain (Cisco, 2010 [14]).
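The DAI comparison described above, modelled as an added example (it is not code from this report or from Cisco). The binding table, port names, MAC addresses and the sender-MAC consistency check are assumptions of this model; the ARP payloads are constructed inline.

```python
import struct
from ipaddress import IPv4Address

# Constructed binding table, as DHCP snooping would build it:
# (vlan, ip) -> (mac, access port). All values are sample data.
BINDINGS = {
    (1, "192.168.1.100"): ("02:00:00:00:00:0a", "f1/1"),
    (1, "192.168.1.101"): ("02:00:00:00:00:0b", "f1/2"),
}
TRUSTED_PORTS = {"f1/0"}  # assumed uplink; ARP arriving here is not inspected


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_text(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a 28-byte Ethernet/IPv4 ARP payload (used only for sample input)."""
    return struct.pack(
        "!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
        mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
        mac_bytes(target_mac), IPv4Address(target_ip).packed,
    )


def parse_arp(payload: bytes) -> dict:
    """Decode the fixed ARP header and the four address fields."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    if oper not in (1, 2):
        raise ValueError("unknown ARP operation")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {
        "oper": oper,
        "sender_mac": mac_text(sha),
        "sender_ip": str(IPv4Address(spa)),
        "target_mac": mac_text(tha),
        "target_ip": str(IPv4Address(tpa)),
    }


def inspect(vlan, port, eth_src, payload):
    """Return (verdict, reason) for one ARP packet seen on a switch port."""
    if port in TRUSTED_PORTS:
        return ("forward", "trusted port")
    try:
        arp = parse_arp(payload)
    except ValueError as exc:
        return ("drop", f"malformed: {exc}")
    # Extra consistency check in this model: frame source vs. ARP sender.
    if arp["sender_mac"] != eth_src:
        return ("drop", "ARP sender MAC differs from Ethernet source")
    binding = BINDINGS.get((vlan, arp["sender_ip"]))
    if binding is None:
        return ("drop", "no binding for sender IP")
    bound_mac, bound_port = binding
    if bound_mac != arp["sender_mac"]:
        return ("drop", "sender MAC does not match binding")
    if bound_port != port:
        return ("drop", "binding belongs to another port")
    return ("forward", "matches binding")


if __name__ == "__main__":
    forged = build_arp(2, "02:00:00:00:00:0c", "192.168.1.101",
                       "02:00:00:00:00:0a", "192.168.1.100")
    print(inspect(1, "f1/3", "02:00:00:00:00:0c", forged))
```

Because the verdict depends only on the binding table and the ingress port, a reply that claims a bound IP with a different MAC is dropped before any host can cache it.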

2.2.4 ARP Port Stealing


ARP plays an important role in linking the different layers. Another attack
exploits the lack of security mechanisms in this protocol: ARP port stealing. The
attack is different in its target, as it aims at the switch itself (Lauerman, K.,
King, J., 2010 [15]).

The attack consists in forging ARP packets carrying non-existent addresses in
order to fill and overflow the switch's table (Bhaiji, Y., 2005 [16]). Once the
operation is successful (the size of the table varies between systems), the switch
starts behaving as a hub, allowing the attacker to receive all data (Nachreiner, C.,
2008 [17]).

Among the solutions, port security is a feature that can be enabled to apply
security restrictions on the switch. Two types of security mechanisms can be added
this way (Cisco, 2010 [18]). The first consists in setting the maximum number of
MAC addresses allowed per interface, preventing a host from flooding a huge number
of random addresses; the second sets a sticky secure MAC address on a port: as this
cannot be changed by the host, only previously learned addresses can be used. Both
will prevent the switch from filling the entire CAM with the fake MAC addresses
received (Cisco, 2010 [18]).
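The effect of the two port-security mechanisms on the CAM table, as an added model (not code from this report or from any switch vendor). The table size, port names and MAC addresses are constructed, and aging and port shutdown are not modelled.

```python
from collections import defaultdict


class Switch:
    """Toy model of MAC learning on a switch with a fixed-size CAM table."""

    def __init__(self, cam_capacity, max_per_port=None, sticky=None):
        self.cam = {}                     # mac -> port
        self.cam_capacity = cam_capacity
        self.max_per_port = max_per_port  # None means port security is off
        self.sticky = sticky or {}        # port -> MACs pinned to that port
        self.secure = defaultdict(set)    # port -> MACs counted against the limit
        self.violations = defaultdict(int)

    def learn(self, port, mac):
        """Process the source MAC of a frame received on `port`."""
        if port in self.sticky and mac not in self.sticky[port]:
            self.violations[port] += 1
            return "violation"            # frame dropped, nothing learned
        if self.cam.get(mac) == port:
            return "known"
        if self.max_per_port is not None and mac not in self.secure[port]:
            if len(self.secure[port]) >= self.max_per_port:
                self.violations[port] += 1
                return "violation"
            self.secure[port].add(mac)
        if mac not in self.cam and len(self.cam) >= self.cam_capacity:
            return "table-full"           # no room: address stays unknown
        self.cam[mac] = port
        return "learned"

    def egress(self, dst_mac):
        """Unknown unicast is flooded to every port, as a hub would do."""
        return self.cam.get(dst_mac, "flood")


HOST_A = ("f1/1", "02:00:00:00:00:0a")    # constructed sample hosts
HOST_B = ("f1/2", "02:00:00:00:00:0b")
NOISY_PORT = "f1/3"


def simulate(max_per_port=None, sticky=None, cam_capacity=8, bogus=100):
    """Replay the same traffic against a switch with the given protections."""
    sw = Switch(cam_capacity, max_per_port, sticky)
    sw.learn(*HOST_A)
    for i in range(bogus):                # constructed non-existent sources
        sw.learn(NOISY_PORT, f"02:ff:00:00:00:{i:02x}")
    sw.learn(*HOST_B)                     # B only talks after the burst
    return {
        "to_host_b": sw.egress(HOST_B[1]),
        "cam_entries": len(sw.cam),
        "violations": sw.violations[NOISY_PORT],
    }


if __name__ == "__main__":
    print("no port security :", simulate())
    print("maximum 2 per port:", simulate(max_per_port=2))
    print("sticky on f1/3    :", simulate(sticky={"f1/3": {"02:00:00:00:00:0c"}}))
```

The violation counter is also the detection signal: a port that exceeds its limit by dozens of addresses in one burst is the one to investigate.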

2.2.5 Network layer (3)


The Network layer has the ability to be routed. Attacks can therefore be
powerful and launched through a gateway (Ornaghi, A., Valleri, M., 2002 [9]). ICMP
provides messages on the network (Postel, J., 1981 [19]). In case of failure, a host
can be informed and resend data, or set a new gateway if it is informed of one. As a
consequence, messages can provide a huge amount of information to an attacker
(Arkin, O., Yarochkin, F., 2001 [20]). Above all, there is no security mechanism,
which allows packets to be forged to deceive the hosts. As the Network layer provides
inter-network routing, a range of protocols is used to dynamically manage all links
and redundancy, as explained in the next point.

2.2.6 Route Mangling


The architecture of the Internet provides redundancy for the different
internetwork links. To avoid issues such as loops and to always provide the best
route, routes can be dynamically calculated and updated by the autonomous systems
(Odom, S., Nottingham, H., 2000 [21]).

The list is not exhaustive (Harris, J., 2002 [22]). However, due to constraints and
the scope of this project, only a few will be experimented with, covering the various
issues.

IGPs are considered as layer 3 protocols, as they operate between autonomous
systems. However, this can be subject to debate, as they can be seen as layer 7. For
the scope of this project, they are assumed to be layer 3 protocols, able to be routed,
but they do not interact with hosts.
Their misconfiguration can lead to the establishment of altered routes to
compromised hosts. As Lair, M. (2011 [23]) shows, the forgery of packets allows
the attacker to advertise routes passing through its own system.

Protocols that do not provide security, such as RIP version 1, are simply
considered obsolete (Malkin, G., 1994 [24]), and it is recommended to switch to a
more recent one.

2.2.7 ICMP Redirect


ICMP is short for Internet Control Message Protocol. The protocol is in
charge of providing information exchange between systems. It is used in pings,
traceroute, and other functionalities informing the user of the current state of
systems and links.
ICMP redirect is in charge of keeping the hosts using the best gateway
available, or of switching in case of failure. It is sent by bridges to inform the
hosts that a better gateway is available to communicate with a specific destination.
ICMP redirects (type 5) are sent by bridges exclusively: hosts should not send any.
When one is received, a new route is added in order for the host to make use of the
information (Brown, M., A., 2007 [25]).
ICMP redirects are composed of the gateway IP address, followed by an IP
datagram that defines the route to which the change applies (Xu W., 2008 [26]).
ICMP redirect messages have four codes that specify the class of datagrams the
change concerns (Almquist, P., 1992 [27]):

• 0 – redirection for the network
• 1 – redirection for the host
• 2 – for a type of service and network
• 3 – for a type of service and host
In the attack, the attacker forges ICMP redirect packets for the other hosts.
They will update their routing table to use the compromised system as the gateway
(Ornaghi, A., Valleri, M., 2002 [9]), therefore allowing the attack to succeed.

In order to address this critical issue, two options are available. Both involve
disabling ICMP redirect messages, either on the hosts or on the nodes of the network
(it can be individually disabled for specific interfaces). A secure implementation has
been developed for Linux, but does not seem to be effective against such an attack
(Ornaghi, A., Valleri, M., 2002 [9]).
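The redirect layout and codes listed above, parsed and checked the way a cautious host could, as an added example (not code from this report). The host addresses and the `accept_redirects` flag name are constructed for the model; the two acceptance checks follow the host requirements in RFC 1122, and the sample messages are built inline.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

CODES = {0: "network", 1: "host",
         2: "type of service and network", 3: "type of service and host"}


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_redirect(code, new_gateway, orig_src, orig_dst) -> bytes:
    """Construct a sample ICMP type 5 message (inner IP checksum left at 0)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                        IPv4Address(orig_src).packed,
                        IPv4Address(orig_dst).packed) + bytes(8)
    body = IPv4Address(new_gateway).packed + inner
    csum = inet_checksum(struct.pack("!BBH", 5, code, 0) + body)
    return struct.pack("!BBH", 5, code, csum) + body


def parse_redirect(icmp: bytes) -> dict:
    if len(icmp) < 8 + 20:
        raise ValueError("truncated redirect")
    icmp_type, code, _ = struct.unpack("!BBH", icmp[:4])
    if icmp_type != 5:
        raise ValueError("not an ICMP redirect")
    if code not in CODES:
        raise ValueError("unknown redirect code")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad checksum")
    inner = icmp[8:]
    if inner[0] >> 4 != 4:
        raise ValueError("embedded datagram is not IPv4")
    return {"code": code,
            "gateway": IPv4Address(icmp[4:8]),
            "orig_src": IPv4Address(inner[12:16]),
            "orig_dst": IPv4Address(inner[16:20])}


HOST = {  # constructed host configuration
    "ip": IPv4Address("192.168.1.100"),
    "network": IPv4Network("192.168.1.0/24"),
    "gateway": IPv4Address("192.168.1.1"),
    "accept_redirects": True,
}


def evaluate(icmp: bytes, sender: str, host: dict):
    """Return (decision, reason) for a redirect received from `sender`."""
    if not host["accept_redirects"]:
        return ("ignore", "redirects disabled on this host")
    try:
        msg = parse_redirect(icmp)
    except ValueError as exc:
        return ("ignore", str(exc))
    if IPv4Address(sender) != host["gateway"]:
        return ("ignore", "sender is not the current first-hop gateway")
    if msg["gateway"] not in host["network"]:
        return ("ignore", "new gateway is not on the local subnet")
    if msg["orig_src"] != host["ip"]:
        return ("ignore", "embedded datagram was not sent by this host")
    # The IP source address is not authenticated, so these checks cannot tell
    # a genuine gateway redirect from one that only carries its address.
    return ("accept", f"{CODES[msg['code']]} route to {msg['orig_dst']} "
                      f"via {msg['gateway']}")
```

Only the `accept_redirects` switch gives a decision that does not depend on fields the sender controls, which is why disabling redirects is the option recommended above.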

CHAPTER III

EXISTING SYSTEM

3.1.1 Methodology
Based on the time that was allocated, the author decided on a different order of
approach from that used in the literature. As the project had to respect deadlines,
vectors have been organized based on their role in the network, the functionalities
involved, and their presence / activation on systems by default. The possibilities and
interest they represent to an attacker have also been taken into consideration. Vectors
will be addressed in the following order: ARP-based, ICMP, DNS, DHCP, IGPs, STP,
IRDP, and finally the different advanced exploitations that can be conducted once
the MITM is in place in the victim network.
The process involved testing each vector and the corresponding defence(s).
Clear-text protocols are targeted first, represented by the use of FTP, as explained
in “Systems”. Advanced exploitation is approached next. This choice has been made
to address the project efficiently: MITM attacks do not let the attacker read or modify
encrypted data. However, encryption can be vulnerable to further exploitation, and
the defence it seems to provide has to be qualified.
The first step addresses the MITM itself, the different vectors, and the
defences that prevent them. Attacks are tested before the defence is implemented.
The second step addresses encryption and the defence it provides, through
protocols such as IPSEC or SSH. Risks and potential vulnerabilities are outlined in
order to raise awareness among users who decide to use this protection method.
Advanced exploits are used to demonstrate vulnerabilities and the possibilities or
risks of an eventual attack on privacy and security.

3.1.2 Environment
In order to perform experiments on a network, GNS3 and different
virtualization solutions are used, such as VirtualBox. A testing environment is set
up and running as shown in Figure 3.1.

Figure 3.1 Test Environment Topology

Virtualization provides a great solution at no financial cost. It can be
restored to an initial state after each experiment if needed. However, it comes at a
price: some experiments have highlighted limits in the systems available, and in the
architecture itself. While virtualization involves the use of a system image to run,
some equipment such as switches is not widely available, and old modules have to
be used (NM-16ESW for Ethernet switching), providing a good support but the code
has been modified to improve some issues (CAM table aging). Resources are also an
issue, as the system cannot keep up with an intense flood, for instance.

Four hosts are distributed between two networks. Systems noted Rx represent
the routers that simulate a remote environment. The equipment's IP address(es) are
summarized as follows:

Figure 3.2 Example hosts lists
All networks use the netmask 255.255.255.0 (/24) allowing up to 254 hosts.
The 3.0.0.0/24 network represents the link between the two routers, and is the third
network of our topology.

3.1.3 Systems & Tools


As seen above, the topology contains various systems and equipment. The
following addresses the reasons and possibilities for each system or piece of
equipment in use, as well as the tools used to perform the tasks as planned.
Systems
The server present on the LAN uses Ubuntu Server 15.04, a Linux distribution
based on Debian, but designed for servers. It already includes the different
packages needed to run multiple and specific servers (no graphical interface, games,
or other extra software). For the described use, a specific list of protocols has to be
implemented. The presence of the File Transfer Protocol (FTP) in the list is
justified by the way it operates. It is a widely used protocol, and allows for a
complete check-up regarding authentication limits, transfer issues and so on. As a
consequence, this application layer (7) protocol is used to perform the tests when
vectors target underlying layers. The full configuration is as follows:
• DHCP, using isc-dhcp-server, for dynamic addressing;
• FTP, based on vsftpd, for the non-encrypted protocol analysed;
• SSH, for the encrypted protocol exploited;
• DNS, with Bind (version >10), in order to analyse the protocol.

Regarding the different nodes on the network, their virtualization with GNS3
requires compatible systems. To that end, the equipment runs the c3725
Adventerprisek9mz 124-15. T14 binary image of the IOS system. The choice to use
Cisco equipment is based on the prior knowledge and practice of the author, and on
its market share of about 75% for network switches and 50% for routers
(http://www.trefis.com). As this project does not aim to provide all defences on all
existing systems, the scope is limited to the equipment in use.

As switches differ from bridges, their installation is the same as that of the other
nodes, but they include the old NM-16ESW module. The last task is to ensure the
f0/* interfaces are not used to connect with other systems, as switching operates
only on the interfaces above (f1/*).

The attacker machine runs Kali Linux 1.0.6, a distribution specialized for
penetration testing and other security-related work. It is extremely useful as it comes
with a huge number of packages and tools ready to perform a wide range of
experiments and tests on networks, systems and equipment.

Tools
The different tools are available on the Internet. They are explained in general
terms, but this is kept relatively short: the presentation focuses on their use in the
current project. The websites of the different projects provide information well
beyond our scope.

Ettercap

‹‹ Ettercap is a comprehensive suite for man in the middle attacks. ››. website:
https://ettercap.github.io/ettercap/

Ettercap will be used to perform ARP and DHCP spoofing, as well as the advanced
exploits, involving filtering. Ettercap provides a language to write filters making it
really handy and useful.

3.1.4 ARP Spoofing


ARP spoofing is carried out by packet forgery. The task is to give fake replies to
ARP requests, filling the victim's table with the attacker's MAC address.

The tool used on the attacker's system is Ettercap. This widely used software
provides a great toolbox for MITM attacks. A large number of plugins and filters
can be used with Ettercap, covering a lot of cases and situations. The following
command starts the ARP spoofing of connections (including remote ones) between all
hosts and destinations (leaving both empty selects all):

ettercap -T -M arp:remote // //

Monitoring tools used to protect the network do not provide an automatic
response: they only alert the network administrator to suspicious activity.
Implementing DAI directly on the switch allows us to define trusted ports and
protect the others in case of an attack. As a result, packets from the attacker are not
transmitted to the hosts, as they do not pass the DAI validation. They are dropped
and an error message is logged. DAI is enabled on the VLAN with:

ip arp inspection vlan 1

“VLAN 1” represents the default Virtual LAN (VLAN) for all the interfaces
on the switch. The trusted interface is configured as follows:

ip arp inspection trust

Figure.3.3 Spoofing Attack

3.1.5 Filtering
Filtering allows an attacker to identify packets and choose the preferred action
to perform when forwarding them. Filtering can defeat IPSEC and PPTP connection
establishment.
The script presented in Appendix 7 shows the filter used to defeat IPSEC
connection establishment. The two parties cannot exchange key material, as Ettercap
automatically drops any UDP packet from or addressed to port 500.
In order to use a filter, it has to be compiled and loaded into the software. The
compilation is done using the etterfilter tool. To load the filter in Ettercap, the MITM
attack can be initiated specifying the filter(s):

ettercap -T -q -F <filter_filename> -M ARP:remote // //

That command initiates a MITM attack using the “ARP Spoofing” method to
perform poisoning and uses the filter to forward packets and apply the required
changes.
Two outcomes are possible. First, the connection can be set to automatically
fall back to a weaker protocol such as PPTP because the host is unable to establish
the encrypted channel. In this case, the attacker will then be able to proceed with
exploits such as key manipulation or cipher downgrade. Above all, the user may
never notice the change and may think the communication is safe.

Second, the user's connection is not established at all. In that case, the attacker will
probably look deeper into its options, while the defender will try to figure out where
and/or why the packets are dropped.
As a defence, disabling the fallback to a weaker protocol is sufficient, but can
make it impossible to connect while the attacker drops the required packets.
This does not represent a data breach, but the MITM issue is still present.

CHAPTER IV

PROPOSED SYSTEM

4.1.1 Environment Setup


For setting up the environment for the project, the following tools and libraries are
needed:

• VMware Workstation: VMware Workstation is a hosted hypervisor
that runs on x64 versions of Windows and Linux operating systems.
Using VMware Workstation, users can set up virtual machines on a
single device. The virtual machines can then be used simultaneously
along with the actual physical machine.
• Kali Linux: Designed for digital forensics and penetration testing, Kali
Linux is a Debian-derived Linux distribution.
• Windows: The operating system for mainstream personal
computers and tablets. The latest version is Windows 11. The main
competitors of this family are macOS by Apple for personal
computers, and iPadOS and Android for tablets.
• Ettercap: This tool can be used for network analysis and security
auditing, and it runs on various operating systems, such as Linux,
BSD, Mac OS X and Windows. Ettercap can sniff network traffic,
capture passwords, etc.
• Wireshark: Wireshark is a packet sniffer and analysis tool. It captures
network traffic from Ethernet, Bluetooth, wireless (IEEE 802.11),
token ring, and frame relay connections, among others, and stores that
data for offline analysis.

Since ARP poisoning attacks can potentially change or disrupt the LAN
configuration of the system, the experiments were conducted in a controlled
environment using virtual machines.

Figure.4.1. Host Machine (Gateway) & Attacker Machine
(Gateway)

4.1.2 What is ARP Cache Poisoning?


The ARP cache on a host is vulnerable to false gratuitous ARP replies. It allows
an attacker to create and/or modify the victim's ARP cache entries. Since ARP is a
stateless protocol, every time a host gets an ARP reply from another host, it assumes
that at some point in the past it must have sent an ARP request and that the reply has
now arrived, so it accepts that ARP entry and places it in its ARP cache.

Because of this insecure nature of the ARP protocol, all traffic can be
redirected from the intended host to the unintended (attacker's) host. The process of
ARP cache poisoning goes as follows:
Host A        192.168.1.100    00-40-ab-0e-2c-b8
Host B        192.168.1.101    00-01-05-2a-1b-5a
Attacker X    192.168.1.102    00-55-02-2g-4b-6a

1. X wants to poison the ARP cache of A and B.
2. X sends an ARP reply to A that looks like this:
“I am B (192.168.1.101) and my Mac Address is 00-55-02-2g-4b-6a”.
3. X also sends an ARP reply to B that looks like this:
“I am A (192.168.1.102) and my Mac Address is 00-55-02-2g-4b-6a”.
4. A and B both accept this information and add it to their ARP Cache.
5. Now all communication between A and B will go to X, which
sniffs all traffic and then forwards it to the intended hosts.

This is also referred to as the “man in the middle attack”. An attacker can
also poison these hosts by sending them completely non-existent MAC addresses,
which stops them from communicating on the network and thus prevents them from
functioning properly as network clients. This type of attack is also referred to as a
DoS (Denial of Service) attack.
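Because ARP itself keeps no state, a passive monitor can keep it instead and flag the sequence in steps 1 to 5. The following is an added example (not code from this report or from arpwatch); the IP addresses follow the table above, while the MAC addresses, timestamps and reply window are constructed.

```python
from collections import defaultdict

REQUEST, REPLY = 1, 2
REPLY_WINDOW = 2.0  # seconds a request stays pending (assumed value)

MAC_A = "02:00:00:00:00:0a"  # constructed addresses for hosts A, B and X
MAC_B = "02:00:00:00:00:0b"
MAC_X = "02:00:00:00:00:0c"


class ArpMonitor:
    """Passive watcher that learns IP/MAC pairs from observed ARP traffic."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.pending = {}  # (asking_ip, asked_ip) -> time the request was seen

    def observe(self, ts, oper, sender_ip, sender_mac, target_ip):
        """Feed one ARP packet; return the list of alert names it triggers."""
        alerts = []
        if oper == REQUEST:
            self.pending[(sender_ip, target_ip)] = ts
        else:
            # A reply is solicited only if its target recently asked for it.
            asked_at = self.pending.pop((target_ip, sender_ip), None)
            if asked_at is None or ts - asked_at > REPLY_WINDOW:
                alerts.append("unsolicited-reply")
        known = self.ip_to_mac.get(sender_ip)
        if known is not None and known != sender_mac:
            alerts.append("binding-changed")
            self.mac_to_ips[known].discard(sender_ip)
        self.ip_to_mac[sender_ip] = sender_mac
        self.mac_to_ips[sender_mac].add(sender_ip)
        # One MAC answering for several IPs: expected for a proxy-ARP router,
        # suspicious for an ordinary host.
        if len(self.mac_to_ips[sender_mac]) > 1:
            alerts.append("mac-claims-multiple-ips")
        return alerts


# Constructed capture: (time, operation, sender IP, sender MAC, target IP).
EVENTS = [
    (0.0, REQUEST, "192.168.1.100", MAC_A, "192.168.1.101"),  # A asks for B
    (0.1, REPLY,   "192.168.1.101", MAC_B, "192.168.1.100"),  # B answers
    (5.0, REPLY,   "192.168.1.101", MAC_X, "192.168.1.100"),  # step 2
    (5.1, REPLY,   "192.168.1.100", MAC_X, "192.168.1.101"),  # step 3
]


def run(events):
    """Replay events and return (time, alert, claimed IP, claimed MAC) rows."""
    monitor = ArpMonitor()
    report = []
    for event in events:
        for alert in monitor.observe(*event):
            report.append((event[0], alert, event[2], event[3]))
    return report


if __name__ == "__main__":
    for row in run(EVENTS):
        print(row)
```

The normal request/reply pair raises nothing, while each poisoned reply raises at least two independent alerts, so the monitor does not depend on a single heuristic.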

4.1.3 What is Ettercap?


Ettercap is a very powerful packet sniffer and ARP cache poisoning tool for
Unix-based systems. It can perform MAC and IP based sniffing, intercept and modify
packets, decrypt passwords and launch a denial of service attack against other
Ethernet hosts.
Sniffing traffic on a hubbed network can be accomplished by any regular
packet sniffer such as Microsoft Network Monitor, Ethereal and tcpdump; however,
sniffing non-broadcast packets on switched networks can be accomplished via ARP
cache poisoning. Ettercap can perform the classic “man in the middle attack” by
sending fake ARP replies. Ettercap is capable of capturing/decoding ssh1, HTTP, FTP,
POP, SMTP and SSL passwords.

Ettercap General Options


Some of the most common options for running Ettercap are listed below; for more
options, type man ettercap.

• -z By giving Ettercap the -z option, it won't start an ARP broadcast at
startup. Many network-based Intrusion Detection Systems raise red
flags when an ARP broadcast such as the one shown above in the
screenshot is detected on the network.

• -b This option starts a broadcast ping at startup instead of an ARP
broadcast.

• -Z <n sec> A delay of n seconds when sending an ARP storm, to avoid
detection by IDS and smart switches. If given this option at startup,
Ettercap will wait n seconds before sending each ARP request.

• -D The delay in seconds between the ARP replies to a poisoned or
victim host, since different operating systems have different ARP
cache timeout values.

• -S This option is used to spoof the attacker's IP address when scanning
the network with ARP requests.

• -H This option, when given the arguments IP1; IP2; IP3, will only
send ARP requests to these three hosts. This is a less invasive method.

• -J This option takes as an argument the filename of the hosts list that
was created as a result of typing k during an interactive session, so
when an ARP request broadcast is not desired, Ettercap is launched
with the -j <filename> option.

• -k This option is used to save the current host list, which includes host
names, IPs and MAC addresses.

CHAPTER V

Experimental Works

Step 1. Open the VMWare Workstation

Figure 5.1. Open the VMware Workstation

Open VMware Workstation and set up the virtual machines with the Kali Linux and
Windows 7 operating systems. The attacking and monitoring machine is Kali Linux
and the target is the Windows 7 machine.

Step 2. Start the Win 7 & Kali Linux machines.

Figure 5.2. Open Kali Linux & Win 7 in VMware

Both operating systems run in VMware Workstation for basic usage.

Figure 5.3: Check the “IP address”

Figure 5.4: Check the Arp

Step 3. Set up Linux IP forwarding (routing): manually configure the server.

Figure 5.5 Set the routing command

Since ettercap disables Linux IP forwarding (routing) while it is running, you
need to enable it manually every time after using ettercap or you won't be able to
route to your Windows server. This is done by simply running.

Step 4. Click Open > Terminal and run “ettercap -G”

Figure 5.6 Open the Ettercap in Terminal

Step 5. Click Hosts > Scan for Hosts to run a quick scan and get a list of host
targets

Figure 5.7 Scan the host list

We can run a quick scan of different hosts acting as parties in network traffic.
Click Hosts > Scan for Hosts to run a quick scan and get a list of host targets. You
should see Ettercap populate a list of host IP and MAC addresses.

Figure 5.8: Set the target1 and target2.

Now that you have a list of hosts, find your target in the list and click on it.
(Or, if you want to attack every computer on the network, don't select any list item.)

Step 6. Click MITM > Arp Poisoning to select the Arp Poisoning attack.

Figure 5.9. MITM Plugin the ARP poisoning

This will print a message letting you know that the ARP Poisoning attack is
beginning. As interesting/juicy information shows up on the wire, Ettercap will
extract it and display it, just in case you don't capture it or find it with Wireshark.

Step 7. Select the Sniff remote connections.

Figure 5.10 Select the Sniff option

Make sure to check "sniff remote connections" before you start the attack.

Figure 5.11 ARP poisoning victims

Step 8. In the second terminal window, monitor HTTP packets.

Figure 5.12 Monitoring HTTP packets

In the second terminal window, you will be monitoring HTTP packets between the
LIN and WIN machines. Use the command:

tcpdump -n -i <iface> port 80 and host LIN

Experimental Result:
With the victim machine already under attack, any link the target machine opens
in the browser appears in the packet capture.

Step 1: Open the Win 7 machine in VMware Workstation and browse.

Figure 6.1 Open the Win 7 machine and search in the browser.
Step 2: Open the Acunetix web Vulnerability page.

Figure 6.2 Testing website page


As a test, browse some unencrypted websites on your Sheep computer.
Take a look at the Wireshark dumps. You should see a whole bunch of
GET requests and traffic between the target and the destination.

Step 3: Open the Wireshark in kali linux VMware workstation.

Figure 6.3 Open the Wireshark tools


Now fire up Wireshark so that we can do a packet capture of our MITM
session. Start a capture on the eth0 network interface (which is a network cable
connected to the router, the same router that the sheep is connected to).

Step 4: In the Wireshark top search bar, type “ip addr”

Figure 6.4 Analysis packet in search the “ip addr”

Once the packet capture has started, we can test out Wireshark's abilities to
sniff out regular traffic. By running an ARP Poisoning MITM, we are able to see all
traffic to the Sheep as though we were physically sitting at the same network port as
them.

Step 5: Select the IP address & protocol, right-click, open Follow, and view
Follow HTTP Stream.

Figure 6.5 View follow HTTP Stream

HTTP live streaming (HLS) is one of the most widely used video
streaming protocols. Although it is called HTTP "live" streaming, it is used for both
on-demand streaming and live streaming.

Step 6. The username and password are then obtained.

Figure 6.6 Get the username & password.

CHAPTER Ⅵ

FUTURE ENHANCEMENT

• Future enhancement for an ARP poisoning project using Ettercap could
involve expanding the project's scope, improving its capabilities or addressing
emerging security challenges.

• Integration with Threat Intelligence

• Automated Mitigation

• Red Team / Blue Team Exercise

• Blockchain-Based Network Security

• Mobile Application

• These enhancements can make the ARP poisoning project more robust,
educational and adaptable to the evolving threat landscape. The specific
direction of future development should align with the project's goals and the
needs of its users.

CONCLUSION

ARP spoofing and poisoning is a threat that can take network
administrators by surprise if they are not aware of ARP cache poisoning and
unprepared to detect unauthorized activity on their network. Tools like Ettercap can
be launched on a network without detection if the attacker is smart enough to run
them silently. Once the attacker has a list of IP to MAC addresses, there is nothing to
stop them from sniffing passwords, sensitive information, corporate secrets, instant
messages, e-mails and any or all traffic that they want to sniff. A carefully executed
attack can go unnoticed for a long time.

REFERENCE

[1] Eriksson, M., [no date]. An Example of a Man-in-The Middle Attack Against
Server Authenticated SSL-sessions.

[2] Lamport, L., November 1981. Password Authentication with Insecure
Communication.

[3] Trummer, T., Dalvi, T., 2015. Mobile SSL Failures.

[4] Masnick, M., 2013. The NSA Is Running Man In The Middle Attacks Imitating
Google's Servers.

[5] Pilosov, A., Kapela, T., 2008. An Internet-Scale Man In The Middle Attack.

[6] Schuba, C., August 1993. Addressing Weaknesses in the Domain Name System
Protocol.

[7] Courtois, T., N., 2011. Basics of Network Security.

[8] Servin, C., 2003. Réseaux et télécoms : cours et exercices corrigés [French].

[9] Ornaghi, A., Valleri, M., 2002. Man in the middle attacks [Italian].

[10] Nayak, G., N., Samaddar, S., G., 2010. Different flavours of Man-in-The-Middle
attack, consequences and feasible solutions.

[11] Whalen, S., Engle, S., Romeo, D., 2001. An Introduction to ARP Spoofing.

[12] Defta, L., 2010. Network security attacks ARP poisoning case study.

[13] Papaloe, G., 2008. Improvements in physical intrusion detection on LAN
[Italian].

[14] Cisco, 2010. Configuring Dynamic ARP Inspection. In: Cisco. Cisco IOS
Software Configuration Guide, Release 12.2SX.

[15] Lauerman, K., King, J., 2010. MAC Address Overflow Attack and Mitigation
Techniques. Cisco.

[16] Bhaiji, Y., 2005. Layer 2 attacks & mitigation techniques. Cisco.

[17] Nachreiner, C., 2008. Anatomy of an ARP Poisoning Attack.

[18] Cisco, 2010. Configuring Port Security. In: Cisco. Cisco IOS Software
Configuration Guide, Release 12.2SX.

[19] Postel, J., 1981. Internet Control Message Protocol. RFC 792.

[20] Arkin, O., Yarochkin, F., 2001. ICMP based remote OS TCP/IP stack
fingerprinting techniques. Phrack Staff

[21] Odom, S., Nottingham, H., 2000. Cisco Switching Black Book.

[22] Harris, J., 2002. Cisco Network Security Little Black Book.

[23] Lair, M., 2011. OSPF: All your routes belongs to us…

[24] Malkin, G., 1994. RIP Version 2 Protocol Analysis. RFC 1721.

[25] Brown, M., A., 2007. Guide to IP layer network administration with Linux.

[26] Xu W., 2008. CSCE 515: Computer Network Programming.

[27] Almquist, P., 1992. Type of Service in the Internet Protocol Suite. RFC 1349.
