NS Ex No 7

Ex. No: 7
Perform an Experiment to Sniff Traffic using ARP Poisoning.

AIM
Perform an Experiment to Sniff Traffic using ARP Poisoning.

Description:

ARP is the acronym for Address Resolution Protocol. It is used to convert IP addresses to physical addresses (MAC addresses) on a switch. The host sends an ARP broadcast on the network, and the recipient computer responds with its physical address (MAC address). The resolved IP/MAC address pair is then used to communicate. ARP poisoning is sending fake MAC addresses to the switch so that it associates the fake MAC addresses with the IP address of a genuine computer on the network and hijacks the traffic.

ARP Poisoning Countermeasures

Static ARP entries: these can be defined in the local ARP cache, and the switch configured to ignore all automatic ARP reply packets. The disadvantage of this method is that it is difficult to maintain on large networks: the IP/MAC address mapping has to be distributed to all the computers on the network.

ARP poisoning detection software: these systems cross-check IP/MAC address resolutions and certify them if they are authenticated. Uncertified IP/MAC address resolutions can then be blocked.

Operating System Security: this measure depends on the operating system being used. The following are the basic techniques used by various operating systems.

• Linux based: these work by ignoring unsolicited ARP reply packets.

• Microsoft Windows: the ARP cache behavior can be configured via the registry. The following list includes some of the software that can be used to protect networks against sniffing:

  • AntiARP – provides protection against both passive and active sniffing

  • Agnitum Outpost Firewall – provides protection against passive sniffing

  • XArp – provides protection against both passive and active sniffing

• Mac OS: ArpGuard can be used to provide protection. It protects against both active and passive sniffing.
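The countermeasures above (static entries, detection software, ignoring unsolicited replies) can be expressed as one small check. The script below is an added example, not part of this lab sheet or of any product it names: it replays a constructed sequence of ARP packets against a table of trusted IP-to-MAC pairs (standing in for static ARP entries) and raises an alert for each poisoning indicator it sees. All addresses, MACs and packets are constructed sample data, and the `ArpPacket` record and `audit_arp` function are this example's own names.

```python
# Added example, not part of the original lab sheet: a minimal ARP-cache auditor that
# puts the countermeasures above into code. A table of trusted IP-to-MAC pairs plays
# the role of the static ARP entries, and every ARP reply seen is checked against it
# the way detection software would. All addresses and packets below are constructed
# sample data, not a real capture.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ArpPacket:
    op: str          # "request" or "reply"
    sender_ip: str   # IP the sender claims
    sender_mac: str  # MAC the sender claims for that IP
    target_ip: str   # IP being resolved (request) or host being answered (reply)


# Trusted mappings for the gateway and a server (constructed values).
STATIC_ENTRIES: Dict[str, str] = {
    "192.168.1.1": "aa:bb:cc:00:00:01",
    "192.168.1.10": "aa:bb:cc:00:00:10",
}

# Constructed sequence: a normal request/reply, then an unasked-for reply that
# claims the gateway's IP, then the same unknown MAC also answering for a host.
SAMPLE_PACKETS: List[ArpPacket] = [
    ArpPacket("request", "192.168.1.20", "aa:bb:cc:00:00:20", "192.168.1.10"),
    ArpPacket("reply", "192.168.1.10", "aa:bb:cc:00:00:10", "192.168.1.20"),
    ArpPacket("reply", "192.168.1.1", "ee:ee:ee:ee:ee:ee", "192.168.1.20"),
    ArpPacket("request", "192.168.1.10", "aa:bb:cc:00:00:10", "192.168.1.20"),
    ArpPacket("reply", "192.168.1.20", "ee:ee:ee:ee:ee:ee", "192.168.1.10"),
]


def audit_arp(packets: List[ArpPacket], static: Dict[str, str]) -> List[str]:
    """Replay ARP traffic against trusted entries; return alerts (empty means clean)."""
    alerts: List[str] = []
    cache: Dict[str, str] = dict(static)   # ip -> mac, seeded with the static entries
    pending: Set[str] = set()              # IPs that some host has asked to resolve
    claims: Dict[str, Set[str]] = {}       # mac -> IPs it has answered for
    for ip, mac in static.items():
        claims.setdefault(mac, set()).add(ip)

    for p in packets:
        if p.op == "request":
            pending.add(p.target_ip)
            continue
        if p.op != "reply":
            alerts.append(f"unknown ARP op {p.op!r} from {p.sender_ip}")
            continue

        # 1. A reply nobody asked for is how a poisoner pushes its mapping into a
        #    victim's cache; the Linux behaviour described above drops exactly these.
        if p.sender_ip in pending:
            pending.discard(p.sender_ip)
        else:
            alerts.append(f"unsolicited reply: {p.sender_ip} is-at {p.sender_mac}")

        # 2. One MAC answering for several IPs (e.g. the gateway and a host) is the
        #    footprint of a machine placing itself between them.
        ips = claims.setdefault(p.sender_mac, set())
        ips.add(p.sender_ip)
        if len(ips) > 1:
            alerts.append(f"{p.sender_mac} claims multiple IPs: {sorted(ips)}")

        # 3. A static entry is authoritative: a conflicting reply is reported and
        #    never learned into the cache.
        if p.sender_ip in static and static[p.sender_ip] != p.sender_mac:
            alerts.append(
                f"static entry conflict: {p.sender_ip} expected {static[p.sender_ip]}, "
                f"got {p.sender_mac}"
            )
            continue

        # 4. A learned mapping silently changing is the classic poisoning symptom.
        old = cache.get(p.sender_ip)
        if old is not None and old != p.sender_mac:
            alerts.append(f"mapping changed: {p.sender_ip} {old} -> {p.sender_mac}")
        cache[p.sender_ip] = p.sender_mac

    return alerts


if __name__ == "__main__":
    for line in audit_arp(SAMPLE_PACKETS, STATIC_ENTRIES):
        print("ALERT:", line)
```

Run on the sample sequence it produces three alerts (an unsolicited reply, a conflict with the gateway's static entry, and one MAC claiming two IPs); the first two packets alone produce none. The same checks map onto the real tools named above: static entries are what `arp -s` or `ip neigh ... nud permanent` install, and the change-of-mapping and multiple-IP rules are what ARP watchers alert on.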

Computers communicate using networks. These networks could be on a local area network (LAN) or exposed to the internet. Network sniffers are programs that capture low-level packet data that is transmitted over a network. An attacker can analyze this information to discover valuable information such as user IDs and passwords.

In this article, we will introduce you to common network sniffing techniques and tools used to sniff networks.

What is network sniffing?

Computers communicate by broadcasting messages on a network using IP addresses. Once a message has been sent on a network, the recipient computer with the matching IP address responds with its MAC address.

Network sniffing is the process of intercepting data packets sent over a network. This can be done by a specialized software program or hardware equipment. Sniffing can be used to:

• Capture sensitive data such as login credentials
• Eavesdrop on chat messages
• Capture files that have been transmitted over a network

The following are protocols that are vulnerable to sniffing:

• Telnet
• Rlogin
• HTTP
• SMTP
• NNTP
• POP
• FTP
• IMAP

The above protocols are vulnerable if login details are sent in plain text.

Passive and Active Sniffing

Before we look at passive and active sniffing, let's look at two major devices used to network computers: hubs and switches.

A hub works by sending broadcast messages to all output ports on it except the one that has sent the broadcast. The recipient computer responds to the broadcast message if the IP address matches. This means that when using a hub, all the computers on a network can see the broadcast message. It operates at the physical layer (layer 1) of the OSI model.

The diagram below illustrates how the hub works.

A switch works differently; it maps IP/MAC addresses to physical ports on it. Broadcast messages are sent to the physical ports that match the IP/MAC address configuration for the recipient computer. This means broadcast messages are only seen by the recipient computer. Switches operate at the data link layer (layer 2) and network layer (layer 3).

The diagram below illustrates how the switch works.

Passive sniffing is intercepting packets transmitted over a network that uses a hub. It is called passive sniffing because it is difficult to detect. It is also easy to perform, as the hub sends broadcast messages to all the computers on the network.

Active sniffing is intercepting packets transmitted over a network that uses a switch. There are two main methods used to sniff switched networks: ARP poisoning and MAC flooding.

Sniffing the network using Wireshark

The illustration below shows you the steps that you will carry out to complete this exercise without confusion.

Download Wireshark from this link: http://www.wireshark.org/download.html

• Open Wireshark
• You will get the following screen
• Select the network interface you want to sniff. Note that for this demonstration we are using a wireless network connection. If you are on a local area network, then you should select the local area network interface.
• Click on the Start button as shown above
• Open your web browser and type in http://www.techpanda.org/
• The login email is [email protected] and the password is Password2010
• Click on the Submit button
• A successful logon should give you the following dashboard
• Go back to Wireshark and stop the live capture
• Filter for HTTP protocol results only using the filter textbox
• Locate the Info column and look for entries with the HTTP verb POST and click on it
• Just below the log entries, there is a panel with a summary of captured data. Look for the summary that says Line-based text data: application/x-www-form-urlencoded
• You should be able to view the plaintext values of all the POST variables submitted to the server via the HTTP protocol.
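The last two steps work because an HTTP POST carries its form body as cleartext on the wire, which is exactly what the "Line-based text data" panel decodes. The script below is an added example, not part of this lab sheet or of Wireshark, that does the same decoding in code on a constructed request, in the form a defender would use it: an audit over captured requests that reports which logins on the network still travel without TLS and need fixing. It reports field names only, never their values, so the audit output is not a second copy of the credential. The host name, path, body, `parse_http_request` and `cleartext_credential_fields` are this example's own constructed names.

```python
# Added example, not part of the original lab sheet: decode the form fields of an HTTP
# POST the way the Wireshark panel above does, but as an audit that names the
# credential-looking fields a request sends in cleartext (and never echoes values).
# The request below is constructed sample data, not a real capture.
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Field names that usually carry a login identity or secret (heuristic; extend as needed).
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd", "email", "user", "username", "login"}

SAMPLE_BODY = b"email=user%40example.test&password=s3cret-sample"
SAMPLE_REQUEST = (
    b"POST /index.php HTTP/1.1\r\n"
    b"Host: login.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: %d\r\n"
    b"\r\n" % len(SAMPLE_BODY)
) + SAMPLE_BODY


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split one HTTP/1.x request into (method, path, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes from the next request are not parsed as form data.
    length = int(headers.get("content-length", len(body)))
    return method, path, headers, body[:length]


def cleartext_credential_fields(raw: bytes, scheme: str) -> List[str]:
    """Names of credential-looking form fields this request sends unencrypted.

    scheme is how the request was carried: "http" (cleartext) or "https" (inside TLS,
    where a sniffer sees only ciphertext, so nothing is reported).
    """
    if scheme != "http":
        return []
    method, _path, headers, body = parse_http_request(raw)
    if method != "POST":
        return []
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return []
    fields = parse_qs(body.decode("utf-8", errors="replace"), keep_blank_values=True)
    return sorted(name for name in fields if name.lower() in CREDENTIAL_FIELDS)


if __name__ == "__main__":
    print("cleartext credential fields:", cleartext_credential_fields(SAMPLE_REQUEST, "http"))
```

On the sample request the audit reports `email` and `password`; the same request carried over HTTPS reports nothing, which is the point of the exercise from the defender's side. The fix for a hit is on the server: serve the form and its action over HTTPS (and send HSTS), after which a capture shows only TLS records rather than a readable `application/x-www-form-urlencoded` body.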

Result:

Thus the experiment to sniff traffic using ARP poisoning was performed.
