
ARP and DNS Cache Poisoning


Goal of this Lab:

In this lab we will be:

1. Using netwag to perform ARP cache poisoning
2. Using SET to take advantage of ARP cache poisoning
3. Using Ettercap to perform DNS cache poisoning
4. Using SET to take advantage of DNS cache poisoning

Pre-requisites for this lab:

1. Kali Linux VM
2. Debian Linux VM as a Client
3. Debian Linux VM as a Server

Document title: ARP and DNS Cache Poisoning

Version: 1.2. Document created by Vuk Mutapovic & Pravesh Dahal
For any suggestions or issues regarding this document, please contact [email protected] or [email protected]

Understanding TCP/IP based Attacks

In this lab we will gain first-hand experience of TCP/IP vulnerabilities and of the attacks that exploit them.
Vulnerabilities in the TCP/IP protocol suite occur at several layers. In this lab we will be exploiting ARP, which is a
Layer 2 protocol, and DNS, which is a Layer 7 protocol.

Lab Environment Setup

To conduct this lab, we need 3 VMs connected to the same NAT network. The tools used in this lab are
Netwox/Netwag, Ettercap and SET.

[Figure: Lab environment. Server (10.0.2.8), Attacker/Kali (10.0.2.11), Client (10.0.2.15), all on the same NAT network.]

“Netwox is a toolbox for network administrators and network hackers. Netwox contains several tools using network
library netwib. Netwox was successfully installed under Linux, Windows, FreeBSD, OpenBSD and Solaris.”

Reference: http://ntwox.sourceforge.net/


Task 1: ARP cache poisoning

The ARP cache is an important part of the ARP protocol. Once a mapping between a MAC address and an IP address
is resolved as the result of executing the ARP protocol, the mapping will be cached. Therefore, there is no need to
repeat the ARP protocol if the mapping is already in the cache. However, because the ARP protocol is stateless, the
cache can be easily poisoned by maliciously crafted ARP messages. Such an attack is called the ARP cache poisoning
attack.

Attackers may use spoofed ARP messages to trick the victim into accepting an invalid MAC-to-IP mapping and storing
that mapping in its cache. The consequences vary with the motives of the attackers. For example, attackers can launch
a DoS attack against a victim by associating a non-existent MAC address with the IP address of the victim’s default
gateway; attackers can also redirect the traffic to and from the victim to another machine, etc.
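The two symptoms this attack leaves in the victim's ARP cache can be checked mechanically. The following script is an added example for this handout (it is not part of the original lab or of the netwox project): it parses the `arp -a` output format the lab inspects in Steps 2, 4 and 9 and flags (1) an IP whose MAC changed against a baseline snapshot and (2) one MAC that answers for several IPs. All sample lines, MAC addresses and the baseline/poisoned snapshots are constructed for the example; the IPs follow the lab diagram.

```python
"""Check ARP-cache snapshots for the two traces ARP cache poisoning leaves behind.

Added example, not part of the lab handout. It parses `arp -a` lines and flags:
  1. an IP whose MAC differs from a baseline snapshot (what Step 9 shows), and
  2. one MAC address claiming more than one IP in a single snapshot.
All sample lines below are constructed; the MACs are made up.
"""
import re
from collections import defaultdict

# Typical `arp -a` line on Debian:  ? (10.0.2.8) at 08:00:27:11:22:33 [ether] on eth0
ARP_LINE = re.compile(
    r"^\S+\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def parse_arp_table(text):
    """Return {ip: mac} for every resolved entry; <incomplete> entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def changed_mappings(baseline, current):
    """IPs whose MAC differs from the baseline, as sorted (ip, old_mac, new_mac) tuples."""
    return sorted(
        (ip, baseline[ip], mac)
        for ip, mac in current.items()
        if ip in baseline and baseline[ip] != mac
    )

def shared_macs(table):
    """MACs that answer for more than one IP, as {mac: [ip, ...]}."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def audit(baseline_text, current_text):
    """Run both checks on two `arp -a` captures and return the findings."""
    baseline = parse_arp_table(baseline_text)
    current = parse_arp_table(current_text)
    return {"changed": changed_mappings(baseline, current), "shared": shared_macs(current)}

# Constructed snapshots modelled on the lab addresses (server 10.0.2.8,
# attacker 10.0.2.11, gateway 10.0.2.1); the MACs are invented.
BASELINE_ARP = """\
? (10.0.2.8) at 08:00:27:aa:aa:08 [ether] on eth0
? (10.0.2.11) at 08:00:27:bb:bb:11 [ether] on eth0
? (10.0.2.1) at 52:54:00:12:35:00 [ether] on eth0
"""
POISONED_ARP = """\
? (10.0.2.8) at 08:00:27:bb:bb:11 [ether] on eth0
? (10.0.2.11) at 08:00:27:bb:bb:11 [ether] on eth0
? (10.0.2.1) at 52:54:00:12:35:00 [ether] on eth0
? (10.0.2.99) at <incomplete> on eth0
"""

if __name__ == "__main__":
    findings = audit(BASELINE_ARP, POISONED_ARP)
    for ip, old, new in findings["changed"]:
        print(f"ALERT: {ip} moved from {old} to {new}")
    for mac, ips in findings["shared"].items():
        print(f"ALERT: {mac} claims several IPs: {', '.join(ips)}")
```

Run it on the client with `arp -a > baseline.txt` taken before Step 7 and a second capture after Step 9, feeding both files to `audit()`; a static ARP entry for the server or gateway (`ip neigh add ... nud permanent`) is the usual mitigation once a change like this is confirmed.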

Step 1: Clear the existing ARP table of the client VM using the following command

sudo ip -s -s neigh flush all

Step 2: Verify the ARP table using the following command

sudo arp -a

Step 3: Verify connectivity between the client and the server using ping


Step 4: After verifying the connectivity, check the ARP table of the client.

sudo arp -a

You can see that the MAC address of the server has been mapped to the IP address of the server in the ARP cache.

Step 5: Run apache2 on the Server using the following command.

sudo service apache2 start

***********************************************************************************************
Student Task

Provide the screenshot of the command:

***********************************************************************************************


Step 6: Go to the client machine, open a browser and type the IP of the server.

Step 7: To perform ARP cache poisoning we will use netwag on the Attacker VM.
Start netwag:
sudo netwag

The GUI front end of netwox, called netwag, will open.


Step 8: Specify the IP of the server and run it.

Step 9: Verify the ARP cache of the Client machine.

You can see that the IP of the server has now been mapped to the MAC address of the Attacker machine. We have
successfully poisoned the ARP cache.

Step 10: Try to access the apache2 web page using the IP of the server.

***********************************************************************************************
Student Task

Provide the screenshot of the output and briefly explain the output.

***********************************************************************************************


Step 11: Run the following command to add a second IP address (the server's) to eth0 on the Attacker machine, so that the Attacker's own IP stack accepts the client's packets for the server's IP that now arrive at its MAC address

sudo ip addr add <IP of server>/24 dev eth0

***********************************************************************************************
Student Task

Provide screenshot of the interface eth0 with 2 IPs.

Hint: The command is not ifconfig.

***********************************************************************************************

Task 2: Using SET to take advantage of ARP cache poisoning

If you do not know how to run it, refer to the previous lab.

Hint: You might need to download and install SET.


Step 1: Use the following options once you run SET

• Social-Engineering Attacks
• Website Attack Vectors
• Credential Harvester Attack Method
• Web Templates
• Use the IP of the Attacker
• Use Google as the template

***********************************************************************************************
Student Task

Provide the screenshot of the final output.

***********************************************************************************************

Step 2: After successfully running SET, go to the Client’s browser and type the Server IP

***********************************************************************************************
Student Task

a) Briefly explain what you have noticed.


b) Provide screenshot.

***********************************************************************************************


Step 3: Provide the Email as Cyber and the Password as Security

Verify that you see similar output.

If yes, then congratulations: you have successfully redirected the web request that was intended for the server
to the attacker.
***********************************************************************************************
Student Task

Now try with the Email as your name and the Password as your learner number, and provide a screenshot below.

***********************************************************************************************


Task 3: DNS cache poisoning (DNS Spoofing)

“DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt
Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an
incorrect result record, e.g. an IP address. This results in traffic being diverted to the attacker's computer (or any
other computer).”

Reference: https://en.wikipedia.org/wiki/DNS_spoofing

***********************************************************************************************
Student Task

Briefly explain what DNS is.

***********************************************************************************************

“Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN. It can be used for
computer network protocol analysis and security auditing. It runs on various Unix-like operating systems including
Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows. It is capable of intercepting traffic on a network
segment, capturing passwords, and conducting active eavesdropping against a number of common protocols. Its
original developers later founded Hacking Team.”

Reference: https://en.wikipedia.org/wiki/Ettercap_(software)

Web: https://www.ettercap-project.org/

Step 1: Use the following command to edit etter.dns, the Ettercap DNS spoof configuration file

sudo nano /etc/ettercap/etter.dns


Step 2: Navigate to the end of the file and insert the following lines

*.google.co.in A <IP of Attacker>
mail.google.com A <IP of Attacker>
#*.google.com A <IP of Attacker>
google.com A <IP of Attacker>
#www.google.com PTR <IP of Attacker>
www.google.co.in PTR <IP of Attacker>
*.g00gle.com A <IP of Attacker>

Save and exit the file; by now you should be comfortable doing this.
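To see what these entries actually do, and how a defender would notice them, here is an added example (not part of the lab handout or of the Ettercap project). It parses the etter.dns syntax used in Step 2 (`name  type  value`, `#` comments, `*` wildcards), answers lookups with a glob match, which approximates Ettercap's own matching and is an assumption rather than its code, and finishes with the check a resolver monitor would run against the definition quoted at the start of Task 3: a public host name answered with a private (RFC 1918) address. The table below is a constructed copy of the lab's entries with 10.0.2.11 standing in for <IP of Attacker>; the names in the detection sample are constructed.

```python
"""Parse an etter.dns spoof table, answer queries against it, and flag spoofed-looking answers.

Added example, not part of the lab handout or of Ettercap. Glob matching here
approximates Ettercap's name matching (assumption). All data is constructed.
"""
import ipaddress
import re

# Constructed copy of the lab's Step 2 entries, with the attacker placeholder filled in.
ETTER_DNS = """\
# lines starting with # are ignored
*.google.co.in    A   10.0.2.11
mail.google.com   A   10.0.2.11
#*.google.com     A   10.0.2.11
google.com        A   10.0.2.11
#www.google.com   PTR 10.0.2.11
www.google.co.in  PTR 10.0.2.11
*.g00gle.com      A   10.0.2.11
"""

def parse_etter_dns(text):
    """Return a list of (name_pattern, record_type, value) for the active (uncommented) entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"unexpected etter.dns line: {raw!r}")
        name, rtype, value = parts
        entries.append((name.lower(), rtype.upper(), value))
    return entries

def _glob_to_regex(pattern):
    """Anchored regex for a name pattern where '*' matches any run of characters."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")

def lookup(entries, qname, rtype="A"):
    """Value of the first entry matching qname for the record type, or None if the
    table would not answer (the real resolver's reply would then go through)."""
    qname = qname.lower().rstrip(".")
    for name, entry_type, value in entries:
        if entry_type == rtype.upper() and _glob_to_regex(name).match(qname):
            return value
    return None

# Suffixes for which a private answer is expected on an internal network.
INTERNAL_SUFFIXES = (".local", ".lan", ".internal", ".home.arpa")

def suspicious_answers(observed):
    """From (qname, ip) pairs seen on the wire, return those where a name that does
    not look internal resolved to a private or loopback address."""
    hits = []
    for qname, ip in observed:
        addr = ipaddress.ip_address(ip)
        internal_name = qname.lower().endswith(INTERNAL_SUFFIXES)
        if (addr.is_private or addr.is_loopback) and not internal_name:
            hits.append((qname, ip))
    return hits

if __name__ == "__main__":
    table = parse_etter_dns(ETTER_DNS)
    for q in ("google.com", "www.google.com", "maps.google.co.in", "google.co.in", "docs.g00gle.com"):
        print(f"{q:20} A -> {lookup(table, q)}")
    seen = [("google.com", "10.0.2.11"), ("fileserver.lan", "10.0.2.8"), ("example.org", "93.184.216.34")]
    print("suspicious:", suspicious_answers(seen))
```

Two things worth noticing when you run it: a wildcard entry such as `*.google.co.in` matches `maps.google.co.in` but not the bare `google.co.in`, and a PTR entry never answers an A query, so the record type matters as much as the name. On the detection side, comparing answers from the local resolver with a second, authenticated source (DNSSEC validation or DNS over TLS to a known resolver) is the stronger control; the private-address heuristic is only a cheap first alarm.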

***********************************************************************************************
Student Task

What will happen if you uncomment the 3rd line?

***********************************************************************************************


Step 3: Clear the cache of Firefox (in the clear-history dialogue, select the time range Everything) and run Firefox in a private window.


Step 4: Run the Ettercap dns_spoof plugin using the following command.

sudo ettercap -i eth0 -T -M arp -P dns_spoof /<IP of Client>///

***********************************************************************************************
Student Task

Provide the screenshot of the command entered.

***********************************************************************************************

Task 4: Using SET to take advantage of DNS cache poisoning

Step 1: Use the browser of the Client machine and type the following

www.google.com

Enter the following:

Email: [email protected]

Password: Learner Number


***********************************************************************************************
Student Task

Provide the screenshot of the terminal running SET with the credentials captured.

***********************************************************************************************


***********************************************************************************************

Challenge

Use Ettercap to perform ARP cache poisoning and provide the steps and output.

***********************************************************************************************

Hope you enjoyed.


Now do some research on other types of TCP/IP attacks like ICMP redirect.
