Scribd
Upload
29 views

Lab 3

The document discusses ARP spoofing and IP spoofing attacks. It introduces the ARPWATCH tool, which monitors ARP activity on a network to detect spoofing. It can detect changes to the ARP table or new MAC-IP associations that may indicate an ARP spoofing attack. The document provides instructions for installing and using ARPWATCH on Kali Linux to monitor a specific network interface and check for changes in the network. It also provides background on how ARP spoofing and IP spoofing work to disguise an attacker's identity.

Uploaded by

Hamza Farooq
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
29 views

Lab 3

The document discusses ARP spoofing and IP spoofing attacks. It introduces the ARPWATCH tool, which monitors ARP activity on a network to detect spoofing. It can detect changes to the ARP table or new MAC-IP associations that may indicate an ARP spoofing attack. The document provides instructions for installing and using ARPWATCH on Kali Linux to monitor a specific network interface and check for changes in the network. It also provides background on how ARP spoofing and IP spoofing work to disguise an attacker's identity.

Uploaded by

Hamza Farooq
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 5

Lab 3

Topic : Detect ARP spoofing using open source tool ARPWATCH


In this lab we need to perform the task to know about ARP Spoffing, ARPWATCH is an
open-source tool used to track and monitor Address Resolution Protocol (ARP) activity
on a network. It monitors the connections between MAC and IP addresses, detecting
any changes or identify the new associations. This tool provides significant data to
maintain network security and integrity, particularly in identifying potential ARP spoofing
attacks and alerting administrators to suspect network activities. Before moving into
future details we need to answer the following questions.

Question: What is ARP Spoofing?


Address Resolution Protocol (ARP) is a network protocol that translates IP addresses to
MAC addresses, enabling devices to connect to the Internet. It is commonly used by
routers or gateways. ARP cache, a mapping table between IP addresses and MAC
addresses, is maintained by hosts to connect to network destinations. If a host doesn't
know the MAC address for a specific IP address, it sends an ARP request packet,
asking other machines for the matching MAC address. However, the ARP protocol was
not designed for security, allowing hosts to accept ARP responses even if they never
sent out a request, which opens the door to ARP spoofing attacks. ARP only works with
32-bit IP addresses in the older IPv4 standard,
ARP Soffing (ARP Poisoning):
ARP spoofing, also known as ARP poisoning, is a Man in the Middle (MitM) exploit that
enables attackers to intercept traffic between network devices. According to how the
attack operates:
● Network Access: After gaining access to the network, the attacker finds out the
IP addresses of various devices, including routers and workstations.
● Spoofing Tools: Utilizing tools like Arpspoof or Driftnet, the attacker sends
falsified ARP responses.
● Falsified Associations: The workstation and router are tricked into connecting
the attacker's MAC address to their IP addresses by means of the falsified
responses.
● Altered Communication Path: As a result, rather than speaking with each other
directly, both devices start talking to the attacker's computer.
● Updated ARP Cache: The devices are able to intercept and control the data flow
without the devices realizing it because they are updating their entries in the ARP
cache.

Question: What is IP spoofing??


An attacker can use the technique known as IP spoofing to change the source IP
address in a packet in order to mask their identity or pass for a different system. An
attacker can launch a variety of attacks, including DoS (Denial of Service) attacks and
attempts to get around security measures, by forging the IP address. This technique is
frequently used to conceal the source of malicious traffic or to obtain unauthorized
access to a network by pretending to be a reliable source.
Working of Ip Spoofing:
IP spoofing is a method where a hacker alters the source address in
a packet header to make the receiving computer system believe it is
from a trusted source, such as another computer on a legitimate
network. This occurs at the network level, preventing external signs
of tampering. In systems relying on trust relationships, IP spoofing
can bypass IP address authentication, a concept known as the
'castle and moat' defense. This vulnerability makes simple
authentication strategies increasingly being replaced by more robust
security approaches, such as multi-step authentication. While
cybercriminals often use IP spoofing for online fraud and identity
theft, it can also be used for legitimate purposes, such as testing
websites before putting them live.There are several type of ip
spoofing here i am going to share name of some.

● Distributed Denial of Service (DDoS) attacks


● Masking botnet devices
● Man-in-the-middle attacks

Working with ARPWATCH:

● Before starting the ARPWATCH tool first we need to install it in


our kali linux machine. This can be done by using the following
command:
sudo apt-get install

● Here we have successfully installed the arpwatch on our linux


machine.
● Let check the total network interfaces attached to our network
or in our machine by running the following command
Ifconfig

● Here we can see our device have multiple network interfaces


available.
● Inorder to watch a specific interface over the network we can
use the following command:
arpwatch -i (interface_name)

● If we want to check for any changes in our network like when


new devices connected to the network. We can use the
following command:
tail -f /var/log/messages

● You can also check current ARP table, by using following


command:
arp -a

● So we can see we have on choose the wlan0 to watch by using


the arpwatch and its avaliable in the arp table.
● If you want to send alerts to your custom email id, then open
the main configuration file /etc/default/arpwatch and add
the email as shown below.

You might also like