Week 9

This document covers intermediate networking hacking techniques, focusing on ARP, DNS, and DHCP spoofing, as well as Man-in-the-Middle (MITM) attacks. It details the mechanisms of these protocols, tools for executing attacks, and methods for detection and prevention. Ethical considerations and legal risks associated with network testing are also emphasized.

Uploaded by Junaid Akram

Week 9: Networking Hacking II – Intermediate Attacks & Network Spoofing

Lecture Objectives

By the end of this session, you should be able to:

• Explain ARP, DNS, and DHCP protocols and how they can be manipulated.

• Perform ARP and DNS spoofing using common tools.

• Understand MITM attack techniques and implications.

• Recognize network poisoning indicators and prevention strategies.

• Apply ethical considerations to lab-based network testing.

Understanding Spoofing in Network Attacks

• Spoofing involves forging information to mislead systems.

• Used to impersonate devices or redirect traffic.

• Often the first step in more complex attacks like MITM.

• Types: IP, MAC, ARP, DNS, DHCP, email, etc.

• Goal: Intercept, modify, or disrupt communication between hosts.


ARP: Address Resolution Protocol Review

• Protocol that maps IP addresses to MAC addresses in a local network.

• Operates at Layer 2 (Data Link) of OSI.

• Uses ARP requests and replies.

• No authentication built into ARP = vulnerable by design.

• ARP Cache: Temporarily stores mappings to avoid re-requests.


What is ARP Spoofing?

• Attacker sends fake ARP replies to associate their MAC address with the IP of a legitimate device (e.g., gateway).

• Causes target to send data to attacker instead of the correct device.

• Attacker can intercept, modify, or drop packets.


• Enables MITM attacks, credential theft, or session hijacking.

Visualizing ARP Spoofing

• Normal Path: Host → Gateway

• Spoofed Path: Host → Attacker → Gateway

• Attacker replies to ARP request faster than real device.

• Devices are unaware; data flows through attacker transparently.


Tools for ARP Spoofing

• arpspoof: CLI tool from the dsniff package for injecting fake ARP responses.

• Ettercap: GUI/CLI suite for LAN MITM attacks with plugins.

• Bettercap: Modern tool with scripting, MITM, ARP spoofing, packet injection.

• Combine with Wireshark to capture and inspect data.


Detecting ARP Spoofing

• ARP table anomalies: MAC address changes unexpectedly.

• Packet captures showing frequent unsolicited ARP replies.

• Duplicate IP address warnings.


• Tools: XArp (Windows), arpwatch (Linux), Wireshark filters.

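As an added illustration (not code from the lecture), the following arpwatch-style monitor applies the two indicators listed above to a stream of observed ARP packets: an unsolicited reply, and an IP whose MAC changes. The packet records and the MAC/IP values are constructed sample data, and the "trusted" gateway mapping is an assumed input.

```python
from collections import namedtuple

# One observed ARP packet; op 1 = request, op 2 = reply.
ArpPkt = namedtuple("ArpPkt", "ts op sender_ip sender_mac target_ip")

def monitor_arp(packets, trusted=None):
    """Return a list of (timestamp, alert) tuples for suspicious ARP traffic.

    trusted: optional dict ip -> mac for hosts whose mapping is known in advance
    (e.g. the gateway). A trusted entry is never overwritten, so a reply that
    contradicts it keeps raising alerts instead of silently "winning".
    """
    trusted = trusted or {}
    cache = dict(trusted)      # ip -> mac as learned so far
    pending = set()            # IPs for which a request is outstanding
    alerts = []
    for p in packets:
        if p.op == 1:
            pending.add(p.target_ip)
            continue
        if p.op != 2:
            continue
        # Indicator 1: a reply nobody asked for (unsolicited / gratuitous).
        if p.sender_ip in pending:
            pending.discard(p.sender_ip)
        else:
            alerts.append((p.ts, f"unsolicited reply: {p.sender_ip} is-at {p.sender_mac}"))
        # Indicator 2: the MAC claimed for an IP differs from what we knew.
        known = cache.get(p.sender_ip)
        if known is None:
            cache[p.sender_ip] = p.sender_mac
        elif known != p.sender_mac:
            kind = "trusted" if p.sender_ip in trusted else "learned"
            alerts.append((p.ts, f"{kind} mapping changed: {p.sender_ip} {known} -> {p.sender_mac}"))
            if p.sender_ip not in trusted:
                cache[p.sender_ip] = p.sender_mac

    return alerts

# Constructed sample (not a real capture): one legitimate request/reply for
# the gateway, then repeated replies claiming the gateway IP from another MAC.
SAMPLE = [
    ArpPkt(1.0, 1, "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),
    ArpPkt(1.1, 2, "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),
    ArpPkt(5.0, 2, "10.0.0.1", "bb:bb:bb:bb:bb:99", "10.0.0.5"),
    ArpPkt(6.0, 2, "10.0.0.1", "bb:bb:bb:bb:bb:99", "10.0.0.5"),
]

if __name__ == "__main__":
    for ts, msg in monitor_arp(SAMPLE, trusted={"10.0.0.1": "aa:aa:aa:aa:aa:01"}):
        print(f"[{ts:5.1f}] {msg}")
```

Without a trusted entry the monitor learns the new MAC after the first change and only the unsolicited replies keep firing, which is why pinning the gateway mapping matters.
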
ARP Spoofing Ethical Concerns

• Legal risk: Performing ARP spoofing on unauthorized networks is illegal.

• Network disruption: Can cause disconnections or performance issues.

• Always use isolated labs or virtual environments.

• Document permissions and testing boundaries before conducting tests.

DNS Overview: What It Does

• DNS = Domain Name System.

• Resolves human-readable names (e.g., google.com) to IP addresses.

• Works like a phone book for the internet.

• Operates over UDP/53, sometimes TCP/53.

• Common target for spoofing and poisoning attacks.


What is DNS Spoofing?

• Attacker forges DNS response to redirect victim to a malicious IP.

• Can be performed on local network or upstream DNS server.

• Used in phishing, malware distribution, and surveillance.

• Impacts user trust and data confidentiality.


Local DNS Cache Poisoning

• Insert false DNS records into victim’s local cache.

• Subsequent requests go to malicious IP even if attacker is gone.

• Hard to detect unless user inspects cache manually.

• Can persist until cache TTL expires or is flushed.


DNS Spoofing Using Ettercap

• Modify etter.dns file to specify spoofed domain and IP.

• Launch ettercap in MITM mode with DNS spoof plugin:

• ettercap -T -q -i eth0 -M arp /victim/ /gateway/ -P dns_spoof


• Redirects victim’s requests for e.g. google.com to attacker IP.

Defending Against DNS Spoofing

• Use DNSSEC (adds signatures to DNS responses).

• Configure secure DNS servers internally.

• Flush DNS cache regularly and use encrypted DNS (DoH or DoT).

• Monitor for unusual or inconsistent domain-IP mappings.


What is a Man-in-the-Middle (MITM) Attack?

• Attacker silently relays and possibly alters communications between two parties.

• Commonly enabled by ARP spoofing or rogue Wi-Fi.

• Targets credentials, session cookies, financial data.


• Used in phishing, surveillance, or access escalation.

MITM Attack Examples

• Login page interception: capture usernames and passwords.

• Session hijacking: steal auth tokens/cookies.

• Injecting JavaScript or ads into web pages.

• Downgrade attacks (e.g., HTTPS to HTTP).


MITM Toolset Overview

• Ettercap: ARP spoofing + DNS spoof + credential capture.

• Bettercap: MITM, HTTPS stripping, scripting support.

• Responder: Captures NTLMv2 hashes from Windows.

• SSLStrip: Downgrades HTTPS to HTTP to capture credentials.


Bettercap Overview

• Supports real-time packet analysis, HTTP proxy, ARP spoofing, DNS spoofing.

• Has web UI for live monitoring.

• Supports modules and scripting (Caplets).

• Lightweight and actively maintained.


Demonstrating MITM in Class

• Setup: Kali (attacker), Windows (victim), router.

• Launch Bettercap:

• sudo bettercap -iface eth0

• Enable ARP spoof and sniffing.


• Show intercepted HTTP login credentials.

Lab: ARP Spoofing + Credential Capture

• Goal: Intercept victim’s login data on HTTP site.

• Tools: Kali Linux, DVWA, Ettercap/Wireshark.

• Steps:

1. Enable IP forwarding.

2. Start Ettercap with DNS spoofing.

3. Use Wireshark to observe HTTP POST requests.

• Expected Result: Plaintext credentials captured.


Rogue DHCP Attacks Overview

• DHCP assigns IP, DNS, gateway.

• Rogue DHCP = attacker sets up fake DHCP server.

• Victim receives malicious network configuration.

• Leads to full control of victim traffic routing.


Rogue DHCP with Yersinia

• Yersinia is a network attack tool for Layer 2 protocols.

• Can send rogue DHCP offers with:

o Fake gateway (attacker IP)

o Malicious DNS

• Used to redirect or isolate victims on network.


Detecting Rogue DHCP Servers

• DHCP client logs show duplicate offers.

• Monitor for IPs outside of known DHCP pool.

• Tools: dhclient -v, Wireshark filter bootp, DHCP snooping on switches.
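As an added example (not from the lecture), this audit routine checks DHCPOFFER records against the network's known configuration and reports the indicators above: an offer from an unauthorised server, a lease outside the known pool, a gateway or DNS that differs from the expected values, and a second offer for the same transaction. The offers, the server addresses and the pool are constructed sample values.

```python
import ipaddress
from collections import namedtuple

# One DHCPOFFER as a client or sniffer sees it: transaction id, server
# identifier (option 54), offered address (yiaddr), router (option 3), DNS (option 6).
Offer = namedtuple("Offer", "xid server_id yiaddr router dns")

def audit_offers(offers, authorised_servers, pool, expected_router, expected_dns):
    """Return alert strings; an empty list means every offer matched the known config."""
    authorised = set(authorised_servers)
    pool_net = ipaddress.ip_network(pool)
    first_server = {}          # xid -> server_id of the first offer seen
    alerts = []
    for o in offers:
        tag = f"xid {o.xid:#x}"
        if o.server_id not in authorised:
            alerts.append(f"{tag}: offer from unauthorised server {o.server_id}")
        if ipaddress.ip_address(o.yiaddr) not in pool_net:
            alerts.append(f"{tag}: lease {o.yiaddr} outside pool {pool}")
        if o.router != expected_router:
            alerts.append(f"{tag}: gateway {o.router} differs from expected {expected_router}")
        if o.dns != expected_dns:
            alerts.append(f"{tag}: DNS {o.dns} differs from expected {expected_dns}")
        # Two offers for one transaction from different servers is the
        # "duplicate offers" symptom; the client keeps whichever arrives first.
        first = first_server.setdefault(o.xid, o.server_id)
        if first != o.server_id:
            alerts.append(f"{tag}: duplicate offer from {first} and {o.server_id}")
    return alerts

# Constructed sample: the real server answers, then a rogue host on the LAN
# answers the same transaction pointing gateway and DNS at itself.
SAMPLE = [
    Offer(0x1a2b, "10.0.0.1", "10.0.0.50", "10.0.0.1", "10.0.0.1"),
    Offer(0x1a2b, "10.0.0.200", "10.0.0.130", "10.0.0.200", "10.0.0.200"),
]

if __name__ == "__main__":
    for a in audit_offers(SAMPLE, ["10.0.0.1"], "10.0.0.0/25", "10.0.0.1", "10.0.0.1"):
        print(a)
```

On a managed switch the same policy is enforced in hardware by DHCP snooping, which drops server replies on untrusted ports before a client ever sees them.
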


Network Poisoning Overview

• Poisoning = sending forged data to corrupt network protocol behavior.

• Examples: ARP, DNS, DHCP poisoning.

• Goal: mislead target into interacting with attacker.

• Common precursor to full compromise.


Risks of MITM and Network Poisoning

• Credential theft (banking, email, enterprise apps).

• Data manipulation (redirecting URLs, injecting malware).

• Connection drops or performance issues.

• Persistent backdoors via cached spoofed entries.


Protocols Commonly Exploited via MITM

• HTTP, FTP, Telnet – no encryption.

• SMTP, POP3 – credentials in plaintext.

• SMB – vulnerable to NTLM hash theft.

• LDAP – common in enterprise environments.


SMB/NTLM Hash Capture with Responder

• Run Responder:

• sudo responder -I eth0

• Wait for victim to access a shared resource (e.g. \\MALICIOUS-IP)

• Capture NTLMv2 hashes for offline cracking.

• Windows tries to authenticate automatically = stealthy.


Mitigation: Network Segmentation & VLANs

• Separate networks based on role (e.g., guests, admin).

• Prevent broadcast/multicast from spreading.

• Use VLAN tagging to isolate ARP/DHCP domains.

• Reduce scope of potential attacks.


Mitigation: Static ARP & DHCP Snooping

• Set static ARP entries for critical devices.

• Enable DHCP snooping on managed switches.

• Block untrusted ports from sending DHCP responses.

• Combine with Dynamic ARP Inspection (DAI).


HTTPS, HSTS, and Certificate Pinning

• HTTPS encrypts traffic – prevents sniffing credentials.

• HSTS = HTTP Strict Transport Security (forces HTTPS).

• Certificate pinning: app trusts only specific certs.

• Helps stop SSL stripping and fake cert attacks.
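To make concrete how HSTS blocks SSL stripping, here is an added example (not from the lecture) that models the browser side: it parses a Strict-Transport-Security header received over HTTPS, stores the policy, and decides whether a later plain http:// request is rewritten to https:// before it leaves the machine. The host names and header values are constructed.

```python
import time

class HstsStore:
    """Minimal model of a browser's HSTS policy cache."""

    def __init__(self, now=time.time):
        self.now = now
        self.policies = {}   # host -> (expires_at, include_subdomains)

    def record_header(self, host, header_value, via_https=True):
        """Process a Strict-Transport-Security header from a response for host.

        Browsers ignore the header on plain HTTP, so a party in the middle of a
        stripped connection can neither plant nor clear a policy.
        """
        if not via_https:
            return False
        max_age, include_sub = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.lower()
            if name == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        if max_age == 0:
            self.policies.pop(host, None)    # max-age=0 removes the policy
            return True
        self.policies[host] = (self.now() + max_age, include_sub)
        return True

    def should_upgrade(self, host):
        """True if an http:// request to host must be sent as https:// instead."""
        labels = host.split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires_at, include_sub = policy
            if self.now() >= expires_at:
                continue                     # expired policy no longer applies
            if i == 0 or include_sub:
                return True
        return False
```

Note the gap the model makes visible: the very first visit to a site carries no policy yet, so stripping is only defeated after a previous HTTPS visit or a preload entry.
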


Monitoring MITM Activity

• Use Wireshark to inspect ARP/DNS anomalies.

• Look for changes in MAC-IP mappings.

• Check SSL/TLS cert warnings in browsers.

• Deploy intrusion detection systems (Snort, Suricata).


Wireshark for MITM Detection

• Filters:

o arp, bootp, http, dns

o eth.addr == xx:xx:xx:xx:xx:xx

• Visual tools: TCP stream follow, graph analysis

• Export sessions for evidence or training.


Summary – Key Learning Points

• ARP, DNS, and DHCP protocols are vulnerable to spoofing.

• MITM attacks can intercept or manipulate traffic.

• Tools like Bettercap, Ettercap, and Responder simplify attacks.

• Defenses include segmentation, encryption, and monitoring.




THANK YOU
Any Questions?