From ba0a8f1fa5aca87dd3b5bddfb5d8b31579aa0fcb Mon Sep 17 00:00:00 2001 From: seantywork Date: Mon, 20 Oct 2025 13:53:13 +0900 Subject: [PATCH] spoof arp relocate to medium --- spoof-arp/{README.md => 2509-04.xyz.md} | 59 ++++++------------------- 1 file changed, 13 insertions(+), 46 deletions(-) rename spoof-arp/{README.md => 2509-04.xyz.md} (76%) diff --git a/spoof-arp/README.md b/spoof-arp/2509-04.xyz.md similarity index 76% rename from spoof-arp/README.md rename to spoof-arp/2509-04.xyz.md index 3894e2c..858767e 100644 --- a/spoof-arp/README.md +++ b/spoof-arp/2509-04.xyz.md @@ -1,13 +1,5 @@ -# spoof-arp - -- source: [linuxyz/spoof-arp](https://github.com/seantywork/linuxyz/tree/main/spoof-arp) -- date: 2509-04 - -We can try out ARP spoofing on Linux with the source code and script in this directory. - -Below is the layout of the environment created by the `setup.sh` shell script. - +# 01 ```shell ------------------------- | host | @@ -33,18 +25,8 @@ Below is the layout of the environment created by the `setup.sh` shell script. ``` -The shell script not only creates the environment but also \ -sets `vbr0` to accept unsolicitied ARP packet, which \ -makes it vulnerable to ARP spoofing attack. - -In other words, if a switch located in that positon doesn't allow for \ -unsolicitied ARP packets, you don't have to worry about being ARP spoofed :) -And adding to that, `vnet2` is configured to drop the packets coming in whose \ -destination is not `11.168.0.200`, which means any packets set to be forwarded \ -will be dropped. - -Let's check out the poor victim's mac table. +# 02 ```shell $ sudo ip netns exec vnet1 ip neigh @@ -53,7 +35,7 @@ $ ``` -Now, let's check if it can ping the host `11.168.0.1` as usual. +# 03 ```shell $ sudo ip netns exec vnet1 ping 11.168.0.1 @@ -69,7 +51,7 @@ rtt min/avg/max/mdev = 0.047/0.060/0.084/0.014 ms ``` -Checking mac table again... +# 04 ```shell $ sudo ip netns exec vnet1 ip neigh 
@@ -78,9 +60,7 @@ $ sudo ip netns exec vnet1 ip neigh ``` -So far so good. - -Clear all info from the mac table. +# 05 ```shell $ sudo ip netns exec vnet1 ip neigh flush all @@ -89,12 +69,7 @@ $ ``` -Now, we're going to use ARP spoof attack to interfere (DoS) with \ -the normal flow of traffic. - -In the section below, `g` flag means it will use [gratuitous ARP](https://wiki.wireshark.org/Gratuitous_ARP) to \ -perform ARP spoofing. You can also use `ng` to perfrm ARP spoofing \ -but it uses unsolicited ARP reply packet to do so. +# 06 ```shell $ sudo ip netns exec vnet2 ./spoof.out g @@ -105,8 +80,7 @@ spoofing? ``` -On the other terminal, I captured the ARP packets going back and forth as you can \ -see below. +# 07 ```shell $ sudo ip netns exec vnet0 tshark -i vbr0 @@ -121,15 +95,13 @@ Capturing on 'vbr0' ``` -From the victim's namespace, we can see the updated mac table. +# 08 ```shell $ sudo ip netns exec vnet1 ip neigh 11.168.0.200 dev veth11 lladdr 22:e8:90:6d:69:e5 STALE ``` - -Now, back to the attacker, and hitting `enter` will make the program to \ -send out gratuitous arp to perform spoofing attack. +# 09 ```shell $ sudo ip netns exec vnet2 ./spoof.out g @@ -142,12 +114,7 @@ gratuitous arp... ``` -Seeing from packet capture, you can see that the program is lying \ -about its IP association. Specifically, it's saying that IP `11.168.0.1`, \ -which is `host`'s IP address is mapped to the attacker's mac address. - -If the switch accepts this dubious claim (in our case it does), then any packet \ -that's destined to `11.168.0.1` will end up trapped in `11.168.0.200`. +# 10 ```shell Frame 4: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface vbr0, id 0 @@ -192,7 +159,7 @@ Address Resolution Protocol (request/gratuitous ARP) ``` -Precisely that happens as you can see from `ping` command below. +# 11 ```shell $ sudo ip netns exec vnet1 ping 11.168.0.1 
@@ -207,7 +174,7 @@ rtt min/avg/max/mdev = 0.129/0.149/0.169/0.020 ms ``` -It's also confirmed by the packet capture. +# 12 ```shell $ sudo ip netns exec vnet0 tshark -i vbr0 -f "icmp" @@ -233,7 +200,7 @@ Capturing on 'vbr0' ``` -Check out the current status of victim's mac table +# 13 ```shell -- 2.43.0
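Review bot: The rename of `spoof-arp/README.md` to `2509-04.xyz.md`, together with the first hunk (`@@ -1,13 +1,5`), leaves the directory without a README and drops the title, the source link and the date, leaving only `# 01`. The subject says the text was relocated, but nothing in the new file says where it went. Suggest keeping a short `README.md` that names the lab, mentions `setup.sh`, and links to the relocated write-up.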
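Review bot: In the hunk at `@@ -33,18 +25,8`, the removed paragraphs are the only place in this file that records two preconditions of the lab: that the script sets `vbr0` to accept unsolicited ARP packets, and that `vnet2` drops packets whose destination is not `11.168.0.200`. Without them a reader of the transcripts cannot tell that the bridge was deliberately configured to be spoofable, and the defensive takeaway (a switch that does not allow unsolicited ARP is not affected) is lost. Suggest keeping those statements as a short note under `# 01` or `# 02`.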
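Review bot: In the hunk at `@@ -89,12 +69,7`, section `# 06` now runs `./spoof.out g` with the argument undocumented. The removed lines were the only description of `g` (gratuitous ARP) versus `ng` (unsolicited ARP reply), and of the intent to interfere with traffic. Suggest keeping one line that names the two modes next to the command.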
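Review bot: In the hunk at `@@ -121,15 +95,13`, the blank line after the closing fence of the `# 08` block is removed along with the prose, so `# 09` follows the fence directly, while the other sections keep a blank line before their heading. Suggest restoring the blank line for consistency. The same hunk also shows what the bare numbers cost: the removed captions said which side each command runs on ("From the victim's namespace", "back to the attacker"), and `# 08` / `# 09` do not. A short descriptive heading per step would keep that.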