Detecting ARP Poisoning On Ubuntu with Wireshark

Posted: November 24, 2011 in Guides

So you utilize public wifi a lot, or maybe you share an internet connection in a dorm with a creepy Comp Sci major who wants nothing more than to talk to your girlfriend on Facebook. The problem is he wants to do it while impersonating you. Man in the Middle attacks are ever so common on shared internet connections these days. They make it extremely easy to hijack credentials and analyze other packet traffic, even if you’re using SSL. Tools like SSLstrip, Wireshark and Ettercap make it alarmingly easy to take apart SSL.

Now, we know (or might not) that SSL is still reasonably secure: there aren’t really any inline attacks for breaking SSL. BEAST notwithstanding (and it still can’t break SSL at line speed), SSL isn’t actually being broken. What is happening is that network traffic is being manipulated, usually via ARP poisoning plus a proxy such as SSLstrip, which downgrades the connection and fakes the SSL authentication when in reality it isn’t happening. That being said, anyone on a shared network segment can rather easily acquire your credentials.

What we’re going to discuss is using Wireshark to detect the most common type of MITM attack. Note this is performed on Ubuntu 11.10 with Wireshark; if you don’t have Wireshark, you can install it with:

sudo apt-get install wireshark

and start it with:

gksudo wireshark &

By far ARP poisoning attacks are the most popular; they are extremely easy to do, and in fact it’s beginning to seem like every 15 year old has a YouTube video demonstrating how to grab Facebook credentials using Ettercap. In conjunction with SSLstrip this can be devastating. The most common and effective method of doing this on a shared network segment is to ARP poison the target router, or the entire subnet. This also makes it extremely easy to detect. Because an ARP poisoning attack works by repeatedly re-ARPing the target, it will occasionally collide with ARP frames sent by the ACTUAL host. We can detect this with Wireshark by filtering for duplicate address ARP frames.

We simply start our capture and set our display filter to “arp.duplicate-address-frame”. When we examine the data provided by Wireshark we also see that the IP address is being claimed by another MAC address. Under normal network operations two systems should not be claiming the same address on the same network segment, particularly the address of the gateway.
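As an added illustration (not part of the original post), the following Python script applies the same duplicate-address idea offline: it parses raw Ethernet/ARP bytes and flags every frame whose sender IP was already claimed by a different sender MAC, which is what the filter above surfaces when a rogue host keeps re-ARPing the gateway. All MACs, IPs and frames below are constructed sample data; Wireshark’s own detector also tracks the target fields of replies, which this simplified sender-only version omits.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype ptype hlen plen oper sha spa tha tpa

def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(oper, sha, spa, tha, tpa):  # builds constructed test frames only
    dst = b"\xff" * 6 if oper == 1 else mac_bytes(tha)  # requests go to broadcast
    eth = dst + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    return eth + ARP.pack(1, 0x0800, 6, 4, oper, mac_bytes(sha), ip_bytes(spa),
                          mac_bytes(tha), ip_bytes(tpa))

def parse_arp(frame):  # ARP fields of an Ethernet frame, or None if not IPv4 ARP
    if len(frame) < 14 + ARP.size or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP.unpack(frame[14:14 + ARP.size])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}

def find_duplicate_claims(frames):
    """Flag frames whose sender IP was already seen with another sender MAC (cf. arp.duplicate-address-frame)."""
    claims = defaultdict(set)  # IP -> every MAC that has claimed it so far
    alerts = []
    for idx, frame in enumerate(frames):
        arp = parse_arp(frame)
        if arp is None or arp["spa"] == "0.0.0.0":  # skip non-ARP frames and ARP probes
            continue
        others = claims[arp["spa"]] - {arp["sha"]}
        if others:
            alerts.append((idx, arp["spa"], arp["sha"], sorted(others)))
        claims[arp["spa"]].add(arp["sha"])
    return alerts

# Constructed sample: the real gateway answers once, a second MAC then claims the gateway IP repeatedly.
GW, CLIENT, ROGUE = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:50", "cc:cc:cc:cc:cc:99"
SAMPLE = [
    build_arp(1, CLIENT, "192.168.1.50", "00:00:00:00:00:00", "192.168.1.1"),  # who-has gateway
    build_arp(2, GW, "192.168.1.1", CLIENT, "192.168.1.50"),                   # real gateway reply
    build_arp(2, ROGUE, "192.168.1.1", CLIENT, "192.168.1.50"),                # rogue claim of gateway IP
    build_arp(2, ROGUE, "192.168.1.1", CLIENT, "192.168.1.50"),                # repeated re-ARP
    build_arp(2, GW, "192.168.1.1", CLIENT, "192.168.1.50"),                   # real host collides
]
```

Running `find_duplicate_claims(SAMPLE)` flags frames 2, 3 and 4: both the rogue claims and the genuine gateway reply that collides with them, exactly the collision the post relies on.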

Sure, you’re thinking: what about other attacks like DHCP spoofing or ICMP redirects? Well, here’s the thing: those are not full-duplex attacks and pose little to no threat to an SSL connection. For instance, if an attacker wants to create a DNS redirect scenario, ARP poisoning would be much easier and more effective on a switched or broadcast based network than ICMP redirect based attacks, which will fail on a switched network.

Oh, by the way, happy Thanksgiving to those of you in the States 🙂

  1. Carlos says:

    Hey Adan, this is some scary stuff indeed. If I’m tunneling my traffic through SSL, would that help mitigate this type of attack?

    • dangertux says:

      Hey Carlos :

      Are you doing an SSH forward (not the same as SSL) or are you actually doing an SSL tunnel? Or are you just utilizing SSL on the site (i.e. HTTPS)?

      In this case the way the attack works is the attacker puts themselves in the path of the traffic and actually proxies the traffic, re-establishing SSL on the opposite side. So essentially it’s a downgrade attack, meaning you’re not ACTUALLY sending encrypted data to the attacker’s machine. There are obviously restrictions on this. I.e.: they need to be on the same network segment, and you may notice they don’t have an appropriate certificate (i.e. the “Get me out of here” warning in Firefox).

      I hope this answers your question.

      • Carlos says:

        Hey Adam, I’m doing it through an SSL tunnel from another machine. For example, when I’m on my school’s public WiFi, I connect to my home PC via SSL tunnel.

      • dangertux says:

        It’s still possible, though you would likely notice a certificate error that should give you a heads-up as to what is going on. Of course, this method would also work for detecting the redundant ARPing of Ettercap or whatever they were using to ARP poison.

  2. Tushar Kumar says:

    This is the first post that I loved so far on entire WordPress. Thanks DT 🙂

  3. leoquant says:

    Please do not use Wireshark as root; it is very unsafe, and there are alternatives: …turePrivileges

    Setting network privileges for dumpcap
    1. Ensure your Linux kernel and filesystem support File Capabilities and also that you have installed the necessary tools.
    2. setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap
    3. Start Wireshark as non-root and ensure you see the list of interfaces and can do live capture.
    Limiting capture permission to only one group
    1. Create user "wireshark" in group "wireshark".
    2. chgrp wireshark /usr/bin/dumpcap
    3. chmod 754 /usr/bin/dumpcap
    4. setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap
    5. Ensure Wireshark works only from root and from the "wireshark" user.

    sudo apt-get install libcap2-bin wireshark
    sudo chgrp admin /usr/bin/dumpcap
    sudo chmod 750 /usr/bin/dumpcap
    sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap

    • dangertux says:

      Great info. Sorry your comment almost got eaten by Akismet. It doesn’t like links, even though yours is relevant.

      This is absolutely correct, and sometimes I forget my audience. Generally I do run Wireshark as root (because I usually use it on BT). That being said, I also understand the risks of doing so. Again, thanks for the info 🙂
