A project for BUET security course UGCSE406.
This repository contains an implementation of a Man in the Middle attack in C. The directory `spoofer/` contains the code related to ARP poisoning, and `sniffer/` contains the code related to sniffing and relaying the packets.
First, you'll need two hosts in your network. For the hosts I used Docker containers, whose configuration is stored in `./labsetup/docker-compose.yml`. The compose file is configured according to my personal use case, so you'll have to read through it and change the necessary parts (especially the `volumes` section for Host M).
| Host Name | IP Address | MAC Address |
|---|---|---|
| Host A | 10.9.0.5 | 02:42:0a:09:00:05 |
| Host B | 10.9.0.6 | 02:42:0a:09:00:06 |
| Host M | 10.9.0.105 | 02:42:0a:09:00:69 |
Here are some useful aliases and commands to make working with Docker a breeze. Put the following code block in your `.bashrc`:

```bash
alias dcbuild='docker-compose build'
alias dcup='docker-compose up'
alias dcdown='docker-compose down'
alias dockps='docker ps --format "{{.ID}} {{.Names}}"'
# open a shell inside the container whose ID or name is given as the first argument
docksh() { docker exec -it "$1" /bin/bash; }
```
This project can handle both the ICMP and TCP protocols. (Handling UDP is planned for the future.) So, first you'll want to set up an ICMP or TCP communication between two hosts in your network. Use `ping` for ICMP and `nc` for TCP.
The following code block is an example of setting up an ICMP communication between Host-A and Host-B.

```bash
# At Host-A
ping 10.9.0.6 # where 10.9.0.6 is the IP address of Host-B
# At Host-B
tcpdump -i eth0 -n icmp
```
And the code block below is an example of a similar communication, but over TCP.

```bash
# On Host-B (server, IP address is 10.9.0.6)
nc -lp 9090
# On Host-A (client)
nc 10.9.0.6 9090
```
In both of these cases it looks like Host-A is the sender and Host-B the receiver, but actually both hosts send and receive packets at the same time, so we'll have to poison both of their ARP caches and relay both hosts' packets to each other.
A makefile exists at the project root, which in turn invokes the makefiles for each of the two programs in `spoofer/` and `sniffer/`. The makefiles are specifically crafted for Linux, so you'll have to figure out a build mechanism of your own if you're on Windows or macOS.
In order to launch a MITM attack, we'll first have to poison the ARP caches of both hosts. To do that, simply run the following command from the project root directory:

```bash
# binary_file Host-A Host-B Interface
./spoofer/spoof 10.9.0.5 10.9.0.6 eth0
```
The spoofer will then repeatedly send ARP replies to Host-A and Host-B claiming that Host-M (the attacker) is Host-B and Host-A respectively. So, when Host-A sends a packet to Host-B, or when Host-B sends one to Host-A, it'll arrive at Host-M.
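From the defender's side, the two-sided poisoning just described leaves a clear fingerprint on the wire: one MAC (Host M's) answering for two different IPs, and ARP replies whose `is-at` MAC disagrees with the known-good table above. The script below is an added example and not part of this project's code; it parses constructed lines in the shape of `tcpdump -n -e arp` output and checks them against the lab table from this README. The `KNOWN_GOOD` table, the regex, the sample lines and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Known-good IP -> MAC table, taken from the lab hosts listed in this README.
KNOWN_GOOD = {
    "10.9.0.5": "02:42:0a:09:00:05",    # Host A
    "10.9.0.6": "02:42:0a:09:00:06",    # Host B
    "10.9.0.105": "02:42:0a:09:00:69",  # Host M
}

# Constructed sample capture in the shape of `tcpdump -n -e arp` output (not a real
# capture): one legitimate request/reply pair, then two replies in which Host M's
# MAC claims to be Host B (sent to A) and Host A (sent to B).
SAMPLE_CAPTURE = """\
12:00:01.000001 02:42:0a:09:00:05 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.9.0.6 tell 10.9.0.5, length 28
12:00:01.000200 02:42:0a:09:00:06 > 02:42:0a:09:00:05, ethertype ARP (0x0806), length 42: Reply 10.9.0.6 is-at 02:42:0a:09:00:06, length 28
12:00:02.000000 02:42:0a:09:00:69 > 02:42:0a:09:00:05, ethertype ARP (0x0806), length 42: Reply 10.9.0.6 is-at 02:42:0a:09:00:69, length 28
12:00:02.000100 02:42:0a:09:00:69 > 02:42:0a:09:00:06, ethertype ARP (0x0806), length 42: Reply 10.9.0.5 is-at 02:42:0a:09:00:69, length 28
"""

# Matches the "Reply <ip> is-at <mac>" part of a tcpdump ARP reply line.
REPLY_RE = re.compile(
    r"Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"
)


def parse_replies(capture_text):
    """Return (ip, mac) for every ARP reply line; requests and other lines are ignored."""
    replies = []
    for line in capture_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            replies.append((m.group(1), m.group(2).lower()))
    return replies


def find_spoofed(replies, known_good):
    """Flag replies whose claimed MAC differs from the known-good table.

    Returns (ip, claimed_mac, expected_mac) tuples in capture order. IPs that are
    not in the table cannot be judged here; find_multi_ip_macs covers those.
    """
    alerts = []
    for ip, mac in replies:
        expected = known_good.get(ip)
        if expected is not None and mac != expected.lower():
            alerts.append((ip, mac, expected))
    return alerts


def find_multi_ip_macs(replies):
    """Return MACs that claimed more than one IP, mapped to the sorted IPs claimed.

    Needs no known-good table: poisoning both victims, as the spoofer above does,
    necessarily makes one MAC answer for two different IPs.
    """
    claims = defaultdict(set)
    for ip, mac in replies:
        claims[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    replies = parse_replies(SAMPLE_CAPTURE)
    for ip, claimed, expected in find_spoofed(replies, KNOWN_GOOD):
        print(f"ALERT: {ip} claimed by {claimed}, known-good MAC is {expected}")
    for mac, ips in find_multi_ip_macs(replies).items():
        print(f"ALERT: {mac} answered for multiple IPs: {', '.join(ips)}")
```

Run it as a script to see the alerts for the constructed capture, or pipe real `tcpdump -l -n -e arp` output into `parse_replies`. On the victim side the same mismatch shows up in `ip neigh show` on Host A or Host B, and in a small lab like this one the usual mitigation is to pin the peers with static entries (`ip neigh add <ip> lladdr <mac> dev eth0 nud permanent`) so that unsolicited replies cannot overwrite them.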
Now that we've successfully poisoned the ARP caches of the victim hosts, we'll need to sniff the incoming packets and relay them back to their intended target, so that the victims will not know they have been attacked.
Before launching the sniffer, remember to turn IP forwarding off. Normally you'd turn it on, because the kernel would then automatically relay the sniffed packets to their target, but that also sends an additional ARP reply carrying the hosts' actual MAC addresses, which clashes with our ARP spoofing. So we'll have to relay the packets ourselves.

```bash
# Turn IP forwarding off
sysctl net.ipv4.ip_forward=0
# Turn IP forwarding on
sysctl net.ipv4.ip_forward=1
```
After turning IP forwarding off, you can launch the sniffer, which will sniff the packets, log them in a file named `snifflog`, and then relay the packets to their intended target.
Note: The sniffer doesn't take input. It reads from a file generated by the spoofer. If the sniffer can't find the file `ipmacinfo`, ensure you launched the spoofer from the root folder with `./spoofer/spoof` and not with `cd spoofer/ && ./spoof`.

```bash
./sniffer/sniff
```
This project would not have been completed without the following resources: