In this practical exercise, which we can carry out with our students in class, we will focus not on a single tool but on a small audit suite known as DSNIFF.
Do you know the technique of phishing, or how packets can be intercepted in the communication between two computers, or even how a switch can be fooled through its ARP table? These kinds of techniques can be performed using DSNIFF. In this article I will teach you to set up a simple test scenario to try these techniques, so that you can get to know these attacks a little better.
What is DSNIFF?
Dsniff is a set of tools, created by Dug Song, for auditing networks and performing penetration tests.
With this tool we will realize how important encryption can be in our communications.
Although the suite has a comprehensive toolset, in this article I am only going to focus on two of its tools.
ARPSPOOF and DNSSPOOF
Arpspoof and dnsspoof facilitate the interception of network traffic that is normally not available to an attacker.
arpspoof is the tool we will use to poison ARP tables. It is responsible for sending fake "ARP reply" packets to the machine that we indicate as the "target", in order to supplant the MAC address of the second machine that we indicate.
dnsspoof allows us to build false DNS responses. It is used a lot to bypass controls based on host names or to implement a great variety of man-in-the-middle attacks (HTTP, HTTPS, SSH,
In this case study we will also use the tool tshark, because it is a terminal-oriented tool and it will serve as support in the test laboratory detailed in the last point of this document.
TShark is designed to capture and display packets when an interactive user interface is not required or not available. It is compatible with the same options as Wireshark.
For the installation of these three tools we will use the Kali Linux system.
Kali Linux is the updated and optimized version of the BackTrack distro developed by Offensive Security.
Installing Kali Linux on the computer is an easy process. First, we will need compatible computer hardware. Kali is compatible with i386, amd64 and ARM platforms. The hardware requirements are minimal, as indicated below, although better hardware will naturally provide better performance.
The i386 images have a default PAE kernel, so you can run them on systems with more than 4 GB of RAM.
Download Kali Linux and burn the ISO to a DVD, or prepare a USB stick with Kali Linux Live as the installation medium. If you do not have a DVD drive or USB port on your computer, check the Kali Linux network installation.
• A minimum of 20 GB of disk space for Kali Linux installation.
• RAM for i386 and amd64 architectures: minimum 1 GB, recommended 2 GB or more.
• CD-DVD drive / USB boot support
The objective of our tests is to verify the integrity of communication between computers connected to the local network (LAN). For that purpose we will use Tshark to intercept packets and see their encryption, if they have any.
A second part will cover the security of the DNS server: intercepting DNS requests and modifying them, redirecting the user to another IP.
Finally, we will end the tests by impersonating the MAC addresses that our network router has in its ARP table. In this way we will change the identity of the equipment in the communication. These tests are performed in scenarios with Layer 2 switches.
For the proof of concept we have created a laboratory scenario in which to use the tools. We detail the scenario below:
We build a public Wi-Fi network (without password) for an easy and fast connection of different devices.
In this Wi-Fi network we have a router with Internet access and a Linux machine running Kali Linux for testing and auditing environments.
Kali Linux works as the DHCP server and assigns a range of valid IPs to the different devices connected by Wi-Fi.
As an extraordinary measure, the gateway assigned by Kali Linux is not the router but the Kali Linux machine itself, which will function as an intermediary for traffic leaving for and arriving from the Internet.
This Kali Linux machine has two interfaces to perform the bridge function.
In order for this system to filter the packets and function as a bridge (false gateway), we must make a small iptables configuration.
To make it more comfortable in this laboratory environment we create a small script with the following commands.
In this way, our devices will browse through our Kali Linux machine.
Once we have our test scenario, we will connect a device to that Wi-Fi network and filter the packets through Tshark.
This will allow me to capture packets from the device connected to the public Wi-Fi through the eth0 interface of Kali Linux.
We show an example of a capture.
In this particular capture we are auditing the device's DNS traffic on port 53 to see its web browsing.
Now we are going to use one of the tools of our DSNIFF suite. With DNSSPOOF we will audit and verify the integrity of the DNS service of the connected clients.
The test will consist of introducing (sniffer) an invented DNS name, so that the client thinks it exists and is also redirected to a specific IP.
In this case the DNS name will be http://my.loginfacebook.es and we will send it to Kali Linux itself.
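Seen from the defender's side, a forged DNS response usually competes with the answer of the real server, so the same query ends up with two different answers. The following is an added example, not part of the original article: it runs that check over DNS responses exported with tshark. The file name capture.pcap, the sample lines and the address 10.5.5.1 for the Kali machine are assumptions constructed for illustration.

```python
# Constructed sample of DNS responses, as printed by:
#   tshark -r capture.pcap -Y "dns.flags.response == 1" -T fields \
#          -e frame.time_epoch -e ip.dst -e dns.id -e dns.qry.name \
#          -e dns.flags.rcode -e dns.a
DNS_SAMPLE = (
    "200.00\t10.5.5.14\t0x1a2b\tmy.loginfacebook.es\t0\t10.5.5.1\n"  # forged answer
    "200.03\t10.5.5.14\t0x1a2b\tmy.loginfacebook.es\t3\t\n"          # real server: NXDOMAIN
    "201.00\t10.5.5.14\t0x1a2c\texample.org\t0\t192.0.2.10\n"
    "201.02\t10.5.5.14\t0x1a2c\texample.org\t0\t192.0.2.10\n"        # harmless duplicate
    "900.00\t10.5.5.14\t0x1a2c\texample.org\t0\t192.0.2.99\n"        # ID reused much later
)

def conflicting_dns_answers(text, window=5.0):
    """Return (client, name, answers) for queries answered in two different ways."""
    pending = {}  # (client, txid, name) -> (first_ts, [distinct answers])
    alerts = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # skip malformed lines
        ts, client, txid, name, rcode, addrs = fields
        ts = float(ts)
        # Normalise the answer: sorted A records, or the rcode if there are none
        answer = ",".join(sorted(addrs.split(","))) if addrs else f"rcode={rcode}"
        key = (client, txid, name.lower().rstrip("."))
        first_ts, answers = pending.get(key, (ts, []))
        if ts - first_ts > window:
            # 16-bit transaction IDs are reused over time: treat as a new query
            first_ts, answers = ts, []
        if answer not in answers:
            answers.append(answer)
            if len(answers) == 2:
                alerts.append((client, key[2], tuple(answers)))
        pending[key] = (first_ts, answers)
    return alerts

if __name__ == "__main__":
    for alert in conflicting_dns_answers(DNS_SAMPLE):
        print("conflicting DNS answers:", alert)
```

Round-robin DNS can also return different address sets for the same name, so an alert is a lead to investigate rather than proof of spoofing.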
In this audit test we are going to send fake packets to our switches to confuse the MAC of our client. In this specific case, our connected device has the IP 10.5.5.14, and we will supplant its MAC with a random one at the IP 10.5.5.18.
arpspoof -t 10.5.5.14 10.5.5.18
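On the wire, the command above shows up as ARP replies in which 10.5.5.18 is announced with a MAC address different from the one seen before. The following is an added example, not part of the original article: it detects that change, and a single MAC claiming several IPs, in ARP traffic exported with tshark. The file name capture.pcap and all MAC addresses in the sample are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample (MACs are made up; the IPs are the lab addresses above), as printed by:
#   tshark -r capture.pcap -Y arp -T fields \
#          -e frame.time_epoch -e arp.src.proto_ipv4 -e arp.src.hw_mac
ARP_SAMPLE = (
    "100.0\t10.5.5.14\t02:00:00:00:00:14\n"
    "100.1\t10.5.5.18\t02:00:00:00:00:18\n"
    "120.0\t0.0.0.0\t02:00:00:00:00:33\n"      # ARP probe: no sender IP yet
    "130.0\t10.5.5.18\t02:00:00:00:00:AA\n"    # 10.5.5.18 announced with a new MAC
    "132.0\t10.5.5.18\t02:00:00:00:00:aa\n"    # same announcement, repeated
    "140.0\t10.5.5.20\t02:00:00:00:00:aa\n"    # that MAC also uses another IP
)

def parse_arp(text):
    """Yield (timestamp, sender_ip, sender_mac) from tab-separated tshark fields."""
    for line in text.splitlines():
        fields = line.strip().split("\t")
        if len(fields) != 3:
            continue  # skip malformed or empty lines
        ts, ip, mac = fields
        if ip == "0.0.0.0":
            continue  # ARP probes carry no sender IP and would cause false alerts
        yield float(ts), ip, mac.lower()

def detect_arp_spoofing(text):
    """Return alerts for an IP that changes MAC and for a MAC that claims several IPs."""
    ip_macs = defaultdict(list)  # sender IP  -> MACs seen, in order of appearance
    mac_ips = defaultdict(list)  # sender MAC -> IPs claimed, in order of appearance
    alerts = []
    for ts, ip, mac in parse_arp(text):
        if mac not in ip_macs[ip]:
            if ip_macs[ip]:  # the IP was already bound to a different MAC
                alerts.append(("rebind", ts, ip, ip_macs[ip][0], mac))
            ip_macs[ip].append(mac)
        if ip not in mac_ips[mac]:
            mac_ips[mac].append(ip)
            if len(mac_ips[mac]) > 1:  # also true for routers doing proxy ARP
                alerts.append(("multi_ip", ts, mac, tuple(mac_ips[mac])))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_SAMPLE):
        print(alert)
```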