Arp Poisoning

Posted in Hacking and Cracking by sandaruwan on February 8th, 2006

When you want to do packet sniffing, what do you do? Just run a packet sniffer? That works if your network is connected through a hub, but not in a switched environment, because a switch only forwards each frame to the port that owns the destination MAC address. So, the solution is ARP poisoning.

ARP poisoning is one great method of hacking. The basic idea behind ARP poisoning is changing a packet's destination by fooling the computer. In a local area network, computers are uniquely identified by their MAC address and IP address. The top-level software communicates using IP addresses. So, when a program wants to connect to another machine, it creates a data packet and puts in the destination IP address. Then the kernel takes the packet. The kernel has a table called the ARP table, which maps IP addresses to MAC addresses. So, the kernel looks at the ARP table and takes the relevant MAC address. If the MAC address is not in the table, it sends an ARP request saying “Hey, xxx.xxx.xxx.xxx, send me your MAC address”. The other computer sends an ARP reply, and at that point the first computer updates its ARP table. Then the kernel puts that MAC address into the frame and hands it to the network card. The network card only looks at the MAC address. So, the packet's final destination is the computer pointed to by the MAC address, no matter what the IP address is.

Now think of it like this. Let's say there are three computers: A, B and C. You are on computer A and your MAC address is 00:00:00:FF:FF:FF, and you want to see the messages between computers B and C. What you have to do is create two fake ARP replies. One says “I'm computer B, my MAC address is 00:00:00:FF:FF:FF” and the other says “I'm computer C, my MAC address is 00:00:00:FF:FF:FF”. You keep sending both messages, the first to computer C and the other to computer B. Then you have to run an IP forwarding program and configure it to pass the packets on to their original destination. Now all packets go through your computer. It's time to sniff.

You can also do some other interesting stuff. If you want to ban someone from the network, send an ARP reply to the gateway saying “Hey, I'm computer X, my MAC address is 00:00:00:00:00:00”. Since there is no MAC address like that, messages from the gateway won't reach the computer. Yes, finally, you have banned them.
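The two tricks described above (one MAC address answering for both B and C, and a null MAC bound to a victim's IP) are exactly the patterns an ARP monitor in the style of arpwatch watches for. The following is an added example, not code from the original post: it processes a constructed list of (sender IP, sender MAC) pairs taken from ARP replies seen on the wire and reports the bindings a defender would want to alert on.

```python
# Added example (not from the original post): a minimal ARP-reply monitor that
# keeps the IP->MAC bindings it has seen and flags the patterns described above.
from collections import defaultdict

NULL_MAC = "00:00:00:00:00:00"

def monitor_arp_replies(replies):
    """Return a list of (alert_type, ip, detail) tuples for suspicious replies.

    replies: iterable of (sender_ip, sender_mac) pairs taken from ARP replies.
    Alerts:
      null_mac                - a reply binds an IP to the all-zero MAC (black-hole "ban")
      mac_changed             - a known IP is rebound to a different MAC (classic poisoning)
      mac_claims_multiple_ips - one MAC now claims more than one IP (man-in-the-middle relay)
    """
    ip_to_mac = {}                  # last MAC seen for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed so far
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if mac == NULL_MAC:
            alerts.append(("null_mac", ip, mac))
            continue
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append(("mac_changed", ip, f"{known}->{mac}"))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:   # alert once per newly claimed IP
                alerts.append(("mac_claims_multiple_ips", ip, mac))
    return alerts

# Constructed sample: B and C answer normally, then A (00:00:00:FF:FF:FF) claims
# both of their IPs, and finally host X is bound to the null MAC at the gateway.
SAMPLE_REPLIES = [
    ("192.168.1.2", "00:00:00:AA:AA:AA"),   # B, genuine
    ("192.168.1.3", "00:00:00:BB:BB:BB"),   # C, genuine
    ("192.168.1.2", "00:00:00:FF:FF:FF"),   # A pretending to be B
    ("192.168.1.3", "00:00:00:FF:FF:FF"),   # A pretending to be C
    ("192.168.1.3", "00:00:00:FF:FF:FF"),   # repeated, no new alert
    ("192.168.1.4", "00:00:00:00:00:00"),   # X black-holed with the null MAC
]

if __name__ == "__main__":
    for alert in monitor_arp_replies(SAMPLE_REPLIES):
        print(alert)
```

In a real deployment the pairs would be fed from a live capture of ARP traffic (for example, a sniffer filtering on ARP replies), and the "genuine" bindings would be seeded from a known-good inventory rather than from the first reply seen.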

3 Responses to “Arp Poisoning”

  1. ajith Says:

    hai,

    March 6th, 2006 at 2:51 pm

  2. ajith Says:

    hai,
    I am Ajith. We are doing a project, a network analyzer. ARP poisoning is one of our modules. How does ARP poisoning work in a switch environment?
    Reply to me..

    March 6th, 2006 at 2:53 pm

  3. shivakumar Says:

    I'm doing a network manager project.... in this we are using ARP poisoning for sniffing because in our college switches are used.... I want an ARP poisoning code, can you mail me

    February 21st, 2008 at 11:46 pm