# SAT Distance Learning 4 | Manual ARP poisoning and portscans
###### tags: `fh` `SAT`
(c) Sebastian Doiber & Johannes Schwinger
# 1 ARP Poisoning and Man-in-the-Middle
## Instruction
Scapy is a Python-based tool enabling easy forgery, sending and receiving of network packets from Layer 2 upward. You can use Windows or Linux for this task, but you will need three machines in total (regardless of how many of them are VMs or physical machines).
Should you be unable to have three machines running, leave out the actual Man-in-the-Middle and just poison the ARP cache of one host from a second one.
Using scapy, construct a packet in order to perform an ARP-Spoofing attack (`sudo scapy`):
- ARP (`ARP()`) over Ethernet (`Ether()`)
- Options on the Ethernet layer:
  - Target MAC
- Options on the ARP layer:
  - Query type ("who-has")
  - Source IP: the IP of the device that should be spoofed
  - Source MAC: the MAC that should receive the packets destined for the Source IP
  - Destination IP: the IP of the victim whose ARP table should be manipulated

*) Send this packet using `sendp(packet)` and verify that the spoofing works.
*) Amend the script in order to perform an actual Man-in-the-Middle attack. Verify it by using netcat (nc), telnet or similar between the two victims.
## Install
## Packet

Here is the created packet used for poisoning.
## Poisoning
```python
# Inside `sudo scapy` no import is needed; as a stand-alone script it is:
from scapy.all import Ether, ARP

#   MAC(sat)    [10.0.0.1] = 00:0C:29:4E:BE:E1   (host being impersonated)
#   MAC(victim) [10.0.0.2] = 00:50:56:36:E6:4D   (host whose ARP cache is poisoned)
#   MAC(attack) [10.0.0.3] = 00:50:56:2D:29:A1   (host that should receive sat's traffic)

# Ethernet: deliver the frame to the victim only.
# ARP: a who-has (scapy's default op) claiming that 10.0.0.1 is at the attacker's MAC.
packet = Ether(dst="00:50:56:36:E6:4D")/ARP(psrc='10.0.0.1', hwsrc='00:50:56:2D:29:A1', pdst='10.0.0.2')
```
### Success
Using ping (ICMP) we can show that the spoof was successful.
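The same poisoning seen from the defender's side, as an added example that is not part of the lab writeup: it parses raw Ethernet/ARP frames with `struct` (no scapy needed) and flags any IP whose sender MAC changes, which is exactly what the forged who-has above causes. The two-frame capture is constructed from the lab's own addresses; `parse_arp`, `detect_arp_conflicts` and `build_arp` are names chosen here.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)
def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None for non-ARP frames."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return op, mac_str(sha), ip_str(spa), ip_str(tpa)

def detect_arp_conflicts(frames):
    """Learn IP -> MAC from the ARP sender fields of every frame (requests included, since
    the poisoning packet is a who-has) and report IPs that reappear with another MAC."""
    table, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _op, sha, spa, _tpa = parsed
        if spa not in table:
            table[spa] = sha                       # first sighting: trust provisionally
        elif table[spa] != sha:
            alerts.append((spa, table[spa], sha))  # binding changed: possible poisoning
    return table, alerts

def build_arp(dst_mac, src_mac, op, sha, spa, tha, tpa):
    """Constructed test input only: pack one Ethernet/ARP frame from string fields."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    return ETH_HDR.pack(m(dst_mac), m(src_mac), ETHERTYPE_ARP) + \
        ARP_PKT.pack(1, 0x0800, 6, 4, op, m(sha), i(spa), m(tha), i(tpa))

# Constructed capture: a genuine reply from sat, then the forged who-has from the lab.
SAT, VICTIM, ATTACK = "00:0c:29:4e:be:e1", "00:50:56:36:e6:4d", "00:50:56:2d:29:a1"
SAMPLE_FRAMES = [
    build_arp(VICTIM, SAT, 2, SAT, "10.0.0.1", VICTIM, "10.0.0.2"),
    build_arp(VICTIM, ATTACK, 1, ATTACK, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.2"),
]
```

Feeding the sample capture to `detect_arp_conflicts` yields one alert: 10.0.0.1 was learned at sat's MAC and is then claimed by the attacker's MAC.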


# 2 Portscan
Using a portscan, one can determine on which ports of a target system a service is listening, yet not necessarily which service it is.
Several ports are open on the server to be scanned (172.16.51.142); on one of them (not the default port) a webserver is listening. The objective of this exercise is to find the correct port without using nmap or similar tools. You can access this server via ssh after you have logged in to its.fh-campuswien.ac.at.
Scapy on this server can be run using `sudo /etc/scapy/run_scapy`.
So what will we need? We are only interested in the ports a service is listening on, i.e. the ones where a TCP SYN gets answered.
Construct a packet with the following properties:
- IP: destination is the server
- TCP: destination port is a range from 5,000 to 10,000 (for speed's sake we limit ourselves to these 5,000 ports)
- TCP: SYN flag is set

Send the packet using `sr(packet)` and save the answers.
(Hint: `sr()` returns a tuple consisting of two lists: one for the answered, one for the unanswered packets. The list of answered packets is in turn a list of tuples: sent packet and received packet.)
We are now interested in the destination ports of all sent packets whose respective answer has the TCP SYN and ACK flags set (since these obviously were the packets sent to a port where some service is listening).
Complete the following fragment to filter out these ports:
```python
for pout,pin in ???:
    if pin.getlayer(???).flags & 2:
        print ???
```
*) What are the resulting ports?
*) On which of these ports is the webserver running?
*) What is the webserver’s output when connecting to it?
*) (If you have really too much time on your hands): where is this output from?
## Packet
How to set the flag? [https://stackoverflow.com/questions/20429674/get-tcp-flags-with-scapy](https://stackoverflow.com/questions/20429674/get-tcp-flags-with-scapy)
SYN is scapy's default TCP flag, so we do not need to set it explicitly. The packet is built as `IP(dst=...)/TCP(dport=(5000, 10000))`; `show()` confirms the fields:
```python
>>> packet = IP(dst="172.16.51.142")/TCP(dport=(5000, 10000))
>>> packet.show()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= tcp
chksum= None
src= 172.16.51.102
dst= 172.16.51.142
\options\
###[ TCP ]###
sport= ftp_data
dport= (5000, 10000)
seq= 0
ack= 0
dataofs= None
reserved= 0
flags= S
window= 8192
chksum= None
urgptr= 0
options= []
```
## *) What are the resulting ports?

## *) On which of these ports is the webserver running?
`7538`
## *) What is the webserver’s output when connecting to it?
