I am currently reading the network exploitation section of the book Hacking: The Art of Exploitation. The book covers the ARP spoofing attack in brief, but doesn't go into much detail.
Before starting, I would like to describe what kind of system/peripherals I am using.
- I use a system that accesses the internet via an Ethernet cable, i.e. I don't have a router, so I connect the Ethernet cable directly to my PC (PPPoE).
- That cable goes to the electric pole, where it is connected to a switch. That switch also acts as an endpoint for other users like me.
- A lot of these switches are interconnected with one another.
I do have a fundamental understanding of the attack (correct me if I'm wrong), which in brief goes as follows:
- Run the ARP protocol to get the MAC addresses of all the live hosts on the local network.
- Poison the ARP cache of hosts by sending them ARP responses (at regular intervals) stating that the IP address of another system is at our MAC address.
- This makes them send packets that carry our MAC address in the data-link layer header, so the packets reach us.
I have many doubts (some regarding the above process, others conceptual)!
In order to execute the attack we need to have the IP addresses of other local hosts, which I just can't seem to get.
- I ran a Windows machine and tried using Advanced IP Scanner, but ended up getting only the IP addresses associated with my PC (VM, Ethernet, default gateway).
- I tried the `arp -a` command and ended up getting a huge list of IP addresses, of which 99% were static and a few were dynamic. Some of them had MAC address entries; on others the entry was blank.
So, how am I supposed to get the IP addresses of other hosts?
The book mentions default gateways as a target. So what exactly is a default gateway (for my setup), and how does it work?
Since we can poison the ARP cache to add entries to it, is it (asking from a security perspective) possible to create entries for addresses that aren't local? For example, let's say we have the IP address 192.168.1.12 with MAC 00:00:00:01, and a Facebook server has the IP address 10.0.0.23. Is it possible to send an ARP response that poisons the ARP cache of a local user to make it seem like the address 10.0.0.23 is at MAC address 00:00:00:01? Then would the packets sent to the Facebook IP be delivered to us? Or would they be filtered by the router?
What is the address of the first node (from me) to which my data is sent? For most users it would be their router (at a basic level), but since I don't use one, what would be the first node through which my data goes?
P.S.: Initially I posted this question on Network Engineering, but it got closed over there as they thought I was trying to hack a network. Firstly, I am running the above test in a controlled environment. Secondly, the questions relate a lot more to securing things than to exploiting them. All I am trying to do is get an understanding of the underlying protocols.
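From the defensive side, the questions above (a default gateway's MAC changing, one MAC answering for several IPs, and ARP replies for addresses such as 10.0.0.23 that are not on the local subnet) are exactly the conditions an ARP monitor checks for. The following is an added example, not code from the book or from the question; it assumes a local subnet of 192.168.1.0/24 with gateway 192.168.1.1 and runs over a constructed list of ARP replies rather than live traffic.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values for the local segment; adjust to your own network.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
GATEWAY_IP = "192.168.1.1"


@dataclass
class ArpReply:
    sender_ip: str   # IP the sender claims to own
    sender_mac: str  # MAC it says that IP lives at


# Constructed sample traffic (not a real capture): a clean baseline, then a
# reply in which host .12's MAC claims the gateway's IP, then a reply for an
# address that is not on this subnet at all.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply("192.168.1.12", "aa:bb:cc:00:00:12"),
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:12"),
    ArpReply("10.0.0.23", "aa:bb:cc:00:00:12"),
]


def audit_arp_replies(replies, local_net=LOCAL_NET, gateway_ip=GATEWAY_IP):
    """Return alert strings for replies that look like ARP cache poisoning:
    an IP-to-MAC binding changing (flagged loudly for the gateway), one MAC
    claiming several IPs, or a reply for an off-subnet address, which a host
    never needs because off-subnet traffic is sent to the gateway's MAC."""
    ip_to_mac, mac_to_ips, alerts = {}, {}, []
    for r in replies:
        if ipaddress.ip_address(r.sender_ip) not in local_net:
            alerts.append(f"off-subnet: {r.sender_ip} claimed by {r.sender_mac}")
            continue
        prev = ip_to_mac.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            tag = "gateway-mac-changed" if r.sender_ip == gateway_ip else "binding-changed"
            alerts.append(f"{tag}: {r.sender_ip} was {prev}, now {r.sender_mac}")
        ip_to_mac[r.sender_ip] = r.sender_mac
        claimed = mac_to_ips.setdefault(r.sender_mac, set())
        claimed.add(r.sender_ip)
        if len(claimed) > 1:
            alerts.append(f"multi-ip: {r.sender_mac} claims {sorted(claimed)}")
    return alerts


if __name__ == "__main__":
    print("\n".join(audit_arp_replies(SAMPLE_REPLIES)))
```

On a real host the same checks can be run over periodic snapshots of the ARP table (for example the output of `arp -a`) instead of captured replies; a static ARP entry for the gateway is the usual mitigation once a change is confirmed to be hostile.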