UPDATE: I'm doing a presentation on this topic in my networking class. You can download the presentation here: ARP Spoofing and Session Hijacking.pptx
ARP Spoofing and Session Hijacking: A Comprehensive Demonstration
Disclaimer: This demonstration was created for CS 470 - Intro to Networking at UAH. It was written for education purposes only.
Introduction. ARP Spoofing (also known as ARP Poisoning) is a fairly simple way to attack any user on your current network. It works by corrupting the ARP caches of hosts on the network so that their traffic passes through the attacker's machine, where a sniffing tool can pick out the necessary session information. That session information can then be used at the attacker's will. The session hijacking portion of the demonstration does not work on secure connections (any session that uses https), because those sessions are encrypted and the cookie never crosses the wire in cleartext.
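The trace this leaves on a victim is visible in the same ARP cache the write-up inspects with "arp -a" in step 7: the gateway's IP suddenly maps to a different MAC, and that MAC is usually listed for a second host as well. The Python script below is an added example, not part of the original write-up, that parses Windows-style "arp -a" output and flags both signs. All addresses, the baseline gateway MAC and the two captures are constructed for the example.

```python
"""
ARP cache consistency check (added example; not part of the original write-up).

ARP poisoning rewrites a victim's ARP cache so that the gateway's IP maps to
the attacker's MAC. Two symptoms show up in `arp -a`: the gateway's MAC differs
from its known value, and one MAC is listed for two or more IP addresses.
This script parses Windows-style `arp -a` output and reports both.
All addresses below are constructed for the example.
"""
import re
from collections import defaultdict

# One entry line of Windows `arp -a` output: IPv4, MAC (dash or colon separated), type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)",
    re.MULTILINE,
)


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so dash and colon styles compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text: str) -> dict:
    """Return {ip: mac} for dynamic/static entries, skipping broadcast and multicast."""
    table = {}
    for ip, mac, _entry_type in ARP_LINE.findall(text):
        mac = normalize_mac(mac)
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue  # L2 broadcast / IPv4 multicast: legitimately shared, not a finding
        table[ip] = mac
    return table


def find_shared_macs(table: dict) -> dict:
    """Return {mac: [ips...]} for every MAC that appears for more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac_changed(table: dict, gateway_ip: str, expected_mac: str) -> bool:
    """True if the gateway's cached MAC differs from a previously recorded baseline."""
    current = table.get(gateway_ip)
    return current is not None and current != normalize_mac(expected_mac)


# Constructed sample on the same subnet layout the write-up uses (192.168.1.0/24).
BASELINE_GATEWAY_MAC = "00-11-22-33-44-55"  # assumed baseline recorded while the network was trusted

CLEAN_ARP = """\
Interface: 192.168.1.141 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.77          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.251           01-00-5e-00-00-fb     static
"""

POISONED_ARP = """\
Interface: 192.168.1.141 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.77          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.251           01-00-5e-00-00-fb     static
"""


def report(text: str, gateway_ip: str = "192.168.1.1") -> list:
    """Human-readable findings for one `arp -a` capture (empty list = nothing suspicious)."""
    table = parse_arp_table(text)
    findings = []
    if gateway_mac_changed(table, gateway_ip, BASELINE_GATEWAY_MAC):
        findings.append(f"gateway {gateway_ip} now resolves to {table[gateway_ip]} "
                        f"(baseline {normalize_mac(BASELINE_GATEWAY_MAC)})")
    for mac, ips in find_shared_macs(table).items():
        findings.append(f"MAC {mac} is claimed by {len(ips)} hosts: {', '.join(ips)}")
    return findings


if __name__ == "__main__":
    for label, capture in (("clean", CLEAN_ARP), ("poisoned", POISONED_ARP)):
        print(f"[{label}]", report(capture) or "no findings")
```

Record the baseline MAC while the network is trusted and re-run the check on a schedule; a MAC shared by two IPs is also normal for some virtualization and NAT setups, so treat it as a lead rather than proof. On managed switches the infrastructure-level control is Dynamic ARP Inspection (or the vendor's equivalent), which drops ARP replies that do not match the DHCP snooping binding table, so a poisoned reply never reaches the victim's cache at all.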
What you will need to get started.
1. Cain is a tool traditionally used to recover passwords on your network, but it can also be used to edit the ARP table on the network. It can be downloaded here: http://www.softpedia.com/get/Security/Decrypting-Decoding/Cain-and-Abel.shtml
2. Wireshark, the packet sniffing tool: http://www.wireshark.org/download.html
3. Google Chrome with Edit this Cookie extension ( https://chrome.google.com/webstore/detail/edit-this-cookie/fngmhnnpilhplaeedifhccceomclgfbg )
4. A connection to the internet if you’re attempting to retrieve data sent along that path (preferred).
Step-by-step guide to ARP Spoofing and Session Hijacking.
1. One application you’ll need is called Cain (and Abel), and you can download it from http://www.softpedia.com/get/Security/Decrypting-Decoding/Cain-and-Abel.shtml.
a. Note: after downloading this software, Windows 8 and 7 will warn you that this software could be a threat. It is not.
2. Once you’re finished downloading and installing Cain, open it up. Go to the ‘Sniffer’ tab.
3. In the Sniffer tab, click the “Start/Stop Sniffer” button found here:
4. If this is the first time you’ve used Cain, you will be asked to identify which NIC to use to sniff the network. The default setting should be fine. Click OK if that dialog shows up. When this option is on, you’re ready to start sniffing.
5. Now click the “Add to List” button located here:
6. This will bring up another dialog. Ensure that the target is set to “All hosts on my subnet”, and click “OK”. (Note: in this example the entire subnet is 192.168.1.1 to 192.168.1.254):
7. Before we start spoofing, there’s something we need to take note of. Now that the tool has turned on the sniffer and you’ve added all hosts on the subnet, take note of the IPs in the list.
a. You can now confirm that the hosts are in the ARP table by opening a command prompt:
i. Press Ctrl-R, then type “cmd” and hit Enter.
ii. Then type “arp -a” (without quotes).
iii. This shows you the ARP table:
b. And here it shows up in the app, and I can confirm the device I want to ARP spoof is available:
8. Now click the ARP tab at the bottom of the application:
9. Clicking the “Add to List” button in this tab will give you a new option for spoofing. This is where all the magic happens. Select your router’s IP on the left side, and the target machine’s IP on the right:
10. You’ll now see an entry for the session:
11. Now download and install Wireshark. (http://www.wireshark.org/download.html)
12. Wireshark is a tool that can sniff packets and cookie data on the network! Once it’s installed, open it up and you’ll be greeted with a ‘home’ screen. Click the preferred NIC device to use during your session, and click ‘Start’.
13. If all is successful, you’ll see a lot of traffic from various sources:
14. Now we’re going to attempt to steal the session cookie from the target host on the network. The source IP we’re interested in is 192.168.1.141 (the iMac on my LAN). To filter out some of the noise from other sources and hosts on the network, let’s filter by source IP. In the Filter field, type the following:
15. Now we will only see POSTs and other uploads from that IP address. Here’s where intuition and creativity come in. Let’s assume we know that the website the source is trying to access is a .NET application. With this information we can figure out that the session cookie name will have “asp.net” in it. Press Ctrl-F, filter by “String”, and type in “asp.net”. This is what you get in this case:
16. You’ll notice that Ctrl-F picked up the cookie ASP.NET_SessionId. This is exactly what we were looking for. This person attempted to GET http://www.balesproject.com/Accounts/Login, and the cookie is the info we need to hijack his account.
a. To be clear, here is the cookie I know to be on my target’s session (the iMac):
17. Now that we’ve confirmed this to be the correct cookie name and value, all we need to do at this point is give our browser the cookie, and the server won’t know the difference between the attacker and the target! In Chrome, you’ll want to add an extension that lets you easily manage your cookies, called Edit This Cookie ( https://chrome.google.com/webstore/detail/edit-this-cookie/fngmhnnpilhplaeedifhccceomclgfbg ). Once Edit This Cookie is installed, go to the desired website (here it’s http://www.balesproject.com). Click the cookie icon in your Chrome browser and click “Add a new cookie”. Then enter the name and value of the cookie:
18. Now you’ve successfully hijacked that user’s session!
Conclusion. With a basic knowledge of cookies and sessions and the tools listed here, one can easily hijack any unsecured session on a LAN. We demonstrated how to run Cain and ARP Poison Route the host we want to spoof; then, using Wireshark, we were able to find the cookie used during login, and with that the attack was successful.
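The reason the hijack fails against https sessions, as the introduction notes, is that the cookie never crosses the wire in cleartext. The server-side half of that defence is the Set-Cookie header itself: a session cookie carrying the Secure attribute is never sent over plain HTTP, so there is nothing for a sniffer on a poisoned path to read; HttpOnly keeps it out of page script, and SameSite limits cross-site replay. The Python below is an added example, not part of the original write-up or of the balesproject.com site, that audits Set-Cookie headers for those attributes and rewrites a weak header into its hardened form. The cookie value and the header samples are constructed.

```python
"""
Set-Cookie hardening check (added example; not part of the original write-up).

The hijack in the write-up works because ASP.NET_SessionId was sent over plain
HTTP. A session cookie without the Secure attribute is transmitted on http://
requests, where anyone on the poisoned path can read it; with Secure it is
only ever sent over HTTPS. This script parses Set-Cookie headers, reports the
missing attributes, and produces the hardened header. Samples are constructed.
"""
from dataclasses import dataclass, field

# Name fragments that usually mark a session or authentication cookie.
SESSION_NAME_HINTS = ("session", "auth", "token")

# Canonical spelling for attributes when serializing (keys are stored lower-case).
CANONICAL = {"path": "Path", "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
             "secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-case attribute -> value, or True for flags


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attribute flags."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, has_value, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return Cookie(name.strip(), value, attrs)


def serialize(cookie: Cookie) -> str:
    """Render a Cookie back into a Set-Cookie header value."""
    out = [f"{cookie.name}={cookie.value}"]
    for key, val in cookie.attrs.items():
        label = CANONICAL.get(key, key)
        out.append(label if val is True else f"{label}={val}")
    return "; ".join(out)


def looks_like_session_cookie(cookie: Cookie) -> bool:
    lowered = cookie.name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def samesite_is_weak(attrs: dict) -> bool:
    """SameSite absent, given without a value, or explicitly None all allow cross-site sends."""
    samesite = attrs.get("samesite")
    return samesite is None or samesite is True or str(samesite).lower() == "none"


def audit(header: str) -> list:
    """Return the problems found for a session cookie (empty list means hardened)."""
    cookie = parse_set_cookie(header)
    if not looks_like_session_cookie(cookie):
        return []  # non-session cookies are out of scope for this check
    problems = []
    if "secure" not in cookie.attrs:
        problems.append("missing Secure: sent over plain HTTP, readable by a sniffer on the path")
    if "httponly" not in cookie.attrs:
        problems.append("missing HttpOnly: readable by page script")
    if samesite_is_weak(cookie.attrs):
        problems.append("SameSite not Lax/Strict: replayable from cross-site requests")
    return problems


def harden(header: str) -> str:
    """Rewrite a Set-Cookie header so it carries Secure, HttpOnly and SameSite=Lax."""
    cookie = parse_set_cookie(header)
    cookie.attrs["secure"] = True
    cookie.attrs["httponly"] = True
    if samesite_is_weak(cookie.attrs):
        cookie.attrs["samesite"] = "Lax"
    return serialize(cookie)


# Constructed sample: the cookie name from the write-up with a placeholder value.
WEAK_HEADER = "ASP.NET_SessionId=EXAMPLE-SESSION-VALUE; path=/"

if __name__ == "__main__":
    print("weak    :", WEAK_HEADER, audit(WEAK_HEADER))
    fixed = harden(WEAK_HEADER)
    print("hardened:", fixed, audit(fixed))
```

For an ASP.NET site the same outcome comes from `<httpCookies requireSSL="true" httpOnlyCookies="true" />` under `<system.web>` in web.config, together with serving the site only over HTTPS and sending a Strict-Transport-Security header so browsers never issue the plain-HTTP request that would expose the cookie in the first place. Note that HTTPS on the login page alone is not enough: a session cookie without Secure is still sent when the browser follows any http:// link to the same site.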