ARP Spoofing

Network Security Spring 2021

The goals of this lab are to:

  1. Familiarize yourself with common tools to manually analyze packet traces
  2. Identify evidence of an ARP attack using Wireshark

Feel free to follow along with the video that accompanies this lab in Canvas.

Wireshark Basics

Packet captures are incredibly useful for identifying attacks or diagnosing network problems. In this lab, we’ll be using Wireshark to examine a packet trace that contains an ARP attack. In addition to a copy of Wireshark, you’ll want to download a copy of arp_spoofing.pcap from the current Canvas module.

Wireshark has several main areas: the packet list, a protocol dissection of the currently-selected packet at different layers, and the raw bytes of the current packet. There is also a display filter input, which is exceedingly useful to restrict the set of packets that are displayed.

Wireshark ships with many analyses that can give you a better overview of what a capture contains than trying to look at each packet one-by-one. One useful view is Statistics -> Conversations, which allows you to sort endpoints based on different fields at each layer. For instance, you can filter based on byte or packet volume to quickly highlight nodes that send or receive the most data.

Finding the Attack

In order to find the ARP cache poisoning attack in this trace, let’s think about how it might appear. If the attacker does not start the attack until after the capture begins, then there might be legitimate ARP requests involving the victim in some way. ARP spoofing involving the victim would then result in “duplicate IP addresses” in Wireshark parlance – in other words, multiple ARP packets that share the same IP address but map to different MAC addresses.

Returning to the display filter input, we can easily formulate queries over protocol fields like IP addresses or TCP ports (e.g., tcp.srcport == 443). We can also filter on the results of a Wireshark analysis, for instance to show TCP segments that have arrived out-of-order (i.e., tcp.analysis.out_of_order). In fact, there is a filtering predicate that can be used to show ARP messages with duplicate IP addresses.

Lab Objectives

Answer the following questions to complete this lab:

  1. What website is contacted in the TLS stream that begins at packet 11?
  2. How can packets arrive out-of-order as found in this capture?
  3. What is the Wireshark filtering predicate one can use find ARP packets with duplicate IP addresses?
  4. What MAC address belongs to the attacker?
  5. What IP address belongs to the victim?

Submission Instructions

Submit your answers to the above questions to Canvas.