ARP Cache Poisoning

The goals of this assignment are to:

1. Learn about ARP spoofing and ARP cache poisoning
2. Implement an ARP-based man-in-the-middle attack

Address Resolution Protocol

The Address Resolution Protocol, or ARP, is used to dynamically map link layer addresses such as Ethernet MAC addresses to Internet layer addresses. Unfortunately, ARP does not provide any mechanism for authenticating messages, and thus is vulnerable to spoofing. An attacker that is able to inject ARP messages onto the wire can thus poison the ARP caches of neighboring nodes on the local network and redirect traffic intended for other nodes to the attacker. Thereafter, the attacker can

• inspect those messages (violating confidentiality),
• tamper with those messages (violating integrity), or
• drop those messages (violating availability).

In this assignment, you will play the role of an active network attacker and use ARP cache poisoning to attack a vulnerable service. The attack you will implement is an instance of a man-in-the-middle (MitM) attack.

Vulnerable Service

Canvas contains a container image named netsec_arp_victim.img.xz that contains a network client. The client simply loops forever, executing periodic HTTP POSTs to a remote service at http://class.diverge.dev:1200/login. To run the image, you should first create an isolated virtual network. You can then run the client image and attach it to that network.

# Create the network
docker network create arp

# Run the victim container
docker run -it --rm --name=netsec_arp_victim --network=arp netsec_arp_victim

With the victim running, your first goal is to poison its ARP cache to redirect its HTTP requests to an attacker container also attached to the arp network. In order to inject traffic using raw sockets, you will need to add the requisite Linux capability to the attacker container. Your attacker image, when graded, will also be provided with several MAC and IPv4 addresses as command-line arguments.

# Run the attacker
docker run -it --rm --name=netsec_arp_attacker \
    --network=arp                              \    # Attach to arp network
    --cap-add=net_raw                          \    # Add raw socket capability
    netsec_arp_attacker                        \
    ${attacker_mac_address}                    \    # Attacker MAC address
    ${victim_mac_address}                      \    # Victim MAC address
    ${gateway_mac_address}                     \    # Gateway MAC address
    ${attacker_ip_address}                     \    # Attacker IPv4 address
    ${victim_ip_address}                       \    # Victim IPv4 address
    ${gateway_ip_address}                           # Gateway IPv4 address

Attack Container

The attack container should carry out the following steps.

1. Use ARP cache poisoning to redirect the victim’s traffic destined to the vulnerable service to the attacker
2. Forward the remote service DNS query and response
3. Steal the user credentials present in the victim’s HTTP POST request
4. Forward the POST request unaltered to the remote service
5. Steal the secret returned in the HTTP response
6. Rewrite the secret to be your NU email address instead
7. Forward the rewritten HTTP response to the victim

The attack container should print the following JSON object to stdout, and nothing else. Feel free to write to stderr for debugging purposes.

{
    "id": "{{NU email address}}",
    "username": "{{victim username}}",
    "password": "{{victim password}}",
    "secret": "{{server secret}}"
}

Submission Instructions

Package your solution as a gzipped TAR archive. Your solution should expand to the following directory structure.

$ tree -F arp
arp
├── Dockerfile
└── src/

The source code to your solution should be contained in src/. Your Dockerfile should, when processed using docker, create a container image that runs your solution using the aforementioned command-line interface.

Submit the solution archive to Canvas.