2014-08-21

Dsniff and Arpspoof on Mac

This post was originally posted by Lump on machack.org on 24 September 2013 - 12:25 PM.  I have not tested this myself, so no guarantees here.

Using this without authorization is illegal in most places. This guide is for educational and learning use only. Please use common sense and respect personal privacy.


1. What is a Man in the Middle Attack?

As the name describes, you will be the man in the middle, meaning that you will sneak into the connection between the attacked device and the router. This implies that you are inside the same network (WLAN) as the target. This attack gives you access to all data running through the attacked device's Internet connection, giving you the possibility to sniff for chats, email, passwords and many more things.


2. How can I be safe from that?

There are tools that prevent others from flushing your ARP cache, or you can just use strong encryption while surfing on the Internet, such as PGP (for email) or HTTPS. These are just examples; you will find solutions if you search for them.


3. How does the Attack work?

The ARP protocol is used to map IP addresses to specific MAC addresses. Computers use this to identify other devices in the local network. By spoofing ARP replies you can spoof your identity, meaning that your computer seems to be the targeted computer (from the view of the router) and at the same time the targeted computer thinks you are the router. Here is a basic schema of this setup:

[Image from the original post]

4. Before we start:

First of all you need a tool to spoof these ARP replies. There are several, but for this tutorial we will use the tool arpspoof, which is part of the dsniff package. To get this tool running on Mac OS X your best bet is to use MacPorts, so go ahead and download the right version for your operating system from the download page. After that you should be able to use the

port

command in Terminal (/Applications/Utilities/Terminal.app). Run

sudo port selfupdate

followed by

sudo port install dsniff-devel

or

sudo port install dsniff

Note that when you type in your admin password it will not be displayed! Let the installation run; this can take some time. After it has finished you should be able to use the

arpspoof

command in Terminal.

5. Run the Attack:

Now you are able to start the attack, but before that you should choose the device you want to attack. To find all devices in your local network use this command:

arp -a

The first IP is most likely your router's address. Now if you know the IP of your victim and the IP of your router then you have almost all the information you need to start the attack. We only need to do one more thing. There is one problem if you intercept someone's Internet connection: you receive packets that are not meant for you, so the operating system will not forward them to their destination; it will just drop them, leaving the attacked device without an Internet connection. To get around this, run these commands in Terminal:
sudo sysctl -w net.inet.ip.forwarding=1
sudo sysctl -w net.inet.ip.fw.enable=1
This will enable packet forwarding on OS X systems. Now open up two new Terminal windows and run these two commands:
sudo arpspoof -i YOURINTERFACE -t VICTIMIP ROUTERIP
sudo arpspoof -i YOURINTERFACE -t ROUTERIP VICTIMIP
Replace:

YOURINTERFACE with the name of your interface (for WLAN connections most likely en1 and for LAN most likely en0)
VICTIMIP with the IP address of your victim
ROUTERIP with your router IP

After this it should look like this:

[Image from the original post]

Keep these two windows open until you want to stop your attack! Okay, so this is all you need to do. You are now redirecting the victim's traffic over your computer to the destination, so you are able to read all transmitted data.

6. How can I sniff Data?

The dsniff package contains some more very nice tools:

mailsnarf - As the name explains, sniffs for mails
dsniff - For common password sniffing (does for some reason not capture all passwords)
msgsnarf - This is meant for specific messages
urlsnarf - To sniff for browsed websites and user agents
dnsspoof - To spoof DNS requests and redirect websites
webmitm - Used to decrypt SSL (HTTPS) with faked certificates

Other useful tools:

Ettercap-ng - ARP spoofing and password sniffing tool
SSLStrip - To decrypt SSL (HTTPS) websites (Did not get this one to run on OSX!)
tcpdump - Dump all captured traffic for later analysis and cookie stealing
hamster & ferret - Cookie hijacker

There are scripts for Facebook chat sniffing and you will find much more if you search for it.


7. How do I stop the Attack?

Just hit ctrl+c in the opened Terminal, wait 3-4 sec and then the tool should be terminated.

I hope you enjoyed, happy hacking
 
This post has been edited by Lump: 25 September 2013 - 02:32 AM