LoudHush Icon

LoudHush
Overview

info@loudhush.ro



© Modulo Consulting 2005-2010



ArPoison, in the words of its creator (Steve Buer), is a network analysis tool that sends ARP packets to/from specified hardware and protocol addresses. What that short description does not tell you is you can use arpoison to analyze ethernet traffic inside a local network that uses a switch.

Those of you who remember the good old days when a switch was far too expensive to route a small local network, know that hubs make it possible to analyze all the packets on the local network, no matter the source or destination. That's because a hub shares everything to everyone - it's the connected computer's responsibility to only read and send interesting packets on the network. Nowadays a switch is very cheap. So cheap that even the Chinese voice-over-ip phone sitting on my desk has one built in. This makes it hard to sniff packets traveling between the phone and our Asterisk server. This article will describe how to achieve this.

Onions have layers

The nice thing about the way networks work is that they use layers. Simply put, we are looking to read an IAX packet that is transported within a IP packet that in turn is transported within an Ethernet packet. So how does a computer know what ethernet address to use when trying to send an IP packet? It uses ARP (address resolution protocol).

Each computer builds a table of correspondence between IP addresses and MAC addresses.

cristi:~ diciu$ arp -a
ns.modulo.ro (192.168.199.1) at 0:50:bf:b7:6f:c1 on en0 [ethernet]
bog.modulo.ro (192.168.199.28) at 0:11:11:36:c4:37 on en0 [ethernet]

 

The ARP table is built via questions that are broadcasted on the local network. In the example I've captured below host74 asks the guy named ns.modulo.ro to disclose his MAC address.

cristi:~ diciu$ sudo tcpdump arp
12:36:14.125566 arp who-has ns.modulo.ro tell host74.modulo.ro
12:36:14.125669 arp reply ns.modulo.ro is-at 00:50:bf:b7:6f:c1

 

So what happens if someone other then ns.modulo.ro answers? Surprise, host74 will believe it. This is what ArPoison does: it allows you to send bogus arp replies on the local network.

So how do we use it?

The first step is to tell the server (192.168.199.20 in our case) that the phone's MAC address is in fact our own MAC address. Let's tell 192.168.199.20 (with MAC 0:e0:29:62:cd:88) that 192.168.199.69 has the MAC 0:a:95:b9:44:f4.

sudo ./arpoison -i en0 -d 192.168.199.20 -s 192.168.199.69 
  -t 0:e0:29:62:cd:88 -r 0:a:95:b9:44:f4

Then we tell the phone that the server's MAC address is in fact our MAC address.

sudo ./arpoison -i en0 -d 192.168.199.69 -s 192.168.199.20 
  -t 0:9:45:40:b4:fb -r 0:a:95:b9:44:f4

Now all we need to do is route these packets correctly using IP forwarding. We turn on Internet Sharing for the main ethernet card, and we delete the divert rule that gets in the way.

cristi:~ diciu$ sudo ipfw list
00010 divert 8668 ip from any to any via en0
65535 allow ip from any to any
cristi:~ diciu$ sudo ipfw delete 00010
cristi:~ diciu$ sudo ipfw list
65535 allow ip from any to any

Now all the IP conversations between the server (192.168.199.20) and the phone (192.168.199.69) flow through our network card.