To complete this chapter, you will require the following:

• Kali Linux version 2022.1 x64 (a virtual machine available for both VirtualBox or VMware: https://www.kali.org/get-kali/)
• Windows 10 (can be downloaded from the Microsoft Evaluation Center: https://www.microsoft.com/en-us/evalcenter/)
• pfSense v2.6.0 (https://www.pfsense.org/download/)
• Hypervisor (VirtualBox or VMware)
• Basic knowledge of Linux and hypervisors is recommended

At the onset of this book, I mentioned just a few examples of how networking plays a role in our daily lives. I remember many years ago I purchased a cross-over network cable to play multi-player StarCraft with my brother sitting in the next room. This was a time when network switches were not so easy to come by. Back then, networking was relatively simple but looking at how it has evolved is amazing. In today’s world of big data, cloud networks, quantum computing, blockchain technology, smart homes, and more, we are surrounded by networks that range from simple to highly complex. If I had to sum up a few reasons why networking is crucial, here they are:

• Enables collaboration and information sharing
• Overcomes geographic separation
• Enables communication across the world
• Enables voice telephony over long distances
• Enables the sharing of media and enables gaming

Let’s dive into the building blocks of networks. Here, we will cover various components of networks that range from software, hardware, and standards. This chapter will not go into detail on networking because networking is such a broad topic, and some books just focus on networking. We will cover the necessities to ensure that you understand networking in the context of ethical hacking.

When you start to communicate on a network, the information that you are sending needs to be translated into something that computers can understand. Yes, ultimately, it’s all 0s and 1s, but let’s focus on the various pieces before that. We will begin by looking at packets.

Packets

When information is transmitted across a network or the internet, it needs to be formed into a unit that can be carried across a network. This is called a packet, or a network packet. This network packet contains information that ultimately gets routed to destinations on the internet. Think of a packet as an envelope that you would send using the postal service. You would put something inside that envelope, provide a return and destination address, and the postal service would sort and route it to the destination.

In terms of networking, the packet would contain a similar composition.

The contents inside the packet would be your data, the return address would be your Source MAC address and IP address, and the destination address would be your destination MAC and IP address. Now, there will be some routing involved, all of which is handled by hardware such as routers, which will make modifications to the different MAC and IP addresses.

MAC address

All devices that communicate on a network will have a networking interface card (NIC). This can be either an Ethernet or wireless adapter. Every single NIC has a unique identifier, which is called a media access control (MAC) address. This address aims to uniquely identify your machine on the network. MAC addresses are used by routers or switches (OSI Layer 2) to send packets to a specific destination. MAC addresses consist of 48-bit numbers that are written in hexadecimal format; for example, 00:00:5e:00:53:af. Every MAC address will have an organizationally unique identifier (OUI), which is the first 24 bits of the MAC address. The remaining 24 bits are used to uniquely identify the device. Looking at our example MAC address, if we had to break it down into the OUI and the device identifier, it would look like Figure 1.1:

Figure 1.1 – Breakdown of a MAC address

IP addresses

Internet Protocol (IP) addresses enable data to be transferred across networks (OSI Layer 3). They are crucial to networking because they contain information that enables devices to communicate. Such information may be things such as location information, which enable devices to communicate with each other in dissimilar environments.

Tip

If you are looking for a refresher on the OSI model, please take a look at this link: https://www.networkworld.com/article/3239677/the-osi-model-explained-and-how-to-easily-remember-its-7-layers.html.

The makeup of an IP address contains numerals that are separated by a period. For example, 192.168.1.1 is an example of an IP address. Within an IPv4 network, the numbers can vary from 0 to 255 for each piece of an IP address, which means that an IP address can range from 0.0.0.0 to 255.255.255.255. Some of the addresses within that range are reserved for various purposes; you can find more information about these reservations in the following note. In an Internet Protocol version 6 (IPv6) network, an IPv6 address is a 128-bit alphanumeric value. This 128-bit value is arranged into eight groups of 16 bits. Each group is separated by a colon. IPv6 is the successor to IPv4, a previous addressing infrastructure with limitations that IPv6 was created to remedy. In comparison to IPv4, IPv6 has significantly more address space. Consider the following example of an IPv6 address: 684D:1111:222:3333:4444:5555:6:77. Here, you will notice how it differs from IPv4. Due to its size, it allows a significantly larger IP address space.

Note

IP addresses are assigned by the Internet Assigned Numbers Authority (IANA).

IP addresses are split into two categories: public and private. Private consists of IP address ranges that are not routable on the internet. These are generally what you would have on your local network, such as your Wi-Fi network and so forth. Public IP addresses are routable on the internet. Your internet provider would assign you a public IP address on your home network for you to access the internet. You can easily check what your public IP address is by searching for what's my IP on Google Search.

Now that we have the very basics of networking covered, let’s move on to cloud computing.

Cloud computing

Today, the term cloud computing is not unheard of. Many people working in the IT industry know about cloud computing and probably make use of it daily. When you work on email services, social media, online gaming, and so forth, this is all cloud computing in action. Major software companies such as Google, Microsoft, and Amazon offer cloud computing and a range of cloud services.

Note

There are a lot of other providers who offer cloud services, apart from those that I have mentioned. Performing a quick internet search for Cloud Service Providers will give you a comprehensive list.

In terms of cloud computing, various types of cloud setups exist. The most common ones today are the public cloud, private cloud, and hybrid cloud. There are differences between them, as described next.

Public cloud

A public cloud is administered predominantly by a third party. These cloud environments provide easy access to the public (hence the term public cloud) via the internet. Resources that are available here entail storage, compute, applications, and more. The key here is that anyone who wants to use these services can make use of them. Public clouds are cost-effective, relieving you from the expensive costs of having to purchase hardware, manage it, and so forth. With the public cloud, anyone with an internet connection can make use of the services. There are several security concerns with public clouds, especially when it comes to data residency and who has access to the data. However, many public cloud providers provide solutions to address this.

Private cloud

Private clouds offer services either over the internet or via a private internal connection. These are limited to selected users and not the public. You may find the terms corporate cloud or internal cloud often used interchangeably with public cloud. This cloud setup aims to provide the benefits of a public cloud with additional controls and, to an extent, additional customization where possible. Private clouds are said to provide a higher level of security concerning data confidentiality – it limits access to third parties. The drawback of a private cloud is that it requires staff to maintain it.

Hybrid cloud

A hybrid cloud combines both public and private cloud solutions. It enables data to be shared between them. This cloud aims to enable organizations to scale where needed, but also provide limited access to restricted data where possible.

If I had to describe cloud computing in simple terms, it is the delivery of computing services that make use of servers, databases, networking, software, storage, and more. All of this is delivered across the internet, referred to as the public cloud. Cloud computing aims to offer faster innovation, flexibility when it comes to resources, and scalability, enabling you to up or downscale your resources with ease. Cloud computing offers various operating models:

• Infrastructure-as-a-Service (IaaS)
• Platform-as-a-Service (PaaS)
• Software-as-a-Service (SaaS)

Cloud computing providers often have a shared responsibility model that describes the responsibility and security tasks that are handled by the provider and the customer. These responsibilities and tasks change as you use different operating models.

The following figure is a sample of Microsoft’s shared responsibility model. Notice how the responsibilities change between SaaS to on-premises:

Figure 1.2 – Microsoft shared responsibility model (Source: https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility)

All cloud providers will provide some type of responsibility matrix – for example, Amazon Web Services has theirs (https://aws.amazon.com/compliance/shared-responsibility-model/), and the same goes for Google Cloud (https://cloud.google.com/architecture/framework/security/shared-responsibility-shared-fate).

Let’s cover these briefly so that you understand what each model offers. It is important to have a good understanding of these as you prepare for an ethical hack because it gives you insight into who handles the security of the target components such as the operating system and application updates and so forth.

Infrastructure-as-a-Service

IaaS is a standardized method of obtaining computing resources on demand. These services are delivered through the internet via a cloud provider. These services include storage facilities, networks, computing power, and virtual private servers. These are invoiced on a pay-as-you-go basis, which means you are billed based on different criteria, such as how much storage you use or how much processing power you utilize over a set period. Customers do not need to maintain infrastructure under this service model; instead, the provider is responsible for ensuring the contractual quantity of resources and availability.

Some of the advantages of IaaS include the following:

• Very flexible cloud computing model
• Ability to easily automate the deployment of services such as storage, processing power, network, and so forth
• Highly scalable
• Resources can be purchased as needed

As with everything in the computing world, there are security concerns. With IaaS, the following can be seen as security concerns:

• Security threats to system vulnerabilities
• Legacy operating systems in the cloud
• Multi-tenant security, whereby you rely on the vendor to ensure the separation of customer environments

Some examples of IaaS include compute services purchased from cloud vendors. Common use cases of IaaS can be found in large organizations that want to purchase and pay for what they consume, or organizations that are rapidly expanding and need the scalability of hardware.

Software-as-a-Service

SaaS aims to provide web-based solutions. These solutions are controlled by the supplier, which is great as it relieves the pressure of maintaining the software, infrastructure, security of the application, and so forth. SaaS services are often billed by the amount of data stored, number of transactions, number of users and usage, and so on.

The advantages of SaaS include the following:

• Reduce overhead in time and money spent on installing, managing, and upgrading software
• Providers upgrade the solutions, thereby putting you on the latest solution all the time
• Baked-in best practices enable you to test the solution with a good security posture from the get-go

The limitations that exist with SaaS can include the following:

• Data security in terms of large volumes of data exchanged by backend data centers. These transfer business-sensitive data that, if not properly secured, can lead to exposure.
• Lack of control since this is handled by the provider or third parties.
• Reliance on the vendor’s security controls to ensure that the application is secured.

Typical examples of SaaS solutions include Dropbox, Cisco Webex, and Salesforce. The use cases of SaaS can be seen in applications that need both web and mobile access, collaboration solutions that exist on the internet, and more.

Platform-as-a-Service

PaaS provides a bridge between IaaS and SaaS services. PaaS aims to provide customers with a platform that is cloud-based that can be used to build and distribute applications without the need to install integrated development environments (IDEs). Users can also typically specify whatever features they want to be included in their subscription.

There are advantages to PaaS, some of which are as follows:

• Cost-effective deployment of applications
• Easy of deployment with high scalability
• Apps can be customized without the need to maintain the underlying software

Concerning the advantages, there are also limitations and concerns. Some of these are as follows:

• Integrations with outside data centers or on-premises increase, increasing the possible attack surface.
• Third-party data residency poses security risks as to who might be able to view that data. A lack of security controls on the data could be possible.
• Integrations with existing applications could become problematic.

Typical examples of PaaS in the cloud are Heroku, OpenShift, and App Engine. PaaS is beneficial when it comes to streamlining workflows that are leveraged by multiple developers. It also provides speed and flexibility to these workflows.

This section aimed to give you an overview of cloud solutions, the different operating models, and how the shared responsibility of the cloud works. As you craft your ethical hack methodology, you should take this into account in the event your target is making use of cloud services.

In this section, we will start to cover some of the attacks that exist and the tools that you can use to carry them out. As traffic traverses a network, you can perform various attacks, such as capturing the traffic and looking at what it contains, intercepting traffic and misdirecting it, acting as a man in the middle, poisoning results, and more. Let’s begin with capturing packets as they traverse the network.

Packet capturing

Packet capturing is also known as sniffing. This is the process of capturing packets as they traverse the network to look inside and discover any valuable information. By performing packet capturing, you can see all sorts of traffic. This can be both protected and unprotected traffic. Various tools exist that can perform packet capturing. The most common tool that you will hear people talking about is Wireshark. There are more tools, including native tools, within routers and switches that allow you to capture packets. The key is not to understand how each tool works, but rather how packet capturing works and what the benefits are. We will cover packet capturing in more depth in Chapter 2, Capturing and Analyzing Network Traffic.

Wireshark can be downloaded from https://www.wireshark.org/download.html and supports almost all operating systems, but best of all, it’s free! Installing Wireshark is straightforward; let’s focus more on the tool itself and how to use it. If you are using Kali Linux, Wireshark will already be installed. The following figure shows the main dashboard of Wireshark:

Figure 1.3 – Wireshark dashboard

The dashboard may seem a bit daunting but let me explain all the components. We will begin with the toolbar, where I will highlight the icons and their functions in the following tables.

In the first table, we will cover the functions that you will interact with when starting a packet capture:

Table 1.1 – Wireshark icons used for packet captures

The next set of functions enables you to work within the packet capture file:

Icon	Name	Description
	Find Packet	This button can be used to find specific packets based on various criteria that you define
	Go Back	This button allows you to go one step back in the packet history
	Go Forward	This button allows you to jump one step forward in the packet history
	Go To Packet	This will enable you to move to a specific packet
	Go to First Packet	Jumps to the first packet in the capture file
	Go to Last Packet	Jumps to the last packet in the capture file

Table 1.2 – Wireshark icons for working with the capture file

Next, you have the main interface view, as per the following figure. This will show you which interfaces have active traffic on them, and which ones are not seeing any traffic. This is depicted by a line next to the interface number. In the following figure, you can see that the Ethernet0 and Adapter for loopback traffic capture interfaces are seeing traffic:

Figure 1.4 – Wireshark interfaces that have traffic

Starting a packet capture with Wireshark is simple. First, you need to select the interface that you would like to capture traffic on. Next, you must click on the Start button to start capturing packets. You will then see results appear in the main display window. The following figure is an example of ARP requests on the network:

Pro tip

ARP stands for Address Resolution Protocol. It is used to discover the local MAC address of the endpoint by using its IPv4 address.

Figure 1.5 – ARP requests

When you perform packet captures, you need to filter the output to look for your specific results. The display filter within Wireshark does just that. You can see it when you look at Figure 1.5 – specifically the text in the green bar, stating eth.dst == ff:ff:ff:ff:ff:ff:ff:ff. When you type text in the display filter, Wireshark will offer a list of suggestions based on what you have typed in. It also provides a way for you to see if the filter will work or not – for example, if the bar turns yellow, this means that the display filter was accepted but may not work as you expected. If it turns red, it means that the filter was not accepted and will not work. If it turns green, then the filter has been accepted

The following table defines a few useful filters:

Table 1.3 – List of useful filters to use

There is an extensive list of filters that are well documented on Wireshark’s documentation page. You can find the complete list here: https://www.wireshark.org/docs/dfref/.

Now that we have an idea of how to capture packets with Wireshark, let’s move on to spoofing. We will focus on MAC address and ARP spoofing techniques.

MAC address spoofing

As we have identified, every network interface has a unique MAC address. MAC address spoofing is a type of computer identity theft that involves altering the MAC address on the NIC. MAC address spoofing techniques are commonly used when attempting to break into a LAN environment by assuming the identity of an authorized computer. For example, some networks may whitelist MAC addresses. If you can discover that whitelisted MAC address, you can assume its identity. You can spoof your MAC address to masquerade as a different device on the network.

Let’s look at how to perform MAC address spoofing. For this, we will use Kali Linux and the macchanger tool.

From a Terminal window, issue the macchanger --help command. This will show you all the options that are available to use with the tool, as shown in the following screenshot:

Figure 1.6 – macchanger usage options

Before we use the tool, let’s verify our current MAC address. You can do this by using the ifconfig command, followed by your interface. In my case, this is eth0, as per the following figure:

Figure 1.7 – Current allocated MAC address

Currently, my MAC address (called ether in Linux) is 00:0c:29:77:2c:99. Now, let’s modify this to some random value. This can be done in one easy step:

We will issue the sudo macchanger -r eth0 command. I am using the sudo command since my current user does not have root permissions. You can also make use of the sudo -i command, which will move you to the root user, after which you won’t need to prepend the commands with sudo. -r is used to generate a random MAC address; I could use other options if required. For example, I could set a random MAC address of the same kind using the -a switch, though keep in mind that this switch will keep the same vendor OUI as your current vendor. Lastly, I define my interface, which is eth0.

Tip

If you experience an ERROR: Can’t change MAC: message, then you will need to execute the ifconfig eth0 down command before running the macchanger command (this will switch your network interface OFF).

Once you run the macchanger command, remember to turn the interface back ON by using the ifconfig eth0 up command.

The results presented in the following figure show that the interface now has a new MAC address of 06:1d:9f:2f:db:f6:

Figure 1.8 – Using macchanger to set a random MAC address

If you want to define your own MAC address, you can use the following command:

$ sudo macchanger  --mac XX:XX:XX:XX:XX:XX Set the MAC XX:XX:XX:XX:XX:XX

Note

If you are using a Windows environment, some network cards provide the functionality to change your MAC address within the interface properties.

As you have seen, randomizing your MAC address is a simple yet very effective task when it comes to either stealing an identity or masquerading on a network. Now, let’s move on to ARP spoofing.

ARP spoofing

Before we dive into ARP spoofing, let’s put the ARP into perspective. Think of MAC addresses that identify who you are; these are physical identifications. IP addresses are used to identify where you are. ARP tables are used to manage the relationship of who and where you are.

The ARP is used to discover the MAC address related to an IP address. For example, if a router needs to send data to a computer that holds the IP address of 192.168.1.20, it needs to know the MAC address and to discover this, it will send an ARP query. ARP queries are not limited to routers; other devices, such as wireless routers, switches, and computers, all work with the ARP protocol.

In an ARP spoofing attack, the attacker sends fake ARP responses to a victim. These responses essentially tell the victim that the attacker’s MAC address maps to something else, such as a router’s IP. This means that the victim would send packets that were originally destined for the router to the attacker as the router’s MAC address would be replaced with the attacker’s MAC address. ARP spoofing is a typical example of a man-in-the-middle (MITM) attack.

Note

An MITM attack occurs when an attacker listens in on the communication between a user and an application. The intent could be to either spy on the conversation with the intent to gain valuable information or to modify the conversation and redirect the communication to devices that the attacker controls.

The following diagram shows how an MITM attack works:

Figure 1.9 – Man-in-the-middle attack (Source: https://www.imperva.com/learn/application-security/man-in-the-middle-attack-mitm/)

Pro tip

Remember that for Kali Linux to forward packets on behalf of other machines, you need to enable IP forwarding. This needs to be done by issuing the echo 1 > /proc/sys/net/ipv4/ip_forward command as root.

To perform an ARP spoofing attack, you need to leverage additional tools within Kali Linux. The tool suite that we will need to use is called dSniff. dSniff contains several tools that can be used to listen to and create network traffic.

The tool can be installed using the following commands:

1. First, we must switch to the root user using the following command:

   sudo -i

2. Next, we must ensure that we have the latest package updates by issuing the following command:

   apt-get update

3. Finally, we must install the tool suite using the following command:

   apt-get install dsniff

Within the toolset, we will make use of arpspoof, a tool that will execute the ARP spoofing attack.

Let’s break down this command. The -i flag represents the interface that you want to use to spoof ARP requests, while the -t flag specifies the target that you would like to poison. You can leave this option out but then arpspoof will poison all targets on the network.

When you run the command, the output would look like what’s shown in Figure 1.10. Within the output, you will find the first MAC address (0:c:29:77:2c:99), which belongs to the Kali Linux machine. The second MAC address (0:c:29:ec:1e:7b) belongs to the target machine. You then have the type field (0806), which indicates that an ARP packet is contained inside the Ethernet frame. Next, you have the byte size (42) of the Ethernet frame. The ARP reply section shows what the ARP message looks like when it is seen by the target. Essentially, it forces the victim to update its ARP table so that the IP address of the router (192.168.111.2) is now at the MAC address of the Kali Linux machine:

Figure 1.10 – Results of using the arpspoof command

When you perform an ARP spoofing attack, you need to also trick the router into believing that you are the target. To do that, you need to issue the same command but this time, reverse [ROUTER_IP] and [TARGET_IP]. The command would be as follows:

$ sudo arpspoof -i [INTERFACE] -t [ROUTER_IP] [TARGET_IP]

You will get a chance to perform an ARP spoofing attack in the upcoming section. But first, we need to build a working lab environment that we will use throughout this book. As we progress through this book’s chapters, we will add additional components to the lab; these components will be introduced at the start of each chapter.

To perform the various exercises throughout this book, you will need to have a lab environment setup. In this section, I will walk you through building the lab environment. We will add to this environment as we progress through this book. So, let’s begin with the initial setup.

First, you will need to use a virtualization platform if you are building this locally on your PC. Common virtualization platforms include VirtualBox, which is free and can be downloaded from https://www.virtualbox.org/wiki/Downloads, and VMware Workstation. VMware Workstation has two editions: the VMware Workstation Player, which is free and can be downloaded from https://www.vmware.com/nl/products/workstation-player/workstation-player-evaluation.html, and a paid-for version called VMware Workstation Pro.

Pro tip

I do not recommend using Microsoft Hyper-V since this platform does not allow you to natively interact with hardware. For example, if you had to use a wireless network card for packet capturing, you would not be able to do this with Microsoft Hyper-V.

For this chapter, we will set up the lab as per the following diagram. We will use pfSense as an open source router, which will provide internet access to the lab environment. All devices will have a private IP address in the 192.168.1.0/24 range. The pfSense virtual router will have two network interfaces, one in bridged mode and the other connected to the private subnet of the lab environment.

Figure 1.11 – Lab diagram

We will begin by setting up our virtual network within the hypervisor. Within VMware Workstation, this can be done from EDIT | Virtual Network Editor, as per the following figure. Ensure that this is set to Host-only since we want this network to simulate a private subnet of 192.168.1.0/24:

Figure 1.12 – Virtual network configuration on VMware

For VirtualBox, this can be done at File | Host Network Manager, as shown in the following screenshot:

Figure 1.13 – Virtual network editor in VirtualBox

Once you have the networks configured, you can proceed to install pfSense. The installation is straightforward. You will need to download the ISO file from https://www.pfsense.org/download/; remember to select the architecture according to AMD64. Once you have downloaded this, you will proceed to create a new virtual machine on your hypervisor. Remember to set your ISO file as the boot image so that you can install pfSense.

Pro tip

The steps to set up a new virtual machine for VMware are detailed here: https://kb.vmware.com/s/article/1018415.

The steps to set up a new virtual machine for VirtualBox are detailed here: https://docs.oracle.com/cd/E26217_01/E26796/html/qs-create-vm.html#:~:text=To%20create%20a%20new%20virtual,VirtualBox%20command%20in%20a%20terminal.

Ensure that your pfSense setup has two network interface cards – one set to bridged mode (this will enable it to communicate with the internet) and one set to your host-only network. Once you have installed pfSense, ensure that you remove the ISO file from its boot sequence; otherwise, you will have a setup loop. When pfSense boots up, you should see something like what’s shown in the following screenshot – one interface card bridged with your network (WAN) that has internet access and the other connected to your host-only network (LAN):

Figure 1.14 – pfSense IP configuration

Once you’ve done this, you can leverage the pre-built virtual machines from Kali Linux. Kali makes both VMware and VirtualBox images readily available for download. Simply download the one that matches the hypervisor you are using. Once extracted and booted up, you should be able to log in using the default username and password of kali/kali. Remember that your Kali Linux network interface card should be set to Host-only.

The last step is to set up Windows 10. I recommend that you make use of Windows 10 Pro throughout this book. Your Windows 10 virtual machine should also make use of the Host-only network.

Note

You may need to manually configure an IP address on the private subnet for both the Kali and Windows virtual machines in case DHCP does not assign any IP address.

At the end of your lab setup, you should have three virtual machines configured. You should be able to ping each of them on their local private IP subnet and be able to browse the internet from the Kali and Windows machines. Now that we have set up the lab, let’s work on some exercises based on what we have covered in this chapter.

With the lab set up, let’s perform an ARP spoofing attack. In this attack, we will send malicious packets to the Windows 10 machine spoofing the MAC address of the pfSense router. In my environment, the pfSense router has an IP address of 192.168.1.1 and the Windows 10 machine has an IP address of 192.168.1.20.

Before we begin, we will enable Kali to perform packet forwarding using the following commands:

$ sudo -i
$ echo 1 > /proc/sys/net/ipv4/ip_forward

From the Kali machine, open a Terminal window and issue the following command. This will begin to spoof ARP packets toward the Windows 10 machine:

$ sudo arpspoof -i eth0 -t 192.168.1.20 192.168.1.1

The command will continue to run indefinitely until you cancel it with the Ctrl + C key sequence. The output will look as follows:

Figure 1.15 – ARP spoofing the Windows 10 machine

Since we want to intercept traffic and perform an MITM attack, we will conduct an arpspoof attack toward the router. Here, we are telling the router that all traffic destined to the MAC address belonging to 192.168.1.20 (Windows 10 machine) is our MAC address (Kali Machine). Kali will then perform the packet forwarding between the router and the Windows 10 machine.

In a new Terminal window, run the following command. This will start to spoof ARP packets towards the pfSense router:

$ sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.20

The output will look as follows:

Figure 1.16 – ARP spoofing the pfSense router

As the two commands run, both the pfSense router and the Windows 10 machine should now have poison ARP entries. From here, we can intercept the packets and see all the communication between the Windows 10 machine and the router.

A great tool to quickly view web traffic is called URLSnarf, which is part of the dSniff suite. You can try this out in your lab by entering the following command:

$ sudo urlsnarf -i eth0

This command will inspect all web traffic and provide you with the URLs that are being accessed. A sample of this can be seen in the following screenshot:

Figure 1.17 – Viewing URLs accessed by the target with urlsnarf

If you want to capture all the traffic, this is where you can make use of Wireshark. Using what you have learned earlier, launch Wireshark on Kali Linux and perform a packet capture on the interface that you are using for the ARP spoofing attack. Do you see anything interesting? Generate some web traffic from the target machine and look at the packet capture – for example, browse to a website, log in, and look at the packet captures.

When it comes to detecting attacks such as an ARP spoofing attack, things can become tricky. Having encryption in place for all internet traffic can help protect your session from any eavesdropping. Many browsers now require that websites support some type of encryption. There are also web extensions that can easily notify you if you are browsing a non-encrypted website. An example of such an extension is the HTTPS Everywhere extension (https://www.eff.org/https-everywhere). You will also find that modern network appliances have some sort of anti-spoofing techniques available that can, to some extent, protect against spoofing.

In this chapter, we covered some concepts of networking at a high level. We looked at cloud environments and the differences between various offerings. We also dove into networking tools that can be used to capture packets and looked at some spoofing techniques and tools that are available today. In the next chapter, we will focus on packet capturing in more depth and dive deeper into the tools before introducing wireless packet captures.