Jordan University of Science and Technology Network Engineering and Security Department NETWORK SECURITY LABORATORY NES553 PreLab#4: ARP Poisoning MITM ________________________________________________ _ 1) What is ARP protocol? Address Resolution Protocol (ARP), is a telecommunications protocol used for resolution of network layer addresses into link layer addresses and is used to convert an IP address to a physical address such as an Ethernet address. ARP performs a required function in IP routing. ARP finds the hardware address, also known as Media Access Control (MAC) address, of a host from its known IP address. ARP maintains a cache (table) in which MAC addresses are mapped to IP addresses. 2) What is ARP poisoning? Address Resolution Protocol (ARP) poisoning is a type of attack where the Media Access Control (MAC) address is changed by the attacker. Also, called an ARP spoofing attacks, it is effective against both wired and wireless local networks. Some of the things an attacker could perform from ARP poisoning attacks include stealing data from the compromised computers, eavesdrop using man-in-the middle methods, and prevent legitimate access to services, such as Internet service.
3) What is the function of the following commands? arp –n
arp -n, - - numeric : Shows numerical addresses instead of trying to determine symbolic host, port or user names.
tshark –n –I ethx arp
tshark : Dump and analyze network traffic -n
: disable all name resolutions (default: all enabled)
-i <interface> :name or idx of interface (default: first non-loopback)
arping –I ethx 126.96.36.199
arping : send arp request -I means name of network device where to send ARP request arping -i ehtx 188.8.131.52 Means send arp request to interface that has ip 184.108.40.206 •
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind ? why we need to do that?
Set this if you want your applications to be able to bind to an address which doesn't belong to a device on your system. This can be useful when your machine is on a non-permanent (or even dynamic) link, so your services are able to start up and bind to a specific address when your link is down.
4) Give the command used to send ping requests to all nodes on subnet 220.127.116.11/24. On windows: FOR /L %i IN (1,1,254) DO ping -n 1 192.12.10.%i | FIND /i "Reply">>c:\ipaddresses.txt
On linux: #!/bin/sh COUNTER=1 while [ $COUNTER -lt 254 ] do ping 192.12.10.$COUNTER -c 1 COUNTER=$(( $COUNTER + 1 )) do
Or by the command : fping –g 18.104.22.168/24