Techniques:

Adversary-in-the-Middle - T1557 (ARP Cache Poisoning is sub-technique T1557.002)

Getting Started

apt update
apt install python3-virtualenv

Note on virtualenv usage:

  • a virtualenv is a self-contained Python environment, so tools with conflicting dependency versions can be installed side by side without interfering
  • activate the environment before running its tool and deactivate it afterwards, so packages are installed into, and loaded from, the right place
  • with screen/tmux each window or pane is its own shell, so different environments can be active at the same time, one per shell

EavesARP

Overview: Angel's tool (arch4ngel on GitHub) for sniffing a local network segment for hosts that keep trying to reach addresses that no longer answer. It identifies ARP spoofing targets: an unanswered ARP request reveals both a free address worth assuming and the client that will talk to whoever claims it.

Tool located here: https://github.com/arch4ngel/eavesarp

Possible Blurb: The tester attempted to locate potentially stale network address configurations (SNACs). The tool used for this review was EavesARP. EavesARP runs on a listening network interface and analyzes ARP (Address Resolution Protocol) traffic. The analysis focuses on ARP requests that go unanswered on the local subnet, which can be an artifact of a retired or disabled service that the requesting system is still configured to use. By bringing up a new service at the requested address, the tester can collect traffic destined for the retired service and potentially interact with the client system.

The tester then created IP aliases and assumed several of the discovered addresses. Once the addresses were aliased, the tester analyzed the resulting traffic using tcpdump. As shown in the next screenshot, the system at {{ TODO source IP }} was requesting a MAC address for the IP address {{ TODO destination IP }}. Once the tester configured the IP alias and answered the ARP requests, the system at {{ TODO source IP }} began sending {{ TODO insert traffic analysis results }}.
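As an added example (not EavesARP's own code, and not from the page's author), the analysis the blurb describes, reconstructed offline in Python: walk a list of observed ARP packets, treat every address that ever sent an ARP packet as alive, and report the targets that were asked about but never appeared as a sender, together with the hosts still asking for them. The MAC addresses, the 192.0.2.0/24 addresses and the packet list are constructed sample data, and the min_requests threshold is this example's own knob, not an EavesARP option; the output list is in the one-IP-per-line format the alias script further down reads.

```python
"""
Added example: offline SNAC (stale network address configuration) analysis.
Not EavesARP code. All packets below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

ARP_REQUEST = 1  # who-has
ARP_REPLY = 2    # is-at


@dataclass(frozen=True)
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_ip: str


# Constructed sample capture from a single /24 broadcast domain (assumption).
# 192.0.2.1 is alive and answers; 192.0.2.50 and .60 never answer anyone.
SAMPLE = [
    ArpPacket(ARP_REQUEST, "aa:aa:aa:aa:aa:01", "192.0.2.10", "192.0.2.1"),
    ArpPacket(ARP_REPLY,   "aa:aa:aa:aa:aa:fe", "192.0.2.1",  "192.0.2.10"),
    ArpPacket(ARP_REQUEST, "aa:aa:aa:aa:aa:01", "192.0.2.10", "192.0.2.50"),
    ArpPacket(ARP_REQUEST, "aa:aa:aa:aa:aa:01", "192.0.2.10", "192.0.2.50"),
    ArpPacket(ARP_REQUEST, "aa:aa:aa:aa:aa:02", "192.0.2.11", "192.0.2.50"),
    ArpPacket(ARP_REQUEST, "aa:aa:aa:aa:aa:03", "192.0.2.12", "192.0.2.60"),
    # gratuitous ARP / address probe: an announcement, not a lookup
    ArpPacket(ARP_REQUEST, "aa:aa:aa:aa:aa:03", "192.0.2.12", "192.0.2.12"),
]


def find_snacs(packets, min_requests=2):
    """Return {target_ip: {requester_ip: count}} for every target that was
    requested at least min_requests times in total and never sent an ARP
    packet itself (no reply, no request of its own). Any address seen as a
    sender is treated as alive; gratuitous ARP is not counted as a lookup."""
    alive = {p.sender_ip for p in packets}
    requests = defaultdict(lambda: defaultdict(int))
    for p in packets:
        if p.op == ARP_REQUEST and p.sender_ip != p.target_ip:
            requests[p.target_ip][p.sender_ip] += 1

    result = {}
    for target, by_sender in requests.items():
        if target in alive:
            continue  # somebody at that address is talking, not stale
        if sum(by_sender.values()) < min_requests:
            continue  # one-off lookup, likely a scan or typo rather than a SNAC
        result[target] = dict(by_sender)
    return result


def targets_file_lines(snacs):
    """Sorted list of candidate addresses, one per line as the alias script expects."""
    return sorted(snacs)


if __name__ == "__main__":
    found = find_snacs(SAMPLE)
    for target, by_sender in sorted(found.items()):
        who = ", ".join(f"{ip} x{n}" for ip, n in sorted(by_sender.items()))
        print(f"{target}: unanswered, requested by {who}")
    print("targets.txt contents:", targets_file_lines(found))
```

With the threshold at its default of 2, only 192.0.2.50 qualifies (three requests from two clients); lowering min_requests to 1 also surfaces 192.0.2.60, while 192.0.2.1 is never reported because it replied. The real tool watches a live interface, but the selection logic is the same: an address that is repeatedly asked for and never speaks is the one to alias.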

Installation:

cd /opt/
git clone https://github.com/arch4ngel/eavesarp.git
cd eavesarp
virtualenv -p python3 ea-env
source ea-env/bin/activate
python3 -m pip install -r requirements.txt
deactivate
cd /opt/

Basic Usage: The following script automates adding and removing the IP aliases. It assumes the interface is eth0 and the segment is a /24; adjust both to the target network.

#!/bin/bash
# Usage: ./thescript.sh <file_of_ips> [delete]
# Adds a /24 alias on $IFACE for every IP in the file; with any second
# argument the same aliases are removed instead.
IFACE=eth0
if [[ -z "$1" ]]; then
    echo "Usage: $0 <file_of_ips> [delete]"
    exit 1
fi
if [[ -n "$2" ]]; then
    echo "Removing aliases..."
else
    echo "Creating aliases..."
fi
while read -r i; do
    [[ -z "$i" ]] && continue   # skip blank lines
    echo "- $i/24"
    if [[ -n "$2" ]]; then
        ip addr del "$i/24" dev "$IFACE"
    else
        ip addr add "$i/24" dev "$IFACE"
    fi
done < "$1"
echo "Finished!"

Adding the aliases to eth0:

./thescript.sh targets.txt

Removing the aliases from eth0:

./thescript.sh targets.txt delete