Sometimes it's nice to know what kind of people you're sharing a LAN with. This hack will allow you to sniff packets from other users on the local switched network. What we accomplish by ARP spoofing is tricking a host on the LAN into forwarding us packets that would normally only be sent to the gateway (the machine or router that's going to send them off to the internet).
This should only ever be done on a network that you run or otherwise have permission to monitor other users' activities on.
This tutorial should apply to any *nix based operating system with little modification.
The first thing we need for this is the dsniff suite of applications. You can install it via DarwinPorts on OS X; on Linux you can normally install it via your distribution's package manager (e.g. yum or apt).
Next we need to turn on IP forwarding in the OS. This is so packets are forwarded on to their intended destination, so whoever we're spying on won't get suspicious. Both commands below need root:
On OS X: sysctl -w net.inet.ip.forwarding=1
On Linux: echo 1 > /proc/sys/net/ipv4/ip_forward
Next we begin ARP spoofing using the "arpspoof" command from the dsniff suite:
arpspoof -t xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
xxx.xxx.xxx.xxx is the target of our ARP spoof (the host whose packets we want to capture) and yyy.yyy.yyy.yyy is the host we want to pretend to be (this should be the default gateway for the network).
You should see output similar to the following:
0:1b:63:b6:df:b1 ff:ff:ff:ff:ff:ff 0806 42: arp reply yyy.yyy.yyy.yyy is-at 0:1b:63:b6:df:b1
0:1b:63:b6:df:b1 ff:ff:ff:ff:ff:ff 0806 42: arp reply yyy.yyy.yyy.yyy 0 is-at 0:1b:63:b6:df:b1
Now open up your favorite packet sniffer and you should see traffic from the target going out to the internet.
Or, if you're just after passwords or other login information, fire up dsniff and it will keep watch for any passwords sent over the connection.
Note that we've set up a one-way ARP spoof here, so we're only going to see traffic from the target out to the internet. If we want to see things the other way as well, open up another console window and run a second instance of arpspoof in reverse:
arpspoof -t yyy.yyy.yyy.yyy xxx.xxx.xxx.xxx
Where yyy.yyy.yyy.yyy is again the gateway and xxx.xxx.xxx.xxx is the target; this way we see traffic in both directions.
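The ARP replies printed above are also exactly what a defender on the same LAN can watch for. As an added example (not part of the original post or of dsniff), here is a small Python checker that reads tcpdump-style ARP reply lines in the format arpspoof prints and flags two things: an IP whose MAC binding contradicts a known baseline (or changes mid-stream), and replies addressed to the broadcast MAC. The sample lines, the 192.0.2.x addresses and the MAC addresses are constructed.

```python
import re

# Matches one line of tcpdump-style ARP reply output, as printed by arpspoof
# in the post: "<src mac> <dst mac> 0806 <len>: arp reply <ip> is-at <mac>"
ARP_REPLY = re.compile(
    r"^(?P<src>[0-9a-f:]+)\s+(?P<dst>[0-9a-f:]+)\s+0806\s+\d+:\s+"
    r"arp reply\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+(?P<mac>[0-9a-f:]+)",
    re.IGNORECASE,
)
BROADCAST = "ff:ff:ff:ff:ff:ff"

def norm_mac(mac):
    """Zero-pad octets so '0:1b:63:b6:df:b1' and '00:1b:63:b6:df:b1' compare equal."""
    return ":".join(o.zfill(2) for o in mac.lower().split(":"))

def check_arp_replies(lines, baseline):
    """Return alerts for ARP replies that contradict known IP->MAC bindings.

    baseline: dict of IP -> MAC for hosts whose address is known (e.g. the gateway).
    Bindings first seen in the stream are learned and enforced afterwards."""
    known = {ip: norm_mac(mac) for ip, mac in baseline.items()}
    alerts = []
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue
        ip, mac, dst = m["ip"], norm_mac(m["mac"]), norm_mac(m["dst"])
        if ip in known and known[ip] != mac:
            alerts.append(f"{ip} claimed by {mac}, expected {known[ip]}")
        elif ip not in known:
            known[ip] = mac
        if dst == BROADCAST:
            # Genuine replies are unicast to whoever asked; a reply sent to the
            # broadcast address is a classic cache-poisoning signature.
            alerts.append(f"broadcast arp reply for {ip} from {mac}")
    return alerts

# Constructed sample: 192.0.2.1 is the real gateway (MAC known from the baseline);
# the third line claims it lives at a different MAC and is sent to the whole LAN.
SAMPLE = [
    "00:0c:29:aa:bb:cc 00:50:56:11:22:33 0806 42: arp reply 192.0.2.1 is-at 00:0c:29:aa:bb:cc",
    "00:50:56:11:22:33 00:0c:29:aa:bb:cc 0806 42: arp reply 192.0.2.50 is-at 00:50:56:11:22:33",
    "0:1b:63:b6:df:b1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.0.2.1 is-at 0:1b:63:b6:df:b1",
]
BASELINE = {"192.0.2.1": "00:0c:29:aa:bb:cc"}

if __name__ == "__main__":
    for alert in check_arp_replies(SAMPLE, BASELINE):
        print("ALERT:", alert)
```

Feed it live lines with something like `tcpdump -l -n -e arp` piped to stdin and a baseline of your gateway's real MAC; a tool such as arpwatch does the same job permanently.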
As always let me know if you have any questions or comments in the comments of this post.