Cut someone’s network connection with arpspoofing

Strider

Hi, I had thought about a little troll for a colleague in front of me. Short story: he gambles a lot on Steam, and I thought about how I could torch him a bit, but in a way that he does not realize that it is me 😄

I thought to myself "Come on kid, just kill his Internet connection, it'll be fun". Good thing that when you do ARP spoofing, the victim's traffic has to go through your own device. That makes the whole thing easier 😄.

Normally you enable IP forwarding, but here I left it disabled. The result was no Internet.

I had done this a few times at random intervals with him, so he thought his router or Internet was having problems. He then began to restart the router several times, to the point that he considered going to the nearest Mediamarkt and buying a new router.

Oh man that was something 😃

OK, let's get to the technical part. A typical network looks like this. In this case we have a router (our gateway) and 2 hosts in the network that are connected to the router. It doesn't matter how they are connected; the main thing is that there is a connection.

Note that the attack is only possible if the attacker is on the same network as the victim.

[Image: dia.png]

With ARP spoofing, the attacker keeps sending ARP replies to the victim that pair the gateway's IP address with the attacker's own MAC address, and so pretends to be the gateway to the victim. In the same way, the attacker pretends to be the victim to the gateway. This puts the attacker in the position of the man in the middle. That is all. The result is shown in the picture below.

[Image: dia2.png]

Under Kali or Debian Stretch as well as in other distributions, you can start it with this command.

$ arpspoof -i <interface> -t <victim_ip> <gateway_ip> 

[Image: arp.png]

In order for the traffic to pass through the attacker, IP forwarding must be enabled. Otherwise, the victim no longer has a connection and can no longer access the Internet. By default, IP forwarding is disabled on many Linux distributions. However, it can be switched on by writing a 1 to the file /proc/sys/net/ipv4/ip_forward (as root). To turn it off again, just write a 0 to it.

$ echo 1 > /proc/sys/net/ipv4/ip_forward

I hope I could give a little insight into the topic of ARP spoofing 😃