The Next Step: Arp Spoofing with Cain and Abel (a tutorial)

Cain and Abel

The next step in my project was to find a tool that lets me ARP spoof the device so that I can monitor the traffic to and from it. ARP spoofing lets me monitor the device because traffic to and from the mobile device passes through my laptop before it reaches its destination. In this post I am going to give a tutorial on how to use Cain and Abel before I share my results. This post will serve as a helper for users who don't know how to ARP spoof with this tool. It assumes that you have already downloaded the tool (it can be found at http://www.oxid.it/cain.html).

Before you can ARP spoof with this tool, you have to configure it for the network your device is on (note that the target device and the device you are using have to be on the same network).


The tool is configured once you have clicked OK. Next, start the sniffer so that the tool can populate a list of all the hosts on the network. To do this, click the Sniffer tab and then click "Start/Stop Sniffer" in the toolbar. After that, click the blue cross to add hosts to the list.


A new dialog box should open. Once it does, make sure "All my hosts in my subnet" is checked and then press OK. The tool will add all the hosts that are on the network at that time. Make sure the target device you are looking for is in the list before you start ARP spoofing. Once you have verified that the target device is on the network, you can start the next step, ARP spoofing the device.

On the bottom toolbar there is a yellow icon labelled APR; click it, and a new tab will appear. Next, click the blue cross to add a new "ARP Poisoning Router" entry to the list; once you click the blue cross, a window will open.


For this project, before I started ARP spoofing my target device, I set up a Wireshark capture so that I could monitor the data from the ARP spoof. Once Wireshark was set up, I poisoned the device and then filtered the packets captured in Wireshark by the IP address of the target device I was ARP spoofing. For the results I got from ARP spoofing my device, please look for my next blog post.
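As an added example (not part of the original post, and not code from Cain and Abel), the script below shows what the poisoning set up above looks like on the wire and how a defender can spot it in a capture. It decodes raw Ethernet/ARP frames and flags any IP address that more than one MAC address claims in ARP replies, which is exactly the state APR creates between the target device and the gateway. The frames, MAC and IP addresses are constructed test data; the hypothetical router, phone and laptop addresses are assumptions, not values from the project.

```python
import struct
from collections import defaultdict

# Ethernet II header (14 bytes) and the ARP payload for IPv4 over Ethernet (28 bytes, RFC 826).
ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")     # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes):
    """Decode one Ethernet frame; return the ARP fields as a dict, or None if it is not IPv4 ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": mac_str(src), "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def detect_poisoning(frames):
    """Return [(ip, [mac, ...])] for every IP that more than one MAC claimed in ARP replies.

    A healthy LAN maps each IP to exactly one MAC. During ARP poisoning the attacker's MAC
    answers for the gateway (and for the victim), so the same IP shows up with two senders.
    """
    claims = defaultdict(set)
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        claims[arp["spa"]].add(arp["sha"])
    return [(ip, sorted(macs)) for ip, macs in sorted(claims.items()) if len(macs) > 1]


# ---- constructed sample frames (test data, not captured traffic) -----------------------
def _mac(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp_reply(sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an ARP reply frame saying 'spa is at sha', unicast to tha/tpa (test helper)."""
    eth = ETH_HDR.pack(_mac(tha), _mac(sha), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))
    return eth + arp


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:01"   # hypothetical router
PHONE_IP, PHONE_MAC = "192.168.1.20", "bb:bb:bb:bb:bb:02"      # hypothetical target device
LAPTOP_MAC = "cc:cc:cc:cc:cc:03"                               # hypothetical poisoning host

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, PHONE_MAC, PHONE_IP),   # legitimate reply from router
    build_arp_reply(PHONE_MAC, PHONE_IP, GATEWAY_MAC, GATEWAY_IP),   # legitimate reply from phone
    build_arp_reply(LAPTOP_MAC, GATEWAY_IP, PHONE_MAC, PHONE_IP),    # poison: laptop claims router IP
    build_arp_reply(LAPTOP_MAC, PHONE_IP, GATEWAY_MAC, GATEWAY_IP),  # poison: laptop claims phone IP
]

if __name__ == "__main__":
    for ip, macs in detect_poisoning(SAMPLE_FRAMES):
        print(f"ALERT: {ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
```

To run this over a real capture you would feed it the raw frames of the Wireshark pcap (for instance via scapy's `rdpcap`, which is an assumption about tooling, not something the post uses). A conflict is a reason to investigate rather than proof of an attack: router failover protocols such as VRRP/HSRP and a replaced network card also make one IP appear with two MACs.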

The next step: ARP spoofing

The next step in this project was to monitor the packets sent over the network from the Android and iOS devices. In order to see the packets that were sent over the network, I set up an ARP spoof attack using Cain and Abel.

I chose to use an ARP spoof attack because when I tried to capture the packets over the network with Wireshark I wasn't able to see traffic from my devices. To overcome this, I did an ARP spoof attack on the devices using Cain and Abel.


Fig. 1 shows what an ARP spoof with Cain and Abel looks like.

While running the ARP spoof with Cain and Abel, I was also capturing the packets sent over the network using Wireshark. The traffic from the devices was now visible in Wireshark because I was ARP spoofing the devices while monitoring the network.

[Fig. 2: Wireshark capture taken during the ARP spoof]

Wireshark was able to capture a lot of traffic from the Android and iOS devices, but to make sifting through the collected data easier I used a tool called NetworkMiner. Using this tool I was able to analyze the data and see the files that were sent over the network.

Using NetworkMiner, I was able to look at the data captured with Wireshark. When looking at the data I noticed that the data from the app (in this case Bank of America's app) was sent through port 443 (red rectangle), over the SSL protocol (blue rectangle).


I also noticed that the data from Bank of America was sent using the DNS name mservice.ecglb.bac.com. This is shown in the orange square in the figure below.
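An added example (not part of the original post, and not NetworkMiner's code) of why the host name is visible even though the port 443 payload is encrypted: besides the cleartext DNS lookup, the TLS ClientHello that opens each connection carries the server name in the clear in its SNI extension, and capture tools recover it from the first packet of the session. The script builds a minimal ClientHello for mservice.ecglb.bac.com from constructed bytes (not the app's real traffic) and parses the host name back out.

```python
import struct


def extract_sni(payload: bytes):
    """Return the host name from the SNI extension of a TLS ClientHello record, else None."""
    # TLS record header: content type (0x16 = handshake), version (2 bytes), length (2 bytes)
    if len(payload) < 5 or payload[0] != 0x16:
        return None
    rec_len = struct.unpack_from("!H", payload, 3)[0]
    hs = payload[5:5 + rec_len]
    # Handshake header: type (0x01 = ClientHello), 24-bit length
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                        # client_version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                # session_id (length-prefixed)
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites (length-prefixed)
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                # compression_methods (length-prefixed)
    if pos + 2 > len(body):
        return None                                     # ClientHello without extensions
    ext_total = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    end = min(pos + ext_total, len(body))
    while pos + 4 <= end:                               # each extension: type(2), length(2), data
        ext_type, elen = struct.unpack_from("!HH", body, pos)
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if ext_type == 0x0000 and len(data) >= 5:       # server_name extension (RFC 6066)
            lpos = 2                                    # skip ServerNameList length
            while lpos + 3 <= len(data):                # entries: name_type(1), length(2), name
                name_type = data[lpos]
                name_len = struct.unpack_from("!H", data, lpos + 1)[0]
                lpos += 3
                name = data[lpos:lpos + name_len]
                lpos += name_len
                if name_type == 0:                      # 0 = host_name
                    return name.decode("ascii", "replace")
    return None


def build_client_hello(server_name: str, with_sni: bool = True) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (test data, not a real client's bytes)."""
    extensions = b""
    if with_sni:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 + host_name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
        extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32)                  # client_version 1.2, all-zero random
            + b"\x00"                                # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
            + b"\x01\x00"                            # one compression method (null)
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    hello = build_client_hello("mservice.ecglb.bac.com")
    print("SNI:", extract_sni(hello))                 # the name NetworkMiner showed for the app
```

Run over the first packet of each port 443 session in a capture, this inventories which services a device talks to without decrypting anything, which is how the bank traffic was identifiable here while its contents were not.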

[Fig. 3: NetworkMiner view of the Bank of America traffic]

I also noticed that the Bank of America app requests certificates to authenticate when the user signs in. The app asks for a VeriSign Class 3 certificate and the guzzoni.apple.com certificate.

[Fig. 4: certificate requests shown in NetworkMiner]

The NetworkMiner tool allows you to view the certificate that was sent to the host in a new window. From this I was able to see details about the certificate that was sent. Below are pictures of the VeriSign and guzzoni certificates.

[Fig. 5: certificate for guzzoni]

[Fig. 6: certificate for VeriSign]