
Lab on DNS and ARP Cache Poisoning


WIP == Work in Progress. Updated for Spring 2019. This was a fully working lab. Details of labs like these change in even a few months.

1 Lab Goals

The purpose of this lab is (i) to show that attacks that are possible in any LAN or Internet can be brought to Android, (ii) to show examples of APKs that are doing network-API-wise sophisticated things, and (iii) to bring awareness to widely present TCP/IP weaknesses.

This is a lab in the course Android Internals and Security.

2 Background + Ethics

Exercise great caution regarding where (physical location, and wired or wireless network) you run these experiments. It is possible that the sysadmins of your institution and other places will be upset with you.

Rooting and Wifi: The tasks of this lab need (i) a wifi router/AP, (ii) a victim device, and (iii) a rooted real device. Rooted because of the privileged operations (raw sockets and packet injection). Wifi because of the source code of the APKs that we intend to use. [Unfortunately, it is too hard to add wifi to the Android SDK's emulators.]

ARP and DNS poisoning are weaknesses of the TCP/IP suite, wired or wireless. The venerable (i) ettercap, (ii) hunt, and (iii) dsniff are ready-to-install packages on many Linux x86 distros. These are considerably more refined than the apps listed in the References. ARM builds, and hence Android APKs, of these are not readily found.

Power cycling the devices, in the worst case, should erase the lingering effects, if any, of these experiments.
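The defensive counterpart of Task 1 is an ARP-table monitor of the kind DroidSheep Guard (see References) implements. The script below is an added example, not code from this lab page or from DroidSheep Guard: it parses two snapshots of /proc/net/arp (the format a shell on a rooted Android or Linux device shows) and reports the two classic poisoning indicators, a known IP whose MAC changed, and one MAC claiming several IPs (the gateway-impersonation pattern). The snapshots, the IPs and the MAC addresses are constructed sample data; the live-read helper assumes /proc/net/arp is readable from the shell you run it in.

```python
"""ARP cache poisoning indicators from /proc/net/arp snapshots.

Added example; not part of the lab page or of DroidSheep Guard. Assumes the
Linux/Android /proc/net/arp layout:
IP address  HW type  Flags  HW address  Mask  Device
"""
from collections import defaultdict

# Constructed sample: a clean snapshot, then a later one in which the host at
# 192.168.1.50 (hypothetical) has become the MAC for the gateway IP 192.168.1.1.
CLEAN_SNAPSHOT = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:01     *        wlan0
192.168.1.50     0x1         0x2         de:ad:be:ef:00:50     *        wlan0
192.168.1.77     0x1         0x2         aa:bb:cc:00:00:77     *        wlan0
"""

POISONED_SNAPSHOT = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         de:ad:be:ef:00:50     *        wlan0
192.168.1.50     0x1         0x2         de:ad:be:ef:00:50     *        wlan0
192.168.1.77     0x1         0x2         aa:bb:cc:00:00:77     *        wlan0
"""


def parse_arp_table(text):
    """Return {ip: (mac, device)} for complete entries in a /proc/net/arp dump."""
    table = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, device = fields[:6]
        if int(flags, 16) & 0x2 == 0:  # ATF_COM bit: skip incomplete entries
            continue
        table[ip] = (mac.lower(), device)
    return table


def find_poisoning_indicators(previous, current):
    """Compare two parsed tables; return a list of (kind, detail) alerts."""
    alerts = []
    # Indicator 1: an IP we already knew now maps to a different MAC.
    for ip, (mac, _dev) in current.items():
        if ip in previous and previous[ip][0] != mac:
            alerts.append(("mac_changed", f"{ip}: {previous[ip][0]} -> {mac}"))
    # Indicator 2: a single MAC answers for several IPs (gateway impersonation).
    by_mac = defaultdict(list)
    for ip, (mac, _dev) in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("duplicate_mac", f"{mac} claims {sorted(ips)}"))
    return alerts


def read_live_arp_table(path="/proc/net/arp"):
    """Read this device's own ARP table (assumes a Linux/Android shell with read access)."""
    with open(path) as fh:
        return parse_arp_table(fh.read())


if __name__ == "__main__":
    before = parse_arp_table(CLEAN_SNAPSHOT)
    after = parse_arp_table(POISONED_SNAPSHOT)
    for kind, detail in find_poisoning_indicators(before, after):
        print(f"[{kind}] {detail}")
```

On a real device, take a baseline with read_live_arp_table() while the network is known to be clean, then poll it periodically and diff against the baseline; a changed gateway MAC is the signal to look for in your Task 1 transcript. Note that a MAC legitimately changes when a router is replaced or a DHCP lease moves to a new host, so the monitor flags, and a human decides.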

3 Tasks

3.1 Task 1: Deliver ARP Poison

Task: One device conducts the ARP poisoning. Another device suffers it. Select an APK from the listed references. Conduct a MiTM attack. Weight 25%.

Deliverables: (i) Describe the MiTM attack you chose. (ii) Transcript of ARP poisoning, and the MiTM session. (iii) Screenshots.

3.2 Task 2: Deliver DNS Poison

Task: One device conducts the DNS poisoning. Another device suffers it. Select an APK (not the same as above) from the listed references. Conduct a MiTM attack. Weight 25%.

Deliverables: (i) Describe the MiTM attack you chose. (ii) Transcript of DNS poisoning, and the MiTM session. (iii) Screenshots. (iv) A table comparing ARP and DNS poisoning – similarities and dissimilarities.

3.3 Task 3: Critique an APK #1

Task: Experiment with any one of the APKs (weight 25%) described in

  1. https://fossbytes.com/10-best-android-hacking-app/ (2019)
  2. https://www.hackread.com/2016-best-hacking-apps-for-android-phones/ (2016)
  3. https://techviral.net/best-android-hacking-apps/

Deliverables: (i) Screenshots, (ii) Critique (the good + the bad + your constructive suggestions + judgement/opinions).

3.4 Task 4: Critique an APK #2

Task: Experiment with a second APK from the lists in Task 3 (weight 25%). You must choose a different one from the one you used in Task 3.

Deliverables: As above.

4 Submission

Submit on Pilot into the dropbox folder Cache-Poisoning.

There should be four APK files, and one pdf file named exactly Report-L3.pdf that includes all screenshots, and your commentary on all aspects of this lab. Scripts are used to check various things – so file names should obey "rules". Suggestions as to what this commentary should focus on are spread out in the above.

5 References

  1. Prabhaker Mateti, (i) Rooting an Android Virtual or Real Device, (ii) ARP Cache Poisoning, (iii) DNS Cache Poisoning, (iv) TCP/IP Exploits, Lecture Notes, 2019.
  2. DroidSheep can ARP poison. The companion DroidSheep Guard monitors the Android device's ARP table. With a few tweaks, the source code builds into an .apk readily. DroidSheep is no longer available on Google Play. DroidSheep was part of a BS Thesis.
  3. http://www.csploit.org/ is a FOSS fork of the discontinued dSploit.apk; it can do ARP and DNS poisoning. dSploit was bought and has been revised into zANTI2. This article is a decent tutorial of cSploit. Please download from FDroid.org. Further details: ./cSploit-details.html.
  4. Network Spoofer can do ARP and DNS poisoning. The site has links to its .apk that can be side loaded. Building from source is slightly difficult. Needs http://jsoup.org, etc.
  5. Android OS Monitor https://github.com/eolwral/OSMonitor is FOSS. Please download from FDroid.org.
  6. https://play.google.com/store/apps/details?id=jolt151.ettercapforandroid Ettercap for Android

6 End

Copyright © 2019 Dr Prabhaker Mateti • 2019-03-25