CS338 Computer Security
Friday, 14 November 2025

+ Questions?

+ ARP poisoning homework from CS338 Fall 2023
    - https://cs.carleton.edu/faculty/jondich/courses/cs338_f23/assignments/13-arp-poisoning.html
    - "Metasploitable" is a small Linux VM used as the target of the attack in this homework exercise

+ Routing decision
    - I (a computer on the network) have an IP packet
    - Its destination address is not me
    - I need to give it to the next machine along its journey (i.e., its "next hop")
    - Which of my immediate neighbor machines is the best next hop?
    - [What's the hardware address of that machine so I can actually perform the handoff?]

+ So, given an IP packet P...
    - What's the destination IP? It's in the IP header of the packet P
    - What's the IP of the next hop? Routing table (people can see it with "netstat -r")
    - What's the hardware address of the next hop? ARP cache (see it with "arp -a")
    - Wrap P in a hardware/"ethernet" header and send it

+ Demo
    - Target (Ubuntu VM)
    - Attacker (Kali VM)
    - Gateway (host system macOS)
    - Action to observe
        - Target visits http://cs338.jeffondich.com/
    - Before
        - Everybody: look at routing tables
        - Everybody: look at ARP caches
        - Attacker: sniff ARP packets with tcpdump
        - Attacker: sniff cs338.jeffondich.com packets with wireshark
        - Target: visit http://cs338.jeffondich.com/
        - Attacker: can I see the TCP and HTTP traffic from Target?
    - Attack
        - Attacker: keep sniffing ARP packets with tcpdump
        - Attacker: keep sniffing cs338.jeffondich.com packets with wireshark
        - Attacker: launch ettercap and initiate the ARP spoofing/poisoning
        - Target: visit http://cs338.jeffondich.com/
        - Attacker: can I see the TCP and HTTP traffic from Target?
        - Everybody: look at ARP caches

+ Follow-up questions
    - Why couldn't we demo this with just our laptop host system and our Kali VM?
    - Could Attacker have acted as Eve without ARP poisoning?
    - How can we tell the difference between being Eve and being Mal?
        - Look at the hardware destination address in the captured packet: if it's me, the attacker, then I'm being Mal; if it's not, I'm just spying and I'm Eve
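
Added example, not part of the original lecture notes: the lookup chain from "So, given an IP packet P..." in Python, run against an ARP cache before and after poisoning, together with the check to make when everybody looks at their ARP caches (one MAC claimed by several IPs). All addresses, MACs and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: every address and MAC below is made up.
ROUTES = [  # (destination network, gateway IP, or None if directly on-link)
    ("192.168.64.0/24", None),
    ("0.0.0.0/0", "192.168.64.1"),
]
ARP_BEFORE = {
    "192.168.64.1": "aa:aa:aa:aa:aa:01",  # Gateway
    "192.168.64.5": "aa:aa:aa:aa:aa:05",  # Attacker VM
}
# Target's cache after poisoning: the gateway's IP now maps to Attacker's MAC.
ARP_AFTER = dict(ARP_BEFORE, **{"192.168.64.1": "aa:aa:aa:aa:aa:05"})


def next_hop_ip(dst_ip, routes):
    """Routing table step: longest-prefix match; on-link means deliver directly."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(net), gw) for net, gw in routes
               if dst in ipaddress.ip_network(net)]
    if not matches:
        raise LookupError(f"no route to {dst_ip}")
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return gw if gw is not None else dst_ip


def ethernet_dst(dst_ip, routes, arp_cache):
    """ARP cache step: hardware address the frame wrapping the packet goes to."""
    hop = next_hop_ip(dst_ip, routes)
    if hop not in arp_cache:
        raise LookupError(f"no ARP entry for {hop}; an ARP request would go out")
    return arp_cache[hop]


def shared_macs(arp_cache):
    """MACs claimed by more than one IP: the thing to look for in `arp -a`."""
    by_mac = {}
    for ip, mac in arp_cache.items():
        by_mac.setdefault(mac.lower(), []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    # 203.0.113.10 stands in for the web server's address (constructed).
    for label, cache in (("before", ARP_BEFORE), ("after", ARP_AFTER)):
        print(label, ethernet_dst("203.0.113.10", ROUTES, cache), shared_macs(cache))
```

The routing table is identical in both runs; only the ARP cache differs, which is why the frame's hardware destination changes while the IP header does not.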