ICMP redirection with BetterCAP
ICMP is part of the internet protocol suite, and ICMP messages are interesting in that they are themselves carried in IP packets. They are, thus, interesting little nuggets seen on IP networks, and RFC 792 is fascinating reading, a true nail-biter. While just about anyone worthy of the title of techie is familiar with ICMP via the famous ping utility (ICMP ECHO), the protocol has additional power that is understood more by network administrators than by the average user.
One of those features is redirect: a message that advertises a better route to a destination based on a set of criteria. In our case, we spoof such a message with the intent of poisoning a dynamically updated routing table. Whereas with ARP spoofing we crafted messages designed to trick devices into sending their data to a particular link layer address, with ICMP we're spoofing at the network layer and suggesting a better route for traffic. Naturally, that route passes through our attacking interface. It's like telling the driver of an armored truck, "Highway 75 is closed due to an accident, so take this shady back alley instead - it's faster." Meanwhile, our goons are waiting in that alley to steal some money from the truck.
I'm willing to take the time and break down this sophisticated attack for you, but again, one of BetterCAP's strengths is allowing us to get straight to work. A single-line command is all we need:
# bettercap -S ICMP --full-duplex --sniffer-output BetterCapICMP
The following screenshot illustrates the output of the preceding command. The options break down as follows:
- -S ICMP specifies that we're using ICMP to conduct the man-in-the-middle spoofing attack.
- --full-duplex tells BetterCAP to spoof in both directions; generally, you'll want to select this option.
- --sniffer-output [file name] defines our .pcap output for our analysis in Wireshark. (Don't forget to use display filters to clean up that ICMP noise!) The sniffer isn't enabled by default, but defining a .pcap output file enables it automatically.
I know what the hacker in you is thinking: what about target selection? Great point. By default, BetterCAP targets everyone. On our cozy lab LAN, this is exactly what we want in order to see just what this gem of a tool can do. On just about any real-world pen testing engagement, where part of your job is to demonstrate to the client what you can get away with before being caught, this is a great way to get slapped on the wrist on your first day.
For your study, it's nice to pull up the capture in Wireshark to see what's happening under the hood. Note that this is no less obnoxiously noisy than ARP spoofing, as you can see. Of course, just as ARP spoofing can be defended against, ICMP redirection attacks can be defended against – and they're a little easier to stop. For example, routers configured with static routes render our little sleight of hand useless.
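On the defensive side, the same noise that shows up in Wireshark is easy to alert on. The following is an added example (not from the book and not part of BetterCAP): a small parser for ICMP redirect messages (RFC 792 type 5) that flags any redirect not sent by, or not pointing at, a router on an allowlist. The sample datagrams, addresses and the trusted-gateway list are constructed for illustration.

```python
import struct
import ipaddress

ICMP_REDIRECT = 5  # RFC 792 message type
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}

def parse_redirect(datagram: bytes):
    """Return a dict describing an ICMP redirect, or None for anything else."""
    if len(datagram) < 28 or (datagram[0] >> 4) != 4 or datagram[9] != 1:
        return None                      # not IPv4 carrying ICMP
    ihl = (datagram[0] & 0x0F) * 4
    icmp = datagram[ihl:]
    icmp_type, code, _csum, gateway = struct.unpack("!BBH4s", icmp[:8])
    if icmp_type != ICMP_REDIRECT or len(icmp) < 28:
        return None
    inner = icmp[8:]                     # original IP header + 8 bytes of data
    return {
        "sender": ipaddress.IPv4Address(datagram[12:16]),
        "code": REDIRECT_CODES.get(code, "unknown"),
        "new_gateway": ipaddress.IPv4Address(gateway),
        "destination": ipaddress.IPv4Address(inner[16:20]),
    }

def flag_redirects(datagrams, trusted_gateways):
    """A redirect from, or pointing at, anything but a known router is an alert."""
    trusted = {ipaddress.IPv4Address(g) for g in trusted_gateways}
    alerts = []
    for d in datagrams:
        r = parse_redirect(d)
        if r and (r["sender"] not in trusted or r["new_gateway"] not in trusted):
            alerts.append(r)
    return alerts

def build_redirect(src, new_gw, victim, dest):
    """Constructed test traffic: IPv4 datagram with an ICMP host redirect (code 1).
    Checksums are left at zero; the detector above does not verify them."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                        ipaddress.IPv4Address(victim).packed,
                        ipaddress.IPv4Address(dest).packed) + b"\x00" * 8
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0,
                       ipaddress.IPv4Address(new_gw).packed) + inner
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(victim).packed)
    return hdr + icmp

SAMPLE = [  # constructed: one redirect between real routers, one forged one
    build_redirect("192.168.1.1", "192.168.1.2", "192.168.1.50", "8.8.8.8"),
    build_redirect("192.168.1.1", "192.168.1.200", "192.168.1.50", "8.8.8.8"),
]
```

The second sample spoofs the router's own source address, which is why the check also compares the advertised gateway against the allowlist rather than trusting the sender alone.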