MITM/ARP Poisoning
From charlesreid1
ARP = address resolution protocol = the protocol for mapping MAC addresses to IP addresses
Some Background
How ARP Works
This refers to some concepts about network communications protocols covered on the Packet Analysis page.
ARP is a way of using Layer 2 addressing, MAC addresses, with Layer 3 addressing, or IP addresses.
To communicate with other devices on a network, you use their IP addresses. But routers operate on Level 2, MAC addresses. That means that communicating with other devices on a network also requires knowing their MAC address. Getting a MAC address from an IP address is done through ARP.
When computer A is crafting a packet to computer B, it begins by seeing if computer B is in the ARP cache, meaning computer A would already have computer B's MAC address. If not found, computer sends a broadcast packet to FF:FF:FF:FF:FF:FF and asks for which computer at which IP address owns a particular MAC address.
Computers C, D, and E discard the packet. But the recipient, computer B, crafts a reply with its MAC address with an ARP reply. When computer A receives the reply, it stores that information in the computer's ARP cache.
How ARP Poisoning (Spoofing) Works
This is the process of fooling a switch or router into thinking your computer has a MAC address that it actually doesn't.
One way to use ARP poisoning is to tap the wire of a network, and intercept traffic from a router to a target computer. In this case, you're fooling the router into sending you the traffic instead, and you forward the traffic on to the target computer like nothing ever happened.
Another way to use ARP poisoning is to cause denial of service attacks. In this case, client requests are sent to a router, which then forwards traffic to a particular MAC address at a particular IP address. Except, the destination computer isn't who it's supposed to be, and so isn't ready for the traffic.
A note that when you start intercepting packets on the computer with the spoofed MAC address, you should be ready for whatever bandwidth those requests are coming in at - by inserting yourself between the router and the target, you become the bottleneck.
Important Caveats About ARP Spoofing
Restrictions
ARP attacks occur at the Network layer, Layer 3, and by nature the attack can only occur from/to computers on the same subnet.
Warnings
ARP attacks generate a massive amount of traffic, and are easy to spot if the network is being actively monitored or if there are any IDS systems in place. Also, if you try and ARP spoof an entire subnet, that can quickly overwhelm your hardware. Be careful and know what you're doing.
Optimal Targets
Optimal targets for ARP spoofing attacks are unmonitored networks, low-traffic networks, home networks.
Power of ARP Spoofing
ARP spoofing is only possible on a local network, and is easily detectable. But that doesn't mean it isn't potent - it is a serious flaw that exists in every properly-implemented network stack. It also poses a risk for extending security breaches - if someone can break into a single machine on a subnet, ARP spoofing can be used to compromise the rest of the subnet.
Pauls Security Podcast Wiki Notes
The best ways to Arp cache poison?
send_arp
Program called send_arp (http://insecure.org/sploits/arp.games.html), very simple example given below in which the ARP cache entry for the DNS server is poisoned.
DNS Server: 192.168.1.10
Attacker: 192.168.1.67
Victim: 192.168.1.61
./send_arp \
192.168.1.10 00:1f:c6:7b:4e:a2 \
192.168.1.61 00:0c:6e:20:6b:4e
In this example, 192.168.1.10 is our DNS server, followed by its Mac address.
192.168.1.61 is our victim, followed by its MAC address.
The above command sends the arp entry for 192.168.1.10 to 192.168.1.61. In my example, I am tell the client "Hey, your DNS server's MAC address is really 00:1f:c6:7b:4e:a2". This now means that all of that traffic will be forwarded to that mac address.
The target should be totally fooled. Check by firing up tcpdump on the attacker machine:
16:17:24.561166 IP 192.168.1.61.2073 > 192.168.1.10.53: 3+ A? amazon.com. (28) 16:17:24.561179 IP 192.168.1.61.2073 > 192.168.1.10.53: 3+ A? amazon.com. (28)
But wait! There's more! The client is not happy, let's found out why!
packet forwarding
From the perspective of the attacker, things are not going to go down smoothly. In the tcpdump traffic shown above, you can see requests going to our computer (since we poisoned the ARP table entry, everything will go to our hardware). But the traffic, when it arrives, is addressed to 192.168.1.10, which is the IP address the DNS server is supposed to have. But the attacker machine has an IP address of 192.168.1.67. Layer 2 was set up properly, but Layer 3 wasn't.
DNS requests have been properly routed to our hardware on Level 2, but even if a DNS server were running, the traffic isn't addressed to us, so the network card will, by default, ignore the packets unless they're addressed to 192.168.1.67.
To fix this, enable packet forwarding in the Linux kernel:
echo "1" > /proc/sys/net/ipv4/ip_forward
By enabling packet forwarding, the Linux kernel will forward, unmodified, any packets it receives for any non-192.168.1.67 addresses. This way, your computer will receive all network traffic, but will pass it along as though nothing happened. This makes passive attacks that intercept traffic and sniff packets possible.
Manipulating DNS
If you want to modify the DNS traffic, there are multiple options (e.g.?)
Windows folks can use the program Cain and Abel to modify DNS entries as they go by. Cain and Abel does ARP poisoning of the routing layer, allowing you to rewrite responses to DNS queries and change DNS entries.
Countermeasures
You can detect and mitigate attacks with a program like Arpwatch, or by using Snort to monitor the ARP table.
This can be a good way to control hosts on a network.
Resources/Links
Designing/implementing more secure ARP variation: http://www.cs.sjsu.edu/faculty/stamp/students/Roney298report.pdf
ARP and ICMP redirection games: http://insecure.org/sploits/arp.games.html
Flags
 |
monkey in the middle attacks in which an attacker tricks two parties into thinking they're communicating with each other, but both are communicating with the attacker.
Wireless Attacks: MITM/Wireless Wired Attacks: MITM/Wired
Layer 1 and 2 MITM Attacks: Network Tap: MITM/Wired/Network Tap Evil Twin Attack: Evil Twin · MITM/Evil Twin
Layer 3 and 4 MITM Attacks:
ARP Poisoning: MITM/ARP Poisoning Traffic Injection/Modification: MITM/Traffic Injection DNS Attacks: MITM/DNS · Bettercap/Failed DNS Spoofing Attack · Bettercap/Failed DNS Spoofing Attack 2 DHCP Attacks: MITM/DHCP WPAD MITM Attack: MITM/WPAD Port Stealing: MITM/Port Stealing Rushing Attack: MITM/Rushing Attack Attacking HTTPS: MITM/HTTPS
Session Hijacking: MITM/Session Hijacking
Toolz:
SSLSniff · SSLStrip · Frankencert
MITM Labs: {{MITMLabs}}
Category:MITM · Category:Attacks · Category:Kali Attack Layers Template:MITMLabs · Template:MITMFlag Flags · Template:MITMFlag · e |
|
Networking pages and notes about computer networks.
Man in the Middle attack vectors on wired networks: Man in the Middle/Wired Packet analysis with Wireshark: Wireshark Packet Analysis Linux networking: Linux/Networking
Using Aircrack: Aircrack Many Ways to Crack a Wifi: Cracking Wifi
Linux/Networking · Linux/SSH · Linux/File Server
Notes on OpenVPN: OpenVPN Setting Up a Static Key VPN: OpenVPN/Static Key
Domain Name Servers: DNS · Linux/DNS IP Version 6: IPv6
Wireshark · SSH · Stunnel · Tor · Ettercap · Aircrack · Tcpdump
Tunnels · HTTP and HTTPS · SSH Tunnels · Linux/SSH
|