Man in the Middle/ARP Poisoning
ARP = address resolution protocol = the protocol for mapping MAC addresses to IP addresses
How ARP Works
This refers to some concepts about network communications protocols covered on the Packet Analysis page.
ARP is a way of tying Layer 2 addressing (MAC addresses) to Layer 3 addressing (IP addresses).
To communicate with other devices on a network, you use their IP addresses. But routers operate on Layer 2, MAC addresses. That means that communicating with other devices on a network also requires knowing their MAC address. Getting a MAC address from an IP address is done through ARP.
When computer A is crafting a packet to computer B, it begins by seeing if computer B is in the ARP cache, meaning computer A would already have computer B's MAC address. If not found, computer A sends a broadcast packet to FF:FF:FF:FF:FF:FF and asks which computer at which IP address owns a particular MAC address.
Computers C, D, and E discard the packet. But the recipient, computer B, crafts an ARP reply containing its MAC address. When computer A receives the reply, it stores that information in its ARP cache.
How ARP Poisoning (Spoofing) Works
This is the process of fooling a switch or router into thinking your computer has a MAC address that it actually doesn't.
One way to use ARP poisoning is to tap the wire of a network, and intercept traffic from a router to a target computer. In this case, you're fooling the router into sending you the traffic instead, and you forward the traffic on to the target computer like nothing ever happened.
Another way to use ARP poisoning is to cause denial of service attacks. In this case, client requests are sent to a router, which then forwards traffic to a particular MAC address at a particular IP address. Except, the destination computer isn't who it's supposed to be, and so isn't ready for the traffic.
Note that when you start intercepting packets on the computer with the spoofed MAC address, you should be ready for whatever bandwidth those requests are coming in at - by inserting yourself between the router and the target, you become the bottleneck.
Important Caveats About ARP Spoofing
ARP attacks occur at the Network layer, Layer 3, and by nature the attack can only occur from/to computers on the same subnet. While this does mean the attacker must carry out the attack "locally" (network-wise), it also means that an attacker can use a single infected node on a network to attack an entire subnet, meaning attacks can propagate extremely quickly. Given that ARP poisoning also provides the opportunity to inject content into traffic, it makes embedding malicious scripts and installing malware very easy and can cause infections to spread quickly if it is part of a kill chain.
ARP attacks generate a massive amount of traffic, and are easy to spot if the network is being actively monitored or if there are any IDSes in place. Also, if you try to ARP spoof an entire subnet, that can quickly overwhelm your hardware. Be careful and know what you're doing.
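The monitoring mentioned above can key on ARP itself. As an added example (not code from the original page), this Python monitor parses raw ARP frames, tracks IP-to-MAC bindings the way a host's ARP cache does, and flags replies nobody asked for and IP addresses that change owner. The names `parse_arp` and `ArpWatch` and the sample frames are assumptions constructed for illustration.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return ARP fields of an Ethernet II frame, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": _mac(eth_src), "sha": _mac(sha), "spa": _ip(spa), "tpa": _ip(tpa)}

class ArpWatch:
    """Passive monitor (hypothetical name): mirrors the IP -> MAC learning of an ARP cache."""
    def __init__(self):
        self.bindings = {}    # IP -> first MAC seen claiming it
        self.pending = set()  # (requester IP, requested IP) still awaiting a reply

    def observe(self, frame):
        p, alerts = parse_arp(frame), []
        if p is None:
            return alerts
        if p["eth_src"] != p["sha"]:  # Ethernet header and ARP payload disagree
            alerts.append(f"frame source {p['eth_src']} != ARP sender {p['sha']}")
        if p["op"] == ARP_REQUEST:
            self.pending.add((p["spa"], p["tpa"]))
        elif p["op"] == ARP_REPLY and (p["tpa"], p["spa"]) not in self.pending:
            alerts.append(f"unsolicited reply for {p['spa']}")
        self.pending.discard((p["tpa"], p["spa"]))
        if p["spa"] != "0.0.0.0":  # ARP probes carry no sender IP to learn
            known = self.bindings.setdefault(p["spa"], p["sha"])
            if known != p["sha"]:
                alerts.append(f"{p['spa']} changed from {known} to {p['sha']}")
        return alerts

# Constructed sample frames (hex fields), not captured traffic.
def _frame(dst, src, op, sha, spa, tha, tpa):
    return bytes.fromhex(dst + src + "0806" + "0001" + "0800" + "0604" + op + sha + spa + tha + tpa)
A, B, X = "02000000000a", "02000000000b", "0200000000ee"
IP_A, IP_B = "c0a8010a", "c0a8010b"  # 192.168.1.10 and 192.168.1.11
SAMPLE = [
    _frame("ff" * 6, A, "0001", A, IP_A, "00" * 6, IP_B),  # A broadcasts a request for B
    _frame(A, B, "0002", B, IP_B, A, IP_A),                # B answers the request
    _frame(A, X, "0002", X, IP_B, A, IP_A)]                # a third MAC also claims B's IP
if __name__ == "__main__":
    for alerts in map(ArpWatch().observe, SAMPLE): print(alerts)
```

The first two frames are the normal request/reply exchange and raise nothing; the third raises both the unsolicited-reply and the changed-binding alert.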
Optimal targets for ARP spoofing attacks are unmonitored networks, low-traffic networks, home networks, and very trusting people who have little familiarity with technology, let alone security certificates. They're likely to have an older browser without many of the built-in trust mechanisms. Their browser might even have a "Proceed Anyway" button with a checkbox that says "Store this exception permanently." This would mean the HTTP proxy's certificate has been added to the list of servers this computer trusts utterly and absolutely.
Power of ARP Spoofing
ARP spoofing is only possible on a local network, and is easily detectable. But that doesn't mean it isn't potent - it is a serious flaw that exists in every properly-implemented network stack. It also poses a risk for extending security breaches - if someone can break into a single machine on a subnet, ARP spoofing can be used to compromise the rest of the subnet.
ARP Poisoning Procedure
Understand what we're getting into: what kind of network, how many sheep, and whether you're MITMing HTTP or HTTPS. Note that if you wish to MITM HTTPS, you should be targeting old browsers, trusting people, and the technologically unsavvy - not enterprise networks and paranoid people.
Then continue: MITM Labs/Bettercap SSL Over Wifi
Designing/implementing more secure ARP variation: http://www.cs.sjsu.edu/faculty/stamp/students/Roney298report.pdf
ARP and ICMP redirection games: http://insecure.org/sploits/arp.games.html
Man in the middle attacks: attacks in which an attacker tricks two parties into thinking they're communicating with each other, but both are communicating with the attacker.