ARPspoofing and MiTM
One of the classic hacks is the Man in the Middle attack. In this attack, the hacker places themselves between the client and the server and thereby has access to all the traffic between the two.
In general, when an attacker wants to place themselves between a client and server, they will need to spoof the ARP of the two systems. This is not the only method to conduct an MiTM attack, but it is probably the most common on Local Area Network (LAN).
The MiTM attack is one of the most popular and effective attacks in hacking. In its simplest form, MiTM is simply where an attacker places themselves between a client and server and allows all the traffic to pass transparently through their system. This requires that the attacker convince the server that they are the client and convince the client that they are the server. Of course, the risk to those two systems is that the man in the middle can see all their traffic and, if they choose to, alter the packets.
The risks of MiTM attacks are;
* sniffing passwords
* espionage
* corrupted or altered communication
* impersonation
I. What is ARP?
ARP is Address Resolution Protocol and it translates between 40-bit physical MAC addresses and 32-bit logical IP addresses. It essence, it translates network layer 3 addresses to layer 2 data link layer addresses. This enables network switches and other network devices to identify which NIC card has which IP address and thereby send the proper traffic and only the proper traffic to each system.
The switch collects MAC addresses and maps them to IP addresses by sending out broadcast ARP requests. These ARP requests are not checked or verified in any way, so any system can respond with whatever information they want. An attacker can use this system to send a spoofed ARP reply telling the switch that it has been assigned an IP address of another machine. Once that is done, the switch will send the NIC with the spoofed IP the packets intended for the victim.
II. arpspoof
ARPspoof is tool from a suite of tools known as dsniff developed by Dug Song at the University of Michigan. This suite of tools includes;
* arpspoof
* dsniff
* macof
* tcpkill
* filesnarf
* mailsnarf
* urlsnarf
* webspy
* sshmitm
* webmitm
* and others.
ARPspoof and many of the others are built into our Kali Linux distribution, so we don't need to download and install anything. In this demonstration and lab, we will be using primarily arpspoof and dsniff.
III. MiTM using arpspoof and dsniff
In this lab, we will be using three machines;
(1) a client, Windows 7
(2) a server, Debian Linux
(3) an attacker,Kali system
I will be doing it using Virtual Machines.
The diagram below illustrates what we will be doing in the coming lab.
First, let's use a Windows 7 system as our client system as seen below. Let's note that it's IP address is 192.168.1.116.
Then, let's use a Debian Linux system as our server. I will use a yellow background on the Debian system to clearly distinguish it from the attacker system in the middle. Here, let's start a ping of the Windows 7 system. As pings in Linux are continuous, just allow it to continue indefinitely. If you are using a Windows system, pings only continue for four pings, so you will need to set up a continuous ping by typing;
kali > ping 192.168.1.116 -t
The pings are now hitting the Windows 7 system and are being echo-ed back.
In our next step, we will need three (3) terminals on our Kali system. What we will be doing is spoofing the ARP cache to;
(1) make the Debian system think we are the Windows 7 system;
(2) make the Windows 7 system think we are the Debian system;
(3) forward the packets through our attacking system so that the connection between these two is transparent and does not disrupt their communication.
First, let's use the arpspoof command to fool the Windows 7 system into believing we are the Debian system.
kali > arpspoof -t 192.168.1.116 192.168.1.118
Next, in a separate terminal, let's use arpspoof to fool the Debian system into believing we are the Windows 7 system. Notice that simply reversed the IP addresses of the above command.
kali > arpspoof -t 192.168.1.118 192.168.1.116
When we do so, we can see that the pings have stopped returning to the Debian system.
If we can get the pings to pass through our attacker (Kali) system to the Windows 7 system, the pings should resume.
From a third terminal on our Kali system, we need to allow packets to pass through our operating system. That can be done by using a command in Linux called ip_forward. We can initiate this type of packet passing by typing;
kali > echo 1 > /proc/sys/net/ipv4/ip_forward
Where:
echo 1 tells the kernel to place a 1 (1=enable, 0 = disable) in the ip_forward field in the proc directory.
When we do so, the pings should pass right through our Kali system kernel to the Windows 7 system. In essence, we have placed ourselves in the middle between the Windows 7 system and the Debian system so that all their traffic passes through us.
When we go back to the Debian system we can see that the pings have resumed and are passing right through our attacker system!
IV. dsniff
Now that we have successfully placed ourselves in the middle between these two computers, we have many options that can be used against the two victims. One of those options is to use a sniffer that is capable of detecting credentials crossing the wire and grab them.
Dsniff is a sniffer--also developed by Dug Sung--that sniffs the traffic now passing through our attack system and looks for credentials. It is capable of identifying and grabbing the following types of credentials;
FTP
Telnet
SMTP
HTTP
POP
poppass,
NNTP
IMAP
SNMP
LDAP
Rlogin
RIP
OSPF
PPTP
MS-CHAP
NFS
VRRP
YP/NIS
SOCKS
X11
CVS
IRC
AIM
ICQ,
Napster
PostgreSQL
Meeting Maker,
Citrix ICA,
pcAnywhere,
NAI Sniffer,
Microsoft SMB,
Oracle SQL*Net,
Sybase
Microsoft SQL protocols.
Now that we have the traffic crossing through our attack system, we can use dsniff to capture the traffic and place it in a file named sniffed.txt.
kali > dsniff -i eth0 -w sniffed.txt
Even if we aren't interested in sniffing credentials, we can use a sniffer like tcpdump to few all the traffic coming to and leaving our system as seen below.
In addition, the dsniff suite of tools includes the following that can be used once you have established yourself in the middle.
* tcpkill used to terminate TCP connections
* mailsnarf captures SMTP mail traffic
* URLSnarf captures and outputs all requested URL's sniffed from HTTP traffic.
If we use URLSnarf on our attack system while being in the middle and one system navigates out to the web, we can view the URL's and other info by typing;
kali > urlsnarf
Conclusion
Man in the Middle is one of the classic hacking attacks. It has many varieties, but on a local area network (LAN) , arpspoof is one of the favorite. In this way, the attacker has total access to all packet traffic and can thereby read and alter the traffic at will.