Source: pages.mtu.edu/~xinlwang/itseed/labs/Spoof_MiTM.pdf
1 | Page
Spoofing and Man-in-the-Middle Attacks
Date Assigned: mm/dd/yyyy
Time Due: mm/dd/yyyy by hh:mm
Educational Objectives
This lab will introduce you to both ARP spoofing and man-in-the-middle attacks and how they
are carried out within a networked environment.
Lab Environment
The following machines are needed to conduct this lab:
CentOS Linux, CentOS6.4
Backtrack 5, BT5R3
Windows 7, Win7
Fedora 18, FC18
All computers must be networked and accessible to each other.
Summary
When you connect to another computer you usually take for granted the protocols used to find the
destination machine. Within a LAN, the IP address of the destination is resolved to the MAC address
a frame must be sent to by ARP (Address Resolution Protocol).
In this lab you will learn how to poison victims' ARP caches and how to sniff connections passively and
actively. Before any tool is used to poison an ARP cache you will first do some preliminary exercises
to understand how to inspect and manipulate your own ARP cache. Once you understand ARP and how
the ARP cache is used, the following exercises use ARP poisoning to sniff and attack connections. The
first of these introduces Ettercap, a powerful tool for ARP poisoning and various other LAN attacks.
Next you will passively and then actively sniff a connection between two victim machines. After
completing these exercises you will have a good understanding of how man-in-the-middle attacks occur.
Background
What is ARP?
Address Resolution Protocol (ARP) is the protocol for mapping an Internet Protocol (IP) address to
the physical machine address recognized on the local network. In IP version 4, the most widely
deployed version today, an address is 32 bits long; on an Ethernet local area network, however, the
addresses of attached devices are 48 bits long. (The physical machine address is also known as the
Media Access Control or MAC address.) A table, usually called the ARP cache, records the IP-to-MAC
binding of each host the machine has recently communicated with. ARP itself resolves only in the
IP-to-MAC direction; the reverse lookup is handled by a separate protocol, RARP, described below.
How ARP Works
When a host (or a gateway forwarding on behalf of another network) has an IP packet for a machine
on its local area network, it asks the ARP implementation for the MAC address that matches the
destination IP address. ARP first looks in the ARP cache; if it finds an entry, the packet is
encapsulated in a frame addressed to that MAC and sent. If no entry is found, ARP broadcasts a
request to every machine on the LAN asking which one owns that IP address. The machine that
recognizes the IP address as its own returns a unicast reply carrying its MAC address. The requester
stores the mapping in its ARP cache for future use and then sends the waiting packet to the MAC
address that replied. Because link-layer details differ for each type of network, ARP is specified
separately for Ethernet (RFC 826), ATM, Fiber Distributed Data Interface (FDDI) and other media.
There is also a Reverse ARP (RARP) for machines that do not know their own IP address: they
broadcast their MAC address and a RARP server on the LAN answers with the IP address assigned
to that MAC.
What is ARP poisoning and a man-in-the-middle attack?
The Address Resolution Protocol determines the mapping between IP addresses and MAC hardware
addresses on a local network. For example, a host that wants to send a message to IP address
10.0.0.2 on the local network broadcasts an ARP request asking for the MAC of that IP. The host
that owns 10.0.0.2 returns an ARP reply carrying its MAC address. The requesting host then sends
the message and stores the IP-to-MAC mapping for future packets.
To minimize network traffic, ARP implementations update their cache of IP-to-MAC mappings when
ARP requests or replies arrive, without requiring that a request be outstanding. The exact rules vary
by operating system, but many stacks accept an unsolicited reply and overwrite an existing entry,
which is the behaviour this lab relies on. If the MAC address reported in the packet for a given IP
differs from the cached one, the new value overwrites the old. ARP replies are unicast packets
directed at one machine, so only that machine updates its cache.
Figure 1. Setting up a man in the middle attack by C against A and B.
The particular kind of ARP attack examined in this lab uses ARP reply packets to perform cache
poisoning, which in turn makes many sorts of man-in-the-middle attack possible. Consider the
example depicted in Figure 1. The attacker, host C, sends an ARP reply to B stating that A's IP maps
to C's MAC address, and another ARP reply to A stating that B's IP maps to C's MAC address. Since
ARP is stateless, A and B do not check whether they ever sent a matching request; they simply
update their ARP caches with the new information.
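The request/reply exchange described under "How ARP Works" and the poisoning step just described, as an added worked example that is not part of the original lab handout. It builds and parses Ethernet/ARP frames with only the Python standard library and simulates hosts A, B and C from Figure 1 in memory; the MAC and IP addresses are constructed for the example and nothing is put on the wire. The Host class models the trusting cache update the text describes; real operating systems differ in detail (some ignore unsolicited replies for IPs that are not already cached).

```python
"""ARP over Ethernet: frame build/parse and an in-memory poisoning scenario.

Added example, not code from the original lab. Addresses below are
constructed; hosts A, B and C stand in for Figure 1.
"""
import struct

ETH_P_ARP = 0x0806          # EtherType for ARP
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + 28-byte ARP body in the RFC 826 layout.
    Requests go to the broadcast MAC; replies are unicast to the target."""
    eth_dst = BROADCAST if op == OP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    body = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    body += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    body += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + body


def parse_arp(frame):
    """Decode an Ethernet/ARP frame into a dict; reject anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported hardware/protocol encoding")
    return {
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "op": op,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


class Host:
    """Simplified ARP endpoint with the trusting behaviour the lab describes:
    it answers requests for its own IP and stores the sender binding from any
    reply addressed to it, never checking that it sent a request (ARP is
    stateless). Real stacks differ in detail; this is the update path the
    poisoning attack relies on."""

    def __init__(self, name, mac, ip):
        self.name, self.mac, self.ip = name, mac, ip
        self.cache = {}  # ip -> mac

    def receive(self, frame):
        """Process one frame; return a reply frame or None."""
        p = parse_arp(frame)
        if p["op"] == OP_REQUEST and p["target_ip"] == self.ip:
            self.cache[p["sender_ip"]] = p["sender_mac"]  # learn the asker too
            return build_arp(OP_REPLY, self.mac, self.ip, p["sender_mac"], p["sender_ip"])
        if p["op"] == OP_REPLY and p["eth_dst"] == self.mac:
            self.cache[p["sender_ip"]] = p["sender_mac"]  # overwrite any old binding
        return None


def run_scenario():
    """Normal A<->B resolution, then C poisons both caches as in Figure 1.
    Returns (A's cache before, A's cache after, B's cache after, C's MAC)."""
    a = Host("A", "02:00:00:00:00:0a", "10.0.0.1")
    b = Host("B", "02:00:00:00:00:0b", "10.0.0.2")
    c = Host("C", "02:00:00:00:00:0c", "10.0.0.3")  # attacker

    # 1. A broadcasts "who has 10.0.0.2?"; every host on the segment sees it.
    request = build_arp(OP_REQUEST, a.mac, a.ip, ZERO_MAC, b.ip)
    for host in (b, c):
        reply = host.receive(request)
        if reply is not None:
            a.receive(reply)              # only B answers
    a_before = dict(a.cache)

    # 2. C sends unsolicited replies: to A "10.0.0.2 is at C", to B "10.0.0.1 is at C".
    a.receive(build_arp(OP_REPLY, c.mac, b.ip, a.mac, a.ip))
    b.receive(build_arp(OP_REPLY, c.mac, a.ip, b.mac, b.ip))
    return a_before, dict(a.cache), dict(b.cache), c.mac


if __name__ == "__main__":
    before, a_after, b_after, c_mac = run_scenario()
    print("A before:", before)
    print("A after: ", a_after, "-> frames for B now go to", c_mac)
    print("B after: ", b_after)
```

After the two unsolicited replies both victims hold C's MAC for each other's IP, which is exactly the state Figure 2 starts from; C then only has to forward frames to the real MACs to stay invisible.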
Figure 2. Computer C performs a man in the middle attack against A and B.
Now, when A tries to send a packet to B it goes to C instead. Host C can use this position to
forward the packets on to the correct host and monitor or modify them as they pass through
(Figure 2). This man-in-the-middle attack lets C monitor or modify telnet sessions, read mail passing
over Post Office Protocol (POP) or SMTP, intercept SSH negotiations (the client warns that the
server's host key has changed, a warning users often ignore), monitor and display Web usage, and
carry out many other malicious activities.
The ARP cache poisoning attack can be used against all machines in the same broadcast domain as
the attacker. Hence it works across hubs, bridges and switches, but not across routers. An attacker
can, in fact, poison the ARP cache of the router itself, but the router will not forward ARP packets
to its other links. Switch port security features that bind a MAC address to a port do not prevent
this attack, because the attacker's frames carry its own genuine source MAC; the false binding lives
inside the ARP payload, which port security does not examine. Only switch features that inspect
ARP payloads against a trusted binding table (such as Dynamic ARP Inspection) can block it.
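A victim-side check to complement the exercises, added here and not part of the original lab: parse an ARP table in the Linux /proc/net/arp format (the same table `arp -n` prints on CentOS or Fedora) and flag the two symptoms of poisoning that Figure 2 leaves behind, one MAC claimed by several IPs and a binding that changed since a known-good baseline. Both snapshots are constructed for the example.

```python
"""Spot ARP-cache poisoning from the victim side.

Added example, not from the original lab. CLEAN and POISONED are
constructed /proc/net/arp snapshots; addresses are made up.
"""
CLEAN = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         02:00:00:00:00:0a     *        eth0
10.0.0.254       0x1         0x2         02:00:00:00:00:fe     *        eth0
"""

# After poisoning: the attacker (10.0.0.3) now "owns" the peer and the gateway.
POISONED = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         02:00:00:00:00:0c     *        eth0
10.0.0.254       0x1         0x2         02:00:00:00:00:0c     *        eth0
10.0.0.3         0x1         0x2         02:00:00:00:00:0c     *        eth0
"""

ATF_COM = 0x2  # Linux: entry is complete (has a resolved MAC)


def parse_proc_net_arp(text):
    """Return {ip: mac} for complete entries; skip the header and stale rows."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, _dev = fields[:6]
        if int(flags, 16) & ATF_COM and mac != "00:00:00:00:00:00":
            table[ip] = mac.lower()
    return table


def duplicate_macs(table):
    """MACs that several IPs resolve to -> {mac: sorted list of IPs}."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_bindings(baseline, current):
    """(ip, old_mac, new_mac) for every baseline IP whose MAC moved."""
    return [(ip, baseline[ip], current[ip])
            for ip in sorted(baseline)
            if ip in current and current[ip] != baseline[ip]]


def audit(baseline_text, current_text):
    """Compare a trusted snapshot against the live table; return both indicators."""
    base = parse_proc_net_arp(baseline_text)
    cur = parse_proc_net_arp(current_text)
    return {"duplicates": duplicate_macs(cur), "changed": changed_bindings(base, cur)}


if __name__ == "__main__":
    print(audit(CLEAN, POISONED))
```

Treat a shared MAC as something to investigate rather than proof: a router holding several addresses, proxy ARP or a VRRP pair also shows one MAC for several IPs. A changed binding for the gateway, as above, is the stronger signal. On the lab hosts a static entry added with `arp -s` pins the binding and appears with flags 0x6 (complete and permanent) in this table, which is the manual countermeasure the preliminary exercises touch on.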
The tool used to demonstrate and test the effectiveness of these attacks is Ettercap. Developed as
an open source project, Ettercap provides both a menu-based and a command-line interface for
performing ARP cache poisoning and man-in-the-middle attacks against