Man in the middle

ARP Spoofing

Assume that Alice and Bob’s hosts are connected into a LAN and Alice wants to send a packet to Bob. Although Alice knows Bob’s IP address, the Data Link Layer in Alice still needs to know the MAC address of Bob to transmit the packet via LAN. To get Bob’s MAC address, Alice first checks if she store Bob’s MAC address in her ARP cache. If it exists, she can use Bob’s MAC address, else, she sends the ARP request to ask for the MAC address corresponding to Bob’s IP address. All the hosts on LAN will receive the ARP request from Alice but only Bob has the IP address described in the ARP request, so Bob will return his MAC address to Alice. When Alice has Bob’s MAC address, the data transmission begins.

Now we assume that there is one more host, Charlie, is connected to LAN with Alice and Bob. Charlie will send Alice the ARP reply message saying that the MAC corresponding to Bob’s IP is Charlie’s MAC and at the same time Charlie sends Bob the ARP reply saying that the MAC corresponding to Alice’s IP is Charlie’s MAC. Both Alice and Bob update their ARP cache and use that information to transmit packet. As the result, the entire conversation between Alice and Bob flows through Charlie (as shown in the Figure 2.)

Lab Network Configuration

As mentioned above, in this project, I will implement the MITM attacks on LAN environment to demonstrate how the attacker can launch the MITM attacks and what he can do with the data of his victim. I setup the simple network for the lab as shown in the Figure 3.

Lab Network Configuration

• Linux server: is used to provide some common Internet services. This machine also plays the roles of the attacker’s host in some scenes and as the victim host in the other scene
  • OS: Ubuntu Linux 7.10
  • Services: HTTP (Apache), FTP (ProFTPD), SMTP/POP3 (Postfix), MySQL
  • MITM Tools: ettercap, dsniff, ethereal
• Windows XP desktop: plays the roles as a attacker’s host in some scenes and as the victim host in the other scenes
  • OS: Windows XP Professional
  • MITM Tools: ettercap, CAIN, Wireshark
• Windows Vista laptop: plays the roles as the victim host

All these machines are connected into switched LAN network and have access to the Internet via router. The router here also plays the roles of victim host since there will be the attack to the communication between a host inside LAN and the router.

Capture Sensitive Data

Attack #1

• Scenario: Windows Vista laptop accesses to Linux server for services like HTTP, FTP, Email, and Database. Windows XP desktop launches the MITM attack to reveal username and password that the laptop uses as shown in Figure 4.

MITM attack inside LAN

• Method: To launch this attack, Windows XP machine first has to poison the ARP caches of Linux machine and Windows Vista machine. There are many software tools available to do ARP poisoning, however I use ettercap in this attack since it is all-in-one tool which can do both ARP poisoning and network sniffing. In addition, I can use ettercap in both Windows and Linux platforms. The attack is described in the following steps

Step 1: Launch ettercap in Windows XP then choose working mode as Promisc mode

Ettercap working mode

and choose Sniff mode as Unified sniffing then select the network card that has connection to lab’s LAN

Ettercap sniffing mode

Step 2: Add Windows Vista machine and Linux machine to the target of ettercap. This can be done by select menu Hosts → Scan for hosts and then select menu Hosts → Host list then select 192.168.5.100 for Target 1 and select 192.168.5.250 for Target 2. Verify the targets by choosing menu Targets → Current Targets

Targets of the attack

Step 3: Poison the ARP caches of Windows Vista and Linux machines by select menu Mitm → Arp poisoning… then choose Sniff remote connections

Poisoning the ARP caches of targets

To verify that the ARP poisoning is successful, I check the ARP caches at both targets by using command: arp –a

ARP cache of Windows Vista machine

ARP cache of Linux machine

We can easily see that both ARP caches are poisoned, in Windows Vista machine, the entry 192.168.5.250 (Linux machine) has the MAC address 00-1D-09-82-22-95 (Windows XP machine) and in Linux machine the entry 192.168.5.100 (Windows Vista machine) has the MAC address 00:1D:09:82:22:95 (Windows XP machine)

Step 4: Sniff the traffic between Windows Vista machine and Linux machine and capture the sensitive information by choosing menu Start → Start Sniffing

Sniffing traffic between two targets

The connections can be seen by choosing menu View → Connections. For each connection, we can see the data by select it and choose View Details

Connections between two targets

• Result: After successfully capturing the data transmitted between two targets, we can now examine it to reveal the sensitive information. In this attack, Windows Vista machine will access the following services which require authentication from Linux machine:
• Online music via web
• FTP
• Email via SMTP/POP3

By viewing the details of each connection between two targets, I can easily see all the usernames and passwords. Furthermore, ettercap automatically records the usernames and passwords transmitted in clear text form.

FTP username and password Email username and password

Usernames and passwords detected by ettercap

Attack #2

• Scenario: Windows XP desktop accesses to an Internet site that uses SSL, Gmail, for example. Linux server launches the MITM attack to capture the username and password of the desktop as shown in Figure 16.

MITM attack between a host inside LAN and the router

• Method: In this attack, I am trying to mislead the Gmail user to accept the fake certificate that is issued by me, not by Google. If the user has some knowledge about computer security and s/he examines the certificate before accepting it. The attack would not be successful.

Fake certificate

To launch this attack, I use the following tools:

• ettercap: to do ARP poisoning
• dsniff software suite:dnsspoof to answer the DNS requests from Windows XP machine with Linux machine as the DNS server and webmitm to relay all the HTTP and HTTPS request from Linux machine to the real servers.
• ssldump: to decrypt the encrypted data with fake certificate
• Wireshark: to capture traffic between Windows XP machine and the router.

Firstly, I need to do the ARP poisoning the ARP caches of Windows XP machine and the router using tool ettercap like the attack presented in section 3.1.1. And then I do the DNS spoofing by using tool dnsspoof. At this stage I launch the webmitm -d tool which is the used to relay the traffic from Windows XP machine to Gmail. Then I use Winshark to capture the traffic and save as gmail.log file.

All the packets captured in gmail.log can be decrypted by using the tool ssldump: ssldump –r gmail.log –k webmitm.cert –d > out

• Result: The username and password of Gmail user can be obtain from the out file by using the command: cat out | grep Passwd

Gmail username and password

Using the same attack method I also get the account information from the SSL connections to my bank’s server:

Bank account information

and also, my HawkID and password in ICON

Iowa Courses Online. http://icon.uiowa.edu

: HawkID and password in ICON

the same result with ISIS

Iowa Student Information Services. http://isis.uiowa.edu

:

HawkID and password in ISIS

Tamper the Data

• Scenario: Windows XP desktop accesses to an Internet site via the router. Linux server launches the MITM attack between the desktop and the router to deface the website that the desktop are surfing as shown in Figure 16.
• Method: The preparation for this attack is similar to the attack mentioned in section 3.1.1 with two targets: Windows XP machine and the router of the lab. In this case, ettercap will modify the data from the router before forwarding to Windows XP machine. To automate this task, I will create the filter, which is a method to extend the ability of ettercap, to automatically alter the incoming data.

The filter is developed based on the original one from [4] as follow:

# Change the Accept-Encoding of the client so server will send data to 
# client in the text plain format.
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
      msg("zapped Accept-Encoding!
");
   }
}

# Replace google’s logo with other image and change Google text into Hacker
if (ip.proto == TCP && tcp.src == 80) {
   replace("/intl/en_ALL/images/logo.gif", "http://hawksec.net/shrek.jpg");
    replace("Google", "Hacker");
   msg("Filter Ran.
");
}

I save the filter source code as img.filter and then use the command etterfilter img.filter –o img.ef to compile it. After doing ARP poisoning to Windows XP and Linux’s ARP cache like in the section 3.1.1, I apply the filter by choosing menu Filters → Load a filter… and select img.ef.

• Result: After applying the filter, the Windows XP machine gets the modified Google page:

Prevent MITM Attacks

As we already saw in the previous sections, the MITM attacks could be prevented if:

• attacker does not have the ability to poison the ARP cache of victim hosts
• even if the attacker can poison the ARP cache of the victim hosts and capture data, he cannot learn anything from that if the data is strongly encrypted

If we encrypt all the data passing over the network, MITM attacks can be avoided however, this is difficult to implement because of the complexity and the overhead processing. There are some methods to help prevent ARP poisoning suggested by the security experts [15]:

• For small network: Using static ARP table. In addition, in Windows machines, I installed the software called Symantec Endpoint Protection and enable the option Enable anti-MAC spoofing and this helps prevent ARP poisoning of your ARP cache.
• For large network: Using switch with Port Security feature which allows only one MAC address for each port
• For all network: Monitoring ARP caches by using the ARP monitoring tools like ARPwatch [16] to detect the changes in ARP cache. From my experience, when we detect some change in ARP cache of the machine, we may find the MAC address of the attacker in that machine and we can use this information to identify the attacker.