Introduction This paper will lay out for you the basics of an ARP Poison Routing (APR) attack and Man in the Middle (Mitm) attacks. These are very simple attacks, but can be very powerful on unsecured networks. These attacks are so easy I could provide you a walkthrough of how to do this in Cain in about one paragraph, but you wouldn’t learn anything and would become a skiddy.
Before reading this, I suggest you learn a little about networks and the OSI 7-layer model (http://www.webopedia.com/quick_ref/OSI_Layers.asp) and media access control (MAC) addresses, as these attacks take advantage of protocols that work on OSI layers other than what you are usually used to (ie, HTTP on layer 7 and TCP on layer 4, whereas ARP works on layer 2) and do not use only IP addresses for identifying computers.
Address Resolution Protocol:
The Address Resolution Protocol (ARP) is a layer 2 protocol that maps IP addresses to hardware MAC addresses. When a computer wants to find another computer on its network, it uses the ARP to identify where that computer is and how to reach it. There are 9 types of ARP packets, but only 4 are relevant here:
1. ARP – What MAC has this IP address?If you are trying to contact a computer on another network (ie, over the internet) then ARP is used to contact your border gateway and route packets to it. The gateway is then responsible for routing the packets to the desire network using IP addresses and various routing protocols instead of ARP. Once the packet has arrived at the correct network, the router that received it will then use ARP again to route the packet around the network to its final destination.
2. ARP Response – This MAC has this IP address.
3. RARP – What IP has this MAC address?
4. RARP Response – This IP has this MAC address.
The address resolution protocol works on a stateless broadcast request/single reply communication model. This means when one computer wants to know the address of another; it will broadcast a request for the address across the whole network in the form of What computer is 123.123.123.123? Tell 00:FF:AC:C5:56:3B. The computer that has the IP address of 123.123.123.123 would then send a directed reply, NOT broadcast, saying 90:F5:63:CA:BB:32 has 123.123.123.123. The MAC address in the reply is then added to the local computer’s cache, or if a mapping already exists for either the IP or MAC being used, the cache is updated to reflect this new info. The MAC/IP mapping is then used to route traffic around the network.
ARP Poison Routing (APR)
Now that you know the basics of how ARP works, let’s explore some pitfalls in the protocol. As I’ve said before, ARP is a stateless protocol. This means that each computer does not remember the state of its ARP requests/replies, and thus, does not remember if it sent a request or if it is waiting for a reply or has already received a reply to a previous request. So if we send an ARP reply, the host will accept it and alter its cache accordingly, even if the host didn’t send out a request! So if we send a reply to a target computer saying that our MAC address corresponds to the local gateway’s IP, then any traffic coming out of the target computer bound for the internet will be instead routed to your computer. You can use this to execute a DoS attack and prevent any packets from the target computer reaching the internet or you can sniff the packets for passwords and then pass them on to the real gateway. The second method is a very effective way of getting sensitive information and is fairly undetectable unless the target is monitoring their ARP cache constantly. APR can be setup with either 1-way or 2-way poisoning. 1-way poisoning will only poison the cache of a single target and will only intercept traffic coming from that computer, as shown below:
Figure 1: 1-way APR
2-way poisoning effectively puts your computer directly between 2 target computers so that you can intercept network traffic coming from either host, as shown below:
Figure 2: 2-way APR
Some interesting attacks that can be used with APR include DoS attacks, Network sniffing/Packet stealing, and phishing.
DoS attacks can be accomplished using a 1-way poison and by redirecting traffic from a target computer to a gateway that doesn’t exist so they get ICMP Host Unreachable errors for all their network traffic, or you can redirect it to your computer and simply refuse to forward it to the proper destination. Network sniffing and packet stealing as well as Man in the Middle (Mitm) attacks require a 2-way poisoning scheme. Network sniffing and packet stealing would allow you to steal passwords and hashes that are passed over the network. With the proper filters, you can easily pick out plaintext passwords such as FTP, SMTP, HTTP form data, and hashes such as AIM and Yahoo messenger and SQL. You can even listen in on NetBios sessions and Telnet connections. With some simple phishing filters on your APR tool, you can redirect people from one website to one you control that looks the same where the victim will type in their login info unsuspectingly. This is often useful for grabbing plaintext passwords rather than having to brute force password hashes
One of the greatest hazards to be aware of when using APR is unintentional DoSing of the target or the entire network; because your computer is most likely NOT a dedicated router, and because the packets must travel all the way up the OSI model, be analyzed by your sniffer, then repackaged and sent all the way down the OSI model again, your computer can not handle packet routing as efficiently as a dedicated hardware router. This costs a great amount of time and CPU cycles and slows down the flow of traffic that may end up backing up and DoSing the target, the network, your computer, or any combination of the three. This is a serious issue and should not be taken lightly. If you APR a router on a large network, you may have hundreds of thousands of packets going thru your computer each second. Another hazard that is of interest to hackers is the fact that proxies cannot effectively be used, because ARP and APR works on layer 2 and proxies work on either layer 5 or 7 (depending on the amount of anonymity used) and usually require traveling outside the network to a proxy server. This may seem like a huge safety issue for a hacker, but there is hope! While IP addresses are difficult to spoof over the internet while keeping traffic flowing to and from your computer, both the IP address and MAC address can be effectively altered on a LAN. Many tools exist for changing your MAC and IP during APR attacks. Cain provides an option to do this under the “Configure” menu item.
Man In The Middle (Mitm) Attacks
Mitm attacks include a range of possible attacks, from DoSing, to sniffing, phishing, and rerouting for SE purposes. Mitm is started with a 2-way APR attack that in effect inserts your computer between 2 targets (often a host and a gateway). You can then begin the real meat of the mitm by using customized programs and packet filters to gain the effect you need.
For a simple sniffing attack, a network sniffer such as Ethereal with an IP or MAC filter applied to only capture packets to or from the target is sufficient. For more advanced attacks like password grabbing and phishing, you need more advanced filters. In the case of grabbing passwords, you need to have a filter that disassembles the packet to get to the layer 4 data and above, then scan that data for plaintext passwords or hashes such as HTTP POST or GET data, FTP, SMTP, or SQL login info, or you can use a filter to capture an entire NetBios, Telnet, or VoIP session to record conversations and gather potentially sensitive information. Sometimes it is not always desirable to have a password hash, especially when you can get the plaintext password in less time. This is where phishing comes in. Phishing is the art of constructing a website to look exactly like another, then redirecting traffic from the real site to the one you control in the hopes that no one will notice and will happily type in their real login info, assuming that everything is as it should be. Great care should be taken in conducting a phishing style attack, and I will offer some pointers and methods later on.
Because mitm attacks are built on the back of an APR attack, then all the limitations of an APR attack also apply to a mitm attack. But with the increased complexity of a mitm attack, you must also be aware of further limitations. Using complex filters or packet scanners consumes a lot of CPU cycles and can further increase the risk of unintentional DoSing or breaking of the network. Phishing should be used with care as well, because even the smallest difference between your site and the legitimate one will be noticed by daily users and may raise suspicion.
Phishing
Phishing, as already stated, is making a fake site to fool people into giving you their plaintext passwords and login info. There are several methods for creating a phishing site (phishing lure :D). You can attempt to create your copy site from scratch and code it yourself, but chances are people who use the site regularly would know the difference. Another way would be to copy the source code, images (keeping the directory structure in tact), and any stylesheets, javascripts, or embedded objects, then just make a few small changes to the code. Make sure to change all relative directories to absolute URLs when you do this! If you don’t, a form may not direct to the right page or produce a 404 error or an image may not display right and will raise suspicion. This method produces a site that looks and behaves nearly identically to the original, but because it is still being hosted on another server under a different domain name, observant users may spot the anomaly and report it. For low profile targets, this method is fast and effective. The final method I will discuss is how to do it without making a fake site at all. Because you are executing a mitm attack and have full access to every packet that moves to and from the target, you can create a packet filter that will change the ACTION property of a