[Common Network Attacks Series] Man-in-the-middle (MiTM)

swarmdeco

Member
Feb 27, 2016
25
48
48
Hey there!

Since the Security Research > Network section is pretty empty I'll start this first post about the Man-in-the-middle network attack. The intention of this is to explain how the attack works, but not how to execute it (If you understand how it works, the execution is trivial, I'm strongly against Script Kiddies).

I'm just writing as stuff pops-up on my mind, so expect several edits over time... And please give me your feedback/comments/questions and I'll add it to the post!

Ok...so let'sgo!

How a network works?
Well, in order to understand ANY network attack it's important to understand how a network works. Short story short, devices communicate between them with "packets" of information. A Packet (imagine a little box with information inside) travels through this network using cables or wireless communication, but in both cases they need a Network device that interconnect everything and decides the destination/route of the packet (Router, Switch, Access Point, etc...).

Note: I'll leave aside old/rare network implementations (Stars, Everyone-with-everyone, etc..), I'll just focus on the most common network topology (where the MiTM make sense) and I'm going to ignore some tech-details (like OSI Packet Layer) to make this easy to follow. Ok, lets continue!

ZfOO8UL.png

Common network house/office topology

How the communication between two computers work?
So computer A wants to PING computer B... when you open a console (cmd.exe /Terminal) and type ping computer_b and press enter... what's happening from that moment?? Ok, let me break it down for you.

Here there are two concepts that you need to know before hand, what is MAC and what's an IP address. A MAC (Media Access Control) it's an 48bit hexadecimal identifier of you physical network card (maybe you have seen them before, it's something like AA:BB:CC: DD:EE:FF). The IP (Internet Protocol) address it's an 128bits (IPv4) identifier of you computer in a network.
Why I'm telling you this? Because there's something that's really important (and where the MiTM attack resides) for network communications and that's the ARP table.
YeW8r4M.png

ARP Table
The ARP Table (as you can see above) it's a translation table where you can identify which is the MAC Address of a determined IP (and vice-versa), this table is "dynamically" generated during the time you are on the network, it start as empty and it fills white ARP request.

Whenever you want to send a packet over network you need to send that packet to the network router/switch and that guy will route that packet through the network properly... So, computer A sends a packet that is labeled to Computer C, the router/switch receives this packet, reads the label and it send the packet to Computer C, voila! Computer C got it's packet... but what is THAT label.

Well, that label it's the MAC address of COMPUTER C. That's how the switch knows which computer route the packet. Ok, so who put that label in the packet? it was Computer A... in simple words, the packet label says: Send it to Computer C (Location: AA:BB:CC: DD:EE:FF), and where does Computer A get the MAC address of Computer C, from Computer's A ARP Table.

But wait Swarmdeco, you told us before that that ARP Table is empty when you connect to the network, how does Computer A knows which is the IP Address or the MAC Address of Computer C? Well good question sir! Let me explain...

Let say that you ping 192.168.0.5 (IP of Computer C) from 192.168.0.3 (IP of Computer A) (That was the example Swarm... you are complicating things! - I know I know, please try to follow me, it's hard to write this ok??)... so the first thing that Computer A needs to label the packet is to get the MAC Address of Computer C (because you already have the IP) so Computer A sends an ARP Broadcast packet (FF:FF:FF:FF:FF:FF) to the switch (A Broadcast packet it's a packet that is sent to everyone on the network) asking: "Who is 192.168.0.5?"

sEuTR96.png

6D8mCiD.png

Wireshark capture of an ARP Broadcast Packet and it response
Above you have an ARP Broadcast packet asking who has the 192.168.10.164 and to tell to 192.168.10.161... So if SOMEONE on the network has that IP address, that computer sends an ARP packet (like the second picture).

Quick note: The MAC address and IP must match, here I just took a random pcap that I had... If someone can take better screenshots please send it to me and I'll update
)

Ok, so when the computer receive and ARP response it fills our ARP Table...So let's continue with our example... you wanted to ping computer_b, so your computer needs to send a PING packet and label it using the information on the ARP table. The same situation works on the other side of the communication, Computer C needs to ask Who is Computer A and get it's MAC address to fill it's own ARP Table and label the packet properly...

By any chance, did you detect where the attack occurs?? Well... the ARP Broadcast packet is for EVERYONE on a Network and ANYONE can answer that call... you can even receive more than ONE answer. What the computer is going to do is to update/register the LAST answer he receives...

Developing the Attack
Since as you can see, the receiver of the ping packet (or any local-network packet) is the one who is on the label of this box, and the label is determined by the ARP table of the computer that is sending the message, so let's do the following.

Let's envenom the ARP table of Computer A and the ARP table of Computer C!
How to do that? It's quite simple. Let's imagine the following scenario:
  • You are attacking from computer B with the following MAC address 00:00:00:00:00:BB and the following IP 192.168.0.3,
  • Computer A has 00:00:00:00:00:AA with 192.168.0.2
  • Computer C 00:00:00:00:00:CC with 192.168.0.4
Let's perform an attack doing the following:
  • Computer B sends an ARP Response to Computer A saying that the MAC address of 192.168.0.4 it's 00:00:00:00:00:BB
  • Computer B sends an ARP Response to Computer C saying that the MAC address of 192.168.0.2 it's 00:00:00:00:00:BB
Now the every packet that computer A sends to Computer C it's going to be labeled with the MAC address of computer B and viceversa, that means that we are going to receive EVERY-PACKET of communication between those computer in our machine and access all the information they are saying. In order to not interrupt the communication, we read the packet and forward it to the real receiver of the packet (that way we are undetected). Now we are a "man-in-the-middle" between these two network devices, because we are In the middle of the communication eavesdropping everything.

With this kind of attack you can steal Username/Passwords from users, tamper HTTP request (also HTTPS but it's way more difficult), redirect traffic, change the behaviour/look of webpages to troll friends, replace all the images of the browsers victim with cats, and even install malware/virus on your friends computer (don't do that... don't be the guy we hate).

This attack is REALLY powerful, but most IDS/IPS will detect it if you don't do it properly, so try it at home!

It's a LOT to swallow in the first read, and maybe I'm missing TONS of points and details... but anyway! did my best... I'll improve the guide based on the questions that I receive and the feedback of the community.

Mandatory disclaimer:
Any actions and or activities related to the material contained within my POSTS is solely your responsibility.The misuse of the information on my posts can result in criminal charges brought against the persons in question. The authors will not be held responsible in the event any criminal charges be brought against any individuals misusing the information on my posts to break the law. (I'm going to use it as my form signature).

- Swarm!
 
Last edited:

shockli

Contributor
Jan 29, 2016
243
194
111
Hey, excellent post!
Just a few notes :)
  • Your wireshark image doesn't load.
  • Emoji's caught you here: C (Location: AA:BB:CC:DD:EE:FF),
  • Italic text overused is cancer
  • Mentioning IPV6 will be a great help, as we should have been using it since <1996
  • A proper MiTM is impossible with windows because many scripts you would run alongside with a MiTM do not work properly
  • Maybe go into detail with DHCP?
  • Router != Switch.. http://www.webopedia.com/DidYouKnow/Hardware_Software/router_switch_hub.asp
  • By any chance, did you detect where the attack occurs?? Well... the ARP Broadcast packet is for EVERYONE on a Network and ANYONE can answer that call... you can even receive more than ONE answer. What the computer is going to do is to update/register the LAST answer he receives... You never answered your question..
Other than that it's a very well-done and detailed guide :)
 

swarmdeco

Member
Feb 27, 2016
25
48
48
Hey, excellent post!
Just a few notes :)
  • Your wireshark image doesn't load.
  • Emoji's caught you here: C (Location: AA:BB:CC:DD:EE:FF),
  • Italic text overused is cancer
  • Mentioning IPV6 will be a great help, as we should have been using it since <1996
  • A proper MiTM is impossible with windows because many scripts you would run alongside with a MiTM do not work properly
  • Maybe go into detail with DHCP?
  • Router != Switch.. http://www.webopedia.com/DidYouKnow/Hardware_Software/router_switch_hub.asp
  • By any chance, did you detect where the attack occurs?? Well... the ARP Broadcast packet is for EVERYONE on a Network and ANYONE can answer that call... you can even receive more than ONE answer. What the computer is going to do is to update/register the LAST answer he receives... You never answered your question..
Other than that it's a very well-done and detailed guide :)

Thank you! I'll do the respective modifications when I get home! ;)
Btw I know that Router != Switch, but as I said on the first disclaimer I didn't wanted to go into THAT amount of details to confuse the reader, same with DHCP, but maybe I can explain myself a little bit further on those topics on different posts, to not overload a guide ;)
 

hannadgdgd

New Member
Jun 7, 2023
2
0
2
Hey, excellent post!
Just a few notes :)
  • Your wireshark image doesn't load.
  • Emoji's caught you here: C (Location: AA:BB:CC:DD:EE:FF),
  • Italic text overused is cancer
  • Mentioning IPV6 will be a great help, as we should have been using it since <1996
  • A proper MiTM is impossible with windows because many scripts you would run alongside with a MiTM do not work properly
  • Maybe go into detail with DHCP?
  • Router != Switch.. http://www.webopedia.com/DidYouKnow/Hardware_Software/router_switch_hub.asp
  • By any chance, did you detect where the attack occurs?? Well... the ARP Broadcast packet is for EVERYONE on a Network and ANYONE can answer that call... you can even receive more than ONE answer. What the computer is going to do is to update/register the LAST answer he receives... You never answered your question..
Other than that it's a very well-done and detailed guide :)
I'm grateful. I'll make the appropriate changes when I get home!
Router!= Switch, but as I stated in the first caveat, I didn't want to go into THAT much depth to confuse the reader. The same is true with DHCP, but perhaps I can expand a little on those issues in other postings so as not to overburden a guide.
 
Top