MITM Part 1: ARP Poisoning

Ravindran Kugan
7 min read · May 20, 2021
Just a Cool Looking Picture

Before I start this article, see if you can answer this simple question: what is hacking? If you google this question you will get a lot of answers full of advanced English words. Simply put, hacking is just thinking outside the box. Hacking is all about making a piece of software do what it isn’t supposed to do, using only the commands and services that the software itself provides.

Before we go any further, you may be thinking: MITM? ARP? What are these? First I will talk a little about MITM and give some real-life scenarios that are close to what it is.

MITM

MITM stands for Man In The Middle, and MITM attacks are a common type of attack that affects computers when they connect to a network. First, what is a man in the middle? Imagine this scenario: you have to upload a document to your workplace or university, but right now you are somewhere with no access to a device that can edit and upload the document. So you give your friend your mail credentials and ask them to upload it. Your friend does that, but also reads your other, private emails. In this scenario your friend is seeing your conversations with another person by sitting in the middle. This counts as no-tech hacking, but it is exactly the kind of situation a Man In The Middle attack creates. A MITM attack looks into the messages and conversations between two endpoints without their knowledge.

Now that we know what MITM is, let’s take a look at one well-known MITM attack: ARP poisoning.

ARP Poisoning

Sample Network

Look at the simple network diagram above. The following sections walk through a scenario on this network.

Before we talk about ARP poisoning, let’s look at how a device connected to the router reaches the internet. For a device to connect to the internet it needs three things.

  1. IP Address : Logical Address that is given to the computer.
  2. Subnet mask : Defines the range of IP addresses.
  3. Default gateway : The IP address that will be directly connecting to the internet. (Normally this would be the IP address of the router.)

We use IP addresses to identify the devices on a network, but IP addresses can change, and modern routers are set to change them constantly for security purposes. For that reason each device connected to the network keeps a table of MAC addresses (hardware addresses) that uniquely identify every device. The protocol that builds this table is ARP (Address Resolution Protocol), which maps a device’s IP address to its MAC address. In order to connect to the internet, PC1 has to know the MAC address of the router. That is where the ARP cache comes in. Before doing anything, PC1 checks its ARP cache to see whether the router’s IP address is already in it. If it is, PC1’s internet traffic goes straight through the router, as shown in the diagram below (the green line is the path).

PC1 connecting to Internet

Now, if the ARP cache is empty, the machine invokes the ARP protocol. Each computer connected to the network has the three things listed above. Let’s say PC1 wants to connect to the internet. PC1 broadcasts a request for the default gateway address, asking who that address belongs to. The message contains PC1’s own IP address and asks the owner of the default gateway (the router) to return its MAC address. All the other PCs simply ignore this message; only the router answers, sending its MAC address back to PC1. PC1 then updates its ARP cache with this address and is able to connect to the internet and go to youtube.com.

Note: You can also view the ARP cache on your own machine by simply typing the command arp -a in your command line. See the picture below for reference.

My Arp Cache

Everything works fine, right? But do you see the problem here? When we broadcast the message we are basically telling everyone on the network that we are trying to connect to the internet, and we are sending our IP address along with it. So suppose the attacker in this instance is PC4. PC4 first clears out the ARP cache on PC1 using the arp -d command. Then PC4 answers the ARP request with PC4’s own MAC address. Now PC1 thinks PC4 is the router and forwards its messages to PC4. PC4 forwards them on to the real router and does the reverse for the responses. Look at the diagram below for the flow of data.

MITM Attacked Data Flow.

How to protect against these types of attacks

Now that you know how these attacks work, let’s look at some ways to detect them and even protect ourselves from them.

  1. Use the arp -a command : This command shows the ARP cache. If you see two IP addresses sharing the same MAC address, your system has been hit by ARP poisoning.
  2. Two way SSL : If you are communicating with two way SSL, then even if the attacker is able to capture your messages, they won’t be able to decrypt them.
  3. Static ARP table : Creating the ARP table statically means no attacker can get into the system, but it puts a huge burden on the network administrator: if one of the devices is changed, the ARP cache on every system must be changed as well. (Basically it increases micromanagement.)
  4. Use monitoring tools : Monitoring tools can be used to watch the network and track any unusual data flow. Wireshark is one such tool that can be used to monitor your system.
Wireshark
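As an added example (not part of the original article), the small Python detector below applies the checks from items 1 and 4 to a constructed ARP capture: it learns IP-to-MAC pairs from ARP replies the way an ARP cache does, then flags a MAC address that answers for more than one IP and a gateway whose MAC suddenly changes. The network (192.168.1.0/24 with the router at 192.168.1.1) and all MAC addresses are made up for the sample; the frame builder only produces bytes for that sample and sends nothing.

```python
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, smac, sip, tmac, tip
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def mac_str(raw): return ":".join(f"{b:02x}" for b in raw)
def ip_str(raw): return ".".join(str(b) for b in raw)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4 ARP."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size or ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(smac), ip_str(sip), mac_str(tmac), ip_str(tip)

def detect_arp_poisoning(frames, gateway_ip):
    """Learn IP->MAC from replies the way an ARP cache does and flag the two symptoms
    described in the article: one MAC answering for several IPs, and the gateway's MAC changing."""
    learned, ips_by_mac, alerts = {}, defaultdict(set), []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue                    # requests never update the cache
        _, smac, sip, _, _ = parsed
        if sip in learned and learned[sip] != smac:
            who = "gateway" if sip == gateway_ip else "host"
            alerts.append(f"{who} {sip} moved from {learned[sip]} to {smac}")
        learned.setdefault(sip, smac)
        if ips_by_mac[smac] and sip not in ips_by_mac[smac]:
            alerts.append(f"{smac} now claims both {sorted(ips_by_mac[smac])} and {sip}")
        ips_by_mac[smac].add(sip)
    return alerts

def _frame(op, smac, sip, tmac, tip, dst=b"\xff" * 6):
    """Build one ARP frame as bytes; used only to construct the sample capture below."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return ETH_HDR.pack(dst, smac, ETHERTYPE_ARP) + ARP_BODY.pack(1, 0x0800, 6, 4, op, smac, ip(sip), tmac, ip(tip))

ROUTER, PC1, PC4 = b"\xaa\xbb\xcc\x00\x00\x01", b"\xaa\xbb\xcc\x00\x00\x02", b"\xaa\xbb\xcc\x00\x00\x04"
SAMPLE_FRAMES = [  # constructed capture following the article's scenario; 192.168.1.1 is the router
    _frame(ARP_REQUEST, PC1, "192.168.1.2", b"\0" * 6, "192.168.1.1"),       # PC1 asks who has the gateway
    _frame(ARP_REPLY, ROUTER, "192.168.1.1", PC1, "192.168.1.2", dst=PC1),   # the real router answers
    _frame(ARP_REPLY, PC4, "192.168.1.4", PC1, "192.168.1.2", dst=PC1),      # PC4 answers for its own IP
    _frame(ARP_REPLY, PC4, "192.168.1.1", PC1, "192.168.1.2", dst=PC1),      # PC4 now claims the gateway IP
]
```

Running `detect_arp_poisoning(SAMPLE_FRAMES, "192.168.1.1")` returns two alerts for the last frame; the same logic can be fed frames from a real capture (for example one exported from Wireshark) once a reader adds a pcap parser.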

ADDITIONAL KNOWLEDGE

SSL

I mentioned two way SSL in the prevention methods, so I will briefly explain what SSL is. SSL is a certificate that is provided to both clients and servers to verify them. When using SSL, data is encrypted before it is transferred. The sender and receiver both have a key to encrypt and decrypt the message. There are two ways this encryption can happen.

One Way SSL

In one way SSL, when two parties exchange a message, the client verifies the server’s certificate but the server does not verify the client’s certificate. One way SSL is not transport safe or message safe. Look at the following diagram.

One way SSL (Source: dzone)

Imagine a scenario where person A is communicating with the server. If person B initiates a MITM attack, they will be able to intercept the messages coming from the server and decrypt them using the server’s public key.

One way SSL is not transport safe or message safe.

Two Way SSL

In two way SSL, unlike one way SSL, both the server and the client send each other certificates to verify each other, and only then do they start communicating. Each side has two different keys, a public key and a private key. Both parties send their public keys over the network. Each then encrypts its messages with its own private key, and the other party decrypts them with the sender’s public key. Look at the diagram below for two way SSL.

Two way SSL (Source: dzone)

As you can see above, this is the process of two way SSL. If person A and the server are now communicating, then even if person B intercepts the communication with a MITM attack, person B will not be able to read the messages, because the server will not accept person B’s certificate (key) for transport.

Two way SSL is not transport safe but is Message Safe.

Note: You can see whether the website you’re visiting is safe by checking the URL in the browser. If it has https and a padlock, the site is SSL protected. See the reference below for more information regarding SSL.

REFERENCES

https://dzone.com/articles/implementing-one-way-and-two-way-ssl-mutual-authen
