MITM Part 1 : ARP Poisoning


Before starting this article, see if you can answer a simple question: what is hacking? Google it and you get plenty of answers full of elaborate words. Simply put, hacking is thinking outside the box. Hacking is about making software do what it was never meant to do, using only the commands and services the software itself provides.

Before we go any further you may be thinking: MITM? ARP? What are these? First a little about MITM, then on to the attack itself.

MITM

A man-in-the-middle (MITM) attack is one where an attacker places themselves between two communicating parties and relays their traffic, reading or altering it on the way, while each side believes it is talking directly to the other. Now that we know what MITM is, let's look at one of the best-known MITM techniques on a local network: ARP poisoning.

ARP Poisoning

Sample Network

Look at the simple network diagram above. The following sections walk through a scenario on this network.

Before we talk about ARP poisoning, let's look at how a device connected to the router reaches the internet. To do that it needs three things:

  1. IP address : the logical address assigned to the computer.
  2. Subnet mask : defines which IP addresses are on the local network (reachable directly) and which are not.
  3. Default gateway : the IP address on the local network to which traffic for any other network, including the internet, is sent. (Normally this is the LAN address of the router.)

Devices on a network are identified by IP addresses, but an IP address is a logical, changeable thing: on most home networks it is handed out by DHCP and may change over time. On the local link, frames are actually delivered to MAC addresses (hardware addresses burned into each network interface), so every device keeps a table mapping the IP addresses it talks to onto MAC addresses. The protocol that fills this table is ARP (Address Resolution Protocol), and the table itself is the ARP cache. To reach the internet, PC1 must know the router's MAC address. Before sending anything, PC1 checks its ARP cache for the router's IP address. If the entry is there, PC1 addresses its frames to that MAC and its internet traffic flows straight through the router, as shown in the diagram below. (The green line is the path.)

PC1 connecting to Internet

If the ARP cache has no entry for the gateway, the machine invokes ARP. Say PC1 wants to connect to the internet. PC1 broadcasts an ARP request to every device on the LAN: "who has <default gateway IP>? tell <PC1's IP>". The request carries PC1's own IP and MAC address and asks the owner of the gateway address (the router) to return its MAC address. Every other PC ignores the request; the router answers with an ARP reply containing its MAC address. PC1 stores that in its ARP cache, can now send frames to the router, and is on its way to youtube.com.

Note: you can view your own ARP cache by typing the command arp -a at the command line. See the picture below for reference.

My Arp Cache

Everything works fine, right? But do you see the problem here? ARP has no authentication at all: any device on the LAN can send an ARP reply, and a host accepts a reply and updates its cache even when it never sent a request (an unsolicited or "gratuitous" reply). Say the attacker in this instance is PC4. PC4 does not need to clear PC1's cache (it cannot run arp -d on someone else's machine); it simply keeps sending PC1 forged ARP replies saying "the gateway IP is at PC4's MAC address". PC1 overwrites its cache entry, now believes PC4 is the router, and sends its internet-bound frames to PC4. To capture the responses as well, PC4 does the same to the router, telling it that PC1's IP is at PC4's MAC. PC4 forwards PC1's traffic to the real router and the router's responses back to PC1, so everything keeps working and neither side notices. Look at the diagram below for the flow of data.

MITM Attacked Data Flow.
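The exchange described in the two sections above (the normal request/reply, then the attacker's unsolicited reply overwriting the cache) as an added example in pure Python; this is not code from the original article. Frames follow the Ethernet + RFC 826 layout; the MAC and IP addresses are constructed placeholders and nothing is sent on the wire.

```python
"""Ethernet/ARP frames, a victim's ARP cache and the attacker's forged reply.

Added example (pure Python, no Scapy), not code from the original article.
Addresses are constructed for illustration; nothing is sent on the wire.
"""
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header + RFC 826 ARP body (42 bytes). Requests go to the
    broadcast MAC; replies are unicast to the target."""
    dst_mac = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode the ARP fields from an Ethernet frame; reject anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    body = frame[22:42]
    return {
        "op": op,
        "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20]),
    }


class ArpCache:
    """A host's ARP cache as real stacks behave: any ARP reply that reaches
    the host updates the entry for sender_ip, whether or not a request was
    ever sent. That unconditional update is what ARP poisoning abuses."""

    def __init__(self):
        self.table = {}

    def handle(self, frame):
        pkt = parse_arp(frame)
        if pkt["op"] == ARP_REPLY:
            self.table[pkt["sender_ip"]] = pkt["sender_mac"]
        return pkt

    def lookup(self, ip):
        return self.table.get(ip)


def run_scenario():
    """Replay the article's scenario: PC1 resolves the gateway, then PC4 poisons it."""
    pc1_mac, pc1_ip = "02:00:00:00:00:01", "192.168.1.10"   # constructed
    rtr_mac, rtr_ip = "02:00:00:00:00:fe", "192.168.1.1"    # constructed
    pc4_mac = "02:00:00:00:00:04"                            # attacker's real MAC
    cache = ArpCache()

    # 1. PC1 broadcasts "who has 192.168.1.1? tell 192.168.1.10".
    request = build_arp(ARP_REQUEST, pc1_mac, pc1_ip, ZERO_MAC, rtr_ip)
    # 2. Only the owner of the target IP (the router) answers; PC1 caches it.
    if parse_arp(request)["target_ip"] == rtr_ip:
        cache.handle(build_arp(ARP_REPLY, rtr_mac, rtr_ip, pc1_mac, pc1_ip))
    before = cache.lookup(rtr_ip)
    # 3. PC4 sends PC1 an unsolicited reply: "192.168.1.1 is at PC4's MAC".
    #    No request was pending, yet the cache entry is overwritten.
    cache.handle(build_arp(ARP_REPLY, pc4_mac, rtr_ip, pc1_mac, pc1_ip))
    after = cache.lookup(rtr_ip)
    return {"before": before, "after": after, "attacker_mac": pc4_mac}


if __name__ == "__main__":
    print(run_scenario())
```

Running it prints the gateway entry before and after the forged reply: the router's MAC first, the attacker's MAC afterwards. Nothing in step 3 differs structurally from the legitimate reply in step 2; the only difference is who sent it, and ARP gives the receiver no way to tell.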

How to protect against these types of attacks

  1. Check with arp -a : this command shows the ARP cache. If two IP addresses (typically your default gateway and some other host) share the same MAC address, or the gateway's MAC address is different from what it used to be, your system may have been ARP-poisoned. This is a check rather than a protection: it tells you after the fact.
  2. Use TLS (SSL) : if the connection is protected with TLS and the client verifies the server's certificate, an attacker who intercepts the traffic can neither decrypt it nor alter it unnoticed; two-way (mutual) TLS additionally authenticates the client to the server. The attacker still sees which hosts you talk to, and anything sent over plain HTTP or another unencrypted protocol remains readable.
  3. Static ARP entries : a static entry (for example arp -s <gateway IP> <gateway MAC>) is not overwritten by ARP replies, so the attacker's forged replies have no effect on it. This puts a large burden on the network administrator: whenever a device or its network card is replaced, the entry must be updated on every host. (Basically increases micromanagement.)
  4. Use monitoring tools : monitoring tools can watch the network and flag unusual traffic. Wireshark is one such tool; its ARP dissector flags an IP address that is claimed by two different MAC addresses (display filter arp.duplicate-address-detected), which is exactly what a poisoning attack produces.
Wireshark
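The first check in the list above (compare MAC addresses in arp -a) as an added example, not code from the original article: it parses the output of arp -a in both the Windows and the Linux layouts, ignores broadcast and multicast entries, and reports when the gateway's MAC is shared with another host or differs from a known-good value. The two tables below are constructed samples with placeholder addresses; the check_live_cache helper is an assumption that arp is on PATH.

```python
"""Spot ARP poisoning from the output of `arp -a`.

Added example, not from the original article. The two tables below are
constructed samples (Windows-style and Linux-style) with placeholder addresses.
"""
import re
import subprocess
from collections import defaultdict

# IPv4 address followed, later on the same line, by a MAC written either as
# 02-00-00-00-00-04 (Windows) or 02:00:00:00:00:04 (Linux). Note: macOS prints
# MACs without leading zeros ("2:0:0:0:0:4"), which this pattern does not cover.
ARP_LINE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D+?"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})"
)

WINDOWS_SAMPLE = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           02-00-00-00-00-04     dynamic
  192.168.1.40          02-00-00-00-00-04     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

LINUX_SAMPLE = """\
_gateway (192.168.1.1) at 02:00:00:00:00:fe [ether] on eth0
? (192.168.1.40) at 02:00:00:00:00:04 [ether] on eth0
? (192.168.1.20) at 02:00:00:00:00:02 [ether] on eth0
"""


def parse_arp_table(text):
    """Return [(ip, mac)] with MACs normalised to lower-case, colon-separated form."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m.group("ip"), m.group("mac").lower().replace("-", ":")))
    return entries


def is_unicast(mac):
    """Broadcast/multicast MACs (group bit set in the first octet) are
    legitimately shared by many IPs and must not trigger an alert."""
    return int(mac[:2], 16) & 1 == 0


def find_poisoning(entries, gateway_ip, expected_gateway_mac=None):
    """Return a list of findings (empty list means nothing suspicious)."""
    by_mac = defaultdict(set)
    for ip, mac in entries:
        if is_unicast(mac):
            by_mac[mac].add(ip)
    findings = []
    gw_mac = dict(entries).get(gateway_ip)
    if gw_mac is None:
        findings.append(f"gateway {gateway_ip} is not in the cache")
    else:
        # The sign the article describes: the gateway's IP and another host
        # (the attacker's real address) resolve to the same MAC.
        others = sorted(by_mac[gw_mac] - {gateway_ip})
        if others:
            findings.append(f"gateway {gateway_ip} shares MAC {gw_mac} with {', '.join(others)}")
        if expected_gateway_mac:
            want = expected_gateway_mac.lower().replace("-", ":")
            if gw_mac != want:
                findings.append(f"gateway MAC changed: expected {want}, cache has {gw_mac}")
    # Any other MAC claiming several IPs (an attacker poisoning more than one host).
    for mac, ips in by_mac.items():
        if len(ips) > 1 and gateway_ip not in ips:
            findings.append(f"MAC {mac} claims several IPs: {', '.join(sorted(ips))}")
    return findings


def check_live_cache(gateway_ip, expected_gateway_mac=None):
    """Run the real `arp -a` on this machine (assumes it is on PATH) and check it."""
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True).stdout
    return find_poisoning(parse_arp_table(out), gateway_ip, expected_gateway_mac)


if __name__ == "__main__":
    for name, sample in (("windows", WINDOWS_SAMPLE), ("linux", LINUX_SAMPLE)):
        print(name, find_poisoning(parse_arp_table(sample), "192.168.1.1") or "clean")
```

One MAC with several IPs is not always an attack: a host with address aliases or a router that owns more than one address on the LAN looks the same. Recording the gateway's MAC once on a known-clean network and passing it as expected_gateway_mac is the more reliable signal.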

ADDITIONAL KNOWLEDGE

SSL

One Way SSL

One way SSL (Source: dzone)

Imagine a scenario where person A communicates with the server over one-way SSL (TLS): only the server presents a certificate, and person A's client verifies it against a trusted certificate authority. If person B has placed themselves in the middle with an ARP poisoning attack, they see the encrypted traffic but cannot decrypt it. The server's public key only encrypts or verifies signatures, it cannot decrypt, and the session keys are derived during the handshake in a way an eavesdropper cannot reproduce. To read the traffic, person B would have to impersonate the server, which requires either the server's private key or a certificate that person A's client trusts. The weakness of one-way SSL is on the other side: the server gets no proof of who the client is, so anyone who can reach the server can open a session with it.

One way SSL protects the transport (confidentiality and integrity of the messages), but it authenticates only the server, not the client.

Two Way SSL

Two way SSL (Source: dzone)

As you can see above, in two way SSL (mutual TLS) both sides present certificates. If person A and the server are communicating and person B intercepts the connection with a MITM attack, person B still cannot read the messages, for the same reasons as before, and in addition cannot open a session of their own with the server in person A's name, because the server rejects any client that does not present a certificate (key) it trusts.

Two way SSL protects the transport and authenticates both ends. What it adds over one way SSL is client authentication, not stronger encryption.
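The one-way and two-way configurations described in the two sections above, expressed with Python's standard ssl module, as an added example that is not from the original article or the dzone post. The certificate and key file names are placeholders assumed to exist on the reader's machine; the client-side contexts need no files and can be built as-is.

```python
"""One-way and two-way (mutual) TLS contexts with Python's ssl module.

Added example, not from the original article. File-name arguments are
placeholders for the reader's own certificates and keys.
"""
import ssl


def client_context(cafile=None):
    """One-way TLS from the client's side: verify the server's certificate
    chain against trusted CAs and check that it names the host we asked for.
    A MITM that cannot present a certificate trusted by this store fails the
    handshake before any application data is sent."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Both are already the defaults; stated explicitly because turning either
    # off is exactly what lets an interception attack through.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def mtls_client_context(certfile, keyfile, cafile=None):
    """Two-way TLS from the client's side: same server checks as above, plus
    our own certificate for the server to verify."""
    ctx = client_context(cafile)
    ctx.load_cert_chain(certfile, keyfile)   # placeholder paths
    return ctx


def mtls_server_context(certfile, keyfile, client_cafile):
    """Two-way TLS on the server: present our certificate and require a client
    certificate issued by `client_cafile`; an unauthenticated peer is rejected
    during the handshake."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)   # placeholder paths
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def insecure_client_context():
    """What not to do (the 'verify=False' habit): the session is still
    encrypted, but to whoever answered, which on a poisoned LAN is the attacker."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx):
    return ctx.verify_mode == ssl.CERT_REQUIRED


def checks_hostname(ctx):
    return bool(ctx.check_hostname)


def min_version_name(ctx):
    return ctx.minimum_version.name


if __name__ == "__main__":
    for name, ctx in (("default client", client_context()),
                      ("insecure client", insecure_client_context())):
        print(name, "verifies peer:", verifies_peer(ctx), "checks hostname:", checks_hostname(ctx))
```

The difference between the first and last context is the whole story of the "TLS stops the attacker reading your traffic" defence: encryption alone is not the protection, verifying who holds the other end of the session is.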

Note : you can see whether the website you are visiting uses TLS by checking the URL in the browser. If it starts with https and shows a padlock, the connection is encrypted and the browser has validated the site's certificate; it does not by itself mean the site is trustworthy. See the dzone reference below for more information on SSL.

REFERENCES

https://dzone.com/articles/implementing-one-way-and-two-way-ssl-mutual-authen

Associate Software Engineer at Virtusa