MITM Attack 1: Understanding ARP Poisoning
In the modern world, computers are a very essential part of our life. So, the security of a computer is important because it protects your information. The main purpose of computer security is the detecting and preventing unauthorized access to computer systems. The man-in-the-middle attack is one of the most common cyberattacks. ARP poisoning is an implementation of the man-in-the-middle attack. In this article, I will explain about these cyberattacks, how it works, and how to prevent from it.
Man In The Middle Attack (MITM Attack)
As the name suggests, some unauthorized person inserts himself on communication between two devices and reads the traffic without anyone noticing. Usually, those two devices are your laptop and the WiFi router. If you are not using a secure network, the middle man can spy on your network traffic.
Let’s take an example and simplify it. There should be three devices for this attack. Jee uses her laptop (first device) to browse some websites. He is using public WiFi (second device) in a coffee shop. Then Chris(the bad guy) is trying to spy on this network traffic. As you know, the communication between two devices happens with addressing(IP address and MAC address). When Jee connects to the WiFi, the router address is saved on Jee’s laptop.
Note: I will explain this addressing part under the ARP protocol topic.
Now let’s assume, Chris can change the saved address on Jee’s laptop to his laptop’s address. Then Jee tries to reach a website. Jee’s laptop doesn't know about this change and it sends the HTTP request to Chris’s laptop(because the addresses were changed). Chris’s laptop (third device) reached the website and send the response to Jee’s laptop. Jee doesn't even know about it unless she checks the router’s address. This is called the man-in-the-middle attack.
Actually, this attack can happen in several ways.
- ARP poisoning
- DNS spoofing
- HTTPS spoofing
- Wi-Fi eavesdropping
In this article, I will explain ARP poisoning.
ARP Poisoning
Before jump into the ARP poisoning attack, you need to understand how the ARP works.
ARP (Address Resolution Protocol)
When considering data transmission, there are two types of addressing called ‘logical addressing’ and ‘physical addressing’.
- Logical addressing — using the IP address in the network layer
- Physical addressing — using the MAC address in the data link layer
Note: If you want to know about the ISO model, there is an article on my blog.
Most of the applications are running with the IP address. But the actual communication happens with the MAC address. Whenever your application wants to communicate with another device, the ARP starts its job. Let’s figure out the purpose of ARP.
ARP is a data link layer protocol that maps these IP addresses and MAC addresses. Each device on the network maintains its own ARP table. If a device doesn't know the MAC address for a particular IP address, it sends an ARP request as a broadcast message. If one of the local devices matches the IP address of the request, it sends back an ARP reply that contains its IP-MAC pair. Then the ARP stores these pairs in the ARP cache.
ARP request,
ARP reply,
Actually, the ARP was design based on efficiency, not security. Therefore, some security threads like ARP Poisoning can perform on the ARP. As I explain, pairs of MAC addresses and IP addresses are stored in the ARP cache. When the device gets a new ARP response, the ARP cache will be updated.
Some software can send forged responses to a device and change the cache. In other words, the MAC address will be changed on a particular IP address. If the MAC address already exists in the ARP cache, there are two IP addresses map with the same MAC address. This is called ‘ARP poisoning’.
How to Detect an ARP Poisoning Attack?
You can use this command to check the ARP cache. When the results have two IP addresses(dynamic) for the same MAC address, it means the computer under an ARP poisoning attack.
arp -a
Line with full of ‘F’ — broadcast IP address
Subnet mask — 255.255.255.0
Network IP addresses — 192.168.8.1 - 192.168.254
Basic steps for ARP poisoning
Let’s see the steps to get a basic idea about ARP poisoning. I will take the previous example to explain this attack. You should remember, this is just for your information. Do not try to make trouble anyone.
- First of all, Chris must be connected to the same router. (the router in the coffee shop)
- Then Chris needs to use use a spoofing tool, such as Ettercap, Arpspoof. If he connected to the common network, he can find the targets. (select the Jee’s laptop as one target and the router as another target.)
Note: There is an application called ‘Kali Linux’ that makes an easy way to install Ettercap.
3. Then Chris needs to select the attack method as ARP poisoning. Once it is selected two devices going to update their ARP cache entries.
4. Then Chris needs to have an application called ‘WireShark’. It is used to analyze the traffic on his device. When the attack is started, Jee’s network traffic goes through Chris’s laptop.
5. Now Chris can analyze Jee’s network traffic without knowing her.
How to Prevent ARP Poisoning Attacks?
Static ARP Table — The ARP protocol allows to map manually IP addresses and MAC addresses of all the devices. So, the devices not able to listen to ARP responses from other devices.
Using Virtual Private Network (VPN)— This is the simplest way to prevent ARP Poisoning attacks. But you need to use a secure VPN. It allows your device to connect internet through an encrypted tunnel.
Perform an ARP poisoning attack — you can perform an ARP poisoning attack by yourself. So, you can get an idea about your system and detect the weak points.
I hope you learn something from this article. If I missed any points, let me know your suggestion in the comment section. Keep in touch. My next article will be about DNS spoofing. Happy learning.
