Things You Must Know About the Man in the Middle Attack-ARP Spoofing, DNS Spoofing, and SSL Certificate

Hasini Sandunika Silva
Published in Nerd For Tech
6 min read, May 19, 2021

ARP Spoofing

ARP Poisoning or ARP Spoofing is a Man in the Middle (MitM) attack in which the attacker places itself between two communicating devices and listens to their communication. Usually this happens within the same network. The following describes step by step how it happens in a Local Area Network (LAN).

Figure 1. ARP Spoofing.

As in figure 1:

When user Y tries to access Google, Y’s machine sends a request to all the devices within the LAN asking for the MAC address of the router. Normally, the router responds to that message with its MAC address. In the MitM attack, after the router’s response has been received, another device on the same network (assume user X is the attacker) also responds to the same message with its own MAC address. The ARP cache on Y’s machine is then updated, and Y’s machine treats the attacker’s MAC address as the router’s MAC address. As a result, the requests Y sends to Google through the router go to X first.

The following figure 2 illustrates the ARP cache of a device.

Figure 2. ARP Cache Table.

If the cache table contains the same MAC address for two different IP addresses, this indicates that an ARP attack is taking place on your computer.
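The duplicate-MAC check described above, as an added example that is not part of the original article. It parses a constructed sample of `arp -a` output (the Windows layout; the Linux/macOS `? (ip) at mac` layout is handled too), skips broadcast and multicast addresses that legitimately repeat, reports any unicast MAC claimed by more than one IP address, and compares the cached gateway MAC with a known-good baseline.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -a` output (Windows layout), for illustration only.
# The MAC of the host at 192.168.1.20 also appears as the MAC of the router
# at 192.168.1.1, which is the pattern the text describes.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xc
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.30          aa-bb-cc-dd-ee-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Matches the Windows layout above and the Linux/macOS layout
# "? (192.168.1.1) at aa:bb:cc:dd:ee:01 [ether] on eth0".
ENTRY_RE = re.compile(
    r"\(?(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})"
)

def normalize_mac(mac):
    return mac.lower().replace("-", ":")

def parse_arp_table(text):
    """Return {ip: mac} for unicast entries. Broadcast and multicast MACs
    (least significant bit of the first octet set) are skipped because they
    legitimately repeat across IP addresses."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        ip, mac = m.group(1), normalize_mac(m.group(2))
        if int(mac[:2], 16) & 1:
            continue
        entries[ip] = mac
    return entries

def find_duplicate_macs(entries):
    """Return {mac: [ips]} for every MAC claimed by more than one IP address."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_matches(entries, gateway_ip, expected_mac):
    """Compare the cached gateway MAC with a known-good baseline value."""
    return entries.get(gateway_ip) == normalize_mac(expected_mac)
```

On a real machine, feed `find_duplicate_macs(parse_arp_table(output))` the text of `arp -a`; a non-empty result for the sample above is `{"aa:bb:cc:dd:ee:01": ["192.168.1.1", "192.168.1.20"]}`.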

DNS Spoofing

Before going into detail about DNS Spoofing let’s clarify the term DNS.

Domain Name System (DNS)

Web browsers reach web pages by the destination IP address rather than by the domain name the user types. There therefore has to be a mechanism that converts hostnames into the corresponding IP addresses, and this is performed by the DNS.

When the user types the address (hostname) that he or she wants to access into the browser, the browser first looks for the corresponding IP address in the cache on his or her computer. If it is not found there, the browser sends the hostname to the nearest DNS server. If that server does not have it either, it forwards the hostname to its immediate parent DNS server. Assume the immediate parent knows this domain name; it then returns the corresponding IP address to the browser through the nearest DNS server. Refer to figure 3.

Figure 3. The DNS Lookup (Source: https://retechnic.com/Website/single_service/8).

DNS spoofing is a method attackers use to redirect the victim, via the DNS records, to a fraudulent website designed to look like the intended one. It is also a type of Man in the Middle attack. It happens because the attacker injects into the DNS cache a malicious IP address entry for the fraudulent website in place of the real address. The victim is therefore routed to another destination (the server hosting the fraudulent website) instead of the intended destination (the server hosting the real website). Refer to figure 4.

Figure 4. DNS Spoofing.

Once the user reaches the fake website, he or she may hand the hacker his or her access credentials and other sensitive information. The hacker may also use this opportunity to install malware on the victim’s computer.

SSL

Secure Socket Layer (SSL) is a technology used to establish secure communication between a client and a server. It binds the identities of websites and companies to cryptographic key pairs (private and public) using a digital document called an X.509 certificate. Usually, the private key is kept private on the server side and the public key is shared in the certificate (SSL certificate) to build a secure connection between the client and the server. There are two ways of implementing SSL; the following describes each in detail.

One-Way SSL

Here, only the client is responsible for ensuring that it receives data from the intended server. The following describes 1-way SSL authentication step by step.

Figure 5. One-Way SSL.

As in figure 5:

  1. First, the client sends a request to the server over the HTTPS protocol to establish a secure connection between them.
  2. The server sends its public certificate to the client.
  3. The client verifies this certificate against its list of trusted CA certificates.
  4. If the client finds a matching trusted certificate, it can access the resource through the established secure connection (encrypted tunnel).

Two-Way SSL

Here, both the client and the server are responsible for ensuring a secure connection between them. The following describes 2-way SSL authentication step by step.

Figure 6. Two-Way SSL.

As in figure 6:

  1. First, the client sends a request to the server over the HTTPS protocol to establish a secure connection between them.
  2. The server sends its public certificate to the client.
  3. The client verifies this certificate against its list of trusted CA certificates.
  4. If the client finds a matching trusted certificate, the client shares its own public certificate with the server.
  5. The server verifies this certificate against its list of trusted CA certificates.
  6. If the server finds a matching trusted certificate, the client can access the resource through the established secure connection (encrypted tunnel).
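The one-way and two-way settings described above expressed with Python’s standard `ssl` module, as an added example that is not part of the original article. The certificate and key file paths are hypothetical parameters; `unverified_client_context` shows the client-side misconfiguration that accepts any server certificate and so makes the MitM attacks in this article possible.

```python
import ssl

def one_way_client_context(ca_file=None):
    """One-way SSL, client side: verify the server's certificate against the
    trusted CA certificates (system store, or ca_file if given) and check that
    the certificate matches the hostname the client connected to."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def two_way_client_context(cert_file, key_file, ca_file=None):
    """Two-way SSL, client side: as above, plus the client's own certificate
    (hypothetical file paths) that it presents when the server asks for it."""
    ctx = one_way_client_context(ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

def two_way_server_context(cert_file, key_file, client_ca_file):
    """Two-way SSL, server side: present the server certificate and demand a
    client certificate issued by a CA in client_ca_file (hypothetical paths)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    ctx.verify_mode = ssl.CERT_REQUIRED  # CERT_OPTIONAL would make it one-way again
    return ctx

def unverified_client_context():
    """The misconfiguration to avoid: no CA check and no hostname check, so a
    certificate presented by a device in the middle is accepted silently."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def verifies_peer(ctx):
    """True only if the context refuses peers without a valid trusted certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED
```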

Related Terminology

Certificate Authority

A Certificate Authority (CA) is responsible for issuing digital certificates (SSL certificates, etc.) and certifying that a public key belongs to the subject named in the certificate. Some examples of CAs are SSL.com, GoDaddy, RapidSSLonline and Comodo. Figure 7 shows a certificate issued by SSL.com.

Figure 7. Certificate Issued by SSL.com.

SSL Certificate (A type of X.509 certificate)

An SSL certificate is signed by a trusted CA and is trusted by the OS, web browser, etc. SSL certificates follow the X.509 standard, which means a certificate contains the public key, the identity of the hostname, the organization, etc. SSL certificates are shared between the client and the server to build a secure connection between them.

HTTP vs HTTPS

HTTPS is the secured version of HTTP. Here all the packets transferred between the client and the server are encrypted with either a public or private key. Because of this, most websites enable HTTPS as the default protocol. Most websites that use HTTPS have an SSL/TLS certificate (TLS, Transport Layer Security, is the successor of SSL) signed by a publicly trusted CA. Figure 8 shows the difference between websites that are protected and unprotected with a trusted SSL/TLS certificate.

Figure 8. Protected vs Unprotected with SSL Certificate.

Conclusion

  • ARP Spoofing and DNS Spoofing are categorized as Man in the Middle (MitM) attacks.
  • DNS servers are used to obtain the IP addresses corresponding to domain names.
  • SSL certificates are shared between the client and the server to build a secure connection between them.
  • Certificate authorities are responsible for issuing SSL certificates.
