Man in the middle (MITM) attack (Part 01 — ARP poisoning & DNS spoofing)

Ramsunthar Sivasankar, published in Nerd For Tech, Jun 5, 2021 (9 min read)

(source: https://blog.malwarebytes.com/101/2018/07/when-three-isnt-a-crowd-man-in-the-middle-mitm-attacks-explained/)

Most young people play online games, right? There was a time when we played a game called “Barn Buddy”. In that game we had our own farm, a small house, and animals like horses and cows. We could also have a dog to protect the farm from other players stealing goods from it. It was school time back then, so some of my friends didn’t have a PC at home. So they gave their Facebook credentials to a friend who had a PC and asked him to open their Facebook daily and feed the dog in the game, or else the dog would sleep. Here, how can he guarantee that his friend won’t look into his messages, or text someone while pretending to be him? Do you think this is hacking? Technically, no.

MITM

This stands for Man In The Middle attack. It occurs when a perpetrator places himself in the communication between a user and an application, either to listen in or to impersonate one of the parties, so that it looks as though a normal exchange of information is taking place. The attack is usually aimed at stealing personal information such as account details, card details, and credentials. Most of these attacks target business and financial websites where logging in is required.

MITM attack (source: https://www.imperva.com/learn/application-security/man-in-the-middle-attack-mitm/)

It is a form of eavesdropping attack in which the attacker interrupts a conversation or data transfer in progress. After placing themselves in the “middle” of the transfer, as shown in the figure above, the attackers pose as both genuine parties. This lets an attacker intercept data from both sides while also feeding malicious links or other content to both genuine participants in a way that may go undetected.

There are several types of MITM attacks,

  • ARP Cache Poisoning
  • DNS Spoofing
  • IP Spoofing
  • Wi-Fi Eavesdropping
  • Session Hijacking

Let’s discuss some of these MITM attack types.

ARP Cache Poisoning

What is ARP?

ARP stands for Address Resolution Protocol. In a local-area network (LAN), it is the protocol that links a dynamic Internet Protocol (IP) address to a fixed physical machine address (MAC address). This step is essential because IP and MAC addresses have different lengths, so a proper translation is needed before systems can identify each other. IPv4, which is mostly used today, has 32-bit addresses, while MAC addresses are 48 bits long. So ultimately ARP translates a 32-bit IP address to a 48-bit MAC address and vice versa. ARP sits between the Data Link layer and the Network layer, because MAC addresses belong to the Data Link layer and IP addresses are referred to in the Network layer.

How Does ARP Work?

The mapping process begins when a data packet arrives at the gateway of a host machine; the packet prompts ARP to select the MAC address that matches the destination IP address. The host first looks in its ARP cache for a pre-existing translation for that IP address, and only if none exists does the ARP exchange take place.

Let’s say there are two machines, PC1 and PC2, in a LAN, and PC1 wants to send data to PC2. For that, PC1 needs the MAC address of PC2, which it obtains by resolving PC2’s IP address. Once it has PC2’s MAC address, PC1 stores it in its ARP cache (so it can be loaded quickly when needed again) and then sends the data packet.

ARP only translates 32-bit IP addresses to 48-bit MAC addresses, so it is only suitable for IPv4. When packets are sent over IPv6, the Neighbor Discovery Protocol (NDP) is used instead.

ARP Poisoning

(source: https://www.imperva.com/learn/application-security/arp-spoofing/)

This is where the attacker intercepts the communication between the target user and the router. To do this, the attacker must have access to the specific network. In a data transfer there are three things to consider: the IP address (logical address), the subnet mask (range of IPs) and the default gateway (the IP address of the router, which is the endpoint of a specific network). Let’s say there are PC1 (the target) and PC2 (the attacker) in a network that includes a router, Router A. Now PC1 wants to search something on the web, so it broadcasts a request containing the default gateway’s IP address, asking which device has that address. Every device ignores it except Router A, which replies with its MAC address, and PC1 stores this in its ARP cache. Because the request was broadcast, PC2 also knows that PC1 wants to reach the internet, and it has learned PC1’s IP address from that broadcast. PC2 can now clear the target’s ARP cache entry (there are tools that send forged ARP responses, such as Arpspoof or Driftnet) and then send its own MAC address as the answer for the gateway’s IP. PC1 now believes PC2’s MAC address is the router’s and updates its ARP cache accordingly. From then on all of PC1’s network traffic is sent to PC2, which forwards it to the router and does the same in reverse. So PC1 does not know that PC2 sits in the middle of the traffic, monitoring everything.

It can be identified by checking the ARP cache (type arp -a in the command prompt and it will list the IPs and MACs). If two IP addresses have the same MAC address, the system has been attacked. Using two-way SSL is another way to prevent this attack: with two-way SSL the attacker cannot decrypt the messages even if they capture them. The next method is using static ARP entries, which stop devices from accepting ARP responses for those addresses; all we have to do is define the static ARP mapping. We can also use a packet-filtering solution to identify poisoned ARP by checking whether there is any conflicting source information.
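The two checks described above (duplicate MACs in the ARP cache, and the gateway’s cached MAC differing from a known-good static mapping) can be automated over the output of arp -a. The following is an added example, not code from the original article; the arp -a text, the addresses and the “known gateway MAC” are constructed sample values, and the regular expression assumes the Windows arp -a column layout.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (not captured from a real host).
# 192.168.1.1 is the gateway; note that 192.168.1.1 and 192.168.1.50 share a MAC,
# which is exactly the symptom the article says to look for.
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.77          aa-bb-cc-dd-ee-77     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Hypothetical known-good gateway MAC, e.g. recorded when the network was set up
# (this is the value you would also pin with a static ARP entry).
KNOWN_GATEWAY = {"192.168.1.1": "aa-bb-cc-dd-ee-99"}

# One cache entry: IPv4 address, dash-separated MAC, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return a list of (ip, mac, type) tuples from `arp -a` style output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries.append((ip, mac.lower(), kind.lower()))
    return entries


def is_noise(mac):
    """Broadcast and IPv4 multicast entries legitimately carry shared MACs; skip them."""
    return mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e")


def find_duplicate_macs(entries):
    """Map each MAC that is claimed by more than one unicast IP to the list of those IPs."""
    by_mac = defaultdict(list)
    for ip, mac, _ in entries:
        if not is_noise(mac):
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def check_gateway(entries, known):
    """Return the gateway IPs whose cached MAC differs from the recorded known-good one."""
    cached = {ip: mac for ip, mac, _ in entries}
    return [ip for ip, mac in known.items() if ip in cached and cached[ip] != mac.lower()]


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    for mac, ips in find_duplicate_macs(table).items():
        print(f"MAC {mac} is claimed by {len(ips)} hosts: {', '.join(ips)}")
    for ip in check_gateway(table, KNOWN_GATEWAY):
        print(f"gateway {ip} has a MAC that differs from the recorded value")
```

On a real host you would feed the script the captured output of arp -a instead of the constructed sample; the duplicate-MAC check needs no prior knowledge, while the gateway check only works if you recorded the router’s real MAC beforehand.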

DNS spoofing

what is DNS

It stands for Domain Name System, and it is like the contact list in your mobile phone, which matches people’s names with their phone numbers. Every website has a unique IP address, and as the network population grows it is impossible for people to memorise the IP addresses of all the websites. That is where DNS comes in: it maps the unique address of a website to a human-readable domain name. There are several websites where we can buy domain names and assign them to our own sites. For example,

if you want to know the IP address of Google there are several ways to find out, and I’ll show you one. All you have to do is open your command prompt and type ping google.com, and you will get something like the following,

As you can see, when I ping Google it responds with the IP address in square brackets. (This is a dynamic one; DNS holds a large number of IPs for Google, and the OS and browser shuffle the list from time to time.)

How DNS works ?

There are four main DNS servers involved in loading a website:

  • DNS recursor — This receives queries from the client through the web browser and makes the additional requests.
  • Root nameserver — This is responsible for translating a human-readable domain into an IP address; basically it works as a reference to other, more specific locations.
  • TLD nameserver — This is the Top Level Domain nameserver, the next step in searching for the specific IP. It holds the last part of the hostname (in www.google.com, the Top Level Domain is “com”).
  • Authoritative nameserver — This is the last place where the search happens; if this server has the record for the requested website, it returns the IP for the hostname to the place (the DNS recursor) that made the initial request.

So let’s say the user requests google.com (just an example) in the browser. The request first goes to the recursive resolver (DNS recursor), which is usually operated by the Internet Service Provider. The resolver then talks to a Root server. The Root server points to the other DNS servers around the world that hold the DNS details for the TLD. Importantly, there are many servers supporting the Root server, so DNS makes sure the user is sent to a server that is close to him. Every TLD nameserver stores both the TLD and the second-level domain, so the TLD nameserver returns the IP address of the domain’s name server. The domain’s name server then receives the query from the recursive resolver; this DNS server knows the IP for the entire domain, and the address for google.com is sent back to the recursive resolver. Now the browser can load the IP address given by the recursive resolver, and finally it can show the content of the site by requesting it from that website.
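The chain just described (recursor asks root, root refers to the TLD server, TLD server refers to the authoritative server, the answer is cached) can be simulated end to end. The following is an added example, not code from the article or from any real resolver: the three “servers” are plain dictionaries of constructed zone data, the server names are invented placeholders, and the addresses come from the 192.0.2.0/24 documentation range. It also shows the failure path the walkthrough does not cover: a name nobody is authoritative for.

```python
# Constructed toy zone data (hypothetical servers and documentation-range addresses).
ROOT_REFERRALS = {"com": "tld-com.example"}  # root: which server handles each TLD
TLD_REFERRALS = {                            # TLD: each domain's authoritative nameserver
    "tld-com.example": {"google.com": "ns.google-auth.example"},
}
AUTH_RECORDS = {                             # authoritative: the actual A records
    "ns.google-auth.example": {
        "www.google.com": "192.0.2.10",
        "google.com": "192.0.2.11",
    },
}


class RecursiveResolver:
    """Minimal stand-in for the ISP's recursive resolver, including its cache."""

    def __init__(self):
        self.cache = {}

    def resolve(self, name):
        """Return (ip_or_None, trace); trace lists each server consulted, in order."""
        name = name.lower().rstrip(".")
        trace = []
        if name in self.cache:
            trace.append("cache")           # answered locally, no servers contacted
            return self.cache[name], trace

        labels = name.split(".")
        if len(labels) < 2:
            return None, trace              # not a resolvable hostname
        tld = labels[-1]
        domain = ".".join(labels[-2:])

        # Step 1: a root server does not know the address, only who serves the TLD.
        trace.append("root")
        tld_server = ROOT_REFERRALS.get(tld)
        if tld_server is None:
            return None, trace              # unknown TLD: resolution fails here

        # Step 2: the TLD server refers us to the domain's authoritative nameserver.
        trace.append(tld_server)
        auth_server = TLD_REFERRALS.get(tld_server, {}).get(domain)
        if auth_server is None:
            return None, trace              # domain not delegated: fails here

        # Step 3: the authoritative server holds the A record we actually want.
        trace.append(auth_server)
        ip = AUTH_RECORDS.get(auth_server, {}).get(name)
        if ip is not None:
            self.cache[name] = ip           # cached so the next query skips all of this
        return ip, trace


if __name__ == "__main__":
    resolver = RecursiveResolver()
    for query in ("www.google.com", "www.google.com", "nosuch.org"):
        ip, trace = resolver.resolve(query)
        print(f"{query} -> {ip} via {' -> '.join(trace)}")
```

The cache entry written in step 3 is the thing DNS cache poisoning targets: whoever gets a wrong answer into that dictionary controls every client the resolver serves until the record expires or is flushed.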

Now let’s see how an attack can happen using DNS,

(source: https://www.imperva.com/learn/application-security/dns-spoofing/)

DNS spoofing is also known as DNS cache poisoning. Here an attacker changes a DNS record so that online traffic is redirected to a fake website that looks like the original page. Let’s say the attacker creates a fake Facebook login page and alters the DNS record, and also makes a food-discount poster as click bait. When the client sees the poster he may want the discount, so he clicks it and is redirected to the fake website, which in this scenario is a Facebook login page. The client enters his username and password with a bright smile on his face to redeem the discount. Through the fake site the attacker now has the username and password, and sometimes the attacker then redirects the client to the official web page to log in again. Usually we don’t mind, right? We may think “oh, maybe I typed the wrong password” and try again, and obviously it opens his profile because that is the official page.

If you are visiting a website for the first time, its details are saved in your local DNS cache; you can view that by typing ipconfig /displaydns in the command prompt.
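Looking at ipconfig /displaydns by eye only helps if you know what the answer should have been. The following is an added example, not code from the article: it parses constructed ipconfig /displaydns output and compares each cached A record against a hypothetical allow-list of networks the name is expected to resolve into, flagging anything outside them. The cache text, the names’ expected ranges and the addresses (all from documentation ranges) are constructed sample values, and the parser assumes the Windows “Record Name … / A (Host) Record …” layout.

```python
import ipaddress
import re

# Constructed sample of Windows `ipconfig /displaydns` output (not captured from a real host).
# 203.0.113.5 stands in for a poisoned answer; 198.51.100.7 for a legitimate one.
SAMPLE_DISPLAYDNS = """
Windows IP Configuration

    facebook.com
    ----------------------------------------
    Record Name . . . . . : facebook.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 120
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.5

    example.com
    ----------------------------------------
    Record Name . . . . . : example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 3600
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 198.51.100.7
"""

# Hypothetical allow-list: the networks each name is expected to resolve into.
# In practice you would build this from answers obtained over a trusted path.
EXPECTED_RANGES = {
    "facebook.com": ["198.51.100.0/24"],
    "example.com": ["198.51.100.0/24"],
}

NAME_RE = re.compile(r"Record Name[ .]*:\s*(\S+)")
A_RE = re.compile(r"A \(Host\) Record[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def parse_displaydns(text):
    """Return {record_name: [ipv4, ...]} from `ipconfig /displaydns` style output."""
    records = {}
    current = None
    for line in text.splitlines():
        m = NAME_RE.search(line)
        if m:
            current = m.group(1).lower().rstrip(".")
            records.setdefault(current, [])
            continue
        m = A_RE.search(line)
        if m and current is not None:
            records[current].append(m.group(1))
    return records


def find_unexpected_answers(records, expected):
    """Return [(name, ip), ...] for cached answers outside the expected networks."""
    suspicious = []
    for name, ips in records.items():
        if name not in expected:
            continue  # nothing recorded for this name, so nothing to compare against
        nets = [ipaddress.ip_network(n) for n in expected[name]]
        for ip in ips:
            if not any(ipaddress.ip_address(ip) in net for net in nets):
                suspicious.append((name, ip))
    return suspicious


if __name__ == "__main__":
    cached = parse_displaydns(SAMPLE_DISPLAYDNS)
    for name, ip in find_unexpected_answers(cached, EXPECTED_RANGES):
        print(f"{name} resolved to {ip}, outside the expected ranges; consider ipconfig /flushdns")
```

A hit here is a prompt to investigate and flush the cache, not proof of an attack: large sites legitimately move between address blocks, so the allow-list has to be kept current.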

How can we prevent DNS spoofing

  • Using DNS spoofing detection tools — these scan all incoming data before sending the responses.
  • Using Domain Name System Security Extensions (DNSSEC) — a set of protocols that act as an extra layer on top of DNS and monitor its data exchanges.
  • Using end-to-end encryption (SSL).
  • As a user, flush the DNS cache if you find anything suspicious. To flush the DNS cache, simply go to CMD and type ipconfig /flushdns.
  • It is also better to use a VPN, since it provides a private DNS server that already uses end-to-end encryption.

So this is it, and I will talk about the rest of the attacks and prevention methods in upcoming articles.

Ramsunthar Sivasankar
Nerd For Tech

MSc student of Greenwich University || Software Engineer