On-Path Attacks – SY0-601 CompTIA Security+ : 1.4

An attacker in the middle of a conversation can access information and modify data flows. In this video, you’ll learn about on-path attacks on the network and in the browser.

In an on-path attack, an attacker sits in the middle between two stations and is able to intercept, and in some cases change, the information being sent interactively across the network. This is a type of attack that can occur without anyone knowing that someone is sitting in the middle of the conversation. In fact, you might often hear this referred to as a man-in-the-middle attack. The key to the on-path attack is that the original data stream is intercepted by the person in the middle of the conversation, and that information is then passed on to the destination. This allows the attacker sitting in the middle to read everything going back and forth between these two devices, and it may also allow the attacker to modify the information as it’s being transmitted.

A common on-path attack on a local IP subnet is ARP poisoning, or Address Resolution Protocol poisoning. It works because ARP, as a protocol, does not have any type of security associated with it. Devices receive ARP messages and modify their ARP tables without any type of authentication or any type of encryption. This allows an attacker to send ARP messages to any device on the local subnet, and those local devices will interpret the messages as if they were coming from a legitimate source.

Here’s the way ARP normally works. You’re on a workstation, and you’re communicating with a router that’s on your local subnet. You can see the workstation here is 192.168.1.9, and the router is 192.168.1.1. Also, you can see that the MAC address of this device and the MAC address of the router are listed. Those will be important when we go through the ARP process.

When this device first connects to the network, it needs to know the MAC address of this router, but all it has is the IP address. So it will send an Address Resolution Protocol, or ARP, message out, and that message will ask who is 192.168.1.1, expecting to receive the MAC address in return. Since this router is on this local subnet and can see all of these broadcasts, it will see this request for 192.168.1.1, which is its IP address, and it will send back its MAC address to the requesting station. At that point, the requesting station will store that information in a local ARP cache. This is a cache in the memory of the device, and it means that every time this device wants to transmit, it won’t have to go through the Address Resolution Protocol process again. It can simply check its cache, find the MAC address, and send that information directly.

For an on-path attack using ARP poisoning, the attacker will need to be on the local network. In this case, the attacker has an IP address of 192.168.1.14, and you can see the MAC address of the attacker’s device. To perform this ARP poisoning, the attacker will send an Address Resolution Protocol response message to the device that it would like to poison.

This device did not ask for this information. This is completely unprompted. But because ARP doesn’t have any security associated with it, those types of messages will be received and interpreted by the receiving device.

The victim device receives the ARP message and changes the information in its cache. Going forward, anything that’s sent to 192.168.1.1 will not be sent to the router directly, but instead will be sent to this MAC address, which belongs to the attacker. The poisoning is now complete on the victim computer. To be in the middle of the conversation in both directions, the attacker will perform exactly the same poisoning against the router. Once that poisoning is complete on both sides, anything sent between the victim’s machine and the router will be relayed through the attacker’s device.
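The ARP exchange above has a useful defensive property: every step the attacker takes leaves a visible trace on the wire. Here is an added example, not part of the video, of a passive monitor that learns IP-to-MAC bindings the way the victim’s ARP cache would and flags the three indicators the lesson implies: a reply nobody asked for, a reply that contradicts an existing binding, and one MAC address answering for several IPs. The IP addresses follow the video’s scenario (workstation 192.168.1.9, router 192.168.1.1, attacker 192.168.1.14); the MAC addresses and the sample traffic are constructed placeholders, since the page text does not give them.

```python
"""Passive ARP-poisoning detection over observed ARP traffic.

Added example (not from the video): mirrors what a host's ARP cache learns
and flags the indicators the lesson describes. IP addresses match the
video's scenario; MAC addresses and the traffic sample are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpMessage:
    op: str          # "request" or "reply"
    sender_ip: str   # the IP the sender claims to own
    sender_mac: str  # the MAC the sender wants cached for that IP
    target_ip: str
    target_mac: str


@dataclass
class ArpMonitor:
    """Trust-on-first-use view of the subnet's IP-to-MAC bindings."""
    bindings: dict = field(default_factory=dict)  # ip -> first MAC seen (kept even when contradicted)
    claims: dict = field(default_factory=dict)    # mac -> every IP that MAC has ever claimed
    pending: set = field(default_factory=set)     # IPs with an outstanding request on the wire
    alerts: list = field(default_factory=list)

    def observe(self, msg: ArpMessage) -> list:
        """Process one message; return the list of indicator codes it triggered."""
        if msg.op == "request":
            # Someone is asking "who is target_ip?", so a reply for it is expected.
            self.pending.add(msg.target_ip)
            reasons = self._check_binding(msg.sender_ip, msg.sender_mac)
        elif msg.op == "reply":
            reasons = []
            # Gratuitous ARP (a host announcing its own address) is unsolicited by
            # design and common on healthy networks, so only the binding check applies.
            gratuitous = msg.sender_ip == msg.target_ip
            if msg.sender_ip in self.pending:
                self.pending.discard(msg.sender_ip)
            elif not gratuitous:
                # Nobody asked "who is sender_ip?": the unprompted reply from the lesson.
                reasons.append("unsolicited-reply")
            reasons += self._check_binding(msg.sender_ip, msg.sender_mac)
        else:
            raise ValueError(f"unknown ARP op {msg.op!r}")
        if reasons:
            self.alerts.append({"claimed_ip": msg.sender_ip, "mac": msg.sender_mac, "reasons": reasons})
        return reasons

    def _check_binding(self, ip: str, mac: str) -> list:
        reasons = []
        first_mac = self.bindings.setdefault(ip, mac)
        if first_mac != mac:
            # A legitimate NIC swap trips this too, so it needs an operator's eye;
            # the trusted binding is deliberately left as first seen.
            reasons.append("binding-change")
        seen_ips = self.claims.setdefault(mac, set())
        if seen_ips and ip not in seen_ips:
            # One MAC answering for several IPs is how the attacker ends up
            # standing in for both the router and the victim.
            reasons.append("mac-claims-multiple-ips")
        seen_ips.add(ip)
        return reasons


# Constructed placeholder MACs; the video shows real ones on screen, the page text does not.
WORKSTATION_MAC = "00:1a:2b:00:00:09"
ROUTER_MAC = "00:1a:2b:00:00:01"
ATTACKER_MAC = "00:1a:2b:00:00:14"
ZERO_MAC = "00:00:00:00:00:00"

SAMPLE_TRAFFIC = [
    # Normal resolution from the lesson: the workstation asks, the router answers.
    ArpMessage("request", "192.168.1.9", WORKSTATION_MAC, "192.168.1.1", ZERO_MAC),
    ArpMessage("reply", "192.168.1.1", ROUTER_MAC, "192.168.1.9", WORKSTATION_MAC),
    # The attacker's host resolves the router legitimately, so its own MAC is now known.
    ArpMessage("request", "192.168.1.14", ATTACKER_MAC, "192.168.1.1", ZERO_MAC),
    ArpMessage("reply", "192.168.1.1", ROUTER_MAC, "192.168.1.14", ATTACKER_MAC),
    # Poisoning in both directions: unprompted replies claiming the other side's IP.
    ArpMessage("reply", "192.168.1.1", ATTACKER_MAC, "192.168.1.9", WORKSTATION_MAC),
    ArpMessage("reply", "192.168.1.9", ATTACKER_MAC, "192.168.1.1", ROUTER_MAC),
]


def analyze(traffic) -> ArpMonitor:
    """Run the monitor over a sequence of messages and return it for inspection."""
    monitor = ArpMonitor()
    for msg in traffic:
        monitor.observe(msg)
    return monitor


if __name__ == "__main__":
    result = analyze(SAMPLE_TRAFFIC)
    for alert in result.alerts:
        print(f"ALERT {alert['claimed_ip']} is-at {alert['mac']}: {', '.join(alert['reasons'])}")
    print("trusted binding for 192.168.1.1:", result.bindings["192.168.1.1"])
```

The first four messages produce no alerts; each of the two poisoning replies raises all three indicators, and the monitor’s trusted binding for 192.168.1.1 stays on the router’s MAC. This is the same idea behind tools such as arpwatch and the dynamic ARP inspection feature on managed switches, which the lesson’s later videos cover: ARP itself cannot be made to authenticate, so the defence is to watch for bindings that change without a corresponding request.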

An on-path attack is not an easy attack to execute. In the example with ARP poisoning, you saw that we needed to be on the local network, and that’s not always something that’s accessible to an attacker. It would be much easier if the attacker was on the same computer as the victim. With an on-path browser attack, the malware that is the relay between the victim and the other devices exists on the same computer as the victim. It’s effectively in the browser of the victim’s computer.

This type of attack has malware that’s running on the victim’s machine, and it’s usually not a person that’s handling the relay, but an automated process within the malware. Having malware on the same machine perform this on-path attack provides a number of advantages. Over the network, any encrypted data, even though it was proxied or relayed through a secondary device, would still be encrypted.

There’s no way for someone to be able to decrypt that data as it’s going by without one side or the other knowing that that’s happening. But if you’re on the same computer as the victim, you’re able to see all of the data in its raw, unencrypted form. It’s these types of on-path browser attacks that sit behind the scenes, wait for you to log into your bank, for example, and then begin transferring information out of your account because they’re able to grab all of that data on your machine.

With the on-path browser attack, the malware simply sits in the background and waits for you to log into your bank. Once you log in, the bank trusts the browser that you’re using, it trusts the computer IP address that you’re coming from, and the authentication is complete. The malware behind the scenes can capture login credentials, capture keystrokes, recognize that you’re logged into your bank account, and then begin transferring money from one bank account to another or making modifications to your bank account. This is another good example of why it’s important to keep your antivirus and anti-malware up to date, so that they can always be watching for an on-path browser attack.