On-Path Attacks – CompTIA A+ 220-1102 – 2.4

An on-path attack can view and modify network traffic without the user knowing an attack is occurring. In this video, you’ll learn about on-path attacks and how ARP poisoning can be used to create an on-path attack.


There’s an interesting attack that allows an attacker to sit between two devices, see everything that passes back and forth, and in some cases modify the information being sent. We refer to this as an on-path attack. Sometimes you’ll hear this referred to as a man-in-the-middle attack. From the end user’s perspective, they have no idea that someone is in the middle of their conversation and potentially changing the data they’re sending to each other.

One of these types of on-path attacks can be done on a local subnet. It’s called ARP poisoning, and it takes advantage of the fact that ARP has no authentication at all, which lets the attacker get into the middle of a conversation. Every device keeps an ARP cache, a list of the IP addresses it has talked to and the MAC address associated with each one. When you first start your computer, the cache is empty. As you begin connecting to other devices, you add IP address and MAC address pairs to the cache.

Here’s an example of ARP spoofing. We have a laptop that will be logging in to the command line on a router. The laptop has an IP address of 192.168.1.9, and the router is 192.168.1.1. You can also see the MAC addresses of these two devices. The laptop’s MAC address ends in 38:d5, and the router’s MAC address ends in bb:fe.

The laptop knows the IP address of the router, but it can’t communicate with it until it learns the router’s MAC address. The way you resolve that MAC address is by sending an Address Resolution Protocol broadcast. So here we’re sending the ARP request, “Who is 192.168.1.1?” That message is sent to everyone on the local network.

The router is on the local network, so it sends back a reply saying, “I am 192.168.1.1, and here is my MAC address ending in bb:fe,” so the laptop knows who to communicate with. When the laptop receives that reply, it adds the information to its ARP cache, so it now knows that 192.168.1.1 is the MAC address of the router. On most operating systems, that ARP cache entry sticks around for a number of minutes. Then it drops out of the cache, and the ARP process has to occur again.

You may have noticed that there was no security associated with that conversation. There were no usernames, no passwords, no mutual authentication, and no other method that would confirm we were really communicating with the router. This is the vulnerability that attackers take advantage of with ARP poisoning.

Let’s say that we have an attacker on this local network. The attacker has an IP address of 192.168.1.14, and its MAC address ends in ee:ff. To begin the attack, the attacker sends the laptop a spoofed, unsolicited ARP reply claiming that 192.168.1.1 is at the MAC address ending in ee:ff, which is, of course, the MAC address of the attacker’s computer.

When the laptop receives this, it simply assumes the router’s MAC address has changed. It keeps the same IP address in its ARP cache, but the MAC address is now the attacker’s. This means anything the laptop sends to 192.168.1.1 no longer goes directly to the router; it goes to the attacker. To complete the attack, the attacker performs exactly the same ARP poisoning against the router, telling it that 192.168.1.9 is at the attacker’s MAC address. Now the attacker is sitting in the middle of the conversation, forwarding each packet on to its real destination so neither side notices, and watching all of the traffic that goes back and forth.
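The exchange described above, as an added example that is not part of the original video: a small simulation of the laptop’s and router’s ARP caches, the legitimate resolution, the two spoofed replies, and the two checks a defender would run on a host afterwards (a known IP suddenly answering from a different MAC, and one MAC bound to more than one IP). The full MAC addresses are constructed; the page only gives the last two octets.

```python
from dataclasses import dataclass

# Constructed sample hosts following the video's diagram. The page gives only
# the last two MAC octets (38:d5, bb:fe, ee:ff); the leading octets are made up.
LAPTOP_IP, LAPTOP_MAC = "192.168.1.9", "02:00:00:00:38:d5"
ROUTER_IP, ROUTER_MAC = "192.168.1.1", "02:00:00:00:bb:fe"
ATTACKER_IP, ATTACKER_MAC = "192.168.1.14", "02:00:00:00:ee:ff"


@dataclass(frozen=True)
class ArpReply:
    """An ARP reply as a host sees it: 'sender_ip is at sender_mac'."""
    sender_ip: str
    sender_mac: str


class ArpCache:
    """Per-host IP -> MAC table. Like a real stack, learn() believes any reply
    it receives; nothing authenticates the sender, which is the weakness
    ARP poisoning exploits."""

    def __init__(self):
        self.table = {}
        self.alerts = []   # arpwatch-style log of rebinding events

    def learn(self, reply):
        old = self.table.get(reply.sender_ip)
        if old is not None and old != reply.sender_mac:
            # A known IP suddenly answering from a different MAC is the main
            # on-host indicator of poisoning (or of a genuine NIC replacement).
            self.alerts.append(
                f"{reply.sender_ip} moved from {old} to {reply.sender_mac}")
        self.table[reply.sender_ip] = reply.sender_mac

    def resolve(self, ip):
        return self.table.get(ip)


def duplicate_macs(table):
    """Return {mac: [ips]} for MACs bound to more than one IP. After a
    successful poisoning the attacker's MAC appears both for its own IP and
    for the host it is impersonating."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def simulate_poisoning():
    laptop, router = ArpCache(), ArpCache()

    # Step 1: normal resolution. The laptop broadcasts "who is 192.168.1.1?"
    # and the router answers; the router learns the laptop the same way.
    laptop.learn(ArpReply(ROUTER_IP, ROUTER_MAC))
    router.learn(ArpReply(LAPTOP_IP, LAPTOP_MAC))
    # The attacker is just another host on the subnet at this point.
    laptop.learn(ArpReply(ATTACKER_IP, ATTACKER_MAC))
    before = {"laptop": laptop.resolve(ROUTER_IP),
              "router": router.resolve(LAPTOP_IP)}

    # Step 2: the attacker sends unsolicited, spoofed replies to both sides:
    # "192.168.1.1 is at ee:ff" to the laptop and "192.168.1.9 is at ee:ff"
    # to the router. Both caches now point at the attacker.
    laptop.learn(ArpReply(ROUTER_IP, ATTACKER_MAC))
    router.learn(ArpReply(LAPTOP_IP, ATTACKER_MAC))
    after = {"laptop": laptop.resolve(ROUTER_IP),
             "router": router.resolve(LAPTOP_IP)}

    return {
        "before": before,
        "after": after,
        "alerts": laptop.alerts + router.alerts,
        "laptop_duplicates": duplicate_macs(laptop.table),
    }


if __name__ == "__main__":
    for key, value in simulate_poisoning().items():
        print(key, value)
```

On a real host the same two checks map to `arp -a` (Windows, macOS) or `ip neigh` (Linux): the gateway’s entry should never change MAC mid-session, and no MAC should appear against two IP addresses.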

There are a number of limitations to an ARP poisoning attack. The attacker first has to gain access to your network and then be on the same IP subnet as the two devices they want to intercept, and switches that enforce Dynamic ARP Inspection can drop the spoofed replies before they reach anyone. But there are ways to perform an on-path attack that don’t have these limitations. One of these is an on-path browser attack, where the middleman is inside the browser you’re using.

This means the attacker doesn’t have to be on the local subnet or gain access to the local network at all. They just need to gain access to the device itself, so they can install the malware that provides the on-path functionality. This solves a lot of the problems an attacker has when capturing traffic over the network, especially when that traffic is encrypted. If the information is captured inside the browser, it hasn’t been encrypted yet, and the attacker can see everything that is sent and received.

Now the attacker is monitoring everything you type into the browser, all information sent and received by the browser, and anything else you do inside that browser session. So the next time you log in to your bank with your username and password, all of that information is provided to the attacker. And because the attacker controls this system, they can send commands back to the device to open additional sessions to your bank and begin transferring money from one account to another.