A man-in-the-middle attack allows the attacker to invisibly watch everything you’re doing. In this video, you’ll learn about man-in-the-middle attacks and how one type of man-in-the-middle attack can take advantage of ARP traffic.
<< Previous Video: Zero-day Attacks Next: Brute Force Attacks >>
What if there was a way for an attacker to get in the middle of a conversation that you’re having, to be able to view the information you’re sending, or to change the information as you’re sending it from one place to the other? This type of attack is called a man-in-the-middle attack. Most man-in-the-middle attacks are designed to get that attacker between you and another device. And neither you, nor the receiving station, knows that there’s someone in the middle who is intercepting all of this information, looking to see what information is inside of your network traffic, and then forwarding it to the correct location.
One common way to perform a man-in-the-middle attack is something called an ARP poisoning. This is using the lack of security in the Address Resolution Protocol to be able to sit in the middle of two devices. In normal network communication, there are devices that are communicating to others on the network.
Normally, we know the IP address of the device we’d like to communicate with. For example, this laptop at 192.168.1.9 would like to communicate with this router at 192.168.1.1. But in order for this communication to occur, this laptop needs to know the MAC address, or Media Access Control address, of this router.
To be able to find that information, this laptop sends a broadcast to everyone on the network and says, if you happen to be 192.168.1.1, please reply back with your MAC address. This router will see that broadcast and send back the reply, saying that I am, indeed, 192.168.1.1. And here is my MAC address, that you can now use to communicate directly with me.
Once the laptop receives that information, it caches it so it doesn’t have to keep asking over and over again. Instead, it keeps this information on its local device for a certain amount of time. And now we can see that 192.168.1.1 is listed in the cache with its appropriate MAC address.
For a man-in-the-middle attack, we need to have a third party that sits in the middle of the conversation. In this case, our attacker is 192.168.1.14. And you can see the MAC address here, made up of aa:bb:cc:dd:ee:ff. To start this attack, our attacker sends an unsolicited ARP response to our laptop device. This ARP response is now going to say that the attacker is actually 192.168.1.1. And here is the new MAC address you should be using instead.
When this laptop receives that ARP response, it changes the cache to update to the newer MAC address. There’s no security built into the Address Resolution Protocol. And all devices receiving these ARP responses will take them as being legitimate.
The attacker could perform another ARP poison to the router and therefore, sit in the middle of the conversation. This means the communication flow continues between these two device, except now it’s being intercepted by someone in the middle. And neither the laptop nor the router know that there is a man-in-the-middle attack.
The ARP poisoning is just one of many ways to perform a man-in-the-middle attack. One way that you could mitigate these types of attacks is to use encrypted protocols. If you’re communicating with a web browser, make sure you use https. If you’re communicating to the console of a device, use SSH instead of Telnet. Instead of encrypting based on the application, we could use a client-based VPN, and encrypt an entire virtual private network, so that all of the data center from your device will be encrypted.
Although this doesn’t mitigate the actual ARP poisoning, or allowing someone to sit in the middle of a conversation, it does make all of your information private. And even if someone was able to see it, they wouldn’t be able to make out anything that was being communicated through the network. Unencrypted wireless networks are another great place to find man-in-the-middle attacks. So it’s always a good idea to use an encrypted wireless network, instead of one you might find on an open network, such as a coffee shop or a hotel.