The redirection of traffic without the knowledge of the endpoints is a significant security concern. In this video, you’ll learn about man in the middle attacks and how a bad guy can use ARP poisoning to spoof and redirect network traffic.
<< Previous: Social EngineeringNext: VLAN Hopping >>
One of the security challenges around a man-in-the-middle attack is that a bad guy can sit in the middle of a conversation and see all of your traffic. And you have no idea it’s occurring. This is all done with redirection by the third party.
They’re receiving information from you and simply redirecting it somewhere else. And the process on the way back follows the same path. It receives the response, and then redirects it to your device. And by sitting in the middle, it’s able to see all of the traffic that you’re sending through the network.
One common method of performing a man-in-the-middle attack on a local subnet is to use something called ARP poisoning. This is where a device is spoofing itself and pretending to be someone else and using the ARP protocol to be able to sit in the middle of a conversation.
Spoofing is used in a number of methods to circumvent security measures. When you’re spoofing, you’re pretending to be someone else who’s on the network. You’re not really that IP address or you’re not really that MAC address, but you are certainly sending information as if you really were.
You can modify a MAC address easily in most drivers so that if you wanted your MAC address to match another device on the network, you simply change a configuration that’s inside the driver of your network card.
IP addresses can be easily spoofed. You can make a request pretending you’re someone else. And you can look at the response going back to the real IP address instead of going back to your specific IP address. We see this often for things like denial of service attacks, especially those that are using distributed denial of service attacks. In this way, you’re able to send information to one location, but have all of the responses go to someone else.
Here’s exactly how the bad guys use an ARP poison on a local subnet to be able to sit in the middle of a conversation. First, let’s look at the normal conversation you might have.
Here’s your device on the network. You’re 192.168.1.9. Here’s your MAC address. And then on the network is the router that you communicate to to send all of your internet traffic. And that router is 192.168.1.1. And you can see its MAC address here.
Well, when you first hit the network, you have no idea where your router is. So you’re going to send an ARP request asking, who is 192.168.1.1? I need the MAC address so that I can then send information to you. And you can send it off to the internet.
At this point, the router responds with, I’m 192.168.1.1. And this is my MAC address. Your device then takes that information and stores it in a cache. This is the ARP cache. And you can see it matches 192.168.1.1. And it matches that MAC address we just received. And everything matches up.
This is where the bad guy steps in. They’re going to now send an ARP response to your device that you never asked for. But most devices are recognizing when an ARP comes in and updates the cache for these new values.
So this bad guy is 192.168.1.14. And you can see his MAC address of a, b, c, d, e, and f. He sends an ARP response to 192.168.1.9 saying, no, no, I’m 192.168.1.1. And here is my MAC address. Notice that the MAC address is really listed as the one that’s associated with the bad guy.
Your device sees this update to the ARP, says, oh, well, I need to change my ARP cache. 192.168.1.1 is really this MAC address. And at this point, all of your traffic that would normally go to the internet, instead of going to the correct router, is now going to the bad guy’s device.
He’s going to receive your traffic, examine it, look for information that’s valuable to him, send it to the original router, and the normal communication takes place. So you’re still able to surf the internet. You’re still able to contact the different websites that are out there. And you have no idea that somebody is sitting in the middle of the conversation and looking at everything that goes by.
Category: CompTIA Network+ N10-006