pig / ManInTheMiddle

Man in the Middle Attacks

Man in the Middle attacks are surprisingly straightforward given how much they can ruin your life.

How do they work?

The MitM attacks described here rely on ARP cache poisoning.

ARP

ARP is the Address Resolution Protocol. It consists of 4 basic messages:

  1. ARP request -- Computer A asks the network: who has IP B?
  2. ARP reply -- The computer with IP B replies: I do! (Everyone else ignores the message)
  3. RARP request -- Computer A asks the network: who has MAC address B?
  4. RARP reply -- The computer with MAC address B replies: I do!

Every device on the network has a cache of ARP records so that it doesn't have to do this constantly.

ARP Cache Poisoning

Naturally, the ARP protocol contains no method for authentication. Even worse, a machine accepts an ARP reply without checking whether it ever sent a matching request.

In other words, to poison the ARP cache all you need to do is send replies with incorrect information.

Man in the Middle Attacks

To do a man in the middle attack, then, all you need to do is tell the computers you want to sit in between that you are the other computer.

For example, you're computer M, and want to find out or modify what A is sending to B.

You tell B that you're A, and A that you're B, and watch the packets flow.

How do we do it?

We use a tool called arpspoof from dsniff. In our example attacks, we intercept all traffic between the target machine and the gateway. See src/scripts/mitm-attack.bash.

How do we detect it?

The Man in the Middle Threatomata queries our pre-cached (and therefore assumed safe) ARP tables, and compares every packet to those.

If a packet's source or destination IP or MAC address appears in the ARP tables but does not match the cached mapping, we have an attack. Or something has gone horribly wrong, but we treat it like an attack anyway.

Or a machine was replaced and has a new MAC address for the old IP, and we still think it's an attack. If this were a real IDS, we'd have a more convenient way to update ARP records. As it is, eh.
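The check described above, as an added example that is not the project's own detector code: a small ARP parser for the four-message protocol from the ARP section, plus a detector that compares every packet's sender IP/MAC pair against a pre-cached trusted table in both directions. It also flags replies that answer no request it has seen, which follows from the observation that hosts never make that check themselves (gratuitous ARP trips it too, and, like the page's detector, it errs toward treating that as an attack). The trusted table, the three ARP frames and all addresses are constructed sample input; nothing is captured from a real network.

```python
"""Detect ARP cache poisoning by checking ARP packets against a trusted table."""
import struct
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    oper: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(raw: bytes) -> str:
    return ":".join(f"{x:02x}" for x in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(x) for x in raw)


def parse_arp(payload: bytes) -> ArpPacket:
    """Parse the 28-byte Ethernet/IPv4 ARP payload that follows the Ethernet header."""
    if len(payload) < 28:
        raise ValueError("ARP payload too short")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return ArpPacket(oper, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


class ArpPoisonDetector:
    """Flags packets whose sender IP/MAC pair contradicts the pre-cached table,
    and replies that answer no request we observed (hosts accept those anyway)."""

    def __init__(self, trusted: dict):
        self.ip_to_mac = dict(trusted)                      # assumed-safe ARP table
        self.mac_to_ip = {m: i for i, m in trusted.items()}  # reverse lookup
        self.pending = set()                                # (asker_ip, asked_ip)

    def observe(self, pkt: ArpPacket) -> list:
        alerts = []
        if pkt.oper == ARP_REQUEST:
            self.pending.add((pkt.sender_ip, pkt.target_ip))
        elif pkt.oper == ARP_REPLY:
            key = (pkt.target_ip, pkt.sender_ip)
            if key in self.pending:
                self.pending.discard(key)
            else:
                # Gratuitous ARP lands here too; treated as suspect on purpose.
                alerts.append(f"unsolicited reply: {pkt.sender_ip} is at {pkt.sender_mac}")
        # Requests and replies both carry the sender's own mapping; check it both ways.
        want_mac = self.ip_to_mac.get(pkt.sender_ip)
        if want_mac is not None and want_mac != pkt.sender_mac:
            alerts.append(f"mismatch: {pkt.sender_ip} expected {want_mac}, got {pkt.sender_mac}")
        want_ip = self.mac_to_ip.get(pkt.sender_mac)
        if want_ip is not None and want_ip != pkt.sender_ip:
            alerts.append(f"mismatch: {pkt.sender_mac} expected {want_ip}, claimed {pkt.sender_ip}")
        return alerts


# Constructed scenario (hypothetical addresses): A (10.0.0.2) asks for the gateway
# B (10.0.0.1); B answers; then a third host with a different MAC answers for B's IP.
TRUSTED = {"10.0.0.1": "aa:aa:aa:aa:aa:01", "10.0.0.2": "aa:aa:aa:aa:aa:02"}
SAMPLE_FRAMES = [
    # htype ptype hlen plen oper | sha | spa | tha | tpa
    bytes.fromhex("0001 0800 06 04 0001 aaaaaaaaaa02 0a000002 000000000000 0a000001"),
    bytes.fromhex("0001 0800 06 04 0002 aaaaaaaaaa01 0a000001 aaaaaaaaaa02 0a000002"),
    bytes.fromhex("0001 0800 06 04 0002 cccccccccc0c 0a000001 aaaaaaaaaa02 0a000002"),
]


def run_sample() -> list:
    """Feed the constructed frames through one detector; returns alerts per frame."""
    det = ArpPoisonDetector(TRUSTED)
    return [det.observe(parse_arp(frame)) for frame in SAMPLE_FRAMES]


if __name__ == "__main__":
    for i, alerts in enumerate(run_sample()):
        print(f"frame {i}: {alerts or 'ok'}")
```

The third frame produces two alerts: the reply was not requested (A's request was already answered by the second frame) and the MAC claiming 10.0.0.1 is not the cached one. The legitimate-replacement case from the text is visible here as well: swap the gateway's NIC and the second frame would trip the mismatch check just the same, so the trusted table has to be updated whenever hardware changes.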
