WIXLIB

Video Project:Man-In-The-Middle AttackIST 454, Section 0014/14/11Team Upsilon:Fran Casale, Jeff Dean, Pat Devine, Dan Umberger, Dan Smale, Mike Spivak

PurposeARP poisoning is a network attack which allows an attacker to eavesdrop on network trafficbetween two network devices. ARP poisoning (APR) is a form of the common man-in-the-middle attack.The ARP protocol was created to make communication between the data link layer and the networklayer easier. Through ARP requests and ARP replies, the ARP protocol can easily match MAC addressesand IP addresses, making networking much more efficient. The problem with this protocol is that it wasbuilt with efficiency, not security, in mind. When ARP request is sent, there is no form of authenticationto insure that that request was sent by the appropriate host. This makes it so that ARP requests can besent by a malicious user and trick a host into thinking it is talking to another host. This is the basis of theARP poisoning attack.When a malicious user sends an ARP request to a networking device, they can make it so their IPaddress is associated with another MAC address. Since ARP is built on efficiency, this type of ARPrequest is allowed (usually, how the ARP table handles this request depends on how it is configured towork). Once the malicious user has made this connection, they set their host up in a way so theyforward the traffic they have intercepted to the host the traffic was intended for. This allows themalicious user to view the traffic in between the networked devices, making the malicious user the manin-the-middle.ARP poisoning is a risk which can be mitigated in various ways. One way to prevent ARPpoisoning is to statically add ARP addresses to the ARP cache. By doing this, you set up your devices torespond to the local ARP cache and not to dynamic ARP requests. Since statically adding ARP addressesis different on each operating system, it is a good idea to test that your ARP cache operatesappropriately. This can be done by conducting an ARP poisoning attack on your machine. It is also agood idea to monitor your networks to insure that an ARP poisoning attack has not occurred. Anintrusion detection system like Snort can be a good way of monitoring for potential ARP poisoningattacks. Due to the way ARP was designed, it can be difficult to stop ARP poisoning attacks. Staticallyassigning ARP addresses to the ARP cache is your best means of stopping ARP poisoning attacks, but youmust test your system to insure that this works properly. A program like Cain and Abel can be used tocarry out an ARP poisoning attack to ensure that your static ARP cache works properly during an attack.The beginning of any lesson in how to prevent and recognize a man-in-the-middle attack is toknow how it works and how to do it. People studying computer forensics, particularly those in this class,can benefit from this video. It is easy to understand and the instructions can be followed as you try ityourself. Not only does it introduce an instance of a man-in-the-middle attack, it also introduces thevaluable tool Cane and Abel, which is capable of more than just this type of attack. It can be used tocrack WEP, calculate hashes, and much more. Most of its uses involve retrieving passwords. Exposure tonew applications and methods of hacking is vital in the computer forensics field, especially for collegestudents about to graduate. The more applications you can say your familiar with, the better chance acompany will take notice of you.

IntroductionFor this lab demonstration, we will be using Cain and Abel, a wireless network, a web browser(we use Mozilla Firefox for the video), http and https login systems, and Yahoo! Mail.Cain and Abel is a password recovery tool specifically designed for Microsoft Windows, and itmost commonly recovers passwords via network packet sniffing, or by cracking password hashes. Forthis lab, we will be using Cain and Abel in order to sniff network packets and execute Address ResolutionProtocol Poison Routing (APR).APR is a technique used to attack an Ethernet or wireless network. Such an attack is onlypossible on networks that use the ARP (Address Resolution Protocol), and when initiated, the attackercan use spoofing to sniff the data and even modify the network traffic.Spoofing is the act of sending fake ARP messages to an Ethernet LAN. In this demonstration, thegoal is to associate the MAC address of the attacker with the IP address of the default gateway. Thisway, the traffic intended for the default gateway will instead be directed to the attacker’s machine. Theattacker can then either not allow the information through to the default gateway, which would result ina man-in-the-middle attack, or the attacker can send the traffic to the default gateway, so they can sniffthe packets without the user having any idea, since the information still is received by the defaultgateway.Https differs from http in that it uses Secure Sockets Layer (SSL). This allows sites to provideencrypted communication and identification over the internet. Both are commonly used for loginsystems, although https is becoming increasingly popular and the new standard.Yahoo! Mail is a common email service that uses https in its login system.This lab will begin with the setting up of attacker and victim machines, ensuring that each isconnected to the same network. Next, Cain and Abel will be used to sniff packets and capture HTTP logincredentials. Finally, Cain and Abel will be used to sniff packets and capture HTTPS login credentials.Step-by-Step Instructions for LabTask 1: Setting up the Attack and Victim MachinesSetting up the Attacker Machine:1. Log on to the attacker machine. Ensure it is connected to the Local Area Network (LAN) ofchoice, either wirelessly or through an Ethernet. For this lab demonstration, the attacker isconnected directly to the Default Gateway. Open the Cain and Abel application.Configuring Cain and Abel:2. Click ‘Configure’ at the middle of the top toolbar.

3. Select the appropriate network interface from the choices given. Note: The appropriate networkinterface will have the IP Address box filled in with values other than zeros. Click ‘Apply’ and thenclick ‘OK’.Setting up the Victim Machine:4. Ensure the victim machine is connected to the same network as the attacker machine. For thislab demonstration, the victim is wirelessly connected to the network called “IST 454-Test”.5. Open a web browser. For this demonstration, we use Mozilla Firefox. The machines are now setup.Task 2: Capturing HTTP Login Credentials6. On the attacker machine, click the ‘Sniffer’ tab on the lowest toolbar (just below the icons at thetop). Notice the toolbar at the bottom, and ensure the ‘Hosts’ tab is selected.7. Click the ‘Start Sniffer’ icon on the middle toolbar (toolbar of icons). This will have Cain begin tosniff the network for any active hosts.8. Click the blue cross icon in the middle toolbar. Click the ‘All Tests’ checkbox, and click ‘OK’. Cainand Abel will then search the network for hosts. Cain and Abel will only discover two hosts forthe purposes of this lab. You are interested in the victim machine, not the default gateway ofthe network. In this case, the IP address of interest is 192.168.0.101. Right click on the victimmachine, and click “Resolve Host Name”.Setting up APR Poisoning9. On the attacker machine still, click the APR toolbar at the bottom of the screen. Next, click in theupper pane. Finally, click the blue cross icon in the middle toolbar.APR Poisoning allows for network traffic between two hosts to be intercepted.10. Select the default gateway from the left side and the victim host in the right window (SeeScreenshot #1). Click ‘OK’. To enable the configuration, click the APR icon on the middle toolbar(the small yellow icon). You are now intercepting packets sent between the default gateway andthe victim machine.

Screenshot #1 – ARP Poisoning Routing (APR) Setup in Cain & Abel11. On the victim machine, login to the default gateway by typing the IP address into their webbrowser. The IP address for the demonstration is 192.168.0.1. The victim then enters theusername (admin) and password (password2). Successful login will be shown with a screendetailing the default gateway.12. Back on the attacker machine, the captured results are shown under the APR tab that shouldstill be up. The rerouted traffic is displayed in the bottom window pane.13. Click the ‘Passwords’ tab at the bottom of the screen. Select “HTTP” from the large list in the leftwindow pane. The results will be shown in the window pane on the right, displaying anyusername and password login on any simple HTTP login.Task 3: Capturing HTTPS Login Credentials14. On the attacker machine, the setup is the same as in Task 2, and the victim machine is alreadyset up, and APR Poisoning has been enabled to intercept traffic again.15. On the victim machine, the victim uses a website that requires a login using Secure SocketsLayer. For this demonstration, we have the victim machine login to Yahoo! Mail. You will notice awarning message stating that the SSL Certificate Server cannot be confirmed and security is notcertain (see Screenshot #2). Many users will click through this and proceed to login anyway.

Screenshot #2 – Untrusted Connection Warning (Mozilla Firefox)16. The victim logs in to Yahoo! Mail, and we used the ID ist454@yahoo.com with the password ofpassw0rd. The victim successfully logs in.17. On the attacker machine, under the APR tab at the bottom, the re-routed traffic is seen.18. Click the ‘APR-Cert’ option in the left window pane. Cain and Abel intercepted the SSLcertificates from the Yahoo! Server, and then sent false certifications to the victim. This is howthe attacker can decrypt the victim’s username and password.19. Click the ‘Passwords’ tab at the bottom of the screen, and then click the ‘HTTP’ option in the leftwindow pane. Here the information is given about the victim’s login, including the usernameand password (see Screenshot #3).

Screenshot #3 – User Credentials Captured Over an HTTPS ConnectionNote: If the user is experienced or has knowledge in the area, he may not go through with thelogin because of the warning message that is displayed before logging into Yahoo!.

ReferencesFouant, Stefan. "Man in the Middle (MITM) Attacks Explained: ARP Poisoining." ShortestPathFirst. 18Nov. 2010. Web. 24 Feb. 2011. -the-middle-mitm-attacks-explained-arppoisoining/ .Description: An excellent technical description of ARP spoofing. The author walks us through an ARPspoofing attack using Ettercap. Source has a good diagram showing an ARP poisoning attack.Montoro, Massimiliano. "Introduction to ARP Poison Routing." Oxid. 14 June 2001. Web. 4 Feb. 2011. http://www.oxid.it/downloads/apr-intro.swf Description: This is an SWF slide show from the creators of Cain and Abel (the software we plan to use inthe video). The slide show demonstrates how ARP poisoning works.Nachreiner, Corey. "Anatomy of an ARP Poisoning Attack." WatchGuard Technologies. Web. 5 Feb. 2011. 324.asp .Description: This is an article which discusses ARP poisoning and some mitigation techniques.Riser, Neil B. "Spoofing: An Overview of Some the Current Spoofing Threats." SANS Institute. 1 July 2001.Web. 27 Feb. 2011. http://www.sans.org/reading -spoofingthreats 321 Description: A SANS paper which discusses various types of spoofing. There is a short section on ARPspoofing. This section is a good summary of what ARP is used for, how an ARP spoofing attack works,and various ways to defend/monitor for ARP spoofing.Sanders, Chris. "Understanding Man-in-the-Middle Attacks – ARP Cache Poisoning." WindowSecurity. 17Mar. 2010. Web. 4 Feb. 2011. ng-Man-in-the-Middle-Attacks-ARP-Part1.html .Description: Another article discussing ARP poisoning. This article contains descriptions and imagesdetailing what an ARP poisoning attack looks like.