Introduction

This paper will lay out for you the basics of an ARP Poison Routing (APR) attack and Man in the Middle (Mitm) attacks. These are very simple attacks, but can be very powerful on unsecured networks. These attacks are so easy I could provide you a walkthrough of how to do this in Cain in about one paragraph, but you wouldn’t learn anything and would become a skiddy.

Before reading this, I suggest you learn a little about networks and the OSI 7-layer model (http://www.webopedia.com/quick_ref/OSI_Layers.asp) and media access control (MAC) addresses, as these attacks take advantage of protocols that work on OSI layers other than what you are usually used to (ie, HTTP on layer 7 and TCP on layer 4, whereas ARP works on layer 2) and do not use only IP addresses for identifying computers.

Address Resolution Protocol:
The Address Resolution Protocol (ARP) is a layer 2 protocol that maps IP addresses to hardware MAC addresses. When a computer wants to find another computer on its network, it uses the ARP to identify where that computer is and how to reach it. There are 9 types of ARP packets, but only 4 are relevant here:

1. ARP – What MAC has this IP address?
2. ARP Response – This MAC has this IP address.
3. RARP – What IP has this MAC address?
4. RARP Response – This IP has this MAC address.

If you are trying to contact a computer on another network (ie, over the internet) then ARP is used to contact your border gateway and route packets to it. The gateway is then responsible for routing the packets to the desire network using IP addresses and various routing protocols instead of ARP. Once the packet has arrived at the correct network, the router that received it will then use ARP again to route the packet around the network to its final destination.

The address resolution protocol works on a stateless broadcast request/single reply communication model. This means when one computer wants to know the address of another; it will broadcast a request for the address across the whole network in the form of What computer is 123.123.123.123? Tell 00:FF:AC:C5:56:3B. The computer that has the IP address of 123.123.123.123 would then send a directed reply, NOT broadcast, saying 90:F5:63:CA:BB:32 has 123.123.123.123. The MAC address in the reply is then added to the local computer’s cache, or if a mapping already exists for either the IP or MAC being used, the cache is updated to reflect this new info. The MAC/IP mapping is then used to route traffic around the network.

ARP Poison Routing (APR)
Now that you know the basics of how ARP works, let’s explore some pitfalls in the protocol. As I’ve said before, ARP is a stateless protocol. This means that each computer does not remember the state of its ARP requests/replies, and thus, does not remember if it sent a request or if it is waiting for a reply or has already received a reply to a previous request. So if we send an ARP reply, the host will accept it and alter its cache accordingly, even if the host didn’t send out a request! So if we send a reply to a target computer saying that our MAC address corresponds to the local gateway’s IP, then any traffic coming out of the target computer bound for the internet will be instead routed to your computer. You can use this to execute a DoS attack and prevent any packets from the target computer reaching the internet or you can sniff the packets for passwords and then pass them on to the real gateway.

The second method is a very effective way of getting sensitive information and is fairly undetectable unless the target is monitoring their ARP cache constantly. APR can be setup with either 1-way or 2-way poisoning. 1-way poisoning will only poison the cache of a single target and will only intercept traffic coming from that computer, as shown below:

Figure 1: 1-way APR

2-way poisoning effectively puts your computer directly between 2 target computers so that you can intercept network traffic coming from either host, as shown below:

Figure 2: 2-way APR
Some interesting attacks that can be used with APR include DoS attacks, Network sniffing/Packet stealing, and phishing.

DoS attacks can be accomplished using a 1-way poison and by redirecting traffic from a target computer to a gateway that doesn’t exist so they get ICMP Host Unreachable errors for all their network traffic, or you can redirect it to your computer and simply refuse to forward it to the proper destination. Network sniffing and packet stealing as well as Man in the Middle (Mitm) attacks require a 2-way poisoning scheme. Network sniffing and packet stealing would allow you to steal passwords and hashes that are passed over the network. With the proper filters, you can easily pick out plaintext passwords such as FTP, SMTP, HTTP form data, and hashes such as AIM and Yahoo messenger and SQL. You can even listen in on NetBios sessions and Telnet connections. With some simple phishing filters on your APR tool, you can redirect people from one website to one you control that looks the same where the victim will type in their login info unsuspectingly. This is often useful for grabbing plaintext passwords rather than having to brute force password hashes
One of the greatest hazards to be aware of when using APR is unintentional DoSing of the target or the entire network; because your computer is most likely NOT a dedicated router, and because the packets must travel all the way up the OSI model, be analyzed by your sniffer, then repackaged and sent all the way down the OSI model again, your computer can not handle packet routing as efficiently as a dedicated hardware router.

This costs a great amount of time and CPU cycles and slows down the flow of traffic that may end up backing up and DoSing the target, the network, your computer, or any combination of the three. This is a serious issue and should not be taken lightly. If you APR a router on a large network, you may have hundreds of thousands of packets going thru your computer each second. Another hazard that is of interest to hackers is the fact that proxies cannot effectively be used, because ARP and APR works on layer 2 and proxies work on either layer 5 or 7 (depending on the amount of anonymity used) and usually require traveling outside the network to a proxy server. This may seem like a huge safety issue for a hacker, but there is hope! While IP addresses are difficult to spoof over the internet while keeping traffic flowing to and from your computer, both the IP address and MAC address can be effectively altered on a LAN. Many tools exist for changing your MAC and IP during APR attacks. Cain provides an option to do this under the “Configure” menu item.

Man In The Middle (Mitm) Attacks
Mitm attacks include a range of possible attacks, from DoSing, to sniffing, phishing, and rerouting for SE purposes. Mitm is started with a 2-way APR attack that in effect inserts your computer between 2 targets (often a host and a gateway). You can then begin the real meat of the mitm by using customized programs and packet filters to gain the effect you need.

For a simple sniffing attack, a network sniffer such as Ethereal with an IP or MAC filter applied to only capture packets to or from the target is sufficient. For more advanced attacks like password grabbing and phishing, you need more advanced filters. In the case of grabbing passwords, you need to have a filter that disassembles the packet to get to the layer 4 data and above, then scan that data for plaintext passwords or hashes such as HTTP POST or GET data, FTP, SMTP, or SQL login info, or you can use a filter to capture an entire NetBios, Telnet, or VoIP session to record conversations and gather potentially sensitive information. Sometimes it is not always desirable to have a password hash, especially when you can get the plaintext password in less time. This is where phishing comes in. Phishing is the art of constructing a website to look exactly like another, then redirecting traffic from the real site to the one you control in the hopes that no one will notice and will happily type in their real login info, assuming that everything is as it should be. Great care should be taken in conducting a phishing style attack, and I will offer some pointers and methods later on.

Because mitm attacks are built on the back of an APR attack, then all the limitations of an APR attack also apply to a mitm attack. But with the increased complexity of a mitm attack, you must also be aware of further limitations. Using complex filters or packet scanners consumes a lot of CPU cycles and can further increase the risk of unintentional DoSing or breaking of the network. Phishing should be used with care as well, because even the smallest difference between your site and the legitimate one will be noticed by daily users and may raise suspicion.

Phishing
Phishing, as already stated, is making a fake site to fool people into giving you their plaintext passwords and login info. There are several methods for creating a phishing site (phishing lure :D). You can attempt to create your copy site from scratch and code it yourself, but chances are people who use the site regularly would know the difference. Another way would be to copy the source code, images (keeping the directory structure in tact), and any stylesheets, javascripts, or embedded objects, then just make a few small changes to the code. Make sure to change all relative directories to absolute URLs when you do this! If you don’t, a form may not direct to the right page or produce a 404 error or an image may not display right and will raise suspicion. This method produces a site that looks and behaves nearly identically to the original, but because it is still being hosted on another server under a different domain name, observant users may spot the anomaly and report it. For low profile targets, this method is fast and effective.

The final method I will discuss is how to do it without making a fake site at all. Because you are executing a mitm attack and have full access to every packet that moves to and from the target, you can create a packet filter that will change the ACTION property of a tag, so that when the victim clicks the login button, the data will be sent to a site of your choice where you can log the information. This method may be slightly easier to execute, but it will increase the risk of unintentional DoSing due to the processing power required for the filter.

No matter what method you choose to use, it is almost always a good idea to take the login info that you received from your fake site and pass it on to the real site to log the user on. This makes your attack more hidden and more difficult to detect. When doing this, make sure to catch errors coming back from the real site in case the user entered an invalid password or username. Then pass this information back to the user. This can be done easily and is no big deal to implement, but failing to do so may raise suspicion and may get you caught.

APR with Cain
Most people think of Cain as a simple password hash cracker, but it is actually much more. It is a very powerful network analyzer and password recovery tool as well as a cracker. It can dump protected storages, sniff network connections, enumerate hosts and users as well as network shares, and can even remotely install the backdoor program Abel. Now, on to the good stuff! I will show you a basic password sniffing mitm attack, but first, I assume you have Cain configured properly for your network card. If not, click the “Configure” menu option and read the help files.


Start up Cain and look at the icons in along the top, just under the menu. The 2 icons we will be concerned with here are the nuclear symbol (the APR icon) and the small circuit board with a red arrow (the sniffer icon). If you are not sure which icons I am talking about, hover your mouse over them and find the icons for “Start/Stop Sniffer” and “Start/Stop APR”. Click the sniffer icon to start the sniffer. Now go to the sniffer tab. The table shown in this tab provides you with information about computers currently on your network and should be blank. If not, clear it by right clicking and selecting “remove all”. The most useful columns right now are the first 4: IP Address, MAC Address, OUI Fingerprint, and Host Name.

These should be pretty self explanatory with the exception of the OUI Fingerprint column. When a MAC address is coded into a piece of network hardware, part of the address is used to define the particular computer (like a serial number) and part is used to define the vendor that makes the hardware. Cain has a database of vendors that it checks the MAC address against to discover who made the hardware of that particular host. This is what is contained in the OUI Fingerprint column.

Once the sniffer is started, we need to populate the sniffer tab with host info. Click the “+” button to gather a list of all computers on the current network. If you have Ethereal, you can start that up with “arp” in the filter and watch Cain send out consecutive ARP requests for every IP in your subdomain and watch all the computers respond, freely giving away information about themselves. Once we have a list of possible targets, we need to setup an APR attack. Click on the “Start/Stop APR” icon to start the APR poisoner, then click the “APR” tab at the bottom of the “Sniffer” tab window. There are 2 tables in this tab: the top one is hosts on the LAN that you can directly affect, the bottom table is for computers on the WAN, which, depending on the border router’s settings, may or may not be vulnerable to APR. This list is populated as hosts are discovered thru analyzing packets.

Select the LAN table, and click the “+” icon again. Now select 2 hosts to insert yourself between. After that’s done, sit back and watch the packets roll in. Check the “Passwords” tab on the bottom for various passwords, or the branches under the “APR” symbol on the main APR tab to get HTTPS certificates and other valuable information. The APR-DNS branch can be used in phishing and in redirecting traffic from a website. Well, that’s it. That’s all there is to spying on people’s network traffic when you have access to a computer on the network, which is quite often if you go war-driving behind main street, picking up all the “insekure” business wi-fis

Conclusions
On large or sensitive networks, APR and Mitm can be a very effective way of getting valuable information thru many means, including packet filters and sniffers, phishing, and traffic rerouting. Some of the overall limitations of ARP poisoning are that it cannot cross routers unless they are set up as a single autonomous unit (AU) and are contained in the same subnet. ARP poisoning can be easily thwarted if static caches are being used. Static caches prevent host caches from being updated remotely via the ARP protocol. Some of the interesting things I have actually been able to get from APR and Mitm include:

- Webmail and SMTP logins
- FTP logins to servers running FTPD as root (w00t!)
- FTP logins to websites (pwnt)
- Admin logins to sites
- Student and teacher account logins to my college (I can change their schedules for next year :D)
- AIM convos/hashes and Telnet/SMB/SSH sessions
- Wardriving behind businesses to take over their networks
- Online banking login info and certificates (free moneys!)

Things I’ve learned from my exploits: SECURE YOUR Network! And DON’T do important things on a public network (library, school). You never know when Big Brother is watching

Links, References, and Tools
- Cain
- Ettercap
- Ethereal
- ARPoison
- Dsniff
- Parasite
- WinARPSpoofer
- http://en.wikipedia.org/wiki/ARP_spoofing
- http://www.grc.com/nat/arp.htm