A man-in-the-middle attack results when attackers place themselves in line between two devices that are communicating, with the intent of performing reconnaissance or manipulating the data as it moves between the devices. This can happen at Layer 2 or Layer 3. The main purpose is eavesdropping, so the attacker can see all the traffic.
If this happens at Layer 2, the attacker spoofs Layer 2 MAC addresses to make the devices on a LAN believe that the Layer 2 address of the attacker is the Layer 2 address of its default gateway. This is called “ARP poisoning.” Frames that are supposed to go to the default gateway are forwarded by the switch to the Layer 2 address of the attacker on the same network. To mitigate this risk, you could use techniques such as dynamic Address Resolution Protocol (ARP) inspection (DAI) on switches to prevent spoofing of the Layer 2 addresses.
A man-in-the-middle attack can occur at Layer 3 by placing a rogue router on the network and then tricking the other routers into believing that this new router has a better path. This could cause network traffic to flow through the rogue router and again allow the attacker to steal network data. You can mitigate attacks such as these in various ways, including using routing authentication protocols and filtering information from being advertised or learned on specific interfaces.
A man-in-the-middle attack can occur by compromising the victim’s machine and installing malware that can intercept the packets sent by the victim and sending them to the attacker. This type of malware can capture packets before they are encrypted if the victim is using SSL/TLS/HTTPS or
any other mechanism.
To safeguard data in motion, one of the best things you can do is to use encryption for the confidentiality of the data in transit. If you use plaintext protocols for management, such as Telnet or HTTP, an attacker who has implemented a man-in-the-middle attack can see the contents of your
cleartext data packets, and as a result will see everything that goes across his device, including usernames and passwords that are used. Using management protocols that have encryption built in, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS), is considered a
best practice, and using VPN protection for cleartext sensitive data is also considered a best practice.
It will also install WinPcap (usually comes with Wireshark installation).
Click Start/Stop Sniffer
Select the Adapter > click OK.
A warning message will pop-up > click OK > click again Start/Stop Sniffer icon.
The active LAN hosts will be displayed under Sniffer > Hosts tab.
Go to Sniffer > APR (ARP Poison Routing).
Click on the area under Status (where the pointer is) > the + symbol will turn from gray to blue > click on the + symbol.
Click on the hosts to hijack the session: click 192.168.1.110 (Kali) on the left and 192.168.1.120 (Metasploitable2) > click OK
Click Start/Stop APR icon to perform a Man-in-the-Middle (MITM) attack between the selected hosts.
Generate traffic between Kali and Metasploitable hosts.
Notice the APR Status will change from Idle to Poisoning and Packets counter increased.
Noticed the displayed password in clear text (msfadmin).
You can remove the APR session by doing a right-click > Remove.
I ran APR again between 192.168.1.100 (Windows 10 machine) and 192.168.1.1 (ASA5506-X).
I tried to SSH to the ASA firewall from Windows 10 machine.
Notice the APR-SSH count became 1 and Cain & Abel detected the routed packets to the Internet.
Go to Sniffer > APR > click APR SSH-1 > right-click on the SSH session > View
Noticed SSH traffic is encrypted and hides the username and passwords. So it's best practice to use secure management protocols such as SSH (or use VPN) in your network.
If this happens at Layer 2, the attacker spoofs Layer 2 MAC addresses to make the devices on a LAN believe that the Layer 2 address of the attacker is the Layer 2 address of its default gateway. This is called “ARP poisoning.” Frames that are supposed to go to the default gateway are forwarded by the switch to the Layer 2 address of the attacker on the same network. To mitigate this risk, you could use techniques such as dynamic Address Resolution Protocol (ARP) inspection (DAI) on switches to prevent spoofing of the Layer 2 addresses.
A man-in-the-middle attack can occur at Layer 3 by placing a rogue router on the network and then tricking the other routers into believing that this new router has a better path. This could cause network traffic to flow through the rogue router and again allow the attacker to steal network data. You can mitigate attacks such as these in various ways, including using routing authentication protocols and filtering information from being advertised or learned on specific interfaces.
A man-in-the-middle attack can occur by compromising the victim’s machine and installing malware that can intercept the packets sent by the victim and sending them to the attacker. This type of malware can capture packets before they are encrypted if the victim is using SSL/TLS/HTTPS or
any other mechanism.
To safeguard data in motion, one of the best things you can do is to use encryption for the confidentiality of the data in transit. If you use plaintext protocols for management, such as Telnet or HTTP, an attacker who has implemented a man-in-the-middle attack can see the contents of your
cleartext data packets, and as a result will see everything that goes across his device, including usernames and passwords that are used. Using management protocols that have encryption built in, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS), is considered a
best practice, and using VPN protection for cleartext sensitive data is also considered a best practice.
I simulated a Man-in-the-Middle (MITM) attack in my Cybersecurity Lab using a tool called Cain & Abel. Download v4.9.56 for Windows NT/2000/XP and just follow the installation wizard.
It will also install WinPcap (usually comes with Wireshark installation).
Click Start/Stop Sniffer
Select the Adapter > click OK.
A warning message will pop-up > click OK > click again Start/Stop Sniffer icon.
The active LAN hosts will be displayed under Sniffer > Hosts tab.
Go to Sniffer > APR (ARP Poison Routing).
Click on the area under Status (where the pointer is) > the + symbol will turn from gray to blue > click on the + symbol.
Click on the hosts to hijack the session: click 192.168.1.110 (Kali) on the left and 192.168.1.120 (Metasploitable2) > click OK
Click Start/Stop APR icon to perform a Man-in-the-Middle (MITM) attack between the selected hosts.
Generate traffic between Kali and Metasploitable hosts.
Notice the APR Status will change from Idle to Poisoning and Packets counter increased.
Go to
Sniffer > Passwords tab > Telnet (notice there's a count of 1).
Right-click
on the sniffed Telnet session > View
Noticed the displayed password in clear text (msfadmin).
You can remove the APR session by doing a right-click > Remove.
I ran APR again between 192.168.1.100 (Windows 10 machine) and 192.168.1.1 (ASA5506-X).
I tried to SSH to the ASA firewall from Windows 10 machine.
Notice the APR-SSH count became 1 and Cain & Abel detected the routed packets to the Internet.
Go to Sniffer > APR > click APR SSH-1 > right-click on the SSH session > View
Noticed SSH traffic is encrypted and hides the username and passwords. So it's best practice to use secure management protocols such as SSH (or use VPN) in your network.
No comments:
Post a Comment