MITM Attacks: ARP Spoofing/Poisoning over IPv4
What is a MITM ARP “Man in the middle” attack?
The types of attack “Man in the middle” (MITM) or also known as “Man in the middle”, consist of carrying out a passive attack technique, called:
ARP Poisoning or
ARP Poison Routing (APR), and is carried out in LAN (
Local Area Network ) and WLAN (
Wireless Local Area Network ) networks. Being connected to the same network, this attack allows us to capture all traffic directed from one or more hosts on the network to the configured gateway (Gateway) and vice versa. It consists of “cheating” or rather poisoning the cache of the victim’s ARP table (what is known as:
ARP Cache Poison – APR ).
So that the MAC Address (
Media Access Control Address) of the victim’s gateway is not the real one, but the MAC address of the attacker. Thus, when the victim makes queries to the internet that will be requested for their gateway before they pass through the attacker’s host, the attacker will let them pass to the router, the router will return the response to the attacker again, and this to the victim. In this way, the victim will not realize what is happening. To make it more clear:
A detail to keep in mind is that if instead of poisoning the victim’s ARP table cache with the attacker’s MAC, it is poisoned with another false MAC (for example 00:11:22:33:44:55) the victim will provoke a denial of service DOS (
Denial Of Service ).
Differences between Promiscuous Mode and Monitor Mode
Since this attack is used in wired networks that are routed through switch devices, the traffic is not transmitted through an open medium (such as wireless transmissions), so to capture this type of traffic in one or more hosts it is necessary to perform this type of techniques such as ARP Spoofing. With the card in
promiscuous mode (
Promiscuous Mode – a term used for wired networks) since
monitor mode (
Monitor Mode ) would be the appropriate term for wireless networks and to be able to capture all the IVs (
Initialization Vectors). These modes, both promiscuous and monitor, refer to the same thing (but each one applying it in its proper term, depending on the area in which it is being used or treated) and what they consist of is being able to capture ALL the packets that circulate through the network, even if they are not addressed to the host that requested the request.
How is the Ethernet frame modified to perform an ARP Cache Poison?
Every MAC frame is made up of its header (or header
) of a source MAC address and a destination MAC address (at the end of the header it also shows the type of Ethernet), the payload (or
body ) made up of data and the trailer (or
queue ) that shows a CRC (
Cyclic Redundancy Check, error checking) or checksum (
Verification Sum ) or FCS (
Frame Check Sequence ), this verifies if the frame has arrived correctly at its destination or not. The most common way to create an ARP Spoofing is to create a “race condition” (
Race Condition ) consists of the distribution of unsolicited ARP responses (by the victims), which are stored in the ARP cache of the victims or clients. .
Why is this MITM-Man in-the-middle attack possible?
Both the “ARP request” and “ARP reply” packets do not provide any identification validation in the transaction. For this reason, this attack is made transparent to the user since the frame is not verified in any of the directions with any integrity identification mark (
ID ).A practical and simple case of carrying out the attack with Windows. The scenario for this practice is as follows:
