MITM arp-spoofing

This article is about the man-in-the-middle attack called ARP spoofing, and why it is one of the most dangerous attacks on a local area network.

Article published on 3 June 2010
last modification on 29 May 2016

by Emeric Nasi


License: Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.


Introduction

ARP spoofing is the most dangerous, silent, script-kiddie level attack you risk on a LAN.
I wanted to write this article to point out why MITM attacks are really dangerous and how to protect yourself from them.
I will start by explaining what a Man In The Middle attack and ARP spoofing are and how the attack is performed. Then I will give a few methods to protect yourself and/or your local area network against MITM attacks.

I Easy and dangerous

I.1 The man in the middle (MITM)

Usually, a network communication can be visualized as a "pipe" between two machines:
[A]-----------------------[B]
That means that host "B" is the only one receiving the data "A" sends to it, and vice versa.
An attacker is in a MITM position when his machine, "C", intercepts all communication between A and B without A or B knowing it.
[A]----------[C]-----------[B]
In this position the attacker can see all the data and can intercept, modify or delete any packet he wants.

Note: You can consider a normal Internet router to be in a MITM position between you and a distant website. The difference is that you know it is there and you assume you can trust it (which is also a reason to encrypt communications).


There are various attacks that can lead to a MITM position: DNS spoofing, DHCP spoofing, ARP spoofing, etc.

I.2 The ARP protocol

MITM attacks are really easy to perform on a Local Area Network. The easiest and most dangerous way of doing it is called "ARP spoofing". This attack relies on the ARP protocol.
The ARP protocol is used on the majority of the local networks around the world. Its main purpose is to associate an IP address (network address) with a MAC address (physical address).
Example:
You (A) are on a LAN (company or home, wifi or ethernet, etc.) and you wish to connect to the website www.sevagas.com.
Here is a simple view of the communication path:
[A]------[LocalRouter]--------- ... [BunchOfRouters] ... ---[www.sevagas.com]
The part we are interested in here is the link: [A]------------[LocalRouter]

Establishing that link implies the use of the ARP protocol, because your machine knows the router's IP address but not its MAC address.
Imagine the router IP is 10.0.0.1 and the A machine's IP is 10.0.0.102.
To get the MAC address of LocalRouter, A will use the ARP protocol:
- A sends to everyone on the network "arp - who has 10.0.0.1"
- LocalRouter answers where it is: "arp - 10.0.0.1 is at LocalRouter_MAC_ADDRESS"
Then A can communicate with LocalRouter.

Note: LocalRouter performs the same operations to find out where A is.
The weakness here is that both A and LocalRouter have a limited cache and regularly "forget" about each other. That means the "who has" and "is at" ARP operations are performed many times during the communication.


I.3 ARP spoofing

Now imagine that a third machine, which we will call C, keeps doing the following:
- C sends to A "arp - 10.0.0.1 is at C_MAC_ADDRESS"
- C sends to LocalRouter "arp - 10.0.0.102 is at C_MAC_ADDRESS"
-> Now A thinks C is the LocalRouter and LocalRouter thinks that C is A!
We are in the following situation:
[A]------[C]-----[LocalRouter]
That is a MITM by ARP spoofing attack.
C can now do anything it wants with the data: sniff passwords and cookies, spy on everything that A is doing on the Internet, etc. C can also modify all data: emails, instant messaging, photos, etc. A can never know whether what it looks at is original data or data modified by C.
All these attacks are really easy to implement; there are a lot of tools and I won't get into them all.

Note: There are even tools that automatically replace all web images with porn images during a MITM attack. You can really do anything...

This attack is not only powerful, it is also very easy to implement; that is what we are going to see right now.

I.4 Perform arp-spoofing attack

The following example takes place on a Linux BackTrack 4 distribution and assumes you are already connected to a network.
The router IP address: 10.0.0.1
The victim IP address: 10.0.0.102
The hacker address: 10.0.0.199, connected through interface eth0

That's it! Only 3 command lines and you can already grab all clear-text passwords.

II How to protect from an ARP spoofing attack?

II.1 Do not use ARP dynamic mechanism

It is possible to statically set the ARP cache so the machine already knows the MAC address corresponding to each of the other machines. There are various ways to do that depending on the machine's OS. The problem with that method is that it can really be tedious, because you have to configure all machines. Moreover, you have to repeat the whole operation if you add a new machine. From a laptop user's point of view, this method is not realistic because you would have to reconfigure your static ARP cache each time you connect to a new network.

II.2 Encrypt data

Security guides generally recommend encrypting your connection so that it is impossible to spy on or smartly alter the data.
It is often recommended to use SSH or TLS (SSL) tunneling.
You can imagine an encrypted SSL connection as a tunnel between the client and the server.
Example: when you connect to an https site (like banking accounts, major webmails, government sites...)
There is a normal Internet communication:
[A]------[LocalRouter]--------- ... [BunchOfRouters] ... ---[https://www.mybank.com]
But all traffic concerning the website is encrypted, so none of the intermediate routers can watch what you are doing.
So we can say that the communication with the webserver is inside a tunnel:
[A]====================================[https://www.mybank.com]
If we apply that to the MITM situation previously described, we have the following two communication paths:
[A]-------[C]-----...---[https://www.mybank.com] for network communication
[A]=========[https://www.mybank.com] for web communication
C can interrupt traffic, but it cannot spy on or modify the web data, as everything is encrypted.

II.3 Encrypt data ?

This solution is better than no encryption at all, but it is far from perfect.
If you take SSH with password authentication, for example, the attacker can grab the keys when you transmit them and steal your password.
[A]========[C]=========[ssh server]
The problem with encryption is in fact how to safely share the keys if someone is already spying on the connection.
Using public keys and certificates is a solution.
Even if tools like ettercap have TLS intercepting features, they cannot imitate a valid certificate.
They can try to send their own certificate, but most browsers will alert you about non-official certificates.
So when connecting to your bank account, if you see a pop-up saying something like "invalid certificate", you might be under a MITM/TLS attack.

Note: There is a tool called SSLStrip that can hijack your connection with a secured website without having to send a false certificate. This means you should not rely only on encryption.

II.4 Detect MITM

The best method to avoid MITM attacks is to detect them and stop them before any harm can be done. It is quite surprising that there are not a lot of tools that detect this attack. Most classic PC firewalls do not detect them.
If you are a PC/laptop user, I recommend small tools like decaffeinate for Windows and arpwatch for Linux. These tools generate alerts when they detect an abnormal change in the ARP cache.
If you manage a LAN, you can install an IDS that will detect most attacks. For example,
a combination of snort, swatch and iptables can be installed to create automatic detection and real-time alerts concerning ARP spoofing, plus a temporary blacklisting of the attacker's address. This IDS can be installed on the router/firewall or on a machine that acts as a sentinel on the network.
Also, you should never accept an invalid TLS certificate coming from a big organization, and always verify that a site that is supposed to use TLS/SSL has a URI that starts with "https://".
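A minimal version of the ARP-cache alerting these tools perform, as an added example that is neither the author's code nor arpwatch's: it decodes raw ARP replies, remembers the IP-to-MAC bindings it has seen, and alerts when a binding changes or when a single MAC answers "is at" for several IPs (the pattern of C claiming both A and the router in I.3). The MAC addresses and the frames are constructed for the demo; reading live frames from the interface is left out.

```python
import struct
# Ethernet/IPv4 ARP packet (RFC 826), 28 bytes: hw type, proto type, hw addr len,
# proto addr len, opcode, sender MAC, sender IP, target MAC, target IP.
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REPLY = 2  # opcode of the "is at" message
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def parse_arp(pkt):  # decode one ARP packet; None unless well-formed Ethernet/IPv4 ARP
    if len(pkt) < 28:
        return None
    hw, proto, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, pkt[:28])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "smac": mac_str(smac), "sip": ip_str(sip), "tip": ip_str(tip)}

def build_reply(smac, sip, tmac, tip):  # constructed "is at" reply, for the demo only
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(smac), ip_bytes(sip), mac_bytes(tmac), ip_bytes(tip))

class ArpWatcher:
    # Tracks IP -> MAC bindings seen in replies and alerts on the two signs of the
    # attack in I.3: a binding that changes, and one MAC answering for several IPs.
    def __init__(self):
        self.table = {}
    def observe(self, pkt):
        alerts, arp = [], parse_arp(pkt)
        if arp is None or arp["op"] != ARP_REPLY:
            return alerts
        ip, mac = arp["sip"], arp["smac"]
        old = self.table.get(ip)
        if old is not None and old != mac:
            alerts.append(f"CHANGE {ip}: {old} -> {mac}")
        self.table[ip] = mac
        claimed = sorted(i for i, m in self.table.items() if m == mac)
        if len(claimed) > 1:
            alerts.append(f"DUPLICATE {mac} claims {', '.join(claimed)}")
        return alerts

def run_demo():  # replay the article's scenario with constructed frames (MACs made up)
    router, victim, attacker = "00:11:22:aa:00:01", "00:11:22:aa:01:02", "de:ad:be:ef:01:99"
    frames = [build_reply(router, "10.0.0.1", victim, "10.0.0.102"),     # legitimate
              build_reply(victim, "10.0.0.102", router, "10.0.0.1"),     # legitimate
              build_reply(attacker, "10.0.0.1", victim, "10.0.0.102"),   # C poisons A
              build_reply(attacker, "10.0.0.102", router, "10.0.0.1")]   # C poisons router
    w = ArpWatcher()
    return [alert for f in frames for alert in w.observe(f)]
```

The two legitimate replies produce nothing; the two spoofed ones produce a CHANGE alert each, and the second one also a DUPLICATE alert, since the attacker's MAC now answers for both 10.0.0.1 and 10.0.0.102.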