Spoofing and Man-in-the-Middle Attacks
Date Assigned: mm/dd/yyyy
Time Due: mm/dd/yyyy by hh:mm
Educational Objectives
This lab will introduce you to both ARP spoofing and man-in-the-middle attacks and how they are carried out within a networked environment.
Lab Environment
The following machines are needed to conduct this lab:
- CentOS Linux, CentOS6.4
- Backtrack 5, BT5R3
- Windows 7, Win7
- Fedora 18, FC18
All computers must be networked and accessible to each other.
Summary
When you connect to a computer you often take for granted the protocols used to find the destination machine. In a LAN the method of resolving an IP address to a MAC to send a packet to its destination is by ARP (Address Resolution Protocol).
In this lab you will learn how to poison victims ARP cache and passively sniff connections. Before software can be used to poison an ARP cache you must first do some preliminary exercises to better understand how to use and manipulate your ARP cache. Once you understand ARP and how your ARP cache is utilized, the next few exercises use ARP poison to sniff and attack connections. The first exercise is to understand a powerful tool used to perform ARP poison and various LAN attacks. This tool is Ettercap. Next you will be passively and actively sniffing a connection between two victim machines. After completing these exercises you will have a good understanding of how man-in-the-middle attacks occur.
Background
What is ARP?
Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address that is recognized in the local network. For example, in IP Version 4, the most common level of IP in use today, an address is 32 bits long. In an Ethernet local area network, however, addresses for attached devices are 48 bits long. (The physical machine address is also known as a Media Access Control or MAC address.) A table, usually called the ARP cache, is used to maintain a correlation between each MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions.
How ARP Works?
When an incoming packet destined for a host machine on a particular local area network arrives at a gateway, the gateway asks the ARP program to find a physical host or MAC address that matches the IP address. The ARP program looks in the ARP cache and, if it finds the address, provides it so that the packet can be converted to the right packet length and format and sent to the machine. If no entry is found for the IP address, ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows that it has that IP address associated with it. A machine that recognizes the IP address as its own returns a reply indicating so. The ARP program updates the ARP cache for future reference and then sends the packet to the MAC address that replied. Since protocol details differ for each type of local area network, there are separate ARP Requests for Comments (RFC) for Ethernet, ATM, Fiber Distributed-Data Interface, and other protocols. There is a Reverse ARP (RARP) for host machines that don't know their IP address. RARP enables them to request their IP address from the gateway's ARP cache.
What is ARP poison and a man in the middle attack?
The Address Resolution Protocol serves the function of determining the mapping between IP addresses and MAC hardware addresses on local networks. For example, a host that wants to send a message to IP address 10.0.0.2 on the local network sends a broadcast ARP packet that requests the MAC for that IP. The host that owns the IP 10.0.0.2 returns an ARP reply packet with its MAC address. The requesting host then sends the message, and stores the IP-to-MAC mapping for future packets.
In order to minimize network traffic, ARP implementations update their cache of ARP-to-IP mappings whenever an ARP request or reply is received. If the MAC address reported in the packet for the given IP has changed, the new value will overwrite the old one in the cache. ARP replies are unicast packets directed at one machine, and cause only that machine to update its cache.
Figure 1.Setting up a man in the middle attack by C against A and B.
The particular kind of ARP attack examined in this lab is the use of ARP reply packets to perform cache poisoning. This attack makes possible many sorts of man-in-the-middle attacks. Consider an example depicted in Figure 1. The attacker, Host C, sends an ARP reply to B stating that A’s IP maps to C’s MAC address, and another ARP reply to A stating that B’s IP maps to C’s MAC address. Since ARP is a stateless protocol, hosts A and B assume that they sent an ARP request at some point in the past and update their ARP caches with this new information.
Figure 2. Computer C performs a man in the middle attack against A and B.
Now, when A tries to send a packet to B it will go to C instead. Host C can use this unique position to forward the packets on to the correct host and monitor or modify them as they pass through C (Figure 2). This man in the middle attack allows C to monitor or modify telnet sessions, read mail passing over Post Office Protocol (POP) or SMTP, intercept SSH negotiations, monitor and display Web usage, and commit many other malicious activities.
The ARP cache poisoning attack can be used against all machines in the same broadcast domain as the attacker. Hence, it works over hubs, bridges, and switches, but not across routers. An attacker can, in fact, poison the ARP cache of the router itself, but the router won't pass the ARP packets along to its other links. Switches with port security features that bind MAC addresses to individual ports do not prevent this attack since no MAC addresses are actually changed. The attack occurs at a higher network layer, the IP layer, which the switch does not monitor.
The tool that was used in demonstrating and testing the effectiveness of these attacks was Ettercap. Developed as an open source project, Ettercap provides both a menu based and command line tool to perform ARP cache poisoning and man in the middle attacks against switched networks (among other things).
What is Ettercap?
(
Ettercap is a multi-functional packet sniffer/interceptor/logger that works on switched LANs. It allows the active and passive dissection of numerous protocols, including ciphered ones, such as SSH1, and includes features for network and host analysis.
Section 0: Setup and installation
0.1: Installing Ettercap
Ettercap should be installed on your BT5R3 machine – however you can place it on another machine such as FC18 is you wish:
# yum install ettercap
# yum install ettercap-common
# yum install ettercap-gtk
Test Ettercap
# ettercap -v
If your installation completed successfully, you will be able to see “Ettercap NG-0.7.3”.
0.2: Checking the FTP servers
Now you have to make sure that you have a FTP server installed and running on your CENTOS6.4 machine.
# yum search ftpd
# yum install vsftpd
Start ftp:
# /etc/init.d/vsftpd start
Test this using 127.0.0.1
0.3: Telnet Server 7
Make sure the TELNET server is installed on your Windows 7 machine, and is running:
Start Telnet service
C:\> tlntsvr.exe /service
Note: If Telnet service is not installed please install using the following steps
Control Panel -> Programs and Features -> Turn Windows features on or off -> Telnet Server
0.4: Telnet Server CENTOS6.4
Make sure the TELNET server is installed on your CENTOS6.4 machine, and is running:
#yum search telnet
#yum install telnet_server telnet
#/etc/init.d/xinetd start
0.5: WiresharkCENTOS6.4 and BT5R3
Check to make certain that both Operating Systems have Wireshark installed.
# yum install wireshark-gnome
Section 1: ARP
By now you should have a clear understanding of what ARP is and how it works. Now you will get a chance to learn more about this protocol and how to hack it, by doing some exercises. In the first exercise you will learn how to read your own ARP cache in Linux (Windows is very similar) and how to modify it. After learning the basic OS commands to control your ARP cache, you will use the program Ettercap to poison other computer’s caches on the network.
Before doing the lab it is important to understand which machine is being used in each situation. Each of the machines hardware addresses will be identified by the following notation a:b:c:d:e:f. Make sure you substitute the appropriate hardware address when you see the notation a:b:c:d:e:f.
1.1 Getting to Know ARP and ARP Tables
1) First you are going to observe the initial state of your ARP cache.
Open up a terminal in you CENTOS6.4 machine
# arp
If the entry is blank, then think about when exactly does a computer start sending out ARP packets to discover hosts on the network.
2) Now you are going to observe as entries are added to the ARP cache.
On the CENTOS6.4 machine:
- First start the program Wireshark to capture ARP packets.
- Make certain that Wireshark will stop the capture after 30 packets and then capture.
- Next you are going to ping the BT5R3 machine from the terminal
- If the Wireshark program did not already stop capturing packets then click on < stop >
- Review the captured ARP packets in Wireshark
- Next check the ARP cache in the CENTOS6.4 machine
- Next you are going to ping the Win7 machine
- Next check the ARP cache in the CENTOS6.4 machine
Q1.1.1: What did you see after typing “ARP”? Why is this?
3) Finally before you move on to the next part of the lab, make a table of each machine’s IP address and its corresponding hardware address.
Table 1. IP addresses and hardware addresses
Computer / IP Address / Hardware AddressBT5R3
CENTOS6.4
Windows 7
4) In addition to just observing the ARP cache, the ARP cache can be manipulated with the “ARP” command. The ARP command also allows the user to manually enter in IP to hardware address mappings.
Although on a large network this would require a lot of labor, it is an easy way for networks with static IP addresses to defeat ARP poison attempts by hackers. By adding the ARP entry manually, it becomes static and cannot be changed except by the owner of the computer. Let’s work with some of these other commands now.
On the CENTOS6.4 machine:
Use the “ARP” help feature and look through the possible options.
# yum install man
# man arp
Next edit the cache manually by deleting the BT5R3 entry
Q.1.1.2: What command did you use to delete the entry?
Make certain to verify the new ARP cache
Next edit the cache manually be adding back the deleted BT5R3 computer so that its address is static
Q.1.1.3: What command did you use to manually add the entry?
Make certain to verify the ARP cache again
The static entry should be identified by the flag ‘CM’
Q1.1.4: What is the significance of ‘CM’? Make certain that you provide a detailed response.
Finally remove the static entry
1.2. Using ARP
1)Now you are going to test to see what happens when an IP address is mapped to the wrong hardware address. Before you use an ARP poison program to do this, you are going to do this manually.
2)In the following commands below, make sure to set the hardware address for the BT5R3 to the wrong address.
3)Make certain to verify the ARP cache again
Cd
The static entry should be identified by the flag ‘CM’
4) When completed, try to ping the BT5R3 machine from CENTOS6.4
Q1.2.1 What happened when the machine was pinged? Why did this happen?
Section 2: Ettercap
2.1. Creating FTP Access
1) For the next few exercises you are going to use the BT5R3 machine as the attacking machine and the Win7 machine and CENTOS6.4 machine to communicate with each other using various ports. These machines will be the unknowing victims within the network.
- Make certain that you create an account that can be used to access CENTOS6.4’s FTP server.
- Write the username and password for this account below:
- Also on CENTOS6.4, create a simple text file named no_protection.txtwithin the /var/ftp/pub directory. This file will be used to transfer from CENTOS6.4 to Win7 via FTP.
# cd /var/ftp/pub
# echo [YOURMTUUSERID] > no_protection.txt
2.2. Getting to Know Ettercap
When Ettercap is started, it first probes the network to see all of the hosts that are on the network. It does this by sending out ARP request packets for each host IP address on the network (network determined by net mask of the host). Only the IP addresses that have hosts on them will reply giving the attacker a good indication of who is on the network. Why does this work so well? Because each host on the network must have ARP enabled so that the network will work properly.
Although Ettercap is best used by command-line, for this introductory use, we will use the program’s GUI interface.
Start Ettercap 0.7.3 on your BT5R3 machine, type
#ettercap -G
at a command prompt window. You should see the following screen:
Figure 3 Ettercap GUI
Let’s see how Ettercap scans your addresses.
On your CENTOS6.4 machine:
Open Wireshark
Start capture
On your BT5R3 machine using the Ettercap application:
Note:Do not scan the entire network!!!
Conduct a quick scan (i.e. set the net mask to 255.255.255.0.) to only scan class C range:
- Select Options
- Netmask
- Type 255.255.255.0
Or place your hosts on file → save → browse to file when selecting host list
- Select Sniff - Unified Sniffing using the Ethernet port that is assigned to your BT5R3 machine (i.e. eth0)
- Then Hosts - Scan for hosts (**is using subnet to scan and not host file)
- Once Ettercap is done scanning stop the Wireshark packet capture
- Make certain to notice how Wireshark views the Ettercap scan.
Q.2.2.1: How could you use software to detect that Ettercap is being run on your network?
Remember to give a detailed response.
2.3. Using Ettercap Passively to Sniff a Connection
Now you are going to use the skills you learned in the previous section to perform a man in the middle attack on a connection. For this scenario a user on the Win7 machine will attempt to login to the ftp server on the CENTOS6.4 machine. Unknown to the victim, the attacker on the BT5R3 machine will be in the middle of the connection watching and logging the actions of the victim(s).
First you must use Ettercap to select the victim machines and ARPpoison them.
- On the BT5R3Ettercap GUI:
- Check the host list and select RHEL 5 and Win7 as the two targets
- Hosts – Host list
- Select CENTOS6.4 IP – Add to Target 1
- Select Win7 IP – Add to Target 2
- Select Start->Start Sniffing
- Conduct the man-in-the-middle by selecting Mitm->ARP poisoning – Sniff remote connections
- Once this is complete select View->Connections
Now that the ARP poison has taken place between the two targets, conduct the following:
On the Win7 machine:
- Open a terminal if one isn’t already open
- Show its ARP cache
On the CENTOS6.4 machine:
- Open a terminal if one isn’t already open
- Show its ARP cache
Q.2.3.1: What did you see different about the ARP cache on the two virtual machines compared to before?
2.4. Displaying Ettercap’s Abilities to Conduct Man-in-the-Middle Attack
To illustrate how Ettercap can conduct a man-in-the-middle attack, you will be logging into RHEL’s FTP server from Win7.
Before this takes place, make certain that you start another Wireshark session on the BT5R3 machine to help you clearly see all of the packets involved in the attack.
On the BT5R3 machine:
- Open Wireshark if it is already not open
- Set capture for 300 packets
- Start the packet capture
On the Win7 machine:
- In the terminal ftp into the CENTOS6.4 machine
- At the prompt enter the user name and then password for the user created earlier
- Type in a few commands to create data to see
- Also before you exit download the new text file of (no_protection.txt) to the Win7 machine
On the BT5R3 machine:
- Stop Wireshark capture if it has not stopped already
- Open up Wireshark and look at the packets from the ftp session
- By looking at the IP address it seems as though the connection is going from the original source to the original destination
- On one of these same packets open up the Ethernet part and look at the hardware addresses
- Make certain to view an ftp packet and its source and destination hardware address
Q2.4.1: What did you notice about the packets hardware address compared to its IP address? How would software looking to detect this attack fail?
Q2.4.2: Were you able to get the userid and password using Ettercap?
2.5. Using Ettercap Actively to Disrupt a Connection
Ettercap also has a wide variety of methods to disrupt a connection. Using the existing FTP connection that has been established between the Win7 and CENTOS6.4 machine, attempt to inject data or a file into this connection on either or both victim computers.
Q.2.5.1: Were you successful? Why or why not?
Now go ahead and “kill” the FTP connection between the victim’s machines. Once completed, you should be able to view that the connection was broken from the Win7 machine that established the FTP connection to the CENTOS6.4 machine.
Q.2.5.2: How would you proceed to avoid an attacker from being able to shut down computer connections such as FTP between CENTOS6.4 and Win7? Make certain to be specific in order to demonstrate your knowledge on this topic.