
Man in the middle

Module by: Hung Tran. E-mail the author


Summary: This module gives a brief introduction to the "Man in the middle" attack, which is very common in networked environments. In a man in the middle attack, the attacker tries to place his host between two victim hosts so that he can intercept the data transmitted between them, while the victims remain unaware of the "man in the middle."

INTRODUCTION

In today's society people rely heavily on the Internet for study, research and business. The Internet has become an integral part of modern life, and much effort has gone into making it secure, for example the many cryptographic techniques and secure protocols such as SSL. Unfortunately, not every computer is equipped with the necessary protection. In a networked environment, when a packet travels from the source host to the destination host it can be recorded, extracted, or altered by a third-party host, which we call the "man in the middle" or MITM. In the man in the middle attack, the attacker tries to place his host between two victim hosts so that he can intercept the data transmitted between them, while the victims remain unaware of the "man in the middle."

Figure 1: Man In The Middle Illustration
Figure 1 (graphics1.jpg)

Figure 1 illustrates the MITM context: the man in the middle impersonates both Alice and Bob by relaying the messages between them. Alice believes that she is talking directly to Bob, and Bob believes the same; however, the attacker now controls the whole communication.

In this project, I will present the techniques used to implement MITM attacks in a LAN environment, the most common type of MITM attack. In these attacks, the attacker has the ability to:

  • capture sensitive data such as the usernames and passwords of hosts in the LAN during the authentication phase
  • tamper with the data transmitted between victim hosts

Then I will present some solutions proposed by security experts to prevent MITM attacks and to reduce the damage they can cause.

SYSTEM DESCRIPTION

The key factor in the success of a MITM attack is that the attacker must be able to place his host in a position from which he can intercept the communication between his victims. Unfortunately, a weakness of the Address Resolution Protocol (ARP), which translates IP addresses into MAC addresses in a Local Area Network (LAN), allows the attacker to spoof the MAC addresses of other hosts. Hence, he can capture all the traffic destined for those spoofed hosts.

In this section I will present a technique called ARP Spoofing or ARP Redirect that is commonly used to redirect the traffic between two hosts through a third host owned by the attacker. Then, I will describe the network configuration of the lab that will be used to implement the MITM attacks.

ARP Spoofing

Assume that Alice's and Bob's hosts are connected to a LAN and Alice wants to send a packet to Bob. Although Alice knows Bob's IP address, the Data Link Layer on Alice's host still needs Bob's MAC address to transmit the packet over the LAN. To get Bob's MAC address, Alice first checks whether Bob's MAC address is stored in her ARP cache. If it exists, she can use it; otherwise, she broadcasts an ARP request asking for the MAC address corresponding to Bob's IP address. All the hosts on the LAN receive the ARP request from Alice, but only Bob has the IP address named in the request, so Bob returns his MAC address to Alice. Once Alice has Bob's MAC address, the data transmission begins.

Figure 2: ARP Spoofing
Figure 2 (graphics2.jpg)

Now assume that one more host, Charlie, is connected to the LAN with Alice and Bob. Charlie sends Alice an ARP reply saying that the MAC address corresponding to Bob's IP is Charlie's MAC, and at the same time sends Bob an ARP reply saying that the MAC address corresponding to Alice's IP is Charlie's MAC. ARP has no way to authenticate a reply, so both Alice and Bob update their ARP caches and use that information to transmit packets. As a result, the entire conversation between Alice and Bob flows through Charlie (as shown in Figure 2).

Lab Network Configuration

As mentioned above, in this project I implement the MITM attacks in a LAN environment to demonstrate how an attacker can launch them and what he can do with his victim's data. I set up a simple network for the lab, as shown in Figure 3.

Figure 3: Lab Network Configuration
Figure 3 (graphics3.jpg)

  • Linux server: provides some common Internet services. This machine also plays the role of the attacker's host in some scenarios and of the victim host in others
    • OS: Ubuntu Linux 7.10
    • Services: HTTP (Apache), FTP (ProFTPD), SMTP/POP3 (Postfix), MySQL
    • MITM Tools: ettercap, dsniff, ethereal
  • Windows XP desktop: plays the role of the attacker's host in some scenarios and of the victim host in others
    • OS: Windows XP Professional
    • MITM Tools: ettercap, CAIN, Wireshark
  • Windows Vista laptop: plays the role of the victim host

All these machines are connected to a switched LAN and have access to the Internet via a router. The router also plays the role of a victim host, since one attack targets the communication between a host inside the LAN and the router.

MITM ATTACK AND DEFENSE

Capture Sensitive Data

Attack #1

  • Scenario: The Windows Vista laptop accesses the Linux server for services such as HTTP, FTP, Email, and Database. The Windows XP desktop launches the MITM attack to reveal the username and password that the laptop uses, as shown in Figure 4.

Figure 4: MITM attack inside LAN
Figure 4 (graphics4.jpg)

  • Method: To launch this attack, the Windows XP machine first has to poison the ARP caches of the Linux machine and the Windows Vista machine. There are many software tools available for ARP poisoning; I use ettercap in this attack since it is an all-in-one tool that can do both ARP poisoning and network sniffing, and it runs on both Windows and Linux. The attack is described in the following steps.

Step 1: Launch ettercap on the Windows XP machine, then choose Promisc mode as the working mode

Figure 5: Ettercap working mode
Figure 5 (graphics5.jpg)

and choose Unified sniffing as the Sniff mode, then select the network card connected to the lab's LAN

Figure 6: Ettercap sniffing mode
(a) (b)

Step 2: Add the Windows Vista machine and the Linux machine as targets in ettercap. This is done by selecting the menu Hosts → Scan for hosts, then Hosts → Host list, then selecting 192.168.5.100 as Target 1 and 192.168.5.250 as Target 2. Verify the targets by choosing the menu Targets → Current Targets

Figure 7: Targets of the attack
Figure 7 (graphics8.jpg)

Step 3: Poison the ARP caches of the Windows Vista and Linux machines by selecting the menu Mitm → Arp poisoning… and choosing Sniff remote connections

Figure 8: Poisoning the ARP caches of targets
(a) (b)

To verify that the ARP poisoning is successful, I check the ARP caches at both targets with the command: arp -a

Figure 9: ARP cache of Windows Vista machine
Figure 9 (graphics11.jpg)

Figure 10: ARP cache of Linux machine
Figure 10 (graphics12.jpg)

We can easily see that both ARP caches are poisoned: on the Windows Vista machine, the entry for 192.168.5.250 (Linux machine) has the MAC address 00-1D-09-82-22-95 (Windows XP machine), and on the Linux machine the entry for 192.168.5.100 (Windows Vista machine) has the MAC address 00:1D:09:82:22:95 (Windows XP machine).

Step 4: Sniff the traffic between the Windows Vista machine and the Linux machine and capture the sensitive information by choosing the menu Start → Start Sniffing

Figure 11: Sniffing traffic between two targets
Figure 11 (graphics13.jpg)

The connections can be seen by choosing the menu View → Connections. For each connection, we can see the data by selecting it and choosing View Details

Figure 12: Connections between two targets
Figure 12 (graphics14.jpg)
  • Result: After successfully capturing the data transmitted between the two targets, we can examine it to reveal the sensitive information. In this attack, the Windows Vista machine accesses the following services, which require authentication to the Linux machine:
    • Online music via web
    • FTP
    • Email via SMTP/POP3

By viewing the details of each connection between the two targets, I can easily see all the usernames and passwords. Furthermore, ettercap automatically records the usernames and passwords transmitted in clear text.

Figure 13: FTP username and password
Figure 13 (graphics15.jpg)
Figure 14: Email username and password
Figure 14 (graphics16.jpg)

Figure 15: Usernames and passwords detected by ettercap
Figure 15 (graphics17.jpg)

Attack #2

  • Scenario: The Windows XP desktop accesses an Internet site that uses SSL, for example Gmail. The Linux server launches the MITM attack to capture the desktop user's username and password, as shown in Figure 16.

Figure 16: MITM attack between a host inside LAN and the router
Figure 16 (graphics18.jpg)

  • Method: In this attack, I try to mislead the Gmail user into accepting a fake certificate that is issued by me, not by Google. If the user has some knowledge of computer security and examines the certificate before accepting it, the attack will not succeed.

Figure 17: Fake certificate
Figure 17 (graphics19.png)

To launch this attack, I use the following tools:

  • ettercap: to do ARP poisoning
  • dsniff software suite: dnsspoof to answer the DNS requests from the Windows XP machine, with the Linux machine acting as the DNS server, and webmitm to relay all the HTTP and HTTPS requests from the Linux machine to the real servers.
  • ssldump: to decrypt the encrypted data using the fake certificate
  • Wireshark: to capture the traffic between the Windows XP machine and the router.

First, I poison the ARP caches of the Windows XP machine and the router using ettercap, as in the attack presented in section 3.1.1. Then I do the DNS spoofing with dnsspoof. At this stage I launch webmitm -d, which relays the traffic from the Windows XP machine to Gmail. Then I use Wireshark to capture the traffic and save it as the file gmail.log.

All the packets captured in gmail.log can be decrypted with ssldump: ssldump -r gmail.log -k webmitm.cert -d > out

  • Result: The Gmail user's username and password can be obtained from the out file with the command: cat out | grep Passwd
Figure 18: Gmail username and password
Figure 18 (graphics20.png)

Using the same attack method, I also got the account information from the SSL connections to my bank's server:

Figure 19: Bank account information
Figure 19 (graphics21.png)

and also my HawkID and password in ICON (footnote 1):

Figure 20: HawkID and password in ICON
Figure 20 (graphics22.png)

and the same result with ISIS (footnote 2):

Figure 21: HawkID and password in ISIS
Figure 21 (graphics23.png)

Tamper the Data

  • Scenario: The Windows XP desktop accesses an Internet site via the router. The Linux server launches the MITM attack between the desktop and the router to deface the website that the desktop is browsing, as shown in Figure 16.
  • Method: The preparation for this attack is similar to the attack described in section 3.1.1, with two targets: the Windows XP machine and the lab's router. In this case, ettercap modifies the data from the router before forwarding it to the Windows XP machine. To automate this task, I create a filter, which is ettercap's mechanism for extending its abilities, to automatically alter the incoming data.

The filter is developed from the original one in [4], as follows:


# Change the Accept-Encoding header of the client so that the server sends
# its data to the client uncompressed (plain text).
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
      msg("zapped Accept-Encoding!\n");
   }
}

# Replace Google's logo with another image and change the text "Google" into "Hacker"
if (ip.proto == TCP && tcp.src == 80) {
   replace("/intl/en_ALL/images/logo.gif", "http://hawksec.net/shrek.jpg");
   replace("Google", "Hacker");
   msg("Filter Ran.\n");
}

I save the filter source code as img.filter and then compile it with the command etterfilter img.filter -o img.ef. After poisoning the ARP caches of Windows XP and Linux as in section 3.1.1, I apply the filter by choosing the menu Filters → Load a filter… and selecting img.ef.

  • Result: After applying the filter, the Windows XP machine gets the modified Google page:
Figure 22: Modified Google page
Figure 22 (graphics24.jpg)

Prevent MITM Attacks

As we saw in the previous sections, MITM attacks can be prevented if:

  • the attacker does not have the ability to poison the ARP caches of the victim hosts
  • even if the attacker can poison the ARP caches of the victim hosts and capture data, he cannot learn anything from it because the data is strongly encrypted

If we encrypt all the data passing over the network, MITM attacks can be avoided; however, this is difficult to implement because of the complexity and the processing overhead. Security experts suggest some methods to help prevent ARP poisoning [15]:

  • For small networks: use static ARP tables. In addition, on the Windows machines I installed the software Symantec Endpoint Protection and enabled the option Enable anti-MAC spoofing, which helps prevent poisoning of the ARP cache.
  • For large networks: use switches with the Port Security feature, which allows only one MAC address per port
  • For all networks: monitor ARP caches with an ARP monitoring tool such as ARPwatch [16] to detect changes in the ARP cache. From my experience, when we detect a change in a machine's ARP cache, we may find the attacker's MAC address in that cache and can use this information to identify the attacker.
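As an added example (not part of the original module), the following Python script performs the kind of ARP cache monitoring described above for ARPwatch: it parses arp -a output in both the Windows and Linux formats shown in Figures 9 and 10, compares each entry with a recorded baseline, and reports any MAC address that answers for several IP addresses, which is the attacker's MAC as noted in the last point. The attacker MAC and the two victim IPs are the ones from Attack #1; the router MAC, the victims' real MACs and the XP desktop's IP 192.168.5.20 are constructed values.

```python
import re
from collections import defaultdict

# Constructed "arp -a" output of the two Attack #1 victims after poisoning: Windows
# prints a table with dash-separated MACs, Linux (net-tools) prints "? (ip) at mac".
# The attacker MAC and victim IPs are the page's; the router MAC, the victims' real
# MACs and the XP desktop's IP 192.168.5.20 are constructed for this example.
WINDOWS_VISTA_ARP = """\
Interface: 192.168.5.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.5.1           00-11-22-33-44-55     dynamic
  192.168.5.20          00-1D-09-82-22-95     dynamic
  192.168.5.250         00-1D-09-82-22-95     dynamic
"""
LINUX_ARP = """\
? (192.168.5.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.5.20) at 00:1d:09:82:22:95 [ether] on eth0
? (192.168.5.100) at 00:1d:09:82:22:95 [ether] on eth0
"""
# Trusted IP-to-MAC baseline recorded before the attack (constructed values).
BASELINE = {
    "192.168.5.1": "00:11:22:33:44:55",    # router
    "192.168.5.20": "00:1d:09:82:22:95",   # Windows XP desktop
    "192.168.5.100": "00:aa:bb:cc:dd:01",  # Windows Vista laptop
    "192.168.5.250": "00:aa:bb:cc:dd:02",  # Linux server
}
# An IPv4 address followed on the same line by a MAC using ':' or '-' separators.
_ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}).*?\b([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})\b"
)

def parse_arp_table(text):
    """Return {ip: mac} from arp -a output, MACs normalised to lower-case colon form."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if m:  # header lines and <incomplete> entries carry no MAC and are skipped
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table

def find_poisoning(caches, baseline):
    """Return (changed, shared) for caches {name: {ip: mac}}: entries whose MAC differs
    from the baseline, and MACs claimed by more than one IP with their baseline owner."""
    changed = []  # (observing host, ip, expected mac, observed mac)
    by_mac = defaultdict(set)
    for host, table in caches.items():
        for ip, mac in table.items():
            by_mac[mac].add(ip)
            expected = baseline.get(ip)
            if expected and expected != mac:
                changed.append((host, ip, expected, mac))
    # One MAC answering for several IPs is the spoofer; the baseline names its real IP.
    shared = [(mac, sorted(ips), [ip for ip, m in baseline.items() if m == mac])
              for mac, ips in by_mac.items() if len(ips) > 1]
    return changed, shared

if __name__ == "__main__":
    caches = {"vista": parse_arp_table(WINDOWS_VISTA_ARP), "linux": parse_arp_table(LINUX_ARP)}
    print(*find_poisoning(caches, BASELINE), sep="\n")
```

Run against the two constructed caches, the script reports that 192.168.5.250 and 192.168.5.100 have moved to 00:1d:09:82:22:95 and that this MAC belongs to 192.168.5.20 in the baseline, which is exactly the identification step described in the last point above.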

RELATED WORK

Some groups have conducted MITM attacks against Secure Shell (SSH) version 1 [12], Radio-frequency identification (RFID) cards [13] and the Universal Mobile Telecommunication Standard (UMTS) [14], which use different attack methods from those in this project.

CONCLUSION

After successfully conducting the attacks above, I fully understand how the Man-In-The-Middle attack works in a switched LAN environment. With the ability to capture and modify data, the damage an attacker can cause with a MITM attack is huge. As discussed earlier, the key factor of MITM is ARP poisoning, which exploits the weakness of the ARP protocol. Unfortunately, the attack is very easy and numerous freely available tools help launch it. There are some solutions to prevent this kind of attack, for example using a personal firewall on Windows computers, using static ARP caches in small networks or ARPwatch in large networks, as well as using encrypted connections. In addition, through this project I had the opportunity to set up an Internet server on Linux with all the basic services.

REFERENCES

[1] Wikipedia. Man In The Middle Attack. http://en.wikipedia.org/wiki/Man_in_the_middle. March 2008

[2] Wikipedia. ARP Spoofing. http://en.wikipedia.org/wiki/Arp_spoofing. March 2008

[3] Ettercap. http://ettercap.sourceforge.net/. February 2008

[4] Fun with Ettercap Filters. http://www.irongeek.com/i.php?page=security/ettercapfilter. March 2008

[5] ETTERCAP - The Easy Tutorial. http://www.openmaniak.com/ettercap.php. February 2008

[6] Crimemachine. How to decrypt SSL encrypted traffic using a man in the middle attack. http://www.crimemachine.com/Tuts/Flash/SSLMITM.swf. April 2008

[7] Ethereal. http://www.ethereal.com/. April 2008

[8] dsniff. http://www.monkey.org/~dugsong/dsniff/. April 2008

[9] Haidong Xia and Jose' C. Brustoloni. Hardening Web Browsers Against Man-in-the-Middle and Eavesdropping Attacks. March 2008

[10] Ross Anderson and Mike Bond. The Man-in-the-Middle Defence. Computer Laboratory, University of Cambridge, Mar 2006. http://www.cl.cam.ac.uk/~mkb23/research/Man-in-the-Middle-Defence.pdf

[11] Serpanos, D.N., Lipton, R.J. Defense against man-in-the-middle attack in client-server systems. Computers and Communications, 2001. Proceedings. Sixth IEEE Symposium on , vol., no., pp.9-14, 2001

[12] Threats Addressed by Secure Shell. http://www.vandyke.com/solutions/ssh_overview/ssh_overview_threats.html. April 2008

[13] RFID Cards and Man-in-the-Middle Attacks. http://www.schneier.com/blog/archives/2006/04/rfid_cards_and.html. April 2008

[14] A Man-in-the-Middle Attack on UMTS. http://whitepapers.techrepublic.com.com/abstract.aspx?&docid=141953&promo=100511. April 2008

[15] Anatomy of an ARP Poisoning Attack. http://www.watchguard.com/infocenter/editorial/135324.asp. April 2008

[16] Arpwatch. http://www.securityfocus.com/tools/142. April 2008

Footnotes

  1. Iowa Courses Online. http://icon.uiowa.edu
  2. Iowa Student Information Services. http://isis.uiowa.edu
