
[IEEE 2010 3rd IEEE International Conference on Computer Science and Information Technology (ICCSIT 2010), Chengdu, China, 9-11 July 2010]

Different Flavours of Man-In-The-Middle Attack, Consequences and Feasible Solutions

Gopi Nath Nayak (1) and Shefalika Ghosh Samaddar (2)

(1) Corresponding Author & M.Tech IV Semester Student, (2) Faculty Member

Department of Computer Science and Engineering, Motilal Nehru National Institute of Technology, Allahabad-211004, India

Email: [email protected] (1), shefalika99@yahoo.com (2)

Abstract-Man-In-The-Middle (MITM) attack is one of the primary techniques employed in computer based hacking. An MITM attack can serve as the launching point for further attacks such as Denial of Service (DoS), DNS spoofing and port stealing. MITM attacks are particularly easy to mount in a LAN environment, where they are typically performed through ARP poisoning. MITM attacks of every kind hold many unpleasant consequences for users, such as theft of online account user IDs and passwords, or of local FTP, SSH or Telnet sessions. This paper describes different types of MITM attack, their consequences and feasible solutions under different circumstances, giving users several solutions to choose from. ARP spoofing and its effect in a LAN environment is studied in detail to achieve the stated objective.

Keywords- MITM, DoS, DNS, Vulnerability, Feasible Solution, Attacker, Victim, Gateway, Packet

I. INTRODUCTION

The name "Man-in-the-Middle" is derived from the basketball scenario, where two players intend to pass a ball to each other and one intruding player between them tries to seize it without their prior knowledge. It is also known as a 'bucket brigade attack', 'fire brigade attack' or 'Monkey-In-The-Middle' attack. A common MITM attack scenario involves the attacker as a third node relaying traffic between a client and a server [1]. In this case, the attacker captures every message exchanged between the client and the server, while both continue to communicate under a false sense of security. In an Ethernet LAN, this position is typically obtained through ARP poisoning.

A. ARP Poisoning Basics

In a LAN environment, data transfer takes place using MAC addresses. The MAC address operates at the Data Link layer of the TCP/IP protocol stack, so an IP address must be resolved to a MAC address before two hosts on a LAN can communicate. The protocol used to perform this function is the Address Resolution Protocol (ARP). When a node wants to send data, it first searches its ARP cache for the MAC address belonging to the destination IP address [2].

Ethernet addresses (MAC addresses) are required for network devices to communicate on Ethernet: frames are sent to and received from Ethernet (MAC) addresses. Ethernet addresses consist of 48 bits (6 octets), whereas IPv4 addresses are 32 bits (4 octets). ARP deals with two kinds of packets, the ARP request and the ARP reply. When a sender wants to know the MAC address of a destination IP address, it broadcasts an ARP request to every host on the network. The destination node returns its MAC address in a unicast ARP reply. When the LAN contains no attacker, only the rightful owner of the IP address replies to the requester. After receiving the response, the requester caches it locally to speed up future communication.

978-1-4244-5540-9/10/$26.00 ©2010 IEEE 491

ARP has its own limitations. ARP provides no authentication, so nothing prevents an attacker from sending a spoofed ARP reply, and nothing stops a host from sending a reply that nobody requested (many stacks accept such unsolicited replies and update an existing cache entry). This is the basis of an ARP spoofing attack: when the attacker wants to redirect traffic meant for another machine on the same LAN, he or she can do so without passing any authentication check. In an ARP spoofing attack, the attacker sends fake ARP reply packets claiming to own the IP address of interest, and the requester caches the false data. As a result, the victim's machine, which now holds an incorrect cache entry for that IP address, sends all traffic destined for it to the attacker's node instead.

[Fig. 1 image not reproduced in this transcript: network diagram of the victim, attacker, layer-2 switch, gateway 172.31.132.1 and proxy 172.31.100.29]

Fig. 1. MITM in LAN Scenario

In Fig. 1, an ARP spoofing scenario is simulated: a computer with IP address 172.31.132.73 reaches the Internet through the proxy server 172.31.100.29 via a layer-3 switch (the gateway) with IP address 172.31.132.1. All systems are connected to a layer-2 switch, and an attacker with IP address 172.31.132.72 is connected to the same layer-2 switch. The attacker initiates ARP poisoning, pretending to be the gateway to the victim, so the victim sends its gateway-bound data to the attacker as if the attacker were the real gateway. The attacker thus behaves as a Man-In-The-Middle between the victim and the Internet gateway. To intercept both directions, the attacker must also launch an ARP spoofing attack against the gateway, inserting incorrect information into the cache on that side of the communication. Section II discusses different ways of performing MITM attacks. Section III elaborates the consequences of MITM attacks. Section IV contains proposed simple, feasible solutions to be adopted by users, and Section V concludes with a discussion of future directions of research.

II. DIFFERENT TYPES OF MITM ATTACK

MITM attacks can be performed in different flavours in a LAN or a WAN. This paper presents the MITM attack in a LAN environment through ARP poisoning, which itself takes different forms depending on the type of network. Two common ways of performing ARP poisoning in a LAN environment are discussed in this paper.

A. Through ARP packets [4]

The attacker (IP 172.31.132.72) first has to collect the MAC address of the victim node (IP 172.31.132.73) by sending an ARP broadcast request. The victim replies that 172.31.132.73 is at MAC address 00:16:35:AE:55:EC. The attacker then broadcasts a request to collect the MAC address of the gateway (IP 172.31.132.1), and the gateway replies that 172.31.132.1 is at MAC address 00:1B:D4:74:62:BF. Since ARP requires no authentication for sending or receiving messages, the attacker can freely exchange such messages with any node on the LAN.

Fig. 2. ARP replies collected for use in ARP spoofing

After collecting the MAC addresses of the victim node and the gateway, the attacker sends unicast ARP reply packets to the victim and to the gateway at regular intervals. To the gateway it sends a reply stating that 172.31.132.73 is at 00:1E:EC:9E:17:98 (the attacker's own MAC address), and to the victim node it sends a reply stating that 172.31.132.1 is at 00:1E:EC:9E:17:98. Because the switch forwards frames by destination MAC address alone, both packets are delivered. After receiving the ARP packet, the victim node records the attacker's MAC address against the gateway's IP address in its ARP cache, and the gateway, after receiving its ARP packet, records the attacker's MAC address against the victim's IP address in its cache. The replies are repeated because cache entries age out, and a genuine reply from the real owner would otherwise restore the correct mapping.
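The two unicast replies described above, encoded byte for byte, as an added example that is not part of the original paper. The Python below (written for this edited page, not taken from the authors or from any tool they cite) builds Ethernet/ARP frames from the addresses in Fig. 1 and Section II.A, parses them back, and applies the check a sniffer or host can make against a table of known IP-to-MAC bindings. The `trusted` table, the function names and the lower-case MAC notation are this example's own assumptions; nothing is transmitted, the frames are only constructed in memory.

```python
import socket
import struct

# Addresses from Fig. 1 / Section II.A of the paper.
VICTIM_IP, VICTIM_MAC = "172.31.132.73", "00:16:35:ae:55:ec"
GATEWAY_IP, GATEWAY_MAC = "172.31.132.1", "00:1b:d4:74:62:bf"
ATTACKER_MAC = "00:1e:ec:9e:17:98"

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Ethernet II header + 28-byte ARP packet (RFC 826, IPv4 over Ethernet).

    A request is broadcast; a reply is unicast to the target MAC, exactly as
    the attacker's replies to victim and gateway are. The Ethernet source is
    the real sender: the spoof is a *claim* in the ARP body, which no host
    can verify because ARP carries no authentication."""
    if dst_mac is None:
        dst_mac = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode one frame; returns a dict, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": mac_str(frame[6:12]),
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }


def spoofed_replies():
    """The attacker's two periodic unicast replies from Section II.A."""
    to_victim = build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    to_gateway = build_arp(ARP_REPLY, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP)
    return to_victim, to_gateway


def is_spoofed(frame, trusted):
    """Flag an ARP packet whose sender claims an IP address that `trusted`
    (a hypothetical table of known IP -> MAC bindings) assigns to a different
    MAC. Unknown IP addresses are not flagged: ARP itself gives no way to
    verify them, which is the weakness the paper describes."""
    p = parse_arp(frame)
    if p is None:
        return False
    known = trusted.get(p["sender_ip"])
    return known is not None and known.lower() != p["sender_mac"]
```

To inspect a real frame, pass the raw bytes read from an AF_PACKET socket or a pcap to `parse_arp`; the frame layout is identical. The `trusted` table is what Sections IV.B and IV.D of this paper effectively hand-build for the gateway alone.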

As a consequence, whenever the victim accesses any resource over the LAN, the request reaches the attacker through the layer-2 switch. A layer-2 switch operates at the Data Link layer of the TCP/IP stack. It maintains a table that maps each physical port of the device to the MAC addresses seen on it; on Cisco switches this is called the CAM (Content Addressable Memory) table. Using this table, the switch delivers the victim's frames to the attacker's port; the attacker forwards them on to the gateway and so to the proxy. When a packet from the proxy is destined for the victim node, it first arrives at the gateway, which forwards it to the attacker's MAC address; the switch delivers it to the attacker, who in turn forwards it to the victim node through the switch. The packets are thus exposed to both active and passive sniffing: the attacker can read the whole exchange between the victim's node and the proxy server. Loss of confidentiality, integrity and privacy are the immediate consequences of such an attack. Figure 2 depicts the situation in a simulated environment.

B. Through ICMP packets [3]

This method resembles the first one with a small difference. The attacker again collects the MAC addresses of the victim node and the gateway with ARP requests. Next, the attacker sends an ICMP echo (ping) request to the victim node with the source IP address set to that of the gateway (172.31.132.1), and another ICMP echo request to the gateway with the source IP address set to that of the victim (172.31.132.73). The spoofed packets carry the attacker's MAC address as their Ethernet source, and on stacks that learn or refresh ARP entries from the source addresses of incoming IP packets the victim's ARP cache ends up holding the attacker's MAC address for the gateway's IP, while the gateway's ARP cache holds the attacker's MAC address for the victim's IP. When the victim node sends a packet to the gateway it is delivered to the attacker first and only then to the gateway, and any packet from the gateway to the victim finds its route through the attacker in the same way. The attacker can therefore sniff all packets to and from the victim's node. Figure 3 simulates this attack scenario.

Fig. 3. ICMP-based ARP spoofing
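The spoofed echo requests of the ICMP variant, as an added example that is not part of the original paper. This Python (written for this edited page, not taken from arpspoof or Ettercap) builds the IPv4/ICMP packets with correct checksums, wraps them in Ethernet frames whose source is the attacker's MAC, and shows the host-side check that catches them: the frame's Ethernet source should match the MAC the host already knows for the IP source. The identifier, sequence number and payload are arbitrary values chosen here, the `known` table is hypothetical, and whether a given stack really updates its ARP cache from such a packet is an assumption about the receiving implementation; the packets are only constructed in memory.

```python
import socket
import struct

# Addresses from Fig. 1 / Section II of the paper.
VICTIM_IP, VICTIM_MAC = "172.31.132.73", "00:16:35:ae:55:ec"
GATEWAY_IP, GATEWAY_MAC = "172.31.132.1", "00:1b:d4:74:62:bf"
ATTACKER_MAC = "00:1e:ec:9e:17:98"

ETHERTYPE_IPV4 = 0x0800
ICMP_ECHO_REQUEST = 8


def inet_checksum(data):
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented.
    Over a header that already contains its checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src_ip, dst_ip, ident=0x1234, seq=1, payload=b"arp-poison"):
    """IPv4 header + ICMP echo request. src_ip is whatever the caller claims;
    nothing in IP verifies it, which is what the Section II.B variant relies on.
    ident/seq/payload are arbitrary values chosen for this example."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def build_frame(src_mac, dst_mac, ip_packet):
    """Ethernet II frame. The source MAC is the attacker's real address; a host
    that learns IP -> MAC from the source of incoming IP packets pairs it with
    the spoofed IP source (assumption about the receiving stack; they differ)."""
    return (bytes.fromhex(dst_mac.replace(":", "")) +
            bytes.fromhex(src_mac.replace(":", "")) +
            struct.pack("!H", ETHERTYPE_IPV4) + ip_packet)


def parse_frame(frame):
    """Return (eth_src, ip_src, ip_dst, icmp_type, checksums_ok)."""
    eth_src = ":".join("%02x" % b for b in frame[6:12])
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    icmp = frame[14 + ihl:14 + total_len]
    ok = inet_checksum(ip_hdr) == 0 and inet_checksum(icmp) == 0
    return (eth_src, socket.inet_ntoa(ip_hdr[12:16]),
            socket.inet_ntoa(ip_hdr[16:20]), icmp[0], ok)


def source_mismatch(frame, known):
    """Host-side check: the Ethernet source of an IP packet should be the MAC
    that `known` (a hypothetical table of trusted IP -> MAC bindings) holds
    for its IP source. Both spoofed echo requests fail this check."""
    eth_src, ip_src, _dst, _typ, _ok = parse_frame(frame)
    return ip_src in known and known[ip_src].lower() != eth_src


def poison_pair():
    """The two spoofed echo requests of Section II.B."""
    to_victim = build_frame(ATTACKER_MAC, VICTIM_MAC, build_icmp_echo(GATEWAY_IP, VICTIM_IP))
    to_gateway = build_frame(ATTACKER_MAC, GATEWAY_MAC, build_icmp_echo(VICTIM_IP, GATEWAY_IP))
    return to_victim, to_gateway
```

The same mismatch test applied to captured traffic is the simplest way to tell this variant apart from the ARP-reply variant: here no ARP packet is ever sent, so a monitor that only inspects ARP (such as the script in Section IV.B) sees the poisoned cache but never the packet that caused it.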

III. CONSEQUENCES OF MITM

An MITM attack through ARP poisoning allows an attacker to perform active and passive attacks on the communication between the victim node and the gateway. Such an attack may lead to violation of privacy and even to financial loss. DNS poisoning, denial of service, HTTPS sniffing through a fake SSL certificate and HTTPS sniffing through SSL stripping are a few of the many possible consequences.

A. DNS poisoning [3]

ARP spoofing opens the way for DNS poisoning. A DNS server returns to the client browser the IP address corresponding to a domain name. When a client wants to access a particular web resource, he enters the domain name in the address bar of the browser. The browser in turn generates a DNS request to its configured DNS server, which replies with the IP address of the web site, and the browser connects to the site using that IP address.

In DNS poisoning, the attacker plays the role of the DNS server towards the victim. Because every packet generated by the victim's system passes through the attacker's system, the DNS request generated by the victim's browser also passes through the attacker's node. Instead of the genuine answer from the DNS server, the attacker returns a forged response mapping the requested name to an IP address of the attacker's choosing. For example, if the victim wants to visit google.com, the attacker could provide the IP address of yahoo.com, and the victim would get the web page of yahoo instead of google. The attacker can also redirect the victim's system to a local machine on the LAN, host a fake site there and serve the victim fake pages carrying the login form of some popular web site. The victim's user ID and password can easily be harvested with this technique.

B. DoS attack [4]

A denial-of-service (DoS) attack aims to make a computer resource unavailable to its intended users. Here it generally involves withholding particular Internet resources, or all Internet resources, from the victim. A classical DoS attack saturates the target (victim) machine with external communication requests so that it cannot respond to legitimate traffic, or responds so slowly as to be effectively unavailable. A DoS attack can be a total denial of service, or a partial denial of service such as:

1) Reduction of Internet bandwidth due to imposed congestion.
2) Disruption of configuration information, such as routing information and ARP information, or malfunction due to lack of timely information.
3) Disruption of TCP packets or resetting of TCP sessions without proper closing of the sessions. Such a session may be restored automatically without the user entering login ID and password again.
4) Disruption of DNS services.
5) Disruption of local authentication services.
6) Disruption of many other essential network services.

After a successful ARP spoofing, every packet from the victim's node has to pass through the attacker. This gives the attacker the opportunity to forward packets to their destination or to drop them at random, disrupting communication. The attacker may even drop all packets that come from the victim's node, causing total denial of service: the victim is prevented from accessing any Internet resource. Alternatively the attacker may choose to drop only selected kinds of packets so as to disrupt a few essential services. Such attacks are difficult to detect early; the victim may lose valuable time before realising that only some services are being denied. This may cause a large financial loss in an e-business scenario, and may even lead to fatal consequences in real-time applications related to e-governance and healthcare. An attacker may drop TCP packets to reset TCP sessions, so that a TCP session fails every time it is opened, or drop DNS packets to disrupt name resolution.

C. HTTPS sniffing through SSL stripping

This attack was first demonstrated by Moxie Marlinspike and presented at the Black Hat DC conference in 2009 [7]. Since all of the victim's traffic passes through the attacker because of the MITM position, the attacker can rewrite every HTTPS link in the pages flowing from server to victim into an HTTP link. The attacker thus maintains a plain HTTP connection between the victim and himself and a secure connection between himself and the HTTPS server. HTTP is the entry point into most HTTPS communication (the victim typically types a bare hostname or follows an http:// link and is then redirected to HTTPS), and subverting that HTTP step allows the attacker to take control of the HTTPS communication that would have followed. Moxie wrote a special tool called sslstrip to perform this attack [5]. Because the victim's side of the connection is plain HTTP, the attacker can sniff the victim's passwords, financial information and all other personal information for malicious use. The only visible symptom on the victim's side is the missing https:// prefix and padlock, which an inexperienced user rarely notices.

D. HTTPS sniffing through a fake SSL certificate [5][6]

When a user accesses a web page with the https:// prefix before the domain name in the address bar of the browser, he receives an SSL certificate from the intended web server. The SSL certificate contains the public key of the web server. The client browser uses this public key to send the session key material to the web server in encrypted form, which can only be decrypted with the web server's private key. This establishes a secure session with a valid session key, which may be reused (resumed) for later sessions if the option is available; reuse saves handshake time but extends the period during which a single session key is exposed to attack.

After a successful ARP spoofing, the attacker can generate a fake SSL certificate and forward it to the victim while passing the victim's request on to the web server. Having intercepted the web server's real certificate, the attacker keeps a secure connection from himself to the web server using the server's genuine certificate, and a second secure connection from the victim's node to himself using the attacker's forged certificate. The attacker is then able to decrypt and capture all encrypted traffic from the victim to the web server. The forged certificate does not chain to a trusted certificate authority, so the browser displays a warning, but as noted in Section V a naive user usually clicks through it. Such certificate spoofing may cause economic loss, especially when contracts relating to business transactions are signed over the connection.

IV. PROPOSED SOLUTIONS

A. Using ARP request packets to the gateway

The proposed solution uses a shell script for a user who does not want to fall victim to the vulnerabilities described earlier. The script may run in the background. It keeps the genuine MAC address of the gateway in the ARP cache and thereby counters ARP poisoning.

#!/bin/sh
# Re-learn the gateway's MAC address every 5 seconds. arping -f returns
# after the first reply; the unicast reply refreshes the ARP cache entry.
while [ 1 ]
do
    arping -f 172.31.132.1
    sleep 5
done

Fig. 4. Shell script to prevent ARP poisoning

Fig. 4 suggests one such shell script. At periodic intervals the user sends an arping request to the gateway in order to keep the gateway's MAC address in its cache. An arping request is a broadcast that the user sends to every system on the network; the intended system answers with its MAC address. In Fig. 4 the user sends an ARP request to the gateway 172.31.132.1 every five seconds, and the gateway replies with its MAC address in a unicast ARP reply. Because this process runs continuously, the attacker's poisoned entry is overwritten by the genuine one each time. This solution can be used by any ordinary Linux user. A security-aware user may apply it to protect privacy-sensitive connections such as web mail login, FTP site login and local proxy authentication. In Fig. 5 the ARP cache table is shown at different instants. The content of the cache table may be viewed with two commands, 'arp -a' and 'ip neighbor show'. Fig. 5 shows the 'ip neighbor show' command three times [8]; all commands are underlined in the figure. The first 'ip neighbor show' shows the ARP cache before poisoning: one entry is the MAC address of the attacker (IP 172.31.132.72) and the other is the MAC entry of the gateway (172.31.132.1). The second 'ip neighbor show' shows the ARP cache after poisoning by the attacker (172.31.132.72): the MAC addresses marked with a rectangle show that the attacker and the gateway now have the same MAC address, proving that the ARP cache is poisoned. To remove the poisoning, we run the arping command, and finally the ARP cache is displayed a third time, showing the correct gateway entry restored.

root@mnnit:/home/prveen# ip neighbor show
172.31.132.72 dev eth0 lladdr 00:1e:ec:9e:17:98 STALE
172.31.132.1 dev eth0 lladdr 00:1b:d4:74:62:bf REACHABLE
root@mnnit:/home/prveen# ip neighbor show
172.31.132.72 dev eth0 lladdr 00:1e:ec:9e:17:98 STALE
172.31.132.1 dev eth0 lladdr 00:1e:ec:9e:17:98 REACHABLE
root@mnnit:/home/prveen# arping -f 172.31.132.1
ARPING 172.31.132.1 from 172.31.132.73 eth0
Unicast reply from 172.31.132.1 [00:1B:D4:74:62:BF] 1.875ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
root@mnnit:/home/prveen# ip neighbor show
172.31.132.72 dev eth0 lladdr 00:1e:ec:9e:17:98 STALE
172.31.132.1 dev eth0 lladdr 00:1b:d4:74:62:bf REACHABLE

Fig. 5. ARP cache content in different situations

This process has a few limitations. It generates extra traffic on the local area network, since each ARP request is a broadcast (the reply is unicast). It also only repairs the cache at each probe: a spoofed reply arriving between two probes is still accepted, so the attacker retains a window of up to the sleep interval, and an attacker who sends spoofed replies more often than the script probes can keep the entry poisoned most of the time. Security always comes at a cost, but this solution is very cheap for any privacy-critical application. The script does not work on Windows, which has no equivalent of the arping command.

B. Monitoring the arp -a table

An end user, especially a Linux user, may use the following shell script to monitor the ARP entries (ARP table) of the system. Before sending a message a system always consults its ARP cache to deliver the data at the MAC layer; if the cache has the wrong MAC entry for a given IP address, the data is delivered to the wrong MAC address and the system is under ARP poisoning. Fig. 6 shows a shell script using awk to inspect the user's ARP table. It checks the content of the ARP table at regular intervals, looks for the MAC address of the gateway appearing against other IP addresses as a sign of ARP spoofing, and alerts the user. On receiving the alert, the user can take appropriate action using various Linux commands.

#!/bin/sh
# Count how many ARP entries carry the gateway's MAC address (column 4 of
# 'arp -a' output). More than one means another IP claims the gateway's MAC.
while [ 1 ]
do
    a=`arp -a | awk '{print $4}' | grep 00:1b:d4:74:62:bf | wc -l`
    if [ $a -gt 1 ]
    then
        notify-send -t 0 "System is arp poisoned"
    fi
    sleep 0.5
done

Fig. 6. Shell script with awk to detect ARP poisoning

This solution does not require the user to send ARP broadcasts to the gateway. Instead it checks the ARP cache at periodic intervals and counts how many IP addresses are associated with the MAC address of the gateway; if the number is more than one, it alerts the user to possible poisoning. The disadvantages of this technique are that the user has to know the MAC address of the gateway beforehand, and that the script only reports the ARP poisoning; it takes no action to stop it. On being alerted, a user can run 'arp -d' to delete the poisoned entry; since the attacker's spoofed replies keep arriving, the entry should then be pinned with a static entry (Section IV.D) or refreshed as in Section IV.A.
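The check performed by the Fig. 6 script, generalised and run over cache listings, as an added example that is not part of the original paper. This Python (written for this edited page) parses 'ip neighbor show' output, reports every MAC address that appears against more than one IP address rather than only the gateway's, and separately verifies that the gateway entry still holds the expected MAC. The two cache listings are constructed from the values shown in Fig. 5 (plus one FAILED entry to show how MAC-less lines are handled); the function names and the expected-MAC argument are this example's own.

```python
from collections import defaultdict

# Constructed sample output of `ip neighbor show`, modelled on Fig. 5:
# the cache before poisoning and after the attacker's unicast replies.
CLEAN_CACHE = """\
172.31.132.72 dev eth0 lladdr 00:1e:ec:9e:17:98 STALE
172.31.132.1 dev eth0 lladdr 00:1b:d4:74:62:bf REACHABLE
172.31.132.5 dev eth0  FAILED
"""
POISONED_CACHE = """\
172.31.132.72 dev eth0 lladdr 00:1e:ec:9e:17:98 STALE
172.31.132.1 dev eth0 lladdr 00:1e:ec:9e:17:98 REACHABLE
"""

GATEWAY_IP, GATEWAY_MAC = "172.31.132.1", "00:1b:d4:74:62:bf"


def parse_neighbors(text):
    """Turn `ip neighbor show` lines into (ip, dev, mac, state) tuples.
    Entries without a lladdr (INCOMPLETE / FAILED) carry no MAC and are skipped."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2 or "lladdr" not in tok:
            continue
        dev = tok[tok.index("dev") + 1] if "dev" in tok else "?"
        mac = tok[tok.index("lladdr") + 1].lower()
        entries.append((tok[0], dev, mac, tok[-1]))
    return entries


def duplicate_macs(entries):
    """MAC addresses that appear against more than one IP address (the
    symptom the Fig. 6 script greps for, generalised to every MAC)."""
    by_mac = defaultdict(set)
    for ip, _dev, mac, _state in entries:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_ok(entries, gateway_ip, expected_mac):
    """True/False for the gateway binding; None if the gateway is not cached yet."""
    for ip, _dev, mac, _state in entries:
        if ip == gateway_ip:
            return mac == expected_mac.lower()
    return None


def audit(text, gateway_ip, expected_mac):
    """Return a list of alert strings; an empty list means no sign of poisoning."""
    entries = parse_neighbors(text)
    alerts = []
    for mac, ips in duplicate_macs(entries).items():
        alerts.append("MAC %s claims %d IP addresses: %s" % (mac, len(ips), ", ".join(ips)))
    if gateway_ok(entries, gateway_ip, expected_mac) is False:
        alerts.append("gateway %s is not at %s" % (gateway_ip, expected_mac))
    return alerts


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_CACHE), ("poisoned", POISONED_CACHE)):
        print(label, audit(text, GATEWAY_IP, GATEWAY_MAC))
```

On a live system, feed the output of 'ip neighbor show' (for instance via subprocess) to `audit` in a loop in place of the sample strings. A duplicate MAC is strong evidence on a switched LAN of single-homed hosts, but a router answering for several addresses (proxy ARP) or a host with several IP addresses on one interface will also trigger it, so the gateway check is the alert to act on first.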

C. Using static entries in the layer-3 switch or in the gateway

Since the user's communication with the Internet is established through the gateway, the attacker exploits this position. A static ARP entry for every LAN user connected to the gateway may be added there. Though this is not very flexible for mobile users in a mobile ad hoc network, it works very well in a fixed wired network. The relevant command is entered as follows [10]:

switch# show mac-address-table

This command displays the MAC address table entries of the gateway along with whether each is static or dynamic. The dynamic entries can be changed to static ones so that the binding for the victim's system in the gateway never changes when the attacker performs ARP spoofing. Note that the MAC address table binds a MAC address to a switch port, whereas the ARP cache binds an IP address to a MAC address: a static MAC table entry prevents the attacker's frames from moving the victim's MAC address to another port, but the gateway's own IP-to-MAC mapping for the victim is protected only by a static ARP entry (on Cisco IOS, arp <ip-address> <mac-address> arpa). This solution is not suitable for nomadic users; it is best for stand-alone systems, and in a dynamically changing environment it is probably not a suitable solution.

D. Using a static entry in the victim system

To make a secure Internet connection, a user can add a static entry for the gateway in the ARP table of the system. ARP entries are either static or dynamic; the 'arp -s' command creates a static entry. The effect of the command may be seen in Fig. 7 [9].

root@mnnit:/home/prveen# arp -s 172.31.132.1 00:1b:d4:74:62:bf
root@mnnit:/home/prveen# ip neighbor show | head -2
172.31.132.1 dev eth0 lladdr 00:1b:d4:74:62:bf PERMANENT
172.31.132.72 dev eth0 lladdr 00:1e:ec:9e:17:98 STALE

Fig. 7. Adding a static ARP entry


The above command makes the gateway's ARP entry static (PERMANENT), so that when an attacker performs ARP spoofing the entry for the gateway never changes. This solution has limitations. Every time the user changes location, he has to change the gateway MAC address, since the entry is static, and he has to know the gateway's MAC address before running the command.

E. Restricting ICMP packets

Most firewalls nowadays can restrict ICMP packets of various types, and a user has to enable the firewall in order to block them; many antivirus packages also block ICMP packets. A user can also block ICMP by other means, e.g. by not responding to any ICMP request. Blocking ICMP, however, can break other communication that relies on it (error reporting and path discovery, for instance), so it defeats the ICMP variant of Section II.B only at the cost of functionality, and it does nothing against the ARP-reply variant of Section II.A. Blocking resources and facilities is certainly not a solution in itself, but a limitation that a feasible solution could not be provided.

V. CONCLUSION

ARP poisoning is a common MITM attack that has existed for more than a decade. Many solutions have been proposed from time to time to stop ARP spoofing, but their implementation often remains an issue. This paper has explained the many consequences of ARP poisoning that have been noticed recently by security researchers; there are many more damaging consequences of ARP poisoning that could not be covered for lack of space. The proposed solutions are very user friendly and require no prior knowledge of the subject. They are ready made in the sense that they do not depend on third-party tools: a standard Linux environment is enough for these scripts to work well, and their application was shown through actual examples. Web connections secured through HTTPS are not a fool-proof solution when the attacker exploits the properties of the LAN. An inexperienced user may not even notice the changes caused by an attack, e.g. the change of protocol label from https to http. At times a self-signed certificate may also serve to mount an attack by certificate spoofing, since a naive user usually clicks through the browser's warning, treating it as a routine alert. A fake HTTPS session then allows easy sniffing and decryption of traffic, and a basketful of protocol analysers, e.g. Wireshark, are available for sniffing network traffic.

A possible direction of future work is to list all flavours of ARP poisoning and DNS poisoning and to prepare a table with entries such as the kind of ARP/DNS poisoning, its consequences, detection mechanism, prevention mechanism (if any) and remedy, in the context of prevalent limitations like undesirable port blocking, packet restriction and limited availability of important web content and services. The limitations of each solution may also be studied. Such a table would be a ready reference for every security-aware user and an arsenal against ARP/DNS poisoning.


ACKNOWLEDGMENT

The study was taken up while pursuing M.Tech (Information Security) and is partially supported by the Information Security Education and Awareness (ISEA) Project, Department of Information Technology, Govt. of India.

REFERENCES

[1] Definition of MITM, available at http://it.toolbox.com/wiki/index.php/Man-in-the-Middle_Attack [Accessed on April 2, 2010]
[2] ARP concept, in B. A. Forouzan, TCP/IP Protocol Suite, 3rd ed., Tata McGraw-Hill.
[3] arpspoof, an ARP poisoning tool (part of dsniff), available at http://monkey.org/~dugsong/dsniff/ [Accessed on April 2, 2010]
[4] Ettercap, an ARP poisoning tool, http://ettercap.sourceforge.net/ [Accessed on April 2, 2010]
[5] HTTPS sniffing through SSL stripping, http://thoughtcrime.org [Accessed on April 2, 2010]
[6] F. Callegati, W. Cerroni, M. Ramilli, "Man-in-the-Middle Attack to the HTTPS Protocol", IEEE Security & Privacy, vol. 7, no. 1, Jan.-Feb. 2009, pp. 78-81.
[7] http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf [Accessed on April 2, 2010]
[8] ip neighbor show command, available at http://linux-ip.net/html/ether-arp.html [Accessed on April 22, 2010]
[9] arp -s command, available at http://linux-ip.net/html/tools-arp.html [Accessed on April 22, 2010]
[10] show mac-address-table command, available at http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/command/reference/show2.html#wp2004764 [Accessed on April 22, 2010]