Lab: Man-in-the-Middle Attacks
In this lab, you will be inserting yourself in the middle of a connection to perform a Man-in-the-Middle (MitM) attack.
This lab will be using information from the Port Scanning lab. Your are required to finish that lab before trying this one.
Late submissions will result in a 10% penalty per day (e.g., 2.5 days late result in 25% penalty)
1. ARP Poisoning
The address resolution protocol (ARP) is a layer 2 protocol whose purpose is to allow network devices to associate layer 3 addresses with layer 2 addresses. In a typical environment, ARP is used by nodes on a local area network to associate IP addresses with ethernet MAC addresses.
The ARP protocol is relatively simple. When a host A wants to send a packet to an IP address on the same LAN, it sends an ethernet broadcast requesting the MAC address of a node with a particular IP address. When a host B sees a request for its IP address, it will send a reply with its MAC address. Host A will then cache the result for a short period of time, using that MAC address for future packets to the IP address.
There is no built-in form of authentication in ARP, therefore replies can be easily spoofed. By sending false ARP replies, it is easy to redirect traffic from a victim to yourself. At this point you can perform several attacks. You could drop the traffic, effectively performing a denial-of-service. You could listen to the traffic and forward it, sniffing all the victim's traffic. You could also modify the traffic before sending it. Plenty of information about ARP and ARP poisoning is available on the web.
WARNING: ARP poisoning attacks can be very disruptive to a network. Please follow these instructions exactly, otherwise you might interfere with other teams doing their labs.
You will use
ettercap to perform an ARP poisoning.
Review the man page on
ettercap and become familiar
with the command line options. In particular, review the ARP poisoning options.
From the Port Scanning lab, you should have identified
two machines on network that are on the 10.0.0.64/26
address space. We shall refer to the IP address of the
Linux machine as
LIN and the Windows machine as
For the purposes of this lab, assume you somehow knew
that a user on the
LIN box regularly logs
into a website on the
WIN box. Your goal is
to sniff the username and password.
Open three terminals on your Linux router. In your first SSH terminal, send an ICMP echo request to both the
WINmachines in order to add their MAC addresses to your ARP cache. Record their MAC addresses and the MAC address of the interface linked to that network on your Linux router for your report. Hint: see
In your first SSH terminal, you will be monitoring ARP requests and replies. Use the command:
tcpdump -n -i <iface> arp
Depending on the network traffic, you might see a few ARP requests for other machines.
In the second terminal window, you will be monitoring HTTP packets between the
WINmachines. Use the command:
tcpdump -n -i <iface> port 80 and host
Notice that since the local area network is switched, you will not see any data on this scan until you start the ARP poisoning.
In the third SSH terminal, run ettercap with the following command line:
ettercap -i <iface> -T -M arp:oneway /
This will ask
ettercapto redirect packets from
WINthrough your router first. It will then replay those packets on to the correct MAC address so that neither host notices that
ettercapis stealing these packets.
In the first SSH terminal, carefully review the ARP data. You should see periodic, unsolicited ARP replies for
LINwith your MAC address instead of the MAC address you previously recorded. You should also see at least one ARP reply with the correct MAC address. Save a snippet of the output showing both.
In the second SSH terminal, carefully review the output. You should see the HTTP packet data from the
LINbox to the
WINbox, starting with the SYN request. Record a snippet of 10 or so lines for your report.
In the third SSH terminal,
ettercapshould have sniffed the HTTP password being used to login into the
WINbox. Record one of the password lines for your report.
ettercapby pressing 'q'. In the first SSH terminal, record a snippet of the
tcpdumpoutput showing the ARP replies with the correct MAC address for
Since ettercap disables Linux IP forwarding (routing) while it is running, you need to enable it manually every time after using ettercap or you won't be able to route to your Windows server. This is done by simply running:
3. DNS Cache Poisoning
While ARP poisoning is a very powerful attack, it is generally only effective if the attacking system is on the same ethernet segment as one of the victims. Another MitM attack is possible by subverting the Domain Name System (DNS). Since DNS requests and replies are not generally authenticated, it is possible to trick a resolver into believing a certain domain points to an IP other than the correct one.
The term DNS cache poisoning can refer to many different methods of achieving the same end: tricking a resolver into trusting a false record. Many forms of these attacks are a result of DNS software implementation bugs and a poorly designed protocol. Some of these attacks are described in a DNS cache poisoning article.
Some specific examples of DNS software bugs are described here, here, here, and here. Select one of these bugs and study it in depth. More background information on how the DNS works can be found here.
In the absence of any DNS resolver vulnerabilities, cache poisoning is still possible. Obviously, if an attacker compromises a router or network in between a resolver and a DNS server, then it would be trivial to subvert records. However, even if an attacker doesn't have this kind of access, it may be possible to poison DNS caches.
Suppose an attacker, Mallory, knows that Alice's DNS resolver will
be sending a request for the domain
Bob's DNS server (who is authoritative for that domain) at a
particular time of day. Mallory knows the IP address of Alice's
resolver and Bob's DNS server, but the request itself cannot be
seen by Mallory. Suppose Mallory wishes to spoof a DNS response as
if it came from Bob's server to trick Alice into believing a false
record. Assuming Mallory sends this spoofed record at just the
right time (eg. before Bob's reply gets to Alice), calculate the
probability that Mallory will successfully poison Alice's
resolver. Record the result of your calculation and your
reasoning behind it.
For this lab, your team must submit a report with the following information:
The recorded MAC addresses.
A snippet of the ARP data right after the ARP poisoning, showing at least one correct ARP reply and a few spoofed ARP replies.
A snippet of 10 or so lines of HTTP data between
A password line from ettercap showing the HTTP username and password.
A snippet of the ARP data right after the ARP poisener deactivated, showing the correct MAC address for the
What is Mallory's probability of success in the DNS cache poisoning attack against Alice?
In the DNS cache poisoning section, you studied a specific flaw in some DNS software which could allow an attacker to easily poison it. State which flaw you studied and describe the specific scenario(s) in which an attacker could exploit it.
Suppose it was your task to design a simple heuristic to detect ARP poisoning attacks. What kinds of abnormalities could a passive sniffer look for that would be strongly indicative of this kind of MitM attack?
Submit a link to a tool that you can install on your Linux machine to detect ARP poisoning.
tcpdumpoutput of HTTP packets, why are only packets from
Your grade for this lab will be composed of:
70% - The outputs you recorded.
30% - The rest of the questions.