ADMIN Magazine, Archive 2022, Issue 67
Detecting and analyzing man-in-the-middle attacks
Cuckoo's Egg
Simulated Ettercap MITM Attack
To understand and ultimately defend yourself against an MITM attack, it can be helpful first to simulate one yourself. Always keep in mind that this kind of experiment on a third-party network, including public WiFi, is likely to be punishable by law. On your own network, however, the security functions and barriers on the managed switches can easily be tested. Ettercap [2] floods the targets with forged ARP data, and Wireshark lets you observe the effect. Both tools are available for Linux and are included in the Kali Linux distribution. On Ubuntu, install Ettercap with the commands:
sudo apt update
sudo apt install ettercap-common
The ettercap-common package contains only the shared files; the graphical interface used below is in the ettercap-graphical package, so install that as well (ettercap-text-only provides the curses and command-line version). After starting Ettercap, start the sniffing process and display the list of local network hosts (Figure 3); special settings are not necessary. Ettercap then shows the network devices it has found, which you can use as targets. To start an MITM attack, click on a computer in the host list and select Add to Target 1.
Figure 3: Ettercap helps perform MITM attacks, which you can then
analyze with Wireshark.
For a meaningful test, create a share with a text file of arbitrary content on one computer. You can then track access to the share, see when the file is opened, and view its content in Wireshark. Before the attack, check the ARP cache on the other computer with arp -a (on Linux systems without net-tools, use ip neigh) and make a note of the original MAC address recorded for the computer with the share (see the "Another Analysis Tool: XArp" box). The attack will replace that entry with the MAC address of a different computer, in this case the one on which you launched Ettercap. Up to this point, Ettercap has performed no active steps but has only read data from the network, just as an attacker would do.
Another Analysis Tool: XArp
In addition to Wireshark, tools such as XArp help detect forged entries in ARP tables. Combining several tools for a comprehensive analysis or stress test of your own security architecture is often worthwhile. One way to detect this kind of attack is to keep a close eye on the ARP table on the victim's computer, and that is exactly what XArp does, making it an effective ARP spoofing detector.
Unfortunately, XArp is no longer maintained [3], although it might persist in distribution repositories, or someone might eventually revive the project.
Next, select the other computer that you want to sniff for the test and click Add to Target 2. The target definitions are shown at the bottom of the window. The Ettercap computer can now sniff the data between the two devices, and you can analyze what happens with Wireshark.
In Ettercap's upper right menubar is an icon with a globe. Clicking on it offers a choice of MITM attacks; for this test, select ARP poisoning and confirm that you want to start. The attack is now active and can be observed with Wireshark, which ideally you launch on the computer that is running Ettercap. On Kali Linux, as mentioned before, both tools are preinstalled. At any time, you can stop ARP poisoning in Ettercap or define other targets. When the attack is stopped, Ettercap sends the genuine ARP data to the targets again, so after a short time they are back to the correct MAC address assignments.
Laughing Third Party
Launching a second Wireshark instance on the computer you defined as Target 2 is the easiest way to trace the attack. On the Target 2 computer, open the share you created earlier and the file in it, which is exactly what users do when accessing data on the network. The two Wireshark instances capture what happens in the background.
If you again query the ARP cache on the Target 2 computer with arp -a during the active attack, you will see that the entry for Target 1's IP address now carries the MAC address of the Ettercap computer. The ARP attack has succeeded: Target 2 believes the Kali computer running Ettercap is the Target 1 computer with the active share and sends its traffic there. Because Ettercap forwards the frames on to the real Target 1 (and, with both hosts poisoned, the replies back), the two computers communicate as before and neither notices that the Kali computer now sits in the path: a textbook MITM case.
Other computers do not notice anything, because only the two targets' ARP caches are poisoned and the connection between them keeps working. The poisoned entries let the computer with Ettercap and its active Wireshark instance read the data exchanged between Target 1 and Target 2. If the data is not encrypted, the Wireshark instance on the Ettercap/Kali client lets you extract the content of the data packets from the captures stored there. Closing Ettercap on the MITM machine also ends the ARP poisoning, and the attack is no longer visible on the network; only the captures remain as evidence.
Filters
Wireshark is as useful for observing an MITM attack while it runs as it is for analyzing one afterwards, so it makes sense to take a close look at the tool's capabilities. One important feature is the display filters: With the arp filter, using the attack described previously as the example, you can focus on the ARP-related network traffic (Figure 4). The smb or smb2 filter then shows the SMB traffic between the clients: all exchanges between Target 1 and Target 2, including the content of the text file created and opened for this test.
Figure 4: An MITM attack can be detected quite quickly by changing
the display filters for ARP and SMB.
Wireshark also has the fields arp.duplicate-address-detected and arp.duplicate-address-frame, which you can use as display filters on a saved or live capture to show the ARP packets in which one IP address is claimed by more than one MAC address, which is exactly what ARP poisoning produces when the Ettercap computer answers for Target 1's address. The Info column of such a packet reads Duplicate IP address detected for <IP> (<MAC>) - also in use by <MAC> (frame N), so both the original MAC address of the affected system and the frame in which the competing one first appeared can be read directly from the packet list. If you find such packets on the network, an attacker may be trying to take over another host's IP address, but rule out benign causes first: a genuine IP address conflict, a replaced network card, or a failover setup in which a virtual IP address moves between machines.
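As an added example (not code from the article or from Wireshark), the following Python script performs the two checks described above outside the GUI: it compares a baseline ARP cache snapshot with one taken during the attack, flags any MAC address that answers for more than one IP address, and replicates Wireshark's duplicate-address check on ARP replies exported with tshark. The ARP table snapshots and tshark lines are constructed sample data in the layouts that arp -a (Linux net-tools and Windows) and tshark -T fields print; the host names, IP and MAC addresses are invented for the example.

```python
"""Detect ARP-poisoning symptoms from ARP cache snapshots and captured ARP replies.

Added example for the article, not code from it. All sample data below is
constructed; the host names, IP and MAC addresses are invented.
"""
import re
from collections import defaultdict

# --- Constructed `arp -a` snapshots taken on the Target 2 computer -------------
# Linux (net-tools) layout, before the attack:
BASELINE_ARP = """\
fileserver (192.168.1.10) at 00:11:22:33:44:55 [ether] on eth0
gateway (192.168.1.1) at aa:bb:cc:dd:ee:01 [ether] on eth0
"""
# Same host while Ettercap is poisoning: Target 1's IP now carries the Kali MAC.
DURING_ATTACK_ARP = """\
fileserver (192.168.1.10) at 08:00:27:9a:1b:2c [ether] on eth0
gateway (192.168.1.1) at aa:bb:cc:dd:ee:01 [ether] on eth0
kali (192.168.1.66) at 08:00:27:9a:1b:2c [ether] on eth0
"""
# Windows layout of the same poisoned entry (column style, dashes in MACs).
WINDOWS_ARP = """\
Interface: 192.168.1.20 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.10          08-00-27-9a-1b-2c     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# --- Constructed tshark output --------------------------------------------------
# Lines in the shape produced by
#   tshark -r capture.pcap -Y "arp.opcode == 2" -T fields \
#          -e frame.number -e arp.src.proto_ipv4 -e arp.src.hw_mac
# (tab-separated). Frames 12/13 are genuine replies; from frame 40 on, the
# Kali MAC claims Target 1's IP address.
TSHARK_REPLIES = """\
12\t192.168.1.10\t00:11:22:33:44:55
13\t192.168.1.1\taa:bb:cc:dd:ee:01
40\t192.168.1.10\t08:00:27:9a:1b:2c
41\t192.168.1.10\t08:00:27:9a:1b:2c
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
ARP_LINE = re.compile(IPV4 + r".*?" + MAC)  # an IP followed later by a MAC


def normalize_mac(mac):
    """Lowercase, colon-separated form so Linux and Windows entries compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` output; accepts the Linux and Windows layouts.
    Header lines and the Windows 'Interface:' line carry no MAC and are skipped."""
    table = {}
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if match:
            table[match.group(1)] = normalize_mac(match.group(2))
    return table


def changed_mappings(baseline, current):
    """IPs whose MAC differs from the baseline snapshot -> {ip: (old_mac, new_mac)}."""
    return {ip: (baseline[ip], current[ip])
            for ip in baseline
            if ip in current and baseline[ip] != current[ip]}


def shared_macs(table):
    """MACs answering for more than one IP -> {mac: [ips]}.
    The poisoner's MAC shows up for its own IP and for the victim's. A router
    that owns several addresses or does proxy ARP looks the same, so treat a
    hit as a lead to verify, not as proof."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def duplicate_address_claims(tshark_fields):
    """Replicate Wireshark's arp.duplicate-address-detected check on exported ARP
    replies: an IP claimed by more than one MAC. Returns
    {ip: [(first_frame, mac), ...]} ordered by first sighting, so the first
    entry is the earliest claimant (the real owner if the capture began before
    the attack)."""
    first_seen = defaultdict(dict)  # ip -> {mac: first frame number}
    for line in tshark_fields.splitlines():
        if not line.strip():
            continue
        frame, ip, mac = line.split("\t")
        first_seen[ip].setdefault(normalize_mac(mac), int(frame))
    return {ip: sorted((frame, mac) for mac, frame in macs.items())
            for ip, macs in first_seen.items() if len(macs) > 1}


if __name__ == "__main__":
    before = parse_arp_table(BASELINE_ARP)
    during = parse_arp_table(DURING_ATTACK_ARP)
    for ip, (old, new) in changed_mappings(before, during).items():
        print(f"{ip}: MAC changed {old} -> {new}")
    for mac, ips in shared_macs(during).items():
        print(f"{mac} answers for {', '.join(ips)}")
    for ip, claims in duplicate_address_claims(TSHARK_REPLIES).items():
        print(f"{ip} claimed by {claims}")
```

In a real run you would replace the constructed strings with the output of arp -a captured before and during the test, and with the tshark export of the capture taken on the Target 2 computer; the tshark field names used in the comment (arp.opcode, arp.src.proto_ipv4, arp.src.hw_mac) are the same ones Wireshark shows in the packet details.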
© 2023 Linux New Media USA, LLC