Northeastern University

CS 4740/6740 - Network Security

Lab: Man-in-the-Middle Attacks

In this lab, you will be inserting yourself in the middle of a connection to perform a Man-in-the-Middle (MitM) attack.

This lab builds on information from the Port Scanning lab. You are required to finish that lab before attempting this one.

Late submissions will result in a 10% penalty per day (e.g., 2.5 days late results in a 25% penalty).

1. ARP Poisoning

The address resolution protocol (ARP) is a layer 2 protocol whose purpose is to allow network devices to associate layer 3 addresses with layer 2 addresses. In a typical environment, ARP is used by nodes on a local area network to associate IP addresses with ethernet MAC addresses.

The ARP protocol is relatively simple. When a host A wants to send a packet to an IP address on the same LAN, it sends an ethernet broadcast requesting the MAC address of a node with a particular IP address. When a host B sees a request for its IP address, it will send a reply with its MAC address. Host A will then cache the result for a short period of time, using that MAC address for future packets to the IP address.

There is no built-in form of authentication in ARP, therefore replies can be easily spoofed. By sending false ARP replies, it is easy to redirect traffic from a victim to yourself. At this point you can perform several attacks. You could drop the traffic, effectively performing a denial-of-service. You could listen to the traffic and forward it, sniffing all the victim's traffic. You could also modify the traffic before sending it. Plenty of information about ARP and ARP poisoning is available on the web.

WARNING: ARP poisoning attacks can be very disruptive to a network. Please follow these instructions exactly, otherwise you might interfere with other teams doing their labs.

2. Ettercap

You will use ettercap to perform an ARP poisoning. Review the man page on ettercap and become familiar with the command line options. In particular, review the ARP poisoning options.

From the Port Scanning lab, you should have identified two machines on the network in the 10.0.0.64/26 address space. We shall refer to the IP address of the Linux machine as LIN and that of the Windows machine as WIN.

For the purposes of this lab, assume you somehow knew that a user on the LIN box regularly logs into a website on the WIN box. Your goal is to sniff the username and password.

  1. Open three terminals on your Linux router. In your first SSH terminal, send an ICMP echo request to both the LIN and WIN machines in order to add their MAC addresses to your ARP cache. Record their MAC addresses and the MAC address of the interface linked to that network on your Linux router for your report. Hint: see ping, arp, and ifconfig.

  2. In your first SSH terminal, you will be monitoring ARP requests and replies. Use the command:

    tcpdump -n -i <iface> arp

    Depending on the network traffic, you might see a few ARP requests for other machines.

  3. In the second terminal window, you will be monitoring HTTP packets between the LIN and WIN machines. Use the command:

    tcpdump -n -i <iface> port 80 and host LIN

    Notice that since the local area network is switched, you will not see any data in this capture until you start the ARP poisoning.

  4. In the third SSH terminal, run ettercap with the following command line:

    ettercap -i <iface> -T -M arp:oneway /LIN/ /WIN/

    This asks ettercap to redirect packets from LIN to WIN through your router first. It then forwards those packets on to the correct MAC address, so that neither host notices that ettercap is intercepting them.

  5. In the first SSH terminal, carefully review the ARP data. You should see periodic, unsolicited ARP replies for LIN with your MAC address instead of the MAC address you previously recorded. You should also see at least one ARP reply with the correct MAC address. Save a snippet of the output showing both.

  6. In the second SSH terminal, carefully review the output. You should see the HTTP packet data from the LIN box to the WIN box, starting with the SYN request. Record a snippet of 10 or so lines for your report.

  7. In the third SSH terminal, ettercap should have sniffed the HTTP password being used to log in to the WIN box. Record one of the password lines for your report.

  8. Shut down ettercap by pressing 'q'. In the first SSH terminal, record a snippet of the tcpdump output showing the ARP replies with the correct MAC address for LIN.

  9. Since ettercap disables Linux IP forwarding (routing) while it is running, you need to re-enable it manually after every ettercap run, or you won't be able to route to your Windows server. This is done by simply running:

    sysctl net/ipv4/ip_forward=1

3. DNS Cache Poisoning

While ARP poisoning is a very powerful attack, it is generally only effective if the attacking system is on the same ethernet segment as one of the victims. Another MitM attack is possible by subverting the Domain Name System (DNS). Since DNS requests and replies are not generally authenticated, it is possible to trick a resolver into believing a certain domain points to an IP other than the correct one.

The term DNS cache poisoning can refer to many different methods of achieving the same end: tricking a resolver into trusting a false record. Many forms of these attacks are a result of DNS software implementation bugs and a poorly designed protocol. Some of these attacks are described in a DNS cache poisoning article.

Some specific examples of DNS software bugs are described here, here, here, and here. Select one of these bugs and study it in depth. More background information on how the DNS works can be found here.

In the absence of any DNS resolver vulnerabilities, cache poisoning is still possible. Obviously, if an attacker compromises a router or network in between a resolver and a DNS server, then it would be trivial to subvert records. However, even if an attacker doesn't have this kind of access, it may be possible to poison DNS caches.

Suppose an attacker, Mallory, knows that Alice's DNS resolver will be sending a request for the domain example.org to Bob's DNS server (which is authoritative for that domain) at a particular time of day. Mallory knows the IP addresses of Alice's resolver and of Bob's DNS server, but cannot see the request itself. Suppose Mallory wishes to spoof a DNS response as if it came from Bob's server, to trick Alice into believing a false record. Assuming Mallory sends this spoofed record at just the right time (e.g., before Bob's reply reaches Alice), calculate the probability that Mallory will successfully poison Alice's resolver. Record the result of your calculation and the reasoning behind it.

Report

For this lab, your team must submit a report with the following information:

  1. The recorded MAC addresses.

  2. A snippet of the ARP data right after the ARP poisoning, showing at least one correct ARP reply and a few spoofed ARP replies.

  3. A snippet of 10 or so lines of HTTP data between LIN and WIN.

  4. A password line from ettercap showing the HTTP username and password.

  5. A snippet of the ARP data right after the ARP poisoner was deactivated, showing the correct MAC address for the LIN machine.

  6. What is Mallory's probability of success in the DNS cache poisoning attack against Alice?

  7. In the DNS cache poisoning section, you studied a specific flaw in some DNS software which could allow an attacker to easily poison it. State which flaw you studied and describe the specific scenario(s) in which an attacker could exploit it.

  8. Suppose it was your task to design a simple heuristic to detect ARP poisoning attacks. What kinds of abnormalities could a passive sniffer look for that would be strongly indicative of this kind of MitM attack?

  9. Submit a link to a tool that you can install on your Linux machine to detect ARP poisoning.

  10. In the tcpdump output of HTTP packets, why are only packets from LIN to WIN shown?

Grading

Your grade for this lab will be composed of: