Wednesday, July 4, 2012

Sniffing & man-in-the-middle/mitm using network sniffers

A long time ago I wrote an article on network sniffers, primarily Wireshark, which described what sniffing is and how one can passively sniff other users' data by putting the capture interface into promiscuous mode. This technique is known as passive sniffing and is really useful if your local network uses hubs instead of switches. If your network uses switches, however, you will not be able to capture all the traffic. The difference lies in the way these two devices forward packets to their destination.

When a hub receives a packet on one port, it simply makes a copy and repeats it out of every other physical port. The figure below illustrates this.

As you can see, the network packet denoted by the envelope is supposed to be delivered to PC0. But as soon as the hub receives the packet from Router0 it makes several copies and pushes them down all the links.

So if PC1 were running Wireshark it would always receive all the traffic meant for PC0. It should be clear that sniffing becomes very simple when a hub is in use.

Now let us consider a network using a switch.

In the previous article mentioned above I explained how a switch maintains a table that maps MAC addresses to physical ports.

Briefly speaking, any packet meant for PC0 will be forwarded only to PC0's link; the other links never get a copy. Wireshark running on PC1 will therefore not be able to capture anyone else's data.
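To make the hub/switch difference concrete, here is a small simulation written for this post (it is an added example, not code from the original article). It models a hub, which repeats every frame to all other ports, and a learning switch, which builds the MAC-to-port table described above from the source addresses it sees. The port numbers and MAC addresses are constructed values; PC0, PC1 and Router0 follow the figures in the text.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """A hub has no address table: every frame is repeated to every other port."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, frame):
        return [p for p in self.ports if p != in_port]


class LearningSwitch:
    """A switch learns which port each source MAC lives on and forwards only there."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # MAC address -> physical port

    def forward(self, in_port, frame):
        # Learn (or refresh) the sender's location from the source address.
        self.mac_table[frame["src"]] = in_port
        dst = frame["dst"]
        # Broadcasts and not-yet-learned destinations are flooded like a hub would.
        if dst == BROADCAST or dst not in self.mac_table:
            return [p for p in self.ports if p != in_port]
        out_port = self.mac_table[dst]
        # A frame is never sent back out of the port it arrived on.
        return [] if out_port == in_port else [out_port]


def run_demo():
    """Constructed topology: PC0 on port 1, PC1 on port 2, Router0 on port 3."""
    PC0, PC1, ROUTER0 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    ports = [1, 2, 3]
    hub, switch = Hub(ports), LearningSwitch(ports)

    to_pc0 = {"src": ROUTER0, "dst": PC0}
    hub_out = hub.forward(3, to_pc0)            # PC1 on port 2 also receives PC0's traffic
    switch_first = switch.forward(3, to_pc0)    # PC0 unknown so far: flooded, PC1 sees it once
    switch.forward(1, {"src": PC0, "dst": ROUTER0})  # PC0 replies; switch learns PC0 is on port 1
    switch_after = switch.forward(3, to_pc0)    # now delivered to port 1 only
    return hub_out, switch_first, switch_after


if __name__ == "__main__":
    hub_out, first, after = run_demo()
    print("hub forwards to ports:", hub_out)
    print("switch before learning PC0:", first)
    print("switch after learning PC0:", after)
```

Note the flooding step: a switch also behaves like a hub for a destination it has not learned yet, which is why a passive sniffer on a switched network still sees the occasional stray frame, but never a steady stream of another host's traffic.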

Now comes the interesting part! A technique known as Active sniffing is all you need to overcome this problem! It requires you to perform a Man in the Middle attack aka MitM which will be described below. But before I delve into what is active sniffing and mitm let me talk a little about ARP and ARP spoofing.


(NOTE: You may skip this section if you are well aware of what ARP is)

I assume you are already a little familiar with ARP (Address Resolution Protocol). It is the protocol a machine uses to discover the MAC address that belongs to an IP address on its local network, so that the two machines can communicate. It works at the link layer of the OSI model. You should also be aware of the ARP table (sometimes called the MAC table). It can be viewed by running the arp -a command in Windows and a simple arp command in Linux. It is a mapping between the IP addresses of machines on the local network and their MAC addresses.

Very briefly, when a node wants to send a packet it uses the destination IP address to look up the destination's MAC address in its ARP table. When a receiving node processes the packet, it checks whether the destination MAC address matches its own; if it does not, the packet is discarded.

ARP Spoofing/Poisoning

What if an attacker machine is somehow able to convince the victim that it is actually the destination machine the victim wants to talk to? And, at the same time, convince the destination machine that it is actually the victim PC? It would then be able to read their entire conversation.

Technically speaking, what if the attacking machine keeps sending false ARP updates telling the victim PC that the destination PC's MAC address is the attacker's own?

(Figure: network topology)

Refer to the illustration above. Here the attacker PC has crafted and sent false ARP updates telling the victim PC to update its ARP table so that the destination PC's IP address maps to bb:bb:bb:bb. The poor victim PC will then always set the destination MAC address to bb:bb:bb:bb. The attacker, after reading the packet, quietly forwards it to the destination using the correct MAC address. At the same time the attacker poisons the destination node in the same way.

Please keep in mind that if the destination node is not in the local network, the victim will never know its MAC address, because MAC addresses are not forwarded outside the local network. In such a situation the attacker has to target the local gateway/router instead, since all traffic intended for outside the network is forwarded to it.

Finally even though physically the attacker may be anywhere within the local network, logically all data will travel through it. The attacker acts as a middle man between the victim and the destination PC, thus the term man in the middle attack.

To summarize, we achieved a man in the middle attack by ARP spoofing, also called ARP poisoning. This is active sniffing: unlike passive sniffing, where the attacker simply sits and silently reads all the packets, here the attacker takes proactive steps and stealthily tampers with the network's configuration (the victims' ARP tables).
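The tampering described above leaves a visible trace on the wire: the same IP address suddenly being claimed by a second MAC address, and one MAC address claiming both the victim's and the gateway's IP. The following Python is an added example (not code from the original post) showing how a monitoring host can parse raw ARP frames and flag exactly those two symptoms. The frames it processes are constructed in the script to reproduce the scenario in the figure; the addresses (192.168.1.x, aa:aa:..., bb:bb:..., cc:cc:...) are made-up values, and nothing here sends traffic.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes):
    """Parse an Ethernet II frame; return an ArpPacket, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpPacket(opcode,
                     mac_to_str(frame[22:28]), ip_to_str(frame[28:32]),
                     mac_to_str(frame[32:38]), ip_to_str(frame[38:42]))


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a constructed ARP frame as test input for the parser (no packets are sent)."""
    def mac(s):
        return bytes.fromhex(s.replace(":", ""))

    def ip(s):
        return bytes(int(octet) for octet in s.split("."))

    eth_dst = mac(BROADCAST if opcode == ARP_REQUEST else target_mac)
    ethernet = eth_dst + mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    body += mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)
    return ethernet + body


class ArpWatch:
    """Remembers the first MAC seen for each IP and flags later ARP traffic that contradicts it."""

    def __init__(self, trusted=None):
        self.bindings = dict(trusted or {})  # ip -> first-seen (or pre-loaded trusted) MAC
        self.claims = {}                      # mac -> set of IPs that MAC has claimed
        self.alerts = []

    def observe(self, pkt: ArpPacket):
        new_alerts = []
        if pkt.sender_ip == "0.0.0.0":  # ARP probe; carries no usable binding
            return new_alerts
        known = self.bindings.setdefault(pkt.sender_ip, pkt.sender_mac)
        if known != pkt.sender_mac:
            new_alerts.append(f"{pkt.sender_ip} was {known}, now claimed by {pkt.sender_mac}")
        ips = self.claims.setdefault(pkt.sender_mac, set())
        if pkt.sender_ip not in ips:
            ips.add(pkt.sender_ip)
            if len(ips) > 1:  # heuristic: a router with several addresses would also trip this
                new_alerts.append(f"{pkt.sender_mac} now claims {len(ips)} addresses: {sorted(ips)}")
        self.alerts.extend(new_alerts)
        return new_alerts


def run_demo():
    """Replay constructed traffic: gateway .1 (aa), victim .10 (cc), poisoner (bb)."""
    GW, VICTIM, ATTACKER = "aa:aa:aa:aa:aa:aa", "cc:cc:cc:cc:cc:cc", "bb:bb:bb:bb:bb:bb"
    frames = [
        build_arp_frame(ARP_REPLY, GW, "192.168.1.1", VICTIM, "192.168.1.10"),        # legitimate
        build_arp_frame(ARP_REPLY, VICTIM, "192.168.1.10", GW, "192.168.1.1"),        # legitimate
        b"\x00" * 12 + b"\x08\x00" + b"\x00" * 30,                                    # IPv4, ignored
        build_arp_frame(ARP_REPLY, ATTACKER, "192.168.1.1", VICTIM, "192.168.1.10"),  # gateway poisoned
        build_arp_frame(ARP_REPLY, ATTACKER, "192.168.1.10", GW, "192.168.1.1"),      # victim poisoned
    ]
    watch = ArpWatch()
    for frame in frames:
        pkt = parse_arp_frame(frame)
        if pkt is not None:
            watch.observe(pkt)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT:", alert)
```

On a real host the frames would come from a raw socket or a pcap file instead of the constructed list; the parser and the ArpWatch logic stay the same. Pre-loading the gateway's true MAC into the trusted table is the simplest hardening, since the first-seen binding is otherwise only as trustworthy as whoever spoke first.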

Limitations of this attack

It should be clear by now that in order to perform this attack the victim PC and the attacker MUST be on the same local network. Also, some protocols have been designed to detect MitM attacks. HTTPS/SSL is one such protocol (I hope you now realize why you are advised to look for the small padlock when communicating sensitive information!). Most modern browsers will detect errors in digital certificates and promptly display an error. Other techniques have been developed specifically to attack SSL and HTTPS; these will be dealt with in a future post.


Using these concepts, tools have been built which allow you to actively sniff packets. Tools such as Wireshark combined with Arpspoof, Cain and Abel, and Ettercap will be discussed in the next post of this series. By the end of the next article you will be able to actively sniff and read data from packets intended for others! Prevention techniques will also be discussed.

IMPT: the next part of this tutorial is *Active network sniffing using Cain and Abel*

Important Links:

1. Understanding passive sniffing
2. Wiki on arp spoofing
3. Wiki on Packet sniffing
4. Wiki on promiscuous mode
