MITM

MITMs are typically a LAN based attack that abuses layer2/3 protocols like arp,dhcp. SUMMARY: Back in the days of network HUBs we only needed a NIC that could go into promiscuous mode and our computer could sniff the traffic of any frame no matter the MAC since they were all knocking at our door anyways. But now we use switches that send the frame to the registered port and this makes sniffing far more difficult. There are some attacks that overflow the switches to get them to act like hubs so we can snif. Sniffing can be passive or active- Active: (MAC flooding)(ARP poisoning) Not stealthy Passive: Just listen with wireshark and see what you hear and try to get sensitive information. Almost impossible to detect this method Arp was made as away to quickly map layer 3 IPs with layer 2 MAC addresses. There are 2 types of ARP protocol packets(request/reply). This works in conjunction with an arp tables that stores these mappings with a ttl. Every network component on a network has an arp table on it. ARP tables: (win)#arp -a (lin)#arp When a computer wants to send something to another IP on the network it will first check its arp table to see if there are any mapping for a mac address. If there are it will pull the mac address and add it to the layer 2 part of the frame and send it out. If not found then it will send an arp request for the IP: src_ip:sender src_mac:sender dest_ip:who we want to check dest_mac:FF:FF:FF:FF:FF:FF //this indicates the broadcast This request will go to every node in the broadcast domain. Any node that does not match the dest ip will drop the packet. Matching Ip will respond with its MAC. MAC Flooding: Here we flood the CAM table on the switch which holds the following entries: <MAC - port - TTL> When we fill the CAM table we make it where any new MAC seen on the network will not be saved to the switch and will be sent out in a hub fashion. ARP Poisoning: We can do what is called a Gratuitous arp reply where we send out our MAC to the nodes to tell them what our MAC is without them asking. We can do this either to the gateway or a host. We need to send these about every 30 seconds (faster than the cache time out) in order to hold our spot in the middle. After the attack we should expunge our MAC from the cache with the real Mac just be be safe. There are tools to detect arp poisoning but not much to stop it. (tool dsniff) Host: We can send these arp reply's to insert ourselves between 2 computers by spoofing the IP and giving our mac.

Gateway: This method we send our MAC as the gateway IP to trick all nodes or a subset of nodes on the network that we are the gateway. Then all request are sent to the real gateway as if they were us.

We can also dos ourselves if we grab to many hosts and cant handle the requests fast enough.