
Man in the Middle attacks and ARP poisoning explained

Man in the Middle attacks and ARP poisoning explained. Why you shouldn’t ignore invalid certificates. A review of ARP.

shepry

Presentation Transcript


  1. Man in the Middle attacks and ARP poisoning explained Why you shouldn’t ignore invalid certificates CrashCourseSecurity.com

  2. A review of ARP
  In order for host A to begin communication with host B, host A needs to know both host B’s IP address (where it is on the network) and its MAC address (the address for the network adapter).

  3. Host A sends an ARP request destined to host B’s IP address.
  • Host B responds with an ARP reply and sends its MAC address to host A.
  • Host A stores the response in its ARP table (also known as an ARP cache) so it can look it up for future reference.
  • Host A and B can now communicate freely.

  4. ARP Review
  Host 192.168.1.5 (MAC BB:BB:BB:BB:BB:BB) asks "Who has 192.168.1.1?" and host 192.168.1.1 (MAC AA:AA:AA:AA:AA:AA) answers. Afterwards each host’s ARP table holds the other’s entry: 192.168.1.5 has 192.168.1.1 = AA:AA:AA:AA:AA:AA, and 192.168.1.1 has 192.168.1.5 = BB:BB:BB:BB:BB:BB.
  1. Host 192.168.1.5 wants to know the MAC address of 192.168.1.1.
  2. 192.168.1.5 sends an ARP request destined to 192.168.1.1.
  3. 192.168.1.1 responds with an ARP reply and sends its MAC address to 192.168.1.5.
  4. 192.168.1.5 stores the response in its ARP table (also known as an ARP cache) so it can look it up for future reference.
  5. The two hosts can now communicate freely.

  5. Man in the Middle
  Fool two hosts into thinking you are a legitimate one by using false ARP replies. This allows you to intercept all traffic between the two hosts.

  6. Send fake ARP replies in order to impersonate target hosts.
  • All legitimate traffic goes to the attacker’s machine and then gets forwarded to the other victim.
  • Targets are unaware they are being attacked.
  • Attacker can listen to data or inject fake data.
  • Attacker must be on the same physical network.

  7. Man in the Middle
  Hosts: 192.168.1.1 (MAC AA:AA:AA:AA:AA:AA), 192.168.1.5 (MAC BB:BB:BB:BB:BB:BB) and the attacker at 192.168.1.10 (MAC CC:CC:CC:CC:CC:CC), captioned "aLL y0uR bAs3 aR3 b3l0nG to uS, n00b!!".
  Before the attack, 192.168.1.1’s ARP table holds 192.168.1.5 = BB:BB:BB:BB:BB:BB and 192.168.1.5’s ARP table holds 192.168.1.1 = AA:AA:AA:AA:AA:AA. After the fake ARP replies, 192.168.1.1’s table holds 192.168.1.5 = CC:CC:CC:CC:CC:CC and 192.168.1.5’s table holds 192.168.1.1 = CC:CC:CC:CC:CC:CC.
  Attacker: send fake ARP replies. The ARP packets say that both 192.168.1.5 and 192.168.1.1 are located at the attacker’s MAC address of CC:CC:CC:CC:CC:CC. All traffic between the two victims is sent through the attacker.

  8. SSL Certificate
  Data between two hosts is encrypted using a certificate so third parties cannot eavesdrop.

  9. SSL Certificates
  Client 192.168.1.5 (MAC BB:BB:BB:BB:BB:BB) sends "GET https://www.onlinebanking.com" with username = johnDoe and password = password1 to server 192.168.1.1 (MAC AA:AA:AA:AA:AA:AA); the attacker at 192.168.1.10 (MAC CC:CC:CC:CC:CC:CC) sees only ciphertext.
  1. Client requests secure web page.
  2. Client requests certificate from server.
  3. Client encrypts data using certificate.
  4. Attacker is unable to read encrypted traffic.

  10. SSL Certificate Forging

  11. An attacker is able to intercept the certificate request and inject a forged certificate.
  • The attacker can then decrypt the data sent by the client, and re-encrypt it with the real certificate when forwarding it to the server.
  • Often this will cause a certificate warning in the browser (see the picture on the previous slide).

  12. SSL Certificate Forging
  Client 192.168.1.5 (MAC BB:BB:BB:BB:BB:BB) sends "GET https://www.onlinebanking.com" with username = johnDoe and Password = password1 to server 192.168.1.1 (MAC AA:AA:AA:AA:AA:AA); the attacker at 192.168.1.10 (MAC CC:CC:CC:CC:CC:CC) sits between them, and each leg of the connection carries ciphertext.
  1. Client requests certificate.
  2. Certificate is intercepted by attacker.
  3. Attacker forges a copy of the certificate with a new key.
  4. Victim encrypts data using fake key.
  5. Attacker re-encrypts the data using the original key.
  Attacker records bank account information and books a trip to the Bahamas.
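The difference between slide 9 and slide 12 is whether the client actually verifies the certificate it is handed. The following added example (not part of the presentation) shows, with Python's standard `ssl` module, the client configuration that "ignores invalid certificates" next to the strict one, where a forged certificate fails the handshake instead of producing a warning that can be clicked through; it assumes the system CA store (or a `cafile` you supply) is trusted.

```python
import socket
import ssl


def weak_client_context():
    """The setting that 'ignores invalid certificates': no hostname check and no
    chain verification, so the forged certificate from slide 12 is accepted silently."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_client_context(cafile=None):
    """Verify the chain against trusted CAs (system store, or `cafile` if given) and
    check that the certificate names the host; a forged certificate makes the
    handshake fail with ssl.SSLCertVerificationError rather than a warning."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies_peer(ctx):
    """True only if both chain verification and hostname checking are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_peer_cert(host, port=443, ctx=None, timeout=5.0):
    """Open a TLS connection (needs network; not exercised offline) and return the
    peer certificate dict; with the strict context a forged cert never gets this far."""
    ctx = ctx or strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()
```

Any code path that reaches for `weak_client_context()` in a client is the programmatic equivalent of clicking past the browser warning on slide 11.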

  13. ARP poisoning: Denial of Service
  Attacker tells the victim that the default router cannot be found. No data can be sent outside the network.

  14. ARP poisoning - DoS
  Router 192.168.1.1 (MAC AA:AA:AA:AA:AA:AA), victim 192.168.1.5 (MAC BB:BB:BB:BB:BB:BB), attacker 192.168.1.10 (MAC CC:CC:CC:CC:CC:CC). The router’s ARP table still holds 192.168.1.5 = BB:BB:BB:BB:BB:BB, but the victim’s ARP table now holds 192.168.1.1 = DB:9F:39:1F:92:11 instead of 192.168.1.1 = AA:AA:AA:AA:AA:AA.
  1. Attacker tells victim the router is at a non-existent MAC address.
  2. No data packets reach the router.

  15. CrashCourseSecurity.com
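Both the man-in-the-middle table on slide 7 and the DoS table on slide 14 leave the same footprint: an ARP mapping changes without warning, and in the MITM case one MAC ends up claiming two IPs. The following added example (not from the presentation) replays ARP replies through a shadow ARP table and raises an alert for each of those conditions; it assumes the defender keeps a known-good IP-to-MAC list, and the replies and the trusted table are constructed from the slides' addresses.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"

# Constructed known-good mappings a defender would keep (e.g. a static inventory).
TRUSTED = {
    "192.168.1.1": "AA:AA:AA:AA:AA:AA",
    "192.168.1.5": "BB:BB:BB:BB:BB:BB",
}

# Constructed ARP replies in arrival order: (sender IP, sender MAC), following slides 4, 7 and 14.
SAMPLE_REPLIES = [
    ("192.168.1.1", "AA:AA:AA:AA:AA:AA"),  # legitimate reply (slide 4)
    ("192.168.1.5", "CC:CC:CC:CC:CC:CC"),  # attacker claims 192.168.1.5 (slide 7)
    ("192.168.1.1", "CC:CC:CC:CC:CC:CC"),  # attacker claims the gateway too (slide 7)
    ("192.168.1.1", "DB:9F:39:1F:92:11"),  # gateway pointed at a bogus MAC (slide 14)
]


def analyze_arp_replies(replies, trusted=None):
    """Replay ARP replies through a shadow ARP table and return alert tuples.

    Alerts: ("mac_changed", ip, old_mac, new_mac)      an IP's MAC silently changed
            ("gateway_changed", ip, old_mac, new_mac)  same, but for the default gateway (MITM or DoS)
            ("shared_mac", mac, (ip, ...))             one MAC now claims several IPs (classic MITM)
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            kind = "gateway_changed" if ip == GATEWAY_IP else "mac_changed"
            alerts.append((kind, ip, prev, mac))
            mac_to_ips[prev].discard(ip)  # the IP has moved; keep the reverse map accurate
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(("shared_mac", mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in analyze_arp_replies(SAMPLE_REPLIES, TRUSTED):
        print(alert)
```

On a real network the same logic can be fed from a packet capture filtered to ARP replies, and a `gateway_changed` alert to a MAC never seen before is the DoS case from slide 14.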
