TRANSCRIPT
CrashCourseSecurity.com
Man in the Middle attacks and ARP poisoning explained
Why you shouldn’t ignore invalid certificates
A review of ARP
In order for host A to begin communication with host B, host A needs to know both host B’s IP address (where it is on the network) and its MAC address (the hardware address of its network adapter).
1. Host A sends an ARP request destined to host B’s IP address.
2. Host B responds with an ARP reply and sends its MAC address to host A.
3. Host A stores the response in its ARP table (also known as an ARP cache) so it can look it up for future reference.
4. Host A and B can now communicate freely.
IP: 192.168.1.1
MAC: AA:AA:AA:AA:AA:AA
IP: 192.168.1.5
MAC: BB:BB:BB:BB:BB:BB
ARP table    ARP table
Who has 192.168.1.1?
192.168.1.1 = AA:AA:AA:AA:AA:AA
192.168.1.5 = BB:BB:BB:BB:BB:BB
ARP Review
1. Host 192.168.1.5 wants to know the MAC address of 192.168.1.1.
2. 192.168.1.5 sends an ARP request destined to 192.168.1.1.
3. 192.168.1.1 responds with an ARP reply and sends its MAC address to 192.168.1.5.
4. 192.168.1.5 stores the response in its ARP table (also known as an ARP cache) so it can look it up for future reference.
5. The two hosts can now communicate freely.
Man in the Middle
Fool two hosts into thinking you are a legitimate one by using false ARP replies. This allows you to intercept all traffic between the two hosts.
• Send fake ARP replies in order to impersonate target hosts.
• All legitimate traffic goes to the attacking machine and then gets forwarded to the other victim.
• Targets are unaware they are being attacked.
• Attacker can listen to data or inject fake data.
• Attacker must be on the same physical network (the same layer-2 segment, since ARP is never routed).
IP: 192.168.1.1
MAC: AA:AA:AA:AA:AA:AA
IP: 192.168.1.5
MAC: BB:BB:BB:BB:BB:BB
ARP table    ARP table
192.168.1.1 = AA:AA:AA:AA:AA:AA
192.168.1.5 = BB:BB:BB:BB:BB:BB
Man in the Middle
Attacker
IP: 192.168.1.10
MAC: CC:CC:CC:CC:CC:CC
Poisoned entries: 192.168.1.5 = CC:CC:CC:CC:CC:CC    192.168.1.1 = CC:CC:CC:CC:CC:CC
aLL y0uR bAs3 aR3 b3l0nG to uS, n00b!!
1. Send fake ARP replies.
2. ARP packets say that both 192.168.1.5 and 192.168.1.1 are located at the attacker’s MAC address of CC:CC:CC:CC:CC:CC.
3. All traffic between the two victims is sent through the attacker.
SSL Certificate
Data between two hosts is encrypted using a certificate so third parties cannot eavesdrop; the certificate is what lets the client confirm it is talking to the real server before the encrypted session is set up.
IP: 192.168.1.1
MAC: AA:AA:AA:AA:AA:AA
IP: 192.168.1.5
MAC: BB:BB:BB:BB:BB:BB
SSL Certificates
Attacker
IP: 192.168.1.10
MAC: CC:CC:CC:CC:CC:CC
Get https://www.onlinebanking.com
Client sends: username = johnDoe, password = password1
Attacker sees only ciphertext: ? ? i*fk3903kd#1;OKfjm3Kelq;l(3k_11fkP10394
Server receives: username = johnDoe, password = password1
1. Client requests secure web page.
2. Client requests certificate from server.
3. Client encrypts data using certificate.
4. Attacker is unable to read encrypted traffic.
SSL Certificate Forging
• An attacker who is already in the middle is able to intercept the certificate request and inject a forged certificate.
• The attacker can then decrypt the data sent by the client (it was encrypted with the attacker’s key) and re-encrypt it with the real certificate when forwarding it to the server.
• Oftentimes this will cause a certificate warning in the browser, because the forged certificate is not signed by an authority the browser trusts (see picture on previous slide).
IP: 192.168.1.1
MAC: AA:AA:AA:AA:AA:AA
IP: 192.168.1.5
MAC: BB:BB:BB:BB:BB:BB
SSL Certificate Forging
Attacker
IP: 192.168.1.10
MAC: CC:CC:CC:CC:CC:CC
Get https://www.onlinebanking.com
Client sends (encrypted with the forged key): username = johnDoe, password = password1 becomes Fjkel(83;aljffke19(30Fj3kl250_(235’)@@!
Attacker forwards (re-encrypted with the real key): username = johnDoe, password = password1 becomes 33k3l*&93)|fka|}3adF[}Fjek:LE1Qapd13=fda3#+
Attacker reads in the clear: username = johnDoe, password = password1
1. Client requests certificate.
2. Certificate is intercepted by attacker.
3. Attacker forges a copy of the certificate with a new key.
4. Victim encrypts data using fake key.
5. Attacker re-encrypts the data using the original key.
6. Attacker records bank account information and books a trip to the Bahamas.
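The client-side counterpart of the slides above, as an added Python example that is not part of the CrashCourseSecurity.com deck: the TLS client configuration under which a certificate forged with the attacker's own key is rejected, placed beside the "just make the warning go away" configuration under which it is accepted, plus a certificate-pin comparison for a site whose genuine certificate the application already knows. The byte strings fed to the pin check are constructed placeholders, not real DER certificates.

```python
import hashlib
import hmac
import ssl


def hardened_client_context(cafile=None):
    """Client context that validates the server's certificate chain against
    trusted CAs and checks that the certificate matches the hostname.
    A certificate forged with the attacker's own key is not signed by a
    trusted CA, so the handshake fails instead of silently proceeding."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_client_context():
    """The setting that 'makes the warning go away': no chain validation and
    no hostname check, so a forged certificate is accepted and whoever holds
    its key can decrypt everything the client sends."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx):
    """Audit helper: True only if the context both validates the chain and
    checks the hostname; either one missing leaves the forgery undetected."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def certificate_pin(der_cert):
    """SHA-256 over the DER-encoded certificate, the value an application
    can store ahead of time for a site whose certificate it already knows."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, expected_pin):
    """Compare the certificate presented in the handshake against the stored
    pin. A forged copy carries a different key and so hashes differently,
    even if it were somehow accepted by the CA check. Constant-time compare
    avoids leaking how many leading characters matched."""
    return hmac.compare_digest(certificate_pin(der_cert), expected_pin)


# Constructed stand-ins for DER certificate bytes (not real certificates).
GENUINE_CERT = b"constructed-genuine-certificate-bytes"
FORGED_CERT = b"constructed-forged-certificate-bytes"
PINNED = certificate_pin(GENUINE_CERT)   # what the app would store in advance

if __name__ == "__main__":
    print("hardened context safe:", context_is_safe(hardened_client_context()))
    print("weak context safe:    ", context_is_safe(weak_client_context()))
    print("genuine cert matches pin:", pin_matches(GENUINE_CERT, PINNED))
    print("forged cert matches pin: ", pin_matches(FORGED_CERT, PINNED))
```

`ssl.create_default_context()` already enables both checks; the two assignments in `hardened_client_context` are there so a reviewer can see the intent explicitly. Pinning is a second line of defence, not a replacement for chain validation, and a pin on the whole certificate has to be updated whenever the site rotates its certificate, so pins are usually kept for a small set of high-value hosts rather than applied everywhere.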
ARP poisoning: Denial of Service
Attacker tells the victim that the default router is at a MAC address that does not exist, so the router cannot be found and no data can be sent outside the network.
IP: 192.168.1.1
MAC: AA:AA:AA:AA:AA:AA
IP: 192.168.1.5
MAC: BB:BB:BB:BB:BB:BB
ARP table    ARP table
192.168.1.1 = AA:AA:AA:AA:AA:AA
192.168.1.5 = BB:BB:BB:BB:BB:BB
ARP poisoning - DoS
Attacker
IP: 192.168.1.10
MAC: CC:CC:CC:CC:CC:CC
Poisoned entry on the victim: 192.168.1.1 = DB:9F:39:1F:92:11
1. Attacker tells victim the router is at a non-existent MAC address.
2. No data packets reach the router.
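Both the man-in-the-middle poisoning and this DoS variant leave the same traces in the ARP traffic a defender can watch for. The following Python script is an added example, not CrashCourseSecurity.com's material: it replays a constructed sequence of ARP replies that uses the IP and MAC values from the slide diagrams and flags a trusted binding being contradicted (the gateway claimed by someone else), an IP moving to a new MAC, and one MAC claiming more than one IP. The reply sequence and the `STATIC_BINDINGS` table are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of ARP replies as seen by a passive monitor on the LAN.
# Each entry is (sender IP, sender MAC) as carried in the reply. The first
# three are the normal state; the next two reproduce the man-in-the-middle
# slide (CC:CC:... claims both victims) and the last one the DoS slide
# (the router claimed by a MAC address that does not exist).
SAMPLE_REPLIES = [
    ("192.168.1.1", "AA:AA:AA:AA:AA:AA"),
    ("192.168.1.5", "BB:BB:BB:BB:BB:BB"),
    ("192.168.1.1", "AA:AA:AA:AA:AA:AA"),
    ("192.168.1.5", "CC:CC:CC:CC:CC:CC"),
    ("192.168.1.1", "CC:CC:CC:CC:CC:CC"),
    ("192.168.1.1", "DB:9F:39:1F:92:11"),
]

# Bindings the defender trusts and has fixed in advance, typically the
# default gateway. Assumed values taken from the slide diagrams.
STATIC_BINDINGS = {"192.168.1.1": "AA:AA:AA:AA:AA:AA"}


def analyze_arp(replies, static_bindings=None):
    """Replay ARP replies and return a list of alert tuples.

    Alert kinds produced:
      ("static_violation", ip, expected_mac, seen_mac)
      ("mac_change", ip, previous_mac, new_mac)
      ("duplicate_mac", mac, (ip1, ip2, ...))
    """
    static_bindings = {k: v.upper() for k, v in (static_bindings or {}).items()}
    ip_to_mac = {}                 # what the monitor currently believes
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []

    for ip, mac in replies:
        mac = mac.upper()

        # 1. A reply contradicting a trusted binding is the clearest signal:
        #    both the MITM and the DoS variant must overwrite the gateway entry.
        expected = static_bindings.get(ip)
        if expected and mac != expected:
            alerts.append(("static_violation", ip, expected, mac))

        # 2. An IP that was already known at one MAC and now appears at another.
        previous = ip_to_mac.get(ip)
        if previous and previous != mac:
            alerts.append(("mac_change", ip, previous, mac))
        ip_to_mac[ip] = mac

        # 3. One MAC claiming several IPs: the attacker has to answer for both
        #    victims with its own address to sit between them.
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and len(mac_to_ips[mac]) > before:
            alerts.append(("duplicate_mac", mac, tuple(sorted(mac_to_ips[mac]))))

    return alerts


if __name__ == "__main__":
    for alert in analyze_arp(SAMPLE_REPLIES, STATIC_BINDINGS):
        print(alert)
```

These are indicators, not proof: a replaced network card, a DHCP lease handed to a different machine, or a router failover also produces a `mac_change`, which is why the static-binding check on the gateway is the one worth paging on. The same logic is what tools such as arpwatch run continuously; on managed switches, Dynamic ARP Inspection drops the forged replies before they reach a victim, and a static ARP entry for the gateway on critical hosts removes the target of both attacks shown in the deck.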