Infos: Introduction to Man-In-The-Middle
Author: Nexus
Date: 13/04/2007
/================================================================================\
---------------------------------[ PLAYHACK.net ]---------------------------------
\================================================================================/


-[ INFOS ]-----------------------------------------------------------------------
Title: "Introduction to Man-In-The-Middle"
Author: Nexus
Website: http://nexus.playhack.net
Date: 2007-04-08 (ISO 8601)
---------------------------------------------------------------------------------


-[ SUMMARY ]---------------------------------------------------------------------
     0x01: Introduction
     0x02: ARP Spoofing
     0x03: Port Stealing
     0x04: Conclusions
---------------------------------------------------------------------------------



---[ 0x01: Introduction ]
The Man-In-The-Middle attack is a very common attack and, above all, a really
effective one, carried out in switched LANs.
This kind of attack can be accomplished with several types of techniques; the
most important are ARP Spoofing (or ARP Poisoning) and Port Stealing.

Thanks: thanks to everybody who really got involved in the project we created
just a few days ago! :) I'd like to thank you and invite all of you to
participate more. Thanks also to str0ke, omni & GOD.
-----------------------------------------------------------------------------[/]



---[ 0x02: ARP Spoofing ]
ARP (Address Resolution Protocol) is a rather old protocol that permits
obtaining the MAC address of a computer from its IP address.
This protocol is used in networks that use the IP protocol and, in order to
send packets, rely on the data link layer: that is to say, the data is
encapsulated in data link frames addressed to a certain IP, and those frames
carry the MAC address of the addressed host, obtained as said via ARP.

It's possible, exploiting the really low security level of this protocol, to
"squeeze" into the middle of a communication between two computers (for example
a host and a gateway) and intercept all data in transit.
           ________                          ________
          | HOST A |----------(*)-----------| HOST B |
           ````````            |             ````````
                               |
                               |
                               |
                           ____|_____
                          | ATTACKER |
                           ``````````

The fundamental concept is this: the ATTACKER squeezes into the line of
communication between HOST A and HOST B in an absolutely TRANSPARENT way and
can observe each packet in transit and possibly also modify them or create
new ones.

This is the new situation.
           ________                          ________
          | HOST A |----------( )-----------| HOST B |
           ````|```                          ```|````
               |                                |
               |                                |
               |                                |
               |           __________           |
               `---->-----| ATTACKER |-----<----'
                           ``````````

As we can see, all packets in transit between HOST A and HOST B pass first
through the ATTACKER, who actually has the power to do anything he wants with them.

A very versatile tool for this type of attack is Ettercap, a fully Italian
suite (written by ALoR and NaGa from blackhats.it) that is very easy to use
and allows us to make this attack effective.

The command to be used in the case of arp spoofing attack is as follows:

# ettercap -T -M arp:remote /xxx.xxx.xxx.xxx/ /yyy.yyy.yyy.yyy/ -w results.log

Where "-T" tells ettercap to run in text mode, "-M arp:remote" defines the
attack type, xxx.xxx.xxx.xxx is the IP of HOST A (any computer connected to
the net) and yyy.yyy.yyy.yyy is the IP of HOST B (which may well be the
gateway itself): the slashes are important, don't forget them.

The "-w results.log" option creates a pcap file in which all packets are
dumped: this can be useful here because later we can analyze the dumped data
with software like tcpdump or ethereal.
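A defender-side check for the ARP rebinding described above, as an added example that is not part of the original paper: it keeps the IP-to-MAC bindings seen in ARP replies (the way arpwatch-style monitors do) and flags an IP that suddenly answers from a different MAC, or a MAC that claims several IPs at once. The reply list is constructed sample data and the alert format is my own choice.

```python
from collections import defaultdict

# Constructed sample of ARP replies ("is-at"), as a passive sniffer on the LAN
# would record them: (sender IP, sender MAC). 192.168.1.1 plays HOST B (the
# gateway), 192.168.1.2 plays HOST A, and CC:CC:... is a third station that
# starts answering for both of them.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "BB:BB:BB:BB:BB:BB"),
    ("192.168.1.2", "AA:AA:AA:AA:AA:AA"),
    ("192.168.1.1", "BB:BB:BB:BB:BB:BB"),
    ("192.168.1.1", "CC:CC:CC:CC:CC:CC"),  # gateway IP now claimed by another MAC
    ("192.168.1.2", "CC:CC:CC:CC:CC:CC"),  # the same MAC also claims HOST A
]


def detect_arp_spoofing(replies):
    """Return a list of alert tuples for suspicious ARP replies.

    Two checks, in the spirit of arpwatch:
      ("rebind", ip, old_mac, new_mac): an IP that was bound to one MAC now
          answers from another (HOST A or the gateway being impersonated);
      ("multi", mac, sorted_ips): one MAC claiming more than one IP, which is
          what a station poisoning both ends of a conversation looks like.
    The first binding seen for each IP is trusted as the baseline.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()  # normalise case so AA:.. and aa:.. compare equal
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac
        elif known != mac:
            alerts.append(("rebind", ip, known, mac))
            ip_to_mac[ip] = mac  # follow the change so repeats don't re-alert
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(("multi", mac, sorted(mac_to_ips[mac])))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

A legitimate network card swap or a DHCP lease handed to another host raises the same "rebind" alert, so the baseline needs review rather than automatic blocking.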
-----------------------------------------------------------------------------[/]



---[ 0x03: Port Stealing ]
A slightly more complex attack is PORT Stealing: I'll treat it in a simple way,
considering that in this tutorial it has been decided only to introduce you to
this kind of technique! A deeper tutorial may be a topic for upcoming papers :)
If you don't know how a switch works, you'll probably need some preliminary
explanation.
First of all we have to say that a switch is a network device that works at
the Ethernet level and understands only MAC addresses: it doesn't know what IPs are.
In addition, a switch is equipped with a CACHE, in which it keeps track of all
the MAC addresses of the computers it has encountered.

Let's begin the attack.
When we connect to a switch, we send an ARP packet in broadcast to let everybody
know that we have arrived.
When we send a packet from our computer to a HOST B the switch acts in this way:
If HOST A has a MAC address like AA:AA:AA:AA:AA:AA and HOST B one like
BB:BB:BB:BB:BB:BB and there is packet traffic between them, the switch detects
the existence of these two computers connected to the network and works to
add them to its cache.
The packet starts from HOST A and contains the MAC address of HOST B; the
switch detects the packet, first of all extracts the MAC address of HOST A and
saves it in its cache, noting the interface it is connected to, for example 0.
When the packet reaches HOST B, it replies with a new packet and, seeing it, the
switch does the same thing as before and adds to its cache the MAC address of
HOST B and its interface, for example 1.
Now everything is fine: the switch has detected the computers and knows which
interfaces they are connected to.

Now let's go on...
If we modify our MAC address, which as we know is stored in an EPROM on our
network card (and, as it happens, is programmable as we wish), and put in the
MAC address of HOST A (for example), we can start to communicate with the
switch and send it new information.

To modify the MAC address (on Linux machines) it's sufficient to use the
"ifconfig" command.
If to start with we try a command like:
     # ifconfig eth0
     
We'll get an output like this:
eth0 Link encap:Ethernet HWaddr 00:11:22:3A:4B:5C
inet addr:192.168.1.2 Bcast:255.255.255.255 Mask:255.255.255.0
inet6 addr: fe80::211:d8ff:fe1a:6d23/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:132976 errors:0 dropped:0 overruns:0 frame:0
TX packets:149359 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:101226683 (96.5 MiB) TX bytes:24193224 (23.0 MiB)
Interrupt:185 Base address:0xc800

The field concerning the MAC address is this:
     HWaddr 00:11:22:3A:4B:5C

Now nothing is left but to modify its value with the string obtained during our
attack; to accomplish this it's sufficient to give this command:
     # ifconfig eth0 hw ether 01:02:03:04:05:06
     
And the new result will be:
eth0 Link encap:Ethernet HWaddr 01:02:03:04:05:06
inet addr:192.168.1.2 Bcast:255.255.255.255 Mask:255.255.255.0
inet6 addr: fe80::211:d8ff:fe1a:6d23/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:132976 errors:0 dropped:0 overruns:0 frame:0
TX packets:149359 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:101226683 (96.5 MiB) TX bytes:24193224 (23.0 MiB)
Interrupt:185 Base address:0xc800

Now that we have "spoofed" the MAC address of the victim machine we can proceed.

The switch, seeing the same MAC address of HOST A that is contained in its cache
but associated to a different interface, "thinks" that it has probably been
disconnected and reconnected to another port (even if that's not really the
case :P) and then updates its table, replacing the interface of HOST A (which
previously was 0) with the new one (ours, for example 2).

Now we have EFFECTIVELY stolen the port of HOST A in an absolutely transparent
way, because everything happens at switch level.

This kind of attack requires a large traffic of ARP packets, which despite that
doesn't slow down the connection because they are very small packets.

There is no way to prevent this kind of attack; there are only some advanced
switches (like Cisco ones) that supervise the ARP traffic in their network
and, if an excessive number of packets comes from a host, exclude it from the
traffic.
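The MAC-move supervision that the advanced switches mentioned above perform, as an added example that is not part of the original paper: it replays the switch's learning of source MAC to port from constructed frames and raises an alert when one MAC keeps bouncing between ports, which is the signature of the port stealing described in this section. The frame list and the flap threshold are assumptions of mine.

```python
from collections import defaultdict

# Constructed frames as the switch sees them: (source MAC, ingress port).
# HOST A (aa:..) is really on port 0 and HOST B (bb:..) on port 1; port 2 is a
# third station that starts sending frames with HOST A's source address, so the
# switch's table flips between 0 and 2 every time HOST A itself transmits.
SAMPLE_FRAMES = [
    ("aa:aa:aa:aa:aa:aa", 0),
    ("bb:bb:bb:bb:bb:bb", 1),
    ("aa:aa:aa:aa:aa:aa", 2),  # HOST A's MAC suddenly learned on port 2
    ("aa:aa:aa:aa:aa:aa", 0),  # HOST A sends again: back to port 0
    ("aa:aa:aa:aa:aa:aa", 2),
    ("aa:aa:aa:aa:aa:aa", 0),
]

FLAP_THRESHOLD = 3  # assumption: port moves per MAC before raising an alert


def learn_and_detect(frames, threshold=FLAP_THRESHOLD):
    """Simulate a switch's MAC table and flag flapping addresses.

    Returns (table, alerts): table maps MAC -> port as the switch would hold it
    after the last frame; alerts holds one (mac, moves, ports) tuple per MAC
    that moved between ports at least `threshold` times. The table learns the
    way a real switch does (last frame wins), which is exactly what port
    stealing abuses; the move counter is the extra bookkeeping a monitoring
    switch adds on top.
    """
    table = {}
    moves = defaultdict(int)
    ports_seen = defaultdict(set)
    alerts = []
    for mac, port in frames:
        mac = mac.lower()
        ports_seen[mac].add(port)
        prev = table.get(mac)
        if prev is not None and prev != port:
            moves[mac] += 1
            if moves[mac] == threshold:  # alert once, when the limit is hit
                alerts.append((mac, moves[mac], sorted(ports_seen[mac])))
        table[mac] = port  # last frame wins, as on a real switch
    return table, alerts


if __name__ == "__main__":
    table, alerts = learn_and_detect(SAMPLE_FRAMES)
    print(table)
    for alert in alerts:
        print("MAC flapping:", alert)
```

A laptop unplugged and reconnected elsewhere produces a single move, not a sustained flip-flop, which is why the count of moves is a better signal than any single change.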

But considering that these switches are really too expensive, in 80-90% of
cases our attacks will succeed.
-----------------------------------------------------------------------------[/]



---[ 0x04: Conclusions ]
We have finished our short "excursus" into the world of switched networks, and
if you have a sufficiently developed brain to understand the words written in
this paper you should probably understand that the proposed techniques are
really very easy and don't require a lot of knowledge of network protocols,
even if knowing something more about what we're doing shouldn't really hurt ;)

But this wasn't the purpose of this document: we just wanted to propose a quick
overview of security in LANs and I think I reached that aim.

Until next time, for more details!
-----------------------------------------------------------------------------[/]


\======================================[EOF]=====================================/