Man in the Middle 1B: ARP Cache poisoning

Man in the middle is a class of attacks where an attacker somehow passes communications through a resource they control. In this series I'm going to describe how an attacker would hijack, control, subvert and snoop on a victim's network traffic.

In part 1B here I'm going to explain how attackers can place themselves in a man in the middle (MITM) position using an ARP cache poisoning attack. In part 1A I demonstrate how this is done using a WiFi honeypot. In part 2 I will demonstrate what can be done once in the MITM position. You can read either 1A or 1B and go from there; you don't need to read both.


The Theory

Imagine you are a computer sitting on a network. Sharing the network with you are a wide variety of different devices: computers, network printers, routers. Each host (really each network adapter) has a MAC address, also known as a hardware address. This address is burned into the device by its manufacturer. But to communicate we really need the assigned IP addresses. To translate IP addresses into MAC addresses we use the Address Resolution Protocol (ARP). Essentially, when a host wants to know which MAC address goes with an IP address it broadcasts "192.168.1.3 wants to know who owns 192.168.1.2", 192.168.1.2 replies "a1:b2:c3:d4:e5:f6 owns 192.168.1.2", and 192.168.1.3 stores this in a little cache of addresses.

It's a very simple protocol with one very big security problem: an attacker can simply lie. To spoof 192.168.1.2, for example, the attacker (66:60:00:00:06:66) continually sends ARP responses declaring "66:60:00:00:06:66 owns 192.168.1.2". Many hosts will add this to their ARP cache even if they didn't request it. For the host sending the request there is no way to tell which host is the real one. This problem is a feature of Ethernet and can't be easily fixed, only really detected.

The plan

In this scenario we are on a wired Ethernet network or are already connected to a wireless network. At this point we are just another host. We can sniff a little traffic, but what we really want is for a particular host's (192.168.1.3) traffic to both come and go through us, so that we are the man in the middle and can control the victim's traffic.

To do this we use ARP cache poisoning to convince 192.168.1.2 that we are its gateway to the internet (192.168.1.1) with:

arpspoof -i eth0 -t 192.168.1.2 192.168.1.1

To receive traffic coming from the other direction we convince the gateway (192.168.1.1) that we are 192.168.1.2 with:

arpspoof -i eth0 -t 192.168.1.1 192.168.1.2

Voilà, all internet traffic coming from or to 192.168.1.3 goes to our computer, but not through it yet. At the moment the victim cannot connect to the internet: the traffic is coming to us and stopping at us. I'll cover handling the traffic in part 2.
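Since the theory section notes that ARP poisoning can't really be fixed, only detected, here is an added example (my own code, not part of the original post or of arpspoof) of what a detector on the same segment would see. It parses raw ARP payloads, remembers which IPs were actually asked about, and flags replies nobody requested and IPs whose MAC suddenly changes; the constructed traffic replays the two-sided poisoning above, with assumed gateway and victim MACs and the post's attacker MAC 66:60:00:00:06:66.

```python
import struct

# ARP payload for Ethernet/IPv4 (RFC 826): htype, ptype, hlen, plen, oper,
# sender MAC, sender IP, target MAC, target IP -> 28 bytes.
ARP_FMT = "!HHBBH6s4s6s4s"
OP_REQUEST, OP_REPLY = 1, 2
mac_str = lambda b: ":".join(f"{x:02x}" for x in b)
ip_str = lambda b: ".".join(str(x) for x in b)

def build_arp(oper, smac, sip, tmac, tip):
    """Pack an ARP payload; used here only to construct sample frames for the demo."""
    mac, ip = lambda s: bytes.fromhex(s.replace(":", "")), lambda s: bytes(map(int, s.split(".")))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(smac), ip(sip), mac(tmac), ip(tip))

def parse_arp(payload):
    """Unpack an ARP payload, or return None if it is not Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, oper, smac, sip, tmac, tip = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": oper, "smac": mac_str(smac), "sip": ip_str(sip),
            "tmac": mac_str(tmac), "tip": ip_str(tip)}

class ArpWatch:
    """Flag unsolicited replies and IP->MAC changes; seed `bindings` from a trusted inventory."""
    def __init__(self, bindings=None):
        self.bindings = dict(bindings or {})   # ip -> MAC; without a seed the first claim wins
        self.asked = set()                     # IPs a request was seen for and not yet answered
        self.alerts = []

    def observe(self, payload):
        arp = parse_arp(payload)
        if arp and arp["op"] == OP_REQUEST:
            self.asked.add(arp["tip"])
        elif arp and arp["op"] == OP_REPLY:
            ip, mac = arp["sip"], arp["smac"]
            if ip not in self.asked:   # gratuitous ARP is sometimes legitimate: low severity
                self.alerts.append(f"unsolicited reply: {mac} claims {ip}")
            self.asked.discard(ip)
            known = self.bindings.setdefault(ip, mac)
            if known != mac:           # the signal that actually matters
                self.alerts.append(f"conflict: {ip} was {known}, now claimed by {mac}")

def demo():
    # Constructed sample traffic (assumed gateway/victim MACs); returns the alerts raised.
    gw, victim, attacker = "00:11:22:33:44:55", "a1:b2:c3:d4:e5:f6", "66:60:00:00:06:66"
    w = ArpWatch({"192.168.1.1": gw, "192.168.1.2": victim})
    w.observe(build_arp(OP_REQUEST, victim, "192.168.1.2", "00:00:00:00:00:00", "192.168.1.1"))
    w.observe(build_arp(OP_REPLY, gw, "192.168.1.1", victim, "192.168.1.2"))        # legitimate
    w.observe(build_arp(OP_REPLY, attacker, "192.168.1.1", victim, "192.168.1.2"))  # spoofed
    w.observe(build_arp(OP_REPLY, attacker, "192.168.1.2", gw, "192.168.1.1"))      # spoofed
    return w.alerts
```

In a real deployment the same `observe` loop would be fed from a raw socket or a pcap, and the binding conflict, not the unsolicited reply on its own, is the alert worth paging on.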