In part 1B here I'm going to explain how attackers can place themselves in a man-in-the-middle (MITM) position using an ARP cache poisoning attack. In part 1A I demonstrate how the same position is reached using a Wi-Fi honeypot. In part 2 I will demonstrate what can be done once in the MITM position. You can read either 1A or 1B and go from there; you don't need to read both.
Imagine you are a computer sitting on a network. Sharing the network with you are a wide variety of devices: computers, network printers, routers. Each host (really each network adapter) has a MAC address, also known as a hardware address, which is burned into the device by its manufacturer. But hosts communicate using their assigned IP addresses, so IP addresses have to be translated into MAC addresses, and that is what the Address Resolution Protocol (ARP) does. Essentially, when a host wants to know which MAC address goes with an IP address it broadcasts "192.168.1.3 wants to know who owns 192.168.1.2", 192.168.1.2 replies "a1:b2:c3:d4:e5:f6 owns 192.168.1.2", and 192.168.1.3 stores this mapping in a small cache of addresses.
It's a very simple protocol with one very big security problem: an attacker can simply lie. To spoof 192.168.1.2, for example, the attacker (66:60:00:00:06:66) continually sends ARP replies declaring "66:60:00:00:06:66 owns 192.168.1.2". Many hosts will add this to their ARP cache even if they never sent a request. A host that did send a request has no way to tell which reply came from the real owner. This weakness is inherent to ARP on Ethernet and can't be easily fixed, only detected.
In this scenario we are on a wired Ethernet network or are already connected to a wireless network. At this point we are just another host. We can sniff a little traffic, but what we really want is for a particular host's (192.168.1.2) traffic to both come and go through us, so that we are the man in the middle and can control the victim's traffic.
To do this we use ARP cache poisoning to convince 192.168.1.2 that we are its gateway to the internet (192.168.1.1) with:
arpspoof -i eth0 -t 192.168.1.2 192.168.1.1
To receive traffic coming from the other direction we convince the gateway (192.168.1.1) that we are 192.168.1.2 with:
arpspoof -i eth0 -t 192.168.1.1 192.168.1.2
Voilà, all internet traffic coming from or to 192.168.1.2 goes to our computer, but not through it yet. At the moment the victim cannot connect to the internet: the traffic arrives at us and stops there. I'll cover handling the traffic in part 2.
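Since the text notes that this problem can only really be detected, here is an added example (my own code, not part of the original post or of arpspoof) showing what a passive detector on the LAN looks for: the same IP being claimed by two different MACs, or a claim that contradicts a binding the defender already knows. The ARP replies and the "real" MACs below are constructed for the example; only the attacker MAC comes from the text.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a passive sensor on the LAN would see
# them, as (sender_ip, sender_mac, target_ip). The attacker MAC is the one
# used in the text above; the other MACs are made up for this example.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:aa:aa:aa:aa:01", "192.168.1.2"),  # real gateway answers the victim
    ("192.168.1.2", "a1:b2:c3:d4:e5:f6", "192.168.1.1"),  # real victim answers the gateway
    ("192.168.1.1", "66:60:00:00:06:66", "192.168.1.2"),  # forged: "I am the gateway" to the victim
    ("192.168.1.2", "66:60:00:00:06:66", "192.168.1.1"),  # forged: "I am the victim" to the gateway
    ("192.168.1.1", "66:60:00:00:06:66", "192.168.1.2"),  # the forged reply is resent continually
]

# Bindings a defender knows in advance, e.g. the gateway's real MAC (assumed value).
KNOWN_BINDINGS = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}


def claimed_macs(replies):
    """Map each sender IP to every MAC that has claimed it."""
    seen = defaultdict(set)
    for sender_ip, sender_mac, _ in replies:
        seen[sender_ip].add(sender_mac.lower())
    return dict(seen)


def detect_arp_poisoning(replies, known=KNOWN_BINDINGS):
    """Return one alert per (ip, mac) pair that contradicts a known binding
    or a MAC that earlier claimed the same IP. One IP answered by two
    different MACs is the signature of the poisoning described above."""
    seen = defaultdict(set)
    for ip, mac in known.items():
        seen[ip].add(mac.lower())
    alerts, reported = [], set()
    for sender_ip, sender_mac, target_ip in replies:
        mac = sender_mac.lower()
        if seen[sender_ip] and mac not in seen[sender_ip] and (sender_ip, mac) not in reported:
            reported.add((sender_ip, mac))  # report each conflicting pair only once
            alerts.append(
                f"{sender_ip} now claimed by {mac}, previously {sorted(seen[sender_ip])} "
                f"(reply addressed to {target_ip})"
            )
        seen[sender_ip].add(mac)
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print("ALERT:", alert)
```

A legitimate NIC replacement also trips the "changed MAC" rule, so treat these alerts as a prompt to check the host rather than proof of an attack.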