Many people know that a network is used to transfer information from one point to another. However, many of them don’t know that this very information can be sniffed/eavesdropped. Man-in-the-middle (MITM) is one attack to sniff information sent between end-points. As the name inferred, the attacker wants to be a third person in a supposedly a two-person communication. Let’s make this clear. Suppose Alice and Bob are communicating through a network. Then there is Eve who wants to know what kind of talks that Alice and Bob are in.
Okay, then what? The first thing that Eve has to do is to impersonate both Alice and Bob and put herself “in the middle”. When Alice sends a message to Bob, in reality Alice sends a message to Eve who impersonates Bob. The same thing happens when Bob is sending a message to Alice. Eve receives the message from Bob.
One thing to realize is that both Alice and Bob don’t know that they are being intercepted. This is sweet!
Before we jump further into a real scenario, we have to know how a normal communication in a network works. First of all, that in a network, each node has two addresses: IP and MAC. For Alice to send a message to Bob, Alice will need Bob’s MAC address. But Alice only knows Bob’s IP address. So, how can Alice know Bob’s MAC address?
There is something called ARP (Address Resolution Protocol). Every node in a network will broadcast ARP request in order to get MAC addresses of other nodes. Then, each machine will create an ARP cache, a table consisting of IP/MAC association. If you’re using Linux, then you can check your ARP table by executing
So when Alice wants to send a message to Bob, then Alice will check the MAC address associated with Bob’s IP address. Alice just gets the MAC address from the ARP cache and send the message to Bob.
So, here we go. First question: How can Eve impersonate Alice and Bob?
Answer: Eve has to have IP Addresses of Alice and Bob.
Second question: What should Eve do so that Alice and Bob will not know that they in reality send their messages through Eve?
Answer: Each node has its ARP cache consisting of MAC/IP association. Eve has to ‘poison’ the ARP cache of Alice and Bob.
Got it? What is the link from these two questions?
Exactly, Eve has to associate her MAC address with Alice and Bob’s IP addresses! Eve has to send a forged ARP reply to Alice with the source MAC address is her MAC address and IP address is Bob’s. Then Eve does the same thing for Bob.
Alice’s IP = 192.168.0.101, MAC = MAC_A
Bob’s IP = 192.168.0.102, MAC = MAC_B
Eve’s IP = 192.168.0.103, MAC = MAC_E
After the ARP broadcast has taken place, then we have:
Alice’s ARP Cache:
Bob’s ARP Cache:
What Eve should do is that she has to send a forged ARP reply to both Alice and Bob so that their ARP cache would be like the following:
Alice’s ARP Cache:
Bob’s ARP Cache:
There is a nice article how to do this from my favourite sniffing tool: ettercap. You can check it here.
And from now on, any message that Alice sends to Bob and vice versa will be intercepted by Eve.
So, Eve has done her job, right? Nope!
One thing she has to do is to forward the message to the intended destination. This can be done by IP forwarding.
You can google how to do IP forwarding as it is pretty easy.
So, that’s it.
I write this article with the intention how easy it is to perform sniffing in a network. The goal is to have an idea what attacker can do to your network so that we can prepare our defensive lines.