Tuesday, April 30, 2013

What is a Man In the Middle Attack?

A Man in the Middle Attack (MITM) is a type of network attack in which an attacker assumes the role of the default gateway and captures all the traffic going to and fro. This is a very serious attack and also very easy to perform. MITM attack can be performed in a Local area network such as airport and  coffee shop wifi, college wifi, computer labs and other any kind of LAN. 

What the attack basically means is that a hacker (or anyone for that matter) with the right set of  tools, can intercept all your internet activities and see all your passwords and  all the websites you are browsing. 


How to perform a Man in the Middle attack?

There are many types of Man in the Middle attacks. There are also many ways to perform this attack. There are several tools such as Cain&Abel, Ettercap, Subterfuge, SSLStrip etc which can do a MITM attack.

In Windows, we use a technique called ARP spoofing to achieve MITM scenario. We use a free ready made tool called Cain&Abel for this. First, you need to be in the same network subnet as the victim (same campus, same room, or same wifi).

Download and Install Cain&Abel. Also download and install Wireshark which is also free. We will be using wireshark to capture the packets and analyze them. 
After everything is installed, run Cain from the desktop or menu. 



  • 1. Start Sniffer by clicking button shown in red box. 2. Then go to Sniffer tab.

  • 3. Right click on screen and select “Scan Mac Addresses”. The screen will quickly  be populated with all users in your LAN.
  • 4. Select all the IP addresses and right click. and select "Resolve host name". Now, you can find the IP address of the person you want to attack by viewing the computer names.


  • Now, 
  •  4. click on “ARP” on bottom and then 
  •  5. click on “Plus” icon to add user in victim list. 


 A window called “New ARP Poison Routing ” will pop up.
  • You will see windows divided in two parts. Select the default gateway in left half and select the victim's IP in the right.  Here you see me selecting 10.97.26.1 as the default gateway for the network and the victim's IP address 10.97.26.156




  • Click on start ARP option shown in red box. You will see that CAIN starts poisoning the host. 



This completes our ARP poisoning  Now, all the traffic from the victim will pass through the attacker's PC. The victim may notice his internet speed slowing down. 

Now, we need to capture the traffic by using Wireshark. 

Fire up wireshark and
 1. Click on the adapter button shown below in red. 2. Click 'start' in the adapter where there are packets. 




If you let this run for a while, all the traffic going through the victim's PC will be captured by wireshark. You can then save the packet capture file and analyze it with appropriate filters. By analyzing the packets, you can find juicy information like username and passwords, web urls visited by the victim etc.
Please note that you have to be very careful while performing such an attack. If not done properly, it can even cause denial of service to the entire network. 



0 comments:

Post a Comment