Ethical Hacking, MITM and ARP Poisoning

Sanduni Jayaweera
May 21, 2021


| Ethical Hacking

When we consider security in computer-based systems, there is a concept called Ethical Hacking. This kind of hacking is not done by professional hackers, but it can still cause severe damage. In other words, an authorized party indirectly grants you unauthorized access. Read the example below and you will get a better understanding of ethical hacking.

Suppose you want to open an email on your office computer while you are on leave, because it is really urgent. In that situation, you call your trustworthy friend at the office and tell him to open that email and forward it to your personal email. So you give him your office e-mail password, which you also use for your Facebook account, since it is hard to remember so many passwords. He opens your mail account and forwards that particular mail to your personal account.

So... your problem is solved, right?

But after some time, your friend thinks, “She gave me that password, let's try to access her Instagram profile with the same one.” Obviously, it does not work, so he then tries that password on your Facebook account. So, what happens? It works. Then he goes through your messages and the things in your profile. Since he is a really good friend, he may not do anything to harm you.

But think about it: you indirectly granted your friend access to your Facebook profile. These kinds of hackers are known as Ethical hackers or White hat hackers.

Actually, there is a high demand for White hat hackers in the industry to carry out organizational security assessments. What they do is simulate a real cyber attack against your organization's systems, so that you can learn about your vulnerabilities and fix them before a real cyber attack happens.

ARP (Address Resolution Protocol) Poisoning and MITM (Man-In-The-Middle) attacks are treated as Ethical Hacking.

Before going through ARP poisoning and MITM, let's do a quick recap of what an IP Address, Subnet Mask and Default Gateway are.

IP Address: As you know, the ID number provided to you by the government is specific to you only. That means two or more people cannot have the same ID number. Likewise, the IP address of your computer, which is provided by your Internet Service Provider (ISP), is unique to you.

An IP address consists of 2 parts, known as the Network Address and the Host Address. Devices in the same network share the same Network Address but have different Host Addresses. An IP address (IPv4) is a 32-bit number, split into four 8-bit fields.

IP addresses fall into 5 classes, known as Class A, B, C, D and E. The figure below shows each class with its respective value range.

Reference: https://www.tech-faq.com/ip-address-classes.html

Subnet Mask: Sometimes a huge network is sub-divided into smaller networks for manageability. To check whether two or more devices belong to the same subnet, all you need to do is compare the network address part of their IP addresses.

MAC (Media Access Control) Address: Each network device has a NIC (Network Interface Card) which connects it to the network and the internet. The MAC address is assigned to the NIC to physically identify the device among the other devices.

Broadcast: When two devices on the same network communicate, the initial communication is done through a broadcast. When a network device needs to connect with another device, it broadcasts a message to every device on the same network to identify whether its desired destination is on the same network or on a different one.

Default Gateway: This plays its role when one device on a network wants to communicate with another device on a different network. That means when the subnets of two IP addresses differ, the assistance of the default gateway is required to provide communication between them. A router, hub, switch and so on can act as the default gateway.

Every computer has its own IP address, Subnet Mask and Default Gateway. You can see these details for your own machine by typing ipconfig /all at the command prompt. In a Windows environment, when you type this command in cmd, you will see a list of details about your network configuration.

| What Is a MITM (Man-In-The-Middle) Attack?

Basically, a MITM attack involves an intruder who inserts themselves as a third party into a secure communication channel. What happens is that the intruder eavesdrops on your credentials or any other sensitive information before it reaches the intended receiver.

In normal network communication, the sender connects directly to the corresponding server and gets whatever it needs. In a MITM attack, the user sends their request to an unknown party without being aware of it at all, because the third party takes on all the properties (IP address, MAC address) of the real receiver. The third party can then completely change or alter the sender's message before sending it on to the real receiver. The figure below shows the MITM scenario.

Reference: https://www.varonis.com/blog/man-in-the-middle-attack/

Techniques that Lead to MITM Attacks

  • ARP (Address Resolution Protocol) Poisoning: Here, an intruder behaves as the network gateway of your network and receives all of your requests that should go through the default gateway.
  • DNS (Domain Name Service) Spoofing: Here, as a victim, you follow the Domain Name answers that the intruder provides on behalf of your gateway.
  • HTTP Session Hijacking: An intruder waits to steal your session cookies, credentials or other sensitive data in order to log in to your secure accounts, such as bank accounts.
  • Port stealing: Here, the intruder tries to steal the Ethernet port of a host and thereby make a connection with the sender.

How can we prevent MITM Attacks?

  • Use end-to-end encryption as much as possible for your exchanges of information.
  • Use MFA (Multi Factor Authentication).
  • On the developer side, take security into account from the initial stages of project development.
  • Always try to use a secure or trusted Wi-Fi connection, and do not use public connections for transmitting sensitive information.
  • Design your security guidelines based on the “Zero Trust” principle. It says: do not trust anyone (your employees and stakeholders) or anything (your devices, software, or any other tangible or intangible thing) by default.
  • Evaluate your security regularly.

Let's move on to discuss the type of MITM attack called ARP Poisoning.

| ARP (Address Resolution Protocol) Poisoning

What is ARP and What Does it Do?

The major responsibility of ARP is to provide a set of rules for devices to find their desired destination by providing the destination's MAC address. Let's see how ARP works in a LAN.

  • When A needs to communicate with B, A searches its own ARP table for the MAC address of B, since the actual communication takes place using MAC addresses.
  • If A finds the MAC of B there, it can start communicating.
  • If it does not find it in its own ARP table, A broadcasts an ARP request message on its network to find the MAC of B. All devices on the same network receive this broadcast ARP message, which contains the IP and MAC addresses of both source and destination. But the MAC of the destination is null (all zeros), since A has not found it yet.
  • The devices on the same network then compare the requested IP with their own IP. If a device finds that the requested IP is its own, that device sends an ARP response to Computer A.
  • In that response, Computer A becomes the destination while Computer B becomes the source, and the ARP response contains the MAC of B. Once A receives the MAC of B, it can establish proper communication with B.
  • Also, the ARP table in Computer A is updated with the MAC and IP of Computer B. If A needs to communicate with B again, A does not need to broadcast a message all over the network (LAN) again.
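The steps above, as an added example that is not part of the original post: a small Python simulation of ARP resolution on one LAN, with a per-host ARP table, a broadcast request carrying an all-zero target MAC, a reply from the owner of the requested IP, and the cache update that avoids a second broadcast. The hosts, IP and MAC addresses are constructed for the example.

```python
# Added example (not from the original post): a toy simulation of the ARP
# resolution steps described above. Hosts, IPs and MACs are constructed.
from dataclasses import dataclass, field

ZERO_MAC = "00:00:00:00:00:00"   # placeholder target MAC in an ARP request


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    arp_table: dict = field(default_factory=dict)  # IP -> MAC cache
    lan: object = None                              # set by Lan.attach()

    def resolve(self, target_ip):
        """Return (mac, broadcast_sent) for target_ip, following the ARP steps."""
        # Steps 1-2: look in the local ARP table first.
        if target_ip in self.arp_table:
            return self.arp_table[target_ip], False
        # Step 3: not cached, so broadcast a request; target MAC is still unknown.
        request = {"op": "request", "sender_ip": self.ip, "sender_mac": self.mac,
                   "target_ip": target_ip, "target_mac": ZERO_MAC}
        reply = self.lan.broadcast(self, request)
        if reply is None:
            return None, True          # nobody on this LAN owns target_ip
        # Step 6: cache the answer so the next lookup needs no broadcast.
        self.arp_table[reply["sender_ip"]] = reply["sender_mac"]
        return reply["sender_mac"], True

    def handle_request(self, request):
        """Steps 4-5: answer only if the requested IP is ours."""
        if request["target_ip"] != self.ip:
            return None
        # The responder also learns the requester's mapping from the request.
        self.arp_table[request["sender_ip"]] = request["sender_mac"]
        # In the reply the roles swap: B is now the sender, A the target.
        return {"op": "reply", "sender_ip": self.ip, "sender_mac": self.mac,
                "target_ip": request["sender_ip"], "target_mac": request["sender_mac"]}


class Lan:
    """A single broadcast domain: every attached host sees every request."""
    def __init__(self):
        self.hosts = []
        self.broadcasts = 0

    def attach(self, host):
        host.lan = self
        self.hosts.append(host)

    def broadcast(self, sender, request):
        self.broadcasts += 1
        for host in self.hosts:
            if host is sender:
                continue
            reply = host.handle_request(request)
            if reply is not None:
                return reply
        return None


def build_lan():
    """Constructed sample LAN with two hosts (addresses are made up)."""
    lan = Lan()
    a = Host("A", "192.0.2.10", "02:00:00:00:00:0a")
    b = Host("B", "192.0.2.20", "02:00:00:00:00:0b")
    lan.attach(a)
    lan.attach(b)
    return lan, a, b


if __name__ == "__main__":
    lan, a, b = build_lan()
    print(a.resolve(b.ip))            # first lookup: broadcast needed
    print(a.resolve(b.ip))            # second lookup: served from the ARP table
    print(a.resolve("192.0.2.99"))    # no such host on the LAN: no reply
    print("broadcasts sent:", lan.broadcasts)
```

Note that the simulation accepts whatever reply arrives first and caches it without checking who sent it; that is exactly the behaviour of real ARP that the poisoning section below relies on.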

However, if you need to connect to a device that resides on a different network, you need to use a device such as a hub or router. Routers have their own routing tables to map desired destinations to sources.

ARP Poisoning

Now you have an idea of ARP and what it is used for. Let's discuss ARP Poisoning, which is a type of MITM attack.

ARP Poisoning is caused by a weakness of ARP: to find the destination, the source broadcasts its own IP and MAC addresses along with the ARP request message.

In an ARP Poisoning attack, an intruder also receives the MAC and IP of your computer, as well as the IP of your desired destination. He then sends you a fake response message that associates his MAC address with the destination's IP address, so that the communication is established between your IP address and his MAC address. You then think this is the real destination, and you communicate with the intruder.

The following figure clearly shows what an intruder does to carry out an ARP Poisoning attack.

Reference: https://www.ionos.com/digitalguide/server/security/arp-spoofing-attacks-from-the-internal-network/

How can you detect whether you are under an ARP Poisoning attack?

  • Load your ARP table by typing the arp -a command.
  • Then check whether two different IP addresses share one physical (MAC) address. If they do, you are under an ARP Poisoning attack.
  • You can also use ARP Poisoning detection tools such as Wireshark or XArp.
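The manual check above, automated as an added example that is not part of the original post: a Python script that parses the text output of arp -a (it handles both the Windows aa-bb-cc style and the Linux aa:bb:cc style, going slightly beyond the Windows case the post uses) and reports any unicast MAC address bound to more than one IP address. Broadcast and multicast entries are skipped, because those MACs are legitimately shared. The two sample tables are constructed for the example; the function and variable names are the example's own.

```python
# Added example (not from the original post): scan the text output of
# "arp -a" for one MAC address bound to several IP addresses.
import re
from collections import defaultdict

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b((?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})\b")


def normalize_mac(mac):
    """Windows prints aa-bb-cc-..., Linux aa:bb:cc:...; compare one form."""
    return mac.lower().replace("-", ":")


def is_group_mac(mac):
    """Broadcast/multicast MACs have the I/G bit (lowest bit of the first
    octet) set; they are legitimately shared and must not raise an alert."""
    first_octet = int(mac.split(":")[0], 16)
    return first_octet & 1 == 1


def parse_arp_table(text):
    """Return {mac: [ip, ...]} from arp -a output (Windows or Linux style).
    Lines without an IP/MAC pair (headers, interface lines) are skipped."""
    table = defaultdict(list)
    for line in text.splitlines():
        ip_match = IP_RE.search(line)
        mac_match = MAC_RE.search(line)
        if not (ip_match and mac_match):
            continue
        mac = normalize_mac(mac_match.group(1))
        ip = ip_match.group(1)
        if ip not in table[mac]:
            table[mac].append(ip)
    return dict(table)


def find_shared_macs(text):
    """Unicast MACs that answer for more than one IP address."""
    return {mac: ips for mac, ips in parse_arp_table(text).items()
            if len(ips) > 1 and not is_group_mac(mac)}


# Constructed sample: Windows-style arp -a output in which the gateway's IP
# and a second host show the same physical address (the sign the post describes).
WINDOWS_SAMPLE = """\
Interface: 192.0.2.10 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.1             02-00-00-00-00-0b     dynamic
  192.0.2.20            02-00-00-00-00-0b     dynamic
  192.0.2.30            02-00-00-00-00-0c     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""

# Constructed sample: Linux-style arp -a output with no shared MAC.
LINUX_SAMPLE = """\
? (192.0.2.1) at 02:00:00:00:00:01 [ether] on eth0
? (192.0.2.20) at 02:00:00:00:00:0b [ether] on eth0
"""

if __name__ == "__main__":
    for name, sample in (("windows", WINDOWS_SAMPLE), ("linux", LINUX_SAMPLE)):
        shared = find_shared_macs(sample)
        if shared:
            for mac, ips in shared.items():
                print(f"[{name}] {mac} is claimed by {', '.join(ips)}: investigate")
        else:
            print(f"[{name}] no MAC is bound to more than one IP")
```

To run it against a real machine, pipe the command output in (for example `arp -a | python arp_check.py` with a `sys.stdin.read()` in place of the samples). A shared MAC is a strong signal but not proof: a router doing proxy ARP or a host with several IP addresses on one NIC also produces it, so compare the flagged entry with the gateway MAC you recorded on a known-good day before concluding the table is poisoned.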

I hope you now have a clear understanding of the concepts of Ethical Hacking, MITM and ARP Poisoning. In my next article, we are going to discuss DNS Spoofing, another MITM attack, in detail.

Stay Safe !!!
