
I read about and tried a lot of MiTM attacks but I just don't get how Port Stealing can be used as a MiTM attack.

In my understanding one can "steal" a port by sending Ethernet frames faking the victim's source MAC address, with the goal of confusing the switch to the point where the CAM table associates the attacker's port with the victim's MAC address, which is really behind another port.

This will result in the attacker receiving all the packets which are destined for the victim. But at this point the attacker isn't able to forward the packets to the victim, because the switch still thinks the victim is behind the attacker's port.

So if I'm right up to this point, how can Port Stealing be used as a MiTM attack?

WhiteWinterWolf
davidb

1 Answer


The behavior you describe is true. However, the trick is that the attacker software does not keep the stolen port for itself; it proceeds in the following loop:

  1. Steal the port,
  2. Receive some data,
  3. Give the port back,
  4. Forward the data to the real destination,
  5. Go back to step 1 by stealing the port again.

You can find more information in Ettercap documentation, which includes the excerpt below:

Port Stealing

This technique is useful to sniff in a switched environment when ARP poisoning is not effective (for example where static mapped ARPs are used).

It floods the LAN with ARP packets. The destination MAC address of each "stealing" packet is the same as the attacker's one (other NICs won't see these packets), the source MAC address will be one of the MACs of the victims.

This process "steals" the switch's port of each victim.

Using low delays, packets destined to "stolen" MAC addresses will be received by the attacker, winning the race condition with the real port owner.

When the attacker receives packets for "stolen" hosts, it stops the flooding process and performs an ARP request for the real destination of the packet.

When it receives the ARP reply it's sure that the victim has "taken back" his port, so ettercap can re-send the packet to the destination as is.

Now we can re-start the flooding process waiting for new packets.

WhiteWinterWolf
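As an added example (not part of the question, the answer, or Ettercap's code), the following Python models the only thing the switch actually does during the loop described above: its CAM table records the port on which a source MAC was most recently seen. Replaying a constructed frame trace through that model shows why each "steal" and each "give back" flips the victim's entry, and why a defender watching the CAM table sees the attack as a MAC address that flaps between two ports many times per second. The MAC addresses, port numbers, timings and the `flapping_macs` thresholds are all constructed for illustration; `LearningSwitch`, `Frame` and `run` are hypothetical names introduced here.

```python
from collections import defaultdict, namedtuple

# One frame as the switch sees it: arrival time (s), source MAC, ingress port.
Frame = namedtuple("Frame", ["t", "src_mac", "ingress_port"])


class LearningSwitch:
    """Minimal model of a switch CAM table (hypothetical helper, constructed here).

    The table always maps a MAC to the port where that MAC was last seen as a
    *source*; a forged source MAC on the attacker's port is enough to move it."""

    def __init__(self):
        self.cam = {}                    # mac -> port currently associated
        self.moves = defaultdict(list)   # mac -> [(t, old_port, new_port), ...]

    def learn(self, frame):
        old = self.cam.get(frame.src_mac)
        if old is not None and old != frame.ingress_port:
            # A port change for a known MAC is the event a defender can watch for.
            self.moves[frame.src_mac].append((frame.t, old, frame.ingress_port))
        self.cam[frame.src_mac] = frame.ingress_port

    def port_for(self, mac):
        return self.cam.get(mac)


def flapping_macs(switch, window=1.0, threshold=3):
    """Return {mac: total_moves} for MACs whose learned port changed at least
    `threshold` times inside any `window` seconds.

    A laptop moved to another wall socket produces one move; the steal / give
    back loop produces a move for every iteration, so a burst of moves is the
    signature of port stealing."""
    flagged = {}
    for mac, moves in switch.moves.items():
        times = [t for t, _, _ in moves]
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged[mac] = len(moves)
                break
    return flagged


# Constructed sample values (not from the page).
VICTIM = "00:11:22:33:44:55"
SERVER = "66:77:88:99:aa:bb"
VICTIM_PORT, ATTACKER_PORT, SERVER_PORT = 3, 7, 1


def constructed_trace():
    """Constructed frame trace: legitimate traffic, then four rounds of the loop
    from the answer (steal the port, victim answers the ARP request and takes
    it back)."""
    frames = [
        Frame(0.00, SERVER, SERVER_PORT),
        Frame(0.01, VICTIM, VICTIM_PORT),   # victim's own traffic, learned on port 3
    ]
    t = 0.10
    for _ in range(4):
        frames.append(Frame(t, VICTIM, ATTACKER_PORT))  # forged source MAC seen on port 7
        t += 0.05
        frames.append(Frame(t, VICTIM, VICTIM_PORT))    # victim's ARP reply restores port 3
        t += 0.05
    return frames


def run(frames=None):
    """Replay a trace through the switch model; return (switch, flagged MACs)."""
    if frames is None:
        frames = constructed_trace()
    sw = LearningSwitch()
    for f in frames:
        sw.learn(f)
    return sw, flapping_macs(sw)


if __name__ == "__main__":
    sw, flagged = run()
    for mac, moves in sw.moves.items():
        for t, old, new in moves:
            print(f"t={t:.2f}s  {mac} moved port {old} -> {new}")
    print("flagged as flapping:", flagged)
    print("final CAM entry for victim:", sw.port_for(VICTIM))
```

Running it prints eight port moves for the victim's MAC within half a second and flags that MAC, while the server's entry never moves and the final table looks perfectly normal again (victim back on port 3), which is exactly why a point-in-time look at the CAM table misses the attack and a move-rate view catches it. Real switches expose the same signal as MAC move or MAC flap notifications, and port-security features that limit which MACs a port may learn stop the forged frames from moving the entry at all.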