
I have a test environment where I try some wireless hacking tools and approaches, and lately I have been interested in evil twin attacks. I created a fake AP using airbase-ng and specified the iptables rules manually, at which point a connected client had Internet access. Then I fired up the MITMf framework and ran it with the following command:

./mitmf.py -i at0 --spoof --hsts --arp --dns --gateway 192.168.0.1

Using this approach, I was able to get the credentials of the victim (myself, in my test lab) from FB and GMail. It was redirecting the connection to some non-secure subdomain, such as account.google.com instead of the original accounts.google.com.

On the other hand, I tried to use the MANA toolkit in order to create the fake AP automatically. It also comes with tools such as SSLStrip and dns2proxy (which MITMf uses too). But once I ran the script that comes with MANA (start-nat-full.sh), it created a fake AP and the connected client had Internet access, but if the client wanted to visit a website like FB or GMail, the page wouldn't open at all.

I didn't spend time going over the source code fully, but I believe one difference between them is that MITMf also offers DNS and ARP spoofing using the tool Spoof, which I used while running the attack. If I remove them, the attack doesn't succeed; it then opens the secure version of FB or GMail.

However, I don't know exactly whether this was the primary reason why it succeeded with one tool and not with the other one. If someone has had similar experiences, I would like to hear about them. But my question is: does ARP or DNS spoofing play a role in doing MITM attacks (or bypassing HSTS)?

davidb
typos

3 Answers


ARP spoofing is mostly the basis of MitM attacks. It is used to redirect the traffic initially. This is done by fooling the victim into believing that your MAC address is associated with the router's IP address. This is called ARP spoofing or ARP cache poisoning.

DNS spoofing is used to target specific sites. For example, if you created a fake site that looks like the one of a local bank, you would then send fake answers for the associated domain to redirect the traffic to the site you control instead of the original one.

Bypassing HSTS is done by manipulating the client's time setting. This can be done by manipulating the NTP traffic the client receives. There is a stand-alone tool to do this called delorean. This will not work when the site is listed on the HSTS preload list.

I also had different experiences with different tools. For example, arpspoof and bettercap worked great for me, while ettercap did nothing but cause trouble.

techraf
davidb
  • Thanks for the answer, but I already know their basic idea. I was hoping for a more elaborate answer from someone who is experienced with these tools, and who may point out what may be the reason that one tool succeeds where the other one fails. – typos Jun 06 '16 at 22:34
  • You said "But, my question is, does ARP or DNS spoofing play role in doing MITM attacks (or bypassing HSTS)?" which I answered. Maybe you should formulate your question more clearly. – davidb Jun 07 '16 at 10:23
  • @davidb "This will not work when the site is listed on the HSTS pre-load list." Because even preloaded entries expire, an attack that would set the clock past the expiry date would work. – jub0bs Mar 04 '21 at 13:46

In a MITM attack using software like ettercap, the attacker would connect to a router and then reroute all other traffic to their computer through ARP spoofing to do the interception, then send it on to the router. However, if the attacker is running a "fake AP", they do not need ARP spoofing, as they would already be the "router" of the network.

That being said, they may utilize DNS spoofing in cases where they want to redirect traffic to their own servers (whether externally or on a laptop). For example, they might go to a public WiFi hotspot to steal banking passwords and later go on to sell the data or use it directly to commit fraud.

On the subject of HSTS, it may only be bypassed if both of the following requirements are met:

  1. The user has never visited the website using HSTS (or has previously cleared the HSTS headers)

  2. The website using HSTS isn't preloaded into their web browser.

Only when both of these requirements are met will you be able to bypass HSTS. The protocol was designed to prevent SSL spoofing attacks by taking away the user's choice of whether to proceed or not (unless it's NOT preloaded and the user manually removed the header).

Hopefully this provided you with some insight into the differences between the attacks.

Jens Erat
Cuban
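The two answers above both turn on how a browser decides whether HSTS covers a host. As an added example (not code from the question, from any answer, or from any browser), the following models that decision: a constructed stand-in for the preload list, the dynamic cache filled from Strict-Transport-Security headers, and an expiry check against the system clock, which is what the clock-manipulation bypass and the "never visited / not preloaded" conditions both come down to. All hostnames and times are constructed; browser-specific handling of a stale preload list is out of scope.

```python
import re

# Constructed stand-in for the browser's compiled-in preload list
# (hostname -> includeSubDomains); no real hostnames are used.
PRELOADED = {"preloaded.example": True}

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if m:
                max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

class HstsStore:
    """The browser's dynamic HSTS cache: host -> (expiry timestamp, includeSubDomains)."""
    def __init__(self):
        self.entries = {}

    def observe(self, host, header, now):
        """Record the header from an HTTPS response received at time `now`."""
        max_age, include_sub = parse_hsts(header)
        if max_age is None:
            return                        # no valid max-age: header is ignored
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.entries[host] = (now + max_age, include_sub)

    def must_use_https(self, host, now):
        """True if the browser would refuse plain HTTP for `host` at time `now`."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = (i == 0)              # parent entries apply only with includeSubDomains
            if candidate in PRELOADED and (exact or PRELOADED[candidate]):
                return True
            if candidate in self.entries:
                expiry, include_sub = self.entries[candidate]
                # Expiry is compared against the system clock: a client whose
                # clock is pushed past `expiry` silently loses the policy.
                if now < expiry and (exact or include_sub):
                    return True
        return False
```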

Mostly, man-in-the-middle attacks use ARP poisoning as the method to position a malicious device between the two devices.

ARP works at layer 2, the network layer. ARP is broadcast based, and any device can reply to an ARP broadcast. Typically, devices store ARP caches, i.e. devices will have ARP tables storing MAC and IP address mappings.

A MITM can be conducted if all devices are working on the same broadcast domain. The malicious device literally issues ARP replies continually to both devices, thereby overriding the other devices' ARP caches. Both devices with the poisoned ARP cache start sending their packets to the malicious device, which in turn forwards them to the correct device. The malicious device's ARP cache is not poisoned.

This allows one to record the traffic and possibly see the content if it is not encrypted.

A typical mitigation strategy is to implement VLANs; this introduces additional broadcast domains. Though each VLAN will still have its own broadcast domain, so devices within each remain vulnerable to each other.

Hope this helps in some way.

Darragh
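The poisoning mechanism described in this answer and in davidb's answer above leaves two visible traces on the wire: an IP whose MAC mapping changes, and one MAC answering for several IPs (the victim's and the gateway's). As an added example, not code from any answer or from arpwatch, the following replays a constructed trace of ARP replies and raises those alerts; it also pins the gateway mapping the way a static ARP entry would, so a contradicting reply is flagged every time. The gateway IP is the one from the question's --gateway flag; the client IP, all MACs and the trace itself are constructed.

```python
from collections import defaultdict, namedtuple

# One ARP reply as seen on the wire: time, the IP the sender claims, its MAC.
ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")

# Constructed trace (not real captures). A second MAC starts answering for
# the gateway and for the client, which is what cache poisoning looks like.
TRACE = [
    ArpReply(0.0, "192.168.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(0.5, "192.168.0.42", "bb:bb:bb:bb:bb:42"),
    ArpReply(1.0, "192.168.0.1", "cc:cc:cc:cc:cc:99"),
    ArpReply(1.5, "192.168.0.42", "cc:cc:cc:cc:cc:99"),
    ArpReply(2.0, "192.168.0.1", "cc:cc:cc:cc:cc:99"),
]

# Mapping a defender pins in advance (constructed gateway MAC), like a static ARP entry.
KNOWN = {"192.168.0.1": "aa:aa:aa:aa:aa:01"}

def analyze(trace, known=None):
    """Replay ARP replies and return (ts, kind, detail) alerts, arpwatch-style."""
    known = known or {}
    table = dict(known)                  # ip -> MAC last seen claiming it
    ips_by_mac = defaultdict(set)        # mac -> every IP it has claimed so far
    alerts = []
    for r in trace:
        pinned = r.sender_ip in known
        prev = table.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            kind = "pinned-mapping-contradicted" if pinned else "changed-mapping"
            alerts.append((r.ts, kind, f"{r.sender_ip}: {prev} -> {r.sender_mac}"))
        if not pinned:
            table[r.sender_ip] = r.sender_mac   # pinned entries are never overwritten
        claimed = ips_by_mac[r.sender_mac]
        if claimed and r.sender_ip not in claimed:
            alerts.append((r.ts, "mac-claims-multiple-ips",
                           f"{r.sender_mac}: {sorted(claimed | {r.sender_ip})}"))
        claimed.add(r.sender_ip)
    return alerts

if __name__ == "__main__":
    for ts, kind, detail in analyze(TRACE, KNOWN):
        print(f"t={ts:.1f} {kind}: {detail}")
```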