I'm currently studying the possibility of a man-in-the-middle attack in a network consisting of a switch and 3 computers:

  1. Server/Host
  2. Client
  3. Man In The Middle

The server and the client will exchange data (actually, the client will only download a file from the server using a specific protocol that is written over TCP/IP), and via ARP poisoning, I've made it possible to eavesdrop on the data exchange. However, I was wondering:

Is it possible for the MITM to get the file being transferred, make a few changes and then send it to the client as it should be done?

techraf
  • I'm not sure you've given us enough information to answer. Is there any encryption? Signing of the data? Can the MiTM alter the data or only view it (sometimes called active vs passive MiTM)? – Neil Smithline Jun 28 '16 at 02:03
  • Sorry for not being clearer, the data isn't encrypted nor signed, and I would want the MiTM to alter the data before it reaches the client! – William Studart Jun 28 '16 at 04:40
  • That's a classical MITM where the attacker receives and forwards the traffic. And since the traffic is not protected the attacker can modify it before forwarding. Just have a look at tools like sslstrip which make use of this. – Steffen Ullrich Jun 28 '16 at 04:58

1 Answer

In theory, yes. You'd need to disable IP forwarding so the data doesn't pass through the attacking machine. You'd need to forward the client's download request and then intercept the download as it bounces off the attacker.

Once you have this file, modify it as you wish and send it to the victim while spoofing yourself as the server.

NOTE: This process will not work if the connection is secure. In that case, you'd need to find a way around the encryption such as a DROWN attack or SSLStrip. Please also note that these attacks are circumstantial, and are not guaranteed to work (just like any other attack).

The Defalt
  • I'm writing code using Scapy, and as far as I know, to disable IP forwarding I should only use the command: `echo 0 > /proc/sys/net/ipv4/ip_forward`? – William Studart Jun 28 '16 at 17:52
  • That works. You could also open it as a file object and manually write the string to it. Either way works just fine. – The Defalt Jun 28 '16 at 22:10
  • As I'm a novice in the art of networking, I have a doubt, such as, since the client will be the one to request the download, won't the request timeout? – William Studart Jul 05 '16 at 18:18
  • Normally yes. That's the tricky part. You need to be able to decide which packets to forward and which to store and drop. – The Defalt Jul 06 '16 at 06:33
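
From the defender's side, the ARP poisoning this thread relies on is visible on the wire: an IP address suddenly answers from a different MAC, and one MAC starts answering for several hosts. The detector below is an added example, not part of the original posts; the addresses and tcpdump-style sample lines are constructed, and treating the first reply seen for an IP as the trusted baseline is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: ARP replies in tcpdump-style text for a three-host
# network like the one in the question. All addresses are made up.
SAMPLE = """\
10:00:01 ARP, Reply 192.168.0.10 is-at 02:00:00:00:00:0a, length 28
10:00:02 ARP, Reply 192.168.0.20 is-at 02:00:00:00:00:14, length 28
10:00:03 ARP, Reply 192.168.0.30 is-at 02:00:00:00:00:1e, length 28
10:00:09 ARP, Reply 192.168.0.10 is-at 02:00:00:00:00:1e, length 28
10:00:09 ARP, Reply 192.168.0.20 is-at 02:00:00:00:00:1e, length 28
10:00:11 ARP, Reply 192.168.0.10 is-at 02:00:00:00:00:1e, length 28
"""

REPLY = re.compile(r"ARP, Reply (\S+) is-at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def detect_arp_poisoning(text):
    """Return alerts for IP-to-MAC rebinding and for one MAC claiming several IPs."""
    first_seen = {}             # ip -> MAC of the first reply (assumed legitimate)
    claims = defaultdict(set)   # mac -> set of IPs it has answered for
    alerts = []
    for line in text.splitlines():
        m = REPLY.search(line)
        if not m:
            continue            # ignore anything that is not an ARP reply
        ip, mac = m.group(1), m.group(2).lower()
        baseline = first_seen.setdefault(ip, mac)
        alert = ("rebind", ip, baseline, mac)
        if mac != baseline and alert not in alerts:
            alerts.append(alert)    # report each changed binding once
        claims[mac].add(ip)
    for mac, ips in sorted(claims.items()):
        if len(ips) > 1:            # one NIC answering for several hosts
            alerts.append(("shared_mac", mac, tuple(sorted(ips))))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE):
        print(alert)
```

On a real network, hosts with several addresses on one interface will also trigger the shared-MAC alert, so that signal needs an allowlist; the rebind alert on a server or gateway address is the stronger indicator.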