3

I just started to learn about MITM attacks, and I can't figure out a few things. I have a few questions and appreciate all the answers.

  1. If the attacker is already in my LAN, why does he need to try to ARP spoof or DHCP spoof? Can he just sniff all the traffic on the network, or is that true only if there's a hub involved? If it isn't, is it only in order to deal with the encryption?

  2. Why is the ARP table able to change so quickly without any confirmation? Is there some kind of protection we can use?

  3. I'm not expecting a full technical explanation of this, but how does the attacker even get into the network and get to be part of the subnetwork? Does that mean that he needs to hack into the router and make himself part of the LAN? And does it mean that he is part of 2 LANs, one his and one the victim's?

Sorry in advance if some of the questions are vague or weird, just trying to understand.

Mc As

4 Answers

3

Passive sniffing is not a MiTM attack. Depending on the network setup, sniffing may be able to view all communication, but it can't change any of it. A MiTM is when an attacker controls one of the nodes directly in the connection path between the client and the server. As shown in this diagram from Wikimedia, you think that you are talking to the server, either directly or through a series of trusted nodes, but you are really talking through an evil intermediary.

[Diagram: man-in-the-middle attack, from Wikimedia]

There are many ways to get a computer to use the incorrect route through the attacker's machine. Spoofing various network settings (eg: ARP spoofing or evil twin attack) is one common strategy. Another might be to infiltrate a network provider's machine.

How the attacker achieves the MiTM status is highly situational. It's not like you can go to MiTM.com to attack any computer in the world. You need a foothold that you obtain by leveraging a vulnerability or other security weakness (eg: evil twin relies on insecure access points).

As to why ARP caches are subject to poisoning, it's a combination of the need to be dynamic and performant in a large network and weak security design. That said, ARP poisoning isn't trivial to execute. OSes come with defenses, but sometimes they can be bypassed.

Neil Smithline
    Agreed, the distinction between passive sniffing and active MitM is crucial here. The other answers don't really mention this. – multithr3at3d Apr 14 '18 at 18:40
1

If the attacker is already in my LAN, why does he need to try to ARP spoof or DHCP spoof? Can he just sniff all the traffic on the network, or is that true only if there's a hub involved? If it isn't, is it only in order to deal with the encryption?

The attacker will be able to sniff WiFi traffic by using monitor mode, no ARP poisoning or hubs required. Depending on the network architecture, intercepting traffic on the wire can be more challenging. If a hub is used, the attacker can put their network adapter into promiscuous mode and sniff traffic (Wireshark has a feature to do this). If a switch is used, traffic can be sniffed with other techniques such as ARP spoofing or MAC flooding, which causes a switch to behave like a hub.

Why is the ARP table able to change so quickly without any confirmation? Is there some kind of protection we can use?

There are techniques to mitigate ARP spoofing such as:

I'm not expecting a full technical explanation of this, but how does the attacker even get into the network and get to be part of the subnetwork? Does that mean that he needs to hack into the router and make himself part of the LAN? And does it mean that he is part of 2 LANs, one his and one the victim's?

Some ideas to get onto the same network as you:

Joe
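As an added example (not part of Joe's answer or any project's code), a small host-side monitor in the spirit of arpwatch: it records which MAC each IP has answered from in ARP replies and alerts when the gateway's binding flips or when one MAC starts answering for several IPs, which is what a poisoning attempt looks like from the defender's side. The ARP replies below are constructed sample data; the gateway address is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ArpReply:
    ts: float          # capture time (seconds)
    sender_ip: str     # ARP "sender protocol address"
    sender_mac: str    # ARP "sender hardware address"


class ArpWatch:
    """Remember which MAC each IP answers from and flag when a binding changes."""

    def __init__(self, gateway_ip: str, trusted: Optional[Dict[str, str]] = None):
        self.gateway_ip = gateway_ip
        self.bindings: Dict[str, str] = dict(trusted or {})  # ip -> mac
        self.ips_by_mac: Dict[str, Set[str]] = defaultdict(set)
        for ip, mac in self.bindings.items():
            self.ips_by_mac[mac].add(ip)

    def observe(self, r: ArpReply) -> List[str]:
        alerts: List[str] = []
        known = self.bindings.get(r.sender_ip)
        if known is not None and known != r.sender_mac:
            # A binding flip is the signature of poisoning; the gateway is the usual target.
            sev = "CRITICAL" if r.sender_ip == self.gateway_ip else "WARNING"
            alerts.append(f"{sev}: {r.sender_ip} moved from {known} to {r.sender_mac} at t={r.ts}")
        self.bindings[r.sender_ip] = r.sender_mac
        claimed = self.ips_by_mac[r.sender_mac]
        if claimed and r.sender_ip not in claimed:
            # One MAC answering for several IPs is how a spoofer sits between victim and gateway.
            alerts.append(f"WARNING: {r.sender_mac} now claims {sorted(claimed | {r.sender_ip})}")
        claimed.add(r.sender_ip)
        return alerts


# Constructed sample: a legitimate gateway and host, then one MAC claiming both addresses.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(1.0, "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    ArpReply(2.0, "192.168.1.1", "de:ad:be:ef:00:99"),
    ArpReply(2.1, "192.168.1.20", "de:ad:be:ef:00:99"),
]


def run_demo() -> List[str]:
    """Feed the sample replies through the monitor and return every alert raised."""
    watch = ArpWatch(gateway_ip="192.168.1.1")  # assumed gateway address
    return [alert for reply in SAMPLE_REPLIES for alert in watch.observe(reply)]
```

On a real host the same check can be fed from the OS ARP table or a packet capture; static gateway entries passed as `trusted` make the first flip visible immediately rather than after the first legitimate reply.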
0

If the attacker is already in my LAN, why does he need to try to ARP spoof or DHCP spoof? Can he just sniff all the traffic on the network, or is that true only if there's a hub involved? If it isn't, is it only in order to deal with the encryption?

The attacker can only see traffic that goes to the network node he has compromised, because a switch limits traffic to just that node. If he wants to sniff the data between other systems, he will have to attack the switch, or compromise another system on the network that sits on the LAN segment where the target systems are.

I'm not expecting a full technical explanation of this, but how does the attacker even get into the network and get to be part of the subnetwork? Does that mean that he needs to hack into the router and make himself part of the LAN? And does it mean that he is part of 2 LANs, one his and one the victim's?

Typically the attacker gets into the victim's network by exploiting a vulnerability on one machine (tricking an HR person to open a malicious document labeled ‘my-resume.pdf’ is pretty common) and then uses that compromised computer as a foothold for further exploration and attacks. From there, the attacker ‘pivots’ to other systems in the network until he reaches his destination.

John Deters
0

An attacker could sniff traffic on a wired network only if the network is connected with a hub -- most networks use switches though, so you need to trick the network infrastructure into passing traffic through you. Hence ARP spoofing.

jth