
Let's imagine a data link layer level MITM attack. Is it possible to fulfill all of the following points?

  • you completely hide your identity by forging your own MAC address
  • you create malformed packets, so the router doesn't even know you exist
  • you intercept every packet from the victim, and repeat it to the default gateway (and vice versa), replacing crucial information such as the SSL/TLS public key

Is there a way to accomplish this? How can I detect this kind of activity? I'm afraid the attacker can do basically anything without leaving any fingerprints, if it goes deep enough in the OSI model.

  • Forging your own MAC is trivial. It happens all the time. – schroeder Jul 20 '20 at 20:58
  • If you broadcast traffic, malformed or not, the router knows you are there... – schroeder Jul 20 '20 at 20:59
  • This is all trivially possible. You connect the victim directly to your machine and not the rest of the network. Do you mean wifi mitm? – schroeder Jul 20 '20 at 21:00
  • Yes, I mean a wifi connection. If the attacker doesn't answer any ARP request, the router has no clue it's there. Am I right? –  Jul 20 '20 at 21:03
  • "replacing crucial informations such as SSL/TLS public key" which will break the connection. You can't just replace it; that's what the protocol is designed to protect against. – gowenfawr Jul 20 '20 at 21:22
  • Replacing means sending a crafted packet with the same data, except the public key. –  Jul 20 '20 at 21:37
  • The public key is sent as part of a certificate, which is signed. You probably cannot forge a new signature, which would be required to change the key. – John Wu Jul 20 '20 at 21:57
  • Let's assume you use your public key in place of the server's, and you somehow manage to get a certificate authority to sign the new certificate containing the new public key. The client may still notice the new certificate and/or the new public key - especially if the client is using some form of public key pinning. – mti2935 Jul 20 '20 at 23:25

1 Answer


Shenanigans at layer 2 are fairly trivial. Many devices (especially mobile devices) are automatically spoofing their MAC addresses; it is simple to do so on most desktop platforms. By default, if you are sending any traffic on the network, the router may know you are there. By definition, if you are connecting to a wireless network that requires authentication, the access point will definitely know you are there. Whether it knows who or what you are is a different story. The only way to be truly undetectable from a network perspective would be to sniff wireless traffic passively.

> replacing crucial information such as SSL/TLS public key

There are several classic attacks that can be launched from a MitM standpoint; notably, SSLStrip. However, for any service that is already connected to using TLS, you're going to have a hard time. You cannot simply replace certificate information from the server without triggering a security warning on the client, unless it is a poorly written application (e.g. modern browsers are out). That is the nature of TLS; it authenticates the server and prevents an active MitM attacker from being able to do much besides DoS.

There are technologies to detect and prevent ARP spoofing attacks, and these functions are largely implemented in enterprise networking hardware (e.g. Cisco whitepaper). The general concept is that the device uses prior knowledge (previous addresses, DHCP snooping) and looks for suspicious changes in the proposed MAC address mappings or gratuitous ARP packets being sent. If this activity is detected, the packets are ignored and no changes are made to the ARP table. There are also endpoint tools that may be able to work similarly.

If you can't afford to risk ARP spoofing attacks, there's always the option of disabling ARP altogether and using static ARP entries. But in general, properly configured TLS will thwart most risks. Of course, any non-encrypted traffic is fair game to be viewed and modified by an attacker.

multithr3at3d
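The detection approach the answer describes (seed an IP-to-MAC table with prior knowledge such as DHCP-snooping bindings or static entries, then refuse and alert on conflicting mappings, gratuitous ARP and unsolicited replies) as an added, runnable example. It is not code from the answer, the question, or any vendor product; it assumes a constructed capture with made-up addresses (192.168.1.x, aa:bb:cc:... for the legitimate hosts, de:ad:be:ef:... for the conflicting claimant) and decodes raw Ethernet/IPv4 ARP payloads with Python's standard `struct` module, so it runs offline.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpFrame:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(payload: bytes) -> ArpFrame:
    """Decode the 28-byte Ethernet/IPv4 ARP payload (RFC 826 field order)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP frame")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return ArpFrame(opcode, _mac_str(sha), _ip_str(spa), _mac_str(tha), _ip_str(tpa))


def build_arp(opcode: int, smac: str, sip: str, tmac: str, tip: str) -> bytes:
    """Encode an ARP payload; used here only to construct the sample capture."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + mac(smac) + ip(sip) + mac(tmac) + ip(tip)


@dataclass(frozen=True)
class Alert:
    kind: str          # gratuitous_arp | unsolicited_reply | mapping_change
    ip: str
    known_mac: str
    claimed_mac: str


class ArpMonitor:
    """IP->MAC table seeded with prior knowledge; conflicting updates are alerted on and dropped."""

    def __init__(self, trusted: Dict[str, str]):
        self.table: Dict[str, str] = dict(trusted)
        self.pending: Set[str] = set()  # IPs a request was seen for and no reply has arrived yet
        self.alerts: List[Alert] = []

    def observe(self, frame: ArpFrame) -> Optional[Alert]:
        if frame.opcode == ARP_REQUEST:
            self.pending.add(frame.target_ip)
        known = self.table.get(frame.sender_ip)
        if known is not None and known != frame.sender_mac:
            # Conflict with an existing binding: classify it, alert, and leave the table untouched.
            if frame.sender_ip == frame.target_ip:
                kind = "gratuitous_arp"
            elif frame.opcode == ARP_REPLY and frame.sender_ip not in self.pending:
                kind = "unsolicited_reply"
            else:
                kind = "mapping_change"
            alert = Alert(kind, frame.sender_ip, known, frame.sender_mac)
            self.alerts.append(alert)
            return alert
        if known is None:
            self.table[frame.sender_ip] = frame.sender_mac  # first sighting of this IP: learn it
        if frame.opcode == ARP_REPLY:
            self.pending.discard(frame.sender_ip)
        return None


# Constructed addresses (assumptions, not from the page).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "aa:bb:cc:00:00:10"
OTHER_MAC = "de:ad:be:ef:00:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# Constructed sample capture: a normal request/reply pair, then two frames claiming the gateway IP.
SAMPLE_CAPTURE = [
    build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, ZERO_MAC, GATEWAY_IP),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp(ARP_REPLY, OTHER_MAC, GATEWAY_IP, BROADCAST, GATEWAY_IP),   # gratuitous ARP for the gateway IP
    build_arp(ARP_REPLY, OTHER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # reply nobody asked for
]


def run_demo() -> Tuple[List[Alert], Dict[str, str]]:
    # The seeded entry stands in for a DHCP-snooping binding or a static ARP entry.
    mon = ArpMonitor({GATEWAY_IP: GATEWAY_MAC})
    for raw in SAMPLE_CAPTURE:
        mon.observe(parse_arp(raw))
    return mon.alerts, mon.table


if __name__ == "__main__":
    alerts, table = run_demo()
    for a in alerts:
        print(f"{a.kind}: {a.ip} is bound to {a.known_mac}, frame claims {a.claimed_mac}")
    print("table after capture:", table)
```

The two conflicting frames are flagged and the gateway binding stays on its original MAC, which is the behaviour the answer attributes to switch-side inspection; a host-side tool feeding this monitor from a packet capture would make the same decision. Without the seeded entry the first claim for an unknown IP is simply learned, which is why the prior knowledge (DHCP snooping or static entries) matters.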