
I fail to understand how a MITM attack sniffs packets and modifies them. In the case of ARP spoofing, although the attacker has spoofed the MAC address of a host, how does he modify it, as the IP layer would just discard the packet since the IPs of the host and the attacker do not match?

faraz khan

1 Answer


A MitM attack may have more than one purpose: it may just be an information gathering project, or it may be an impersonation project.

For information gathering purposes just listening to traffic is good enough, and like Steffen mentioned in the comments, setting up a NIC in this mode would achieve the desired result. How to enable promiscuous mode depends on your operating system: in Windows it can be done with the netsh command, and in Linux it involves the /etc/rc.local file (it's better to search the internet for your specific case).

For impersonation projects the level of sophistication increases, often it involves somehow altering the CAM table in a switch (ARP spoofing). I will not talk about the specific implementation of an attack like this, but consider this scenario:

  • Marc wants to send an email to Jane. Tom is the attacker.
  • Marc tries to connect to the mail server, instead he sends his credentials to Tom.
  • Tom uses those credentials to authenticate with the mail server, impersonating Marc.
  • Tom also sends valid replies to every request from Marc.

If you want to learn how to mitigate such an attack, and need to practice or put some tool or mechanism to the test, I recommend trying arpspoof; it's of course not the only tool available, but an easy enough one to use.

Purefan