In my last post “MITIM Using dsniff on Ubuntu” I explained the steps to perform an MITM attack. There are several other posts on the web that explain the steps of an MITM attack just as easily.
One thing is very clear: don’t trust HTTP websites, trust HTTPS only. That is basic. Sure, but still, is there an easy way to see if someone is sitting between me and the router?
Yes! There is a pretty simple way to find out whether anyone is sitting between me and the router.
Let's see.
Attacker IP: 192.168.0.6
Attacker MAC: 68:17:29:8:cf:28
Router IP: 192.168.0.1
Router MAC: 58:19:f8:f0:51:10
Victim IP: 192.168.0.119
Let's first check the ARP table with the command “arp -a”; this lists the current ARP table on my machine. The ARP table maintains the mapping between the IP and MAC addresses of the systems on the network that I am interacting with.
As of now I am good and have not been ARP poisoned yet, so my ARP table looks like this:
abhattacharya$ arp -a
? (192.168.0.1) at 58:19:f8:f0:51:10 on en0 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]
? (239.255.255.250) at 1:0:5e:7f:ff:fa on en0 ifscope permanent [ethernet]
If you look carefully, each MAC address is unique, just like the IP addresses, which is how it should be. I can also see that the MAC address of the router is 58:19:f8:f0:51:10.
Now let's monitor outbound traffic from my machine and trace its hops through the network. Ideally, after leaving my machine the request should go to the router and from there out to the Internet.
abhattacharya$ traceroute http://azsamhita.org
traceroute to http://azsamhita.org (92.242.140.2), 64 hops max, 52 byte packets
1 * * *
2 192.168.0.1 (192.168.0.1) 8.070 ms 6.657 ms 7.372 ms
3 10.115.120.1 (10.115.120.1) 20.360 ms 22.889 ms 16.860 ms
4 100.127.73.52 (100.127.73.52) 18.381 ms 17.571 ms 16.931 ms
5 100.120.100.0 (100.120.100.0) 17.157 ms 20.688 ms 21.180 ms
6 langbprj02-ae1.0.rd.la.cox.net (68.1.1.14) 34.918 ms 33.238 ms 40.484 ms
7 ae-6.r01.lsanca20.us.bb.gin.ntt.net (168.143.229.57) 28.602 ms 29.408 ms 28.439 ms
8 ae-8.r23.lsanca07.us.bb.gin.ntt.net (129.250.6.48) 37.997 ms 29.958 ms 32.070 ms
9 ae-1.r22.lsanca07.us.bb.gin.ntt.net (129.250.2.206) 30.941 ms 29.415 ms 32.131 ms
10 * * *
11 ae-6.r21.miamfl02.us.bb.gin.ntt.net (129.250.2.218) 99.744 ms 94.969 ms 91.600 ms
12 ae-11.r04.miamfl02.us.bb.gin.ntt.net (129.250.4.21) 92.997 ms 92.566 ms 96.596 ms
13 ae-7.a00.miamfl02.us.bb.gin.ntt.net (129.250.2.203) 94.916 ms 99.597 ms 95.064 ms
14 xe-0-0-47-2.a00.miamfl02.bboi.net (157.238.179.114) 91.816 ms 90.593 ms 85.948 ms
15 66.216.1.27 (66.216.1.27) 87.939 ms 91.004 ms 87.540 ms
16 * * *
17 * * *
Please note that the first system that responded is 192.168.0.1, which is the IP of the router on my network. So all good.
Now from my other laptop (the attacker laptop) I started ARP spoofing this laptop. Once the ARP spoof commands are running in both directions, let's check the ARP table of the victim's laptop again.
abhattacharya$ arp -a
? (192.168.0.1) at 68:17:29:8:cf:28 on en0 ifscope [ethernet]
? (192.168.0.6) at 68:17:29:8:cf:28 on en0 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]
? (239.255.255.250) at 1:0:5e:7f:ff:fa on en0 ifscope permanent [ethernet]
Notice that the MAC address of the router now shows up differently, as 68:17:29:8:cf:28. It also appears twice: once for the router's real IP, 192.168.0.1, and once for some other system on the network with the IP 192.168.0.6.
This means someone on the network with IP 192.168.0.6 has fooled my machine into believing that the MAC address of the router is 68:17:29:8:cf:28.
This is scary. Let's monitor and trace the network traffic hops again:
abhattacharya$ traceroute http://azsamhita.org
traceroute to http://azsamhita.org (92.242.140.2), 64 hops max, 52 byte packets
1 * * 192.168.0.6 (192.168.0.6) 10.161 ms
2 192.168.0.1 (192.168.0.1) 7.314 ms 8.627 ms 7.937 ms
3 10.115.120.1 (10.115.120.1) 17.888 ms 19.331 ms 25.489 ms
4 100.127.73.52 (100.127.73.52) 18.010 ms 19.203 ms 18.032 ms
5 100.120.100.0 (100.120.100.0) 22.453 ms 16.566 ms 29.033 ms
6 langbprj02-ae1.0.rd.la.cox.net (68.1.1.14) 67.394 ms 29.237 ms 32.659 ms
7 ae-6.r01.lsanca20.us.bb.gin.ntt.net (168.143.229.57) 29.164 ms 49.411 ms 32.978 ms
8 ae-8.r23.lsanca07.us.bb.gin.ntt.net (129.250.6.48) 42.342 ms 33.159 ms 30.864 ms
9 ae-1.r22.lsanca07.us.bb.gin.ntt.net (129.250.2.206) 31.599 ms 32.659 ms 32.082 ms
10 * * *
11 ae-6.r21.miamfl02.us.bb.gin.ntt.net (129.250.2.218) 102.027 ms 91.272 ms 90.975 ms
12 ae-11.r04.miamfl02.us.bb.gin.ntt.net (129.250.4.21) 100.105 ms 94.320 ms
ae-9.r05.miamfl02.us.bb.gin.ntt.net (129.250.4.89) 91.589 ms
13 ae-7.a00.miamfl02.us.bb.gin.ntt.net (129.250.2.203) 96.808 ms
ae-8.a00.miamfl02.us.bb.gin.ntt.net (129.250.3.41) 104.897 ms
ae-7.a00.miamfl02.us.bb.gin.ntt.net (129.250.2.203) 102.391 ms
14 xe-0-0-47-2.a00.miamfl02.bboi.net (157.238.179.114) 88.258 ms 86.353 ms 86.897 ms
15 66.216.1.27 (66.216.1.27) 95.002 ms 90.038 ms 89.004 ms
16 * *^C
Wow, this now shows clearly that after leaving my machine the traffic first went to the machine 192.168.0.6, which forwarded it to the router 192.168.0.1, and from there it went out to the Internet.
This shows I am possibly under an MITM attack by someone at IP 192.168.0.6.
The first thing I will do is disconnect from this network and reconnect so that I can possibly get a different IP.
The above monitoring can be done with a script too. I wrote a sample script.
Check my Jupyter Notebook file in my GitHub repo here: https://github.com/anisoftcorporation/jupyter/blob/master/mitimDetect.ipynb
You can see the output: the script runs in a loop. Initially, when I was not under attack, it printed the ARP table and, as there was no duplicate MAC address, it printed False.
But once I was under attack it printed the duplicate MAC address and also printed True.
You are welcome to fork it and enhance it.
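For readers who want the same checks outside a notebook, here is an added example (my own code, not the notebook linked above) that turns the two manual checks from this post into functions: it parses “arp -a” output for a MAC that is claimed by more than one IP, compares the router's entry against a baseline MAC recorded while the network was clean, and parses traceroute output to confirm that the first responding hop is the router. The sample outputs are copied from the post above; the baseline values GATEWAY_IP and GATEWAY_MAC are the router values from the post, and the function names are my own.

```python
import re
import subprocess
from collections import defaultdict

# Matches one "arp -a" entry on macOS/BSD or Linux, e.g.
#   ? (192.168.0.1) at 58:19:f8:f0:51:10 on en0 ifscope [ethernet]
# "(incomplete)" entries carry no MAC and therefore never match.
ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})",
    re.IGNORECASE,
)
# Matches the responder's address on a traceroute hop line, e.g. "192.168.0.1 (192.168.0.1)".
HOP_ADDR = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\)")

# Sample outputs copied from the post (clean state first, then under ARP spoofing).
ARP_CLEAN = """\
? (192.168.0.1) at 58:19:f8:f0:51:10 on en0 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]
? (239.255.255.250) at 1:0:5e:7f:ff:fa on en0 ifscope permanent [ethernet]
"""
ARP_SPOOFED = """\
? (192.168.0.1) at 68:17:29:8:cf:28 on en0 ifscope [ethernet]
? (192.168.0.6) at 68:17:29:8:cf:28 on en0 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]
? (239.255.255.250) at 1:0:5e:7f:ff:fa on en0 ifscope permanent [ethernet]
"""
TRACE_CLEAN = """\
traceroute to http://azsamhita.org (92.242.140.2), 64 hops max, 52 byte packets
 1  * * *
 2  192.168.0.1 (192.168.0.1)  8.070 ms  6.657 ms  7.372 ms
"""
TRACE_SPOOFED = """\
traceroute to http://azsamhita.org (92.242.140.2), 64 hops max, 52 byte packets
 1  * * 192.168.0.6 (192.168.0.6)  10.161 ms
 2  192.168.0.1 (192.168.0.1)  7.314 ms  8.627 ms  7.937 ms
"""

# Baseline recorded while the network was known to be clean (router values from the post).
GATEWAY_IP = "192.168.0.1"
GATEWAY_MAC = "58:19:f8:f0:51:10"


def parse_arp(output):
    """Return (ip, mac, permanent) tuples from 'arp -a' text; MACs are lower-cased."""
    entries = []
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m.group("ip"), m.group("mac").lower(), "permanent" in line))
    return entries


def duplicate_macs(output):
    """Return {mac: [ips]} for every MAC claimed by more than one IP.
    Permanent entries (the multicast addresses in the post) are ignored."""
    by_mac = defaultdict(list)
    for ip, mac, permanent in parse_arp(output):
        if not permanent:
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac_changed(output, gateway_ip=GATEWAY_IP, expected_mac=GATEWAY_MAC):
    """True if the gateway's ARP entry no longer matches the recorded baseline MAC."""
    for ip, mac, _ in parse_arp(output):
        if ip == gateway_ip:
            return mac != expected_mac.lower()
    return False  # no entry cached yet, nothing to compare


def first_responding_hop(output):
    """IP of the first traceroute hop that answered, or None if none did."""
    for line in output.splitlines():
        if re.match(r"\s*\d+\s", line):  # hop lines start with the hop number
            m = HOP_ADDR.search(line)
            if m:
                return m.group("ip")
    return None


def assess(arp_output, trace_output, gateway_ip=GATEWAY_IP, expected_mac=GATEWAY_MAC):
    """Combine the three checks; 'suspicious' is True if any of them fires."""
    dups = duplicate_macs(arp_output)
    changed = gateway_mac_changed(arp_output, gateway_ip, expected_mac)
    hop = first_responding_hop(trace_output)
    hop_ok = hop is None or hop == gateway_ip
    return {
        "duplicate_macs": dups,
        "gateway_mac_changed": changed,
        "first_hop": hop,
        "suspicious": bool(dups) or changed or not hop_ok,
    }


def live_arp_output():
    """Run the local 'arp -a' (macOS/Linux) and return its text, for a polling loop."""
    return subprocess.run(["arp", "-a"], capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    for label, arp, trace in (("clean", ARP_CLEAN, TRACE_CLEAN), ("spoofed", ARP_SPOOFED, TRACE_SPOOFED)):
        print(label, assess(arp, trace))
```

The baseline comparison is the check worth keeping in a loop: a duplicate-MAC test alone misses a spoofer that only poisons the router's entry, while a changed gateway MAC is visible the moment the cache is overwritten. Record GATEWAY_MAC from the router itself (its admin page or label) rather than from a cache you have not yet verified.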
Instead of just printing True, the script can be modified to alert and do more, like the following:
- Disconnect from the network and reconnect in an attempt to get a new IP address
- Send a de-auth to the attacker IP to disconnect it from the network.