Professor Park 4/6/15
Homework #2
[Question 1] MITM ARP Poisoning
1. If node1 is a "man in the middle" then node4 is an "odd man out." In particular, node4 was unaccounted for in section 2 "Recording actual address mappings." Later you ARP poisoned node2 and node0 from node1; how about ARP poisoning node4 from node1? You accomplish poisoning by sending a crafted ARP message to a node. Comment on the ways and means of poisoning node4 from node1.
o The key to this question is that ARP is a layer 2 protocol. Since it is a layer 2 protocol, it can route to anything within the same network. In this case, only the hosts are in the same network, so we can only ARP poison the hosts. Node4 is subnetted, …
o The content is static and therefore does not change depending on who requests it or when, which makes a replay attack effective, since the content is not expected to change.
3. Insertion Tasks
• Given the power of etterfilter and the kinds of traffic on this network, you can actually make significant changes to a machine or machines that you're not even logged in to. How?
o Etterfilter compiles source filter files into binary filter files for ettercap to use. Ettercap can then do an ARP spoof on two targets. Now that a MITM attack is being performed, network traffic can be altered, which will then make changes to the victim machines without being logged in to them.
• Of the cleartext protocols in use, can you perform any other dirty tricks using insertion attacks? The more nasty and clever they are, the better.
o One dirty type of insertion attack is tricking a client into believing that the server it’s connecting to has a valid signed certificate. Using a vulnerable protocol such as telnet, a malicious user can insert the illegitimate certificate and possibly redirect the client to an illegitimate website.
4. MITM Tasks
• What configuration elements did you have to …
Use the DETER Visualization tab to show the network and use arp and ifconfig commands to detect MAC and IP addresses for each machine.
• State the source MAC and IP addresses as well as destination MAC and IP addresses for a packet going from the client to the cache
a. Source – client
i. IP Address: 10.1.1.2
ii. MAC Address: 00:04:23:AE:CE:B2
b. Destination – cache
i. IP Address: 10.1.1.3
ii. MAC Address: 00:04:23:AE:CE:CB
• Does the packet travel through the attacker box?
a. No
• State the source MAC and IP addresses as well as destination MAC and IP addresses for a packet going from the cache to the authoritative server
a. Source – cache
i. IP Address: 10.1.2.2
ii. MAC Address: 00:04:23:AE:CE:CA
b. Destination – cache
i. IP Address: 10.1.2.3
ii. MAC Address: 00:04:23:AE:CE:68
• Does the packet travel through the attacker box?
a. No
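The client-side mappings recorded above also serve as a baseline for spotting ARP poisoning later. The following is an added example, not part of the original homework: it parses Linux `arp -n` output and flags any baseline IP whose MAC has changed, plus any MAC claimed by more than one IP. The sample table, the addresses 10.1.1.4 and 10.1.1.5, and the MAC 00:04:23:AE:CE:99 are constructed for illustration.

```python
import re
from collections import defaultdict

# Baseline from the answers above (client and cache on the 10.1.1.x link).
BASELINE = {
    "10.1.1.2": "00:04:23:ae:ce:b2",  # client
    "10.1.1.3": "00:04:23:ae:ce:cb",  # cache
}

# Constructed sample of `arp -n` output as the client might see it while
# poisoned; every row, including the ...:99 MAC, is made up for this example.
SAMPLE_ARP_N = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.1.1.3                 ether   00:04:23:AE:CE:99   C                     eth1
10.1.1.4                 ether   00:04:23:AE:CE:99   C                     eth1
10.1.1.5                         (incomplete)                              eth1
"""

# IPv4 address, hardware type, then a colon-separated 48-bit MAC.
ROW = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\b"
)

def parse_arp_table(text):
    """Return {ip: mac} for complete entries; header and incomplete rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def find_anomalies(table, baseline):
    """Return (changed, shared): baseline IPs with a new MAC, MACs used by >1 IP."""
    changed = {ip: (baseline[ip], mac) for ip, mac in table.items()
               if ip in baseline and mac != baseline[ip]}
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    shared = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return changed, shared

if __name__ == "__main__":
    changed, shared = find_anomalies(parse_arp_table(SAMPLE_ARP_N), BASELINE)
    for ip, (old, new) in changed.items():
        print(f"ALERT {ip}: baseline {old}, now {new}")
    for mac, ips in shared.items():
        print(f"ALERT {mac} answers for {', '.join(ips)}")
```

A MAC shared by two IPs is not always malicious (proxy ARP and some failover setups do it), so the second check is a prompt for review rather than proof of poisoning.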
3. Part 3: Using Ettercap
Log in to the attacker machine. Using ettercap, your objective is to get the DNS query for www.google.com to pass through the attacker. Once you've accomplished this and confirmed that the desired traffic is now passing through the attacker, record the following:
1. The command you