MITM Attacks


Shailvi Shah

on 6 December 2013


Transcript of MITM Attacks

MITM Attacks
Team 8
Brian, Harsha, Shailvi, Sven


Project Scenario
Common MITM Attacks
Tools Used
ARP Poisoning
Replay Attack
Insertion Attack
SSL attacks
Comparison of Defense Mechanisms

Project Scenario

Common MITM Attacks
Eavesdropping: intentionally listening in on a private conversation
ARP Poisoning/Spoofing: associate the attacker's MAC address with the victim's IP address in other hosts' ARP caches
Replay Attack: resend a captured payload/packet so that it is processed a second time with the same result
Insertion Attack: change existing data or insert new data in a network conversation
SSL Attack: downgrade or intercept SSL/TLS so that data the victim believes is encrypted can be read

Image by goodtextures: http://fav.me/d2he3r8
Tools Used

Packet sniffer
Inspect and analyze tcpdump captures
ARP poisoning
Packet filtering
Text based browsers

Attack - Eavesdropping
Capture packets being transferred between Alice and Bob
Set up ARP spoofing using ettercap
Information found:
What kind of data is being transmitted?
Nature of the communication
Authentication information

Attack - Eavesdropping (Cont.)
ARP Poisoning
ARP Poisoning Defense Schemes
ARPWatch (detection)
ARPWatch monitors ARP request and reply messages on the Ethernet segment and checks each one against a database of (IP addr, hardware addr) pairings; any new or changed pairing is reported.
Static ARP caches (prevention)
A static ARP cache holds permanent (IP addr, hardware addr) entries for trusted hosts, so the host neither sends ARP requests for them nor overwrites the entries from (possibly forged) ARP replies.

Defense - ArpWatch
Advantages - ARPWatch and Static ARP
Static entries are favorable when the network configuration does not change often; the list of static ARP entries can be deployed to hosts via an automated script.
They ensure that hosts rely on their local ARP caches rather than on ARP requests and replies that an attacker can forge.
In general, third-party tools that monitor ARP traffic are feasible on individual hosts: ARPWatch needs only a host with a view of the segment's ARP traffic.

Replay Attack
- Other Defenses

Server sends a nonce to the client
Client includes a hash computed over the message and the nonce
Each nonce can be used only once, so a captured message cannot be accepted a second time
Limitation: a MITM can still intercept the token/nonce/timestamp, so the hash must be keyed (a MAC); otherwise the attacker can recompute it over a modified message

Insufficiencies - ARPWatch and Static ARP
ARPWatch copes poorly with dynamically assigned IP addresses: every DHCP reassignment looks like a changed pairing and raises an alert.
Static ARP caches do not support dynamically assigned IP addresses and cannot detect destination failures (a dead host's entry never expires).
Updating and maintaining static ARP tables on all machines is a significant overhead even in medium-sized networks.
In networks with frequent entries and exits, static ARP tables are very difficult to maintain.

DHCP Snooping and Dynamic ARP Inspection
DHCP Snooping
Ports are classified as trusted (towards the DHCP server or uplink) or untrusted (towards clients); DHCP server messages arriving on untrusted ports are dropped.
Maintains a DHCP binding table: IP, MAC, port, lease timer, binding type.
Dynamic ARP Inspection (DAI)
DAI with DHCP snooping gives strict control over which ARP packets are allowed into the network: each ARP packet on an untrusted port is checked against the binding table, so a forged (IP, MAC) pairing is dropped. This prevents ARP poisoning.
The switch forwards only ARP replies whose sender pairing matches a binding.
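The switch behaviour described above, modelled in Python as an added example (this is not the presentation's code and not a vendor implementation). The port names, addresses, lease length and the attacker on Gi0/3 are constructed: a DHCPACK snooped on a trusted port creates a binding for the client's port, and every ARP packet on an untrusted port is forwarded only if its sender (IP, MAC, port) matches a live binding.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    """One row of the DHCP snooping binding table (the fields the slides list)."""
    ip: str
    mac: str
    port: str
    lease_expires: float              # epoch seconds
    binding_type: str = "dhcp-snooping"


class Switch:
    """Access switch with DHCP snooping and DAI enabled on one VLAN (constructed model)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplink / DHCP-server ports
        self.bindings = {}                  # ip -> Binding
        self.log = []

    def dhcp_ack(self, server_port, client_port, ip, mac, lease_seconds, now):
        """Snoop a DHCPACK: the server's reply arrives on server_port; the client
        that sent the matching DHCPREQUEST sits on client_port."""
        if server_port not in self.trusted:
            # DHCP server traffic from an untrusted port is a rogue server: drop it
            self.log.append(f"DHCP snooping: dropped DHCPACK from untrusted {server_port}")
            return False
        self.bindings[ip] = Binding(ip, mac.lower(), client_port, now + lease_seconds)
        return True

    def inspect_arp(self, port, sender_ip, sender_mac, now):
        """DAI verdict for an ARP packet whose sender fields claim (sender_ip, sender_mac)."""
        if port in self.trusted:
            return "forward"                # trusted ports bypass inspection
        b = self.bindings.get(sender_ip)
        if b is None:
            reason = f"no binding for {sender_ip}"
        elif b.lease_expires <= now:
            reason = f"expired binding for {sender_ip}"
        elif b.mac != sender_mac.lower():
            reason = f"{sender_ip} is bound to {b.mac}, not {sender_mac}"
        elif b.port != port:
            reason = f"{sender_ip} is bound to {b.port}, seen on {port}"
        else:
            return "forward"
        self.log.append(f"DAI: dropped ARP on {port}: {reason}")
        return "drop: " + reason


def demo():
    """Constructed scenario: Alice on Gi0/1, Bob on Gi0/2, attacker on Gi0/3, uplink Gi0/24."""
    now = 1_386_288_000.0
    sw = Switch(trusted_ports={"Gi0/24"})
    sw.dhcp_ack("Gi0/24", "Gi0/1", "10.0.0.11", "aa:aa:aa:aa:aa:11", 3600, now)   # Alice
    sw.dhcp_ack("Gi0/24", "Gi0/2", "10.0.0.12", "aa:aa:aa:aa:aa:12", 3600, now)   # Bob
    rogue = sw.dhcp_ack("Gi0/3", "Gi0/1", "10.0.0.11", "ee:ee:ee:ee:ee:ee", 3600, now)
    return {
        "rogue_dhcp_learned": rogue,
        "alice_reply": sw.inspect_arp("Gi0/1", "10.0.0.11", "aa:aa:aa:aa:aa:11", now),
        # ettercap on Gi0/3 announces Alice's IP at the attacker's MAC
        "poisoned_reply": sw.inspect_arp("Gi0/3", "10.0.0.11", "ee:ee:ee:ee:ee:ee", now),
        # attacker copies Alice's real MAC but is still on the wrong port
        "wrong_port": sw.inspect_arp("Gi0/3", "10.0.0.11", "aa:aa:aa:aa:aa:11", now),
        "expired_lease": sw.inspect_arp("Gi0/1", "10.0.0.11", "aa:aa:aa:aa:aa:11", now + 7200),
        "unknown_host": sw.inspect_arp("Gi0/3", "10.0.0.99", "ee:ee:ee:ee:ee:ee", now),
        "uplink": sw.inspect_arp("Gi0/24", "10.0.0.1", "00:00:5e:00:01:01", now),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

The expiry check is what the static-cache approach lacks: when Alice's lease ends, her binding stops authorising ARP traffic until DHCP renews it, so the table tracks the network instead of an administrator's script.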

Replay Attack - Scenario
Replay Attack - Attack Scheme
Replay Attack - Defense - Session Token

Attack - Insertion Attack
# ettercap filter (etterfilter syntax): rewrite price fields in HTTP responses
# coming from the server (TCP source port 80) before they reach the victim
if (ip.proto == TCP && tcp.src == 80) {
    replace(" $", "$9");
    msg("Price field rewritten in server response\n");
}

Insertion Attack (Cont.)
Defenses against Insertion Attacks
Message Integrity
Message Authentication Code
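One combined defence for the replay scheme (server nonce, timestamp, single-use check) and for insertion (keyed hash over the payload), as an added Python example that is not the presentation's code. The shared key, the 30-second freshness window, the message text and the parties are constructed; the insertion case reuses the ettercap filter's " $" to "$9" rewrite so the MAC failure shows exactly what the filter would break.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret; in practice a per-session key from the handshake.
KEY = b"shared-secret-between-alice-and-bob"
MAX_AGE = 30          # seconds a timestamp is accepted for


def tag(nonce, ts, body):
    """HMAC-SHA256 over nonce || timestamp || body.
    An unkeyed hash would not help here: a MITM who intercepts the nonce can
    recompute a plain hash over a modified body. With a key he cannot."""
    msg = nonce + b"|" + str(ts).encode() + b"|" + body
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self):
        self.issued = set()           # nonces handed out and not yet consumed

    def challenge(self):
        n = secrets.token_hex(16).encode()
        self.issued.add(n)
        return n

    def verify(self, nonce, ts, body, mac, now):
        # 1. nonce must be one we issued and not yet used (stops replay)
        if nonce not in self.issued:
            return "reject: unknown or already used nonce"
        # 2. timestamp must be fresh (bounds how long a captured message stays live)
        if abs(now - ts) > MAX_AGE:
            return "reject: stale timestamp"
        # 3. keyed hash must match (stops insertion / modification)
        if not hmac.compare_digest(mac, tag(nonce, ts, body)):
            return "reject: bad MAC (payload, nonce or timestamp altered)"
        self.issued.discard(nonce)    # consume the nonce only after full validation
        return "accept"


class Client:
    @staticmethod
    def send(nonce, body, now):
        return (nonce, now, body, tag(nonce, now, body))


def demo():
    """Constructed exchange between Alice (client) and Bob (server) with a MITM."""
    srv, now = Server(), 1_386_288_000
    msg = Client.send(srv.challenge(), b"transfer $5 to bob", now)
    first = srv.verify(*msg, now=now + 1)
    replay = srv.verify(*msg, now=now + 2)            # MITM resends the same message

    nonce, ts, body, mac = Client.send(srv.challenge(), b"transfer $5 to bob", now)
    tampered = body.replace(b" $", b"$9")             # what the ettercap filter does
    inserted = srv.verify(nonce, ts, tampered, mac, now=now + 1)

    late = Client.send(srv.challenge(), b"hello", now)
    stale = srv.verify(*late, now=now + MAX_AGE + 1)  # held back and delivered later
    return {"first": first, "replay": replay, "inserted": inserted, "stale": stale}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:9} {result}")
```

The order of the checks matters: the nonce is removed from the issued set only after the MAC verifies, so an attacker cannot burn a legitimate client's nonce by submitting garbage under it.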

Defense against SSL attack schemes:
Use HTTPS with HSTS (HTTP Strict Transport Security), so the browser refuses plain-HTTP downgrades after its first visit
Enable SSL/TLS for IMAP on the server side
Publish information about the site's SSL certificate on the website home page, so users know what a legitimate certificate looks like

Defense Mechanism Recommendation
ARP poisoning/spoofing
Static ARP Inspection (SARPI)
Dynamic ARP Inspection (DARPI)
Hybrid ARP Inspection (HARPI)
(the three operating modes of the host-based ArpON tool)
Replay Attack
Timestamp + keyed hashing
Insertion Attack
Message Authentication Codes + Timestamp
SSL Attack
General user awareness (expect HTTPS, do not click through certificate warnings)

Thank You!

Happy Holidays!

ArpWatch - cont'd
Monitors ARP traffic
Detects layer 2 / layer 3 address pairing changes
Records to syslog
Emails the administrator
Changes detected:
New station: new pairing using a previously unseen layer 2 address
Changed ethernet address: the layer 2 address of a known host changed
Ethernet mismatch: the frame's source MAC differs from the sender hardware address inside the ARP packet
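An ARPWatch-style monitor, added here as an example for the ARPWatch defense scheme and the change types listed above (it is not arpwatch's own code). The capture records are constructed in a simple "epoch frame-src-mac sender-ip is-at sender-mac" form so the block runs offline; the fifth record has a frame source that does not match the ARP sender field, which is what arpwatch reports as an ethernet mismatch.

```python
from datetime import datetime, timezone


def parse_record(line):
    """Parse one constructed capture record:
    '<epoch> <frame-src-mac> <sender-ip> is-at <sender-mac>'."""
    ts, src_mac, ip, kw, sender_mac = line.split()
    if kw != "is-at":
        raise ValueError(f"not an ARP reply record: {line!r}")
    return float(ts), src_mac.lower(), ip, sender_mac.lower()


class ArpWatch:
    """Keeps the (IP addr, hardware addr) pairing database and reports changes."""

    def __init__(self):
        self.db = {}          # ip -> mac
        self.alerts = []      # syslog-style lines (arpwatch also mails these)

    def observe(self, line):
        ts, src_mac, ip, mac = parse_record(line)
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%b %d %H:%M:%S")
        kinds = []
        if src_mac != mac:
            # Ethernet header says one sender, ARP payload says another
            kinds.append("ethernet mismatch")
        old = self.db.get(ip)
        if old is None:
            kinds.append("new station")
        elif old != mac:
            # the pairing flipped: typical of an ARP poisoning run against this IP
            kinds.append("changed ethernet address")
        if old != mac:
            self.db[ip] = mac
        for kind in kinds:
            extra = f" (was {old})" if kind == "changed ethernet address" else ""
            self.alerts.append(f"{when} arpwatch: {kind} {ip} {mac}{extra}")
        return kinds


def demo():
    """Constructed capture: Alice and Bob appear, then ettercap claims Alice's IP."""
    w = ArpWatch()
    capture = [
        "1386288000 aa:aa:aa:aa:aa:11 10.0.0.11 is-at aa:aa:aa:aa:aa:11",  # Alice appears
        "1386288001 aa:aa:aa:aa:aa:12 10.0.0.12 is-at aa:aa:aa:aa:aa:12",  # Bob appears
        "1386288002 aa:aa:aa:aa:aa:11 10.0.0.11 is-at aa:aa:aa:aa:aa:11",  # normal, no alert
        "1386288060 ee:ee:ee:ee:ee:ee 10.0.0.11 is-at ee:ee:ee:ee:ee:ee",  # attacker poisons Alice's IP
        "1386288061 ee:ee:ee:ee:ee:ee 10.0.0.12 is-at aa:aa:aa:aa:aa:12",  # frame src != ARP sender
    ]
    return [w.observe(line) for line in capture], w.alerts


if __name__ == "__main__":
    kinds, alerts = demo()
    for a in alerts:
        print(a)
```

Note how the third record produces no alert: a monitor that only keys on pairing changes stays quiet for legitimate traffic, which is also why it generates noise on DHCP networks where pairings change by design.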