Detecting and analyzing man-in-the-middle attacks
Cuckoo's Egg
In man-in-the-middle (MITM) attacks, attackers place themselves between the victim and the targeted resources, putting them in a position to intercept, read, and possibly even manipulate communications. In doing so, the attacker does not have to redirect the traffic completely or impersonate the data target. Instead, they can sniff the data on the network and then let it continue to the intended target without interference. In other words, the attacker is in the middle of the data flow.
As a result, many users and administrators do not identify these attacks until it is too late, because in most cases, network services are not disrupted by the attack. Services continue to run normally while the attacker accesses the traffic between the client and the server. Identity theft, faked transactions, or stealing intellectual property are just a few possible results.
These attacks can just as easily be performed on cable-based networks as on WiFi, although they are particularly common on WiFi networks because public WiFi is often virtually unprotected.
Before I look at possible defense mechanisms and tools such as Wireshark, I'll first look into how an MITM attack takes place, with techniques such as Address Resolution Protocol (ARP) poisoning, and how you can detect and analyze attacks, which in turn can help you protect your own network against MITM attacks and optimize your internal security structure accordingly.
ARP Gateway
MITM attacks often rely on the ARP cache, which is the local cache with IP to MAC address assignments. Its content can be displayed at the Windows command line by typing
arp -a
(Figure 1). On Linux computers
ip n s
does the same thing. This information can help detect MITM attacks because the command shows whether a MAC address is stored on a computer for two or more different IP addresses, which can be indicative of ARP spoofing.
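The check described above, applied to copies of the arp -a and ip neigh output: this Python script is an added example, not code from the article, and the table contents are constructed sample data (every MAC and IP value below is made up). It parses both formats, skips broadcast and multicast entries, and reports any MAC address that is stored for two or more IPv4 addresses.

```python
import re
import sys
from collections import defaultdict

# Constructed sample, modelled on the format of "arp -a" on Windows.
# All addresses below are made up.
WINDOWS_ARP_SAMPLE = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-00-00-01     dynamic
  192.168.1.50          aa-bb-cc-00-00-01     dynamic
  192.168.1.77          aa-bb-cc-00-00-77     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample, modelled on the format of "ip n s" / "ip neigh show" on Linux.
LINUX_NEIGH_SAMPLE = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.50 dev eth0 lladdr aa:bb:cc:00:00:01 STALE
192.168.1.77 dev eth0 lladdr aa:bb:cc:00:00:77 REACHABLE
192.168.1.90 dev eth0  FAILED
fe80::1 dev eth0 lladdr aa:bb:cc:00:00:01 router REACHABLE
"""

# Only IPv4 entries are considered: one host legitimately owns several IPv6
# addresses (link-local, global, temporary), so IPv6 neighbours would cause false hits.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
WIN_LINE_RE = re.compile(
    rf"^\s*(?P<ip>{IPV4})\s+(?P<mac>[0-9a-f]{{2}}(?:-[0-9a-f]{{2}}){{5}})\s+\w+", re.I)
LINUX_LINE_RE = re.compile(
    rf"^(?P<ip>{IPV4})\s+dev\s+\S+\s+lladdr\s+(?P<mac>[0-9a-f]{{2}}(?::[0-9a-f]{{2}}){{5}})", re.I)


def normalize_mac(mac):
    """Lowercase, colon-separated, so the Windows and Linux spellings compare equal."""
    return mac.lower().replace("-", ":")


def is_group_address(mac):
    """Broadcast and multicast MACs have the low bit of the first octet set. They are
    shared by design and must not count as one MAC claiming several IPs."""
    return int(mac[:2], 16) & 1 == 1


def parse_arp_table(text):
    """Return {ipv4: mac} from arp -a (Windows) or ip neigh (Linux) output."""
    table = {}
    for line in text.splitlines():
        m = WIN_LINE_RE.match(line) or LINUX_LINE_RE.match(line)
        if not m:
            continue  # header lines, incomplete/FAILED entries, IPv6 neighbours
        mac = normalize_mac(m.group("mac"))
        if is_group_address(mac):
            continue
        table[m.group("ip")] = mac
    return table


def find_shared_macs(table):
    """Return {mac: [ip, ...]} for every MAC stored for two or more IPv4 addresses."""
    by_mac = defaultdict(set)
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def audit(text):
    """Parse one cache dump and return the suspicious entries."""
    return find_shared_macs(parse_arp_table(text))


if __name__ == "__main__":
    # Pipe real output in (arp -a | python3 arp_audit.py); otherwise use the samples.
    if not sys.stdin.isatty():
        sources = [("stdin", sys.stdin.read())]
    else:
        sources = [("windows sample", WINDOWS_ARP_SAMPLE), ("linux sample", LINUX_NEIGH_SAMPLE)]
    for name, text in sources:
        hits = audit(text)
        print(f"{name}: {'no shared MACs' if not hits else ''}")
        for mac, ips in hits.items():
            print(f"  {mac} is stored for {', '.join(ips)} -> verify against the inventory")
```

A hit is a lead, not proof: a router with secondary addresses, a firewall doing proxy ARP, or a virtualization host also show one MAC for several IPs, so compare the result with your address inventory before acting on it. Keep in mind, too, that the local cache only contains the neighbours this particular host has resolved recently, and a STALE entry may describe a mapping that has since changed.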
However, an attacker can read and manipulate this data just as easily, because neither ARP nor the cache it populates offers any authentication or integrity protection. Anyone can view and change IP addresses and the associated MAC addresses and use them for attacks. The example of ARP spoofing used here plays out as follows: PC1 belongs to the victim. It receives ARP responses from the attacker's PC, which pretends to be the router with the route to the Internet. As a result, PC1 sends the traffic intended for the router to the attacker's PC, which forwards it to the real router and vice versa. At the same time, the router receives ARP responses from the attacker impersonating PC1, so all traffic intended for PC1 reaches the attacker's PC first, which passes it on to PC1.
The attacker can now view and modify all the packets received. If the data traffic is not encrypted, intruders can grab login data for HTTP websites or the content of documents with this approach. Additionally, DNS spoofing, phishing, keylogging, and many other attacks are possible in this way.
The best way of preventing ARP spoofing and thus MITM attacks is end-to-end encryption. In this case, all the data traffic between the devices involved is encrypted, and attackers cannot use the intercepted data. End-to-end encryption is made possible by the use of protocols such as HTTPS, POP3S, or IMAP4S. Managed switches also offer the option of preventing such attacks, although the security function first needs to be enabled on the switch. On Cisco switches, for example, this function is known as Dynamic ARP Inspection (DAI).
Setting up Wireshark
Wireshark [1] sits on the network like an MITM attacker and captures data traffic, allowing you to detect patterns that could indicate an MITM attack. However, Wireshark is also frequently used by attackers because it analyzes network packets unobtrusively. If an intruder uses ARP spoofing to route packets to their own computer, Wireshark can analyze the packets in the same way – and you can detect these packets on the network. In other words, Wireshark can help you carry out, prevent, or log MITM attacks.
On Linux, the libpcap library is a prerequisite for using Wireshark. An installation on Windows 10 or 11 is possible, as well. As part of the installation, Wireshark can import the latest version of Npcap. On Windows, Npcap or WinPcap has to be in place to capture live network traffic. Wireshark includes Npcap as of version 3.x; the older versions use WinPcap. On Windows 10/11 and Windows Server 2016/2019, Npcap is better suited for analyzing data on the network in combination with Wireshark.
After starting Wireshark, the first step is to prepare the program for the test (as is true for other tasks you perform with Wireshark, not just for analyzing MITM attacks). The most important functions can be found in Capture | Options. Clicking the Manage Interfaces button opens a dialog with the local interfaces that you can use for monitoring. The Input tab lists the network interfaces that Wireshark uses for sniffing.
Equally important is Edit | Preferences | Capture, which is where you select the default network interface you want Wireshark to monitor. The Update list of packets in real time and Automatic scrolling in live capture options ensure that the currently captured packets are always displayed in the window. The Name Resolution sidebar option in the Preferences dialog is also important. You will want to enable the Resolve network (IP) addresses option. Wireshark will then attempt to display the names of the devices for the IP addresses it displays.
It is crucial to enable promiscuous mode to ensure that Wireshark records all packets on the network, and not just those addressed to its own host system. The corresponding settings are also available under Capture | Options, where promiscuous mode is normally enabled, unless you have disabled it.
On the Output tab, you can specify the file in which Wireshark will save the capture. To ensure that the files do not fill up your whole disk, you can enable automatic overwriting of older files with Use a ring buffer with n files. Saving the captures makes it easier to analyze MITM attacks later, and it does not prevent you from examining the packets live while the capture is running.
Sniffing with Wireshark
To start capturing with Wireshark, just click on the icon with the shark fin. Alternatively, double-click on the interface from which you want to record data. Use the Stop icon to stop the capture and the File menu to save it, unless you have automated saving with the settings explained above. In the upper pane, Wireshark shows the incoming packets and, after you select a packet, its content in the lower pane (Figure 2). You can enter filters in the upper section to ensure that Wireshark lists only the data that interests you.
An initial test for detecting MITM attacks and understanding the processes involved can consist of monitoring how a client requests a new IP address via DHCP, that is, how the client communicates with the network and how the DHCP server answers. Wireshark displays this exchange onscreen. Sniffing other information that clients send to servers or other endpoints works in basically the same way.
Once you have started capturing the traffic, you can renew the IP address of a Windows computer with:
ipconfig /release
ipconfig /renew
The data traffic triggered by this can then be captured. Clicking on the Protocol column lets you sort, even without saving files or setting filters. Selecting the DHCP protocol helps you find the individual messages between the client and the DHCP server. Wireshark's bottom pane shows the IP addresses and names of the computers involved. Other data packets can be read in a similar way.
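Once a capture is saved, the ARP traffic in it can be checked for the pattern the article describes: one MAC suddenly answering for the router's IP and for the victim's IP. The following Python script is an added example, not code from the article or from the Wireshark project. It assumes the ARP frames were exported with tshark as tab-separated fields (frame.time_epoch, arp.opcode, arp.src.proto_ipv4 and arp.src.hw_mac are the Wireshark field names; capture.pcapng is a hypothetical file name), and the sample lines below are constructed, with made-up addresses.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the shape produced by (capture.pcapng is hypothetical):
#   tshark -r capture.pcapng -Y arp -T fields \
#          -e frame.time_epoch -e arp.opcode -e arp.src.proto_ipv4 -e arp.src.hw_mac
# Tab-separated; opcode 1 = request, 2 = reply. All values are made up.
SAMPLE_TSV = (
    "1700000000.100\t1\t192.168.1.20\taa:bb:cc:00:00:20\n"   # PC1 asks for the router
    "1700000000.110\t2\t192.168.1.1\taa:bb:cc:00:00:01\n"    # router answers with its MAC
    "1700000005.300\t2\t192.168.1.1\taa:bb:cc:00:00:66\n"    # router IP now claimed by another MAC
    "1700000005.310\t2\t192.168.1.20\taa:bb:cc:00:00:66\n"   # PC1's IP claimed by the same MAC
    "1700000006.000\t1\t192.168.1.77\taa:bb:cc:00:00:77\n"   # unrelated host, nothing odd
    "1700000009.000\t2\t192.168.1.1\taa:bb:cc:00:00:01\n"    # real router reasserts itself
)


def parse_tshark_arp(text):
    """Rows of (epoch_seconds, opcode, sender_ip, sender_mac) from the tshark export."""
    rows = []
    for fields in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(fields) != 4 or not fields[2]:
            continue  # malformed line, or an ARP frame without an IPv4 sender address
        ts, opcode, ip, mac = fields
        rows.append((float(ts), int(opcode), ip, mac.lower()))
    return rows


def detect_remaps(rows):
    """Emit one alert each time a sender IP is announced with a MAC that differs from
    the one last seen for it. Requests and replies both carry the sender mapping, so
    both are used; an IP flapping between two MACs is itself a strong signal."""
    last_mac = {}
    alerts = []
    for ts, opcode, ip, mac in rows:
        if ip == "0.0.0.0":
            continue  # ARP probe (RFC 5227): not a claim on an address
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"time": ts, "ip": ip, "old_mac": prev,
                           "new_mac": mac, "opcode": opcode})
        last_mac[ip] = mac
    return alerts


def suspect_macs(alerts):
    """MACs that took over two or more different IPs: the pattern of a host posing as
    the router towards the client and as the client towards the router."""
    taken = defaultdict(set)
    for a in alerts:
        taken[a["new_mac"]].add(a["ip"])
    return {mac: sorted(ips) for mac, ips in taken.items() if len(ips) > 1}


def fmt_time(ts):
    """Epoch seconds to a UTC wall-clock string with millisecond precision."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%H:%M:%S.%f")[:-3]


if __name__ == "__main__":
    rows = parse_tshark_arp(SAMPLE_TSV)
    alerts = detect_remaps(rows)
    for a in alerts:
        kind = "reply" if a["opcode"] == 2 else "request"
        print(f'{fmt_time(a["time"])} {a["ip"]} moved {a["old_mac"]} -> {a["new_mac"]} ({kind})')
    for mac, ips in suspect_macs(alerts).items():
        print(f"{mac} claimed {len(ips)} addresses: {', '.join(ips)}")
```

Wireshark's ARP dissector raises an expert-info warning of its own when an IP address is seen with more than one MAC (display filter arp.duplicate-address-detected), so the script mainly pays off when you want to process many saved captures in one go or feed the alerts into a log pipeline. Every remap still needs a second look: a replaced network card, a first-hop redundancy failover (VRRP/HSRP), or DHCP handing a lease to a different machine also change an IP's MAC legitimately.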