Man-in-the-Middle Attack with ARP and DNS

Anuradha Gunasinghe
4 min read · May 19, 2021

A man-in-the-middle (MitM) attack is a form of cyberattack in which the attacker inserts themselves into the communication path and intercepts the data passing through it. The attacker can be a passive listener in your conversation, silently stealing your secrets, or an active participant, altering the contents of your messages or impersonating the person or system you think you’re talking to.

Think back to the 20th century, when your younger sibling would pick up the phone when you were talking to your crush. You didn’t know they were listening, and then they went and tattled on you. That’s a basic MitM attack.

How Does A Man-in-the-Middle Attack Work?

1. Attacker eavesdrops on your conversation
2. Peer 1 sends a message to peer 2
3. Attacker intercepts the message between the peers
4. Attacker alters the message, steals information, etc.

Here is a practical example of a real-world MitM attack against Microsoft Office 365 in which the attacker bypassed MFA:

1. User clicks a phishing link that takes them to a fake Microsoft login page, where they enter their username and password
2. The fake webpage forwards the username and password to the attacker’s server
3. The attacker forwards the login request to Microsoft, so they don’t raise suspicion
4. Microsoft sends the two-factor authentication code to the user via SMS
5. User enters the code into the fake webpage
6. The fake page forwards the 2FA code to the attacker’s server
7. The attacker uses Evilginx to steal the session cookie
8. The attacker forwards the user’s 2FA code to Microsoft; now the attacker can log in to Office 365 as the compromised user by using the session cookie, and has access to sensitive data inside the enterprise

ARP Cache Poisoning

Address Resolution Protocol (ARP) is a low-level protocol that translates between IP addresses and hardware (MAC) addresses on the local network.

Attackers inject false information into this system to trick your computer into thinking the attacker’s computer is the network gateway. Once that happens, the attacker receives all of your network traffic (instead of your real network gateway) and passes it along to its real destination. From your perspective, everything looks normal, yet the attacker is able to see all of your packets.

1. Attacker joins your network and runs a network sniffer
2. Attacker inspects your network packets to attempt to predict the sequence numbers of the packets between you and the gateway
3. Attacker sends a packet to your computer with the faked source address of the gateway and the correct ARP sequence, to fool your computer into thinking the attacker’s computer is the gateway
4. At the same time, the attacker floods the gateway with a Denial of Service (DoS) attack so you receive the fake ARP packet before the gateway is able to respond
5. The attacker has fooled your computer into thinking the attacker’s laptop is the real gateway, and the MitM attack is successful
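As an added defender-side example (not code from the original post): the trace ARP cache poisoning leaves on the wire is an IP address, typically the gateway’s, that suddenly starts being claimed by a different MAC address. The small Python watcher below parses raw Ethernet/ARP reply frames and flags exactly that change. The frames, addresses and function names are constructed for this example; a real deployment would feed it frames from a capture tool or raw socket.

```python
import struct

ETH_TYPE_ARP, ARP_REPLY = 0x0806, 2  # EtherType for ARP; ARP opcode 2 = reply

def parse_arp(frame: bytes):
    """Parse an Ethernet II frame carrying ARP over IPv4; return None otherwise."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    # ARP header: htype, ptype, hlen, plen, opcode, then sender MAC/IP and target MAC/IP
    _htype, _ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if hlen != 6 or plen != 4:
        return None
    return {"op": op, "sender_mac": frame[22:28].hex(":"),
            "sender_ip": ".".join(str(b) for b in frame[28:32])}

class ArpWatch:
    """Learns IP->MAC bindings from ARP replies and reports any later change."""
    def __init__(self, trusted=None):
        self.bindings = dict(trusted or {})  # seed with the gateway's real MAC if known

    def observe(self, frame: bytes):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        prev = self.bindings.setdefault(ip, mac)  # first sighting is learned, never overwritten
        if prev == mac:
            return None
        return f"ARP binding for {ip} changed: {prev} -> {mac}"

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a constructed Ethernet+ARP reply frame as sample input for ArpWatch."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + hdr + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)

# Constructed sample traffic: two replies from the real gateway, then one reply
# claiming the gateway's IP from a different MAC (what a poisoning attempt looks like).
GW, HOST = ("aa:bb:cc:00:00:01", "192.168.1.1"), ("aa:bb:cc:00:00:10", "192.168.1.10")
SAMPLE_FRAMES = [build_arp_reply(*GW, *HOST), build_arp_reply(*GW, *HOST),
                 build_arp_reply("de:ad:be:ef:00:99", GW[1], *HOST)]

def run_watch(frames=SAMPLE_FRAMES):
    """Feed frames to a fresh watcher and return the alerts it raised."""
    watch = ArpWatch()
    return [alert for alert in map(watch.observe, frames) if alert]
```

Seeding `ArpWatch` with the gateway’s known MAC (from your DHCP or switch records) makes the very first forged reply fire an alert instead of being learned as legitimate.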

DNS Cache Poisoning

DNS cache poisoning occurs when the attacker feeds you a fake DNS entry that points to a different website. It might look like Google, but it’s not Google, and the attacker captures whatever data — username and password, for example — you enter into the faked website.

1. Attacker figures out that you use a certain DNS resolver.
2. Attacker knows this resolver is vulnerable to exploits, like an older version of BIND.
3. Attacker uses this exploit to tell the DNS resolver that www.example.com lives at an IP address that they own.
4. You go to www.example.com from your computer, and the DNS resolver tells you that the IP address of that site is the attacker’s machine!
5. Attacker completes the connection to the real website so you don’t realize there is anyone listening, but they are able to see all the packets that you are sending.

MitM attacks have been around for a long time, and while they’re not as common as phishing and malware or even ransomware, they are usually part of targeted attacks with specific intent.

Anuradha Gunasinghe

Software Engineer @ WTS, Bachelor of Engineering (BEng) Honours in Software Engineering Graduated from University of Westminster