Wednesday, July 18, 2012

Man-In-The-Middle With nping

nmap is known as the world's best port-scanner.  However there are a few lesser known tools that are installed with nmap.  They are; ncat (an improved version of netcat), nping (a packet crafter), and ndiff (like *unix diff, but for nmap scans). 

This post will focus on simulating a LAN based Man-In-The-Middle (MITM) attack using nping.

A LAN based MITM attack exploits a well known security flaw in the Address Resolution Protocol, or ARP.  ARP is used to map a layer 3 IP address to a layer 2 MAC address so that hosts on the same network can transmit traffic to each other.

Unlike DNS, ARP accepts updates at any time and can't be configured to only accept secured updates.  This means that one can send a spoofed ARP packet mapping the IP address of another host to the MAC address of their own host, thus causing all communication intended for the other hosts IP to be sent to the spoofer's host. 

A MITM attack sends spoofed ARP packets to two different hosts with the other hosts IP, but with the attacker's MAC address.  For example:

Host A ------------------ Attacker ------------------ Host B
1.1.1.1                           MAC : X                        2.2.2.2
MAC : A                                                            MAC : B

Attacker sends a ARP packet to Host A with it's MAC address (X) and Host B's IP address (2.2.2.2).  Attacker also sends a ARP packet to Host B with it's MAC address and Host A's IP address.  This populates the ARP cache of each host with the IP address of each other, but the MAC address associated with the IP address is that of Attacker.  This allows all traffic sent between the two hosts to be pass through Attacker, hence the term "Man-in-the-middle".

MITM attacks allow the attacker to intercept or sniff the traffic between two hosts.  The security implications of this are obvious and is particularly dangerous on wireless networks.

nping is a tool that allows one to generate custom packets.  It allows one to specify the source IP address, destination IP address, source MAC, destination MAC and may other TCP/IP, Ethernet and UDP features.

I used nping in my ESXi environment to simulate a MITM attack.  This is how I did it:

Hosts:
Teal (Debian 6.0) - 10.0.0.2
blue (Debian 6.0) - 10.0.0.1 - attacker
DC-03 (Windows Server 2008 R2) - 10.0.0.3

These VMs were connected to a vswitch on a private network segmented from my home network.

1) Ran nping from blue against DC-03 and Teal specifying blue's MAC address as the source for ARPs for DC-03 and Teal respectively:

Command sent to TEAL:
nping --arp-type arp-reply --source-mac 00:0c:29:43:ec:da --source-ip 10.0.0.3 -c 9999 10.0.0.2

Command sent to DC-03:
nping --arp-type arp-reply --source-mac 00:0c:29:43:ec:da --source-ip 10.0.0.2 -c 9999 10.0.0.3

-c 9999 means run the command 9999 times.

Here`s what it looked like in action:
nping to Teal:



nping to DC-03:
 

Here the resulting ARP tables on each host:

 Teal :
 DC-03 :

I then ran ncat in listening mode on Teal to simulate a web server and then installed Apache.  I installed IIS 7 on DC-03.  I tested connecting from one host to the other while using tcpdump on blue to monitor the traffic.  The results are below:

Using Firefox on DC-03 to connect to Teal:

Using Lynx on Teal to connect to DC-03:
 

Using Telnet on DC-03 to connect to the ncat listener on Teal and then connecting using IE9 (odd results):

tcpdump on blue of the DC-03 to Teal session:

tcpdump on blue of the Teal to DC-03 session:

As you can see, I was able to monitor the traffic going between Teal and DC-03 on blue using tcpdump.

There are much better tools for performing LAN based MITM attacks (ettercap, Cain and Abel).  But utilizing packet crafters is a good way to get a underlying understanding of how things work.