Man-in-the-Middle Attacks – CompTIA Security+ SY0-401: 3.2

One challenge with modern network security is protecting against man-in-the-middle attacks. In this video, you’ll learn about man-in-the-middle and I’ll demonstrate a live MiTM attack.

A man in the middle is an attack technique that works very much like the name sounds. There’s a bad guy. He sits in the middle of a conversation between two devices. And he’s able to watch exactly what’s going on between those systems.

He can capture packets. He can inject his own information in there. He can change information, or simply just watch what’s going on and see if he can identify things that might be interesting that he could use later.

What he’s really doing is redirecting your traffic. He becomes the endpoint: instead of you sending information, for instance, to your router, you send that information to the man in the middle, and the man in the middle then passes it on to the router, in many cases remaining completely invisible. You never even know this redirection is taking place. So obviously, this becomes a pretty major issue.

There are a number of ways to accomplish this. One very common way is something called ARP poisoning, because the ARP protocol, the Address Resolution Protocol used in TCP/IP, has no security associated with it. Machines simply trust that whatever information they receive in an ARP packet is legitimate.

And what we’re going to do is use a program, and I’ll show you exactly how we’re able to use third party applications to do ARP poisoning with just a few clicks of a mouse. What we’re going to do is sit between two computers. For instance, you’ll have 192.168.1.9, which is one of the Macintosh computers on my network. And I’m going to be talking out to the internet through my router, which is 192.168.1.1.

You’ll also notice that my laptop, the computer I’m using here, has a particular MAC address on the Ethernet network, as does my router. And fundamentally, of course, we don’t use IP addresses to communicate directly between devices. We use MAC addresses to communicate directly between devices over Ethernet. And then once we send the traffic, the IP address helps move it along wherever it needs to go.

The way that we determine where this router is, though, is we send out a message asking: where is 192.168.1.1? Are you out there? I need your MAC address so that I can send information directly to you. And what happens is the router in this case says, oh, yes, I’m 192.168.1.1, and here is my MAC address.

And what my machine over here does is make a little ARP cache inside the memory of my computer, and it says, oh, I can remember this now. I don’t have to keep asking over and over. I’ll always know that 192.168.1.1 happens to be this MAC address, and all is well with the world.

Well, what happens in a man in the middle situation is you have somebody else who’s on this local network. And that’s an important consideration: ARP, the way that it operates, and these man in the middle attacks that take advantage of ARP poisoning can only work on the local subnet. ARP packets do not traverse routers. So this is something that, obviously, has to be on our local network, which is another reason to have your wireless networks well secured.

So there’s a third party out here, 192.168.1.14. His MAC address, as you see here, I made very easy to find: ABCDEF. So what he does is he sends an unsolicited message over to 1.9 saying, oh, I’m 192.168.1.1. My MAC address is AABBCCDDEEFF.

So what happens is that the machine out here on 1.9 says, oh, it’s changed? I had no idea it was different. Let me update my cache so that from now on I use this new ARP entry. There it is. Now whenever I need to talk to 192.168.1.1, I’m going to send it to this third party.

And what happens is the third party then sends it on to the router, and now he’s in the middle watching everything that goes back and forth. He poisons 1.9. He poisons 1.1. And now he can watch everything go across the network.

Let’s see this ARP poisoning in action. What I have here is a virtual machine running Windows. And on this machine, I’m running an application called Cain and Abel. You can access this at oxid.it if you wanted to download this and try it yourself.

Now also, this is my Macintosh computer, and I’m going to look at the ARP table with arp -a. Since I’ve been communicating with 192.168.1.1, I’ve already done an ARP, and I have in my ARP cache this MAC address, which is the MAC address of the router that I use to communicate out to the internet. So any time I want to go there, I simply talk to that particular MAC address.

Now what Cain and Abel is going to do for us is poison that ARP cache so that 1.9 communicates through Cain and Abel to get to the internet. Let’s see how this works.

I don’t know what devices are on my network right now. I’m going to turn on the sniffing function of Cain and Abel. Go to the Sniffer tab for the hosts, and I’m going to list the hosts that are on the subnet by taking the default settings and clicking OK. I’ve got a number of devices on my network. The one I’m most interested in is this 1.9, so you do need to know the IP address or perhaps the DNS name of the device that you would like to access to be able to do the poisoning.

What I want to do is go to this APR tab, which is the ARP poisoning functionality. And what I want to be able to do is click this plus sign up here and say, anything going from 192.168.1.9 to 192.168.1.1. I’m going to click OK and tell it those are the two that I want to poison. Those right there.

Now the Cain and Abel program can poison many devices simultaneously, so that you could start up Wireshark and capture information or do some of the interesting things that are built into Cain and Abel. Now it’s not doing the poisoning yet. What I have to do to poison is click that nuclear symbol at the top; it says right here, Poisoning. And it shows you how many packets have been sent.

And if I do an arp -a, notice that 192.168.1.1 is now AABBCCDDEEFF, which is the MAC address of this device. It has also sent a poison to my router, so that the router thinks the way to get back to 1.9 is through Cain and Abel. Now we want to test this.

So let’s try going out to the internet and see what we see. I’m going to bring over a browser screen. And I’m going to connect to my internet router. That will be a good way to tell.

Since I’m starting on 1.9, I’m going to go to 192.168.1.1 and hit Enter. And it’s going to ask me to log in to this router. I’m going to put in my password and I’m going to click Log In. And it’s going to log me into this Netgear router.

Now because we had a man in the middle, this man in the middle was able to see all of those packets. And I could certainly have gathered them, but there is an automatic function within Cain and Abel that will grab all of the passwords that go through FTP, HTTP, IMAP, LDAP, POP3, Telnet, et cetera, et cetera. It’s already identified a session that went to 192.168.1.1 with the username of admin and the password of supersecret. So just by doing this poisoning on this local network, I’m now able to watch everything going by, and I’m able to gather some very, very critical security information from the traffic going back and forth over my network.

That’s another good reason why, if we’re communicating with a device that needs to be very, very secure, we want to use encrypted protocols to do it. I’m going to turn off the poisoning. That gets rid of that poison there. Let’s go back to our terminal screen.

I’m going to do an arp -a. When I remove the poisoning, notice everything went back to normal. So Cain and Abel is able to do a man in the middle, slip into the middle, watch what was going on, and then quietly remove itself from the middle, and everything goes back to normal.
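The two things the demo lets you see in arp -a, the router's entry suddenly changing to the attacker's MAC and one MAC answering for more than one IP, are exactly what a defender can watch for. The following is an added example, not code from the video or from Cain and Abel: it parses macOS/BSD-style arp -a output and compares a trusted snapshot against a fresh one, using constructed sample tables that mirror the demo's addresses (the router's original MAC is made up).

```python
import re
from collections import defaultdict

# Matches one line of BSD/macOS "arp -a" output, e.g.
#   ? (192.168.1.1) at 0:1e:2a:3b:4c:5d on en0 ifscope [ethernet]
# Lines such as "... at (incomplete) ..." have no MAC and are skipped.
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+)")

def normalize_mac(mac):
    """Zero-pad each octet and lowercase so "0:1e:2a:3b:4c:5d" == "00:1e:2a:3b:4c:5d"."""
    return ":".join(part.zfill(2).lower() for part in mac.split(":"))

def parse_arp_table(text):
    """Return {ip: mac} from arp -a output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table

def detect_poisoning(baseline, current, gateway_ip):
    """Compare a trusted snapshot with a fresh one and return a list of findings."""
    findings = []
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    if old and new and old != new:
        findings.append(f"gateway {gateway_ip} MAC changed {old} -> {new}")
    # One MAC answering for several IPs is the signature of a host that has
    # claimed the gateway's address in addition to its own.
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims multiple IPs: {sorted(ips)}")
    return findings

# Constructed sample snapshots: before poisoning, and while Cain and Abel is poisoning.
BEFORE = """? (192.168.1.1) at 0:1e:2a:3b:4c:5d on en0 ifscope [ethernet]
? (192.168.1.14) at aa:bb:cc:dd:ee:ff on en0 ifscope [ethernet]
"""
DURING = """? (192.168.1.1) at aa:bb:cc:dd:ee:ff on en0 ifscope [ethernet]
? (192.168.1.14) at aa:bb:cc:dd:ee:ff on en0 ifscope [ethernet]
"""

if __name__ == "__main__":
    for finding in detect_poisoning(parse_arp_table(BEFORE), parse_arp_table(DURING), "192.168.1.1"):
        print("ALERT:", finding)
```

On a real host the baseline would be captured while the network is known-good and the check run periodically, so a gateway entry flipping to a different MAC raises an alert the moment the cache changes.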