Man-in-the-middle attacks

In the next few sections, we're going to talk about what are known as man-in-the-middle (MITM) attacks. This is one of the most dangerous and effective attacks that we can carry out on a network. We can only do it once we have connected to the network. It can be used to redirect the flow of packets from any client to our device. This means that every packet sent to or from the client will have to go through our device. Because we are already a member of the network, the Wi-Fi encryption is no obstacle: the access point delivers the frames to us as a legitimate destination, so we can read them, modify them, drop them, or simply inspect them for passwords and other sensitive information. Only what the application itself encrypts (for example, HTTPS traffic) stays hidden from us. This attack is so effective because it's very hard to protect against. We're going to talk about the ways to protect against it, but it's very hard to fully prevent, and that is due to the way the ARP protocol works. It was designed to be very simple and very effective, but it's not secure enough.

ARP has two main security issues. The first one is that each ARP request or response is trusted, so whatever our device says to other devices on our network will be believed. We can just tell any device on our network that we are the router and the device will trust us. It will not try to make sure that we are actually the router, and it will not run any test to verify our identity. If we tell any device that we are the router, the device will believe us. In the same way, if we tell the router that we are someone else on the network, the router will trust us and will start treating us as that device; so, that's the first security issue. The second security issue is that clients accept responses even if they never sent a request. So, for example, when a device connects to the network, the first thing it asks is, who is the router? The router then sends a response saying "I am the router." But we can also send a response without the device ever asking who the router is. We can just tell the device that we are the router, and because devices trust anyone, the device will believe us and start sending its packets to us instead of to the router.

So, let's have a deeper look at how this MITM attack works. It uses a technique called ARP poisoning, or ARP spoofing, which exploits the two security issues that we talked about in the previous paragraph. The following diagram shows a typical Wi-Fi network: when the client requests something, it sends the request to the Wi-Fi router, the router fetches it from the internet, and the response comes back through the router to the Client.

Now, all of this is done using packets. So, what we are going to do is send an ARP response to the Client; as we saw, we can send responses without the Client asking for them. The Client didn't ask for anything, but it will still accept our response. In that response, we're going to claim that the router's IP belongs to our MAC address. So, if the router has the IP 192.168.1.1, we're going to tell the Client that the device with the IP 192.168.1.1 has our MAC address; basically, we're telling the Client that we are the router.

This will cause the Client to start sending the packets to us instead of sending the packets to the router. The following diagram illustrates this:

After that, we're going to do the opposite to the Wi-Fi router. We're going to tell the router that we are the Client, by sending it an ARP response claiming that the Client's IP has our MAC address. Since packet delivery on the local network is done by MAC address, the Wi-Fi router will start sending any packet that's meant for the Client to us instead. This redirects the flow of packets in both directions through our device, so when the Client wants to send a request it will send the request to us:

So, for example, as seen in the following screenshot, when the Client wants to open Google it will send the request to our device instead of sending it to the Wi-Fi router:

Now, our device forwards the request to the Wi-Fi router, the router fetches Google's page, the router sends the response to our device instead of to the Client, and then we forward the packet back to the Client. So, every packet sent to or from the Client has to pass through us. Since it passes through us as a normal, legitimate recipient on the network, we can read these packets, modify them, or simply drop them. For the attack to stay unnoticed, our device has to forward the packets it intercepts; otherwise the Client just loses its connection.

So, that's the basic principle of the MITM attack and ARP poisoning. Basically, we're going to tell the Client that we are the Wi-Fi router, and then we're going to tell the router that we are the Client. This will put us in the middle of the packet flow, between the Client and the Wi-Fi router, and all the packets will start flowing through our device. Then we can read the packets, modify them, or drop them.
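The following Python script is an added example, not code from the book, that ties together the two ARP weaknesses described earlier and the two-direction poisoning just summarised. It builds the raw Ethernet/ARP reply frames an attacker would send to the Client and to the router, then feeds them to a small model of an ARP cache that accepts every reply, solicited or not, and shows both hosts ending up with the attacker's MAC for each other's IP. All addresses are constructed lab values; the frames are only built and parsed in memory, not put on the wire. As a caveat for the defensive side, it also includes a simple gateway-MAC-changed check of the kind tools such as arpwatch perform.

```python
# Added example: craft the two spoofed ARP replies used in ARP poisoning,
# decode them, and model an ARP cache that trusts unsolicited replies.
import struct

# Constructed lab addresses (assumptions for this example only).
ROUTER_IP, ROUTER_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
CLIENT_IP, CLIENT_MAC = "192.168.1.10", "aa:bb:cc:00:00:10"
ATTACKER_MAC = "aa:bb:cc:00:00:66"

ETH_P_ARP = 0x0806   # Ethernet type field for ARP
ARP_REPLY = 2        # ARP opcode for a reply


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_ip, sender_mac, target_ip, target_mac):
    """Ethernet II frame carrying an ARP reply: 'sender_ip is at sender_mac'."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype 1 (Ethernet), ptype IPv4, hlen 6, plen 4, opcode 2 (reply)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp   # 14-byte Ethernet header + 28-byte ARP body = 42 bytes


def parse_arp(frame):
    """Return (opcode, sender_ip, sender_mac, target_ip) from an ARP frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    arp = frame[14:42]
    opcode = struct.unpack("!HHBBH", arp[:8])[4]
    sender_mac = ":".join(f"{b:02x}" for b in arp[8:14])
    sender_ip = ".".join(str(b) for b in arp[14:18])
    target_ip = ".".join(str(b) for b in arp[24:28])
    return opcode, sender_ip, sender_mac, target_ip


class ArpCache:
    """Models a host whose ARP cache accepts every reply addressed to it."""

    def __init__(self, own_ip):
        self.own_ip = own_ip
        self.table = {}          # ip -> mac
        self.pending = set()     # IPs this host actually asked about
        self.unsolicited = 0     # replies accepted without a matching request

    def request(self, ip):
        self.pending.add(ip)

    def receive(self, frame):
        opcode, sender_ip, sender_mac, target_ip = parse_arp(frame)
        if opcode != ARP_REPLY or target_ip != self.own_ip:
            return
        if sender_ip not in self.pending:
            self.unsolicited += 1        # weakness 2: no request was ever sent
        self.table[sender_ip] = sender_mac   # weakness 1: no identity check
        self.pending.discard(sender_ip)

    def next_hop_mac(self, ip):
        return self.table.get(ip)


def gateway_mac_changed(cache, gateway_ip, known_mac):
    """Defensive check: has the gateway's cached MAC drifted from the known one?"""
    current = cache.next_hop_mac(gateway_ip)
    return current is not None and current != known_mac


def poison_both_directions():
    client, router = ArpCache(CLIENT_IP), ArpCache(ROUTER_IP)
    # Legitimate state first: the client asked for the router and learned its MAC.
    client.request(ROUTER_IP)
    client.receive(build_arp_reply(ROUTER_IP, ROUTER_MAC, CLIENT_IP, CLIENT_MAC))
    router.receive(build_arp_reply(CLIENT_IP, CLIENT_MAC, ROUTER_IP, ROUTER_MAC))
    # Attacker: tell the client "192.168.1.1 is at ATTACKER_MAC" ...
    client.receive(build_arp_reply(ROUTER_IP, ATTACKER_MAC, CLIENT_IP, CLIENT_MAC))
    # ... and tell the router "192.168.1.10 is at ATTACKER_MAC".
    router.receive(build_arp_reply(CLIENT_IP, ATTACKER_MAC, ROUTER_IP, ROUTER_MAC))
    return {
        "client_thinks_router_is": client.next_hop_mac(ROUTER_IP),
        "router_thinks_client_is": router.next_hop_mac(CLIENT_IP),
        "unsolicited_accepted_by_client": client.unsolicited,
        "gateway_change_detected": gateway_mac_changed(client, ROUTER_IP, ROUTER_MAC),
    }


if __name__ == "__main__":
    for key, value in poison_both_directions().items():
        print(f"{key}: {value}")
```

The cache model deliberately mirrors the two weaknesses from the text: it never verifies who sent the reply, and it does not care whether a request was outstanding. The gateway check at the end is the flip side of the same property; because the only observable symptom on the victim is that the gateway's MAC entry changes, pinning or monitoring that entry is the practical defence the later sections discuss.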
