This tutorial explains how man-in-the-middle attacks work. Learn what a man-in-the-middle attack is and how it works through examples.
A man-in-the-middle attack is one of the most widely used attacks that hackers use to steal sensitive information. In a man-in-the-middle attack, a hacker secretly places his device on a communication path. When devices use the communication path to exchange information, the information passes through the hacker's device. Since all information passes through the hacker's device, the hacker can modify the information in such a way that the target device thinks it has received this information from the device it is communicating with.
Let's take an example to understand how a man-in-the-middle attack works.
To communicate or exchange information with other computers, each computer on a local network needs two addresses. These addresses are the software address and the hardware address. The software address is called the IP address and the hardware address is called the MAC address. Computers use these two addresses to identify each other on the network.
If a computer wants to communicate with another computer on the network, it needs to know the software and hardware addresses of that computer. If a computer knows the software address of another computer but does not know the hardware address of that computer, it can use the ARP protocol. The ARP protocol allows devices to automatically discover the hardware addresses of other devices.
The basic principle of ARP is very simple. A device that wants to know the hardware address of another device sends an ARP Request message to the broadcast address of the network. The message includes the software address of the other device. As the message is sent to the broadcast address of the network, all devices on the network listen to it. The device whose software address matches the message's software address replies with an ARP Reply message that includes its hardware address. From the ARP Reply message, the computer learns the hardware address of the other computer. Once the computer knows the hardware address of the other computer, it can communicate with the other computer.
To avoid repeating the same process each time when a computer wants to communicate with another computer, the computer saves the hardware address of the other computer in the ARP table. Computers use the ARP table to store the discovered hardware addresses.
The following image shows an example of this process.
In the above example, PC-A wants to communicate with the Server. PC-A knows the software address (IP address) of the Server but it does not know the hardware address (MAC address) of the Server. So, it sends an ARP Request to the broadcast address of the network. The ARP Request reaches all hosts of the network. PC-B ignores the request as the request is not intended for it. The Server responds to the request and sends an ARP Reply to the broadcast address. The ARP Reply reaches all hosts of the network. PC-B again ignores the ARP Reply as the reply does not belong to it. PC-A learns the hardware address of the Server from the ARP Reply and stores it in the ARP table.
This is the normal workflow of an ARP operation. To use this operation to launch a man-in-the-middle attack, a hacker will do the following steps.
The hacker connects his system to the network and waits for an ARP operation. When an ARP operation is going on, the hacker monitors the operation and learns which system is sending the ARP Request and which system is responding to it. From the ARP Request and ARP Reply messages, the hacker extracts the IP address and MAC address information. The hacker saves a copy of the ARP Reply message for the next step.
The following image shows this process.
Once the ARP operation is over, the hacker modifies the saved ARP Reply message. He changes the value of the MAC address field, replacing the stored MAC address with his own MAC address. Then, he sends the spoofed ARP Reply message to the host. Address spoofing is a technique in which a hacker uses someone else's IP address to send packets instead of using their own IP address. To know more about this technique, you can check the following tutorial.
How IP Address Spoofing or Masquerading Works
When the host receives this ARP Reply message, the host thinks that this new ARP Reply message contains the most recent information, and updates the ARP table.
The following image shows this process.
The host uses the ARP table entries to send data packets, and the entry for the Server system has been manipulated. When the host uses the manipulated entry to send data packets to the Server, the data packets reach the hacker's system. The hacker changes the destination MAC address of the data packets and reroutes them to the Server. The hacker does the same thing with packets that flow from the Server to the PC.
The following image shows this process.
Since packets sent from the PC reach the Server and packets sent from the Server reach the PC, the PC and the Server communicate without knowing that the hacker is listening to their communication. Since all packets pass through the hacker's system, the hacker can steal sensitive information from packets or can manipulate the data of packets to achieve his evil goals.
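The two mechanisms the tutorial relies on, the ARP Request/Reply exchange that fills the ARP table and the host's habit of accepting the newest ARP Reply for an IP address, can both be shown in a few lines of code. The following is an added example and is not code from the original tutorial: it packs and parses Ethernet/IPv4 ARP frames in their standard 28-byte layout, feeds a constructed frame sequence (PC-A asks for the Server, the Server replies, then a later reply claims the Server's IP with a different MAC) through a naive ARP cache that behaves exactly like the host described above, and runs the same frames through a simple monitor of the kind a defender deploys (in the spirit of tools such as arpwatch) that records the first MAC seen for each IP and raises an alert when that binding changes. All IP addresses, MAC addresses and frames in it are constructed for illustration.

```python
"""Added example: ARP frame parsing, a naive ARP cache, and a binding-change monitor.

Not part of the original tutorial. All addresses and frames below are constructed.
"""
import struct
from dataclasses import dataclass

ARP_REQUEST = 1
ARP_REPLY = 2

# Ethernet/IPv4 ARP layout (RFC 826): hardware type, protocol type, hardware
# address length, protocol address length, opcode, then sender hardware/protocol
# address and target hardware/protocol address. 28 bytes in total.
ARP_STRUCT = struct.Struct("!HHBBH6s4s6s4s")


@dataclass(frozen=True)
class ArpFrame:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Pack one ARP frame payload (the part that follows the Ethernet header)."""
    return ARP_STRUCT.pack(1, 0x0800, 6, 4, opcode,
                           mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                           mac_to_bytes(target_mac), ip_to_bytes(target_ip))


def parse_arp(data: bytes) -> ArpFrame:
    """Unpack an ARP frame payload, rejecting anything that is not Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_STRUCT.unpack(data[:ARP_STRUCT.size])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP frame")
    return ArpFrame(oper, bytes_to_mac(sha), bytes_to_ip(spa), bytes_to_mac(tha), bytes_to_ip(tpa))


class NaiveArpCache:
    """Models the host in the tutorial: the most recent ARP Reply always wins."""

    def __init__(self) -> None:
        self.table: dict[str, str] = {}

    def process(self, frame: ArpFrame) -> None:
        if frame.opcode == ARP_REPLY:
            self.table[frame.sender_ip] = frame.sender_mac


class ArpMonitor:
    """Defensive check: remember the first MAC seen per IP and alert when it changes.

    Both requests and replies carry a sender binding, so both are inspected.
    """

    def __init__(self) -> None:
        self.bindings: dict[str, str] = {}
        self.alerts: list[str] = []

    def process(self, frame: ArpFrame) -> None:
        known = self.bindings.get(frame.sender_ip)
        if known is None:
            self.bindings[frame.sender_ip] = frame.sender_mac
        elif known != frame.sender_mac:
            self.alerts.append(f"{frame.sender_ip} changed from {known} to {frame.sender_mac}")


# Constructed hosts, mirroring the tutorial's PC-A and Server.
PC_A_IP, PC_A_MAC = "192.168.1.10", "aa:aa:aa:aa:aa:01"
SERVER_IP, SERVER_MAC = "192.168.1.20", "aa:aa:aa:aa:aa:02"
OTHER_MAC = "aa:aa:aa:aa:aa:99"  # a MAC that is not the Server's

# Constructed frame sequence: request, genuine reply, then a conflicting reply.
FRAMES = [
    build_arp(ARP_REQUEST, PC_A_MAC, PC_A_IP, "00:00:00:00:00:00", SERVER_IP),
    build_arp(ARP_REPLY, SERVER_MAC, SERVER_IP, PC_A_MAC, PC_A_IP),
    build_arp(ARP_REPLY, OTHER_MAC, SERVER_IP, PC_A_MAC, PC_A_IP),
]


def run(frames: list[bytes] = FRAMES) -> tuple[dict[str, str], list[str]]:
    """Feed the frames through the naive cache and the monitor; return both results."""
    cache, monitor = NaiveArpCache(), ArpMonitor()
    for raw in frames:
        frame = parse_arp(raw)
        cache.process(frame)
        monitor.process(frame)
    return cache.table, monitor.alerts


if __name__ == "__main__":
    table, alerts = run()
    print("ARP table:", table)
    print("Alerts:", alerts)
```

Running it shows the two sides of the story at once: the naive cache ends up mapping the Server's IP to the last MAC it heard, while the monitor flags that the binding for that IP changed. On a real network the same monitor logic would read frames from a capture interface; the host-side countermeasure the comparison points to is a static or validated ARP entry for critical peers such as the default gateway, so that a later reply cannot overwrite it.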
That's all for this tutorial. In this tutorial, we discussed what a man-in-the-middle attack is and how it works. If you like this tutorial, please share it on Facebook and subscribe to our YouTube channel.