How Man-in-the-Middle Attacks work

A man-in-the-middle attack is a common hacking technique used to steal sensitive information. In this method, an unauthorized device is covertly inserted into a communication path. As devices exchange information along this path, the data passes through the attacker's device. The attacker can intercept and modify the information, causing the target device to believe it is communicating directly with the intended recipient.

To communicate on a local network, each computer requires two types of addresses: a software address, known as the IP address, and a hardware address, known as the MAC address. These addresses enable computers to identify one another within the network.

To initiate communication, a computer must know both the software and hardware addresses of the target device. If only the software address is known, the Address Resolution Protocol (ARP) enables automatic discovery of the corresponding hardware address.

The ARP operates as follows:

  • A device seeking another device's hardware address sends an ARP Request to the network's broadcast address, including the target's software address.
  • All devices on the network receive this request, but only the device with the matching software address responds with an ARP Reply containing its hardware address.
  • Upon receiving the ARP Reply, the requesting computer acquires the necessary hardware address and can then establish communication.
  • To avoid repeating the same process each time a computer wants to communicate with another computer, it saves the other computer's hardware address in its ARP table.

How the ARP protocol works

In this scenario, PC-A intends to communicate with the Server. PC-A knows the Server's IP address, but lacks the MAC address. Therefore, it sends an ARP Request to the network's broadcast address. All hosts on the local network receive it. PC-B disregards the request, as it is not the intended recipient. The Server responds with an ARP Reply to the broadcast address. Again, PC-B ignores the reply. PC-A obtains the Server's MAC address from the ARP Reply and stores it in its ARP table.

This sequence represents the standard ARP workflow. However, attackers can exploit this process to conduct a man-in-the-middle attack by following the steps outlined next.

  • The attacker connects a device to the network and observes ongoing ARP operations.
  • By monitoring ARP Requests and Replies, the attacker identifies the participating systems and extracts their IP and MAC addresses.
  • The attacker then saves a copy of the ARP Reply message for subsequent use.

Man-in-middle process step 1

After the ARP operation concludes, the attacker alters the saved ARP Reply message by replacing the original MAC address with their own. The attacker then sends this spoofed ARP Reply to the host. Address spoofing involves using another device's IP address to transmit packets, rather than the attacker's own IP address. Upon receiving the spoofed ARP Reply, the host assumes the information has changed and updates its ARP table accordingly.

Man-in-middle process step 2

The host relies on its ARP table entries to direct data packets. Because the Server's entry has been altered, packets intended for the Server are first sent to the attacker's device. The attacker modifies the destination MAC address and forwards the packets to the Server. The same process is applied to packets traveling from the Server to the PC.

Man-in-middle process step 3

Since packets sent from the PC reach the Server and packets sent from the Server reach the PC, the PC and Server communicate without knowing that the hacker is listening to their communication. Since all packets pass through the hacker's system, the hacker can steal sensitive information from them or manipulate their data to achieve their evil goals.
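The ARP table change described in the steps above is also what a defender can watch for. The following is an added example, not part of the original tutorial: it parses ARP frames and reports when an IP address is claimed by a different MAC address than the one first seen. The names `parse_arp`, `ArpWatch`, `build_frame` and `demo` are hypothetical, all addresses are constructed sample values, and keeping the first-seen binding is an assumed policy.

```python
import struct

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return ARP fields from an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,                                   # 1 = Request, 2 = Reply
            "eth_src": fmt_mac(frame[6:12]),
            "sender_mac": fmt_mac(frame[22:28]),
            "sender_ip": ".".join(map(str, frame[28:32]))}

class ArpWatch:
    """Remembers the first MAC seen for each IP and reports later conflicts."""
    def __init__(self):
        self.bindings = {}

    def observe(self, frame):
        p, alerts = parse_arp(frame), []
        if p is None:
            return alerts
        # The Ethernet source and the ARP sender field should name the same MAC.
        if p["eth_src"] != p["sender_mac"]:
            alerts.append(f"{p['sender_ip']}: frame source differs from ARP sender")
        # Assumed policy: the first binding seen is trusted, later ones alert.
        known = self.bindings.setdefault(p["sender_ip"], p["sender_mac"])
        if known != p["sender_mac"]:
            alerts.append(f"{p['sender_ip']} changed from {known} to {p['sender_mac']}")
        return alerts

def build_frame(op, src_mac, src_ip, dst_mac, dst_ip):
    """Constructed test input only: pack an ARP frame from address strings."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    return (mac(dst_mac) + mac(src_mac) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(src_mac) + ip(src_ip) + mac(dst_mac) + ip(dst_ip))

# Constructed sample traffic: PC-A asks, the Server answers, then a second
# Reply claims the Server's IP with a different MAC (made-up addresses).
PC_A, SERVER, OTHER = "02:00:00:00:00:0a", "02:00:00:00:00:14", "02:00:00:00:00:63"
def demo():
    watch = ArpWatch()
    frames = [build_frame(1, PC_A, "192.0.2.10", "ff:ff:ff:ff:ff:ff", "192.0.2.20"),
              build_frame(2, SERVER, "192.0.2.20", PC_A, "192.0.2.10"),
              build_frame(2, OTHER, "192.0.2.20", PC_A, "192.0.2.10")]
    return [watch.observe(f) for f in frames]
```

Calling `demo()` returns one alert list per frame, and only the third is non-empty. A legitimate change, such as a replaced network card or a reassigned address, raises the same alert, so each one needs to be checked against known changes.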

Conclusion

Man-in-the-middle attacks exploit vulnerabilities in network protocols, such as ARP, to intercept, modify, or steal sensitive information in transit. Comprehending the mechanisms and targeted vulnerabilities of these attacks is crucial for implementing robust security measures. This tutorial explained how this process works through an example. By increasing awareness and deploying protective technologies, you can enhance the security of your communications and data.
