LAN MitM Attacks: Beyond Interception

TL;DR

Yes, an attacker with Man-in-the-Middle (MitM) privileges on a local LAN can perform denial of service (DoS) and other attacks beyond simply intercepting traffic. They can modify packets, inject malicious content, redirect users, and more. This guide explains how.

Understanding the Threat

A MitM attack means the attacker sits between two communicating parties, able to see and potentially alter all data exchanged. While eavesdropping is common, it’s just the beginning. The attacker controls the communication flow.

Attacks Possible with LAN MitM Privileges

1. Denial of Service (DoS)

• Packet Flooding: The attacker can send a large volume of packets to overwhelm the target, making it unavailable.
• SYN Flood: If the attacker is intercepting TCP connections, they can initiate many connection requests without completing them, exhausting the target’s resources.

  hping3 -S --flood -p 80 

• Amplification Attacks: The attacker can use the MitM position to redirect legitimate traffic towards a victim, amplifying its impact.

Data Modification & Injection

• Packet Tampering: Altering data in transit (e.g., changing bank account numbers in HTTP requests).
• Malicious Code Injection: Injecting JavaScript into web pages to steal credentials or redirect users.

  # Using a tool like Burp Suite, intercept the response and modify the HTML

Redirection & Phishing

• DNS Spoofing: Redirecting users to fake websites by providing incorrect DNS information.
• ARP Poisoning: Manipulating ARP tables to redirect traffic.

  arpspoof -i  -t  

Session Hijacking

• Stealing Cookies: Intercepting and using session cookies to impersonate legitimate users.
• Replaying Sessions: Capturing and re-sending valid session data.

How an Attacker Gains MitM Privileges

1. ARP Poisoning: The most common method on LANs, exploiting the trust in ARP protocol.

   # Example using ettercap

2. DHCP Spoofing: Providing false DHCP information to redirect traffic.
3. MAC Flooding: Overwhelming a switch’s MAC address table causing it to act as a hub, allowing the attacker to see all traffic.
4. Switch Port Stealing: Exploiting vulnerabilities in switches to gain control of ports.

Mitigation Strategies

1. Use HTTPS: Encrypts communication, making data modification difficult.
   Ensure all sensitive websites use valid SSL/TLS certificates.
2. Static ARP Entries: Manually configure ARP entries on critical devices to prevent poisoning.
3. Port Security: Limit the number of MAC addresses allowed on switch ports.
4. Network Monitoring & Intrusion Detection Systems (IDS): Detect suspicious activity like ARP spoofing or unusual traffic patterns.
   Tools like Wireshark can help analyze network traffic.
5. 802.1X Authentication: Requires users to authenticate before gaining network access.
6. Regular Security Audits: Identify and address vulnerabilities in your network infrastructure.

Tools Used by Attackers

• Ettercap: A comprehensive MitM tool for ARP poisoning, packet sniffing, and more.
• Burp Suite: A web application security testing suite used for intercepting and modifying HTTP traffic.
• Wireshark: A network protocol analyzer for capturing and analyzing packets.
• hping3: A command-line packet crafting tool useful for DoS attacks.