Man-In-The-Middle Attack

Layer 2 network attack

Once an attacker compromises the router through one of the above methods, he is in a position to connect to the AP and capture the data through a MITM attack.

Bettercap is a network reconnaissance tool designed to work with Layer 3 (network) of the OSI model. Its first version came to light between 2015 and 2016, written by Simone Margaritelli, also known as Evilsocket – a guy with an inquisitive mind and a low tolerance for ineptness in others. The application was first written in the Python programming language and has been part of the Kali Linux repository since its inception.

Just like any other tool out there, it can be used in many ways – for good (understanding the ways of black hat hackers and protecting yourself from their attacks) and for bad (being that black hat hacker with malicious purposes).

Description: “bettercap is a complete, modular, portable and easily extensible MITM tool and framework with every kind of diagnostic and offensive feature you could need in order to perform a man in the middle attack.”

It has many, very powerful features that can aid understanding of possible attacks on Layer 2:

Feature number one: ARP spoofing, also known as ARP poisoning. Before understanding ARP spoofing we need to look at what ARP is. ARP, the Address Resolution Protocol, is a way of resolving/translating/mapping/assigning logical Internet Protocol (IP) addresses, provided by the router you are connected to, to the physical machine addresses (MAC – media access control; xx:xx:xx:xx:xx:xx) embedded in the wireless cards that are connected to said router. This protocol in effect connects two OSI layers together (2->3): the data link layer, with its MAC addresses (2), and the network layer, with its IP addresses (3). It stands to reason that, depending on the wireless point/router you connect to, your IP address is more likely to change, while the MAC does not – it is hardwired into a wireless card and stays the same regardless of the access point you connect to. Once a MAC address has been assigned an IP address, the device can communicate freely with other devices on the network.

Wireshark showing initial address resolution protocol in action between a router (TP-Link - 192.168.1.1)

The picture shows the broadcast requests of the devices and the IP addresses they need to establish communication on the network. Not shown is the ARP reply, where the assignment of IP to MAC happens. Since IP addresses can change, why can't devices (mobile phones, routers, laptops, tablets) just use MAC addresses instead of IP to communicate with each other and skip the whole Internet Protocol thing, and why spoof ARP? The simple answer to this is: why can't postmen deliver packages addressed to, e.g., “Joe Doe”? Well, first of all, postmen don’t know where Joe Doe is located in the first place. What if you change your home address or town, how will they know where to deliver your package? In networking terms, MAC is your name, the external IP is your home address, and the internal/private IP is the address of the device you initiated communication from.

If you can place yourself between the router and an internal IP, or at an address on the same level, you are in a position to conduct ARP spoofing – a technique where you can masquerade as a router and intercept, modify and sniff internet traffic that was destined for that router in the first place. This allows you to capture outgoing and incoming (HTTP/HTTPS) requests from the devices on the network, as shown below.

A successfully executed ARP poisoning attack on the network, intercepting HTTP and HTTPS communication. Here the ARP reply assigns an IP to a MAC address: "192.168.1.1 is at xx:xx:xx:xx:xx". Note that the source of the communication is the attacker's machine (IntelCor) and not the router, as shown previously with the broadcasts. The router address, however, remained the same, but the MAC address is the one belonging to the attacker.

Conclusion: This type of attack can be compared to a nasty concierge in your home, sitting next to you saying “I will handle the post for you from now on”. Can you trust that this person won’t open the outgoing and incoming envelopes? In fact, you can’t and you shouldn’t, because he will. This is the essence of the spoofing attack: a technique to impersonate/replace the device you trust to handle your connections. Yeah, just like a phishing attack, but on a different level. Call it an evil twin, or somebody who opens your envelopes and reads them aloud.
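The symptom described above (the router's IP suddenly answering from a different MAC) is also what a defender can watch for. The following is an added example, not part of the original article: it parses raw Ethernet/ARP frames and raises an alert when an IP's MAC binding changes. The MAC addresses, the host 192.168.1.50 and the names parse_arp, ArpWatch, sample_reply and scan are assumptions made for illustration.

```python
import struct

ETH_ARP, ARP_REPLY = 0x0806, 2   # EtherType for ARP; opcode 2 is the "is-at" reply

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:                        # 14-byte Ethernet header + 28-byte ARP body
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if ethertype != ETH_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, fmt_mac(frame[22:28]), ".".join(str(b) for b in frame[28:32])

class ArpWatch:
    """Tracks IP -> MAC bindings and reports when an IP shows up behind a new MAC."""
    def __init__(self, pinned=None):
        self.table = dict(pinned or {})        # known-good bindings, e.g. the router

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        oper, mac, ip = parsed
        known = self.table.setdefault(ip, mac)  # first sighting is trusted unless pinned
        if known == mac:
            return None
        kind = "reply" if oper == ARP_REPLY else "request"
        return f"ALERT {ip} was at {known}, ARP {kind} now claims {mac}"

def sample_reply(sender_mac_hex):
    """Constructed ARP reply to a made-up host (192.168.1.50) claiming 192.168.1.1."""
    host = "cccccc000003"
    return bytes.fromhex(host + sender_mac_hex + "0806" + "0001080006040002"
                         + sender_mac_hex + "c0a80101" + host + "c0a80132")

# Constructed capture: the MAC addresses are invented; 192.168.1.1 is the router in the text.
SAMPLE = [sample_reply("aaaaaa000001"),        # router answers for its own IP
          sample_reply("bbbbbb000002"),        # a different MAC claims the router's IP
          sample_reply("aaaaaa000001")]        # router again: matches the first binding

def scan(frames, pinned=None):
    watch = ArpWatch(pinned)
    return [alert for alert in map(watch.observe, frames) if alert]

if __name__ == "__main__":
    for line in scan(SAMPLE):
        print(line)
```

Pinning the router's real MAC through the `pinned` argument avoids trusting whichever reply happens to arrive first, which matters if monitoring starts after the poisoning has begun.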