International Journal of Pure and Applied Mathematics
Volume 119 No. 12 2018, 1187-1195
ISSN: 1314-3395 (on-line version)
url: http://www.ijpam.eu
Special Issue
Sniffing HTTPS Traffic in LAN by Address
Resolution Protocol Poisoning
Nagendran.K1, Adithyan.A1, Balaji.S1, S.Balakrishnan1
Department of Information Technology,
Sri Krishna College of Engineering and Technology,
Coimbatore, India.
Cyber security has become an unavoidable concern in today's era. Hacking
and cracking attempts have risen to unimaginable levels, and securing
ourselves and our surroundings from them is our prime responsibility.
Today's cyber world is full of network and web application attacks. Many
security researchers work day and night to find zero-days and to secure
their networks from black hat hackers. This paper describes in detail a
type of attack performed on the local network and how to prevent it.
Keywords: ARP Poisoning, Network Security, Hacking, DNS Spoofing,
Ettercap, Burpsuite.
1. Introduction
Man in the Middle (MITM) is an attack carried out by an intruder who
intercepts network traffic in order to steal credentials. Ordinarily the intruder
can only capture HTTP traffic, since HTTPS traffic has an SSL certificate as an
extra layer of security. Capturing HTTP traffic can be done easily with tools like
Wireshark, which displays all the inbound and outbound network traffic in the form
of packets. This paper describes in detail how an attacker can sniff the SSL
traffic on his local network using Address Resolution Protocol (ARP) poisoning.
2. Literature Review
MV Tripunitara and P Dutta (1999) proposed a middleware approach to
asynchronous and backward-compatible detection and prevention of ARP cache
poisoning. Goyal and Rohit Tripathy (2005) presented an efficient cryptographic
technique to secure against ARP spoofing. It is a well-known fact that ARP is a
stateless protocol. That is, it keeps changing the MAC address in the ARP table
based on the latest received ARP reply. Zouheir Trabelsi and Wassim El-Hajj (2007)
changed this and implemented a prototype of a stateful and secure ARP cache.
Wesam Lootah, William Enck and Patrick McDaniel (2007) introduced a ticket-based
Address Resolution Protocol as an alternative to ARP. CL Abad and RI Bonilla
(2007) analysed the schemes for detecting and preventing ARP cache poisoning
attacks. SY Nam and D Kim (2010) proposed an enhanced method for preventing
ARP-poisoning-based man-in-the-middle attacks. A packet-based technique
has been proposed by P Pandey (2013) for the prevention of ARP spoofing.
3. Description
Most servers have an SSL certificate installed for security
purposes. In general, these SSL certificates provide an additional layer of security
by encrypting the communication between the server and the end user. But intruders
can use some specialized attack vectors to perform attacks and steal data even on
SSL-enabled websites. The most common method to bypass the SSL mechanism is SSL
strip. An attacker uses SSL strip on a victim to downgrade him from HTTPS to HTTP,
which is insecure. In an SSL strip attack, the attacker impersonates a proxy server,
receives all HTTPS (encrypted) requests from the victim's browser and forwards
them to the server. The server responds to the proxy server (the attacker) with an
HTTPS response. Now, the attacker changes the HTTPS to HTTP and forwards the
response to the victim. Thus, the victim receives an HTTP response, and the
information he enters through the HTTP website is compromised by the
attacker. This is how SSL strip works.
But this attack was prohibited by the use of the HSTS (HTTP Strict Transport
Security) header in the HTTP request and response. HSTS helps in confirming
whether all the users are browsing via HTTPS or not, and immediately aborts the
connection if the user isn't using HTTPS or a valid SSL certificate.
Though not all SSL-enabled websites use this header, most social networks
come with the HSTS header. It stops attackers from performing SSL
strip. The following method can be used as an alternative to SSL strip, where an
attacker can capture the HTTPS traffic of his victims in a local area network
without downgrading them to HTTP as is done in SSL strip. The authors are not
responsible for any kind of hacktivities performed based on this paper.
4. Methodology
For this attack to take place, the attacker and the victim must be on the
same network. The attack scenario is strictly LAN based. Since the aim is to
intercept the network traffic of others, the attacker converts his machine into a
router or gateway through which the IP packets are going to pass. By default,
Linux discards IP packets that are not addressed to it. So IP forwarding must be
enabled to make the IP packets pass through the machine. To enable IP forwarding
in Linux:
echo 1 >/proc/sys/net/ipv4/ip_forward
Linux has special firewall rules for managing inbound and outbound traffic, and
these rules are managed using a built-in Linux framework called iptables. Hence,
the attacker must add a firewall rule to accept all incoming traffic via port 443
(HTTPS) and port 80 (HTTP). Let's assume that the attacker's IP address is
The firewall rules can be added with the following commands:
Fig.1. Configuring Firewall Rules using IPtables
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination
After adding the firewall rules, the attacker finds the IP address of the victim on
his network. Using Ettercap, the attacker can find all the hosts connected to a
network. The attacker may even use an ARP scan, where the attacker sends ARP
requests to all the clients of the network and obtains the list of devices
connected to it. Sometimes ping may fail if the firewall isn't configured to allow
ping, but ARP can bypass the firewall and scan for live hosts. The attacker must
find the victim's IP to carry out ARP poisoning. Let's consider that the victim has an IP of
Fig.2. Identifying Hosts using Ettercap
5. ARP Cache Poisoning
Now, ARP poisoning is carried out by the attacker to intercept the HTTPS
requests. The Address Resolution Protocol (ARP) is used to link a network address
to a hardware address at the data link layer. The EtherType field of the Ethernet
frame header, working at layer 2 of the OSI model, identifies whether the
encapsulated layer 3 data is IPv4, IPv6 or ARP. ARP has an EtherType of 0x0806.
The ARP header (28 bytes) contains the target's and source's MAC and IP addresses.
The ARP header also contains an operation code: if the operation code is 1, it
denotes an ARP request, and if the operation code is 2, it denotes an ARP reply.
The attacker sends spoofed ARP messages in the local area network and links his
physical address (MAC address) with the victim's IP address. By this, the traffic
meant for the victim will be received by the attacker. This process is termed ARP
spoofing. Typically, all routers overwrite MAC addresses by default, and this
leaves them vulnerable to ARP spoofing. When the attacker creates a large number of
ARP requests impersonating his MAC address as the victim's, the router overwrites
the attacker's MAC with the victim's MAC, poisoning the ARP table of the router.
When a switch is subjected to an ARP DoS attack, the switch turns "Forwarding
Mode" on and the ARP table is flooded with spoofed ARP requests, enabling the
attacker to capture the network traffic. Hence, ARP spoofing can also be called
ARP cache poisoning. It enables the attacker to interpret the data, manipulate the
traffic and even stop all the traffic flowing through his network. There is a
robust collection of tools available for performing this ARP poisoning attack. Some
common tools used for carrying out this attack are Ettercap and ARPspoof. After a
successful ARP cache poisoning, the attacker can view the images in the websites
which the victim visits using Driftnet, and he can sniff the emails which are meant
for the victim's mail address using MailSnarf. Instant messages sent on social
messaging platforms and the files transferred on the network can be intercepted
using msgsnarf and filesnarf respectively. The ARP cache poisoning attack can be
carried out by the attacker using the command arpspoof -i wlan0 -t where is the victim’s IP address which the Attacker is
going to link with his Mac Address. the router IP address.
Fig.3. ARP Poisoning using ARP Spoof
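A detection-side view of the ARP fields described above, as an added example that is not part of the original paper: it decodes the EtherType 0x0806 frame and the 28-byte ARP header, pins the first MAC address seen for each IP, and reports any later frame that contradicts it. The names ArpMonitor and sample_frame and all addresses are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806                        # EtherType value that marks an ARP payload
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")    # 28-byte ARP header for Ethernet/IPv4

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame):
    """Decode one Ethernet frame; return a dict for ARP, None for anything else."""
    if len(frame) < 14 + ARP_BODY.size:
        return None
    _dst, eth_src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_BODY.unpack_from(frame, 14)
    if ethertype != ETHERTYPE_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": fmt_mac(eth_src),      # op: 1 = request, 2 = reply
            "sender_mac": fmt_mac(sha), "sender_ip": str(IPv4Address(spa))}

class ArpMonitor:
    """Pins the first MAC seen for each IP and reports later contradictions."""
    def __init__(self):
        self.bindings = {}

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return []
        alerts = []
        if pkt["eth_src"] != pkt["sender_mac"]:
            alerts.append(f"{pkt['sender_ip']}: Ethernet source differs from ARP sender MAC")
        pinned = self.bindings.setdefault(pkt["sender_ip"], pkt["sender_mac"])
        if pinned != pkt["sender_mac"]:   # unlike a stateless cache, keep the old binding
            alerts.append(f"{pkt['sender_ip']}: pinned to {pinned}, opcode {pkt['op']} now claims {pkt['sender_mac']}")
        return alerts

def sample_frame(op, sender_mac, sender_ip, target_ip):
    """Constructed test input (documentation addresses); nothing is put on a network."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    body = ARP_BODY.pack(1, 0x0800, 6, 4, op, sha, IPv4Address(sender_ip).packed,
                         b"\x00" * 6, IPv4Address(target_ip).packed)
    return b"\xff" * 6 + sha + struct.pack("!H", ETHERTYPE_ARP) + body

def demo():
    mon = ArpMonitor()
    frames = [sample_frame(2, "02:00:00:00:00:01", "192.0.2.1", "192.0.2.50"),   # gateway
              sample_frame(1, "02:00:00:00:00:50", "192.0.2.50", "192.0.2.1"),   # a host
              sample_frame(2, "02:00:00:00:00:66", "192.0.2.1", "192.0.2.50")]   # conflict
    return [mon.observe(f) for f in frames]
```

Only the third constructed frame produces an alert, because it rebinds an IP address that was already pinned to another MAC address.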
After successfully poisoning the ARP messages in the local network, the attacker
intercepts the HTTPS requests using an HTTP interceptor tool. Burp Suite and Zed
Attack Proxy are the most used tools for this kind of interception in web
application penetration testing.
Fig.4. Configuring Burp to Capture SSL Request
This is a sample configuration done in Burp Suite for capturing the HTTPS
traffic. Here, the attacker has made Burp Suite's proxy listener bind to
port 443 (HTTPS). After binding to the port, the attacker turns on "Intercept" to
capture the HTTPS request. When the victim requests an HTTPS website, his
request reaches the router and, due to ARP poisoning and IP forwarding, the
request is routed through the attacker's machine and the attacker can view the
request in plain text format. The attacker has full control over the captured
HTTPS request. He can forward the request, drop the request, or even
perform a MITM attack by redirecting the victim to a malicious website by adding a
Location response header in the captured HTTPS request and forwarding the
request to the victim.
Fig.5. Intercepting SSL Credentials using Burp Suite
The above picture shows the HTTPS request captured by the attacker with the
help of Burp Suite's interceptor tool. The HTTPS request captured above contains
sensitive credentials like the username and password, and by capturing the
request the attacker can view the plain text credentials, hack into the victim's
account and gain access to their profiles. The attacker can also use DNS spoofing
instead of ARP poisoning to intercept SSL requests. DNS spoofing is achieved by
injecting infected DNS data into the DNS resolver's cache, causing the DNS to
return a false name server, typically an IP address of the attacker's choice. This
method can be used by attackers as an alternative to ARP spoofing while capturing
the HTTPS request in the local network.
6. Prevention
• Use a Virtual Private Network (VPN). This will tunnel your traffic and protect
your credentials from the attacker.
• Place a good intrusion detection system in your network.
• Configure secure MAC addresses in the router to detect security violations and
ARP spoofing.
• To instantly detect the attack, type arp -an in a Linux terminal and look for
the same MAC address appearing more than once in the ARP table.
• Setting up a static ARP entry in the ARP cache for frequently
communicating machines in the local network may reduce this attack.
• Use Snort for real-time traffic analysis.
• UNIX utilities like arpWatch, arpSNMP and arpON do a decent job of
detecting these attacks.
• Use spoof-proof switches to stay away from spoofing attacks.
• Monitor ARP spoofing logs using CISCO routers.
• Reset the ARP table in case of an ARP denial-of-service attack.
• Buying a third party ARP spoofing detection tool or anti ARP tools. Ex :
• Installation of Packet Filtering and Inspection Tools
• Try spoofing your Own Network after implementation of the above listed
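
The arp -an check from the list above, automated as an added example that is not part of the original paper: it parses Linux `arp -an` output and reports every MAC address that answers for more than one IP on the same interface. The function name duplicate_macs, the gateway_ip parameter and the sample table are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Matches Linux net-tools lines such as:
#   ? (192.0.2.1) at 02:00:00:00:00:01 [ether] on wlan0
ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2})\b"
    r".*\bon (?P<dev>\S+)")

def duplicate_macs(arp_output, gateway_ip=None):
    """Return ARP-table entries where one MAC answers for several IPs on an interface."""
    by_mac = defaultdict(set)
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if m is None:
            continue                      # "<incomplete>" entries and unrelated text
        # Normalise case and zero padding so equal addresses compare equal.
        mac = ":".join(f"{int(part, 16):02x}" for part in m["mac"].split(":"))
        by_mac[(m["dev"], mac)].add(m["ip"])
    findings = []
    for (dev, mac), ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append({"dev": dev, "mac": mac,
                             "ips": sorted(ips, key=ip_address),
                             # The gateway sharing a MAC with another host is the
                             # pattern the poisoning described in this paper leaves.
                             "includes_gateway": gateway_ip in ips})
    return findings

# Constructed sample of `arp -an` output (documentation addresses, not a real capture).
SAMPLE = """\
? (192.0.2.1) at 02:00:00:00:00:66 [ether] on wlan0
? (192.0.2.50) at 02:00:00:00:00:50 [ether] on wlan0
? (192.0.2.66) at 02:00:00:00:00:66 [ether] on wlan0
? (192.0.2.77) at <incomplete> on wlan0
"""

if __name__ == "__main__":
    for finding in duplicate_macs(SAMPLE, gateway_ip="192.0.2.1"):
        print(finding)
```

A host that legitimately holds several IP addresses also shows up here, so a finding that includes the gateway is the one to investigate first.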
7. Conclusion and Future Work
The attack scenario explained above is confined to the local network. The
attacker cannot poison the ARP tables of a remote network to which he has no
access. Similarly, the attack cannot be carried out on a remote host that is outside
your network. Therefore, future research can be attempted to perform this attack on
a remote victim who is outside your local network. ARP still remains a stateless
protocol for several reasons. Research can be done to mould ARP into a constant
and secure protocol.