International Journal of Pure and Applied Mathematics, Volume 119 No. 12, 2018, 1187-1195. ISSN: 1314-3395 (on-line version). URL: http://www.ijpam.eu. Special Issue.

Sniffing HTTPS Traffic in LAN by Address Resolution Protocol Poisoning

Nagendran.K1, Adithyan.A1, Balaji.S1, S.Balakrishnan1
1 Department of Information Technology, Sri Krishna College of Engineering and Technology, Coimbatore, India.

Abstract

Cyber security has become an inevitable factor in today's era. Hacking and cracking attempts have risen to unimaginable levels, and securing ourselves and our surroundings from them is our prime responsibility. Today's cyber world is full of network and web application attacks. Many security researchers work day and night to find zero-days and to secure their networks against black-hat hackers. This paper describes in detail a type of attack performed on a local network and how to prevent it.

Keywords: ARP Poisoning, Network Security, Hacking, DNS Spoofing, Ettercap, Burpsuite.

1. Introduction

Man In The Middle (MITM) is an attack carried out by an intruder who intercepts the network traffic in order to steal credentials. But the intruder can only read HTTP traffic, since HTTPS traffic carries an SSL certificate as an extra layer of security. Capturing HTTP traffic can be done easily with tools like Wireshark, which displays all the inbound and outbound network traffic in the form of packets. This paper describes in detail how an attacker can sniff the SSL traffic on his local network using Address Resolution Protocol (ARP) poisoning.

2. Literature Review

M. V. Tripunitara and P. Dutta (1999) took a middleware approach to asynchronous and backward-compatible detection and prevention of ARP cache poisoning. Goyal and Rohit Tripathy (2005) presented an efficient cryptographic technique to secure against ARP spoofing. It is a well-known fact that ARP is a stateless protocol.
That is, it keeps changing the MAC address in the ARP table based on the latest received ARP reply. Zouheir Trabelsi and Wassim El-Hajj (2007) changed this and implemented a prototype of a stateful and secure ARP cache. Wesam Lootah, William Enck and Patrick McDaniel (2007) introduced a ticket-based Address Resolution Protocol as an alternative to ARP. C. L. Abad and R. I. Bonilla (2007) analysed the schemes for detecting and preventing ARP cache poisoning attacks. S. Y. Nam and D. Kim (2010) proposed an enhanced ARP poisoning prevention method based on man-in-the-middle attacks. A packet-based technique for the prevention of ARP spoofing was proposed by P. Pandey (2013).

3. Description

Most servers have an SSL certificate installed for security purposes. In general, these SSL certificates provide an additional layer of security by encrypting the communication between the server and the end user. But intruders can use specialized attack vectors to perform attacks and steal data even on SSL-enabled websites. The most common method of bypassing the SSL mechanism is SSL strip. An attacker uses SSL strip on a victim to downgrade him from HTTPS to HTTP, which is insecure. In an SSL strip attack, the attacker impersonates a proxy server, receives all the HTTPS (encrypted) requests from the victim's browser and forwards them to the server. The server responds to the proxy server (the attacker) with an HTTPS response. The attacker then changes HTTPS to HTTP and forwards the response to the victim. Thus the victim receives an HTTP response, and the information he enters through the HTTP website is compromised by the attacker. This is how SSL strip works. But this attack is prevented by the use of the HSTS (HTTP Strict Transport Security) header in HTTP requests and responses. HSTS confirms that the user is browsing via HTTPS and immediately aborts the connection if the user is not using HTTPS or a valid SSL certificate.
Though not all SSL-enabled websites use this header, most social networks do, and it stops attackers from performing SSL strip. The following method can be used as an alternative to SSL strip: an attacker captures the HTTPS traffic of his victims in a local area network without downgrading them to HTTP as is done in SSL strip. The authors are not responsible for any kind of hacktivities performed based on this paper.

4. Methodology

For this attack to take place, the attacker and the victim must be on the same network; the attack scenario is strictly LAN based. Since the aim is to intercept the network traffic of others, the attacker converts his machine into a router or gateway through which the IP packets will pass. By default, Linux discards IP packets that are not addressed to the machine, so IP forwarding must be enabled to make the IP packets pass through it. To enable IP forwarding in Linux:

    echo 1 > /proc/sys/net/ipv4/ip_forward

Linux has firewall rules for managing inbound and outbound traffic, and these rules are managed using a built-in Linux framework called iptables. Hence the attacker must add a firewall rule to accept all incoming traffic on port 443 (HTTPS) and port 80 (HTTP). Let us assume that the attacker's IP address is 192.168.43.146. The firewall rules can be added with the following commands.

Fig.1. Configuring Firewall Rules using IPtables

    iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.43.146
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.43.146

After adding the firewall rules, the attacker finds the IP address of the victim on his network. Using Ettercap, the attacker can find all the hosts connected to the network.
The attacker may even use ARP scan, in which the attacker sends an ARP request to all the clients on the network and obtains the list of devices connected to it. Ping may fail if the firewall is not configured to allow it, but ARP bypasses the firewall and still finds live hosts. The attacker must find the victim's IP to carry out ARP poisoning. Let us consider that the victim has the IP 192.168.43.244.

Fig.2. Identifying Hosts using Ettercap

5. ARP Cache Poisoning

Now ARP poisoning is carried out by the attacker to intercept the HTTPS requests. The Address Resolution Protocol (ARP) is used to link a network address to a hardware address using a data link protocol. The EtherType field of the Ethernet frame header, working at layer 2 of the OSI model, identifies whether the encapsulated layer 3 data is IPv4, IPv6 or ARP. ARP has an EtherType of 0x0806. The ARP header (28 bytes) contains the target's and sender's MAC and IP addresses. The ARP header also contains an operation code: opcode 1 denotes an ARP request and opcode 2 denotes an ARP reply.

The attacker sends spoofed ARP messages on the local area network and links his physical (MAC) address with the victim's IP address. By this, the traffic meant for the victim is received by the attacker. This process is termed ARP spoofing. Typically, all routers overwrite MAC addresses by default, and this leaves them vulnerable to ARP spoofing. When the attacker creates a large number of ARP requests impersonating the victim's MAC address, the router overwrites the attacker's MAC with the victim's MAC, poisoning the router's ARP table. When a switch is subjected to an ARP DoS attack, the switch turns "forwarding mode" on and the ARP table is flooded with spoofed ARP requests, enabling the attacker to capture the network traffic.
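The frame layout described above (EtherType 0x0806, a 28-byte ARP header, opcodes 1 and 2) is what ARP monitors such as arpwatch, named in the Prevention section below, work from. The following Python script is an added example and is not code from this paper or from any tool it names. It parses an ARP-over-Ethernet frame, keeps an IP-to-MAC table and raises an alert when the MAC claimed for an already-known IP changes (the arpwatch-style check), and it also implements the Prevention section's advice to run arp -an and look for one MAC address bound to several IPs. The frames and the arp -an output are constructed inline (the MAC addresses are made up; the IPs reuse the paper's 192.168.43.x examples), so it runs offline with no packet capture and sends nothing on the network.

```python
import re
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806   # EtherType value that marks ARP in the Ethernet header
ARP_REQUEST = 1          # operation codes carried in the 28-byte ARP header
ARP_REPLY = 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame):
    """Parse an Ethernet frame carrying ARP (IPv4 over Ethernet).
    Returns a dict with opcode and sender/target MAC and IP, or None if the
    frame is not a well-formed ARP frame."""
    if len(frame) < 14 + 28:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    # ARP header: hardware type, protocol type, hw addr len, proto addr len, opcode
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"opcode": opcode,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def make_test_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build an ARP frame as bytes to feed the detector offline. Constructed
    test input only: nothing is transmitted on any interface."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(o) for o in sender_ip.split("."))
    tip = bytes(int(o) for o in target_ip.split("."))
    eth_dst = b"\xff" * 6 if opcode == ARP_REQUEST else tmac
    eth = struct.pack("!6s6sH", eth_dst, smac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode, smac, sip, tmac, tip)
    return eth + arp


class ArpMonitor:
    """Learn IP -> MAC bindings from observed ARP frames and alert when the MAC
    claimed for an already-known IP changes (the check arpwatch performs)."""

    def __init__(self):
        self.table = {}   # ip -> most recently seen sender MAC
        self.alerts = []

    def observe(self, frame):
        info = parse_arp_frame(frame)
        if info is None:
            return None
        ip, mac = info["sender_ip"], info["sender_mac"]
        known = self.table.get(ip)
        self.table[ip] = mac
        if known is not None and known != mac:
            alert = f"{ip} changed from {known} to {mac} (opcode {info['opcode']})"
            self.alerts.append(alert)
            return alert
        return None


# Matches the "? (ip) at mac [ether] on iface" lines printed by Linux arp -an;
# "<incomplete>" entries deliberately do not match.
ARP_AN_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})")


def duplicate_macs(arp_an_output):
    """Return {mac: [ip, ...]} for every MAC the ARP table binds to more than
    one IP. On a healthy LAN the result is normally empty."""
    by_mac = defaultdict(list)
    for line in arp_an_output.splitlines():
        m = ARP_AN_LINE.search(line.lower())
        if m:
            by_mac[m.group(2)].append(m.group(1))
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed arp -an output: the router (.1) and another host (.146) share a MAC
SAMPLE_ARP_AN = """\
? (192.168.43.1) at aa:bb:cc:dd:ee:03 [ether] on wlan0
? (192.168.43.244) at aa:bb:cc:dd:ee:02 [ether] on wlan0
? (192.168.43.146) at aa:bb:cc:dd:ee:03 [ether] on wlan0
? (192.168.43.7) at <incomplete> on wlan0
"""


def demo():
    """Feed a genuine router reply and then one claiming the router's IP from a
    different (constructed) MAC; return the alerts and the arp -an duplicates."""
    mon = ArpMonitor()
    genuine = make_test_arp_frame(ARP_REPLY, "aa:bb:cc:dd:ee:01", "192.168.43.1",
                                  "aa:bb:cc:dd:ee:02", "192.168.43.244")
    changed = make_test_arp_frame(ARP_REPLY, "aa:bb:cc:dd:ee:03", "192.168.43.1",
                                  "aa:bb:cc:dd:ee:02", "192.168.43.244")
    for frame in (genuine, changed):
        mon.observe(frame)
    return mon.alerts, duplicate_macs(SAMPLE_ARP_AN)


if __name__ == "__main__":
    alerts, dups = demo()
    for a in alerts:
        print("ALERT:", a)
    for mac, ips in dups.items():
        print(f"{mac} is bound to {len(ips)} IPs: {', '.join(ips)}")
```

On a live host, ArpMonitor.observe would be fed frames from a raw socket or a pcap reader, and duplicate_macs the real output of arp -an. A single MAC answering for the gateway's IP and for another host's IP is the signature the Prevention section tells the reader to look for; a changed binding for the gateway IP is the event arpwatch logs.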
Hence ARP spoofing is also called ARP cache poisoning. It enables the attacker to intercept the data, manipulate the traffic and even stop all the traffic flowing through his network. There is a robust collection of tools available for performing this ARP poisoning attack; common ones are Ettercap and arpspoof. After a successful ARP cache poisoning, the attacker can view the images on the websites the victim visits using Driftnet, and he can sniff the emails meant for the victim's mail address using mailsnarf. Instant messages sent on social messaging platforms and files transferred on the network can be intercepted using msgsnarf and filesnarf respectively. The ARP cache poisoning attack can be carried out by the attacker using the command

    arpspoof -i wlan0 -t 192.168.43.244 192.168.43.1

where 192.168.43.244 is the victim's IP address, which the attacker is going to link with his MAC address, and 192.168.43.1 is the router's IP address.

Fig.3. ARP Poisoning using ARP Spoof

After successfully poisoning the ARP tables on the local network, the attacker intercepts the HTTPS requests using an HTTP interceptor tool. Burp Suite and Zed Attack Proxy are the most used tools for this kind of interception in web application penetration testing.

Fig.4. Configuring Burp to Capture SSL Request

This is a sample configuration done in Burp Suite for capturing the HTTPS traffic. Here the attacker has bound Burp Suite's proxy listener to port 443 (HTTPS). After binding to the port, the attacker turns on "Intercept" to capture the HTTPS request. When the victim requests an HTTPS website, his request reaches the router and, due to ARP poisoning and IP forwarding, is routed through the attacker's machine, where the attacker can view the request in plain text.
The attacker has full control over the captured HTTPS request. He can forward the request, drop it, or even perform a MITM attack by redirecting the victim to a malicious website: he adds a Location response header to the captured request and forwards it to the victim.

Fig.5. Intercepting SSL Credentials using Burp Suite

The above picture shows the HTTPS request captured by the attacker with the help of Burp Suite's Interceptor tool. The captured request contains sensitive credentials such as the username and password; by capturing the request, the attacker can view the plain-text credentials, hack into the victim's account and gain access to their profile.

The attacker can also use DNS spoofing instead of ARP poisoning to intercept SSL requests. DNS spoofing is achieved by injecting corrupted DNS data into the DNS resolver's cache, causing the resolver to return a false name server, typically an IP address of the attacker's choice. Attackers can use this method as an alternative to ARP spoofing when capturing HTTPS requests on the local network.

6. Prevention

• Use a Virtual Private Network (VPN). This will tunnel your traffic and protect your credentials from the attacker.
• Place a good intrusion detection system in your network.
• Configure secure MAC addresses in the router to detect security violations and ARP spoofing.
• To detect the attack instantly, type arp -an in a Linux terminal and look for the same MAC address appearing more than once in the ARP table.
• Set up static ARP entries in the ARP cache for machines that frequently communicate on the local network; this may reduce this attack.
• Use Snort for real-time traffic analysis.
• UNIX utilities like arpwatch, arpsnmp and ArpON do a decent job of detecting these attacks.
• Use spoof-proof switches to stay away from spoofing attacks.
• Monitor ARP spoofing logs on Cisco routers.
• Reset the ARP table in case of an ARP denial-of-service attack.
• Buy a third-party ARP spoofing detection tool or anti-ARP tool, e.g. XArp.
• Install packet filtering and inspection tools.
• Try spoofing your own network after implementing the measures listed above.

7. Conclusion and Future Work

The attack scenario explained above is confined to the local network. The attacker cannot poison the ARP tables of a remote network to which he has no access. Similarly, the attack cannot be carried out on a remote host outside your network. Therefore, future research could attempt to perform this attack on a remote victim outside the local network. ARP still remains a stateless protocol for several reasons. Research can be done to mould ARP into a consistent and secure protocol.

References

1. Navid Behboodian, "ARP Poisoning Attack: An Introduction to Attack and Mitigations", CreateSpace Independent Publishing Platform, 2 January 2012.
2. Indranil Jana, "Effect of ARP poisoning attacks on modern operating systems", Information Security Journal: A Global Perspective, pp. 1, 2016, ISSN 1939-3555.
3. B. Prabadevi, N. Jeyanthi, "Security Solution for ARP Cache Poisoning Attacks in Large Data Centre Networks", Cybernetics and Information Technologies, vol. 17, 2017, ISSN 1314-4081.
4. Sumit Kumar, Shashikala Tapaswi, "A centralized detection and prevention technique against ARP poisoning", Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), 2012 International Conference on, pp. 259-264, 2012.
5. Bastian Ballmann, "Understanding Network Hacks: Attack and Defense with Python", Springer, 2015.
6. Wang Shuwen, "A Lightweight ARP Spoofing Detection Mechanism Using ICMP and ARP Replies in WLAN", National Cheng Kung University Institute of Computer & Communication, 2017.
7. Haider Salim, Zhitang Li, Hao Tu, and Zhengbiao Guo, "A Client/Server Based Mechanism to Prevent ARP Spoofing Attacks", Network Center, Huazhong University of Science and Technology.
8. Zouheir Trabelsi, Kadhim Hayawi, Arwa Al Braiki, Sujith Samuel Mathew, "Network Attacks and Defenses: A Hands-on Approach", CRC Press.
9. Working of ARP by Cisco, https://www.cisco.com/c/en/us/td/docs/iosxml/ios/ipaddr_arp/configuration/xe-3se/3850/arp-xe-3se-3850book/arp-config-arp.pdf
10. Akash Mahajan, "Burp Suite Essentials", Packt Publishing Limited, 28 November 2014.