MITM 2: The OSI model (layer 1-2-3)

Posted on January 17, 2012



The Man In The Middle (MITM) attack described in this series uses the ARP protocol to:

  • impersonate the router used as default gateway, from the target computer's point of view;
  • impersonate the target computer, from the router's point of view.

Once the impersonation is done, the attacker uses the IP protocol to:

  • forward the traffic from the target computer to the router;
  • forward the traffic from the router to the target computer.

From then on, every IP exchange between the victim computer and the Internet passes through the attacker, who can read its content (including any login and password sent in cleartext) and even tamper with it. Traffic protected end to end, for instance by TLS, still flows through the attacker, but its content cannot be read or altered without also defeating that encryption.

OSI model

Before learning how to perform the attack, it is important to understand how Internet communications work. A communications system can be broken down into several abstraction layers according to the purpose of the protocol used, which makes the concepts easier to understand. The OSI model is one of the most widely used standards for describing a communications system. It is split into 7 layers: physical, data link, network, transport, session, presentation and application. Only the second and third layers are involved in the ARP-based MITM attack, so only the first three layers are described here, from an Internet communication point of view.

Physical layer

This layer describes the physical specifications of the communication: the carrier (e.g. RJ45 twisted pair, optical fibre, radio), the modulation (e.g. PSK, FSK, ASK) and the encoding (e.g. Manchester, NRZ).

Data link layer

This layer is responsible for physical addressing. Each interface connected to a network has a unique number, its MAC address. The data link layer carries frames between directly connected devices (point to point). Switches operate at layers 1 and 2. In private networks, computers are connected to a switch, which keeps in memory a table binding each of its ports to the MAC addresses seen on it. The switch fills this table by itself, by noting the source MAC address of every frame it receives on a port.

For instance, in a communication between computer A (MAC address 12:34:56:78:9A:BC) and computer B (MAC address FE:DC:BA:98:76:54), computer A creates a frame with source address 12:34:56:78:9A:BC and destination address FE:DC:BA:98:76:54. The frame is carried by the physical layer to the switch. The switch looks up FE:DC:BA:98:76:54 in its table to find the port bound to that address and forwards the frame on that port only. If the address is not in the table yet, the switch floods the frame on every port except the one it came from.

Network layer

This layer is responsible for determining the path that packets follow between two devices on different networks. Devices using the third layer have a logical address (IP address) in addition to the physical address (MAC address). Unlike the MAC address, the logical address is not tied to a particular machine: it is assigned, can change, and has a structure that is used for routing the communication.

An IP address is structured in two parts: the network number (the network plus, where applicable, its sub-network) and the client (host) number. To illustrate the concept, the network number is like a street name while the client number is the building number. To separate the network number from the client number, the IP address is assigned together with a mask. The mask "masks" part of the IP address to reveal either the network number or the client number. Here is how it works:

IP addresses and masks consist of 4 bytes. For instance, my IP address is 10.0.1.2 and my mask is 255.255.255.0. To reveal the network number and the client number, the IP address and the mask need to be converted to binary:

  • 00001010.00000000.00000001.00000010 (the IP address)
  • 11111111.11111111.11111111.00000000 (the mask)

To get the network number, execute a logical AND between the IP address and the mask; to get the client number, execute a logical AND between the IP address and the negation of the mask.

  • 00001010.00000000.00000001.00000000 (the network number)
  • 00000000.00000000.00000000.00000010 (the client number)

Once converted back to decimal, the network number is 10.0.1.0 and the client number is 0.0.0.2. Only the network number is used for deciding the path packets follow: in a computer network, computers on the same network are connected to the same router, and networks are connected to each other through routers. Every IP device, router or not, keeps two tables: the routing table, which binds a destination network to the IP address of the next device that should handle the packet, and the ARP table, which binds an IP address on a local network to the MAC address of the interface holding it.

For instance, in a communication between computer A (10.0.1.2) and computer C (10.0.2.2), computer A sends a packet to computer C with source IP 10.0.1.2 and destination IP 10.0.2.2. Computer A first checks whether the destination IP is on the same network as its own address. Since it is not, it consults its routing table to find the IP address to which the packet should be forwarded: Router 1, 10.0.1.1.

The IP packet is then handed to the second layer: the source MAC address is set to 12:34:56:78:9A:BC. Because the destination IP is not on computer A's network, the destination MAC address is not computer C's but the one bound to 10.0.1.1 (the next hop chosen in the previous layer), i.e. Router 1's MAC address, looked up in computer A's ARP table. Finally the frame (shown below) is sent, and the switch forwards it on the port bound to that destination MAC address.

[Source MAC: Computer A | Destination MAC: Router 1] (Source IP: Computer A | Destination IP: Computer C) DATA

When Router 1 receives the frame, it checks whether the destination MAC is its own; if not, it ignores the frame. Since it is, the router decapsulates the frame to get the IP packet and checks the destination IP. As the destination IP is not on any of its own networks, it consults its routing table to learn which device should handle the packet next: Router 2 (10.0.3.2).

The IP packet is then handed to the second layer: the source MAC address is that of Router 1's interface on the network shared with Router 2 (10.0.3.1), and the destination MAC address is the one bound to Router 2's IP (10.0.3.2), found in Router 1's ARP table (if the entry is missing, the router first sends an ARP request). Finally the frame (shown below) is sent out of that interface.

[Source MAC: Router 1 | Destination MAC: Router 2] (Source IP: Computer A | Destination IP: Computer C) DATA

When Router 2 receives the frame, it checks whether the destination MAC is its own; if not, it ignores the frame. Since it is, the router decapsulates the frame to get the IP packet and checks the destination IP. As the destination IP belongs to one of its own networks, no routing table lookup is needed: the packet goes straight to the second layer, with the source MAC address set to that of Router 2's interface on computer C's network (10.0.2.1) and the destination MAC address set to computer C's, found in Router 2's ARP table. Finally the frame (shown below) is sent out of that interface.

[Source MAC: Router 2 | Destination MAC: Computer C] (Source IP: Computer A | Destination IP: Computer C) DATA

When computer C receives the frame, it checks whether the destination MAC is its own, then whether the destination IP is its own. Since both match, it decapsulates the packet and reads the data. Note that the IP header has not changed along the way, while the MAC addresses were rewritten at every hop: that is exactly the property the ARP-based MITM exploits, since redirecting the first hop at layer 2 leaves nothing visible at layer 3.
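The following script is an added example, not code from the original post. It reproduces both the mask arithmetic of the previous section (network and client number by bitwise AND) and the hop-by-hop walk from computer A to computer C above, and it goes one step further than the text by choosing routes with the longest matching mask, which is the general rule routers apply. The topology is constructed to match the post: every MAC address except computer A's, the attacker's 10.0.1.3 address, and the device, route and ARP table layout are assumptions made for the example. The last function shows what the MITM described at the top of the post relies on: overwriting A's ARP entry for the gateway sends A's first frame to the attacker while the IP header still reads computer A to computer C.

```python
import ipaddress

# Added example, not code from the original post. The topology follows the
# post's walk-through (Computer A -> Router 1 -> Router 2 -> Computer C); every
# MAC address except Computer A's, and the attacker's address, is constructed.


def split_address(ip, mask):
    """Network and host parts of `ip` under `mask`, by bitwise AND as in the post."""
    ip_i, mask_i = int(ipaddress.IPv4Address(ip)), int(ipaddress.IPv4Address(mask))
    network = ip_i & mask_i
    host = ip_i & (~mask_i & 0xFFFFFFFF)  # AND with the mask's negation
    return str(ipaddress.IPv4Address(network)), str(ipaddress.IPv4Address(host))


def same_network(ip_a, ip_b, mask):
    """True when both addresses share the network number under `mask`."""
    return split_address(ip_a, mask)[0] == split_address(ip_b, mask)[0]


class Device:
    def __init__(self, name, interfaces, routes=(), arp=None):
        self.name = name
        self.interfaces = interfaces      # list of (ip, mask, mac)
        self.routes = list(routes)        # list of (network, mask, next_hop_ip)
        self.arp = dict(arp or {})        # ARP table: ip -> mac

    def interface_for(self, ip):
        """The interface whose network contains `ip`, or None."""
        for iface in self.interfaces:
            if same_network(iface[0], ip, iface[1]):
                return iface
        return None

    def next_hop(self, dst_ip):
        """Directly connected networks are delivered to; otherwise pick the
        matching route with the longest mask (the general routing rule)."""
        if self.interface_for(dst_ip):
            return dst_ip
        best = None
        for net, mask, via in self.routes:
            if same_network(net, dst_ip, mask):
                bits = bin(int(ipaddress.IPv4Address(mask))).count("1")
                if best is None or bits > best[0]:
                    best = (bits, via)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst_ip}")
        return best[1]

    def build_frame(self, src_ip, dst_ip):
        """Layer-2 encapsulation: source MAC is the outgoing interface, destination
        MAC comes from the ARP table (a miss would trigger an ARP request)."""
        hop = self.next_hop(dst_ip)
        out_iface = self.interface_for(hop)
        return {"src_mac": out_iface[2], "dst_mac": self.arp[hop],
                "src_ip": src_ip, "dst_ip": dst_ip}


def forward(devices, sender, dst_ip):
    """Carry one packet hop by hop; return the frame header emitted at each hop."""
    by_mac = {i[2]: d for d in devices for i in d.interfaces}
    src_ip, current, frames = sender.interfaces[0][0], sender, []
    while True:
        frame = current.build_frame(src_ip, dst_ip)
        frames.append(frame)
        receiver = by_mac[frame["dst_mac"]]   # the switch delivers by destination MAC
        if any(i[0] == dst_ip for i in receiver.interfaces):
            return frames                      # destination IP is ours: read the data
        current = receiver                     # a router: decapsulate and route again


R1_LAN_MAC, R1_WAN_MAC = "02:00:00:00:01:01", "02:00:00:00:03:01"   # constructed
R2_WAN_MAC, R2_LAN_MAC = "02:00:00:00:03:02", "02:00:00:00:02:01"   # constructed
C_MAC, ATTACKER_MAC = "02:00:00:00:02:02", "02:00:00:00:01:66"      # constructed
MASK = "255.255.255.0"

A = Device("Computer A", [("10.0.1.2", MASK, "12:34:56:78:9A:BC")],
           routes=[("0.0.0.0", "0.0.0.0", "10.0.1.1")], arp={"10.0.1.1": R1_LAN_MAC})
R1 = Device("Router 1", [("10.0.1.1", MASK, R1_LAN_MAC), ("10.0.3.1", MASK, R1_WAN_MAC)],
            routes=[("10.0.2.0", MASK, "10.0.3.2")], arp={"10.0.3.2": R2_WAN_MAC})
R2 = Device("Router 2", [("10.0.3.2", MASK, R2_WAN_MAC), ("10.0.2.1", MASK, R2_LAN_MAC)],
            routes=[("10.0.1.0", MASK, "10.0.3.1")], arp={"10.0.2.2": C_MAC})
C = Device("Computer C", [("10.0.2.2", MASK, C_MAC)],
           routes=[("0.0.0.0", "0.0.0.0", "10.0.2.1")], arp={"10.0.2.1": R2_LAN_MAC})
ATTACKER = Device("Attacker", [("10.0.1.3", MASK, ATTACKER_MAC)])   # hypothetical host on A's LAN
DEVICES = [A, R1, R2, C, ATTACKER]


def trace_a_to_c():
    """The three frames of the post: MACs change per hop, the IP header never does."""
    return forward(DEVICES, A, "10.0.2.2")


def first_frame_after_arp_spoof():
    """If A's ARP entry for the gateway 10.0.1.1 is overwritten with the attacker's
    MAC, A's first frame goes to the attacker while the IP header is unchanged."""
    A.arp["10.0.1.1"] = ATTACKER_MAC
    try:
        return A.build_frame("10.0.1.2", "10.0.2.2")
    finally:
        A.arp["10.0.1.1"] = R1_LAN_MAC      # restore the legitimate entry


if __name__ == "__main__":
    for hop, f in enumerate(trace_a_to_c(), 1):
        print(f"hop {hop}: [{f['src_mac']} -> {f['dst_mac']}] ({f['src_ip']} -> {f['dst_ip']})")
    print("after ARP spoof:", first_frame_after_arp_spoof())
```

Running it prints the three bracketed frame headers of the walk-through in order, then the first frame as it would look once computer A's ARP table has been poisoned: same source and destination IP, but a destination MAC that belongs to the attacker rather than to Router 1.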

Posted in: Tutorials