2.4 – Social Engineering - On-Path Attacks

Questions and Answers

Which security vulnerability is exploited in an ARP poisoning attack?

• The automatic updating of ARP caches with verified information.
• The lack of authentication mechanisms in the ARP process. (correct)
• The reliance on encrypted communication channels between devices.
• The use of strong passwords for ARP requests.

In an ARP poisoning attack, what is the initial step taken by an attacker?

• Disabling the router's firewall.
• Flooding the network with SYN packets.
• Gaining physical access to the target devices.
• Sending a spoofed ARP response to the victim's device. (correct)

What information is contained within an ARP cache?

• A mapping of IP addresses to their associated MAC addresses. (correct)
• Encryption keys for secure communication.
• A record of visited websites and login credentials.
• A list of domain names and their corresponding IP addresses.

What is the primary advantage of an on-path browser attack compared to ARP poisoning?

It can bypass encryption by capturing data within the browser. (C)

How does an attacker complete an ARP poisoning attack to effectively monitor traffic?

By poisoning the ARP cache of both the victim and the router. (D)

What is a key limitation of ARP poisoning that on-path browser attacks overcome?

ARP poisoning is limited to the local subnet. (A)

After a successful ARP poisoning, where does the victim's traffic initially get directed?

To the attacker's machine. (B)

What type of information is most vulnerable to capture during an on-path browser attack?

Usernames and passwords entered into web forms. (D)

In an ARP poisoning scenario, how does the attacker typically maintain the flow of network traffic between the victim and the intended destination?

By forwarding the traffic between the victim and the destination after inspecting it. (D)

What is the purpose of sending an ARP broadcast message?

To determine the MAC address associated with a known IP address. (C)

How does the lifespan of entries in the ARP cache affect network communication?

Expired entries force devices to re-resolve MAC addresses, increasing network overhead. (B)

Why is capturing information within a browser during an on-path browser attack particularly advantageous for attackers?

Information is captured before it is encrypted by the browser. (A)

What makes on-path attacks difficult to detect from an end user's perspective?

The user is typically unaware that a third party is intercepting their communication. (C)

What is the significance of the attacker performing the same ARP poisoning attack to the router as well as the laptop?

It ensures that the attacker intercepts traffic in both directions. (D)

What is the immediate consequence of a laptop's ARP cache being poisoned?

The laptop sends data intended for the router to the attacker instead. (D)

Flashcards

On-Path Attack

An attack where an attacker intercepts and potentially modifies communication between two devices without their knowledge.

ARP Poisoning

An on-path attack on a local subnet that exploits ARP's lack of security to intercept communication.

ARP Cache

A table on a device that stores IP address to MAC address mappings, facilitating network communication.

ARP Spoofing

Sending unsolicited ARP replies to map the attacker's MAC address to the IP address of a legitimate device.

On-Path Browser Attack

Gaining unauthorized access to a device and installing malware to intercept browser communications before encryption.

Study Notes

• An on-path attack allows an attacker to intercept and view communications between two devices, and sometimes modify the data exchanged. It's also known as a man-in-the-middle attack. End users are typically unaware of the attacker's presence.

ARP Poisoning

• This is a type of on-path attack that occurs on a local subnet, exploiting the lack of security in ARP.
• Every device maintains an ARP cache, mapping IP addresses to MAC addresses. This cache is initially empty and populates as the device communicates with others.
• A laptop with IP address 192.168.1.9 and MAC address ending in 38 d5 needs to communicate with a router at 192.168.1.1, with a MAC address ending in bb fe.
• The laptop broadcasts an ARP message: "Who is 192.168.1.1?" to resolve the router's MAC address.
• The router responds with its MAC address (ending in bb fe), which the laptop then stores in its ARP cache, associating the IP address 192.168.1.1 with this MAC address of the router.
• The ARP cache entries expire after a few minutes on most systems, requiring the ARP process to repeat.
• The lack of security, such as usernames, passwords, or mutual authentication, makes ARP vulnerable to attacks.
• An attacker on the same local network, with an IP address of 192.168.1.14 and a MAC address ending in ee ff, sends a spoofed ARP response.
• The spoofed response claims that the attacker is 192.168.1.1 and provides the attacker's MAC address (ee ff).
• Upon receiving this, the laptop updates its ARP cache, incorrectly associating the router's IP address (192.168.1.1) with the attacker's MAC address (ee ff).
• Traffic intended for the router is now sent to the attacker.
• To complete the attack, the attacker performs the same ARP poisoning on the router.
• The attacker can now intercepts and monitors of all traffic between the laptop and the router.
• Limitations include the attacker needing access to the network and being on the same IP subnet as the target devices.

On-Path Browser Attack

• An on-path browser attack involves malware inside the user's web browser.
• It circumvents the limitations of ARP poisoning, as the attacker doesn't need local network access or to be on the same subnet.
• The attacker can capture unencrypted data within the browser, even if the network traffic is encrypted.
• The attacker gains access to anything typed into the browser as well as information sent and received.
• By capturing login credentials, the attacker can control the system, open sessions, and perform actions like transferring money.