Man-in-the-Middle Attacks

A man-in-the-middle attack is a natural follow-up action for a criminal hacker after he successfully performs a spoofing attack. While some passive hackers are content simply to view the data they need, listening in on a vulnerable host without manipulating anything, others may want to perform an active attack right after successfully pulling off a spoofing attack.
A man-in-the-middle attack can be performed when a hacker conducts ARP spoofing, which is done by sending false Address Resolution Protocol (ARP) messages over the infiltrated local area network. When pulled off successfully, the falsified ARP messages link the hacker's MAC address to the IP address of a legitimate user or an entire server in the targeted network. Once the hacker has linked his MAC address to a legitimate IP address, he receives all data that other users on the network send to the IP address he is using. Since he already has access to all data that the hacked user (the owner of the IP address) enters and the information that he is receiving over the network, the hacker can opt to do the following during an ARP spoofing session:

1. Session hijacking: this allows the hacker to use the spoofed ARP to steal a user's session ID, and then use those credentials at a later time to gain access to an account.
2. Denial of Service attack: this attack can be done when ARP spoofing is used to link multiple IP addresses to a targeted device's MAC address. What happens in this type of attack is that all the data that is supposed to be sent to the other IP addresses is instead redirected to a single device, which can result in a data overload. You will learn more about DoS attacks in a later chapter.

3. Man-in-the-middle attack: the hacker pretends to be non-existent in a network, and then intercepts or modifies messages that are being sent between two or more victims.

Here is how a hacker may conduct ARP spoofing to perform a man-in-the-middle attack using a tool called Backtrack, a hacking toolkit that is similar to Kali Linux:

Step 1: Sniff out the data you need

This can be done by using the tools Wireshark, dsniff, and tcpdump. By firing up these tools, you can see all the traffic that you can connect to through wireless or wired networks.
Step 2: Use a wireless adapter and put it into monitor mode

When you place your wireless adapter or your NIC into monitor mode, you will be able to pick up all the traffic available to your connection, even traffic that is not intended for your IP address. If you are connected to a hubbed network, you can pick up the traffic that you need without any difficulty. However, if you are planning to infiltrate a switched system, you may need to opt for a different tactic, since switches regulate the traffic and ensure that specific data packets are sent to specific MAC addresses or IP addresses.

If you want to bypass switches, or at least know what types of information are being sent to other users, you can attempt to change the entries on the CAM table that maps out IP and MAC addresses that send information to each other. If you change the entries, you can successfully get the traffic intended for somebody else. To do this, you need to perform an ARP spoofing attack.
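Both ARP effects described above leave a trace a defender can watch for: an IP address that suddenly answers from a different MAC address (the session hijacking and man-in-the-middle cases), and one MAC address claiming several IP addresses (the denial-of-service case). The following Python monitor is an added example, not part of the original text; the names `parse_arp`, `ArpWatch`, `make_arp` and `run_sample` and all addresses are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP payload, else None."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, payload[8:14].hex(":"), ".".join(map(str, payload[14:18]))

class ArpWatch:
    def __init__(self, max_ips_per_mac=1):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.max_ips_per_mac = max_ips_per_mac  # raise for routers or multi-homed hosts

    def observe(self, payload):
        """Record the sender binding of one ARP message and return any alerts."""
        parsed = parse_arp(payload)
        if parsed is None:
            return []
        _, mac, ip = parsed
        alerts, old = [], self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            # A known IP now answers from another MAC: the hijack / MITM case.
            alerts.append(f"REBIND {ip}: {old} -> {mac}")
            self.mac_to_ips[old].discard(ip)
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > self.max_ips_per_mac:
            # One MAC claims several IPs: the traffic-redirection / DoS case.
            alerts.append(f"MULTI {mac} claims {sorted(self.mac_to_ips[mac])}")
        return alerts

def make_arp(oper, mac, ip):
    """Build a constructed ARP payload (target fields zeroed) for the sample run."""
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = bytes(int(o) for o in ip.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + bytes(10)

def run_sample():
    """Constructed traffic: two legitimate replies, then one MAC claims both IPs."""
    watch = ArpWatch()
    frames = [make_arp(2, "aa:aa:aa:aa:aa:01", "192.168.1.1"),
              make_arp(2, "aa:aa:aa:aa:aa:10", "192.168.1.10"),
              make_arp(2, "aa:aa:aa:aa:aa:66", "192.168.1.1"),
              make_arp(2, "aa:aa:aa:aa:aa:66", "192.168.1.10")]
    return [watch.observe(f) for f in frames]
```

Legitimate events such as DHCP lease changes, failover pairs and hosts with several addresses also trigger these alerts, so in practice the output is compared against a known list of gateway and server bindings.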