Intercept: MITM Field Manual

A deep technical dive into how MITM attacks actually work in Ethernet, IPv4, and IPv6 networks from ARP and DHCP to IPv6 RA, DNS, and FHRP spoofing.

Intro

MITM attacks are widely used by penetration testers, as they have a significant impact in allowing them to intercept credentials from various services. MITM is also often part of relay attacks, when the attacker performs lateral movement across the infrastructure. However, conducting MITM attacks carries certain risks. In general, the concept of network spoofing is quite simple: just pretend to be the default gateway or DNS server that end hosts access. But if you make mistakes or lack knowledge of how networks work, you can disrupt the normal operation of the infrastructure. Network administrators, in particular, have never liked such attacks because of the high risk of disruption.

There is a lot of material on MITM attacks online, with examples of how to use various tools. But in this article, I will focus on how to perform MITM correctly. I will also focus on practical MITM attacks that have a tangible impact. The purpose of this article is not to teach MITM attacks from scratch; my goal is to give you a better understanding of the processes that occur during MITM attacks.

Disclaimer

This material is for educational purposes only and is intended for information security professionals. All examples and techniques are provided to demonstrate possible attack vectors and the subsequent development and integration of defense mechanisms. The use of the methods described outside of a legal and agreed-upon context is not permitted. Responsibility for the use of this information lies solely with the reader.

Preparing

First and foremost, before performing a MITM attack, the attacker must assess their risks and ensure that their OS is running smoothly, checking that there are no specific configurations that could interfere with normal traffic flow. In this chapter, I will discuss the best practices.

1. Promiscuous Mode

You need to switch your network adapter to promiscuous mode so that it can capture all network packets passing through the network segment:

:~$ sudo ip link set dev {iface} promisc on

2. Firewall

Check your firewall settings to make sure there aren't any rules that could mess up traffic after MITM:

:~$ sudo iptables -L
:~$ sudo iptables -t nat -L
:~$ sudo iptables -t mangle -L
:~$ sudo iptables -t raw -L

Netfilter is a kernel-level firewall, while iptables is an interface for managing it from userspace.

3. Routing

In Linux distributions, routing is disabled by default. You must enable it yourself. This can be done using the system utility sysctl If you do not explicitly enable routing, then when performing MITM, traffic from victims to your machine will be looped back to your interface, causing an unintended DoS.

:~$ sudo sysctl -w net.ipv4.ip_forward=1 
:~$ sudo sysctl -w net.ipv6.conf.all.forwarding=1
:~$ sudo ip6tables -A FORWARD -i {iface} -j ACCEPT

However, this method will fail if you reboot your system.

4. NAT

In most MITM scenarios, NAT is not used for the attack itself, but to see the second part of the traffic, which may potentially contain credentials. This is due to asymmetric routing, a phenomenon where traffic goes one way but returns another. Thanks to masquerading, asymmetric routing will not prevent the attacker from seeing traffic going in both directions.

:~$ sudo iptables -t nat -A POSTROUTING -o {iface} -j MASQUERADE

However, it should be understood that including NAT in a MITM scenario effectively changes the network topology at the L3 layer for the target host. For external services, multiple hosts behind the attacker begin to appear as a single source of traffic, which can lead to disruption of services tied to the IP address.

Particularly sensitive to this are:

• monitoring systems;
• protocols with high-duration connections;
• services that use reverse connections or strict ACLs.

In addition, NAT simplifies the detection of MITM presence: sudden traffic aggregation behind a single IP address, identical network parameters, and changes in behavioral patterns can be detected by monitoring and network protection tools. For this reason, NAT should be used consciously and selectively.

5. TTL Manipulation

MITM often adds an extra hop to the route: the packet physically passes through the attacker's host, which means that traceroute may show this host as a separate step. Since traceroute relies on TTL and ICMP responses from intermediate devices, any extra point on the path potentially becomes visible.

Sometimes the attacker tries to compensate for this by artificially changing the TTL of transit packets so that, from the traceroute perspective, the number of hops looks the same as before. The idea is simple: if MITM adds +1 hop, then the adjusted TTL can visually smooth out the added transition in the trace:

:~$ sudo iptables -t mangle -A PREROUTING -i {iface} -j TTL --ttl-inc 1

6. ICMP Redirect

During a MITM attack, your machine may generate ICMP Redirect packets, which may trigger IDS/IPS sensors, so disable ICMP Redirect with sysctl commands:

:~$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
:~$ sudo sysctl -w net.ipv4.conf.{iface}.send_redirects=0
:~$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
:~$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
:~$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
:~$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0

The same applies to IPv6:

:~$ sudo ip6tables -A INPUT -p ipv6-icmp --icmpv6-type redirect -j DROP
:~$ sudo ip6tables -A OUTPUT -p ipv6-icmp --icmpv6-type redirect -j DROP

7. In-line Traffic Processing (Forwarding)

During inline traffic processing in MITM, the attacker's host effectively becomes part of the data transmission path. In this mode, the load on the system is determined not only by the channel bandwidth, but also by the capabilities of the kernel network stack to process large numbers of packets and their states.

The limitations manifest themselves as follows:

• processing large amounts of traffic;
• network interface queues and delays when they are overloaded;
• an increase in the number of file descriptors;
• load on the stateful connection processing subsystem.

The following parameters are not mandatory and do not constitute a universal recipe. They are provided to help understand which Linux subsystems become bottlenecks during inline traffic processing.

8. File Descriptors

This allows you to increase the global limit for file descriptors. This is generally relevant for systems that process a large number of parallel connections.

:~$ sudo sysctl -w fs.file-max=100000

9. Queue of connections

Sets the max length of the queue of connections waiting to be accepted by the application.

:~$ sudo sysctl -w net.core.somaxconn=65535

10. Packet Queue Size

Controls the packet queue size at the network interface level. This can reduce packet loss during peak loads, but may increase latency.

:~$ sudo sysctl -w net.core.netdev_max_backlog=65536

11. TCP FIN Timeout

Allows you to reduce the connection retention time after FIN, thereby helping to free up resources faster when there are a large number of short-lived TCP sessions.

:~$ sudo sysctl -w net.ipv4.tcp_fin_timeout=15

12. TCP Window Scaling

Controls TCP window scaling. Increasing the TCP window can improve data transfer performance in networks with high latency or high load. In TCP, each side sets the window size. The corresponding number of bytes can be sent without confirmation.

:~$ sudo sysctl -w net.ipv4.tcp_window_scaling=1

In the context of inline traffic processing, such parameters can only partially mitigate the effects of increased load. They do not change the fundamental nature of an inline node, which is to aggregate traffic and the states of multiple hosts at a single point.

Credential Harvesting

One of the main goals of MITM is to intercept credentials transmitted over the network. Once intercepted, the attacker can use them for performing lateral movement. To automate the harvesting of logins and passwords in traffic, you can use the PCredz tool:

:~$ git clone https://github.com/lgandx/PCredz
:~$ sudo ./Pcredz -i {iface} -v
:~$ ./Pcredz -f capture.pcap -v

ARP Spoofing

ARP Spoofing is one of the oldest and most common methods of conducting MITM attacks on local networks. Its effectiveness is due to a fundamental feature of the ARP protocol: the absence of any authentication and a trust model for network interaction within a broadcast domain.

ARP (Address Resolution Protocol) was designed for an environment where each node is considered trusted a priori. Any host in the segment can send an ARP response, reporting the correspondence between the IP and MAC addresses, and this correspondence will be accepted by other nodes without checking the source. This model makes it possible to impose false ARP correspondences and intercept traffic between the victim and the default gateway.

The essence of ARP spoofing is that the attacker sends IS-AT type ARP frames, declaring their MAC address to be the IP address of the gateway (or another host in the segment). As a result:

• the victim begins sending traffic intended for the gateway to the attacker.
• the attacker forwards the traffic, maintaining network connectivity.
• the attacker becomes an inline node and gains the ability to analyze, modify, or redirect traffic.

It is important to understand that ARP spoofing actually changes the hosts' perception of the network topology. As a result of this