Simple man-in-the-middle detectors?

Wognath
Posts: 423
Joined: Sun 19 Apr 2009, 17:23

#1 Post by Wognath »

Hello,
I posted a question in the Programming section about the awk syntax in a mitm detector. My followup questions about the detector itself are more appropriate here.

The first script prints a warning if a duplicate mac address appears in /proc/net/arp
:?: Why would a mitm produce a duplicate entry in /proc/net/arp?

The second script warns if mac address (of the router, I think) changes.
:?: Am I right that this script is pointless unless I can be sure my initial connection is to the intended router?

:?: Is it true that a mitm produces either a duplicate mac or a new one? It can't really be that simple, right?

Note: I have no need to use these, I would just like to understand how (or if) they work. Thanks in advance.

april

#2 Post by april »

I'd like to understand that too, but first: "mitm" stands for "man in the middle", and it is where an alien invasive web site inserts itself as a part of the line of communication on the internet?

So how is that done? Each site has an IP, so another hooking in must show somewhere. Mac numbers are supposed to be unique, so I would have thought a change of IP would be looked for.

Wognath
Posts: 423
Joined: Sun 19 Apr 2009, 17:23

#3 Post by Wognath »

My understanding of this is limited, which is why I'm asking about it :wink: . I believe the possibility addressed by the scripts is this:
https://www.ab9il.net/wlan-projects/wifi-security2.html wrote:
In wireless networking, the MITM scheme is implemented in a number of ways. One is to operate a rogue access point resembling a legitimate wireless hotspot. Often the real access point is jammed or blocked while the rogue, with the same SSID, is in the clear with a strong signal [and a different mac address?]. Another method is to break a client's connection and lure the client's hardware into reconnecting to the middleman. In this case the middleman has faked the access point MAC address. [so, a duplicate in arp?]

I see this example a lot: the mitm, acting as my router, establishes https to my bank and to me (using its own certificate and a faked web page) and reads private information by allowing me to log in through him.
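To make concrete what the two scripts from post #1 are looking for in /proc/net/arp, and the "faked access point MAC" case quoted in post #3, here is an added example written for this thread (it is not the poster's awk script and not code from the linked site). It parses the /proc/net/arp table layout, reports any MAC address claimed by more than one IP, and reports a change in the gateway's MAC relative to a saved baseline. The gateway address 192.168.1.1 and both tables are constructed sample data, and the baseline is assumed to have been captured while the connection was known to be good, which is exactly the limitation raised in the second question.

```python
"""Two ARP-table checks: duplicate MAC addresses, and a changed gateway MAC.

Example code written for this thread; not the forum poster's script.
Both sample tables below are constructed, not captured from a real host.
"""
import os

# Assumed gateway address for the constructed samples.
GATEWAY_IP = "192.168.1.1"

# Constructed table in /proc/net/arp layout, taken as the trusted baseline.
ARP_BASELINE = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:01     *        wlan0
192.168.1.20     0x1         0x2         aa:bb:cc:00:00:20     *        wlan0
192.168.1.99     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

# Constructed table after the gateway IP has been re-mapped to another
# host's MAC: the gateway entry now carries the same MAC as 192.168.1.77.
ARP_POISONED = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:77     *        wlan0
192.168.1.20     0x1         0x2         aa:bb:cc:00:00:20     *        wlan0
192.168.1.77     0x1         0x2         aa:bb:cc:00:00:77     *        wlan0
"""

ATF_COM = 0x2  # flag bit set on completed (resolved) ARP entries


def parse_arp(text):
    """Return [(ip, mac, device)] for completed entries; skip the header
    line and incomplete entries (flags without ATF_COM, MAC all zeros)."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = fields[:6]
        if int(flags, 16) & ATF_COM == 0:
            continue
        entries.append((ip, mac.lower(), dev))
    return entries


def duplicate_macs(entries):
    """Map each MAC that is claimed by more than one IP to the list of IPs."""
    by_mac = {}
    for ip, mac, _dev in entries:
        by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac(entries, gateway_ip):
    """Return the MAC currently recorded for the gateway IP, or None."""
    for ip, mac, _dev in entries:
        if ip == gateway_ip:
            return mac
    return None


def check(baseline_text, current_text, gateway_ip):
    """Return a list of warning strings; an empty list means nothing unusual.
    A duplicate MAC is only a hint (one host may legitimately hold several
    IPs), and the gateway check is only as good as the baseline it trusts."""
    base = parse_arp(baseline_text)
    cur = parse_arp(current_text)
    warnings = []
    for mac, ips in sorted(duplicate_macs(cur).items()):
        warnings.append("duplicate MAC %s claimed by %s" % (mac, ", ".join(ips)))
    old, new = gateway_mac(base, gateway_ip), gateway_mac(cur, gateway_ip)
    if old and new and old != new:
        warnings.append("gateway %s MAC changed from %s to %s" % (gateway_ip, old, new))
    return warnings


def read_live_arp(path="/proc/net/arp"):
    """Read the live table on Linux; return None elsewhere so the constructed
    samples can still be used for demonstration."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    # Demonstration on the constructed tables: the first comparison is clean,
    # the second reports both the duplicate MAC and the gateway change.
    for label, current in (("baseline", ARP_BASELINE), ("poisoned", ARP_POISONED)):
        print(label, check(ARP_BASELINE, current, GATEWAY_IP) or ["ok"])
```

Run it on a Linux host by saving a copy of /proc/net/arp as the baseline (via read_live_arp) while you trust the connection, then feeding later readings to check(). Both checks answer the thread's third question in the same way: they catch the cases where a spoofed gateway shows up as a duplicate MAC or as a MAC change, and nothing else, so a rogue access point that has its own MAC and was the first thing you ever connected to produces no warning from either.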

april

#4 Post by april »

If your wifi connected to the MITM's wifi then you would have the MITM's SSID name and his MAC number so I don't see how you would know any different.

If that helps. I hope someone might jump in with a bit of understanding and help us both out. Sorry to mess up your thread.

Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#5 Post by Scooby »

Read more about ARP spoofing:

https://en.wikipedia.org/wiki/ARP_spoofing

Quote from that URL:
ARP spoofing attacks can be run from a compromised host on the LAN, or
from an attacker's machine that is connected directly to the target
LAN.

Doesn't seem to be possible to attack from the internet?

Wognath
Posts: 423
Joined: Sun 19 Apr 2009, 17:23

#6 Post by Wognath »

Scooby, thanks, that link was informative. Beginning to understand better :? My impression is that each detector might pick up one particular kind of mitm.
April: Mess up my thread? On the contrary, it's good to know that someone else is interested and asking better questions!
