Your machine can send itself packets to the loopback address.
Wireshark is a good idea. The mechanism (or one mechanism) for a MITM over a wifi network is for the attacker to ARP poison you and the router so that each thinks that the attacker's machine is the other. So if you see lots of ARPs, it could be this.
A quick look on airodump for other stuff on your network might help, as could an nmap scan over your private IP range looking for other devices.
There are other (better) ways to MITM a wireless network - Jasager, etc. If you're really that worried, factory reset your router, update your firmware, change your key to something nice and strong and move to a better crypto like WPA2, or use a wire/SSL. Oh, and try entering an incorrect network key; if you still connect, it's probably a Jasager.
Edit: misread WAN as WLAN. Derp.
Yes, I understand ARP poisoning; that's why I mentioned clearing the ARP cache, which in turn forces a home-generated ARP request/response pair.
But I am trying to understand how a WAN-based MITM attack can be mounted. Until I understand this I can't start looking around for those tell-tale signs. Agreed that the router is central, but I also have a dynamic WAN IP address. So if there is a WAN-based MITM attack taking place, then there must be something on my PC to tell said MITM what my IP address is, unless the router firmware has been in some way modified.
As far as the LAN goes, I have audited all the IP address/MAC pairs on my LAN, viewed the contents of the ARP cache and it all looks OK.
Regards
Richard
Look into something called source routing; it's a bit old now of course.
If you've done a proper sweep of the network and can't see any unexpected devices using something like nmap -PP/PE/PM/PS etc., then the problem is unlikely to be something on your network. Time to start looking at your actual router as a next step: has someone wandered in and physically intercepted a cable or some hardware? Has someone got into the router itself? Have you been rooted?
If this all comes up negative then it's time to call in the pros and/or switch to entirely encrypted comms.
NMAP is on the TODO list, so no I haven't done a sweep as yet.
But the ARP cache shows only expected MAC entries, except for some 224.0.0.nnn multicast thing and another LAN IP address which is marked as a broadcast address. But these types of entries also showed up on other systems, so for the time being I am accepting them as genuine.
Didn't know about 'source routing' although I think I can guess what it does and it sounds like the kind of thing I'm looking for, so thanks for that.
Regards
Richard
I would second (third?) Wireshark.
By examining the content and types of the packets, you may find out more about the possible data.
If your machine is truly impacted by a man-in-the-middle attack, the packets have a purpose. Once you figure out the purpose, you may be able to figure out further how the attack is performed.
Do you have any idea how many packets that would mean examining? And a lot of them are SSL encrypted. I understand where you're coming from, but it's just not a practical solution. All the malware forensic books I've looked at start with detecting some anomaly and working back from there.
That's not to say that I am not capturing packets. I am; in fact I am capturing 100% of internet traffic and daily filter out/delete traffic I deem to be authentic. The approach I am using was inspired by Wireshark. It just hasn't yielded any definitive results yet. So I have now moved on to look at MITM attacks. Everything I'm picking up on is consistent with this type of attack.
At the moment my more secure router is getting and blocking OSPF packets (circa 16 packets per minute) to IP address '224.0.0.5'. My knowledge of routing protocols is limited, so I have no idea if this amount of traffic is normal or not. But I can say that my router thinks that this traffic is not normal and is discarding the packets, with no ill effects being felt on the PC. So I guess that for the time being I shall just have to keep digging around until the MITM attack is either proved or can be dispelled.
Regards
Richard
Hi Richard,
A quick Google indicates that 16 pps from OSPF isn't particularly "out-there" as a figure, and that's the default multicast address, so they don't exactly look suspicious.
Your conclusion that it's most likely to be a MITM attack seems to be a bit of a stretch to me - unless you have excluded _all_ other possibilities it's one of the less likely causes of the behaviour that you are experiencing. You may well have done the following, but I'd suggest that before you continue trying to prove something like this you eliminate other problems:
1) Is your router firmware patched up to date ?
2) Is the router configured properly ? ( You've said that you're not a routing expert - do you know someone who is who could have a look ? )
3) Is your ISP configured correctly ? This is a pain, especially if it is BT, but is worth checking - they can also do a line test, which is often responsible for slow speeds and occasional drop outs.
4) Check that your AV is up-to-date, again, the behaviour that you see could be caused by malware more easily than by a MITM attack.
5) If you are using Wi-Fi check that no-one else is broadcasting on the same channels …
Incidentally, your ARP cache only speeds things up if the entries in it are correct, otherwise it slows things down - if you are on a network with a lot of changing IP allocations then the ARP cache will need to either refresh or be cleared regularly to be effective.
However, if we do assume that the ARP cache is being manipulated, then we already know that the MITM attack is occurring on the same subnet as you are on … ARP only works on the local subnet. You could verify that ARP poisoning is taking place using Wireshark, and you can circumvent it easily enough by hardcoding your ARP cache entries ( arp -s IP_ADDR ARP_ADDR ).
You also state that your PC is sending itself packets, and you list both your WAN and your LAN address - what would these packets be ? How are they going from a non-routable LAN to a WAN IP ? More information here would be good - as it's been stated earlier, there are plenty of legitimate packets that can be sent to loopback, and there are, with Windows, plenty of things shoved out to the network at large - it can get pretty noisy on even the smallest network.
Remember - just because you are paranoid, doesn't mean that they aren't out to get you 😉 You may well be right - just ensure that you eliminate everything, then whatever you are left with, however improbable, must be the truth ( with apologies to Conan Doyle ).
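Two posts above suggest checking a capture for "lots of ARPs" and verifying ARP poisoning before hardcoding entries. The following is an added example (not from any poster in this thread) of the checks a Wireshark-style review would do by hand: it scans a time-ordered list of ARP frames for one IP answered by two MACs, one MAC answering for several IPs, and replies nobody asked for. The frames, the gateway address 192.168.1.1 and the PC address 192.168.1.10 are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample ARP frames (not from a real capture). Tuple layout:
# (time_s, opcode, sender_ip, sender_mac, target_ip); opcode 1 = request, 2 = reply.
# 192.168.1.1 is assumed to be the gateway and 192.168.1.10 the PC being checked.
SAMPLE_ARP = [
    (0.0, 1, "192.168.1.10", "aa:aa:aa:aa:aa:10", "192.168.1.1"),   # PC asks who has the gateway
    (0.1, 2, "192.168.1.1",  "00:11:22:33:44:01", "192.168.1.10"),  # real gateway answers
    (1.0, 2, "192.168.1.1",  "de:ad:be:ef:00:99", "192.168.1.10"),  # unsolicited: another MAC claims the gateway
    (1.5, 2, "192.168.1.1",  "de:ad:be:ef:00:99", "192.168.1.10"),
    (2.0, 2, "192.168.1.10", "de:ad:be:ef:00:99", "192.168.1.1"),   # same MAC also claims the PC's IP
    (2.5, 1, "192.168.1.20", "aa:aa:aa:aa:aa:20", "192.168.1.30"),  # ordinary request/reply pair
    (2.6, 2, "192.168.1.30", "aa:aa:aa:aa:aa:30", "192.168.1.20"),
]


def analyse_arp(frames):
    """Look for the classic signs of ARP poisoning in a list of ARP frames:
    one IP answered by more than one MAC, one MAC answering for more than one IP,
    and replies that nobody asked for. A reply counts as solicited only if a
    request for that IP is still pending; each request is consumed by the first
    matching reply, so a flood of repeated answers shows up as unsolicited."""
    macs_for_ip = defaultdict(list)   # ip  -> MACs seen answering for it, first-seen order
    ips_for_mac = defaultdict(list)   # mac -> IPs it has answered for
    pending = defaultdict(int)        # target ip -> outstanding request count
    unsolicited = 0
    for _t, opcode, sender_ip, sender_mac, target_ip in sorted(frames):
        if opcode == 1:
            pending[target_ip] += 1
            continue
        if opcode != 2:
            continue
        if pending[sender_ip] > 0:
            pending[sender_ip] -= 1
        else:
            unsolicited += 1
        if sender_mac not in macs_for_ip[sender_ip]:
            macs_for_ip[sender_ip].append(sender_mac)
        if sender_ip not in ips_for_mac[sender_mac]:
            ips_for_mac[sender_mac].append(sender_ip)
    return {
        "ip_conflicts": {ip: macs for ip, macs in macs_for_ip.items() if len(macs) > 1},
        "multi_ip_macs": {mac: ips for mac, ips in ips_for_mac.items() if len(ips) > 1},
        "unsolicited_replies": unsolicited,
    }


if __name__ == "__main__":
    for key, value in analyse_arp(SAMPLE_ARP).items():
        print(key, value)
```

A conflict on the gateway IP is the finding that justifies pinning that entry with arp -s; a clean run over a busy capture is the evidence that the LAN side can be ruled out.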
I do. No more than 1,953,125.
Of course, you could simply use WireShark's built in "capture filter", and further reduce the subset using the "display filter".
But, this is moot as you pointed out, you are approaching it differently.
Who provides your WAN connection? What type of router do you have?
When your internet stops can you PING any IP addresses? Try doing a continuous PING to Google or something and then leave it running till the connection drops and see if the PING has dropped.
Sorry for the late reply
I agree with CaptainF. Also, as a matter of interest, what type of WAN connection are we talking about? Are we talking ADSL, Frame Relay, E1, T1, Diginet, Wifi, WiMAX? Are you using point to point or point to multipoint? Are you behind a firewall? If you are and it is set correctly, PING (ICMP) may not function. Is your network NAT'ed? If so, your single (possible) external address may be the target and not your LAN address.
As previously mentioned, all (or the majority) of the criteria you have discussed so far are LAN based and have little or nothing to do with WAN communications.
A WAN-based MITM attack acts as a proxy, as previously mentioned. It intercepts your conversation, places itself in the middle and acts as a pass-through, accepting and forwarding requests to and from your network. This is usually used as an information gathering exercise, and could be used to see what ports are open on your network etc.
Rgds
Deon.