man in the middle – MITM attack using ICMP packet injection

I came across an infosec presentation from a conference which discussed how ICMP packets can be used to compromise a connection between two machines. More specifically, they described the process as:

The attacker can forge a spoofed ICMP packet to force the host to make an ARP request. As a response, an illegitimate ARP reply is generated and effectively routes the victim’s traffic to the attacker’s machine.

But it is not clear to me how this works and how the attacker exactly would be able to compromise the connection. Could you please explain this further? Additionally, why would someone use this approach?

wifi – Why is Man In The Middle (MITM) not working with my router?

Man-in-the-Middle is not working with my router (Huawei) on my Windows machine/any device.

But it works with another router on my same Windows machine/any device.

When I do MITM with the Huawei router:

Linux MAC: a0:af:bd:c5:21:87  
Router's MAC: 7c-11-cb-1f-ad-85

My Windows ARP table before doing MITM on it:

c:\Users\acer>arp -a

Interface: 192.168.1.113 --- 0x4
 Internet Address        Physical Address      Type
 192.168.1.1             7c-11-cb-1f-ad-85     dynamic
 192.168.1.255           ff-ff-ff-ff-ff-ff     static
 224.0.0.022             01-00-5e-00-00-16     static

arpspoof to do MITM:

1st terminal:

arpspoof -i wlan0 -t 192.168.1.113 192.168.1.1

2nd terminal:

arpspoof -i wlan0 -t 192.168.1.1 192.168.1.113

Then the Windows machine ARP table is:

c:\Users\acer>arp -a

Interface: 192.168.1.113 --- 0x4
 Internet Address        Physical Address      Type
 192.168.1.1             7c-11-cb-1f-ad-85     dynamic
 192.168.1.112           a0:af:bd:c5:21:87     dynamic
 192.168.1.255           ff-ff-ff-ff-ff-ff     static
 224.0.0.022             01-00-5e-00-00-16     static

I tried with bettercap, ettercap, my own python script and I did ‘echo 1 > /proc/sys/net/ipv4/ip_forward’ in Linux. It is still not working! Not capturing anything.

The expected ARP table on Windows:

Interface: 192.168.1.113 --- 0x4
 Internet Address        Physical Address      Type
 192.168.1.1             a0:af:bd:c5:21:87     dynamic
 192.168.1.255           ff-ff-ff-ff-ff-ff     static
 224.0.0.022             01-00-5e-00-00-16     static
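A defender-side check for the situation in this post: parse two Windows `arp -a` snapshots and flag a changed gateway MAC or one MAC bound to several IPs. This is an added example, not code from the question; the snapshots are constructed from the tables quoted above (a0:af:bd:c5:21:87 is deliberately written with mixed separators to exercise normalisation).

```python
import re
from collections import defaultdict

# Constructed snapshots modelled on the `arp -a` output quoted in the question.
BASELINE = """\
Interface: 192.168.1.113 --- 0x4
 Internet Address        Physical Address      Type
 192.168.1.1             7c-11-cb-1f-ad-85     dynamic
 192.168.1.255           ff-ff-ff-ff-ff-ff     static
 224.0.0.22              01-00-5e-00-00-16     static
"""

AFTER = """\
Interface: 192.168.1.113 --- 0x4
 Internet Address        Physical Address      Type
 192.168.1.1             a0-af-bd-c5-21-87     dynamic
 192.168.1.112           a0:af:bd:c5:21:87     dynamic
 192.168.1.255           ff-ff-ff-ff-ff-ff     static
 224.0.0.22              01-00-5e-00-00-16     static
"""

# One table row: IPv4, MAC with '-' or ':' separators, entry type.
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                 r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)")


def parse_arp_table(text):
    """Return {ip: (mac, type)}; MACs normalised to lower-case colon form."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, mac, typ = m.groups()
            table[ip] = (mac.lower().replace("-", ":"), typ)
    return table


def find_arp_anomalies(baseline_text, current_text, gateway_ip):
    """Report a changed gateway MAC and any dynamic MAC bound to several IPs."""
    before = parse_arp_table(baseline_text)
    after = parse_arp_table(current_text)
    findings = []
    old = before.get(gateway_ip, (None,))[0]
    new = after.get(gateway_ip, (None,))[0]
    if old and new and old != new:
        findings.append(f"gateway {gateway_ip} MAC changed {old} -> {new}")
    by_mac = defaultdict(list)
    for ip, (mac, typ) in after.items():
        if typ == "dynamic":          # static entries are local, not learned
            by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims several IPs: {', '.join(sorted(ips))}")
    return findings
```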

tls – Burp Proxy vs MITM

I have recently started using Burp as a proxy for hunting bugs on websites and I see many submissions where people have intercepted and modified requests/responses to exploit certain logic flaws in web applications. However, this is possible only because we have installed Burp’s certificate in our browser that allows it to decrypt the traffic to and from the web application. However, in a realistic scenario, the attacker would have to conduct a MITM attack to intercept/modify traffic. This makes me wonder what the point is of traffic interceptions using Burp.

Do SAML responses containing encrypted assertions provide protection against MiTM attacks?

A previously asked question touches on topics which are very similar to what I am having trouble understanding.

In a web application I am testing, SAML SSO is brokered using Keycloak. The SAML Response messages contain Encrypted Assertions (<saml:EncryptedAssertion>). Before the encrypted assertion is a Signature (<dsig:Signature>); if the signature is removed, the SP still accepts the user authentication.

  1. Can the content of these messages only be read by the SP/IdP/Keycloak?
  2. Can new assertions be encrypted using an available public key, thus replacing the original assertion? If so, where/how can the relevant public key be found?
  3. What is the purpose of the signature if removing it does nothing? Is this an issue with Keycloak (the broker)? Is the SP responsible for verifying the signature?

I may be missing some knowledge regarding Keycloak’s way of brokering authentication, or the SAML flow itself, but I can’t seem to find much info about any of this online, apart from the above linked question, which is still partially unanswered.

tls – DNS spoofing via ssl (https) by mitm with own wlan server

Problem: I have a local machine (IoT, let's call it MCC) which connects via SSL to a website (mcc.com) to get some JSON data. I would like to send modified JSON from my own server.

Idea: Set up a local device (let's call it rasp) which opens a wifi hotspot. The MCC should then connect to the rasp. The rasp answers with a certificate from the public server mcc.com, but sends the modified JSON data.

I am not familiar with DNS, but I expect this to be difficult as we do not own the public key of mcc.com. Does someone know some solution here? The MCC does not use some kind of DNS over https.

Middle Man – What Are Some Malware-Based MITM Attacks That Can Endanger the Company When Working Remotely?

I understand your safety concerns regarding the use of non-work (therefore not controlled and not backed up by your usual standards).

I don't think there is any kind of malware that could potentially compromise the security of the company as long as they use SSL through a MiTM attack.
However, if we look outside of the MiTM attacks, as you probably know, there are several attacks that could compromise your working VDEs as they could emulate your user's access. A simple keylogger can allow an attacker to access a particular user's VDE and offer multiple attack options if the VDI permissions are not configured correctly.

In summary, I don't think MiTM is the threat model for this type of operation, although other types of attacks could allow a perpetrator to access your VDEs, so they should be properly configured in terms of authorization and you should always be careful about what type of data you store on the VDE / to which you grant access.

Does HSTS prevent MITM from using a valid certificate?

HSTS does not contain any fingerprints (that would be HPKP instead). It just means that the site has to be loaded with HTTPS and that the certificate has to be trusted directly, i.e. bypassing certificate warnings must not be allowed. In this respect, HSTS does not prevent MITM if the attacker can use a valid certificate that was issued by a certification authority trusted by the client.

It's unclear exactly what you saw with the Burp suite, but maybe you have been used to bypassing certificate warnings when using Burp instead of importing Burp's certificate authority as trusted, and bypassing certificate warnings no longer works with HSTS.