MITM attack on the scale of an apartment building
How it all began
Some time ago the apartment was connected to the Internet by a new provider; before that, Internet service had been delivered over ADSL. Since I spend little time at home, mobile Internet mattered more to me than the home connection. With the move to remote work I decided that 50-60 Mb/s for the home connection was far too little and set out to increase it. For technical reasons, ADSL cannot deliver more than 60 Mb/s, so I decided to switch to another provider that advertised a different speed and delivered the service over something other than ADSL.
It could have been done differently
I contacted a representative of the Internet provider. The installers came, drilled a hole into the apartment and ran in an RJ-45 cable. They handed me a contract and a sheet with the network settings to enter on the router (a dedicated IP address, gateway, subnet mask and the addresses of their DNS servers), took payment for the first month and left. As soon as I entered those settings in my home router, the Internet arrived in the apartment. The procedure for bringing a new subscriber onto the network struck me as far too simple: there was no initial authentication at all, and my only identifier was the IP address I had been given. The Internet worked fast and stably. A Wi-Fi router served the apartment, and the connection speed dropped somewhat through a load-bearing wall. One day I needed to download a file of a couple of dozen gigabytes, so I thought: why not plug the RJ-45 cable coming into the apartment straight into the PC.
Know your neighbor
Having downloaded the whole file, I decided to get to know my neighbors on the switch ports a little better.
In apartment buildings, in the most primitive scheme, the provider's uplink arrives over fiber, terminates on one of the switches in a wiring closet, and is distributed to the entrances and apartments over Ethernet cables. Yes, there is already technology that brings fiber straight into the apartment (GPON), but it is not yet that widespread.
A very simplified topology at the scale of one building looks something like this:
It follows that this provider's clients in a number of neighboring apartments sit in the same local network on the same switching equipment.
By capturing on the interface connected directly to the provider's network, you can see broadcast ARP traffic arriving from every host on the network.
The provider had not bothered to split the network into small segments, so broadcast traffic from up to 253 hosts (less those that were switched off) could roam a single switch, eating into the channel bandwidth.
A scan with nmap determined the number of active hosts in the whole address pool, along with the software version and open ports of the main switch:
And where there is ARP, ARP spoofing is close by
The ettercap-graphical utility was used for the further steps; there are more modern alternatives, but this tool is attractive for its primitive graphical interface and ease of use.
The first column lists the IP addresses of all routers that responded to ping, the second their physical (MAC) addresses.
A physical address is unique and can be used to gather information about the router's geographic location and more, so it is hidden in this article.
The main gateway, with the address 192.168.xxx.1, is added as Target 1, and one of the other addresses as Target 2.
We present ourselves to the gateway as the host with the address 192.168.xxx.204 but with our own MAC address, and we present ourselves to the user's router as the gateway 192.168.xxx.1, again with our MAC. The details of this weakness of the ARP protocol are covered in other articles that are easy to find with Google.
After all these manipulations, and having first enabled packet forwarding, the hosts' traffic passes through us:
Yes, HTTPS is used almost everywhere by now, but the network is still full of other insecure protocols, DNS being one example, with DNS spoofing as the corresponding attack. The mere fact that a MITM attack is feasible opens the door to many other attacks. It gets worse when several dozen active hosts are present on the network. Bear in mind that this is a residential network, not a corporate one, and not everyone has the means to detect and counter such attacks.
How to avoid this
It is the provider who should be worried about this problem; setting up protection against such attacks is very simple, at least in the case of the same Cisco switch.
Enabling Dynamic ARP Inspection (DAI) would prevent the gateway's MAC from being spoofed. Breaking the broadcast domain into smaller segments would at least stop ARP traffic from reaching every host indiscriminately and reduce the number of hosts that can be attacked. The client, in turn, can protect itself from such manipulation by configuring a VPN client directly on the home router; most devices already support this.
Most likely the providers do not care: all their effort goes into growing the customer base. This material was written not to demonstrate an attack but to remind you that even your provider's network may be none too safe for carrying your data. I am sure there are many small regional Internet providers that have done nothing beyond what is needed for the basic operation of their network equipment.
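As an added example (not part of the original article), here is a client-side check in the spirit of arpwatch that a subscriber could run on the PC or router: it takes observed ARP replies and flags the two symptoms of the manipulation described above, the gateway IP suddenly answering from a different MAC and one MAC claiming several IPs at once. The gateway address and the reply trace are constructed.

```python
"""Client-side ARP poisoning detector (added example, not from the article).
Input: observed ARP replies as (timestamp, sender_ip, sender_mac); in
practice they would come from a sniffer or periodic reads of the system ARP
table. All addresses below are constructed."""
from collections import defaultdict

GATEWAY_IP = "192.168.100.1"  # assumed gateway address (constructed)


def detect_arp_poisoning(replies, gateway_ip=GATEWAY_IP):
    """Return (timestamp, kind, detail) alerts; kind is "gateway-mac-changed",
    "ip-mac-changed" or "mac-claims-many-ips"."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            kind = "gateway-mac-changed" if ip == gateway_ip else "ip-mac-changed"
            alerts.append((ts, kind, f"{ip}: {previous} -> {mac}"))
        ip_to_mac[ip] = mac
        # One MAC answering for several IPs is the signature of a host that
        # impersonates the gateway and a victim at the same time.
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append((ts, "mac-claims-many-ips",
                               f"{mac}: {sorted(mac_to_ips[mac])}"))
    return alerts


# Constructed trace: a real gateway and two client routers, then a third
# host starts answering ARP for both the gateway and client .204.
SAMPLE_REPLIES = [
    (1, "192.168.100.1",   "aa:aa:aa:00:00:01"),  # real gateway
    (2, "192.168.100.204", "bb:bb:bb:00:02:04"),  # neighbor's router
    (3, "192.168.100.50",  "cc:cc:cc:00:00:50"),  # third host
    (4, "192.168.100.1",   "CC:CC:CC:00:00:50"),  # claims to be the gateway
    (5, "192.168.100.204", "cc:cc:cc:00:00:50"),  # claims to be .204
    (6, "192.168.100.1",   "aa:aa:aa:00:00:01"),  # real gateway answers again
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES):
        print(*alert)
```

On a real link the gateway MAC flapping between two values, as in entries 4 and 6, is the classic sign that a second host is racing the true gateway for the ARP cache.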