Sunday, September 13, 2015

Man-In-The-Middle (MITM)

  • Proxy only tools
Proxy tools only permit interaction with the parts of the HTTP protocol, like the header and the body of a transaction, but do not have the capability to intercept the TCP connection between client and server. To intercept the communication, it’s necessary to use other network attack tools or configure the browser.
https://www.owasp.org/index.php/Man-in-the-middle_attack

  • mitmproxy is a free and open source interactive HTTPS proxy.
https://mitmproxy.org/

  • A Man-In-The-Middle (MITM) attack is achieved when an attacker poisons the ARP cache of two devices with the (48-bit) MAC address of their Ethernet NIC (Network Interface Card). Once the ARP cache has been successfully poisoned, each of the victim devices sends all its packets to the attacker when communicating to the other device. This puts the attacker in the middle of the communications path between the two victim devices; hence the name Man-In-The-Middle (MITM) attack. It allows an attacker to easily monitor all communication between victim devices.
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/white_paper_c11_603839.html

  • In cryptography and computer security, a man-in-the-middle attack (often abbreviated to MITM, MitM, MIM, MiM or MITMA) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
https://en.wikipedia.org/wiki/Man-in-the-middle_attack

  • In computer networking, ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.
ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic. Often the attack is used as an opening for other attacks, such as denial of service, man in the middle, or session hijacking attacks.
https://en.wikipedia.org/wiki/ARP_spoofing

  • ARP is the Address Resolution Protocol. Essentially all it does is resolve a logical IP address to a physical Hardware (MAC) address.
ARP stands for Address Resolution Protocol. It is used to associate a layer 3 (Network layer) address (such as an IP address) with a layer 2 (Data Link layer) address (MAC address).

http://mellowd.co.uk/ccie/?tag=how-does-arp-work
http://forums.sureshkumar.net/networking-interview-technical-questions/14810-networking-what-arp-how-does-work.html

  • ARP cache
The ARP cache can contain dynamic (learned) entries and static (user-configured) entries.

Entries in the static ARP table are user-configured.
You can add entries to the static ARP table regardless of whether or not the device the entry is for is connected to the Layer 3 switch.

Layer 3 switches have a static ARP table. Layer 2 switches do not.
http://www.brocade.com/content/html/en/configuration-guide/FI_08030_L3/GUID-B5A197B6-5EB5-481E-8535-5DC9FD66CA14.html

  • Gratuitous ARP could mean both gratuitous ARP request or gratuitous ARP reply.
Gratuitous in this case means a request/reply that is not normally needed according to the ARP specification (RFC 826) but could be used in some cases.
A gratuitous ARP request is an Address Resolution Protocol request packet where the source and destination IP are both set to the IP of the machine issuing the packet and the destination MAC is the broadcast address ff:ff:ff:ff:ff:ff. Ordinarily, no reply packet will occur. A gratuitous ARP reply is a reply to which no request has been made.

Gratuitous ARPs are useful for four reasons:

They can help detect IP conflicts. When a machine receives an ARP request containing a source IP that matches its own, then it knows there is an IP conflict.

They assist in the updating of other machines' ARP tables. Clustering solutions utilize this when they move an IP from one NIC to another, or from one machine to another. Other machines maintain an ARP table that contains the MAC associated with an IP. When the cluster needs to move the IP to a different NIC, be it on the same machine or a different one, it reconfigures the NICs appropriately then broadcasts a gratuitous ARP reply to inform the neighboring machines about the change in MAC for the IP. Machines receiving the ARP packet then update their ARP tables with the new MAC.

They inform switches of the MAC address of the machine on a given switch port, so that the switch knows that it should transmit packets sent to that MAC address on that switch port.

Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts. Thus, a gratuitous ARP will tell us that that host has just had a link up event, such as a link bounce, a machine just being rebooted or the user/sysadmin on that host just configuring the interface up. If we see multiple gratuitous ARPs from the same host frequently, it can be an indication of bad Ethernet hardware/cabling resulting in frequent link bounces.

A typical clustering scenario might play out like the following:

    Two nodes in a cluster are configured to share a common IP address 192.168.1.1. Node A has a hardware address of 01:01:01:01:01:01 and node B has a hardware address of 02:02:02:02:02:02.

    Assume that node A currently has IP address 192.168.1.1 already configured on its NIC. At this point, neighboring devices know to contact 192.168.1.1 using the MAC 01:01:01:01:01:01.
    Using the heartbeat protocol, node B determines that node A has died.

    Node B configures a secondary IP on an interface with ifconfig eth0:1 192.168.1.1.

    Node B issues a gratuitous ARP with send_arp eth0 192.168.1.1 02:02:02:02:02:02 192.168.1.255. All devices receiving this ARP update their table to point to 02:02:02:02:02:02 for the IP address 192.168.1.1.

https://wiki.wireshark.org/Gratuitous_ARP

  • One such way is to spoof your MAC address and poison the ARP table. Since ARP keeps no state information, the ARP cache can be overwritten (unless an entry is explicitly marked as permanent).
The attacker can then either respond to Computer A (pretending to be Computer B), or simply forward the packets to its intended destination, but only after the packet information is captured and logged for later use by the attacker.
http://www.admin-magazine.com/Articles/Arp-Cache-Poisoning-and-Packet-Sniffing
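
The clustering scenario and the cache-poisoning note above describe the same wire-level event: an IP that was answered by one MAC is suddenly claimed by another, and ARP itself keeps no state that would tell the two apart. The following added example (not code from the Wireshark wiki, the Admin Magazine article or any tool named on this page) parses RFC 826 ARP bodies, recognises gratuitous ARP by the sender-IP equals target-IP rule quoted above, and keeps the IP-to-MAC bindings seen so that a change is reported for the analyst. The packet bytes are constructed inside the block, and the names ArpWatch, build_arp and parse_arp are chosen here.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # RFC 826 ARP body for Ethernet (HLEN 6) / IPv4 (PLEN 4)
REQUEST, REPLY = 1, 2
def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa):
    """Build a 28-byte ARP body; used here only to construct sample input."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))

def parse_arp(body):
    """Decode the ARP fields, rejecting anything that is not Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP body")
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}

def is_gratuitous(a):
    """Gratuitous ARP as defined on the Wireshark wiki: sender IP == target IP."""
    return a["spa"] == a["tpa"]

class ArpWatch:
    """Remembers the MAC last seen for each IP and flags when the binding changes."""
    def __init__(self):
        self.bindings = {}    # ip -> mac
        self.gratuitous = {}  # mac -> number of gratuitous ARPs seen from it
    def observe(self, body):
        a = parse_arp(body)
        if is_gratuitous(a):
            self.gratuitous[a["sha"]] = self.gratuitous.get(a["sha"], 0) + 1
        old = self.bindings.get(a["spa"])
        self.bindings[a["spa"]] = a["sha"]
        if old is not None and old != a["sha"]:
            # a cluster failover and a poisoning attempt look identical here; only
            # outage/heartbeat context tells the analyst which one it was
            return f"binding change: {a['spa']} {old} -> {a['sha']}"
        return None

def demo():
    """Replay the clustering scenario above with constructed packets, not captured ones."""
    w = ArpWatch()
    normal = build_arp(REPLY, "01:01:01:01:01:01", "192.168.1.1",      # node A answers a host
                       "aa:bb:cc:dd:ee:ff", "192.168.1.50")
    takeover = build_arp(REQUEST, "02:02:02:02:02:02", "192.168.1.1",  # node B announces takeover
                         "ff:ff:ff:ff:ff:ff", "192.168.1.1")
    return [w.observe(p) for p in (normal, takeover)], w.gratuitous
```

The same binding-change report is what an ARP poisoning attempt produces, so in practice the alert is correlated with whether a failover or link-up event was expected at that time.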

  • ProxyFuzz
ProxyFuzz is a man-in-the-middle non-deterministic network fuzzer written in Python. ProxyFuzz randomly changes (fuzzes) contents on the network traffic. It supports TCP and UDP protocols and can also be configured to fuzz only one side of the communication.

  • Different types of network-based evidence

Full content data
Nothing is being filtered, exact copies of all the traffic (often called "packet captures", abbreviated to PCAP) are being stored.

Session data
It usually consists of aggregated traffic metadata and usually refers to the conversation between two network entities, grouped together into "flows" and/or groups of network packets related to one another.
Session data are able to inform the investigator about questions such as who talked to whom, when, for how long, etc. without looking at any contents of the conversation(s) at all.
All an investigator needs to know is that 700,000 packets have been transferred between two otherwise "quiet" network nodes on a Sunday at 02:15 am.

Alert data
Whenever network traffic triggers a pre-defined item of interest (such as a particular pattern of bytes, or counts of activity, or other characteristics) the analyst will be dealing with alert data. Alerts are typically generated by Network Intrusion Detection Systems (NIDS) such as Suricata or Snort.

Statistical data
Statistical data provide the analyst with network-related aspects such as the number of bytes contained in a packet trace, start and end times of network conversations, number of services and protocols being used, most active network nodes, least active network nodes, outliers in network usage, average packet size, average packet rate, and so on. It can therefore also act as a useful source for anomaly detection.
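
To make the session and statistical data descriptions concrete, here is an added example (not from the ENISA handbook) that folds constructed per-packet records into bidirectional conversations, then reports the host pair whose packet count dwarfs the rest of the capture, including the Sunday 02:15 case mentioned above. The functions flows, outliers and off_hours, the 10x-median threshold and the sample hosts are all assumptions made here.

```python
from datetime import datetime, timedelta

def sample_packets():
    """Constructed (time, src, dst, bytes) records standing in for a packet capture."""
    pkts = []
    base = datetime(2015, 9, 11, 10, 0)                # Friday, business hours
    for i in range(4):                                  # ordinary DNS and web chatter
        t = base + timedelta(minutes=i)
        pkts += [(t, "10.0.0.5", "10.0.0.53", 80),
                 (t + timedelta(seconds=1), "10.0.0.53", "10.0.0.5", 120),
                 (t, "10.0.0.7", "10.0.0.80", 500)]
    quiet = datetime(2015, 9, 13, 2, 15)               # Sunday 02:15, the case in the text
    for i in range(200):                                # burst between two otherwise quiet hosts
        pkts.append((quiet + timedelta(seconds=i), "10.0.0.21", "10.0.0.22", 1400))
    return pkts

def flows(packets):
    """Session data: fold packets into bidirectional conversations keyed by host pair."""
    acc = {}
    for t, src, dst, size in packets:
        key = tuple(sorted((src, dst)))
        f = acc.setdefault(key, {"packets": 0, "bytes": 0, "start": t, "end": t})
        f["packets"] += 1
        f["bytes"] += size
        f["start"], f["end"] = min(f["start"], t), max(f["end"], t)
    return acc

def off_hours(t):
    """Weekend or 00:00-06:00; a site-specific assumption, not a rule from the handbook."""
    return t.weekday() >= 5 or t.hour < 6

def outliers(acc, factor=10):
    """Statistical data: conversations whose packet count is >= factor x the median pair."""
    counts = sorted(f["packets"] for f in acc.values())
    median = counts[len(counts) // 2]
    found = []
    for pair, f in acc.items():
        if f["packets"] >= factor * median:
            found.append({"pair": pair, "packets": f["packets"], "bytes": f["bytes"],
                          "start": f["start"],
                          "duration_s": int((f["end"] - f["start"]).total_seconds()),
                          "off_hours": off_hours(f["start"])})
    return found

if __name__ == "__main__":
    for o in outliers(flows(sample_packets())):
        print(o)   # who talked to whom, when and for how long, without any payload
```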

Acquiring traffic in cables

Network taps
Inline network taps are OSI layer 1 devices that can be inserted inline between two physically connected network devices. The network tap will pass along the packets and physically replicate copies to one or more monitoring ports. They are commonly designed to require no power for passively passing packets. This reduces the risk of a network outage caused by the tap. This does not cover the power requirements of the monitoring station though.

Vampire taps are devices that pierce the shielding of coaxial cables to provide access to the signal within. The device clamps onto and "bites" into the cable.
Unlike inline network taps, the cable does not need to be severed (or disconnected) for a vampire tap to be installed.

Fibre Optic network taps work similarly to inline taps for copper cables.

Hubs
A network hub is an OSI Layer 1 device that physically connects all stations on a local subnet to one circuit. It maintains no knowledge of what devices are connected to what ports. When the hub receives a frame, it forwards it to all other ports. Therefore, every device connected to the hub physically receives all traffic destined to every other device attached to the hub. Thus, all traffic on the segment can be trivially captured by connecting to any unused port on a hub. A reliable way to determine if a device is actually a hub is to connect a station to it, put the network interface into promiscuous mode, and observe the traffic. If only packets destined for the monitoring station and broadcast traffic can be seen, then the device is a switch. If it is a hub, traffic to all other connected stations should be seen.

Switches
Unlike hubs, switches use software to keep track of which stations are connected to which ports, in its CAM (Content Addressable Memory) table.
A switch's CAM table stores MAC addresses with corresponding switch ports. Switches can often be configured to replicate traffic from one or more ports to some other port for aggregation and analysis. The most vendor-neutral term for this is "port mirroring."
Investigators will need administrative access to the switch's operating system to configure port mirroring. A monitoring station needs to be connected to the mirroring port to capture the traffic. Investigators must consider the bandwidth of the mirroring port in comparison to the traffic on the monitored ports, so as not to drop packets.

Active acquisition
In cases when the network administrators themselves are not trusted, investigators may need to use the same techniques as attackers. This is not recommended and should be seen only as a measure of last resort, as they cause the switch to operate outside normal parameters and will likely trigger intrusion detection mechanisms in the network.
First, the attacker can flood the CAM table of the switch with information (by sending packets with different MAC addresses). This attack is referred to as "MAC flooding" or "CAM table overflow". When the CAM table overflows, switches by default will "fail open" to a hub mode of operation and send traffic for systems not in the CAM table out to every port.
Second, an "ARP spoofing", or "ARP (cache) poisoning" attack can be conducted. The Address Resolution Protocol (ARP) is used by stations on a LAN to dynamically map IPv4 addresses (Layer 3) to corresponding MAC addresses (for IPv6 this function is carried out within ICMPv6, but the principle is otherwise identical). The attacker broadcasts bogus ARP packets, which link the attacker's MAC address to the victim's IP address. Other stations on the LAN add this bogus information to their ARP tables, and send traffic for the router's IP address to the attacker's MAC address instead. This causes all IP packets destined for the victim station to be sent instead to the attacker (who can then copy, change, and/or forward them on to the victim).

Acquiring traffic in radio networks
There are many protocols in use today that enable wireless networking. For each protocol, there are several frequency bands over which data can be transmitted, with each band subdivided into smaller bands, called channels. Not all frequency bands or all channels are in use everywhere in the world. Most countries limit what frequency and channels are used within their jurisdiction. The consequence is that network equipment made for one country may operate on different frequencies and channels than one made for another country. Thus, adversaries using wireless technology from a different country may not be detected by that country's network equipment.
Spectrum analysers are designed to monitor RF frequencies and report on usage. They can be very helpful for identifying rogue wireless devices and channels in use.

WLAN passive evidence acquisition
To capture WLAN traffic, investigators need an 802.11 wireless card capable of running in Monitor mode, a mode that many WLAN cards do not support. There is a difference between Monitor mode and Promiscuous mode that can be summed up as follows:
An important difference between Monitor mode and promiscuous mode is that in monitor mode the packets are captured in 802.11 format while in promiscuous mode they are presented in Ethernet (802.3) format. From a forensic standpoint, monitor mode is preferable as it is completely passive and conveys more information. It is recommended to use a special-purpose WiFi monitoring card that can be configured to operate completely passively.
https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material/documents/introduction-to-network-forensics-handbook.pdf