Hacking Pattern of Man-in-the-Middle Attack


Start ARP poisoning of ntec3-20 and ntec4-20. About every two seconds the attacker sends each host an unsolicited ARP reply claiming that the other host is at 0:50:56:45:0:64, the MAC the attacker answers on (the hosts' real addresses, 0:50:56:45:0:62 and 0:50:56:45:0:41, only show up in the restore phase at the end of the trace).

17:45:15.970769 arp reply ntec3-20 is-at 0:50:56:45:0:64
17:45:15.988499 arp reply ntec4-20 is-at 0:50:56:45:0:64
17:45:18.007476 arp reply ntec3-20 is-at 0:50:56:45:0:64
17:45:18.027447 arp reply ntec4-20 is-at 0:50:56:45:0:64
17:45:20.036945 arp reply ntec3-20 is-at 0:50:56:45:0:64
17:45:20.056938 arp reply ntec4-20 is-at 0:50:56:45:0:64

Playing man-in-the-middle in the SSH session. Every TCP segment now appears twice on the wire: one copy is the victim's transmission, which the poisoned ARP entry delivers to the attacker, and the second copy is the attacker relaying it to the real destination. Both copies carry identical sequence numbers, window and timestamp options (compare the SYN at 17:45:21.625824 with its relayed copy at 17:45:21.637364), so at the TCP level the attacker is forwarding the segments unchanged.

17:45:21.625824 ntec3-20.685 > ntec4-20.ssh: S 1025449535:1025449535(0) win 32120 <mss 1460,sackOK,timestamp 676717615[|tcp]> (DF)
17:45:21.637364 ntec3-20.685 > ntec4-20.ssh: S 1025449535:1025449535(0) win 32120 <mss 1460,sackOK,timestamp 676717615[|tcp]> (DF)
17:45:21.656341 ntec4-20.ssh > ntec3-20.685: S 1013394171:1013394171(0) ack 1025449536 win 32120 <mss 1460,sackOK,timestamp 676527531[|tcp]> (DF)
17:45:21.656839 ntec4-20.ssh > ntec3-20.685: S 1013394171:1013394171(0) ack 1025449536 win 32120 <mss 1460,sackOK,timestamp 676527531[|tcp]> (DF)
17:45:21.657847 ntec3-20.685 > ntec4-20.ssh: . ack 1 win 32120 <nop,nop,timestamp 676717617 676527531> (DF)
17:45:21.686558 ntec3-20.685 > ntec4-20.ssh: . ack 1 win 32120 <nop,nop,timestamp 676717617 676527531> (DF)
17:45:21.691507 ntec4-20.ssh > ntec3-20.685: P 1:24(23) ack 1 win 32120 <nop,nop,timestamp 676527535 676717617> (DF)
17:45:21.717009 ntec4-20.ssh > ntec3-20.685: P 1:24(23) ack 1 win 32120 <nop,nop,timestamp 676527535 676717617> (DF)
17:45:21.718553 ntec3-20.685 > ntec4-20.ssh: . ack 24 win 32120 <nop,nop,timestamp 676717623 676527535> (DF)
17:45:21.719690 ntec3-20.685 > ntec4-20.ssh: P 1:23(22) ack 24 win 32120 <nop,nop,timestamp 676717623 676527535> (DF)
17:45:21.737066 ntec3-20.685 > ntec4-20.ssh: . ack 24 win 32120 <nop,nop,timestamp 676717623 676527535> (DF)
17:45:21.737322 ntec3-20.685 > ntec4-20.ssh: P 1:23(22) ack 24 win 32120 <nop,nop,timestamp 676717623 676527535> (DF)
17:45:21.738157 ntec4-20.ssh > ntec3-20.685: . ack 23 win 32120 <nop,nop,timestamp 676527541 676717623> (DF)
17:45:21.739153 ntec4-20.ssh > ntec3-20.685: P 24:300(276) ack 23 win 32120 <nop,nop,timestamp 676527541 676717623> (DF)
17:45:21.756931 ntec4-20.ssh > ntec3-20.685: . ack 23 win 32120 <nop,nop,timestamp 676527541 676717623> (DF)
17:45:21.945775 ntec4-20.ssh > ntec3-20.685: P 24:300(276) ack 23 win 32120 <nop,nop,timestamp 676527541 676717623> (DF)
17:45:21.966291 ntec3-20.685 > ntec4-20.ssh: . ack 300 win 32120 <nop,nop,timestamp 676717649 676527541> (DF)
17:45:21.966758 ntec3-20.685 > ntec4-20.ssh: . ack 300 win 32120 <nop,nop,timestamp 676717649 676527541> (DF)

Keep ARP poisoning the two hosts. The bogus replies are repeated throughout the session so the poisoned cache entries never time out and get re-resolved to the real MACs.

17:45:22.056873 arp reply ntec3-20 is-at 0:50:56:45:0:64
17:45:22.076790 arp reply ntec4-20 is-at 0:50:56:45:0:64

Continue the SSH session intercept.

17:45:23.331674 ntec3-20.685 > ntec4-20.ssh: P 23:179(156) ack 300 win 32120 <nop,nop,timestamp 676717785 676527541> (DF)
17:45:23.358652 ntec3-20.685 > ntec4-20.ssh: P 23:179(156) ack 300 win 32120 <nop,nop,timestamp 676717785 676527541> (DF)
17:45:23.366500 ntec4-20.ssh > ntec3-20.685: . ack 179 win 32120 <nop,nop,timestamp 676527703 676717785> (DF)
17:45:23.371005 ntec4-20.ssh > ntec3-20.685: P 300:312(12) ack 179 win 32120 <nop,nop,timestamp 676527703 676717785> (DF)
17:45:23.378350 ntec4-20.ssh > ntec3-20.685: . ack 179 win 32120 <nop,nop,timestamp 676527703 676717785> (DF)
17:45:23.379355 ntec4-20.ssh > ntec3-20.685: P 300:312(12) ack 179 win 32120 <nop,nop,timestamp 676527703 676717785> (DF)
17:45:23.380662 ntec3-20.685 > ntec4-20.ssh: P 179:199(20) ack 312 win 32120 <nop,nop,timestamp 676717790 676527703> (DF)
17:45:23.396944 ntec3-20.685 > ntec4-20.ssh: P 179:199(20) ack 312 win 32120 <nop,nop,timestamp 676717790 676527703> (DF)
17:45:23.405904 ntec4-20.ssh > ntec3-20.685: P 312:324(12) ack 199 win 32120 <nop,nop,timestamp 676527707 676717790> (DF)
17:45:23.417001 ntec4-20.ssh > ntec3-20.685: P 312:324(12) ack 199 win 32120 <nop,nop,timestamp 676527707 676717790> (DF)
17:45:23.435769 ntec3-20.685 > ntec4-20.ssh: . ack 324 win 32120 <nop,nop,timestamp 676717796 676527707> (DF)
17:45:23.456595 ntec3-20.685 > ntec4-20.ssh: . ack 324 win 32120 <nop,nop,timestamp 676717796 676527707> (DF)
17:45:24.086256 arp reply ntec3-20 is-at 0:50:56:45:0:64
17:45:24.108556 arp reply ntec4-20 is-at 0:50:56:45:0:64
17:45:26.551072 ntec3-20.685 > ntec4-20.ssh: P 199:227(28) ack 324 win 32120 <nop,nop,timestamp 676718107 676527707> (DF)
17:45:26.555768 ntec3-20.685 > ntec4-20.ssh: P 199:227(28) ack 324 win 32120 <nop,nop,timestamp 676718107 676527707> (DF)
17:45:26.567140 ntec4-20.ssh > ntec3-20.685: . ack 227 win 32120 <nop,nop,timestamp 676528018 676718107> (DF)
17:45:26.571269 ntec4-20.ssh > ntec3-20.685: P 324:336(12) ack 227 win 32120 <nop,nop,timestamp 676528020 676718107> (DF)
17:45:26.577578 ntec4-20.ssh > ntec3-20.685: . ack 227 win 32120 <nop,nop,timestamp 676528018 676718107> (DF)

...... Skip most of the SSH session packets here .....

17:45:35.313700 ntec4-20.ssh > ntec3-20.685: P 4392:4428(36) ack 767 win 32120 <nop,nop,timestamp 676528903 676718981> (DF) [tos 0x10]
17:45:35.313931 ntec4-20.ssh > ntec3-20.685: P 4428:4448(20) ack 767 win 32120 <nop,nop,timestamp 676528904 676718981> (DF) [tos 0x10]
17:45:35.315795 ntec3-20.685 > ntec4-20.ssh: P 767:779(12) ack 4448 win 32120 <nop,nop,timestamp 676718983 676528903> (DF) [tos 0x10]
17:45:35.316101 ntec3-20.685 > ntec4-20.ssh: F 779:779(0) ack 4448 win 32120 <nop,nop,timestamp 676718984 676528903> (DF) [tos 0x10]
17:45:35.333220 ntec3-20.685 > ntec4-20.ssh: P 767:779(12) ack 4448 win 32120 <nop,nop,timestamp 676718983 676528903> (DF) [tos 0x10]
17:45:35.333481 ntec3-20.685 > ntec4-20.ssh: F 779:779(0) ack 4448 win 32120 <nop,nop,timestamp 676718984 676528903> (DF) [tos 0x10]
17:45:35.334786 ntec4-20.ssh > ntec3-20.685: . ack 780 win 32120 <nop,nop,timestamp 676528906 676718983> (DF) [tos 0x10]
17:45:35.339182 ntec4-20.ssh > ntec3-20.685: F 4448:4448(0) ack 780 win 32120 <nop,nop,timestamp 676528907 676718983> (DF) [tos 0x10]
17:45:35.353680 ntec4-20.ssh > ntec3-20.685: . ack 780 win 32120 <nop,nop,timestamp 676528906 676718983> (DF) [tos 0x10]
17:45:35.353922 ntec4-20.ssh > ntec3-20.685: F 4448:4448(0) ack 780 win 32120 <nop,nop,timestamp 676528907 676718983> (DF) [tos 0x10]
17:45:35.354186 ntec3-20.685 > ntec4-20.ssh: . ack 4449 win 32120 <nop,nop,timestamp 676718988 676528907> (DF) [tos 0x10]
17:45:35.373441 ntec3-20.685 > ntec4-20.ssh: . ack 4449 win 32120 <nop,nop,timestamp 676718988 676528907> (DF) [tos 0x10]

Restore the normal ARP after the intercept. The attacker now sends replies carrying the real MACs (ntec3-20 at 0:50:56:45:0:62, ntec4-20 at 0:50:56:45:0:41) so the victims' caches are corrected and no stale entry is left behind. These corrective replies are just as unsolicited as the poisoning ones: each reply is on the wire before the who-has request it would answer.

17:45:39.242166 arp reply ntec3-20 (0:50:56:45:0:62) is-at 0:50:56:45:0:62
17:45:39.261981 arp reply ntec4-20 (0:50:56:45:0:41) is-at 0:50:56:45:0:41
17:45:40.271742 arp who-has ntec4-20 (0:50:56:45:0:41) tell ntec3-20 (0:50:56:45:0:62)
17:45:40.291667 arp who-has ntec3-20 (0:50:56:45:0:62) tell ntec4-20 (0:50:56:45:0:41)
17:45:41.301440 arp reply ntec3-20 (0:50:56:45:0:62) is-at 0:50:56:45:0:62
17:45:41.321357 arp reply ntec4-20 (0:50:56:45:0:41) is-at 0:50:56:45:0:41
17:45:42.331143 arp who-has ntec4-20 (0:50:56:45:0:41) tell ntec3-20 (0:50:56:45:0:62)
17:45:42.351100 arp who-has ntec3-20 (0:50:56:45:0:62) tell ntec4-20 (0:50:56:45:0:41)
17:45:43.360848 arp reply ntec3-20 (0:50:56:45:0:62) is-at 0:50:56:45:0:62
17:45:43.380799 arp reply ntec4-20 (0:50:56:45:0:41) is-at 0:50:56:45:0:41
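The three signs of this attack that are visible in the trace (one MAC answering for several hosts, a host's MAC flipping when the poisoning starts and stops, and every TCP segment appearing twice with identical options) can be pulled out of tcpdump text output mechanically. The following detector is an added example, not part of the original capture or of any tool the page describes; the function names are its own, and the sample input is a constructed excerpt of lines taken from the trace above.

```python
"""Detect the ARP-poisoning man-in-the-middle pattern in tcpdump text output.

Added example (not from the original trace). Parses tcpdump lines in the
style shown on this page (host names, no -e link-layer fields) and reports:
  * a MAC that has claimed more than one IP host,
  * hosts whose advertised MAC changes over time (poison start / restore),
  * TCP segments that appear twice on the wire within a short gap, identical
    after the capture timestamp (the victim's copy and the attacker's relay).
"""
import re
from collections import defaultdict

# Matches both "arp reply ntec3-20 is-at ..." and "arp reply ntec3-20 (mac) is-at ..."
ARP_REPLY = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) arp reply (?P<host>\S+)"
    r"(?: \([^)]*\))? is-at (?P<mac>\S+)"
)
# Matches "ts src.port > dst.port: <flags and options>"; ARP lines have no " > "
TCP_SEG = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<rest>\S+ > \S+: .*)$")


def ts_micros(ts):
    """'17:45:21.625824' -> integer microseconds since midnight (exact, no float)."""
    h, m, rest = ts.split(":")
    sec, frac = rest.split(".")
    return ((int(h) * 60 + int(m)) * 60 + int(sec)) * 1_000_000 + int(frac.ljust(6, "0"))


def arp_replies(lines):
    """Yield (time_us, host, mac) for every ARP reply in the capture, in order."""
    for line in lines:
        m = ARP_REPLY.match(line)
        if m:
            yield ts_micros(m["ts"]), m["host"], m["mac"]


def macs_claiming_multiple_hosts(lines):
    """{mac: sorted hosts} for every MAC that answered 'is-at' for more than one host."""
    hosts_by_mac = defaultdict(set)
    for _, host, mac in arp_replies(lines):
        hosts_by_mac[mac].add(host)
    return {mac: sorted(h) for mac, h in hosts_by_mac.items() if len(h) > 1}


def mac_flips(lines):
    """[(time_us, host, old_mac, new_mac)] each time a host's advertised MAC changes."""
    current, flips = {}, []
    for t, host, mac in arp_replies(lines):
        old = current.get(host)
        if old is not None and old != mac:
            flips.append((t, host, old, mac))
        current[host] = mac
    return flips


def relayed_segments(lines, max_gap_us=1_000_000):
    """[(segment_text, gap_us)] for TCP segments seen twice within max_gap_us.

    The key is the whole line after the capture timestamp, so the two copies
    must agree on ports, flags, sequence/ack numbers, window and TCP options.
    """
    last_seen, relayed = {}, []
    for line in lines:
        m = TCP_SEG.match(line)
        if not m:
            continue
        t, key = ts_micros(m["ts"]), m["rest"]
        prev = last_seen.get(key)
        if prev is not None and t - prev <= max_gap_us:
            relayed.append((key, t - prev))
        last_seen[key] = t
    return relayed


# Constructed input: an excerpt of lines from the trace above.
SAMPLE = """\
17:45:15.970769 arp reply ntec3-20 is-at 0:50:56:45:0:64
17:45:15.988499 arp reply ntec4-20 is-at 0:50:56:45:0:64
17:45:21.625824 ntec3-20.685 > ntec4-20.ssh: S 1025449535:1025449535(0) win 32120 <mss 1460,sackOK,timestamp 676717615[|tcp]> (DF)
17:45:21.637364 ntec3-20.685 > ntec4-20.ssh: S 1025449535:1025449535(0) win 32120 <mss 1460,sackOK,timestamp 676717615[|tcp]> (DF)
17:45:21.656341 ntec4-20.ssh > ntec3-20.685: S 1013394171:1013394171(0) ack 1025449536 win 32120 <mss 1460,sackOK,timestamp 676527531[|tcp]> (DF)
17:45:21.656839 ntec4-20.ssh > ntec3-20.685: S 1013394171:1013394171(0) ack 1025449536 win 32120 <mss 1460,sackOK,timestamp 676527531[|tcp]> (DF)
17:45:21.657847 ntec3-20.685 > ntec4-20.ssh: . ack 1 win 32120 <nop,nop,timestamp 676717617 676527531> (DF)
17:45:21.686558 ntec3-20.685 > ntec4-20.ssh: . ack 1 win 32120 <nop,nop,timestamp 676717617 676527531> (DF)
17:45:22.056873 arp reply ntec3-20 is-at 0:50:56:45:0:64
17:45:39.242166 arp reply ntec3-20 (0:50:56:45:0:62) is-at 0:50:56:45:0:62
17:45:39.261981 arp reply ntec4-20 (0:50:56:45:0:41) is-at 0:50:56:45:0:41
17:45:40.271742 arp who-has ntec4-20 (0:50:56:45:0:41) tell ntec3-20 (0:50:56:45:0:62)
""".splitlines()

if __name__ == "__main__":
    print("MACs answering for several hosts:", macs_claiming_multiple_hosts(SAMPLE))
    for t, host, old, new in mac_flips(SAMPLE):
        print(f"MAC flip for {host}: {old} -> {new}")
    for seg, gap in relayed_segments(SAMPLE):
        print(f"relayed after {gap} us: {seg[:45]}...")
```

Two caveats when running this against a real capture. The duplicate-segment check only fires if the sniffer sees both copies, which means capturing on a mirror/SPAN port, on the attacker's host, or on a hub; from either victim you would see one copy of each segment and would have to rely on the ARP checks alone. A genuine TCP retransmission also repeats a segment, but it comes after a retransmission timeout rather than the few milliseconds seen here, and a stack that refreshes the timestamp option on retransmit will no longer match byte-for-byte, which is why the key includes the options field.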