There's an interesting attack that allows an attacker to sit in the middle of a conversation and see everything sent back and forth between two devices, and in some cases modify the information that's sent back and forth. We refer to this as an on-path attack. Sometimes you'll hear this referred to as a man-in-the-middle attack. From the end user's perspective, they have no idea that someone is in the middle of their conversation and potentially changing the data that they're sending to each other.

One of these types of on-path attacks can be done on a local subnet, and it's called ARP poisoning, where we take advantage of the lack of security associated with ARP to get into the middle of a conversation. On every device there is an ARP cache, where the device keeps a list of IP addresses and the MAC addresses associated with those IP addresses. When you first start your computer the cache is empty, and as you begin connecting to other devices you add different combinations of IP addresses and MAC addresses to the cache.

Here's an example of ARP spoofing. We have a laptop, and this laptop will be logging in and using the command line on a router. The laptop has an IP address of 192.168.1.9 and the router is 192.168.1.1. You can also see the MAC addresses of these two devices: the laptop's MAC address ends in 38d5 and the router's MAC address ends in bbfe. The laptop knows the IP address of the router but can't communicate with it until it receives the MAC address, and of course the way you resolve that MAC address is by sending an Address Resolution Protocol broadcast. So here we're sending that ARP message: "Who is 192.168.1.1?" That message is sent to everyone on the local network. The router is on the local network, so it sends back a message saying "I am 192.168.1.1, and here is my MAC address ending in bbfe," so that the laptop knows who to communicate with. When that message is received by the laptop, it adds that information to the ARP cache, so now it knows that 192.168.1.1 is equal to the MAC address associated with the router. On most operating systems that ARP cache entry sticks around for a number of minutes and then drops out of the cache, at which time that ARP process will need to occur again.

You may have noticed that there was no security associated with that conversation. There were no usernames, no passwords, no mutual authentication or any other method that would confirm that we were really communicating with the router. This is the vulnerability that attackers take advantage of with ARP poisoning. Let's say that we have an attacker on this local network. This attacker has an IP address of 192.168.1.14 and a MAC address ending in ee:ff. To begin the attack, the attacker sends a spoofed ARP response saying that it is 192.168.1.1 and that the MAC address of this IP address ends in ee:ff, which of course is the MAC address of the attacker's computer. When this is received by the laptop, it assumes the MAC address must have changed, so it modifies the ARP cache: the entry has exactly the same IP address, but now the MAC address has been set to the MAC address of the attacker. This means that anything sent to the IP address 192.168.1.1 would not go directly to the router but instead be sent to the attacker. To complete this attack, the attacker performs exactly the same ARP poisoning against the router, and now it's sitting in the middle of the conversation and watching all of the traffic that goes back and forth.

There are a number of limitations to an ARP poisoning attack. Someone first has to gain access to your network and then be on the same IP subnet as the two devices they would like to intercept. But there are ways to perform an on-path attack that don't have these limitations. One of these attack types is an on-path browser attack, where the middleman is inside the browser that you're using. This means the attacker doesn't have to be on a local subnet or gain access to a local network; they just need to gain access to that device so they can install the malware that provides the on-path functionality. This solves a lot of the problems an attacker has when capturing traffic over the network, especially if the network traffic is encrypted. If you're capturing the information in the browser itself, it hasn't been encrypted yet, and the attacker can see all of the information sent back and forth. Now the attacker is monitoring everything you type into the browser, all information sent and received by the browser, and anything else you're doing inside that browser session. So the next time you log into your bank with your username and password, all of that information is provided to the attacker, and now that the attacker has control of this system, they can send information back to this device to open additional sessions to your bank and begin transferring money from one account to another.
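As an added example (not part of this lecture), here is a small Python simulation of the ARP cache behaviour described above, with the kind of change detection an arpwatch-style monitor provides. The full MAC addresses are constructed to match the lecture's scenario, and the `lock_existing` option is an assumed model of treating the router's entry as a static ARP entry so an unsolicited reply cannot overwrite it.

```python
from dataclasses import dataclass, field

# Constructed addresses matching the lecture's scenario (not real hosts).
ROUTER_IP, ROUTER_MAC = "192.168.1.1", "00:11:22:33:bb:fe"
ATTACKER_MAC = "00:11:22:33:ee:ff"


@dataclass
class ArpReply:
    sender_ip: str
    sender_mac: str
    solicited: bool  # True if this host had sent "who is <sender_ip>?"


@dataclass
class ArpCache:
    """Simulated ARP cache plus arpwatch-style change detection.
    lock_existing=False: any reply overwrites the stored MAC (no authentication).
    lock_existing=True: an existing entry behaves like a static ARP entry and an
    unsolicited reply that would change it is logged but not applied."""
    lock_existing: bool = False
    table: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def process(self, reply: ArpReply) -> bool:
        """Apply one reply; return True if the table was updated."""
        old = self.table.get(reply.sender_ip)
        if old is not None and old != reply.sender_mac:
            kind = "solicited" if reply.solicited else "unsolicited"
            self.alerts.append(
                f"{reply.sender_ip}: {old} -> {reply.sender_mac} ({kind} reply)")
            if self.lock_existing and not reply.solicited:
                return False
        self.table[reply.sender_ip] = reply.sender_mac
        return True


def run_scenario(lock_existing: bool) -> ArpCache:
    """Replay the lecture's exchange: legitimate router reply, then a spoofed one."""
    cache = ArpCache(lock_existing=lock_existing)
    cache.process(ArpReply(ROUTER_IP, ROUTER_MAC, solicited=True))
    cache.process(ArpReply(ROUTER_IP, ATTACKER_MAC, solicited=False))
    return cache


if __name__ == "__main__":
    for lock in (False, True):
        c = run_scenario(lock)
        print(f"lock_existing={lock}: {ROUTER_IP} -> {c.table[ROUTER_IP]}; {c.alerts}")
```

In both runs the monitor raises one alert for the changed mapping; only the locked cache keeps pointing at the real router.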