== Example 3: ARP poisoning with MITM attack ==

This example uses two metadescriptions. The first is ARP poisoning, which is a flavor of cache poisoning, and the other is a MITM attack.


=== ARP poisoning metadescription ===

This is a special case of cache poisoning where the target is the ARP cache. I've highlighted customizations from the general cache poisoning metadescriptions to arrive at this one.

[[Image(arpcpobj.jpg)]]

(in English: There is one attacker node. There is a fakeIP of type IPaddress. A cache is simply a collection of one or more ARPRecord items. These are subtypes of Info, and the domain knowledge DB defines the syntax for an ARPRecord. The cache does not reside at the attacker.)


* '''Timeline of events:'''

[[Image(arpwf.jpg, 50%)]]

(in English: The attacker asks for something, anything, and in the same message sends the fake mapping, stealing somebody's ARP address and tying it to a fakeIP. This really could be anybody's IP, but in most cases it is the attacker's.)

* '''Invariants:'''

Nothing in addition to the topology and timeline above.

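Seen from the defender's side, the timeline above is a request whose sender fields carry a mapping that conflicts with one already in the cache. The following is an added example, not part of the original page or its tooling: a shadow ARP cache that keeps the first mapping it sees and reports conflicts. The names `CacheMonitor`, `parse_sender`, `build_arp` and `run_sample`, the 192.0.2.x addresses and the 02:00:... hardware addresses are constructed for illustration.

```python
import struct
from typing import NamedTuple, Optional

class ARPRecord(NamedTuple):          # one cache entry: IP -> hardware address
    ip: str
    mac: str

def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a 28-byte Ethernet/IPv4 ARP payload; used only for the constructed samples."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def parse_sender(payload: bytes) -> Optional[ARPRecord]:
    """Return the sender mapping a receiver would merge into its cache, or None."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        return None
    return ARPRecord(".".join(map(str, payload[14:18])), payload[8:14].hex(":"))

class CacheMonitor:
    """Shadow ARP cache that keeps the first mapping seen and reports conflicts."""
    def __init__(self) -> None:
        self.cache: dict[str, str] = {}

    def observe(self, payload: bytes) -> Optional[str]:
        rec = parse_sender(payload)
        if rec is None:
            return None
        known = self.cache.setdefault(rec.ip, rec.mac)
        if known != rec.mac:          # same IP now claimed by another hardware address
            return f"{rec.ip}: {known} -> {rec.mac}"
        return None

def run_sample() -> list:
    # Constructed traffic: documentation IPs and locally administered MACs.
    gw, victim, attacker = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:66"
    zero = "00:00:00:00:00:00"
    frames = [
        build_arp(1, gw, "192.0.2.1", zero, "192.0.2.10"),        # genuine request
        build_arp(2, victim, "192.0.2.10", gw, "192.0.2.1"),      # genuine reply
        build_arp(1, attacker, "192.0.2.1", zero, "192.0.2.10"),  # request carrying fakeIP
    ]
    monitor = CacheMonitor()
    return [alert for f in frames if (alert := monitor.observe(f))]
```

The monitor inspects requests as well as replies because an ARP receiver updates an existing cache entry from the sender fields of any ARP message, which is what the request in the timeline relies on.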