Man In The Middle Attack
What is a Man-in-the-middle Attack?
A Man-in-the-Middle attack is a type of cyber attack where a malicious actor
inserts him/herself into a conversation between two parties, impersonates both parties and
gains access to information that the two parties were trying to send to each other. A Man-in-
the-Middle Attack allows a malicious actor to intercept, send, and receive data meant
for someone else, or not meant to be sent at all, without either outside party knowing until it
is too late. Man-in-the-Middle attacks can be abbreviated in many ways including,
MITM, MitM, MiM, or MIM.
The attacker must be able to intercept all messages going between the two victims
and inject new ones, which is straightforward in many circumstances (for example, an
attacker within reception range of an unencrypted Wi-Fi wireless access point can insert
himself as a man-in-the-middle).
A man-in-the-middle attack can succeed only when the attacker can impersonate
each endpoint to the satisfaction of the other—it is an attack on mutual authentication (or
lack thereof). Most cryptographic protocols include some form
of endpoint authentication specifically to prevent MITM attacks. For example,
Key Concepts of a Man in the Middle Attack
• Man-in-the-Middle is a type of eavesdropping attack that occurs when a malicious actor
inserts himself as a relay/proxy into a communication session between people or systems.
• A MITM attack exploits the real time processing of transactions, conversations, or transfer
of other data.
• A Man-in-the-Middle attack allows an attacker to intercept, send, and receive data never
meant to be for them without either outside party knowing until it is too late.
Man in the Middle Examples
In the image above you will notice that the attacker inserted him/herself in-between the
flow of traffic between client and server. Now that the attacker has intruded
into the communication between the two endpoints he/she can inject false information
and intercept the data transferred between them. Below is another example of what
might happen once the Man in the Middle has inserted him/herself.
The hacker is impersonating both sides of the conversation to gain access to funds.
This example holds true for a conversation between a client and a server as well as for person-to-
person conversations. In the example above the attacker intercepts a public key and
substitutes his own in its place, tricking the people on either end into believing they
are talking to one another securely.
Interactions Susceptible to MITM Attacks
• Financial sites – between login and authentication
• Connections meant to be secured by public or private keys
• Other sites that require logins – where there is something to be gained by having access.
Other forms of Sidejacking
Man in the Middle is a form of session hijacking; other forms of session hijacking similar to
man in the middle are:
Sidejacking - This attack involves sniffing data packets to steal session cookies and hijack
a user’s session. These cookies can contain unencrypted login information, even if the site
was secure.
Evil Twin - This is a rogue Wi-Fi network that appears to be a legitimate network. When
users unknowingly join the rogue network, the attacker can launch a man-in-the-middle
attack, intercepting all data between you and the network.
Sniffing - This involves a malicious actor using readily available software to intercept data
being sent from, or to, your device.
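Sidejacking succeeds because a session cookie set after an HTTPS login is later sent in the clear. As an added example (not code from the post), the audit below parses the response headers that decide this: the Secure attribute, which stops a browser from ever sending the cookie over plain HTTP, HttpOnly and SameSite, the `__Host-` prefix rules, and a Strict-Transport-Security header, which stops the plain-HTTP request from being made at all (the downgrade that SSLStrip, mentioned further down, relies on). The header samples are constructed for the example.

```python
"""Audit Set-Cookie and HSTS headers for the properties that let a session
cookie be sniffed off the wire. Added example; header samples are
constructed, not captured from any real site."""


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased; flag attributes map to ''."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header_value):
    """Return a list of weaknesses that make this cookie sidejackable."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, browser will send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable by injected script")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax or Strict")
    if name.startswith("__Host-"):
        # The __Host- prefix is only honoured with Secure, Path=/ and no Domain.
        if "domain" in attrs or attrs.get("path") != "/" or "secure" not in attrs:
            findings.append(f"{name}: __Host- prefix requirements not met")
    return findings


def hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value (0 if absent)."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0


def audit_response(headers):
    """headers: list of (name, value) pairs as sent by the server.
    Returns all findings; an empty list means the cookies are not exposed
    to the sniffing path described in the text."""
    findings = []
    has_hsts = False
    for hname, hval in headers:
        lname = hname.lower()
        if lname == "set-cookie":
            findings.extend(audit_cookie(hval))
        elif lname == "strict-transport-security" and hsts_max_age(hval) > 0:
            has_hsts = True
    if not has_hsts:
        findings.append("no Strict-Transport-Security header, downgrade to HTTP possible")
    return findings


# Constructed samples: a weak login response and a hardened one.
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]
HARDENED = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "__Host-sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(hdrs) or ["ok"])
```

The weak sample reports four findings (no Secure, no HttpOnly, no SameSite, no HSTS); the hardened one reports none. Running this against a real login response's headers is a quick way to check whether a site is exposed to the cookie theft the Sidejacking item describes.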
Defense against MITM
Various defenses against MITM attacks use authentication techniques that include:
2. Strong encryption (as opposed to relying on small symmetric or asymmetric key sizes,
broken ciphers, or unproven ciphers)
3. Public key infrastructure
4. A recorded media attestation (assuming that the user's identity can be recognized from
the recording), which can either be:
• An audio/visual communication of the public key hash (which can be easily distributed via PKI)
5. Stronger mutual authentication, such as:
• Secret keys (which are usually high information entropy secrets, and thus more secure), or
• Passwords (which are usually low information entropy secrets, and thus less secure)
6. Latency examination, such as with long cryptographic hash function calculations that
lead into tens of seconds; if both parties take 20 seconds normally, and the calculation
takes 60 seconds to reach each party, this can indicate a third party.
7. Second (secure) channel verification.
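The key-substitution example earlier and the public-key-hash and second-channel defenses listed here are two sides of the same point: an unauthenticated key exchange cannot tell a genuine peer from a relay, and only an authentication step can. The added example below (not code from the post) simulates a toy Diffie-Hellman exchange twice, once directly and once through a relay that hands each side its own public value, and then applies a fingerprint comparison over an assumed second channel. The group parameters (a Mersenne prime with generator 2) are a constructed toy and not a secure choice; a PKI automates the same comparison with certificates.

```python
"""Toy Diffie-Hellman exchange with and without an in-path relay, plus the
out-of-band fingerprint check that detects the relay. Added example; the
group parameters are constructed for readability and are NOT secure."""
import hashlib
import secrets

P = 2 ** 127 - 1          # toy prime modulus (constructed, not a real group)
G = 2                     # toy generator
KEY_BYTES = (P.bit_length() + 7) // 8


class Endpoint:
    """One party holding an ephemeral DH key pair."""

    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1   # private exponent in [1, P-2]
        self.pub = pow(G, self.priv, P)

    def shared_key(self, peer_pub):
        """Derive a symmetric key from whatever public value arrived."""
        secret = pow(peer_pub, self.priv, P)
        return hashlib.sha256(secret.to_bytes(KEY_BYTES, "big")).digest()


def fingerprint(pub):
    """Short hash of a public value: the 'public key hash' a user could read
    out over a phone call or compare in person (the second channel)."""
    return hashlib.sha256(pub.to_bytes(KEY_BYTES, "big")).hexdigest()[:16]


def exchange(alice, bob, relay=None):
    """Return the public value each side *receives*. Without a relay each
    gets the other's genuine value; with a relay each gets the relay's
    value instead, which is the substitution the text describes."""
    if relay is None:
        return bob.pub, alice.pub
    return relay.pub, relay.pub


def second_channel_check(alice, bob, alice_got, bob_got):
    """Out-of-band verification: Alice reads out the fingerprint of what she
    received and Bob compares it with his own key, and vice versa. Passes
    only if nothing on the path replaced a public value."""
    return (fingerprint(alice_got) == fingerprint(bob.pub)
            and fingerprint(bob_got) == fingerprint(alice.pub))


def run(intercepted):
    """Run one exchange and report the outcome from a god's-eye view."""
    alice, bob = Endpoint("alice"), Endpoint("bob")
    relay = Endpoint("relay") if intercepted else None
    alice_got, bob_got = exchange(alice, bob, relay)
    k_alice = alice.shared_key(alice_got)
    k_bob = bob.shared_key(bob_got)
    report = {
        # True only when Alice and Bob hold one key nobody else has. Neither
        # of them can observe this themselves: each just sees a working
        # encrypted session, which is why the exchange alone is not a defense.
        "endpoints_share_key": k_alice == k_bob,
        # The authentication step that actually detects the substitution.
        "second_channel_ok": second_channel_check(alice, bob, alice_got, bob_got),
    }
    if relay is not None:
        # The relay holds a separate key with each victim, so it can read one
        # side's traffic and re-encrypt it for the other without a visible break.
        report["relay_holds_alice_key"] = relay.shared_key(alice.pub) == k_alice
        report["relay_holds_bob_key"] = relay.shared_key(bob.pub) == k_bob
    return report


if __name__ == "__main__":
    print("direct:     ", run(False))
    print("intercepted:", run(True))
```

In the direct run both flags are true; in the intercepted run the endpoints end up with different keys, the relay holds a matching key with each of them, and only the fingerprint comparison reports a problem. That is the practical content of defenses 3, 4 and 7 above: the comparison must travel over a channel the relay does not control, whether that is a certificate chain or a spoken hash.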
Implementation
Cain and Abel – a Windows GUI tool which can perform MITM attacks, along with sniffing
and ARP poisoning
Subterfuge – a framework to launch multiple MITM attacks
Ettercap – a tool for LAN based MITM attacks
Karma – a tool that uses 802.11 Evil Twin attacks to perform MITM attacks
Airjack – a tool that demonstrates 802.11 based MITM attacks
Internet Explorer.
Interceptor-NG – a network password sniffer for Windows with ARP poisoning abilities.
Includes SSLStrip for SSL based MITM attacks.
Mallory – a transparent TCP and UDP MiTMing proxy. Extensible to MiTM SSL, SSH, and
many other protocols.
wsniff – a tool for 802.11 HTTP/HTTPS based MITM attacks.
Websense Content Gateway – used to perform inspection of SSL traffic at the proxy
Fiddler2 – HTTP(S) diagnostic tool
Authma – a PKI allowing users to self-register media attestations of their public keys. Has a
developer API for integrated lookup and registration by client applications.
Simsang – a Windows GUI tool which can perform MITM attacks and ARP poisoning.
Related Attacks
Keep updated, I will post a step-by-step tutorial on how to execute a MITM attack.
Tools needed for the attack: any Linux system with ettercap installed on it (the alternatives shown as images in the original post are not reproduced here).