Anatomy of Attack #2 – Man in the Middle
Man-in-the-middle (MITM) attacks are a common type of cyberattack that lets an attacker eavesdrop on the communication between two targets. A MITM attack occurs when an unauthorized entity manages to intercept (and, where necessary, decrypt) the communication between two parties and then monitors or manipulates the information exchanged for malicious purposes. So, between two communicating devices, say A and B, a third party C “sneaks in”, intercepting the traffic while remaining invisible to A and B. The communication looks as follows:
A ——message——> C (intercepts or modifies the message) ——message——> B
The attacker can then:
- Get access data for user accounts, networks, and other resources
- Replace elements such as links or account numbers sent by one user to another
- Manipulate information in other ways, sometimes as part of a broader social engineering attack
Below are the most common types of MitM attacks. It is worth adding that most of them require interfering with a protocol or system (DNS, IP, ARP) so that the communication is routed through the attacker. Often a Man-in-the-Middle attack begins by infecting the endpoint with malware that allows such manipulation on that endpoint (Man-in-the-Browser is a special case of this type).
- Rogue Access Point – an attack exploiting the ubiquity of public WiFi networks. Attackers can set up their own wireless access point and trick nearby devices into joining it. The victim’s entire network traffic can then be manipulated by the attacker. This is dangerous because the attacker doesn’t even need to be on a trusted network: because the victim treats it as a legitimate access point, they trust its network and the Internet access it provides.
- ARP Spoofing – ARP, the Address Resolution Protocol, is used to bind IP addresses to physical MAC (Media Access Control) addresses in the local network. When a host needs to “talk” to a host with a given IP address, it consults its ARP cache to translate the IP address to a MAC address. If the address is unknown, it broadcasts a query asking for the MAC address of the device with that IP address. ARP has no authentication, so an attacker on the same network can answer such a query, or send unsolicited replies, claiming another host’s IP address (typically the gateway’s) for their own MAC address; the victim’s traffic is then delivered to the attacker.
- mDNS Spoofing – Multicast DNS is similar to DNS but operates on a local area network (LAN) using a broadcast-style query on the link, much as ARP does. This makes it an ideal target for spoofing attacks. The local name resolution system is designed to make the configuration of network devices extremely simple. Users don’t need to know exactly which addresses their devices should communicate with; they let the system sort it out for them. Devices such as televisions, printers, and entertainment systems use this protocol because they are usually located on trusted networks. When an application needs to know the address of a specific device, such as tv.local, an attacker can easily answer that request with false data, pointing the victim to an address under the attacker’s control. Because devices keep a local cache of resolved addresses, the victim will now treat the attacker’s device as the trusted one for some time.
- DNS Spoofing – Just as ARP resolves IP addresses to MAC addresses on a LAN, DNS resolves domain names to IP addresses. In a DNS spoofing attack, the attacker tries to inject forged DNS cache entries into a host, so that an attempt to reach another host by its domain name, such as www.onlinebanking.com, resolves to an address the attacker controls. The victim then sends confidential information to a malicious host in the belief that it is going to a trusted source.
- SSL Stripping – The attacker intercepts the traffic and rewrites requests for HTTPS addresses so that they go to an HTTP endpoint instead, forcing the host to send its requests to the server unencrypted. To “strip” SSL, the attacker interferes with the HTTP redirect to the secure HTTPS protocol (note that the redirect to the HTTPS site must originate from an HTTP-only site for the technique to work) and intercepts the request from the user to the server. The attacker then establishes an HTTPS connection between themselves and the server and an unsecured HTTP connection with the user, acting as a “bridge” between them.
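The ARP spoofing pattern described above is visible on the wire: an IP address that was bound to one MAC suddenly appears in replies with another, and one MAC starts claiming several IPs. The following detector is an added example (not code from the original post); it parses constructed log lines in the format printed by `tcpdump -n arp` and raises an alert on both symptoms.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format printed by "tcpdump -n arp".
# Lines 1-3 show normal traffic; from line 4 the gateway's IP (192.168.1.1)
# is suddenly claimed by a second MAC, which then also claims the victim's
# IP: the classic bidirectional ARP poisoning pattern.
ARP_LOG = """\
12:00:01.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
12:00:02.000000 ARP, Request who-has 192.168.1.20 tell 192.168.1.1, length 28
12:00:02.000100 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
12:00:09.500000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
12:00:09.500200 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28
"""

REPLY_RE = re.compile(r"^(\S+) ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})", re.I)

def parse_arp_replies(log):
    """Yield (timestamp, ip, mac) for every ARP reply line; requests are ignored."""
    for line in log.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()

def detect_arp_spoofing(log):
    """Return alerts for (a) an IP whose MAC differs from the one first learned
    and (b) a MAC that claims more than one IP (a host poisoning both ends)."""
    first_mac = {}                   # ip -> MAC learned first (assumed legitimate)
    ips_by_mac = defaultdict(set)    # mac -> set of IPs it has claimed
    alerts = []
    for ts, ip, mac in parse_arp_replies(log):
        ips_by_mac[mac].add(ip)
        known = first_mac.setdefault(ip, mac)
        if known != mac:
            alerts.append(("ip-mac-conflict", ts, ip, known, mac))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append(("mac-claims-many-ips", mac, tuple(sorted(ips))))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_LOG):
        print(alert)
```

The "first MAC seen is legitimate" assumption only holds if monitoring starts before the poisoning; in practice, seed `first_mac` with known-good bindings (at least the gateway's real MAC) rather than learning them from traffic.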
“Intercepting” unencrypted traffic is actually 90% of success. From here, the attacker moves on to the activities that matter to them – eavesdropping, theft, and manipulation. Below is an overview of what typically follows once the attacker controls the user’s communication stream:
- Sniffing – Attackers use packet capture tools to inspect packets at a low level. Wireless adapters that can be put into monitor or promiscuous mode allow an attacker to see packets that are not intended for them, such as packets addressed to other hosts.
- Packet injection – injecting malicious packets into data streams. The packets are blended into legitimate data streams so that they appear to be part of the communication while being malicious in nature. Packet injection usually involves first “listening” to determine how and when to craft and send the packets.
- Session hijacking – Most web applications use a login mechanism that generates a temporary session token for use in subsequent requests, so that the user does not have to type a password on every page. An attacker eavesdropping on sensitive traffic can identify the user’s session token and use it to send requests as that user.
So, how do you detect a man-in-the-middle attack?
First of all, unless you are actively checking whether your communication has been intercepted, a Man-in-the-middle attack can go unnoticed until it’s too late. Verifying that a page is authentic and implementing some form of tamper detection are usually the key methods of spotting a possible attack, but these procedures may require additional forensic analysis after the fact. Prevention is better than cure – that’s why we present the best practices for preventing man-in-the-middle attacks:
Strong WEP / WPA encryption on access points
Having a strong encryption mechanism on your wireless access points prevents unwanted users from joining your network just because they are nearby (WEP itself has long been broken; in practice this means WPA2 or WPA3). A weak encryption mechanism could allow an attacker to brute-force their way onto your network and initiate a man-in-the-middle attack. The stronger the encryption implementation, the more secure the network.
Strong router login credentials
It is imperative to make sure that the default router credentials have been changed (ideally not only on the router 🙂). This means not only the Wi-Fi password but also the administrative login of the router itself. If an attacker obtains the router credentials, they can point its DNS settings at their own malicious servers or, worse, infect the router with malware. Strong passwords, on the other hand, are a topic for weekly workshops, the basis of education and a constant problem …
Virtual Private Networks (VPN)
VPNs can be used to create a secure environment for sensitive information on a local network. They use key-based encryption to create a virtual subnet for secure communication. This way, even if an attacker gets onto the shared network, they will not be able to decrypt the VPN traffic. The same role can be played by a messaging application built on an encrypted protocol, or by an application based on Zero Trust Network Access.
HTTPS
HTTPS provides secure communication over HTTP using public/private key cryptography. This prevents an attacker from making use of the data they can eavesdrop on. Websites should use HTTPS only and not provide HTTP alternatives. Users can install browser plug-ins that force requests to use HTTPS.
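Whether a site really offers no HTTP alternative, and whether its session cookies can leak over a stripped connection, can be checked from the response headers alone. The auditor below is an added example (not code from the original post): it flags a plain-HTTP response that is not a redirect to HTTPS, an HTTPS response without a Strict-Transport-Security header (which is what lets browsers refuse a stripped http:// link next time), and session cookies missing the Secure or HttpOnly attributes. The responses it runs over are constructed.

```python
def parse_response(raw):
    """Split a raw HTTP response head into (status code, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit_response(raw, over_https):
    """Return a list of findings; an empty list means nothing to report."""
    status, headers = parse_response(raw)
    values = lambda name: [v for k, v in headers if k == name]
    findings = []
    if over_https:
        # Without HSTS a browser will follow a stripped http:// link on the next visit.
        if not values("strict-transport-security"):
            findings.append("missing Strict-Transport-Security header")
    else:
        # A plain-HTTP response must be a redirect to https://; anything else means
        # the site offers an HTTP alternative that an attacker can keep alive.
        loc = values("location")
        if status not in (301, 302, 307, 308) or not loc \
                or not loc[0].lower().startswith("https://"):
            findings.append("HTTP response is not a redirect to HTTPS")
    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:       # would be sent over a stripped HTTP session
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:     # readable by injected script
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings

# Constructed responses: a weak one, a hardened one and a proper HTTP->HTTPS redirect.
WEAK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Set-Cookie: SESSIONID=abc123; Path=/\r\n\r\n<html>...")
HARDENED = ("HTTP/1.1 200 OK\r\n"
            "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
            "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n\r\n")
REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://shop.example/\r\n\r\n"

if __name__ == "__main__":
    print(audit_response(WEAK, over_https=True))
    print(audit_response(HARDENED, over_https=True))
    print(audit_response(REDIRECT, over_https=False))
```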
Authentication based on a pair of public keys
Man-in-the-middle attacks involve faking something – always. Authentication based on a public key pair, such as RSA, can be used at different layers of the stack to ensure that the things you communicate with are actually the things you want to communicate with.
Thanks to the widespread use of HTTPS, MitM attacks are no longer a mass phenomenon – however, this makes the ones that do occur more dangerous. The level of effort involved in gaining access makes MITM one of the final stages of a complex attack designed to intercept the content of our communications. As you know, effort should be directly proportional to the reward – so we commend the above practices to your attention, so as not to make the thieves’ lives too easy.