Terms. All About the Man in the Middle (MitM) Attack Understanding How the Internet Works

A three-step process for starting a TCP session. The client sends a packet with the SYN flag to the server. Having received the client's SYN packet, the server replies with a packet carrying the SYN and ACK flags and enters the ESTABLISHED state. Having received a correct response from the server, the client sends a packet with the ACK flag and enters the ESTABLISHED state.

Ban list

A list of clients who are denied certain actions. A ban list is usually used to limit the capabilities of bots when a DDoS attack is detected. On game servers this list also includes players with a bad reputation, players using cheats, or players committing prohibited actions.

The bot

A computer used to carry out a DDoS attack with "real" traffic. In most cases it is an ordinary user's computer infected with a virus. Often the user does not notice that the computer is infected and is being used for illegal purposes.

Web server

A computer on a network that accepts HTTP requests from clients, usually web browsers, and issues HTTP responses to them. Typically, along with the HTTP response, the web server responds with an HTML page, image, media stream, or other data.

Web service

Web services are services provided over the Internet: search, webmail, storage of documents, files, bookmarks, and so on. Usually a web service can be used regardless of the computer, browser or location from which the Internet is accessed.

Domain

The word domain is used in a variety of contexts in networking. Most often it means the domain name of a site. Domains are divided into levels: in the domain example.com, com is the first-level domain and example is the second-level domain. For convenience, people also use the term "subdomain" for a domain with a level greater than two. For example, in the domain mail.example.com, mail is a subdomain.

Search robot

A search engine service that discovers new pages on the Internet and detects changes to existing ones. It works much like a browser: it analyzes the content of a page, stores it in a special form on the servers of the search engine it belongs to, and follows the page's links to further pages.

Bandwidth

The maximum amount of data that can be transmitted per unit of time. Internet providers that promise high-speed access often fail to deliver it; in most cases this is because the available bandwidth is fully consumed.

18.10.2016 | Vladimir Khazov

The plans of the FSB, the Ministry of Telecom and Mass Communications and the Ministry of Industry and Trade to implement the provisions of the Yarovaya law on intercepting and decrypting the correspondence of Russians are no longer just plans: they have already been set in motion by an order for an expert opinion on the feasibility of intercepting WhatsApp, Viber, Facebook Messenger, Telegram and Skype messages using MITM attacks, and for a demonstration of a prototype of such a tool.

We described the scheme for organizing a "legitimate" MITM attack in the previous article. Today we will dwell in more detail on the principle of such an attack and the methods of carrying it out.

What is a MITM attack

Man In The Middle (MITM) translates as "man in the middle". The term refers to a network attack in which an attacker sits between the Internet user and the application he is accessing: not physically, of course, but with the help of special software. It presents itself to the user as the requested application (a website or an Internet service), simulates working with it, and does so in a way that gives the impression of normal operation and information exchange.

The target of the attack is the user's personal data: login credentials for various systems, bank details and card numbers, personal correspondence and other confidential information. In most cases, attacks target financial applications (client banks, online banks, payment and money transfer services), corporate SaaS services, e-commerce sites (online stores) and other sites that require the user to log in.

The information obtained by the attacker can be used for various purposes, including illegal money transfers, changing account details, intercepting personal correspondence, making purchases at someone else's expense, compromise and blackmail.

In addition, after stealing credentials and breaking into the system, criminals can install malicious software on the corporate network to organize the theft of intellectual property (patents, projects, databases) and cause economic damage by deleting important data.

A MITM attack can be compared to a postman who, while delivering your correspondence, opens a letter, copies its contents for his own use, or even, having faked your handwriting, adds something of his own, and then seals the envelope and delivers it to the addressee as if nothing had happened. Moreover, if you encrypted the text of the letter and want to tell the addressee the decryption key in person, the postman will introduce himself as the addressee so that you do not even notice the substitution.

How a MITM attack is carried out

The execution of a MITM attack consists of two phases: interception and decryption.

  • Interception

The first stage of the attack is to intercept traffic from the user to the intended target and redirect it to the attacker's network.

The most common and easiest way to intercept is a passive attack, in which the attacker sets up Wi-Fi hotspots with free access (no password and no authorization). The moment a user connects to such a hotspot, the attacker gains access to all traffic passing through it and can extract any data from it.

The second method is active interception, which can be carried out by one of the following options:

IP spoofing: the target's IP address in the packet header is replaced with the attacker's address. As a result, users end up on the attacker's site instead of at the requested URL.

ARP spoofing: the real MAC address of a host in the victim's ARP table is replaced with the attacker's address. As a result, data that the user sends to the IP address of the required host arrives at the attacker.

DNS spoofing: poisoning of the DNS cache, infiltration of the DNS server and substitution of the record that maps a website name to an address. As a result, the user tries to reach the requested site but receives the attacker's site address from the DNS server.

  • Decryption

After interception, the two-way SSL traffic must be decrypted, and this must be done in such a way that neither the user nor the resource he requested notices the interference.

There are several methods for this:

HTTPS spoofing: a fake certificate is sent to the victim's browser at the moment a connection to the site is being established over HTTPS. The certificate carries the digital signature of the compromised application, which makes the browser accept the connection with the attacker as trustworthy. Once such a connection is established, the attacker gains access to any data the victim enters before it is passed on to the application.

SSL BEAST (Browser Exploit Against SSL/TLS): the attack exploits an SSL vulnerability in TLS versions 1.0 and 1.2. The victim's computer is infected with malicious JavaScript that intercepts the encrypted cookies sent to the web application. This compromises the cipher block chaining (CBC) encryption mode so that the attacker obtains the decrypted cookies and authentication keys.

SSL hijacking: fake authentication keys are passed to the user and to the application at the start of the TCP session. This creates the appearance of a secure connection when in fact the session is controlled by the man in the middle.

SSL stripping: the connection is downgraded from secure HTTPS to plain HTTP by intercepting the TLS authentication that the application sends to the user. The attacker gives the user unencrypted access to the site while himself maintaining a secure session with the application, which lets him see the data the victim transmits.

Protection against MITM attacks

Reliable protection against MITM attacks is possible when the user takes several preventive measures and web application developers use a combination of encryption and authentication methods.

User actions:

  • Avoid connecting to Wi-Fi hotspots that are not password protected. Disable automatic connection to known access points: an attacker can disguise his Wi-Fi as a legitimate one.
  • Pay attention to browser warnings about switching to an unprotected site. Such a message may indicate a transition to an attacker's fake site or a problem with the protection of a legitimate site.
  • Log out of the application when it is not in use.
  • Do not use public networks (cafes, parks, hotels, etc.) for confidential transactions (business correspondence, financial transactions, purchases in online stores, etc.).
  • Use an antivirus with up-to-date databases on your computer or laptop; it helps protect against attacks that use malicious software.

Developers of web applications and sites must use the secure TLS and HTTPS protocols, which greatly complicate spoofing attacks by encrypting the transmitted data. Their use also prevents traffic from being intercepted in order to obtain authorization parameters and access keys.

It is considered good practice to protect with TLS and HTTPS not only the authorization pages but all other sections of the site as well. This reduces the chance that an attacker steals the user's cookies when the user navigates unprotected pages after logging in.

Protection against MITM attacks is the responsibility of both the user and the telecom operator. The most important thing for the user is not to lose vigilance, to use only proven ways of accessing the Internet, and to choose sites with HTTPS encryption when transferring personal data. Telecom operators can be advised to use Deep Packet Inspection (DPI) systems to detect anomalies in data networks and prevent spoofing attacks.

Government agencies plan to use MITM attacks to protect citizens, not to harm them, unlike attackers. Interception of private messages and other user traffic is carried out within the framework of current legislation, by decision of the judicial authorities, to combat terrorism, drug trafficking and other prohibited activities. For ordinary users, "legitimate" MITM attacks are not dangerous.

Man in the middle (attack): a term denoting a situation in which an attacker is able to read and modify at will the messages exchanged by correspondents, while none of them can detect his presence in the channel.


Wikimedia Foundation. 2010.


Man-in-the-middle attack is a generic name for various techniques aimed at gaining access to traffic as an intermediary. Because of the wide variety of these techniques, it is hard to build a single detection tool that works in all possible situations. For example, a man-in-the-middle attack on a local network usually relies on ARP spoofing, and many MitM detection tools watch for changes in Ethernet/IP address pairs or report suspicious ARP activity by passively monitoring ARP requests and responses. But if the attack is carried out from a maliciously configured proxy server or VPN, or in other cases where ARP poisoning is not used, such tools are helpless.

The purpose of this section is to look at some techniques for detecting man-in-the-middle attacks, as well as some tools designed to determine whether a MitM attack is being carried out against you. Because of the variety of methods and scenarios, 100% detection cannot be guaranteed.

1. Traffic modification detection

As already mentioned, ARP spoofing is not always used in man-in-the-middle attacks. Therefore, while ARP-level activity detection is the most popular detection method, traffic modification detection is a more general method. The mitmcanary program can help us with this.

The program works by making "control" requests and saving the responses it receives. It then repeats the same requests at set intervals and compares the new responses with the saved ones. The program is intelligent enough to avoid false positives: it detects dynamic elements in the responses and handles them correctly. As soon as it detects traces of the activity of MitM attack tools, it reports this.

Examples of the traces some tools leave:

  • MITMf by default rewrites all HTTPS URLs in HTML code to HTTP; this is revealed by comparing the HTTP content.
  • Zarp + MITMProxy: MITMProxy can strip HTTP compression, which it does to make the transmitted traffic readable; the bundle is detected by the disappearance of previously present compression.
  • Responder: detected by sudden changes in mDNS responses (an unexpected response; an internal answer where an external one is expected; a response IP different from the expected one).
  • MITMCanary vs MITMf:
  • MITMCanary vs Responder:
  • MITMCanary vs Zarp + MITMProxy:
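The comparison logic that mitmcanary's approach implies, as an added example that is not mitmcanary's own code or part of the article: a baseline response recorded on a trusted network is compared with a later one after known dynamic fragments are masked, and the two traces described above, HTTPS links rewritten to HTTP and a vanished Content-Encoding header, are flagged. The baseline and the later responses are constructed, as are the dynamic-element patterns.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed baseline, as recorded on a trusted network (not real traffic).
BASELINE_HEADERS: Dict[str, str] = {"Content-Type": "text/html", "Content-Encoding": "gzip"}
BASELINE_BODY = (
    '<html><body>'
    '<a href="https://bank.example/login">Login</a>'
    '<a href="https://cdn.example/app.js">app</a>'
    '<span id="ts">1478003111</span><input name="csrf" value="a81f3c">'
    '</body></html>'
)

# Fragments that legitimately differ on every request; without masking them each
# re-check would differ from the baseline and produce false positives.
DYNAMIC_PATTERNS = [
    re.compile(r'<span id="ts">\d+</span>'),
    re.compile(r'name="csrf" value="[0-9a-f]+"'),
]


@dataclass
class Finding:
    kind: str
    detail: str


def normalise(body: str) -> str:
    """Replace known dynamic fragments with a fixed placeholder before comparing."""
    for pattern in DYNAMIC_PATTERNS:
        body = pattern.sub("<dynamic>", body)
    return body


def compare_response(base_headers: Dict[str, str], base_body: str,
                     headers: Dict[str, str], body: str) -> List[Finding]:
    """Findings that point to modification of the response somewhere on the path."""
    findings: List[Finding] = []
    # Trace 1 (MITMf style): HTTPS links present in the baseline now appear as HTTP links.
    base_https = set(re.findall(r'href="(https://[^"]+)"', base_body))
    cur_http = set(re.findall(r'href="(http://[^"]+)"', body))
    downgraded = sorted(u for u in base_https if "http://" + u[len("https://"):] in cur_http)
    if downgraded:
        findings.append(Finding("https_downgrade", ", ".join(downgraded)))
    # Trace 2 (proxy that decompresses for inspection): Content-Encoding disappears.
    if base_headers.get("Content-Encoding") and not headers.get("Content-Encoding"):
        findings.append(Finding("compression_removed", base_headers["Content-Encoding"]))
    # Generic trace: any other difference once dynamic fragments are masked.
    if not downgraded and normalise(base_body) != normalise(body):
        findings.append(Finding("body_changed", "content differs after normalisation"))
    return findings


def run_scenarios() -> Dict[str, List[str]]:
    """A later clean response (only dynamic parts changed) and one modified in transit."""
    clean_body = BASELINE_BODY.replace("1478003111", "1478003171").replace("a81f3c", "9e0b22")
    tampered_headers = {"Content-Type": "text/html"}            # compression stripped
    tampered_body = clean_body.replace("https://", "http://")   # links downgraded
    return {
        "clean": [f.kind for f in compare_response(BASELINE_HEADERS, BASELINE_BODY,
                                                    BASELINE_HEADERS, clean_body)],
        "tampered": [f.kind for f in compare_response(BASELINE_HEADERS, BASELINE_BODY,
                                                       tampered_headers, tampered_body)],
    }
```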

sudo pip install Cython
sudo apt-get install python-kivy python-dbus
sudo pip install plyer uuid urlopen analysis request simplejson datetime
git clone https://github.com/CylanceSPEAR/mitmcanary.git
cd mitmcanary/

As already mentioned, mitmcanary must start with control requests. To do this, go to the directory

cd service/

and run the file setup_test_persistence.py:

python2 setup_test_persistence.py

This will take some time; wait until it finishes. No error messages should be displayed (if there are any, you are missing some dependencies).

Something like this will be output:

[email protected]:~/bin/mitmcanary/service$ python2 setup_test_persistence.py
Older configuration version detected (0 instead of 14)
Upgrading configuration in progress.
Purge log fired. Analysing...
Purge finished!
Record log in /home/mial/.kivy/logs/kivy_16-11-01_0.txt
v1.9.1
v2.7.12+ (default, Sep 1 2016, 20:27:38)

When this process has finished, execute the following in the same directory (this starts the background process):

python2 main.py

Then open a new terminal window and change to the root directory of mitmcanary. In my case this directory is bin/mitmcanary/, so I enter

cd bin/mitmcanary/

and execute there:

python2 main.py

The first window displays something like:

[email protected]:~/bin/mitmcanary/service$ python2 main.py
Record log in /home/mial/.kivy/logs/kivy_16-11-01_1.txt
v1.9.1
v2.7.12+ (default, Sep 1 2016, 20:27:38)
using for socket
listening for Tuio on 127.0.0.1:3000
Sleeping for 60 seconds
Sleeping for 60 seconds
Sleeping for 60 seconds
Sleeping for 60 seconds
Sleeping for 60 seconds
Sleeping for 60 seconds

That is, the program makes control requests once a minute and looks for signs of a man-in-the-middle attack in the responses.

The second window also shows output, and a dark window opens, which the authors of the program call a "graphical interface":

You can wait a while and browse the Internet to make sure the program does not issue false warnings.

Let's try the classic Ettercap program.

I am running a regular MitM attack with ARP spoofing. mitmcanary does not react to the ARP poisoning itself. The mitmcanary tool generates traffic on its own, so no user action is required. After some time a single warning appears, which is not confirmed by the subsequent checks. But a similar warning appears again after a few minutes. Without additional analysis it is hard for me to say whether this is a false positive; it looks very much like one. It is possible that the warning is caused by a communication disruption as the traffic has to take additional routes, or by the peculiarities of my poor-quality Internet connection.

Since the result is not clear-cut (more "no" than "yes"), let's try the Bettercap program, which has a variety of modules. I have no doubt that when using various Ettercap plugins and/or additional programs to extend its functionality, we would also become visible to mitmcanary.

For the purity of the experiment, I restart the equipment, run mitmcanary on the attacked machine and Bettercap on the attacking one. The control requests do not need to be made again on the attacked machine: they are saved in a file inside the program directory. That is, just start the service and the GUI.

On the attacking machine, we run Bettercap with the parsers enabled:

sudo bettercap -X

Individual warnings appear, which also look more like false positives.

But running a command like this:

sudo bettercap -X --proxy

generates a large number of warnings about a possible man-in-the-middle attack on the attacked machine:

So, the more functional a man-in-the-middle attack tool is, the more traces it leaves in traffic. For practical use of mitmcanary, the following conditions must be met:

  • make the initial requests on a trusted network, when you are sure there is no intermediary in the transmission of traffic;
  • edit the resources to which the verification requests are made, since a professional attacker can add the default resources to exceptions, which would make him invisible to this tool.

2. Revealing ARP spoofing (ARP cache poisoning)

Very often a man-in-the-middle attack on a LAN begins with ARP poisoning. That is why many tools designed to detect MitM attacks are based on tracking changes in the ARP cache, which holds the mapping between Ethernet (MAC) addresses and IP addresses.

Examples of such programs are arpwatch, arpalert and a large number of newer programs. ArpON not only monitors ARP cache changes but also protects the cache against them.

As an example, let's run arpwatch in debug mode, without forking into the background and without sending messages by mail. Instead, messages are sent to stderr (standard error output).

sudo /usr/sbin/arpwatch -d

Launch Ettercap on the attacking machine and start ARP spoofing. On the attacked machine, we observe:

arpwatch will help you quickly find out about new devices connected to your local network, as well as about changes in the ARP cache.

Another tool for detecting ARP spoofing in real time is a plugin from Ettercap itself called arp_cop. Launch Ettercap on the attacked machine as follows:

sudo ettercap -TQP arp_cop ///

And on the attacking machine, start ARP poisoning. The attacked machine immediately starts displaying warnings:
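The mechanism behind arpwatch-style monitoring, as an added example that is not part of the article or of arpwatch: raw ARP replies are parsed, a table of IP-to-MAC bindings is kept, and a changed binding, a flip-flop back to an earlier MAC, a change on a protected address such as the default gateway, and one MAC answering for several IPs are reported. The four ARP payloads and all addresses are constructed for the example.

```python
import socket
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
ARP_REPLY = 2


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(payload: bytes) -> Optional[dict]:
    """Parse an Ethernet/IPv4 ARP payload (28 bytes); None for anything else."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": oper, "sha": fmt_mac(sha), "spa": socket.inet_ntoa(spa),
            "tha": fmt_mac(tha), "tpa": socket.inet_ntoa(tpa)}


class ArpMonitor:
    """Tracks IP -> MAC bindings learned from ARP replies, roughly as arpwatch does."""

    def __init__(self, protected_ips: Tuple[str, ...] = ()):
        self.table: Dict[str, str] = {}                         # current binding per IP
        self.history: Dict[str, Set[str]] = defaultdict(set)    # every MAC ever seen per IP
        self.protected = set(protected_ips)                     # e.g. the default gateway

    def observe(self, payload: bytes) -> List[Tuple[str, str, str]]:
        arp = parse_arp(payload)
        if arp is None or arp["op"] != ARP_REPLY:
            return []
        ip, mac = arp["spa"], arp["sha"]
        alerts: List[Tuple[str, str, str]] = []
        prev = self.table.get(ip)
        if prev is None:
            alerts.append(("new station", ip, mac))
        elif prev != mac:
            # arpwatch reports "changed ethernet address"; a return to a MAC seen
            # earlier for the same IP is its "flip flop".
            kind = "flip flop" if mac in self.history[ip] else "changed ethernet address"
            alerts.append((kind, ip, f"{prev} -> {mac}"))
            if ip in self.protected:
                alerts.append(("protected ip rebinding", ip, mac))
        # One MAC answering for several IPs (its own and the gateway's) is the usual poisoning pattern.
        others = sorted(i for i, m in self.table.items() if m == mac and i != ip)
        if others:
            alerts.append(("mac claims multiple ips", mac, ", ".join(others + [ip])))
        self.table[ip] = mac
        self.history[ip].add(mac)
        return alerts


# Constructed sample capture (hex ARP reply payloads, not real traffic). Victim 192.168.1.48
# at aa:bb:cc:dd:ee:01, gateway 192.168.1.1 at 00:11:22:33:44:55, host 192.168.1.77 at de:ad:be:ef:00:01.
SAMPLE_REPLIES = [
    "0001080006040002" "001122334455" "c0a80101" "aabbccddee01" "c0a80130",  # gateway -> victim
    "0001080006040002" "deadbeef0001" "c0a8014d" "aabbccddee01" "c0a80130",  # host .77 -> victim
    "0001080006040002" "deadbeef0001" "c0a80101" "aabbccddee01" "c0a80130",  # .77's MAC now claims the gateway IP
    "0001080006040002" "001122334455" "c0a80101" "aabbccddee01" "c0a80130",  # the real gateway answers again
]


def run_sample() -> List[List[Tuple[str, str, str]]]:
    """Feed the constructed replies through a monitor that protects the gateway address."""
    mon = ArpMonitor(protected_ips=("192.168.1.1",))
    return [mon.observe(bytes.fromhex(h)) for h in SAMPLE_REPLIES]
```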

3. DNS spoofing detection

DNS spoofing indicates that there is an intermediary between you and the destination who can modify your traffic. How can you tell whether DNS records have been spoofed? The easiest way is to compare them with the responses of a trusted nameserver. But the records in the response to your request can be spoofed as well...

That is, you need to check either through an encrypted channel (for example, through Tor) or with non-standard settings (a different port, TCP instead of UDP). This is roughly what XiaoxiaoPu's sans program is for (at least that is how I understand it). Using this program, I managed to redirect DNS requests through Tor and, with non-standard settings, to my own DNS server. But I still could not get it to show me messages about spoofed DNS responses. And without that, the program loses its point.

I could not find more worthy alternatives.

In principle, given that DNS spoofers usually monitor only port 53 and only UDP, it is enough to check for DNS spoofing manually, although this requires your own DNS server with a non-standard configuration. For example, on the attacking machine I created the file dns.conf with the following content:

local mi-al.ru

That is, when a DNS record for the site mi-al.ru is requested, the IP of the attacker's machine is sent instead of the real IP.

I run it on the attacking machine:

sudo bettercap --dns dns.conf

And on the attacked machine I do two checks:

dig mi-al.ru
dig mi-al.ru -p 4560 @185.117.153.79

Results:

[email protected]:~$ dig mi-al.ru

; <<>> DiG 9.10.3-P4-Debian <<>> mi-al.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51993
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mi-al.ru.                      IN      A

;; ANSWER SECTION:
mi-al.ru.               86400   IN      A       192.168.1.48

;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Nov 02 09:25:20 MSK 2016
;; MSG SIZE  rcvd: 42

[email protected]:~$ dig mi-al.ru -p 4560 @185.117.153.79

; <<>> DiG 9.10.3-P4-Debian <<>> mi-al.ru -p 4560 @185.117.153.79
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 401
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mi-al.ru.                      IN      A

;; ANSWER SECTION:
mi-al.ru.               3799    IN      A       185.26.122.50

;; Query time: 304 msec
;; SERVER: 185.117.153.79#4560(185.117.153.79)
;; WHEN: Wed Nov 02 09:25:27 MSK 2016
;; MSG SIZE  rcvd: 53

It can be seen that the "normal" DNS query returned the local IP 192.168.1.48, while the query to the DNS server on an atypical port returned the correct server IP.

If the server were configured to work with TCP (not UDP), then the command would look like this:

dig mi-al.ru -p 4560 +tcp @185.117.153.79

There is clearly a lack of a tool that would itself track DNS responses in traffic, recheck them against an alternative source, and raise an alarm in case of spoofing.

To avoid setting up your own remote DNS server, you can query a nameserver over Tor. Since all Tor traffic is encrypted, DNS responses obtained this way are out of reach of an intermediary. If Tor is not yet installed, install it:

sudo apt-get install tor    # Debian-based systems

sudo pacman -S tor          # Arch Linux

Start the service:

sudo systemctl start tor

If you need it, add this service to startup:

sudo systemctl enable tor

Open the file /etc/tor/torrc and add the following lines:

DNSPort 530
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion

Note the number 530: this is the port number, and instead of 530 you can specify any other (unoccupied) port. The main thing is to remember it.

We do checks again:

dig mi-al.ru
dig mi-al.ru -p 530 @localhost

Now we specify localhost as the server and the port number you set in /etc/tor/torrc.

As you can see from the following screenshot, a DNS spoofing attack is being carried out against the machine on which the check was made:

4. Searching for network interfaces in promiscuous mode

If your local network has equipment in promiscuous mode (and especially if it has suddenly appeared), this is very suspicious, although it does not unequivocally indicate a man-in-the-middle attack.

In this mode, the network card allows all packets to be received regardless of who they are addressed to.

In the normal state, the Ethernet interface uses link layer packet filtering, and if the MAC address in the destination header of the received packet does not match the MAC address of the current network interface and is not broadcast, then the packet is dropped. In promiscuous mode, filtering on the network interface is disabled and all packets, including those not intended for the current host, are allowed into the system.

Most operating systems require administrator rights to enable promiscuous mode. That is, switching a NIC to promiscuous mode is a deliberate action that can serve the purpose of sniffing.

To search for network interfaces in promiscuous mode, there is an Ettercap plugin called search_promisc.

An example of starting a plugin:

sudo ettercap -TQP search_promisc ///

The plugin is not completely reliable; it may make mistakes in determining the mode of a network interface.

Conclusion

Some man-in-the-middle attacks leave many traces, and some (like passively looking for credentials on a proxy) are impossible or nearly impossible to detect.

Attack principle

The attack usually starts with eavesdropping on the communication channel and ends with the cryptanalyst trying to substitute the intercepted message, extract useful information from it, and redirect it to some external resource.

Suppose object A plans to convey some information to object B. Object C knows the structure and properties of the data transfer method used, as well as the fact that the information C plans to intercept is about to be transferred. To carry out the attack, C "appears" to A as B, and to B as A. Object A, mistakenly believing it is sending information to B, sends it to C. Object C, having received the information and performed some actions with it (for example, copied or modified it for its own purposes), sends the data on to the proper recipient, B; B, in turn, believes the information was received directly from A.

An example of an attack

Injection of malicious code

A man-in-the-middle attack allows a cryptanalyst to inject his code into emails, SQL statements and web pages (i.e. it allows SQL injection, HTML/script injection or XSS attacks), and even to modify binaries downloaded by the user in order to gain access to a user account or change the behavior of a program the user downloaded from the Internet.

Downgrade attack

The term "downgrade attack" refers to an attack in which a cryptanalyst forces the user to use less secure functions or protocols that are still supported for compatibility reasons. This type of attack can be carried out against the SSH, IPsec and PPTP protocols.

SSH V1 instead of SSH V2

An attacker can try to change the connection parameters between the server and the client while the connection is being established. According to a talk given at Blackhat Conference Europe 2003, a cryptanalyst can "force" a client to start an SSH1 session instead of SSH2 by changing the version number "1.99" of the SSH session to "1.51", which means using SSH V1. The SSH-1 protocol has vulnerabilities that a cryptanalyst can exploit.

IPsec

In this scenario, the cryptanalyst misleads his victim into thinking that an IPsec session cannot be started on the other end (the server). As a result, messages are sent in the clear if the host machine is running in fallback mode.

PPTP

During negotiation of the PPTP session parameters, the attacker can force the victim to use the less secure PAP authentication or MSCHAP V1 (that is, "roll back" from MSCHAP V2 to version 1), or not to use encryption at all.

The attacker can force his victim to repeat the PPTP session parameter negotiation (by sending a Terminate-Ack packet), steal the password from the existing tunnel, and repeat the attack.

Will encryption save you?

Consider the case of a standard HTTP transaction. In this case, an attacker can quite easily split the original TCP connection into two new ones: one between himself and the client, the other between himself and the server. This is quite easy to do, since it is very rare that the connection between the client and the server is direct, and in most cases they are connected through a number of intermediate servers. An MITM attack can be carried out on any of these servers.

However, a man-in-the-middle attack can also be carried out when the client and server communicate over HTTPS, a protocol that supports encryption. This type of connection uses TLS or SSL to encrypt requests, which seemingly makes the channel secure from sniffing and MITM attacks. An attacker can create two independent SSL sessions for each TCP connection: the client establishes an SSL connection with the attacker, who in turn establishes a connection to the server. In such cases the browser usually warns that the certificate is not signed by a trusted certification authority, but an ordinary user can easily ignore this warning. In addition, an attacker may possess a certificate signed by a certification authority. Thus, the HTTPS protocol cannot be considered secure against MITM attacks.

MITM attack detection

To detect a man-in-the-middle attack, you need to analyze network traffic. For example, to detect an SSL attack, you should pay attention to the following parameters:

  • Server IP
  • DNS server
  • X.509 - server certificate
    • Is the certificate self-signed?
    • Is the certificate signed?
    • Has the certificate been revoked?
    • Has the certificate changed recently?
    • Have other clients on the Internet received the same certificate?

MITM attack implementations

The listed programs can be used to carry out man-in-the-middle attacks, as well as to detect them and test the system for vulnerabilities.

An example in the literature

A vivid literary example can be seen in "The Tale of Tsar Saltan" by Alexander Pushkin, where three "people in the middle" appear: a weaver, a cook and Babarikha. It is they who replace the letters addressed to the tsar and his return correspondence.

See also

  • Aspidistra: a British radio transmitter used during the Second World War for "intrusion" operations, a variant of the MITM attack.
  • The Babington Plot: a conspiracy against Elizabeth I, during which Walsingham intercepted correspondence.

Other attacks

  • Man in the Browser is a type of attack in which an attacker is able to instantly change transaction parameters and change pages completely transparently for the victim.
  • Meet-in-the-middle attack is a cryptographic attack that, like the birthday attack, exploits a trade-off between time and memory.
  • Miss in the middle attack is an effective method of the so-called impossible differential cryptanalysis.
  • Relay attack is a variant of MITM attack based on forwarding an intercepted message to a valid recipient, but not to the intended recipient.
  • A rootkit is a program designed to hide the traces of an intruder's presence.
