What is Man-in-the-Middle-Attack?
Cyber-attacks are becoming a significant criminal violation, as well as a widely discussed topic. One of the most common types of attacks, a man-in-the-middle (MITM) attack is a type of spying attempt in which an intruder hijacks an ongoing conversation or data transfer. After inserting themselves in the "between" of the transfer, the attackers impersonate as both real users. In this way, the attacker can capture and record information and data coming from both sides of the communication and also send different information to both participants. It can do all these things unnoticed. MITM, MitM, and MiM are all can be used as abbreviations for man-in-the-middle attacks.
The most common purposes of this attack are; gathering personal information, accessing login information, passwords, obtaining bank and credit card information for financial gain. Clients of banking apps, SaaS firms, web-based company locations, and other sites that need signing in are typical targets. Information gathered during an intrusion might be used for a variety of objectives, such as fraud, unauthorized support exchanges, or unauthorized password changes.
The Royal British Intelligence carried out the first reported MITM attack during WWII to collect German military radio communications. We can compare the MITM attack to this. Before you, the postman reads your bank statement from the bank where you have investments, writes your account information, seals the envelope again, and delivers it to you. Then you receive your postal mail without suspecting anything.
How Does a Man in the Middle (MITM) Attack Work?
The word MITM comes from a ball game in which two individuals play catch while a third person in the center tries to intercept the ball. There is an analogy explaining how the MITM attack works basically. There are three entities, X(victim client), Y(server), Z (attacker).
- Z listens in on a channel where X and Y are communicating in secret. X delivers a message to Y. Without X or Y's knowledge, Z intercepts and reads X's communication. Z modifies information sent between X and Y, resulting in unwelcomed responses.
A MITM attack happens when an attacker manipulates a secure encrypted connection between a client and server. Through this attack;
- The attacker might be a proxy that hijacks active traffic, decrypts it, analyzes it, and then forwards the traffic.
- The attacker might be a proxy that redirects traffic to another system that appears to be genuine but is actually under the attacker's control.
- Being in the middle between connections, an attacker can use a phishing site to get user credentials, then use root access to acquire administrator access to the system and redirect incoming connections to a malicious site.
- Attackers can spoof a domain name by compromising the domain name service (DNS) system and causing it to resolve to a malicious IP address (DNS spoofing).
How to MITM Attack?
In MITM attacks, the methods and tools used vary depending on the physical closeness between the attacker and the victim. While most attacks are carried out on the same wifi network(WLAN), malicious software that allows remote access is sometimes used. A malware-based attack is also known as a man-in-the-browser attack. Effective MITM execution consists of two independent stages: interception and decryption.
During the interception phase, the attacker seems to be legitimate to deceive victims into giving personal information. Some various approaches and techniques are used in this step. The most well-known (and simplest) way is an inactive attack in which an attacker creates free/open wifi hotspots that are available to the entire public. They aren't password-protected and are commonly titled in a way that corresponds to their location. When a victim interacts with such a hotspot, the attacker gets complete access to any information. Apart from these, the attacker can use IP spoofing, DNS spoofing, ARP spoofing techniques to have full access.
An effective man-in-the-middle attack does not end with an interception. The encrypted data of the victim must then be decrypted so that the attacker can move on. After an interception, in the decryption phase; any two-way SSL communication should be decrypted without notifying the victim. Several approaches may be used to accomplish this. Some of these approaches are; HTTPS spoofing, sending browser exploits, SSL session hijacking.
A communication channel is required to carry out a MITM attack. GSM, Bluetooth, NFC, Radio Frequency, and Wi-Fi are the most often utilized communication channels for MITM attacks. Today, most MITM attacks are made through social media, where human communication is the most common.
Which Tool can be Used to Perform the Man-in-the-Middle Attack?
There are many open-source tools to use in MITM attack operations that work in both Kali Linux and Windows. Most commonly used are as follows:
- MITMf: MITM Framework (MITMf) is a toolkit that allows us to perform Man-In-the-Middle attacks by intervening during the communication of two devices on the network and gathering all threats that can be simulated with this attack under one roof. It contains DNS, HTTP, SMB services. It comes with a version of SSLStrip that allows you to manipulate and modify HTTP requests.
- Ettercap: This program can perform operations such as monitoring the traffic flow, directing and analyzing the traffic flow by using methods such as ARP spoofing, ARP poisoning, mac address cloning. The program allows you to perform attacks such as "Man in the Middle (MITM)" to force another computer to forward packets directly to you and not to the router. For a robust and comprehensive sniffing suite, many sniffing modes are provided. Sniffing may be done in four different ways: IP-based, MAC-based, ARP-based (full-duplex), and PublicARP-based (half-duplex). It also allows for active and passive spying, as well as dissecting and analyzing network protocols, even those including encryption.
- Hetty: Hetty is a powerful open-source HTTP toolkit. An HTTP man in the middle proxy is included in the lightweight tool, which includes an embedded Next.js web interface. It includes a sender mechanism that enables you to manually send HTTP requests based on either off requests from the proxy log or by constructing them from zero.
- Bettercap: Bettercap is a comprehensive and scalable tool used for network reconnaissance as well as attack. It offers easy-to-use to experts for reverse engineering solutions. It allows security-related teams to perform tests for WIFI, IP4, IP6 networks, Bluetooth, and wireless devices. In addition to being able to monitor networks simultaneously, it also has features such as creating a fake access point, password sniffer, handshake capture, and DNS spoofer. The tool has some other capabilities, it can extract all of the information and it collects in a separate file, including POP, IMAP, SMTP and FTP passwords, URLs and HTTPS hosts visited, HTTP cookies, HTTP posted data, and more.
- Burp: Burp is a vulnerability scanning tool. Many security experts will find the tool useful. In general, it allows researchers to test online apps and find weaknesses that criminals might use to execute MITM attacks. It can monitor and analyze unfiltered network communication in both ways between the web browser and server. This tool allows the attacker to access and manipulate encrypted data by breaking the TLS connection in HTTPS communication between the browser and the destination server.
And there are also various tools for decrypting phase. Some of them are; Nessus, Hydra comes with Kali Linux, John the Ripper, etc.
What are Types of Man in the Middle (MITM) Attacks?
MITM attacks may be used by cybercriminals in several methods to take control of devices. Here are the most commonly used attack techniques;
Figure 1. What are Types of Man in the Middle (MITM) Attacks?
1. Wi-Fi Eavesdropping
Wi-Fi eavesdropping is a kind of man-in-the-middle attack in which attackers trick unsuspecting users into connecting to a harmful Wi-Fi network. A hacker sets up a Wi-Fi hotspot in an area where people often connect to a public Wi-Fi network to do Wi-Fi eavesdropping. This can be public areas such as a restaurant, coffee shop, hotel. The user will believe they are connected to a real network at this point, but they are already connected to twin fake wifi networks. It is like a trap.
Attackers can now use a variety of man-in-the-middle tactics. They can, for example, conduct SSL stripping attacks to compel users to connect to unsecured versions of their favorite websites, or they can perform DNS hijacking operations to redirect users to fake copies of the websites they're attempting to connect to. Having a VPN protects us against Wi-Fi eavesdropping and other issues in public networks. This will enable us to encrypt the connection and avoid problems with privacy and security.
2. DNS Spoofing
The Domain Name System (DNS) is a hierarchical Internet name system based on a client-server architecture. The primary function of a DNS server is to resolve URLs. DNS spoofing, which is carried out via cache poisoning, is one of the most well-known and serious attacks against DNS. DNS poisoning is also another name for DNS spoofing. The DNS service makes use of a cache mechanism to improve performance, although it has several weaknesses. DNS spoofing causes DNS resolvers to store incorrect or malicious mappings between symbolic names and IP addresses.
To carry out DNS spoofing, attackers must replace local DNS routing records with fake data, causing the victim to connect to a malicious server. DNS changes its cache based on entries, therefore it requests other DNSs for updates from time to time. An attacker may use this to carry out a DNS spoofing attack.
3. Session Hijacking
Session hijacking also known as TCP session hijacking is a technique used to describe an attack that takes control of a server-client session. Because the authentication technique is one-way, a hijacker may easily wait for the authentication cycle to finish before sending a signal to the client. The client believes it has been disconnected from the access point as a result of this signal. Meanwhile, the hijacker continues transacting data traffic under the appearance of the original client. This begins with a man-in-the-middle attack and then adds a client reset request. As a result, the client is disconnected from the session, while the malicious computer continues to communicate with the server.
When you login into an online account, the program sends you a "session cookie" which is a set of data that recognizes you to the server and allows you access to your account. The server will allow the user to utilize the application as long as their device keeps the session token. When a user quits an application, the server resets the session token, and any later access to the account needs the user to provide their login credentials again. An attacker grabs the user's session token and uses it to get access to the user's account in a session hijacking attack.
4. ARP Cache Poisoning
ARP is a mechanism used by network devices to connect network addresses to MAC addresses (Media Access Control). Because each frame leaving a host must include a destination MAC address, ARP is essential in LAN communications. ARP is an insecure protocol that was not created with malicious hosts in mind. The attacker can connect a malicious host's MAC address to the IP of a target host by manipulating the victims' local ARP cache table by adding and updating cache entries.
Fake data is injected into this system by attackers to make your computer assume the attacker's machine is the network gateway. When you connect to the internet, the attacker receives all of your network traffic (rather than your actual network gateway) and forwards it to its intended destination. Everything appears to be normal to you. All of your packets are visible to the attacker anymore.
5. Man in the Browser
A man-in-the-browser attack is a type of man-in-the-middle attack in which an attacker compromises a Web browser used by one of the parties to infuse himself into the communications channel between two trustworthy parties for the goal of eavesdropping, data theft, or session altering. The Man-in-the-Browser attack is similar to the Man-in-the-Middle attack, but instead of intercepting and manipulating calls between the primary application's and its security mechanisms or libraries on the fly, a Trojan Horse is utilized. The most typical goal of this attack is to commit financial fraud by manipulating Internet Banking transactions, even when other authentication methods are in operation.
6. IP Spoofing
At the network layer, IP is the most common protocol. Its function is to transport packets from a source host to a destination host simply based on the IP addresses in the packet headers. The Internet Protocol (IP) establishes packet structures that encapsulate the data to be sent. IP spoofing is a type of spoofing that involves changing the IP address of MITM (Man in the Middle) in which a malicious user intercepts a genuine communication between two non-malicious parties. Without the knowledge of either of the original endpoints, the malicious entity can manipulate the flow of communication and remove or change data supplied by one of the original parties.
7. Secure Sockets Layer (SSL) Hijacking
The Secure Socket Layer (SSL) and Transport Layer Security (TLS), are encryption protocols for secure communication and data transfers over the Internet. Both protocols were designed to provide a secure communication channel between two communicative parties: a client and a server, or two clients. The validity of the certificate determines the security guarantees provided by SSL/TLS. As a result, one of the attacks' goals is to hijack or fake the certificate. To prevent SSL hijacking, avoid connecting to non-secure (HTTP) URLs, take caution while connecting to public wi-fi, utilize the secure cookie flag, use anti-malware on both client and server workstations, and time-out inactive connections.
8. Email Hijacking
Another type of man-in-the-middle attack is email hijacking, in which the hacker intercepts and gains access to a target's email account. The attacker then discreetly observes the client-provider communications and utilizes the information for malicious purposes. Email hijacking is typically carried out via phishing and other social engineering scams in which attackers trick victims into uncovering their login details by redirecting them to fake login pages or tricking them into installing keylogger malware, which records the victim's keystrokes and sends them to a remote server owned by the attacker.
How to Detect a Man-in-the-Middle Attack?
MitM attacks are difficult to detect, but they can cause ripples in the otherwise normal network activity, which cybersecurity experts and end-users can detect. The conventional wisdom is more prevention than detection. To identify a MITM attack, pay attention to the URL in your browser's address bar. The absence of an 'S' in HTTPS or any other unusual-looking address is usually a warning signal. You should also be on the lookout for frequent disconnections or connections to unknown sites. Here are some indicators that you may have extra viewers on your networks;
- Unusual URLs in your browser's address bar: If anything in the address appears to be off, double-check it. It may be a DNS hijack.
- Disconnections that are unexpected or repeated: Attackers aggressively disconnect users to capture the username and password when the user attempts to reconnect.
How to Prevent Man-in-the-Middle Attacks?
Most MITM attacks may be recognized and avoided if basic security and encryption procedures are followed. Here are some practical preventions;
- Keep an eye out for unprotected website alerts on your browser.
- After the session is finished, properly log out of all online programs.
- When utilizing e-commerce or banking websites, stay away from the public and unsecured Wi-Fi networks. You may boost your security by not entering your bank's online transaction credentials on public wifi hotspots.
- Use an intrusion detection system(IDS) to protect your device. To prevent unwanted intrusions, set up powerful firewalls and protocols.
- Before visiting an unfamiliar or insecure website, double-check the domain names and browsers.
- For verification, look for a green or gray padlock to the left of the web address. The website may be insecure if the browser displays a red padlock.
- Using a firewall to protect your browsing info is also a good idea. When utilizing public Wi-Fi, a firewall adds an extra degree of security, albeit it isn't perfect. If you often use public Wi-Fi, it's a good idea to set up a virtual secured network (VPN). This form of network encrypts your data and makes it much harder for attackers to intercept it.
- Secure communication protocols, such as TLS and HTTPS, assist website owners in preventing spoofing attacks by encrypting and authenticating transferred data. This prevents the interception of site traffic as well as the decryption of sensitive data such as login passwords.
- Using two-factor authentication, which needs an extra authentication vector in addition to your password, is an excellent technique to avoid email hijacking.
- Wireless access points with robust WEP/WPA encryption mechanisms prevent unauthorized users from entering your network just by being nearby. Weakness in an encryption system can allow an attacker to brute-force his way into a network and perform man-in-the-middle attacks.
What is an Example of Man-in-the-Middle?
Here are some MITM attack examples from real life;
- In 2011, the Dutch registrar site DigiNotar was hijacked, allowing a threat actor to obtain access to 500 certificates for websites such as Google, Skype, and others. With access to these certificates, the attacker was able to pose as genuine websites in a MITM attack, collecting users' data after fooling them into entering passwords on malicious mirror sites. As a result of the breach, DigiNotar filed for bankruptcy.
- In 2013, it was reported that the Nokia Express browser encrypted HTTPS traffic on Nokia's proxy servers. This enabled them access to the encrypted browser traffic of its clients.
- In 2017, Equifax, a credit scoring firm, had its applications banned from Google and Apple after a data breach resulted in the release of personal information. The app did not always use HTTPS, allowing attackers to intercept data while users access their accounts, according to a researcher.
- CrowdStrike has identified shaDll, a Trickbot module, as a recent MITM attacker. The module installed fake SSL certificates on infected devices, allowing the program to access the user network. The module could then redirect web traffic, inject code, capture screenshots, and collect data. This attack was especially interesting since it appeared to be the result of a partnership between two well-known cybercrime organizations.