MitM attacks are the type of attack where the attacker eavesdrops on two hosts that are communicating with each other by placing himself in the middle of the data path. This allows the attacker to “Listen” to what the hosts are exchanging and “Read” it. The attacker can gather the data, alter it and forward the manipulated data to the receiver, and vice versa.
MitM is performed to steal credit card information and login credentials, manipulate data, commit identity theft and so on and so forth. Most of these attacks are performed on open WiFi hotspots at bus stations, railway stations or maybe at the nearest Starbucks. Once the victim(s) are connected to the malicious network, the attacker has complete control over the victim's data exchange.
How is a MitM attack carried out?
A MitM attack can be carried out in many places and in unimaginable ways. One cannot tell the difference between altered data and the original data unless they are an expert or their point of communication is secured. Maybe this post has been altered too? I’m just kidding. No. But here are the ways an attacker can sit between your computer and the receiver, alter the data and send it on.
Narrowed down, there are two phases to successfully performing a MitM attack: Interception and Decryption. Interception is where the attacker sits in the data stream, ready to capture and collect the data passing through to later manipulate, reuse or sell it. Decryption is where the attacker takes the captured data, analyzes the encryption used (e.g. HTTPS) and tries to decrypt and reuse it.
Talking about Interception,
The first step is to intercept user traffic through the attacker’s network before it reaches its intended destination.
#Rogue AP — Rogue Access Point
MitM attacks are most common and prevalent in wireless networking scenarios. Devices equipped with wireless NICs tend to auto-connect to known SSIDs and to the strongest open networks, which in this case is the most vulnerable point of attack. If the attacker can pinpoint the SSID and replicate the network using an identical network name, tricking the device into thinking it is legitimate and establishing an Internet connection through it, then your data can be completely manipulated by the attacker. The attacker just has to pick a spot in proximity, e.g. your rooftop, your bathroom or under the bed.
An Evil-Twin attack is a type of attack where the attacker knocks out the original WiFi hotspot by flooding it with an unbearable load of beacons until the device goes down, leading the user to think the Rogue AP is the legitimate one and getting the user’s device connected to the Rogue AP.
ARP stands for Address Resolution Protocol. It resolves IP addresses to the corresponding MAC addresses in a Local Area Network, where the IP address is used to locate a device in the network and the MAC address identifies the device. In an ARP poisoning attack, the attacker links his MAC address to the IP address of a legitimate user and sends a constant series of ARP messages so that traffic for that IP is directed to the attacker’s computer. As a result, data sent by the user to the host IP address is instead transmitted to the attacker.
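As an added example (not from the original post or its sources), here is a small monitor that decodes ARP replies and flags the two symptoms of the poisoning described above: an IP whose MAC changes, and one MAC answering for several IPs. The MAC and IP addresses are constructed sample data.

```python
import struct

# ARP payload layout (RFC 826) for Ethernet/IPv4, 28 bytes: hardware type, protocol type,
# hardware length, protocol length, opcode, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REPLY = 2

def parse_arp(payload: bytes) -> dict:
    """Decode one ARP payload (Ethernet header already stripped)."""
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP payload")
    _, _, _, _, op, sha, spa, _, _ = struct.unpack(ARP_FMT, payload[:28])
    return {"op": op, "mac": sha.hex(":"), "ip": ".".join(str(b) for b in spa)}

class ArpMonitor:
    """Learn IP->MAC bindings from ARP replies and flag the two symptoms of poisoning:
    an IP whose MAC suddenly changes, and a single MAC answering for several IPs."""

    def __init__(self):
        self.bindings = {}   # ip -> mac first learned
        self.claims = {}     # mac -> set of ips it has answered for
        self.alerts = []

    def observe(self, payload: bytes) -> None:
        pkt = parse_arp(payload)
        if pkt["op"] != ARP_REPLY:
            return
        ip, mac = pkt["ip"], pkt["mac"]
        known = self.bindings.setdefault(ip, mac)
        if known != mac:
            self.alerts.append(f"{ip}: MAC changed {known} -> {mac}")
        ips = self.claims.setdefault(mac, set())
        ips.add(ip)
        if len(ips) == 2:    # alert once; a legitimate multi-homed host also triggers this
            self.alerts.append(f"{mac}: answering for several IPs {sorted(ips)}")

def make_reply(mac: str, ip: str) -> bytes:
    """Build a constructed sample ARP reply (not from a real capture)."""
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = bytes(int(o) for o in ip.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY, sha, spa, b"\x00" * 6, spa)

def run_sample() -> ArpMonitor:
    """Replay a constructed capture: two real hosts, then a rogue MAC claiming both IPs."""
    mon = ArpMonitor()
    for mac, ip in [("aa:bb:cc:00:00:01", "192.168.0.1"),    # real gateway
                    ("aa:bb:cc:00:00:20", "192.168.0.20"),   # real client
                    ("de:ad:be:ef:00:99", "192.168.0.1"),    # rogue MAC claims the gateway
                    ("de:ad:be:ef:00:99", "192.168.0.20")]:  # ... and the client
        mon.observe(make_reply(mac, ip))
    return mon
```

On a real network the payloads would come from a packet capture of EtherType 0x0806 frames; the monitor itself only reads, never sends.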
DNS stands for Domain Name System. It is responsible for resolving domain names like “Google.com” to their IP addresses and vice versa. In this type of attack, the attacker corrupts the DNS cache of a device, rewriting its DNS records so that they point to a server under the attacker’s control. As a result, users attempting to access the site are sent by the altered DNS record to the attacker’s site.
Where “www.stupidonlinebank.com” is supposed to resolve to 220.127.116.11, the attacker poisons the DNS cache so that it resolves to “192.168.0.10” instead, where he has deployed a fake phishing site and is ready to collect the details entered.
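An added example, not part of the original post: a check that parses a DNS response and flags the poisoned answer above, either because a public site suddenly resolves to a non-routable address or because the answer disagrees with one learned from a trusted resolver. The response bytes for www.stupidonlinebank.com are constructed here, and the EXPECTED table is an assumption standing in for that out-of-band source.

```python
import ipaddress
import struct

def _read_name(msg: bytes, off: int):
    """Read a (possibly compressed, RFC 1035 4.1.4) name; return (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0:                                   # pointer into an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [_read_name(msg, ptr)[0]]), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln

def a_records(msg: bytes):
    """Yield (owner name, IPv4) for each A record in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _read_name(msg, off)[1] + 4               # skip QNAME, QTYPE, QCLASS
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield name, str(ipaddress.IPv4Address(msg[off:off + 4]))
        off += rdlen

# Addresses learned out of band (e.g. from a trusted resolver); constructed sample data.
EXPECTED = {"www.stupidonlinebank.com": {"220.127.116.11"}}

def check_response(msg: bytes, expected=EXPECTED) -> list:
    """Return an alert per A answer that is non-routable or disagrees with EXPECTED."""
    alerts = []
    for name, ip in a_records(msg):
        if ipaddress.ip_address(ip).is_private:        # RFC 1918, loopback, link-local, ...
            alerts.append(f"{name} -> {ip}: public site answered with a non-routable address")
        elif name in expected and ip not in expected[name]:
            alerts.append(f"{name} -> {ip}: differs from trusted answer {sorted(expected[name])}")
    return alerts

def sample_response(ip: str) -> bytes:
    """Constructed DNS response: one question and one A answer using a compression pointer."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in "www.stupidonlinebank.com".split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)      # id, flags (QR, RD, RA), counts
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer
```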
After interception, any two-way SSL traffic needs to be decrypted without alerting the user or application. A number of methods exist to achieve this:
The attacker sends a fake certificate to the victim’s browser once the initial connection to a protected site is made. It carries a digital thumbprint associated with the compromised application, which the browser verifies against its existing list of trusted sites, leaving the attacker able to access any data entered by the victim before it is passed on to the application.
On the web, around 79 out of 100 websites still have the plain, insecure HTTP port enabled and working. This keeps the application widely available with backward compatibility, but the attacker uses it to downgrade the HTTPS connection to a basic HTTP connection, where he can sniff the packets, read them and alter them on the spot while the user is browsing an unencrypted website.
Blocking MitM attacks requires several practical steps on the part of users, as well as a combination of encryption and verification methods for applications.
#Forcing HTTPS with the HSTS header
HTTPS can be used to communicate securely over HTTP using public-private key exchange. This leaves an attacker with no use for the data he may be sniffing. Websites should only use HTTPS and not provide HTTP alternatives. Users can install browser plugins to enforce HTTPS on all requests.
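An added example, not the post’s or any project’s own code: a small WSGI middleware that refuses to serve plain HTTP (closing the downgrade path described earlier) and stamps the Strict-Transport-Security header this section’s heading refers to on every HTTPS response. The login page, the canonical host name and the request driver are constructed for the example.

```python
HSTS_VALUE = "max-age=31536000; includeSubDomains"   # one year; the minimum preload lists accept

def https_only(app, canonical_host: str, hsts: str = HSTS_VALUE):
    """WSGI middleware: answer every plain-HTTP request with a permanent redirect to the
    HTTPS origin, and stamp Strict-Transport-Security on every HTTPS response."""
    def wrapper(environ, start_response):
        # X-Forwarded-Proto is only meaningful behind a TLS-terminating proxy you control.
        scheme = environ.get("HTTP_X_FORWARDED_PROTO", environ.get("wsgi.url_scheme", "http"))
        if scheme != "https":
            # Redirect to the configured host, not the client-supplied Host header.
            location = f"https://{canonical_host}{environ.get('PATH_INFO', '/')}"
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def with_hsts(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", hsts))
            return start_response(status, headers, exc_info)

        return app(environ, with_hsts)
    return wrapper

def login_page(environ, start_response):
    """Stand-in for the bank's application (constructed for this example)."""
    body = b"<form method=post>...</form>"
    start_response("200 OK", [("Content-Type", "text/html"), ("Content-Length", str(len(body)))])
    return [body]

def call(app, scheme: str, path: str, query: str = ""):
    """Drive a WSGI app with a constructed request; return (status, headers dict, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET", "PATH_INFO": path,
               "QUERY_STRING": query, "HTTP_HOST": "evil.example", "SERVER_NAME": "localhost"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

secured = https_only(login_page, "www.stupidonlinebank.com")
```

The HTTP_HOST value in the driver is deliberately wrong to show that the redirect target comes from configuration, not from the request.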
#Virtual Private Network
VPNs can be used to create a secure environment for sensitive information within a local area network. They use key-based encryption to create a subnet for secure communication. This way, even if an attacker happens to get onto a shared network, he will not be able to decipher the traffic inside the VPN.
Sources: Rapid7, Imperva, OpenVPN.