A man-in-the-middle (MITM) attack is a network security attack in which a malicious device joins a network and intercepts traffic between nodes or components.
To gain access to a network an attacker needs an entry point, and there are many ways for a malicious device to obtain one:
- Public networks, secured or not
- Social engineering into organization or internal networks
- Wi-Fi password cracking or guessing with rainbow tables
- Rogue Wi-Fi access point to trick auto-join
Once a malicious device has access to a network there are many possible vulnerabilities to exploit:
- Sniffing authentication and session tokens
- Address Resolution Protocol (ARP) spoofing
- Domain Name Service (DNS) spoofing
- HTTP(S) proxies
- Network sniffing and probing
- Routing packet proxy
- TCP tunnel proxy
- Injecting data or code addressed to other hosts
- Redirecting HTTP(S) traffic
- Stripping SSL certificates
Example
The best way to simulate a network attack is with virtual machines. With virtual hardware you can simulate attacks at any level of the TCP/IP stack while keeping your own network safe.
I have set up a GitHub project using Vagrant to set up the following virtual environment.
Attacker
An Arch Linux virtual machine configured with:
- kernel IP forwarding enabled
- bettercap, nmap and ip tools installed
Victim
A Windows 10 virtual machine with a browser (IE).
Server
Another Linux virtual machine with a web server installed.
The web content is a login form and a landing page accessible in both HTTP and HTTPS.
Scenario
- The attacker scans the gateway (router) for IP addresses
- The attacker scans a specific IP address for information to target
- The attacker initiates bettercap configured to:
  - ARP spoof the victim's IP
  - start an HTTP proxy to inject a script
  - set up SSL stripping by using HTTP where available
  - sniff network traffic for exposed information like credentials
- The victim visits the server via HTTPS
- The attacker injects a script
- The victim logs into the server
- The attacker strips SSL and reads the credentials
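The ARP spoofing step is the one part of this scenario that leaves a footprint every host on the segment can see: a second MAC address starts answering for IP addresses that already had an owner. The following Python is an added detection example, not code from the author's Vagrant project. It parses constructed lines in the shape of `tcpdump -n arp` output (not a real capture) and flags two conditions: an IP answered for by more than one MAC, and one MAC answering for several IPs, which is what bidirectional spoofing of the victim and the gateway looks like on the wire. The addresses and MACs are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -n arp` output (not a real
# capture). The gateway 192.168.56.1 and the victim 192.168.56.20 first answer
# from their own NICs; from 10:00:10 a third MAC answers for both, which is
# what bidirectional ARP spoofing of victim and gateway looks like on the wire.
SAMPLE_ARP_LOG = """\
10:00:00.000000 ARP, Request who-has 192.168.56.1 tell 192.168.56.20, length 28
10:00:00.000412 ARP, Reply 192.168.56.1 is-at aa:bb:cc:00:00:01, length 28
10:00:01.000000 ARP, Reply 192.168.56.20 is-at aa:bb:cc:00:00:20, length 28
10:00:02.000000 ARP, Reply 192.168.56.30 is-at aa:bb:cc:00:00:30, length 28
10:00:10.000000 ARP, Reply 192.168.56.1 is-at aa:bb:cc:00:00:99, length 28
10:00:10.500000 ARP, Reply 192.168.56.20 is-at aa:bb:cc:00:00:99, length 28
10:00:12.000000 ARP, Reply 192.168.56.1 is-at aa:bb:cc:00:00:99, length 28
10:00:12.500000 ARP, Reply 192.168.56.20 is-at aa:bb:cc:00:00:99, length 28
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for every ARP reply line; requests are skipped."""
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def detect_arp_spoof(replies, trusted=None):
    """Return alerts for ARP replies that contradict known IP-to-MAC bindings.

    `trusted` pins IP -> MAC bindings (e.g. the gateway, taken from DHCP leases
    or an asset inventory). Unpinned addresses are learned on first sight, so a
    spoofer that answers before the real host would be learned as legitimate;
    pin whatever you can.
    """
    expected = dict(trusted or {})   # ip -> mac that must answer for it
    claims = defaultdict(set)        # mac -> every ip it has answered for
    reported = set()                 # (ip, mac) pairs already alerted on
    alerts = []
    for ts, ip, mac in replies:
        claims[mac].add(ip)
        known = expected.setdefault(ip, mac)   # trust-on-first-use when not pinned
        if mac != known and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append({"kind": "ip_conflict", "ts": ts, "ip": ip,
                           "expected": known, "seen": mac})
    # One MAC answering for several IPs is how a spoofer sits between two hosts.
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append({"kind": "multi_ip", "mac": mac, "ips": sorted(ips)})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(parse_arp_replies(SAMPLE_ARP_LOG)):
        print(alert)
```

Run on its own the script prints two `ip_conflict` alerts and one `multi_ip` alert for the sample. The learn-on-first-sight default is the weak point of any passive ARP monitor: a spoofer that is already answering when monitoring starts becomes the baseline, so pass the gateway's real MAC in `trusted` wherever you know it.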
Deeper into the Attack
Using the TCP/IP model we can look at the vulnerabilities and mitigations.
Data packets at any layer can be modified with malicious information as if they were a part of the normal stream.
Network Layer
Most vulnerabilities at this layer involve insecure protocols, as manipulating a TCP packet in-stream is difficult to do; an attacker has to:
- find the packet or a series of packets with the information you want (possibly decrypting)
- manipulate the data
- recalculate the checksums
IPSec is a secure network protocol suite that protects end-to-end inside TCP packets. It is most commonly deployed by Virtual Private Networks (VPN).
DNSSEC is a set of extensions to encrypt DNS data.
Internet Protocol Version 6
IPv6 addresses the Internet Control Message Protocol (ICMP) vulnerabilities of IPv4 with some important changes:
- replacing ARP with the Neighbor Discovery Protocol (NDP)
- introducing a secure extension to network discovery (SEND)
- replacing Router Discovery (RDISC) with Multicast Listener/Router Discovery (MLD/MRD)
New IPv6-specific MITM attacks have been found, such as the Stateless Address Auto Configuration (SLAAC) attack (which appears to be a Windows configuration issue that exposes IPv4 vulnerabilities).
Transport Layer
TLS encryption is the main mitigation at this layer, acting as a portal between the network and an application.
Closing or redirecting HTTP or other non-TLS ports will prevent SSL stripping.
Certificate authorities and certificate pinning help mitigate spoofing.
Application Layer
If an attacker reaches the application layer, the information already stolen allows further vulnerabilities like session hijacking, Cross-Site Request Forgery (CSRF), SQL injection, denial of service and accessing unauthorized data.
Mitigation strategies include:
- keeping applications and systems up to date and hardened
- strong authentication and authorization at all network access points
- sandboxing in virtual machines, containers, jails, chroot or with file permissions
- following other best practices like security through obscurity and the principle of least privilege
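SSL stripping only works when the plaintext port answers with something worth rewriting, and a sniffed session token only matters when the cookie can travel over plaintext. The following Python turns the transport-layer mitigations (close or redirect non-TLS ports, pin the site to HTTPS) and the application-layer concern about stolen session tokens into an audit a defender can run against recorded responses from their own server. It is an added example, not code from the author's project: the hostname `example.test`, the cookie name, the two response pairs and the one-year HSTS minimum are all constructed or assumed for the example, and the finding codes are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample responses (not captured from the page's lab). The "weak"
# pair serves the login form and session cookie over plaintext HTTP, which is
# exactly what SSL stripping needs; the "hardened" pair redirects HTTP to
# HTTPS, sends HSTS and marks the cookie Secure/HttpOnly/SameSite.
WEAK_HTTP = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/

<html><form method="post" action="/login">...</form></html>
"""
WEAK_HTTPS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/

<html><form method="post" action="/login">...</form></html>
"""
HARDENED_HTTP = """\
HTTP/1.1 301 Moved Permanently
Location: https://example.test/login
Content-Length: 0

"""
HARDENED_HTTPS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict

<html><form method="post" action="/login">...</form></html>
"""

ONE_YEAR = 31536000  # assumed minimum HSTS max-age; the article gives no figure


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, headers, body).

    Header names are lower-cased; values are kept as lists because Set-Cookie
    legitimately repeats.
    """
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers = defaultdict(list)
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return status, headers, body


def cookie_findings(set_cookie, prefix):
    """Flag a Set-Cookie header that lacks Secure, HttpOnly or SameSite."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [f"{prefix}-cookie-{name}-missing-{flag}"
            for flag in ("secure", "httponly", "samesite") if flag not in attrs]


def audit_downgrade_protection(http_raw, https_raw):
    """Return finding codes for a site's plaintext and TLS responses.

    An empty list means the plaintext port does nothing but redirect to HTTPS,
    HSTS is set for at least ONE_YEAR, and session cookies cannot leak over
    plaintext or to script.
    """
    findings = []

    status, hdrs, body = parse_response(http_raw)
    if status not in (301, 308):
        findings.append("http-not-permanent-redirect")
    elif not hdrs.get("location", [""])[0].lower().startswith("https://"):
        findings.append("http-redirect-not-https")
    if "<form" in body.lower():
        findings.append("http-form-served-plaintext")
    for c in hdrs.get("set-cookie", []):
        findings.append(f"http-cookie-{c.split('=', 1)[0].strip()}-set-plaintext")

    status, hdrs, body = parse_response(https_raw)
    hsts = hdrs.get("strict-transport-security", [""])[0]
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not m:
        findings.append("https-missing-hsts")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append("https-hsts-max-age-short")
    for c in hdrs.get("set-cookie", []):
        findings.extend(cookie_findings(c, "https"))
    return findings


if __name__ == "__main__":
    print("weak:", audit_downgrade_protection(WEAK_HTTP, WEAK_HTTPS))
    print("hardened:", audit_downgrade_protection(HARDENED_HTTP, HARDENED_HTTPS))
```

The weak pair produces seven findings and the hardened pair none. HSTS is the piece that actually defeats the strip for returning visitors: once a browser has seen the header over HTTPS it will not issue the plaintext request the proxy needs to rewrite, which is why the audit treats a short max-age as a finding rather than a pass.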
Conclusion
Detecting an attack is difficult and largely limited to tamper detection: testing and examining the latency of messages, or possibly machine learning on behaviours.
Forensic analysis of captured network traffic provides post-mortem detection, so observability in all aspects of your system is important.
The industry still needs to move toward an IPv6-dominated internet to help prevent vulnerabilities at the network layer, especially with 5G mobile networks, as the technology is positioned for integration into IoT and other firmware devices that are not easily updated.
That’s all for now folks.