Man-in-the-Middle

A man-in-the-middle (MITM) attack is a network security attack where a malicious device enters a network and intercepts traffic between nodes or components.

To gain access to a network an attacker first needs an entry point, and there are many ways for a malicious device to get one.

  • Public networks, secured or not
  • Social engineering into organization or internal networks
  • Wi-Fi password cracking or guessing with rainbow tables
  • Rogue Wi-Fi access point to trick auto-join

Once a malicious device obtains access to a network there are many possible vulnerabilities to exploit.

  • Sniffing authentication and session tokens
  • Address Resolution Protocol (ARP) spoofing
  • Domain Name System (DNS) spoofing
  • HTTP(S) proxies
  • Network sniffing and probing
  • Routing packet proxy
  • TCP tunnel proxy
  • Injecting data or code addressed to other hosts
  • Redirecting HTTP(S) traffic
  • SSL stripping (downgrading HTTPS connections to plain HTTP)

Example

The best way to simulate a network attack is with virtual machines. With virtual hardware you can simulate attacks at any level of the TCP/IP stack while keeping your own network safe.

I have set up a GitHub project using Vagrant to set up the following virtual environment.

Attacker

A Linux (Arch) virtual machine configured with

  • kernel IP forwarding enabled
  • bettercap, nmap and ip tools installed

Victim

A Windows 10 virtual machine with a browser (IE).

Server

Another Linux virtual machine with a web server installed.

The web content is a login form and a landing page accessible in both HTTP and HTTPS.

Scenario

  1. The attacker scans the gateway (router) for IP addresses
  2. The attacker scans a specific IP address for information to target
  3. The attacker initiates bettercap configured to:
    1. ARP spoof the victim's IP
    2. Start an HTTP proxy to inject a script
    3. Set up SSL stripping, downgrading to HTTP where available
    4. Sniff network traffic for exposed information like credentials
  4. The victim visits the server via HTTPS
  5. The attacker injects a script
  6. The victim logs into the server
  7. The attacker strips SSL and reads the credentials
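The ARP spoofing step above is also the one a defender can catch from the victim's side of the wire. The following is an added example, not code from the author's project: a small detector that processes ARP replies (here a constructed sample; in practice fed from a packet sniffer) and alerts when an IP it has already learned, especially the gateway, suddenly resolves to a different MAC, or when one MAC starts claiming several IPs. The addresses and MACs are invented for the sample.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ArpReply:
    """One ARP reply as seen on the wire: 'ip is at mac', observed at time ts (seconds)."""
    ip: str
    mac: str
    ts: float


@dataclass
class ArpSpoofDetector:
    gateway_ip: str
    table: Dict[str, str] = field(default_factory=dict)        # ip -> first MAC learned for it
    claims: Dict[str, Set[str]] = field(default_factory=dict)  # mac -> every ip it has claimed
    alerts: List[str] = field(default_factory=list)

    def observe(self, reply: ArpReply) -> List[str]:
        """Record one reply and return the alerts it raised (also kept in self.alerts)."""
        raised = []
        known = self.table.get(reply.ip)
        if known is None:
            self.table[reply.ip] = reply.mac            # first sighting: learn it
        elif known != reply.mac:
            # An IP changing MAC mid-session is the signature of an ARP poisoning attempt;
            # the gateway flipping is the classic "route the victim through me" case.
            level = "CRITICAL" if reply.ip == self.gateway_ip else "WARNING"
            raised.append(f"{level} t={reply.ts:.0f}: {reply.ip} moved {known} -> {reply.mac}")
        ips = self.claims.setdefault(reply.mac, set())
        if reply.ip not in ips:
            ips.add(reply.ip)
            if len(ips) > 1:                            # one NIC answering for several hosts
                raised.append(f"WARNING t={reply.ts:.0f}: {reply.mac} claims {sorted(ips)}")
        self.alerts.extend(raised)
        return raised


# Constructed sample: gateway, victim and attacker announce themselves normally,
# then at t=10 the attacker's MAC starts answering for both the gateway and the victim.
SAMPLE_REPLIES = [
    ArpReply("192.168.56.1", "aa:aa:aa:aa:aa:01", 0.0),
    ArpReply("192.168.56.20", "aa:aa:aa:aa:aa:20", 1.0),
    ArpReply("192.168.56.30", "aa:aa:aa:aa:aa:30", 2.0),
    ArpReply("192.168.56.1", "aa:aa:aa:aa:aa:30", 10.0),
    ArpReply("192.168.56.20", "aa:aa:aa:aa:aa:30", 10.0),
]


def run_demo() -> List[str]:
    """Replay the sample through a detector and return every alert, in order."""
    detector = ArpSpoofDetector(gateway_ip="192.168.56.1")
    for reply in SAMPLE_REPLIES:
        detector.observe(reply)
    return detector.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

On the sample the first alert is the CRITICAL gateway change, followed by the attacker's MAC being flagged for claiming multiple IPs; a real deployment would also want to suppress legitimate changes such as DHCP lease churn or a failover gateway.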

Deeper into the Attack

Using the TCP/IP model we can look at the vulnerabilities and mitigations.

Data packets at any layer can be modified with malicious information as if they were a part of the normal stream.

Network Layer

Most vulnerabilities at this layer involve insecure protocols, since manipulating a TCP packet in-stream is difficult to do:

  1. find the packet or series of packets carrying the information you want (possibly after decrypting it)
  2. manipulate the data
  3. recalculate the checksums

IPsec is a secure network protocol suite that protects IP traffic end-to-end, including the TCP segments it carries. It is most commonly deployed by Virtual Private Networks (VPN).

DNSSEC is a set of extensions that cryptographically sign DNS data so that spoofed responses can be detected.

Internet Protocol Version 6

IPv6 addresses the vulnerabilities of Internet Control Message Protocol (ICMP) over IPv4 with some important changes.

  • replacing ARP with the Neighbor Discovery Protocol (NDP)
  • introducing a secure extension to network discovery (SEND)
  • replacing Router Discovery (RDISC) with Multicast Listener/Router Discovery (MLD/MRD)

New IPv6-specific MITM attacks have been found, such as the Stateless Address Auto Configuration (SLAAC) attack (which appears to be a Windows configuration issue that allows IPv4 vulnerabilities to resurface).

Transport Layer

TLS encryption is the main mitigation at this layer, acting as the gateway between the network and an application.

Closing or redirecting HTTP or other non-TLS ports will prevent SSL stripping.

Certificate authorities and certificate pinning help mitigate spoofing.

Application Layer

If an attacker reaches the application layer, the information already stolen enables further attacks like session hijacking, Cross-Site Request Forgery (CSRF), SQL injection, denial of service and accessing unauthorized data.

Mitigation strategies include:

  • Applications and systems should be kept up to date and hardened.
  • All network access points should have strong authentication and authorization.
  • Sandboxing in virtual machines, containers, jails, chroot or with file permissions.
  • Follow other best practices like security through obscurity and the principle of least privilege.

Conclusion

Detection of an attack is difficult and largely limited to tamper detection: testing and examining the latency of messages, or possibly machine learning on behaviours.

Forensic analysis of captured network traffic provides post-mortem detection, so observability in all aspects of your system is important.

The industry still needs to move toward an IPv6 dominated internet to help prevent vulnerabilities at the network layer.

This matters especially for 5G mobile networks, as the technology is positioned for integration into IoT and other firmware devices that are not easily updated.

That’s all for now folks.