Man-in-the-Middle (MITM) Attacks: An Introduction
What is a Man-in-the-Middle (MITM) Attacks – Definition
MITM attack refers to the kind of cyberattack in which an attacker eavesdrops on the communication between two targets- two legitimately communicating hosts- and even hijacks the conversation between the two targets. Thus, the attacker is able to “listen” to a conversation that he is not supposed to listen to and even alter the course of the communication, remaining invisible and undetected all the while. The attacker can thus gather information, including personal data, from either participant and can even execute malicious activities, including launching a malware attack. A typical MITM (Man in the Middle) Attack is just like getting in between a telephone conversation, remaining transparent and at the same time interacting with both the participants posing as the person at the other end.
The Different Kinds of Man-in-the-Middle (MITM) Attacks
Rogue Access Point- This involves attackers setting up their own wireless access points and tricking nearby devices that are equipped with wireless cards to join the attackers’ domain. As we know, such devices with wireless cards sometimes auto connect to access points with the strongest of signals. It’s this aspect that’s utilized by attackers to manipulate victims’ network traffic and do malicious activities. The notable thing about such attacks is that the attackers need not be using even a trusted network. Proximity is the element that works in their favor; they exploit physical proximity to hijack networks and execute attacks.
ARP Spoofing- This involves an attacker sniffing the private traffic between two hosts by sending ARP (Address Resolution Protocol) messages onto a local area network. As we know, ARP messages are sent to resolve IP addresses to physical MAC (Media Access Control) addresses in local area networks. Thus, it’s by referencing the ARP cache that a host which needs to communicate with another host within a given IP address resolves the IP address to a MAC address. A request is made asking for the MAC address of the device in case the address is not known and if an attacker poses as another host and responds to such a request using some precisely placed packets, it becomes easy to sniff the private communication and extract all kinds of data from the traffic. The attacker is even able to get information regarding session tokens and thus gets full access to application accounts as well.
DNS Spoofing- DNS (Domain Name System) resolves domain names to IP addresses in a similar manner as ARP resolves IP addresses to MAC addresses. An attacker can attempt to introduce corrupt DNS cache information to a host and thus try to access another host using the same domain name. The victim would thus end up sending sensitive information to the infected, malicious host thinking that it’s being sent to the trusted source. Domain Name System (DNS) spoofing becomes easy once an attacker spoofs an IP address.
mDNS Spoofing- mDNS (Multicast DNS), unlike DNS, is done on a local area network (LAN) using broadcasts and thus it’s easy for hackers to do mDNS spoofing. Network devices like printers, TVs, entertainment systems etc make use of mDNS to connect to the network. Users just let the system resolve and find the address to communicate since they are typically on trusted networks. But then, when an app attempts to know the address of any device, a hacker can respond to such requests for connection with fake data and thus hijack the communication by instructing the app to resolve to an address under the hacker’s control. Such network devices keep a local cache of addresses and hence the victim would consider the hacker’s device as trusted for some time, during which data extraction takes place.
Man-in-the-Middle (MITM) Attacks : The Different Techniques
Sniffing- Hackers put some wireless devices on monitoring/promiscuous mode and thus are able to sniff out packets that they are not intended to see. Thus, they can sniff out or see packets meant for other hosts and use the same to hijack communication.
Packet injection- Hackers can inject malicious packets into streams of communication by exploiting the monitoring mode of devices. Such injected packets eventually behave like valid packets and can be used for malicious activities.
Session hijacking- A hacker sniffs sensitive traffic, identifies the temporary session token that’s generated for a user and then use the session token to make requests to the user. Once the session token is identified, there’s no need to do any further spoofing to hijack a session.
SSL stripping- Hackers intercept packets, alter their HTTPS-based address requests to go instead to their HTTP equivalent endpoint. Thus, the host ends up making unencrypted requests which eventually leads to sensitive data being leaked in plain text.
How to Prevent MITM Attacks
Let’s take a look at some basic things that could help prevent MITM attacks. They include:
- Having strong WEP/WAP encryption mechanism on wireless access points.
- Creating a secure environment by using a VPN (Virtual Private Network).
- Ensuring that websites use only HTTPS and do not provide HTTP versions; and installing browser plugins, at users’ ends, to enforce the use of HTTPS only.
- Using public key pair-based authentication, like RSA, to ensure the authenticity of communication.