A man-in-the-middle attack is a generic name for various techniques aimed at gaining access to traffic as an intermediary. Because of the wide variety of these techniques, it is hard to implement a single detection tool that works in all situations. For example, a man-in-the-middle attack on a local network commonly relies on ARP spoofing (poisoning), so many man-in-the-middle detection tools watch for changes in IP/MAC address pairs or report suspicious ARP activity by passively monitoring ARP requests and responses. But if the attack is carried out through a maliciously configured proxy server, a VPN, or some other means that does not involve ARP poisoning, such tools are helpless.

The purpose of this section is to look at some techniques for detecting man-in-the-middle attacks, as well as some tools designed to determine that you are under a MitM attack. Due to the variety of methodologies and implementation scenarios, 100% detection cannot be guaranteed.

1. Traffic modification detection

As already mentioned, ARP spoofing is not always used in man-in-the-middle attacks. Therefore, although ARP-level activity detection is the most popular detection method, traffic modification detection is a more universal one. The mitmcanary program can help us with this.

The principle of the program is that it makes "control" requests and saves the received responses. After that, it repeats the same requests at certain intervals and compares the new responses with the saved ones. The program is quite intelligent: to avoid false positives, it detects dynamic elements in responses and handles them correctly. As soon as the program records traces of the activity of MitM tools, it reports this.

Examples of the traces some tools leave:

  • MITMf, by default, changes all HTTPS URLs in HTML code to HTTP. Detected by comparing HTTP content.
  • Zarp + MITMProxy: MITMProxy has a feature that strips HTTP compression, used to make the transmitted traffic readable; this bundle is detected by the disappearance of previously present compression.
  • Responder: detected by sudden changes in mDNS responses: an unexpected response; an internal response where an external one is expected; a response with an IP different from the expected one.
  • MITMCanary vs MITMF:

  • MITMCanary vs Responder:

  • MITMCanary vs Zarp + MITMProxy:
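The comparison the text describes, as an added example that is not mitmcanary's own code: a baseline response recorded on a trusted network is compared with later responses after masking dynamic elements, reporting the MITMf-style https-to-http rewriting and the disappearing compression mentioned above. All responses, hostnames and dynamic-element patterns in it are constructed.

```python
"""Canary-style detection of traffic modification (added example).

This is not mitmcanary's code. It mimics the principle the text
describes: a "control" response recorded on a trusted network is the
baseline, later responses are compared against it, and known dynamic
elements are masked before comparing so that they do not raise alerts.
All responses below are constructed sample data.
"""
import re

# Dynamic fragments that legitimately differ between two fetches of the
# same page (constructed patterns; a real deployment would learn these
# from several baseline fetches).
DYNAMIC = [
    (re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"), "<TIME>"),
    (re.compile(r"csrf_token=[0-9a-f]+"), "csrf_token=<NONCE>"),
]

# href="https://host/path" -> groups: scheme, target
LINK = re.compile(r'href="(https?)://([^"]+)"')


def normalise(body):
    """Mask known dynamic elements so only real changes remain."""
    for pattern, replacement in DYNAMIC:
        body = pattern.sub(replacement, body)
    return body


def links_by_scheme(body):
    """Map each link target (without scheme) to the scheme it uses."""
    return {target: scheme for scheme, target in LINK.findall(body)}


def _mask_schemes(body):
    """Hide link schemes so a downgrade is not also counted as a body change."""
    return LINK.sub(r'href="<SCHEME>://\2"', body)


def compare(baseline, current):
    """Return a list of alerts; an empty list means nothing suspicious."""
    alerts = []
    base_body = normalise(baseline["body"])
    cur_body = normalise(current["body"])

    # 1. HTTPS links rewritten to HTTP (the MITMf behaviour in the text).
    cur_links = links_by_scheme(cur_body)
    for target, scheme in links_by_scheme(base_body).items():
        if scheme == "https" and cur_links.get(target) == "http":
            alerts.append(f"https link downgraded to http: {target}")

    # 2. Compression that used to be present has disappeared
    #    (the Zarp + MITMProxy behaviour in the text).
    base_enc = baseline["headers"].get("Content-Encoding")
    if base_enc and not current["headers"].get("Content-Encoding"):
        alerts.append(f"Content-Encoding {base_enc} disappeared")

    # 3. Any other change to the body once link schemes and dynamic
    #    elements are masked, e.g. injected script.
    if _mask_schemes(base_body) != _mask_schemes(cur_body):
        alerts.append("body changed beyond known dynamic elements")
    return alerts


# Constructed sample responses: the baseline recorded on a trusted
# network, a later clean fetch, and a fetch through a modifying proxy.
BASELINE = {
    "headers": {"Content-Encoding": "gzip"},
    "body": '<p>Generated 2016-11-01 10:00:00</p>'
            '<a href="https://shop.example/login?csrf_token=1a2b">Login</a>',
}
CLEAN = {
    "headers": {"Content-Encoding": "gzip"},
    "body": '<p>Generated 2016-11-01 10:05:00</p>'
            '<a href="https://shop.example/login?csrf_token=9f8e">Login</a>',
}
TAMPERED = {
    "headers": {},
    "body": '<p>Generated 2016-11-01 10:10:00</p>'
            '<a href="http://shop.example/login?csrf_token=77aa">Login</a>'
            '<script>/* injected */</script>',
}

if __name__ == "__main__":
    print("clean fetch:", compare(BASELINE, CLEAN))
    for alert in compare(BASELINE, TAMPERED):
        print("ALERT:", alert)
```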

sudo pip install Cython
sudo apt-get install python-kivy python-dbus
sudo pip install plyer uuid urlopen analysis request simplejson datetime
git clone https://github.com/CylanceSPEAR/mitmcanary.git
cd mitmcanary/

As already mentioned, mitmcanary must first record its control requests. To do this, go to the directory

cd service/

And run the file setup_test_persistence.py:

python2 setup_test_persistence.py

This will take some time - wait until the end. No error messages should be displayed (if so, then you are missing some dependencies).

Something like this will be output:

[email protected]:~/bin/mitmcanary/service$ python2 setup_test_persistence.py
Older configuration version detected (0 instead of 14)
Upgrading configuration in progress.
Purge log fired. Analyzing...
Purge finished!
Record log in /home/mial/.kivy/logs/kivy_16-11-01_0.txt
v1.9.1
v2.7.12+ (default, Sep 1 2016, 20:27:38)

After finishing this process, in the same directory, execute (this will start a background process):

python2 main.py

After that, open a new terminal window and change to the root directory with mitmcanary. My directory is bin/mitmcanary/, so I enter

cd bin/mitmcanary/

and execute there:

python2 main.py

The first window will display something like:

[email protected]:~/bin/mitmcanary/service$ python2 main.py
Record log in /home/mial/.kivy/logs/kivy_16-11-01_1.txt
v1.9.1
v2.7.12+ (default, Sep 1 2016, 20:27:38)
using for socket listening for Tuio on 127.0.0.1:3000
Sleeping for 60 seconds
Sleeping for 60 seconds
Sleeping for 60 seconds
Sleeping for 60 seconds
Sleeping for 60 seconds
Sleeping for 60 seconds

That is, the program makes control requests once a minute and looks for signs of a man-in-the-middle attack in the responses.

The second window also shows output, and a dark window opens; the authors of the program call this window a "graphical interface":

You can wait a while, surf the Internet to make sure that the program does not make any false alerts.

Let's try the classic Ettercap program.

I run a regular MitM attack with ARP spoofing. mitmcanary does not react to the ARP poisoning itself. The mitmcanary tool generates traffic on its own, i.e. no user action is required. After some time, one single warning appears, which is not confirmed during the subsequent checks. But the same warning appears again after a few minutes. Without additional analysis, I find it difficult to say whether this is a false positive; it looks very much like one. It is possible that this warning is caused by a connection failure due to traffic having to go through additional hops, or by the peculiarities of my poor Internet connection.

Since the result is not conclusive (rather "no" than "yes"), let's try the Bettercap program, which has a variety of modules. I have no doubt that using various Ettercap plugins and/or additional programs to extend its functionality would also get us noticed by mitmcanary.

For the purity of the experiment, I reboot the machines, run mitmcanary on the attacked machine and Bettercap on the attacking one. The control requests do not need to be made again on the attacked machine: they are saved in a file inside the program directory. That is, it is enough to start the service and the graphical interface.

On the attacking machine, we run Bettercap with its parsers enabled:

sudo bettercap -X

Separate warnings appear, which also look more like false positives.

But running this command:

sudo bettercap -X --proxy

causes a large number of warnings about a possible man-in-the-middle attack on the attacked machine:

So, the more functional a man-in-the-middle tool is, the more footprints it leaves in traffic. For practical use of mitmcanary, the following conditions must be met:

  • make initial requests in a trusted network when you are sure that there is no intermediary in the transmission of traffic;
  • edit the resources to which the verification requests are made, since a professional attacker can add the default resources to exceptions, which would make him invisible to this tool.

2. Detection of ARP spoofing (arp cache poisoning)

Very often, a man-in-the-middle attack on a local network starts with ARP poisoning. That is why many tools designed to detect MitM attacks are based on a mechanism for tracking changes in the ARP cache, in which the correspondences between Ethernet (MAC) addresses and IP addresses are stored.

Examples of such programs include arpwatch, arpalert and many newer programs. The ArpON program not only monitors ARP cache changes, but also protects the cache from them.

As an example, let's run arpwatch in debug mode, without forking into the background and without sending messages by mail. Instead, messages are sent to stderr (standard error output).

sudo /usr/sbin/arpwatch -d

On the attacking machine, run Ettercap and start ARP spoofing. On the attacked machine we observe:

The arpwatch program will help you quickly find out about new connected devices in your local network, as well as ARP cache changes.
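An added example (not arpwatch's code) of the tracking mechanism described above: it keeps the IP-to-MAC table, reports new stations, changed addresses and flip-flops the way arpwatch does, and lists MACs that claim several IPs. The ARP replies it processes are constructed sample data.

```python
"""arpwatch-style tracking of IP-to-MAC bindings (added example).

This is not arpwatch's code. Observed ARP replies are fed in as
(timestamp, ip, mac) tuples; in a real deployment they would be taken
from a capture of ARP traffic on the monitored interface. The monitor
reports, like arpwatch does, a new station, a changed Ethernet address,
and a "flip flop" (an IP returning to a MAC it used before), which is
what ARP poisoning looks like while the real host keeps answering too.
"""
from collections import defaultdict


class ArpMonitor:
    def __init__(self):
        self.current = {}                 # ip -> MAC currently believed
        self.history = defaultdict(set)   # ip -> every MAC ever seen
        self.events = []                  # (ts, kind, ip, old_mac, new_mac)

    def observe(self, ts, ip, mac):
        """Process one ARP reply; return the event it caused, if any."""
        mac = mac.lower()
        old = self.current.get(ip)
        if old is None:
            kind = "new station"
        elif old == mac:
            return None                   # binding unchanged, nothing to report
        elif mac in self.history[ip]:
            kind = "flip flop"
        else:
            kind = "changed ethernet address"
        self.current[ip] = mac
        self.history[ip].add(mac)
        event = (ts, kind, ip, old, mac)
        self.events.append(event)
        return event

    def suspects(self):
        """MACs that have claimed more than one IP. A poisoner that
        impersonates both the gateway and a victim shows up here."""
        ips_by_mac = defaultdict(set)
        for ip, macs in self.history.items():
            for mac in macs:
                ips_by_mac[mac].add(ip)
        return {m: ips for m, ips in ips_by_mac.items() if len(ips) > 1}


# Constructed sample: three hosts come up, then one MAC starts answering
# for the gateway and for 192.168.1.48, and the real gateway answers again.
SAMPLE_REPLIES = [
    (1, "192.168.1.1", "AA:BB:CC:00:00:01"),
    (2, "192.168.1.48", "AA:BB:CC:00:00:48"),
    (3, "192.168.1.77", "AA:BB:CC:00:00:77"),
    (4, "192.168.1.1", "AA:BB:CC:00:00:77"),
    (5, "192.168.1.48", "AA:BB:CC:00:00:77"),
    (6, "192.168.1.1", "AA:BB:CC:00:00:01"),
]


def run(replies=SAMPLE_REPLIES):
    """Feed all replies to a fresh monitor and return it for inspection."""
    monitor = ArpMonitor()
    for ts, ip, mac in replies:
        monitor.observe(ts, ip, mac)
    return monitor


if __name__ == "__main__":
    m = run()
    for ts, kind, ip, old, new in m.events:
        print(f"t={ts} {kind}: {ip} {old} -> {new}")
    print("suspects:", m.suspects())
```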

Another tool for detecting real-time ARP spoofing is a plugin by Ettercap itself called arp_cop. On the attacked machine, run Ettercap as follows:

sudo ettercap -TQP arp_cop ///

And on the attacking machine, let's start ARP poisoning. Warnings immediately begin to appear on the attacked machine:

3. DNS Spoofing Detection

DNS spoofing indicates that there is an intermediary between you and the destination that can modify your traffic. How can you detect that DNS records have been spoofed? The easiest way is to compare against the responses of a nameserver you trust. But then again, the entries in the response to your request can also be substituted...

That is, you need to check either through an encrypted channel (for example, via Tor), or using non-standard settings (another port, TCP instead of UDP). The sans program from XiaoxiaoPu is intended for approximately this (at least, as I understand it). I managed to use this program to redirect DNS queries through Tor and, with non-standard settings, to my own DNS server. But I was never able to get it to show me messages about DNS response spoofing. And without this, the point of the program is lost.

I couldn't find better alternatives.

In principle, given that DNS spoofers usually monitor only port 53, and only UDP protocol, even manually it is enough to simply check the fact of DNS spoofing, although this requires your own DNS server with a non-standard configuration. For example, on the attacking machine, I created the file dns.conf with the following content:

local mi-al.ru

That is, when a DNS record for the site mi-al.ru is requested, the IP of the attacker's machine will be sent instead of the real one.

I run on the attacking machine:

sudo bettercap --dns dns.conf

And on the attacked I do two checks:

dig mi-al.ru

and

dig mi-al.ru -p 4560 @185.117.153.79

Results:

[email protected]:~$ dig mi-al.ru

; <<>> DiG 9.10.3-P4-Debian <<>> mi-al.ru
;; global options: +cmd
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51993
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mi-al.ru.                      IN      A

;; ANSWER SECTION:
mi-al.ru.               86400   IN      A       192.168.1.48

;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Nov 02 09:25:20 MSK 2016
;; MSG SIZE  rcvd: 42

[email protected]:~$ dig mi-al.ru -p 4560 @185.117.153.79

; <<>> DiG 9.10.3-P4-Debian <<>> mi-al.ru -p 4560 @185.117.153.79
;; global options: +cmd
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 401
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mi-al.ru.                      IN      A

;; ANSWER SECTION:
mi-al.ru.               3799    IN      A       185.26.122.50

;; Query time: 304 msec
;; SERVER: 185.117.153.79#4560(185.117.153.79)
;; WHEN: Wed Nov 02 09:25:27 MSK 2016
;; MSG SIZE  rcvd: 53

It can be seen that for a "normal" DNS query the local IP 192.168.1.48 was returned, while the query to the DNS server on a non-standard port returned the correct server IP.

If the server were configured to work with TCP (rather than UDP), then the command would look like this:

dig mi-al.ru -p 4560 +tcp @185.117.153.79

Obviously, there is a lack of a tool that would track DNS responses in traffic itself, double-check them against an alternative source, and raise an alarm in case of spoofing.

To avoid setting up your own remote DNS server, you can query a nameserver via Tor. Since all Tor traffic is encrypted, DNS responses received in this way cannot be tampered with by an intermediary on the path. If Tor is not installed yet, install it. On Debian-based systems:

sudo apt-get install tor

On Arch Linux:

sudo pacman -S tor

Start the service:

sudo systemctl start tor

If you need it, add this service to startup:

sudo systemctl enable tor

Open file /etc/tor/torrc and add the following lines there:

DNSPort 530
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit, .onion

Pay attention to the number 530. This is the port number; instead of 530, you can specify any other (unoccupied) port. Most importantly, remember it.

Again we check:

dig mi-al.ru

and

dig mi-al.ru -p 530 @localhost

Now we specify localhost as the server and use the port number from /etc/tor/torrc.

As you can see from the following screenshot, a DNS spoofing attack is being carried out against the machine on which the check was made:
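An added example, not the sans program or any other tool mentioned above, of the cross-check this section performs by hand with dig: it parses the A records out of two dig outputs (default resolver versus a resolver reached over a non-standard port or Tor's DNSPort) and flags disagreement, plus the case of a public name answered with a private address. The dig outputs are constructed to mirror the ones shown above.

```python
"""Cross-checking DNS answers against a trusted resolver (added example).

This is not the sans program or any other tool from the text. It parses
the ANSWER SECTION of two `dig` outputs, the first from the default
resolver and the second from a resolver reached over a path a local
intermediary cannot tamper with (non-standard port, TCP, or Tor's
DNSPort as set up above), and reports the disagreements. The dig
outputs below are constructed sample data modelled on the checks above.
"""
import ipaddress
import re

# "name.  ttl  IN  A  address" lines inside the ANSWER SECTION
A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d+(?:\.\d+){3})\s*$", re.M)


def a_records(dig_output):
    """Set of IPv4 addresses from the ANSWER SECTION of `dig` output."""
    parts = dig_output.split(";; ANSWER SECTION:", 1)
    if len(parts) < 2:
        return set()
    section = parts[1].split(";;", 1)[0]      # up to the next ';;' header
    return {addr for _name, _ttl, addr in A_RECORD.findall(section)}


def cross_check(domain, default_output, trusted_output):
    """Return findings; an empty list means both resolvers agree."""
    default, trusted = a_records(default_output), a_records(trusted_output)
    findings = []
    if not default or not trusted:
        findings.append(f"{domain}: a resolver returned no A record, compare by hand")
        return findings
    # Different but overlapping answers are normal for load-balanced
    # names; fully disjoint answers deserve a look.
    if default.isdisjoint(trusted):
        findings.append(f"{domain}: default resolver says {sorted(default)}, "
                        f"trusted resolver says {sorted(trusted)}")
    # A public name resolving to a private address only via the default
    # resolver is the pattern shown above (192.168.1.48 vs 185.26.122.50).
    trusted_private = any(ipaddress.ip_address(a).is_private for a in trusted)
    for addr in default:
        if ipaddress.ip_address(addr).is_private and not trusted_private:
            findings.append(f"{domain}: default resolver points at private address {addr}")
    return findings


# Constructed dig outputs (abridged), mirroring the results shown above.
DEFAULT_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51993
;; QUESTION SECTION:
;mi-al.ru.                      IN      A

;; ANSWER SECTION:
mi-al.ru.               86400   IN      A       192.168.1.48

;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

TRUSTED_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 401
;; QUESTION SECTION:
;mi-al.ru.                      IN      A

;; ANSWER SECTION:
mi-al.ru.               3799    IN      A       185.26.122.50

;; Query time: 304 msec
;; SERVER: 127.0.0.1#530(127.0.0.1)
"""

if __name__ == "__main__":
    findings = cross_check("mi-al.ru", DEFAULT_DIG, TRUSTED_DIG)
    for line in findings or ["no spoofing detected"]:
        print(line)
```

In practice the two inputs are the outputs of `dig mi-al.ru` and `dig mi-al.ru -p 530 @localhost` (or the non-standard-port variant), captured with the same query.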

4. Search for network interfaces in promiscuous mode

If your local network has (and especially if it suddenly appeared) equipment in promiscuous mode, this is very suspicious, although it does not clearly indicate a man-in-the-middle attack.

In this mode, the network card allows you to receive all packets, regardless of who they are addressed to.

In the normal state, link layer packet filtering is used on the Ethernet interface, and if the MAC address in the destination header of the received packet does not match the MAC address of the current network interface and is not broadcast, then the packet is discarded. In promiscuous mode, filtering on the network interface is disabled and all packets, including those not destined for the current host, are allowed into the system.

Most operating systems require administrator rights to enable promiscuous mode. That is, putting a network card into promiscuous mode is a deliberate act that may serve the purpose of sniffing.

To search for network interfaces in promiscuous mode, there is an Ettercap plugin called search_promisc.

Plugin launch example:

sudo ettercap -TQP search_promisc ///

The plugin is not completely reliable; it may misjudge the mode of a network interface.
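A host-side complement to the plugin above, added here and not part of Ettercap: on Linux the interface flags word is exposed in /sys/class/net/<iface>/flags, and checking its IFF_PROMISC bit tells you whether your own interfaces are in promiscuous mode. The sample flag values are constructed.

```python
"""Host-side check for interfaces in promiscuous mode (added example).

Unlike the search_promisc plugin above, which probes other hosts over
the network, this checks the machine it runs on: Linux exposes each
interface's flags word in /sys/class/net/<iface>/flags, and bit 0x100
(IFF_PROMISC from <linux/if.h>) is set while promiscuous mode is on.
The flag values in SAMPLE_FLAGS are constructed.
"""
import os

# Subset of the interface flag bits from <linux/if.h>
FLAG_NAMES = {
    0x1: "UP",
    0x2: "BROADCAST",
    0x8: "LOOPBACK",
    0x40: "RUNNING",
    0x100: "PROMISC",
    0x1000: "MULTICAST",
}
IFF_PROMISC = 0x100


def describe(flags):
    """Human-readable names of the known bits set in a flags word."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def promiscuous_interfaces(flags_by_iface):
    """Names of interfaces whose flags word has IFF_PROMISC set."""
    return sorted(name for name, flags in flags_by_iface.items()
                  if flags & IFF_PROMISC)


def read_sysfs_flags(root="/sys/class/net"):
    """Read {iface: flags} from sysfs (Linux only); returns {} elsewhere."""
    result = {}
    if not os.path.isdir(root):
        return result
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                result[name] = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            continue
    return result


# Constructed sample: lo is up, eth0 is a normal interface, eth1 has
# promiscuous mode enabled (0x1103 = 0x1003 | IFF_PROMISC).
SAMPLE_FLAGS = {"lo": 0x9, "eth0": 0x1003, "eth1": 0x1103}

if __name__ == "__main__":
    live = read_sysfs_flags() or SAMPLE_FLAGS
    for iface, flags in sorted(live.items()):
        print(f"{iface}: {describe(flags)}")
    print("promiscuous:", promiscuous_interfaces(live))
```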

Conclusion

Some man-in-the-middle attack methods leave a lot of traces, and some (such as passively looking for credentials on a proxy) are impossible or almost impossible to detect.

You can almost always achieve the desired result in several ways. This also applies to the field of information security. Sometimes, to achieve the goal, you can brute-force, look for holes and develop exploits on your own, or listen to what is transmitted over the network. The latter option is often the best one. That is why today we will talk about tools that help to catch valuable information from network traffic using MITM attacks.

MITMf

Let's start with one of the more interesting candidates. This is a whole framework for man-in-the-middle attacks, built on top of sergio-proxy. Recently included in Kali Linux. To install it yourself, just clone the repository and run a couple of commands:

# setup.sh
# pip install -r requirements.txt

It has an architecture that can be extended by plug-ins. Among the main ones are the following:

  • Spoof - redirects traffic using ARP/DHCP spoofing or ICMP redirects, and modifies DNS queries;
  • Sniffer - monitors login attempts for various protocols;
  • BeEFAutorun - automatically runs BeEF modules based on the client's OS and browser;
  • AppCachePoison - performs an application cache poisoning attack;
  • SessionHijacking - hijacks sessions and saves the captured cookies in a Firefox profile;
  • BrowserProfiler - tries to get the list of plugins used by the browser;
  • FilePwn - replaces files sent over HTTP using Backdoor Factory and BDFProxy;
  • Inject - injects arbitrary content into an HTML page;
  • jskeylogger - injects a JavaScript keylogger into client pages.

If this functionality is not enough for you, then you can always add your own by implementing the appropriate extension.

putty rider

Another noteworthy utility. True, unlike all the other tools considered today, it is very narrowly specialized. As the author of the project himself says, he was inspired to create such a utility by the fact that during penetration tests the most important data was located on Linux / UNIX servers, to which admins connected via SSH / Telnet / rlogin. And in most cases, accessing the administrators' machine was much easier than accessing the target server. Having penetrated the system administrator's machine, all that remains is to make sure that PuTTY is running and use this tool to build a reverse bridge to the attacker.


The utility allows not only sniffing the "communication" between the admin and a remote server (including passwords), but also executing arbitrary shell commands within a given session. And all this happens completely transparently for the user (administrator). If you are interested in the technical details, for example how the injection into the PuTTY process is implemented, I recommend reading the author's presentation.


SessionThief

A rather old utility, born more than eight years ago. It is designed to clone sessions by stealing cookies. For session hijacking, it has basic capabilities for discovering hosts (when connected to an open wireless network or a hub) and performing ARP poisoning. The only problem is that today, unlike eight years ago, almost all large companies like Yahoo or Facebook use SSL encryption, which makes this tool completely useless against them. Despite this, there are still enough resources on the Web that do not use SSL, so it's too early to write off the utility. Its advantages include the fact that it automatically integrates into Firefox and creates a separate profile for each intercepted session. The source code is available in the repository, and you can build it yourself using the following sequence of commands:

# apt-get install build-essential libwxgtk2.8-dev libgtk2.0-dev libpcap-dev
# g++ $(wx-config --cppflags --libs) -lpcap -o sessionthief *.cpp
# setcap cap_net_raw,cap_net_admin=eip sessionthief

Proxy Fuzz

ProxyFuzz has nothing to do directly with MITM attacks. As you can guess from the name, the tool is designed for fuzzing. It is a small non-deterministic network fuzzer implemented in Python that randomly changes the contents of network traffic packets. It supports the TCP and UDP protocols and can be configured to fuzz only one side. It is useful when you need to quickly test some network application (or protocol) and develop a PoC. Usage example:

python proxyfuzz -l -r -p

The list of options includes:

  • w - sets the number of requests sent before fuzzing starts;
  • c - fuzz only the client (otherwise both sides);
  • s - fuzz only the server (otherwise both sides);
  • u - UDP protocol (otherwise TCP is used).

The Middler

Presented at the DEF CON conference, a utility for carrying out MITM attacks on various protocols. The alpha version supported the HTTP protocol and had three cool plugins in its arsenal:

  • plugin-beef.py - injects the Browser Exploitation Framework (BeEF) into any HTTP request coming from the local network;
  • plugin-metasploit.py - injects into unencrypted (HTTP) requests an IFRAME that loads browser exploits from Metasploit;
  • plugin-keylogger.py - injects a JavaScript onKeyPress event handler into all text fields that will be sent over HTTPS, causing the browser to send the user's password character by character to the attacker's server before the entire form is submitted.

The Middler not only automatically analyzes network traffic and finds cookies in it, but also independently requests them from the client, that is, the process is automated to the maximum. The program guarantees the collection of all unprotected accounts in the computer network (or public hotspot), to the traffic of which it has access. For the program to work correctly, the following packages must be installed on the system: Scapy, libpcap, readline, libdnet, python-netfilter. Unfortunately, the repository has not been updated for a long time, so you will have to add new functionality yourself.

mitmproxy

A console utility that allows you to interactively examine and modify HTTP traffic. Thanks to these capabilities, the utility is used not only by penetration testers and hackers, but also by ordinary developers, who use it, for example, to debug web applications. It can be used to get detailed information about what requests an application makes and what responses it receives. mitmproxy can also help you learn how some REST APIs work, especially poorly documented ones.

Installation is extremely simple:

$ sudo aptitude install mitmproxy

$ pip install mitmproxy

$ easy_install mitmproxy

It is worth noting that mitmproxy also allows you to intercept HTTPS traffic by issuing a self-signed certificate to the client. A good example of how to set up traffic interception and modification can be found.


Intercepter-NG

It would be strange if this legendary instrument was not included in our review. Even if you've never used it, you've probably heard of it (and you just have to get to know it better) - it's quite common on the pages of the magazine. I will not fully describe its functionality - firstly, we are interested in MITM, and secondly, such a description will take up the entire article.



Dsniff

Well, this utility is generally one of the first things that should come to mind as soon as you hear "MITM attack". The tool is quite old, but is still actively updated, which is good news. It makes no sense to describe its capabilities in detail; over the fourteen years of its existence, it has been covered on the Web more than once. For example, in a guide like this:

or instructions from our website:

Lastly..

As usual, we have not considered all the utilities, but only the most popular ones; there are still many little-known projects that we might talk about someday. As you can see, there is no shortage of tools for carrying out MITM attacks, and, which does not happen so often, one of the cool tools is implemented for Windows. There is nothing to say about *nix systems: a whole variety. So I guess you can always find the right tool for hijacking someone else's credentials. Oops, that is, for testing purposes.

Three-way handshake

The process of starting a TCP session, which consists of three steps. The client sends a packet with the SYN flag to the server. Having received the packet with the SYN flag from the client, the server sends a packet with the SYN+ACK flags in response and switches to the ESTABLISHED state. After receiving a correct response from the server, the client sends a packet with the ACK flag and goes into the ESTABLISHED state.

Ban list

List of clients that do not have rights to certain actions. With the help of a ban list, the capabilities of bots are usually limited when a DDoS attack is detected. Also, in the realities of game servers, this list includes players with a bad reputation, using cheat codes, or committing illegal actions.

Bot

The computer used to conduct a DDoS attack with "real" traffic. In most cases, this is an ordinary user's computer infected with a virus. Often the user cannot notice that his computer is infected and is being used for illegal purposes.

Web server

A computer on a network that accepts HTTP requests from clients, usually web browsers, and provides them with HTTP responses. Typically, along with an HTTP response, the web server responds with an HTML page, image, media stream, or other data.

web service

Web services are services provided on the Internet. When this term is used, it can refer to searching, web mail, storing documents, files, bookmarks, and so on. Usually, web services can be used regardless of the computer, browser, or Internet access location.

Domain

The concept of "Domain" can be used in different contexts when it comes to network technologies. Most often, a domain means the domain name of a site. Domains are divided into levels: for example, in the domain example.com, com is the first-level domain and example is the second-level domain. For convenience, people also use the term "Subdomain" for a domain of more than two levels. For example, in the domain mail.example.com, mail is a subdomain.

Search robot

A search engine service for discovering new pages on the Internet and changes to existing ones. Its principle of operation is similar to a browser: it analyzes the content of a page, stores it in a special form on the search engine's servers, and follows the links to the next pages.

Bandwidth

The maximum possible amount of transmitted data per unit of time. Often Internet providers, promising a high speed of access to the Internet, do not fulfill their promises. In most cases, this is due to full bandwidth usage.

In this article, we will try to cover the theory of man-in-the-middle attacks and some practical points that help prevent these types of attacks. This will help us understand the risk such intrusions pose to our privacy, as MitM attacks allow an attacker to intrude on communications and listen in on conversations.

Understanding how the internet works

To understand the man-in-the-middle attack, you must first understand how the Internet itself works. The main points of interaction: clients, routers, servers. The most common communication protocol between a client and a server is the Hypertext Transfer Protocol (HTTP). Web surfing with a browser, e-mail, instant messaging - all done through HTTP.

When you type an address into your browser's address bar, the client (you) sends a request to display a web page to the server. The packet (an HTTP GET request) is sent through multiple routers to the server. The server then responds with a web page, which is sent back to the client and displayed on its screen. HTTP messages must be transmitted securely to ensure confidentiality and anonymity.

Figure 1. Client-server interaction

Securing the communication protocol

A secure communication protocol must have each of the following properties:

  1. Privacy - only the intended recipient can read the message.
  2. Authenticity - the identity of the interacting parties is proven.
  3. Integrity - confirmation that the message has not been modified in transit.

If at least one of these properties is not met, the entire protocol is compromised.

Man-in-the-middle attack over HTTP protocol

An attacker can easily carry out a man-in-the-middle attack using a technique called ARP spoofing. Anyone on your Wi-Fi network can send you a fake ARP packet, causing you to unknowingly send all your traffic through an attacker instead of a router.

After that, the attacker takes full control over the traffic and can monitor requests sent in both directions.

Figure 2. Man-in-the-middle attack scheme


To prevent such attacks, a secure version of the HTTP protocol was created. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communication over a network; the protocol secured by them is called HTTPS. You can see the secure protocol at work by typing an https:// address in your browser's address bar (note the S in https).

Man-in-the-middle attack on poorly implemented SSL

Modern SSL uses strong encryption algorithms, but that does not matter if it is deployed incorrectly. If a hacker can intercept the request, they can modify it by removing the "S" from the requested URL, thereby bypassing SSL.

Such interception and modification of the request can be noticed. For example, if you request https://login.yahoo.com/ and the response comes back at http://login.yahoo.com/, this should raise suspicion. At the time of writing, such an attack actually works against the Yahoo email service.

Figure 3. Intercepting and modifying a request


To prevent such an attack, servers can implement HTTP Strict Transport Security (HSTS), a mechanism that enforces the use of HTTPS. In this case, if an attacker modifies the request by removing the "S" from the URL, the server will still send the user a 302 redirect to the page over the secure protocol.

Figure 4. Scheme of HSTS operation


This way of implementing SSL is vulnerable to another type of attack: the attacker creates an SSL connection to the server but tricks the user into using HTTP.

Figure 5. Attack scheme for HSTS


To prevent such attacks, modern browsers such as Chrome, Firefox and Tor keep track of sites that use HSTS and enforce an SSL connection to them on the client side. In this case, an attacker conducting a man-in-the-middle attack will have to establish an SSL connection with the victim.
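As an added example (not code from the original article), the following Python models the client-side HSTS enforcement described above: it parses the Strict-Transport-Security header a server sends over HTTPS, remembers the policy, and upgrades later http:// URLs for that host (and, with includeSubDomains, its subdomains) to https:// before any request leaves the client. The header value and host names are constructed for the example; note that a host visited over plain HTTP before any policy has been cached is still unprotected, which is the gap the attack in Figure 5 relies on.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a Strict-Transport-Security header value (not from any real site).
SAMPLE_HSTS_HEADER = "max-age=31536000; includeSubDomains; preload"

def parse_hsts(header):
    """Parse an HSTS header value; return None if it lacks a valid max-age (then it is ignored)."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None

def remember_hsts(store, host, header, now=None):
    """Record the policy a host served over HTTPS; max-age=0 tells the client to forget it."""
    now = time.time() if now is None else now
    policy = parse_hsts(header)
    if policy is None:
        return False
    if policy["max_age"] == 0:
        store.pop(host.lower(), None)
    else:
        store[host.lower()] = {"expires": now + policy["max_age"],
                               "include_subdomains": policy["include_subdomains"]}
    return True

def hsts_applies(store, host, now=None):
    """True if host, or a parent domain whose policy includes subdomains, has an unexpired policy."""
    now = time.time() if now is None else now
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry and entry["expires"] > now and (i == 0 or entry["include_subdomains"]):
            return True
    return False

def upgrade_url(store, url, now=None):
    """Rewrite http:// to https:// when a cached policy covers the host (explicit ports left as-is)."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname and hsts_applies(store, parts.hostname, now):
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url
```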

Figure 6. Scheme of the attack, where the attacker establishes an SSL connection with the victim


To establish an SSL connection with the user, an attacker must be able to act as the server. Let's look at the technical aspects of SSL.

Understanding SSL

From a hacker's point of view, compromising any communication protocol comes down to finding a weak link among the components listed above (privacy, authenticity and integrity).

SSL uses an asymmetric encryption algorithm. The problem with symmetric encryption is that the same key is used to encrypt and decrypt data; this approach is unacceptable for Internet protocols, since an attacker can intercept this key.

Asymmetric encryption, on the other hand, involves two keys for each side: a public key used to encrypt data and a private key used to decrypt it.

Figure 7. Work of public and private keys

How does SSL provide the three properties required for secure communications?

  1. Because asymmetric cryptography is used to encrypt data, SSL provides a private connection. This encryption is not easy to crack, let alone crack unnoticed.
  2. The server proves its legitimacy by sending the client an SSL certificate issued by a certificate authority, a trusted third party.

If an attacker somehow manages to obtain the certificate, he can create the conditions for a man-in-the-middle attack. He will create two connections: one with the server and one with the victim. The server then thinks the attacker is a normal client, and the victim has no way to identify the attacker, since he presented a certificate proving that he is the server.

Your messages are sent and received in encrypted form, but they pass along the chain through the cybercriminal's computer, where he has complete control.

Figure 8. Scheme of the attack if the attacker has a certificate


The certificate need not be forged if the attacker is able to compromise the victim's browser. In this case, he can insert a self-signed certificate that will be trusted by default. This is how most man-in-the-middle attacks are implemented. In more complex cases, the hacker has to go the other way and forge the certificate.

Problems of certificate authorities

The certificate sent by the server is issued and signed by a certificate authority. Each browser has a list of trusted CAs, and you can add or remove entries. The problem is that if you decide to remove the large authorities, you will not be able to visit sites whose certificates are signed by them.

Certificates and CAs have always been the weakest link in an HTTPS connection. Even if everything is implemented correctly and each certificate authority has a solid reputation, it is still hard to accept that you have to trust many third parties.

Today there are more than 650 organizations capable of issuing certificates. If an attacker hacks any of them, he will get any certificates he wants.

Even when there was only one certificate authority, VeriSign, there was a problem: the people who were supposed to prevent man-in-the-middle attacks were selling interception services.

Many certificates have also been created by hacking certificate authorities, and various techniques and tricks have been used to force the targeted user to trust fraudulent certificates.

Forensics

Because the attacker sends fake ARP packets, you cannot see his IP address. Instead, you need to pay attention to the MAC address, which is specific to each device on the network. If you know your router's MAC address, you can compare it with the default gateway's MAC address to find out whether it is really your router or an intruder.

For example, on Windows you can use the ipconfig command at the command line (CMD) to see the IP address of your default gateway (the last line):

Figure 9. Using the ipconfig command


Then use the arp -a command to find out the MAC address of this gateway:

Figure 10. Using the arp -a command


But there is another way to notice an attack: monitoring network activity and watching ARP packets at the time it starts. For example, you can use Wireshark for this purpose; the program will warn you if the MAC address of the default gateway has changed.

Note: if an attacker spoofs MAC addresses correctly as well, tracing him becomes a big problem.
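As an added example (not code from the original article), the following Python automates the two checks described above: it parses `arp -a` output to compare the gateway's cached MAC with the router's known-good MAC, and it watches a sequence of ARP replies for an IP address whose MAC changes, the condition Wireshark warns about. The ARP table text and all addresses are constructed for the example; the known-good MAC has to come from the router itself (its label or admin page), and, as the note above says, an attacker who also spoofs the MAC defeats this comparison.

```python
import re

# Constructed sample of Windows `arp -a` output; addresses are invented for this example.
SAMPLE_ARP_A = """
Interface: 192.168.1.37 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-01     dynamic
  224.0.0.251           01-00-5e-00-00-fb     static
"""

# One ARP-table row: IPv4 address, MAC in either aa-bb-cc or aa:bb:cc notation, entry type.
ARP_ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)", re.I)

def norm_mac(mac):
    """Lower-case, colon-separated form so Windows and Unix spellings compare equal."""
    return mac.lower().replace("-", ":")

def parse_arp_table(text):
    """Map each IP in the ARP cache to its normalized MAC."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(1)] = norm_mac(m.group(2))
    return table

def check_gateway(arp_table, gateway_ip, expected_mac):
    """Compare the cached MAC for the default gateway with the router's known-good MAC."""
    seen = arp_table.get(gateway_ip)
    if seen is None:
        return "unknown"          # gateway not yet in the cache; nothing to compare
    return "ok" if seen == norm_mac(expected_mac) else "suspicious"

def watch_arp_replies(replies):
    """Passive monitor, like Wireshark's duplicate-address warning: report every IP whose
    claimed MAC changes across a sequence of (sender_ip, sender_mac) ARP replies."""
    alerts, known = [], {}
    for ip, mac in replies:
        mac = norm_mac(mac)
        if ip in known and known[ip] != mac:
            alerts.append((ip, known[ip], mac))
        known[ip] = mac
    return alerts
```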

Conclusion

SSL is a protocol that forces an attacker to do a lot of work to carry out an attack, but it will not protect you from government-sponsored attacks or skilled hacker organizations.

The user's task is to protect their browser and computer in order to prevent the insertion of a fake certificate (a very common technique). You should also review the list of trusted certificates and remove those you do not trust.