Thursday, April 5, 2018

Man-in-the-middle attack



Often, we have conversations where there's confidential information flow between two parties. A man-in-the-middle attack allows a malicious actor to intercept, send and receive data meant for someone else, or not meant to be sent at all, without either outside party knowing until it is too late.

In other words, man-in-the-middle attacks are a common type of cybersecurity attack that allows attackers to eavesdrop on the communication between two targets.
A MITM attack exploits the real-time processing of transactions, conversations or transfer of other data.

In a man-in-the-middle-attack, the attacker becomes an intermediary between all communications happening between victim systems and the gateway. He can easily sniff and modify information at will. A man in the middle attack happens in both wired and wireless networks.

How does it work?

Here is an example of how it goes:

Jane and Peter are having a conversation; Eve wants to eavesdrop on the conversation but also remain transparent. Eve could tell Jane that she was Peter and tell Peter that she was Jane. This would lead Jane to believe she’s speaking to Peter, while revealing her part of the conversation to Jane. Jane could then gather information from this, alter the response, and pass the message along to Peter (who thinks he’s talking to Alice). As a result, Eve can transparently hijack their conversation.


Different Types of man-in-the-middle-attack

There is not just simply one type of man-in-the-middle-attack. Rather, there are several types of MITM attacks:

  •          ARP poisoning
  •          WiFi WEP/ WPA/2 Hacking
  •          DNS spoofing
  •          STP mangling
  •          Port stealing


ARP poisoning

A successful ARP spoofing (poisoning) attack allows an attacker to alter routing on a network, effectively enabling a man-in-the-middle attack.

In computer networking, ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network.

Generally, the aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.


WiFi WEP/ WPA/2 Hacking

Once the WEP or WPA encryption process starts, the attacker can commence his own operation by using a sniffer program to find wireless gadgets running in peer mode. This should enable him to gain root access to a system in the long run - he has already bypassed the main defenses of your mobile or wireless connection).

After that, he can deploy a key logger or a precisely placed Trojan horse that will allow him to gain complete control over your network system, exploiting every weakness that's been outlined thus far. 

The WiFi client hacking attack described above can be done even if the victim is traveling and only using his laptop at an airport or hotel lobby. It will have to expose itself to hackers as well; that's the true price of using a complimentary WiFi service.


DNS spoofing

DNS Spoofing is a type of computer attack wherein a user is forced to visit a fake website disguised to look like a real one, with the intention of diverting traffic or stealing credentials of the users. Spoofing attacks can go on for an extended period without being detected and can cause serious security issues.

DNS spoofing is done by replacing the IP addresses stored in the DNS server with the ones under control of the attacker.

Therefore, every time users try to go to a certain website, they get directed to the false websites placed by the attacker in the spoofed DNS server. This way your computer is convinced that the attacker’s site is to be trusted and that it is the site you requested.


STP mangling

STP (Spanning-Tree Protocol) mangling refers to the technique used by the attacker host to be elected as the new root bridge of the spanning tree. The attacker may start either by creating BPDUs (Bridge Protocol Data Units) with high priority assuming to be the new root, or by broadcasting STP Configuration/Topology Change Acknowledgement BPDUs to get his host elected as the new root bridge. By taking over the root bridge, the attacker will be able to intercept most of the traffic.


Port stealing

Port stealing is a kind of attack where someone "steals" traffic that is directed to another port of an Ethernet switch. This attack allows someone to receive packets that were originally directed to another computer. It does so by making the switch believe that the attacker's port is the correct destination for the packet.

This is how the port stealing technique works:

1. Steal the port,
2. Receive some data,
3. Give the port back,
4. Forward the data to the real destination,
5. Go back in step 1 by stealing the port again.


Man-in-the-middle attack prevention

Your best defense against man-in-the-middle attack is to be very cautious when connecting to free or unsecured Wi-Fi networks. When visiting a website, make sure “HTTPS” is always in the URL bar of the websites you visit.

Be aware of the potential phishing emails from attackers asking you to update your password or any other log in credentials. Instead of clicking in the link provided in the email, you can manually type the website in questions address into the URL bar of your browser and proceed from there.

The best way to protect your PC from any type of malware on time is installing an antivirus solution, as a basic protection tool and an anti-malware solution as a necessary additional layer of protection. Be sure to keep the programs up to date.

To protect against man-in-the-middle attacks, you can consider using an anti-keylogger or rootkit detection software as well.

You can try our Zemana AntiLogger, a pioneer in anti-keylogging software or our Zemana AntiMalware, which proved to be the best anti-ransomware tool and the best rootkit and bootkit remediator according to MRG Effitas.


The most famous man-in-the-middle attack

It was in the summer of 2012 that the anomalies were initially detected by employees at Belgium’s largest telecommunications provider, Belgacom.

The computer systems of Belgacom had been infected with a highly sophisticated malware, and it was disguising itself as legitimate Microsoft software while quietly stealing data. The malware found on Belgacom’s systems was one of the most advanced spy tools ever identified by security researchers.

Documents from National Security Agency whistleblower Edward Snowden confirmed that British surveillance agency Government Communications Headquarters was behind the attack, codenamed Operation Socialist.










No comments:

Post a Comment