Man-in-the-middle attack: modalities and defense measures
A man-in-the-middle attack is an attack pattern on the Internet in which an attacker inserts a system that he physically or logically controls between the victim’s system and an Internet resource the victim uses. The attacker’s goal is to intercept, read or manipulate the communication between the victim and the Internet resource without either party noticing.
What is a man-in-the-middle attack?
A man-in-the-middle attack (MitM attack) is a method by which a hacker intervenes in the data traffic of two communicating parties by posing as each of them to the other, so that both believe they are communicating directly with each other when in reality they are communicating with the intermediary. In the past, this type of attack was carried out by manipulating the physical communication channel. Today, on shared public communication networks, the unauthorized third party inserts itself logically between two or more communication participants. MitM attacks are carried out above all on computer networks in order to bypass SSL/TLS encryption and thus gain access to sensitive information such as user data, passwords and bank account details.
Graphic scheme of a MitM attack: system C intervenes unnoticed in the communication between system A and system B.
System A attempts to establish an encrypted connection to system B, but a malicious third party diverts the data stream so that system A’s encrypted connection is made to system C and from there to system B. As a consequence, whoever controls system C (generally the attacker) can examine, record or manipulate the data traffic, often without either communication participant noticing. Applied to the World Wide Web, system C presents itself as a web server to system A and as a web browser to system B.
Man-in-the-middle attack modes
To infiltrate data traffic between two or more systems, hackers use various techniques that target weaknesses in Internet communication. The DHCP (Dynamic Host Configuration Protocol) service, responsible for assigning IP addresses, and the Address Resolution Protocol (ARP), which is used to determine hardware (Media Access Control, MAC) addresses, are vulnerable, for example, to man-in-the-middle attacks on internal local area networks. On a broader scale, these attacks can be carried out by manipulating DNS servers, which are responsible for resolving Internet domain names into public IP addresses. In addition, hackers exploit security holes in outdated browser software or offer unsuspecting users corrupted access points to wireless local area networks.
In general, these types of man-in-the-middle attacks can be automated by software. If the traffic is instead monitored in real time with human intervention, one speaks of human-assisted attacks.
Attacks based on DHCP servers
In a DHCP server-based attack, a hacker places their own computer (or one under their control) on a local area network (LAN) as a DHCP server. The DHCP server is an essential component of a local network: it assigns the network configuration to the other computers on the network. This usually happens automatically: as soon as a computer connects to a local area network, the operating system’s DHCP client requests data such as the local IP address, the netmask, the default gateway and the address of the responsible DNS server. To do so, it sends a broadcast message to all devices on the local area network, waits for a response from a DHCP server and accepts the first one that arrives.
This gives hackers the opportunity to control the allocation of local IP addresses through the rogue DHCP server, to assign a gateway and DNS server of their choosing to the deceived computers, and thereby to divert outgoing data traffic to any computer on which they can intercept and manipulate its content.
Because this type of attack is based on manipulating the DHCP system, it is known as DHCP spoofing. A prerequisite for the man-in-the-middle attack, however, is that the attacker uses the same local area network as his victim. On hotel LANs or public wireless networks there is therefore a real danger of becoming the target of a DHCP server-based attack. To infiltrate a wired corporate network, the attacker would first have to gain physical access to the LAN in order to introduce the rogue DHCP server.
The measures Internet users can take to prevent DHCP spoofing attacks generally boil down to caution when using unknown networks. Broadly speaking, it is advisable to use security-sensitive web applications such as online banking and shopping platforms only on known and trustworthy local networks, such as the private home network or the corporate network.
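On a managed network, the defensive counterpart to the DHCP client behaviour described above is to inspect every DHCPOFFER and compare the server identifier, gateway and DNS options against the configuration the network is supposed to hand out, which is what switch features such as DHCP snooping do. The following Python code is an added example, not code from the original article: it parses the BOOTP header and the option list of a DHCP message and reports offers that name an unknown server, gateway or DNS resolver. The trusted addresses, the client MAC and the two sample offers are constructed for the example; the `build_offer` function only produces in-memory test fixtures for the parser.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Set

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the DHCP options field
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 53, 54, 255
DHCPOFFER = 2


@dataclass
class DhcpMessage:
    xid: int                        # transaction id chosen by the client
    client_mac: str
    offered_ip: str                 # yiaddr: the address the server proposes
    msg_type: Optional[int] = None
    server_id: Optional[str] = None
    routers: List[str] = field(default_factory=list)
    dns_servers: List[str] = field(default_factory=list)


def _ip_list(data: bytes) -> List[str]:
    return [str(IPv4Address(data[i:i + 4])) for i in range(0, len(data) - 3, 4)]


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Parse the fixed BOOTP header and the TLV option list of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    _op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    msg = DhcpMessage(xid=xid,
                      client_mac=payload[28:28 + hlen].hex(":"),
                      offered_ip=str(IPv4Address(payload[16:20])))
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated DHCP option list")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated DHCP option %d" % code)
        if code == OPT_MSG_TYPE:
            msg.msg_type = data[0]
        elif code == OPT_SERVER_ID:
            msg.server_id = str(IPv4Address(data))
        elif code == OPT_ROUTER:
            msg.routers = _ip_list(data)
        elif code == OPT_DNS:
            msg.dns_servers = _ip_list(data)
        i += 2 + length
    return msg


def audit_offer(msg: DhcpMessage, trusted_servers: Set[str],
                trusted_gateways: Set[str], trusted_dns: Set[str]) -> List[str]:
    """Return the reasons an OFFER deviates from the expected network configuration."""
    findings: List[str] = []
    if msg.msg_type != DHCPOFFER:
        return findings
    if msg.server_id not in trusted_servers:
        findings.append(f"offer from unknown DHCP server {msg.server_id}")
    findings += [f"unexpected default gateway {r}" for r in msg.routers if r not in trusted_gateways]
    findings += [f"unexpected DNS server {d}" for d in msg.dns_servers if d not in trusted_dns]
    return findings


def build_offer(xid: int, client_mac: str, offered_ip: str,
                server_id: str, router: str, dns: str) -> bytes:
    """Build a minimal DHCPOFFER in memory (constructed sample input, not a capture)."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)                # op=BOOTREPLY, ethernet, hlen 6
    header += b"\0" * 4 + IPv4Address(offered_ip).packed + b"\0" * 8      # ciaddr, yiaddr, siaddr, giaddr
    header += bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0")  # chaddr
    header += b"\0" * 192                                                  # sname + file
    opts = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
            + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
            + bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
            + bytes([OPT_DNS, 4]) + IPv4Address(dns).packed
            + bytes([OPT_END]))
    return header + MAGIC_COOKIE + opts


# Assumed configuration of the example network (constructed values).
TRUSTED_DHCP = {"192.168.1.1"}
TRUSTED_GATEWAYS = {"192.168.1.1"}
TRUSTED_DNS = {"192.168.1.53"}

LEGIT_OFFER = build_offer(0x1234ABCD, "aa:bb:cc:dd:ee:ff", "192.168.1.50",
                          "192.168.1.1", "192.168.1.1", "192.168.1.53")
ROGUE_OFFER = build_offer(0x1234ABCD, "aa:bb:cc:dd:ee:ff", "192.168.1.50",
                          "192.168.1.200", "192.168.1.200", "192.168.1.200")


def audit_packet(payload: bytes) -> List[str]:
    return audit_offer(parse_dhcp(payload), TRUSTED_DHCP, TRUSTED_GATEWAYS, TRUSTED_DNS)


if __name__ == "__main__":
    for name, pkt in (("legitimate", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, audit_packet(pkt) or "ok")
```

In a real deployment the payloads would come from a packet capture on UDP port 68, and the three findings the rogue offer produces (unknown server, gateway and DNS) are exactly the fields an attacker has to change to redirect a client’s traffic, so any one of them is worth an alert.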
ARP cache poisoning
ARP (Address Resolution Protocol) is the network protocol used to resolve IP addresses on a LAN into hardware addresses (MAC addresses). For a computer to send data packets over the network, it has to know the hardware address of the recipient’s system. To find it, an ARP request is sent as a broadcast to all systems in the local area network. The request contains both the MAC and IP addresses of the requesting computer and the IP address of the requested system. If a computer on the network receives such an ARP request, it checks whether the packet contains its own IP address as the recipient’s IP address. If so,
The resulting mapping of local MAC addresses to IP addresses is stored as a table in the ARP cache of the requesting computer, and this is where so-called ARP cache poisoning comes in. The objective of this type of attack is to manipulate the ARP tables of the various computers on the network by means of forged ARP replies so that, for example, a computer under the attacker’s control appears to be the wireless access point or the Internet gateway.
If an ARP spoofing attack succeeds, the attackers can read all outgoing data from the deceived computers, and also record or manipulate it before forwarding it to the real gateway. As with DHCP spoofing, ARP cache poisoning is only possible when the attacker is on the same local area network as the attacked system. Such a MitM attack can be carried out with simple programs such as the free Cain & Abel tool, originally developed for password recovery, or with the Ettercap software.
As with DHCP server-based attacks on a compromised local area network, users have little means of defending against an ARP spoofing attack. One preventive measure is to avoid unknown networks or to use them with caution.
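Where users cannot do much, a monitor on the LAN can: the forged replies described above contradict the IP-to-MAC bindings that were valid a moment earlier, and a single MAC suddenly answering for both the gateway and a client is the signature of a host impersonating both sides. The following Python code is an added example in the spirit of tools such as arpwatch, not code from the original article: it parses raw Ethernet/ARP frames, keeps its own binding table seeded with a pinned gateway entry, and raises an alert whenever a reply contradicts it. All MAC and IP addresses are constructed, and `build_arp_reply` only produces in-memory frames as sample input.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str, str, str]]:
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip) for an
    Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (oper,
            frame[22:28].hex(":"), str(IPv4Address(frame[28:32])),
            frame[32:38].hex(":"), str(IPv4Address(frame[38:42])))


class ArpWatch:
    """Keeps an independent IP->MAC table, seeded with pinned bindings such as the
    gateway, and reports ARP traffic that contradicts it."""

    def __init__(self, pinned: Dict[str, str]):
        self.pinned = {ip: mac.lower() for ip, mac in pinned.items()}
        self.table: Dict[str, str] = dict(self.pinned)
        self.claims: Dict[str, Set[str]] = {}       # MAC -> every IP it has claimed
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        oper, sender_mac, sender_ip, _, _ = parsed
        if oper not in (ARP_REQUEST, ARP_REPLY):
            return None
        self.claims.setdefault(sender_mac, set()).add(sender_ip)
        known = self.table.get(sender_ip)
        if known is None:
            self.table[sender_ip] = sender_mac        # first sighting: learn it
            return None
        if known == sender_mac:
            return None
        if sender_ip in self.pinned:
            alert = f"pinned binding violated: {sender_ip} claimed by {sender_mac}, expected {known}"
        else:
            alert = f"binding changed: {sender_ip} moved from {known} to {sender_mac}"
            self.table[sender_ip] = sender_mac        # unpinned hosts may legitimately move
        self.alerts.append(alert)
        return alert

    def shared_macs(self) -> Dict[str, List[str]]:
        """MACs that have claimed more than one IP address."""
        return {mac: sorted(ips) for mac, ips in self.claims.items() if len(ips) > 1}


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Constructed ARP reply frame used as sample input (not captured traffic)."""
    eth = _mac_bytes(target_mac) + _mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + _mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
           + _mac_bytes(target_mac) + IPv4Address(target_ip).packed)
    return eth + arp


# Constructed addresses for the example LAN.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "00:11:22:33:44:20"
ATTACKER_MAC = "00:11:22:33:44:99"

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # genuine gateway reply
    build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),    # client answers the gateway
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # forged: gateway IP at third MAC
    build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # forged: client IP at third MAC
]


def run_sample() -> ArpWatch:
    watch = ArpWatch({GATEWAY_IP: GATEWAY_MAC})
    for frame in SAMPLE_FRAMES:
        watch.observe(frame)
    return watch


if __name__ == "__main__":
    w = run_sample()
    print("\n".join(w.alerts))
    print("MACs claiming several IPs:", w.shared_macs())
```

Two design points matter in practice: a pinned binding is never overwritten by observed traffic, so the monitor keeps reporting a poisoned gateway rather than silently accepting it, and `shared_macs` works on every claim ever seen, which catches the two-sided poisoning even if the table itself has been updated.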
DNS server-based attacks
While ARP cache poisoning exploits address resolution weaknesses in Ethernet, DNS server-based cache poisoning targets the Internet’s Domain Name System, which is responsible for resolving domain names into public IP addresses. In this type of attack, hackers manipulate entries in a DNS server’s cache in order to make it answer requests with bogus destination addresses. If the man-in-the-middle attack is successful, hackers can redirect Internet users, without their knowledge, to any web page of their choosing. In most cases, known vulnerabilities of older DNS servers are exploited for this.
In principle, the data of the Domain Name System is not held on a single DNS server but is distributed over different computers in the network. When a user wants to access a web page, he usually uses a domain name. To reach the corresponding server, an IP address is needed. This is determined by the user’s router, which sends a domain name system request to the standard DNS server specified in its configuration. Typically, this is the Internet Service Provider’s (ISP’s) DNS server. If it finds entries, so-called resource records, for the requested name, the DNS server answers the request with the corresponding IP address. If not, the DNS server determines the IP address sought with the help of other servers involved in the domain name system: it sends a query to another DNS server and temporarily caches the response.
One starting point for hacker attacks is servers running a very old version of the DNS software, which generally accept and store not only the data that was explicitly requested but also data that is supplied additionally. If hackers gain access to a single DNS server, it is easy to deliver bogus records along with each correct IP address, thereby “poisoning” the cache of the requesting DNS server.
The effectiveness of man-in-the-middle attacks was demonstrated in several past incidents in which entire domain name ranges were redirected. It is virtually impossible for users to protect themselves against such an attack, as it takes place directly on the Internet infrastructure. It follows that the main task of administrators is to ensure that the DNS servers they operate run current software and are adequately protected. To this end, various Internet standards were developed under the name DNSSEC (Domain Name System Security Extensions), which extend the domain name system with security mechanisms that guarantee the authenticity and integrity of the data. The adoption of these standards is still a slow process.
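The software-side fix for the behaviour described above (a resolver caching whatever extra records a response carries) is the bailiwick rule that current resolvers apply: a response from a server that is authoritative for some zone may only contribute records at or below that zone, and an address in the additional section is cached only if it is glue for a name server actually listed in the authority section. The following Python code is an added example, not code from the original article and not an implementation of DNSSEC: it applies that rule to a response represented as simple records. The zone `example.test`, the query and the injected records are constructed; the IP addresses are from the documentation ranges.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    data: str
    ttl: int = 300


def _norm(name: str) -> str:
    """Case-fold and strip the trailing dot so names compare reliably."""
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it (label-aligned, so
    'notexample.test' is not inside 'example.test')."""
    n, z = _norm(name), _norm(zone)
    return n == z or n.endswith("." + z)


def sanitize_response(zone: str, answer: Iterable[Record], authority: Iterable[Record],
                      additional: Iterable[Record]) -> Tuple[List[Record], List[Tuple[Record, str]]]:
    """Apply the bailiwick rule to a response received from a server authoritative
    for `zone`.  Returns (records safe to cache, [(rejected record, reason), ...])."""
    kept: List[Record] = []
    dropped: List[Tuple[Record, str]] = []

    for r in answer:
        if in_bailiwick(r.name, zone):
            kept.append(r)
        else:
            dropped.append((r, "answer record outside bailiwick"))

    ns_targets = set()                       # names that additional glue may describe
    for r in authority:
        if r.rtype not in ("NS", "SOA") or not in_bailiwick(r.name, zone):
            dropped.append((r, "authority record outside bailiwick or wrong type"))
            continue
        kept.append(r)
        if r.rtype == "NS":
            ns_targets.add(_norm(r.data))

    for r in additional:
        if r.rtype not in ("A", "AAAA"):
            dropped.append((r, "additional record is not an address"))
        elif not in_bailiwick(r.name, zone):
            dropped.append((r, "additional record outside bailiwick"))
        elif _norm(r.name) not in ns_targets:
            dropped.append((r, "additional record is not glue for a listed NS"))
        else:
            kept.append(r)
    return kept, dropped


# Constructed response to a query for www.example.test, as it might arrive from
# a server authoritative for example.test, with two injected out-of-zone records.
ZONE = "example.test"
SAMPLE_ANSWER = [Record("www.example.test", "A", "192.0.2.80"),
                 Record("login.bank.test", "A", "203.0.113.66")]    # injected
SAMPLE_AUTHORITY = [Record("example.test", "NS", "ns1.example.test")]
SAMPLE_ADDITIONAL = [Record("ns1.example.test", "A", "192.0.2.10"),  # legitimate glue
                     Record("www.bank.test", "A", "203.0.113.66"),   # injected
                     Record("ns2.example.test", "A", "192.0.2.11")]  # in zone, but no NS names it


def sanitize_sample() -> Tuple[List[Record], List[Tuple[Record, str]]]:
    return sanitize_response(ZONE, SAMPLE_ANSWER, SAMPLE_AUTHORITY, SAMPLE_ADDITIONAL)


if __name__ == "__main__":
    kept, dropped = sanitize_sample()
    print("cache:", [(r.name, r.rtype, r.data) for r in kept])
    for r, why in dropped:
        print("rejected:", r.name, r.rtype, r.data, "->", why)
```

The rule rejects the injected `bank.test` records even though they arrived in a perfectly well-formed response, which is the point: a server that is only authoritative for `example.test` has no business telling a resolver where `bank.test` lives. DNSSEC adds cryptographic verification on top of this, but bailiwick checking alone already closes the "additional data" hole the text describes.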
Simulation of a wireless access point
An attack model aimed primarily at mobile device users is based on the simulation of a wireless access point on a public wireless network, such as those in coffee shops or airports. Here, an attacker configures his computer so that it becomes an additional way to access the Internet (probably one with a better signal quality than the real access point). If the attacker manages to deceive the more naive users in this way, he can access and manipulate all the data from their systems before it is forwarded to the real access point. If the access point requires authentication, the hacker also receives the usernames and passwords that are used at login.
To protect themselves from this type of attack, it is recommended that Internet users connect mainly to wireless networks known to them and make sure that they are using the official access point of the connection provider.
Man-in-the-browser attack
The man-in-the-browser attack is a variant of the MitM attack. In it, the attacker installs malware in the browser of Internet users with the aim of intercepting their data. Computers that are not properly updated are above all the ones that offer the security holes allowing attackers to infiltrate the system. If programs are secretly inserted into a user’s browser, they record in the background all the data exchanged between the victim’s system and the various web pages. In this way, this type of attack allows hackers to intervene in a large number of systems with relatively little effort. In this case, data espionage usually takes place,
The most effective way to prevent man-in-the-browser attacks is to ensure that all system software components in use are up to date and that vulnerabilities are closed by security updates.
Human assisted attack
We speak of a human-assisted attack when one of the above attack modalities is not carried out automatically but by one or more attackers in real time. In practice, such a man-in-the-middle attack would take place as follows: as soon as an Internet user logs into their bank’s website, the hacker, who has placed himself between the user’s browser and the bank server, receives a signal. This gives him the ability to steal session cookies and authentication information in real time, thereby obtaining usernames, passwords and TAN codes.