[Figure 1. Illustration of a man-in-the-middle attack]
[Figure 2. Illustration of an HTTP packet intercepted with Paros Proxy]
MITM is not only an attack technique: intercepting traffic in this way is also commonly used during the development of a web application and for web vulnerability assessments.
MITM Attack tools
There are several tools for carrying out a MITM attack. They are particularly effective in LAN environments because they implement extra functionality, such as ARP spoofing, that allows the interception of communication between hosts.
- PacketCreator
- Ettercap
- Dsniff
- Cain & Abel
MITM Proxy only tools
Proxy-only tools permit interaction with parts of the HTTP protocol, such as the header and the body of a transaction, but they cannot by themselves intercept the TCP connection between client and server. To intercept the communication, it is necessary to use other network attack tools or to configure the browser to send its traffic through the proxy.
- OWASP WebScarab
- Paros Proxy
- Burp Proxy
- ProxyFuzz
- Odysseus Proxy
- Fiddler (by Microsoft)
Thanks WIKI...
DEFINITION
Man-In-The-Middle attack is the type of attack where attackers intrude into an existing connection to intercept the exchanged data and inject false information. It involves eavesdropping on a connection, intruding into a connection, intercepting messages, and selectively modifying data.
MEMO
- MITM attack is also known as:
- Bucket-brigade attack
- Fire brigade attack
- Monkey-in-the-middle attack
- Session hijacking
- TCP hijacking
- TCP session hijacking
- Name Origin: The name "Man-in-the-Middle" is derived from the basketball scenario where two players intend to pass a ball to each other while a player between them tries to seize it. MITM attacks are sometimes referred to as "bucket brigade attacks" or "fire brigade attacks." Those names are derived from the fire brigade operation of putting out a fire by passing buckets from one person to another between the water source and the fire.[1]
Other Definitions
Wikipedia [2]
Javvin Technologies [3]
Man-in-the-Middle Attack (MITM) is a type of attack where a user gets between the sender and receiver of information and sniffs any information being sent.
Melani [4]
- Man-in-the-middle attacks (MITM)
- Attacks in which the attacker infiltrates the communication channel between two partners unnoticed and is thereby able to spy on or even modify their data exchanges.
OVERVIEW
Client  <<-Request-->>   MITM attacker   <<-Request-->>   Server
        ---Decrypt-->>                   ---Recrypt-->>
        <<-Response->>                   <<-Response->>
SCENARIOS
Public Key Exchanging
Command Injection
Malicious Code Injection
Downgrade Attacks - SSH V2 to V1
NOTE
- Downgrade Attacks - SSH V2 to V1: The term "Downgrade Attack" here refers to an attack that forces the victims to use the less secure features, functions or protocols which remain supported for backward-compatibility reasons. Downgrade attacks may cover SSH (Secure SHell), IPSEC (Internet Protocol SECurity), and PPTP (Point-to-Point Tunneling Protocol).
The SSH protocol is an encrypted network protocol with command-line access capabilities. SSH V1 (i.e., SSH Version 1, also known as "SSH-1" and "SSH1") has security flaws that may allow attackers to read data that is normally exchanged encrypted between the client and the server. SSH V2 made several security improvements over SSH V1, e.g., the Diffie-Hellman key exchange and integrity checking via message authentication codes. Although SSH V2 is preferred by most legitimate hosts, SSH V1 is still supported for the purpose of backward compatibility. In the downgrade attack scenario mentioned above, a MITM attacker can force the client and the server to use the vulnerable SSH V1 protocol before the encryption starts. [16]
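As an added defensive check (example code, not part of the original page or of any SSH implementation), the following Python audits SSH server identification strings for the backward-compatibility exposure described above: per RFC 4253 a server that advertises protoversion "1.99" still accepts SSH-1 clients, which is exactly what a downgrade relies on. The host names and banners are constructed for illustration.

```python
import re

# RFC 4253 sec. 5.1: "SSH-protoversion-softwareversion SP comments CR LF".
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

def parse_banner(raw: str):
    """Parse a server identification string; None if malformed or absent.

    Servers may send other text lines before the identification string,
    so only the first line starting with "SSH-" is considered.
    """
    for line in raw.splitlines():
        if line.startswith("SSH-"):
            m = _BANNER_RE.match(line)
            return m.groupdict() if m else None
    return None

def downgrade_status(raw: str) -> str:
    """Classify what the server advertises.

    "1.99" is the RFC 4253 compatibility value: the server speaks SSH-2 but
    still accepts SSH-1 clients; any other 1.x value means SSH-1 only.
    """
    parsed = parse_banner(raw)
    if parsed is None:
        return "unknown"
    proto = parsed["proto"]
    if proto == "1.99":
        return "ssh2-with-ssh1-fallback"
    if proto.startswith("1."):
        return "ssh1-only"
    return "ssh2-only"

# Constructed sample banners for illustration; not captured from real hosts.
SAMPLE_BANNERS = {
    "hostA": "SSH-2.0-OpenSSH_7.4\r\n",
    "hostB": "SSH-1.99-OpenSSH_3.9p1\r\n",
    "hostC": "SSH-1.5-LegacySSH\r\n",
    "hostD": "Welcome to hostD\r\nSSH-2.0-dropbear_2019.78\r\n",
    "hostE": "not an ssh server\r\n",
}

def audit(banners: dict) -> dict:
    """Return host -> status; anything other than ssh2-only needs attention."""
    return {host: downgrade_status(b) for host, b in banners.items()}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_BANNERS).items():
        print(f"{host}: {status}")
```

Hosts reported as anything but ssh2-only should have SSH-1 support removed server-side; the client-side counterpart is refusing protocol 1 entirely so a rewritten banner cannot force the fallback.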
Downgrade Attacks - IPSEC Failure
Downgrade Attacks - PPTP
NOTE
- PPTP: PPTP (Point-to-Point Tunneling Protocol) is a protocol for VPN implementation. Microsoft MSCHAP-V2 or EAP-TLS is used to authenticate PPTP connections. The EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is certificate based, and thus is a safer security option for PPTP than MSCHAP-V2. [17]
MITM TECHNIQUES [6]
- Local Area Network
- From Local To Remote (through a gateway)
- Remote
Local Area Network
- ARP spoofing
- Briefing: ARP (Address Resolution Protocol) spoofing is also known as "ARP poisoning" or ARP Poison Routing. The attacker may use ARP spoofing to sniff data frames on the LAN and to modify the packets. The attacker may corrupt the ARP caches of directly connected hosts and finally take over the IP address of the victim host.
- Tools used:
- ARPoison is a UNIX command-line tool that can be used to create spoofed ARP packets.
- Ettercap can be used for filtering, hijacking, poisoning and sniffing, including SSH v.1 sniffing (transparent attack).
- Dsniff can be used for poisoning and sniffing, including SSH v.1 sniffing (proxy attack).
- Parasite is a daemon used to watch a LAN for ARP requests and automatically send spoofed ARP replies.
- DNS spoofing
- Briefing: The attacker starts by sniffing the ID of any DNS request, and then replies to the target requests before the real DNS server.
- Tools used:
- ADM DNS spoofing tools can spoof DNS packets via various active and passive methods.
- Ettercap (Plugin needed: phantom plugin)
- Dsniff (dnsspoof)
- Zodiac can be used for DNS name server versioning, DNS local spoofing (answering DNS queries before the remote name server), DNS jizz spoofing, and DNS ID spoofing.
- IP address spoofing
- Briefing: The attacker creates IP packets with a forged source IP address in order to conceal the identity of the packet sender or to impersonate another computer system. (This method of attack on a remote system can be very difficult, because it involves modifying thousands of packets at a time. This type of attack is most effective where trust relationships exist between endpoints.)
- Tools used:
- Hping can be used to prepare spoofed IP datagrams with only a one-line command, and the attacker can send the prepared datagrams to almost any target victim.
- Spoofed IP
- Port stealing
- Briefing: The term "Port Stealing" refers to the MITM technique used to spoof the switch forwarding database (FDB) and usurp the switch port of the victim host for packet sniffing on Layer 2 switched networks. The attacker starts by flooding the switch with forged ARP packets that carry the same source MAC address as the victim host and the same destination MAC address as the attacker host. Note that those packets are invisible to other hosts on the same network. Since the victim host is also sending packets to the switch at the same time, the switch receives packets containing the same source MAC address from two different ports. Therefore, the switch repeatedly alters the MAC address binding to one port or the other, based on the information in the packets. If the attacker's packets are faster, the switch sends the attacker the packets intended for the victim host. The attacker then sniffs the received packet, stops flooding, and sends an ARP request for the victim's IP address. After receiving the ARP reply from the victim host, the attacker forwards the "stolen" packet to the victim host. Finally, the flooding is launched again for another attack cycle. [18]
- Tools used:
- Ettercap (Plugin needed: Confusion plugin)
- STP mangling
- Briefing: STP (Spanning-Tree Protocol) mangling refers to the technique by which the attacker host gets elected as the new root bridge of the spanning tree. The attacker may start either by forging BPDUs (Bridge Protocol Data Units) with a high priority, claiming to be the new root, or by broadcasting STP Configuration/Topology Change Acknowledgement BPDUs to get his host elected as the new root bridge. By taking over the root bridge, the attacker is able to intercept most of the traffic.
- Tools used:
- Ettercap (Plugin needed: Lamia plugin)
- Yersinia
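The ARP spoofing technique described in this list is what arpwatch-style monitoring detects from the victim's side of the wire. As an added example (not from the original page or from any of the tools listed), the following Python runs that detection over a constructed sequence of ARP frames: it flags an IP address whose MAC binding changes, one MAC claiming several IP addresses (the footprint of a host posing as both the gateway and its victim), and replies for which no request was seen. The gateway address and all frames are constructed assumptions.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumption: the segment's known default gateway

def detect_arp_poisoning(frames, known=None):
    """Return alert strings; `known` seeds trusted IP -> MAC bindings.

    Each frame is a dict with the ARP fields op ("request"/"reply"),
    spa (sender IP), sha (sender MAC) and tpa (target IP).
    """
    bindings = dict(known or {})     # ip -> mac most recently claimed
    ips_per_mac = defaultdict(set)   # mac -> set of IPs it has claimed
    pending = set()                  # IPs for which a request was seen
    alerts = []
    for f in frames:
        if f["op"] == "request":
            pending.add(f["tpa"])
            continue
        ip, mac = f["spa"], f["sha"].lower()
        # Gratuitous ARP is legitimate, so on its own this is a weak signal.
        if ip in pending:
            pending.discard(ip)
        else:
            alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        prev = bindings.get(ip)
        if prev and prev != mac:
            what = "gateway" if ip == GATEWAY_IP else "host"
            alerts.append(f"{what} {ip} changed {prev} -> {mac}")
        bindings[ip] = mac
        if ip not in ips_per_mac[mac]:
            ips_per_mac[mac].add(ip)
            if len(ips_per_mac[mac]) > 1:
                alerts.append(f"{mac} claims {sorted(ips_per_mac[mac])}")
    return alerts

# Constructed sample frames (not a real capture): a normal request/reply
# for the gateway, then one MAC claiming both the gateway and the victim.
SAMPLE_FRAMES = [
    {"op": "request", "spa": "192.168.1.10", "sha": "aa:aa:aa:aa:aa:10", "tpa": "192.168.1.1"},
    {"op": "reply", "spa": "192.168.1.1", "sha": "00:11:22:33:44:01", "tpa": "192.168.1.10"},
    {"op": "reply", "spa": "192.168.1.1", "sha": "de:ad:be:ef:00:ee", "tpa": "192.168.1.10"},
    {"op": "reply", "spa": "192.168.1.10", "sha": "de:ad:be:ef:00:ee", "tpa": "192.168.1.1"},
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_FRAMES):
        print(alert)
```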
From Local To Remote (through a gateway)
- ARP poisoning
- DNS spoofing
- DHCP spoofing (e.g., spoofing the DHCP server): an attack on the DHCP service that hands out attacker-chosen IP configuration using spoofed DHCP messages
- Gateway spoofing (usually, spoofing the default gateway)
- ICMP redirection
- IRDP spoofing - route mangling
Remote
- DNS poisoning
- Route mangling
- Traffic tunneling
TOOLS
Ettercap [7]
- Tool Name: Ettercap
- Current Version: NG-0.7.3 (Release Date: May 29, 2005)
- Developer: Alberto Ornaghi, Marco Valleri
- Platform/OS:
- FreeBSD 4.x 5.x;
- Linux 2.0.x, 2.2.x, 2.4.x, 2.6.x;
- Microsoft Windows 2000/XP/2003;
- NetBSD 1.5;
- OpenBSD 2.[789], 3.x;
- OS X (darwin 6.x, 7.x);
- Solaris 2.x.
- Commercial or Freeware: Freeware
- URL: ettercap.sourceforge.net
- Briefing: Ettercap is a multipurpose hacking suite for the switched LAN environment. As a LAN-based sniffer, interceptor and logger, its main features are live-connection sniffing and content filtering on the fly. It supports active and passive dissection of many protocols (even encrypted ones) and includes some functionality for network and host analysis. Ettercap can be used to launch a MITM attack via ARP poisoning or port stealing.
Dsniff [8]
- Tool Name: Dsniff
- Current Version: 2.3 (Release Date: December 19, 2000)
- Developer: Dug Song
- Platform/OS:
- OpenBSD (i386);
- Redhat Linux (i386);
- Solaris (sparc).
- Commercial or Freeware: Freeware
- URL: www.monkey.org/~dugsong/dsniff
- Briefing: Dsniff is described as a tool suite developed for network auditing and penetration testing, but an attacker can use it for SSL MITM attacks. Its components "dsniff", "filesnarf", "mailsnarf", "msgsnarf", "urlsnarf", and "webspy" can be used to passively monitor a network for sensitive data (e-mail, files and passwords). Other components such as "arpspoof", "dnsspoof", and "macof" allow the attacker to intercept network packets that would normally be unavailable to him. Its components "sshmitm" and "webmitm" may help the attacker launch active man-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.
Yersinia [19]
- Tool Name: Yersinia
- Current Version: 0.7.1 (Release Date: May 8, 2007)
- Developer: Alfredo Andrés Omella (Slay), David Barroso Berrueta (tomac)
- Platform/OS:
- Linux 2.4.x and 2.6.x;
- Mac OSX 10.4 Tiger (Intel);
- OpenBSD 3.4 (note: upgrade your pcap libraries to at least 0.7.2);
- Solaris 5.8 64bits SPARC.
- Commercial or Freeware: Freeware
- URL: www.yersinia.net
- Briefing: Yersinia takes its name from the bacteria "Yersinia pestis." It can be used to exploit the vulnerabilities of the following network protocols: STP, CDP, DTP, DHCP, HSRP, IEEE 802.1Q, IEEE 802.1X, ISL (Inter-Switch Link Protocol), and VTP (VLAN Trunking Protocol).
Yersinia supports multithreading: multiple users and multiple attacks per user. It has three main modes: command line, network client and ncurses GUI. The attacker can use it to listen to the network, sniff packets, edit protocol fields, intercept network data in pcap format, analyze captured packets and replay them with the attacker's modifications.
FOLLOW-UP: RISK SHEET
RISK SHEET
# | AUTHENTICATION SOLUTION | MITM RISKS
1 | EAP-MD5 | On public Ethernets or wireless LANs, station identities and password hashes can be easily sniffed. EAP-MD5 does not provide mutual authentication or EAP server authentication, so MITM attackers may pose as access points to deceive legitimate users into authenticating to the rogue AP. [9] [13]
2 | EAP-TTLS | Systems protected by EAP-TTLS are still vulnerable to MITM attacks because user passwords are more easily guessed, shared, or disclosed via social engineering than client-side certificates. [9]
3 | LEAP | Systems protected by LEAP are still vulnerable to MITM attacks. [11]
4 | PEAP | Systems protected by PEAP are still vulnerable to MITM attacks. [9]
5 | Key Fobs and One Time Password (OTP) tokens | Token-based and smart-card-based OTP systems are vulnerable to MITM attacks. Attackers may hijack online sessions by deceiving legitimate users into providing one-time PINs produced by tokens or smart cards. [10] [12] Risk Level: MEDIUM [12]
6 | SSL | Credentials can sometimes be stolen in a MITM attack using a proxy server. Risk Level: LOW [12]
NOTE
- EAP: Extensible Authentication Protocol
- LEAP: Lightweight Extensible Authentication Protocol
- PEAP: Protected Extensible Authentication Protocol
- TTLS: Tunneled Transport Layer Security