
Man-in-the-Middle

Man-in-the-Middle [MITM] attacks have become more common in the past decade, because attackers can often reach a complicated system by the simple means of intercepting its traffic. In PasswordAnalytics we discuss MITM because it is one of the ways attackers capture passwords sent over the wire. There are several ways to achieve the same MITM effect. Some of them include [and are not limited to]:

  • Session hijacking (taking over an authenticated application session, typically by stealing or guessing its session ID)
  • TCP (session) hijacking (taking over an established TCP connection by supplying the sequence numbers the peer expects)
  • ARP spoofing (sending forged ARP replies on the local network)
  • ARP cache poisoning (the result of ARP spoofing; the two terms are often used interchangeably)
  • IP spoofing (sending packets with a forged source address)

MITM has several other names, depending on the situation and scenario of the attack; among them are bucket-brigade attack and monkey-in-the-middle attack. MITM can be achieved at various layers of the OSI model. One way is to poison the ARP table. ARP, the Address Resolution Protocol, sits between the link layer and the network layer (it is usually described as a Data-link layer protocol in the OSI model and is carried directly in Ethernet frames) and maps an IP address to the corresponding physical (Ethernet/MAC) address. Because hosts accept ARP replies without any authentication, an attacker on the same LAN can send forged replies that map the IP address of the gateway (or of any other host) to the attacker's own Ethernet address. Once the victims' ARP caches are poisoned, their packets are delivered to the attacker's system, which then forwards them to the real destination so that nobody notices; an attacker who does not forward causes a denial of service rather than an interception.
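The symptom described above, one Ethernet address suddenly answering for IP addresses that belong to other hosts, is something a defender on the LAN can watch for. The following is an added example written for this page, not code from PasswordAnalytics or EvilFingers. The ARP replies, the baseline mapping and the addresses are all constructed; in practice the replies would come from a sniffer on the segment or from periodic dumps of the local ARP cache.

```python
"""
Added example (not from the original page): detecting the symptom of ARP
cache poisoning, i.e. one MAC address claiming IP addresses that belong to
other hosts, in particular the default gateway. All sample data below is
constructed for the example.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class ArpReply(NamedTuple):
    t: float         # observation time (seconds)
    sender_ip: str   # IP the reply claims to own
    sender_mac: str  # MAC it wants cached for that IP


# Hypothetical known-good mapping, e.g. recorded on a trusted day or taken
# from the DHCP server's lease table.
BASELINE: Dict[str, str] = {
    "192.168.1.1":  "00:11:22:33:44:01",   # default gateway
    "192.168.1.10": "00:11:22:33:44:0a",   # Alice
    "192.168.1.20": "00:11:22:33:44:14",   # Bob
}
GATEWAY_IP = "192.168.1.1"


def detect_poisoning(replies: List[ArpReply],
                     baseline: Dict[str, str],
                     gateway_ip: str) -> List[str]:
    """Return human-readable alerts for replies that look like poisoning.

    Two checks are made:
      1. a sender MAC that differs from the baseline MAC for that IP;
      2. a single MAC that claims more than one IP address (the attacker
         mapping other hosts' IP addresses to his own Ethernet address),
         flagged loudly when one of those IPs is the gateway.
    """
    alerts: List[str] = []
    ips_by_mac: Dict[str, Set[str]] = defaultdict(set)

    for r in replies:
        mac = r.sender_mac.lower()
        ips_by_mac[mac].add(r.sender_ip)
        expected = baseline.get(r.sender_ip)
        if expected is not None and expected.lower() != mac:
            alerts.append(
                f"t={r.t:.0f}: {r.sender_ip} changed from {expected} "
                f"to {mac} (possible ARP spoofing)")

    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            severity = "GATEWAY impersonated" if gateway_ip in ips else "multiple IPs"
            alerts.append(f"{mac} claims {sorted(ips)} ({severity})")
    return alerts


# Constructed traffic: normal replies, then 4tt4ck3r's MAC answering for
# both the gateway and Alice (the classic two-sided poisoning).
SAMPLE_REPLIES = [
    ArpReply(0.0,  "192.168.1.1",  "00:11:22:33:44:01"),
    ArpReply(0.5,  "192.168.1.10", "00:11:22:33:44:0a"),
    ArpReply(1.0,  "192.168.1.20", "00:11:22:33:44:14"),
    ArpReply(30.0, "192.168.1.1",  "de:ad:be:ef:00:01"),  # attacker -> Alice
    ArpReply(30.1, "192.168.1.10", "de:ad:be:ef:00:01"),  # attacker -> gateway
]


def run_sample() -> List[str]:
    return detect_poisoning(SAMPLE_REPLIES, BASELINE, GATEWAY_IP)


if __name__ == "__main__":
    for line in run_sample():
        print("ALERT", line)
```

The baseline check catches the moment a cached mapping flips; the second check works even without a baseline, because a legitimate host rarely answers for more than one address while an attacker relaying between two victims must answer for both.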

MITM is also possible at the Transport layer of the OSI stack. The attacker intercepts right from the TCP 3-way handshake by pretending to be someone else. If you [Alice] are communicating with Bob and I [4tt4ck3r] want to intercept your session, I pretend to you [Alice] that I am Bob and pretend to Bob that I am you. An attacker can also hijack a connection that is already established: to inject a segment that Bob will accept as coming from Alice, the attacker must supply the sequence and acknowledgement numbers Bob expects, which means either sniffing them from the wire or, in a blind attack from off the path, predicting them from a weak initial sequence number (ISN) generator. At the application layer the equivalent is session hijacking, where the attacker steals or guesses the session ID that identifies an authenticated user. There are other ways to achieve the same result, depending on the attacker's motivation and skill level.
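The following added example (written for this page, not code from the original) shows why the blind variant depends on the ISN being unpredictable. The two generators are simplified stand-ins: a "legacy" one that adds a fixed step per connection, and a randomized one; the step size, seed and trial count are arbitrary choices for the example.

```python
"""
Added example (not from the original page): blind TCP hijacking succeeds
or fails depending on whether the server's initial sequence numbers can be
predicted. Both generators are simplified models written for this example.
"""
import secrets
from typing import List

STEP = 64_000       # fixed per-connection increment of the legacy generator
MASK = 0xFFFFFFFF   # TCP sequence numbers are 32-bit


class LegacyIsn:
    """Predictable stand-in: every new connection gets the previous ISN + STEP
    (old BSD-derived stacks incremented the ISN by a constant)."""
    def __init__(self, seed: int = 0x12345678) -> None:
        self.current = seed & MASK

    def next_isn(self) -> int:
        self.current = (self.current + STEP) & MASK
        return self.current


class RandomIsn:
    """Unpredictable stand-in: 32 fresh bits from the OS CSPRNG per connection.
    RFC 6528 instead derives the ISN from a keyed hash of the connection
    4-tuple plus a clock; for an off-path attacker the effect is the same."""
    def next_isn(self) -> int:
        return secrets.randbits(32)


def predict_next(observed: List[int]) -> int:
    """Attacker's model: the increment between the last two ISNs seen (from two
    probe connections the attacker opened himself) will repeat."""
    delta = (observed[-1] - observed[-2]) & MASK
    return (observed[-1] + delta) & MASK


def blind_hijack_hits(gen, trials: int = 20) -> int:
    """Simulate `trials` blind spoofing attempts against a server using `gen`.

    For each attempt the attacker opens two probe connections, predicts the
    ISN the server will hand to the spoofed "Alice" connection, and wins if
    the prediction equals the ISN actually issued: that is the value he needs
    to ACK a SYN/ACK he never sees and then inject data as Alice.
    """
    hits = 0
    for _ in range(trials):
        probes = [gen.next_isn(), gen.next_isn()]
        guess = predict_next(probes)
        alice_isn = gen.next_isn()
        if guess == alice_isn:
            hits += 1
    return hits


if __name__ == "__main__":
    print("legacy generator: predicted", blind_hijack_hits(LegacyIsn()), "of 20")
    print("random generator: predicted", blind_hijack_hits(RandomIsn()), "of 20")
```

Against the legacy generator every attempt succeeds; against the randomized one the attacker is guessing one value in 2^32, which is why OS vendors are the ones who must fix this, not the user choosing a password.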

In all these cases the attacker has inserted himself into a conversation between two parties who assume they are talking to each other and that no one else is listening. This is where MITM affects passwords too: often the parties in these conversations are not people sitting on the network but protocols, or the software implementing those protocols, talking to each other while the attacker intercepts. Once the attacker holds the password he no longer has to sit and listen or intercept. He can initiate his own session by authenticating as the other person, which generally takes a user name [sent in clear text in most cases] and a password [the intercepted value]. Think of the various things an attacker can do once he has your FTP account on your web server or the password to your bank account. The severity in general depends on what the attacker can do once he has that access. You might think that if you keep a strong password [as discussed in the Good Passwords section] you are good to go. The answer is: No! No matter how strong your password is, if the protocol or its implementation is weak (for example, if the credentials travel in clear text, or if the client does not verify whom it is really talking to), you are liable to lose your credentials to a skillful attacker who has figured out the weaknesses in the protocol or its implementation.
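To make the point concrete, here is an added example (written for this page, not code from the original) of what the interceptor actually sees once on the path. Two constructed captures, an FTP login and an HTTP request with Basic authentication, are fed to a small credential extractor; a third constructed capture stands in for the same login carried over TLS. The user names, passwords and host names are invented, and the FTP capture merges both directions of the session into one stream for brevity.

```python
"""
Added example (not from the original page): extracting credentials from
clear-text protocol traffic. All captures below are constructed, not real.
"""
import base64
import re
from typing import Dict, List, Optional


def extract_credentials(payload: bytes) -> List[Dict[str, str]]:
    """Pull user name / password pairs out of a reassembled TCP payload.

    Handles two clear-text protocols:
      * FTP:  'USER <name>' followed later by 'PASS <password>'
      * HTTP: 'Authorization: Basic <base64(name:password)>'
    Returns one dict per credential found; unknown or encrypted bytes
    simply yield nothing. Password strength plays no role here: the value
    is read off the wire exactly as the user typed it.
    """
    found: List[Dict[str, str]] = []
    text = payload.decode("latin-1")   # lossless for arbitrary bytes
    pending_user: Optional[str] = None

    for line in text.splitlines():
        m = re.match(r"USER (\S+)\s*$", line)
        if m:
            pending_user = m.group(1)
            continue
        m = re.match(r"PASS (.*?)\s*$", line)
        if m and pending_user is not None:
            found.append({"proto": "ftp", "user": pending_user,
                          "password": m.group(1)})
            pending_user = None
            continue
        m = re.match(r"Authorization:\s*Basic\s+(\S+)", line, re.IGNORECASE)
        if m:
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue   # malformed header, not a usable credential
            user, _, pw = decoded.partition(":")
            found.append({"proto": "http-basic", "user": user, "password": pw})
    return found


# Constructed captures (not real traffic); both directions merged.
FTP_CAPTURE = (
    b"220 (vsFTPd 3.0.3)\r\n"
    b"USER webmaster\r\n"
    b"331 Please specify the password.\r\n"
    b"PASS Tr0ub4dor&3-is-still-readable\r\n"
    b"230 Login successful.\r\n"
)
HTTP_CAPTURE = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Authorization: Basic "
    + base64.b64encode(b"alice:correct horse battery staple") + b"\r\n"
    b"\r\n"
)
# A TLS application-data record header followed by constructed opaque
# bytes standing in for ciphertext: the same login over HTTPS gives the
# interceptor nothing to parse.
TLS_CAPTURE = b"\x17\x03\x03\x00\x20" + bytes(range(0x20))


if __name__ == "__main__":
    for name, cap in (("ftp", FTP_CAPTURE), ("http", HTTP_CAPTURE), ("tls", TLS_CAPTURE)):
        print(name, extract_credentials(cap))
```

The extractor is deliberately simple; real sniffers do the same job across dozens of protocols, which is why the only effective fix is on the protocol side rather than in the password itself.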

Countermeasures can only be provided by the people who create and test the services, which is most often the service providers. Service providers should ensure that their session IDs are not easily guessable (long, random, and bound to an encrypted transport). Operating System [OS] vendors should ensure that TCP initial sequence numbers are not easily guessable. Other vendors and service providers who create tools [based on RFCs] for specific protocols should ensure the safety and security of the users who rely on them to access critical data; in practice this means carrying credentials only over an encrypted channel that authenticates the server, such as TLS or SSH, so that an interceptor sees ciphertext and cannot pass himself off as the other end. There are several standards, compliance regimes and controls in place from several certifying authorities. You as an individual should take precautionary measures by reading the paperwork and determining whether your service provider or vendor follows the rules and regulations listed in these standards, and whether they are certified by the certifying authorities for doing so. There is one more thing you as a user should definitely do in order to question these vendors or service providers: keep yourself educated and up to date with the security issues and aspects of all the products and services you use. We are here to help you with the self-education and knowledge-sharing aspects of information security.
