Man in the Middle Attack

A man-in-the-middle attack (MITM) is an attack where the attacker secretly positions himself between a user and an application and possibly alters the communications between the two believing they are directly communicating with each other.

The attack usually tries to steal personal information, such as login credentials, account details and credit card information etc. and could be used for many purposes, including identity theft, unapproved fund transfers or password change.

Interactions Susceptible to MITM Attacks

• Financial sites — between login and authentication
• Connections meant to be secured by public or private keys
• Other sites that require logins — where there is something to be gained by having access

How MITM works?

It works in two phases, Interception and decryption.

The attacker intercepts the user traffic through IP Spoofing, ARP Spoofing or DNS spoofing and then he decrypts the SSL traffic without any alterations through various methods like HTTPS Spoofing, SSL Beast, SSL Hijacking, SSL Stripping.

Let us now understand it in detail.

INTERCEPTION

The first step intercepts user traffic through the attacker’s network before it reaches its intended destination.

• IP spoofing involves an attacker disguising himself as an application by altering packet headers in an IP address. As a result, users attempting to access a URL connected to the application are sent to the attacker’s website.
• ARP spoofing is the process of linking an attacker’s MAC address with the IP address of a legitimate user on a local area network using fake ARP messages. As a result, data sent by the user to the host IP address is instead transmitted to the attacker.
• DNS spoofing involves infiltrating a DNS server and altering a website’s address record. As a result, users attempting to access the site are sent by the altered DNS record to the attacker’s site.

DECRYPTION

After interception, any two-way SSL traffic needs to be decrypted without alerting the user or application.

• HTTPS spoofing sends a phony certificate to the victim’s browser once the initial connection request to a secure site is made. It holds a digital thumbprint associated with the compromised application, which the browser verifies according to an existing list of trusted sites. The attacker is then able to access any data entered by the victim before it’s passed to the application.
• SSL BEAST (browser exploit against SSL/TLS) targets a TLS version 1.0 vulnerability in SSL. Here, the victim’s computer is infected with malicious JavaScript that intercepts encrypted cookies sent by a web application. Then the app’s cipher block chaining (CBC) is compromised so as to decrypt its cookies and authentication tokens.
• SSL hijacking occurs when an attacker passes forged authentication keys to both the user and application during a TCP handshake. This sets up what appears to be a secure connection when, in fact, the man in the middle controls the entire session.
• SSL stripping downgrades a HTTPS connection to HTTP by intercepting the TLS authentication sent from the application to the user. The attacker sends an unencrypted version of the application’s site to the user while maintaining the secured session with the application. Meanwhile, the user’s entire session is visible to the attacker.

How to prevent MITM attack?

• Always use a VPN
• Get a good antivirus
• Strong WEP/WAP encryption on access points
• Refrain from connecting to public wi-fi that are not password protected
• If connected to any public network, it is advisable not to perform any financial transaction
• Pay close attention to any alerts or warning messages that website is insecure
• Log out of any application when not in use
• Make sure URL of application you visit start with HTTPS
• Two factor authentication