A “Man-in-the-Middle Attack” (or MITM for short) is a common type of cyber security attack in which an attacker eavesdrops on the communication between two parties. The attack takes place somewhere between the two communicating hosts, and the attacker is able to “hear” conversations that they would not normally be able to hear. The name “man in the middle” comes from that position.
Let’s take a simple example: Alice and Bob are talking. Eve wants to eavesdrop on the conversation without being noticed. Eve tells Alice that she is Bob and tells Bob that she is Alice. Alice then believes she is talking to Bob, but in fact reveals her side of the conversation to Eve. Eve can gather the information she needs, alter the replies, and pass the messages on to Bob (who likewise believes he is talking to Alice). As a result, Eve has secretly intercepted the whole conversation between the two.
Types of man-in-the-middle attacks
Rogue Access Point
Devices equipped with wireless cards usually try to connect automatically to the access point that transmits the strongest signal. An attacker can set up their own wireless access point and trick nearby devices into joining it. From then on, all of the victim’s network traffic passes through, and can be manipulated by, the attacker. This is dangerous because the attacker does not even need access to a trusted network to do the job; physical proximity is enough.
ARP Spoofing
ARP stands for Address Resolution Protocol. It is used on a local network to map an IP address to a physical MAC address. When a host needs to talk to another host with a given IP address, it consults its ARP cache for the matching MAC address. If the address is not cached, it broadcasts a request asking the device that has that IP address to reply with its MAC address.
An attacker who wants to impersonate a host can answer such requests with their own MAC address. With a few well-placed packets, the attacker can sniff the private traffic between two hosts and extract valuable information from it, such as session tokens that give the attacker full access to application accounts.
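The impersonation described above shows up on the wire as the same IP address being claimed by more than one MAC address, or one MAC address answering for several IPs. The following detector is an added example, not code from the original article; it runs over a constructed list of observed ARP replies (hypothetical addresses) and raises the alerts a network defender would want, with the gateway treated as highest priority.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a passive LAN sensor might record them:
# (sender IP, sender MAC). The gateway 192.168.1.1 is first announced by one MAC,
# then a second MAC starts answering for it, and that same MAC also claims a workstation.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate
    ("192.168.1.20", "aa:bb:cc:00:00:20"),  # workstation, legitimate
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway again, unchanged
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # gateway now claimed by a different MAC
    ("192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC also claims the workstation
]


def detect_arp_conflicts(replies, gateway_ip=None):
    """Return alert strings for IP->MAC changes and for MACs that answer for several IPs."""
    ip_to_mac = {}                  # first MAC observed for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.setdefault(ip, mac)
        if prev != mac:
            # A changed mapping for the gateway is the classic sign of traffic being redirected.
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"{severity}: {ip} changed from {prev} to {mac}")
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(f"MEDIUM: {mac} answers for {len(ips)} IPs: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_conflicts(SAMPLE_ARP_REPLIES, gateway_ip="192.168.1.1"):
        print(alert)
```

A legitimate MAC change does occur when a NIC is replaced or a router fails over, so alerts from this check should be correlated with change records before being treated as an attack.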
mDNS Spoofing
Multicast DNS (mDNS) is very similar to DNS, but it runs on local area networks (LANs) that use ARP. This makes it a good target for spoofing attacks. Local name resolution is meant to greatly simplify the configuration of network devices: users do not need to know the exact addresses of their systems in order to communicate, because the system does that work for them.
Devices such as televisions, printers, and entertainment systems use this protocol because they typically connect to trusted networks. When an application asks for the address of a particular device, such as a TV, an attacker can answer the request with false information and supply an address that he or she controls. Because devices keep a local cache of addresses, the victim device now treats the attacker’s device as the trusted system.
DNS Spoofing
Just as ARP maps IP addresses to MAC addresses, DNS maps domain names to IP addresses. In a DNS spoofing attack, the attacker poisons the host’s DNS cache so that a domain name resolves to a different host. The victim then sends sensitive information to the malicious host while believing it is reaching a trusted one. An attacker who has already successfully spoofed an IP address can easily spoof DNS as well, by mapping the DNS server’s address to his or her own.
Man-in-the-middle attack techniques
Sniffing
Attackers can use packet capture tools to inspect packets at a low level. With special wireless devices that can be put into monitor mode, an attacker can see packets that are not meant for them, such as packets addressed to other hosts.
Packet Injection
An attacker can also use a device in monitor mode to inject malicious packets into a data stream. These packets blend in with the legitimate data stream but are malicious in nature. Packet injection usually involves sniffing first, to learn how packets are formed and sent.
Session Hijacking
Most web applications use a login mechanism that creates a temporary session key, so that the user does not have to re-enter their password on every page. An attacker can monitor traffic, obtain a user’s session key, and then send requests to the application as that user. Once the session key is obtained, the attacker no longer needs to forge anything else.
How are man-in-the-middle attacks detected?
Without the right measures, a man-in-the-middle attack can be difficult to spot. If you do not actively look for interference with network communication, the attack will remain hidden until it is too late. Using proper authentication mechanisms and some form of tamper detection is usually the best way to identify potential attacks.
The most important thing is to put measures in place that prevent man-in-the-middle attacks before they occur, rather than trying to identify them while they are taking place. Here are some approaches that will protect you and your conversations well against such attacks.
Strong WEP / WPA encryption on access points
Strong encryption on wireless access points prevents anyone from joining your network merely because they are physically nearby. A weak encryption mechanism lets an attacker use “brute force” to get onto the network and start a man-in-the-middle attack. The stronger the encryption mechanism, the more secure you are.
Better login credentials on the router
It is very important to change the router’s default login credentials. This is not just about the WiFi password; the router’s administrative login matters too. An attacker who obtains your router login credentials can change its DNS servers to his or her own malicious servers, or, worse, infect the router itself with his or her malicious software of choice.
Virtual Private Network
A Virtual Private Network (VPN) creates a secure tunnel for your sensitive information across the local network. VPNs use key-based encryption to make communication more secure, so even if an attacker manages to intercept traffic on a shared network, he or she cannot read the VPN traffic.
HTTPS
HTTPS provides secure communication over HTTP using a public/private key exchange. This prevents an attacker from making use of sniffed data. Websites should use HTTPS only and not offer an HTTP alternative. Users can also install browser plug-ins that force HTTPS on their requests.
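The session-key theft described under the attack techniques and the HTTPS advice above meet in the HTTP response: a session cookie without the Secure flag travels over plain HTTP where a sniffer can read it, and without Strict-Transport-Security a browser may still be talked into HTTP. The audit below is an added example, not code from the original article; it checks two constructed responses (a weak one and a hardened one, with a placeholder token) for exactly those defences.

```python
# Constructed sample responses, not captured from any real site. The first is what an
# application that sets a session cookie without protection typically sends; the second
# is the hardened form: HSTS plus Secure, HttpOnly and SameSite on the session cookie.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=constructed-example-token; Path=/
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sessionid=constructed-example-token; Path=/; Secure; HttpOnly; SameSite=Lax
"""

# Cookie names commonly used for session keys (assumed list; extend for your application).
SESSION_NAMES = ("sessionid", "phpsessid", "jsessionid", "session")


def parse_headers(raw):
    """Split a raw response into (name, value) pairs, lower-casing names and skipping the status line."""
    headers = []
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_response(raw):
    """Return findings: missing HSTS and session cookies that a sniffer or script could steal."""
    headers = parse_headers(raw)
    findings = []
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security header: browser may still use plain HTTP")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip().lower()
        if cookie_name not in SESSION_NAMES:
            continue
        # Attribute names after the first ';' (Path, Secure, HttpOnly, SameSite=...).
        attrs = {part.strip().split("=")[0].lower() for part in value.split(";")[1:]}
        for flag, why in (("secure", "sent over plain HTTP, readable by a sniffer"),
                          ("httponly", "readable by page scripts"),
                          ("samesite", "sent on cross-site requests")):
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} lacks {flag}: {why}")
    return findings
```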