
Defend Yourself against different techniques of MiTM attacks

  • Ashesh Anand
  • Dec 01, 2022

In the digital realm, obtaining sensitive information and impersonating someone else are common goals of attackers. These goals can be the focus of numerous attacks, including DDoS and specific malware. Naturally, Internet protocols have developed over time to prevent issues of this nature, employing, for instance, cryptography to safeguard communications.

However, as prevention and mitigation techniques improved, so did the attacks. In this setting, the man-in-the-middle (MITM) attack has become a pertinent attack. In a man-in-the-middle attack, the attacker poses to each party as the other end of the conversation while actually sitting between them. This allows the attacker to intercept messages and read their content.

In this blog, we'll examine how man-in-the-middle attacks actually operate.

 

 

Man-in-the-Middle attacks: What are they?

A "man in the middle" attack occurs when someone eavesdrops on a conversation between two parties and frequently modifies it by injecting their own content. Although the messages appear to come from the two participants, they are actually being created by the attacker.

A man-in-the-middle cyberattack occurs when an attacker listens in on the communication between two targets. The conversation "listened" to by the attacker may be between two people, two systems, or a person and a system.

A MITM attack aims to gather personal information, banking details, or passwords from the victim, and often also to persuade them to take certain actions, such as updating their login credentials, completing a transaction, or starting a money transfer.

Although MITM attacks frequently target individuals, they are also a major threat to companies and other large organizations. Software-as-a-service (SaaS) applications, such as messaging services, file storage systems, or remote work apps, are one typical entry point for attackers.

By using these applications as a gateway into the firm's wider network, attackers could expose any number of assets, including client data, intellectual property (IP), or confidential information about the company and its workers.

A MITM attack can also be employed in the infiltration phase of an advanced persistent threat (APT) to get inside a guarded perimeter. A MITM attack is much like having your mailman open your bank statement, note your account details, then reseal the envelope before delivering it to your house.

 


 

 

Types of Man-in-the-Middle Attacks:

  • Rogue Access Point:

Wireless-enabled devices frequently attempt to connect automatically to the access point with the strongest signal. Attackers can set up their own rogue wireless access point and entice nearby devices to join it.

The attacker can now control all network traffic coming from the victim. This is risky because all an attacker needs to do is be physically close enough to the target; they don't even need to be on a trusted network.

 

 

  • ARP Spoofing:

ARP stands for Address Resolution Protocol. On a local area network it is used to translate IP addresses into physical MAC (media access control) addresses.

When a host needs to communicate with another host at a specific IP address, it consults its ARP cache to convert the IP address to a MAC address. If the address is unknown, it broadcasts a request for the MAC address of the device holding that IP address.

An attacker that wants to pass for another host can answer requests it should not be handling with its own MAC address. With some carefully crafted packets, the attacker can then sniff the private traffic between two hosts. The attacker should not be able to log in to application accounts directly, but valuable information carried in that traffic, such as session tokens being exchanged, can be collected and gives the attacker full access.
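The defensive counterpart of the behaviour just described is to watch the IP-to-MAC bindings a segment advertises and alert when they change. The following is an added example written for this article, not code from the original post: it parses ARP reply lines in a constructed, tcpdump-like format (the addresses and MACs are made up), remembers the first MAC seen for every IP, and flags any later reply that claims a different MAC for that IP or that makes one MAC answer for several IPs.

```python
"""Detect ARP spoofing from captured ARP replies.

Added example, not code from the original article. It keeps the first
IP-to-MAC binding learned for every address and raises an alert when a later
reply claims a different MAC for a known IP, or when one MAC starts answering
for several IPs. The capture lines below are constructed in a tcpdump-like
format for illustration.
"""
import re
from collections import defaultdict

# Constructed sample capture: a gateway and a client answer normally, then a
# third MAC (the would-be man in the middle) claims both of their addresses.
SAMPLE_CAPTURE = """\
ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:01, length 28
ARP, Reply 192.168.1.10 is-at aa:bb:cc:dd:ee:10, length 28
ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:99, length 28
ARP, Reply 192.168.1.10 is-at aa:bb:cc:dd:ee:99, length 28
ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:01, length 28
"""

REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})", re.IGNORECASE)


def parse_replies(text):
    """Yield (ip, mac) pairs from ARP reply lines; other lines are skipped."""
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


class ArpWatch:
    """Tracks IP-to-MAC bindings and reports conflicting claims."""

    def __init__(self, multi_ip_allowed=()):
        self.ip_to_mac = {}                 # first MAC seen for each IP
        self.mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
        # MACs that legitimately own several IPs (e.g. a router with aliases).
        self.multi_ip_allowed = {m.lower() for m in multi_ip_allowed}

    def observe(self, ip, mac):
        """Record one reply and return the alerts it triggers (often none)."""
        alerts = []
        known = self.ip_to_mac.setdefault(ip, mac)
        if known != mac:
            alerts.append(f"{ip} was {known}, now claimed by {mac}")
        ips = self.mac_to_ips[mac]
        if ip not in ips:
            ips.add(ip)
            if len(ips) > 1 and mac not in self.multi_ip_allowed:
                alerts.append(f"{mac} answers for several IPs: {', '.join(sorted(ips))}")
        return alerts


def scan_capture(text, multi_ip_allowed=()):
    """Run the detector over a whole capture and return all alerts in order."""
    watch = ArpWatch(multi_ip_allowed)
    alerts = []
    for ip, mac in parse_replies(text):
        alerts.extend(watch.observe(ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in scan_capture(SAMPLE_CAPTURE):
        print("ALERT:", alert)
```

A changed binding is also what a replaced network card or a DHCP reassignment looks like, so treat these alerts as a prompt to investigate rather than proof of an attack; the allowlist parameter exists for hosts that legitimately hold several addresses.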

 

 

  • mDNS Spoofing:

Like ARP, multicast DNS (mDNS) relies on broadcast techniques on a local area network (LAN), which makes it a natural fit for spoofing attacks. Its local name-resolution scheme is meant to make configuring network devices very straightforward.

Users can let the system resolve names for them, so they don't need to know exactly which addresses their devices should be talking to. Devices such as TVs, printers, and entertainment systems use this protocol, since they frequently connect to secure networks.

When an app asks for the address of a certain device, such as a local TV, an attacker can easily answer with fabricated data, telling it to resolve to a different address under the attacker's control. Because devices keep local caches of addresses, the victim will then treat the attacker's device as the trustworthy one.

 

 

  • DNS Spoofing:

DNS converts domain names to IP addresses, much as ARP converts IP addresses to MAC addresses on a LAN. In a DNS spoofing attack, the attacker injects corrupt entries into a DNS cache so that a victim who tries to reach a host by its domain name, such as www.onlinebanking.com, is directed to an address of the attacker's choosing.

As a result, the victim sends private information to a malicious host under the impression that it is going to a trusted source. An attacker who has already spoofed an IP address may find DNS spoofing much simpler, since the DNS server's address can then be resolved to the attacker's own address.
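The reason forged DNS answers are not trivially accepted is that a resolver only uses a reply that matches a query it actually sent. The block below is an added example for this article, not code from the original post or from any real resolver: it models those checks (matching transaction ID and source port, reply from the server that was asked, same question) and the bailiwick rule that keeps an extra record for an unrelated name out of the cache. The server address, names and IPs are constructed.

```python
"""Accept DNS replies only when they match an outstanding query.

Added example, not code from the original article. It models the checks a
resolver applies so that a forged reply (the kind cache poisoning relies on)
is dropped: the reply must arrive at the port the query left from, carry the
query's random transaction ID, come from the server that was asked, answer
the same question, and may only populate the cache with records for the name
that was queried. All addresses and names below are constructed.
"""
import secrets


class SpoofAwareResolver:
    """Tracks outstanding queries and accepts only replies that match one."""

    def __init__(self):
        self.pending = {}   # (txid, source port) -> (qname, server asked)
        self.cache = {}     # qname -> set of addresses from accepted replies

    def send_query(self, qname, server):
        """Register an outgoing query; returns the (txid, port) a reply must match."""
        # A random 16-bit ID plus a random ephemeral port gives an off-path
        # forger roughly 2^32 combinations to guess instead of a fixed value.
        txid = secrets.randbelow(1 << 16)
        src_port = 1024 + secrets.randbelow(65536 - 1024)
        self.pending[(txid, src_port)] = (qname, server)
        return txid, src_port

    def receive_reply(self, reply):
        """Validate one reply dict and return what, if anything, was accepted."""
        key = (reply["txid"], reply["dst_port"])
        expected = self.pending.get(key)
        if expected is None:
            return self._reject("no outstanding query with this transaction ID and port")
        qname, server = expected
        if reply["src"] != server:
            return self._reject(f"reply came from {reply['src']}, query went to {server}")
        if reply["qname"].lower() != qname.lower():
            return self._reject("reply answers a different question than was asked")
        # The query is consumed, so a replay of the same reply is rejected later.
        del self.pending[key]
        # Bailiwick rule: only records for the queried name enter the cache, so
        # an extra "helpful" record for another site cannot poison it.
        accepted = [(n, a) for n, a in reply["answers"] if n.lower() == qname.lower()]
        for name, addr in accepted:
            self.cache.setdefault(name.lower(), set()).add(addr)
        dropped = len(reply["answers"]) - len(accepted)
        return {"accepted": True, "dropped": dropped, "records": accepted}

    @staticmethod
    def _reject(reason):
        return {"accepted": False, "dropped": 0, "records": [], "reason": reason}


def demo():
    """Run three constructed scenarios against one resolver and return the results."""
    r = SpoofAwareResolver()
    txid, port = r.send_query("www.onlinebanking.com", "10.0.0.53")
    # Off-path forger: right port, but the transaction ID is a guess.
    forged = r.receive_reply({
        "txid": (txid + 1) % 65536, "dst_port": port, "src": "10.0.0.53",
        "qname": "www.onlinebanking.com",
        "answers": [("www.onlinebanking.com", "198.51.100.7")],
    })
    # Genuine reply that also smuggles a record for an unrelated name.
    genuine_reply = {
        "txid": txid, "dst_port": port, "src": "10.0.0.53",
        "qname": "www.onlinebanking.com",
        "answers": [("www.onlinebanking.com", "203.0.113.10"),
                    ("www.otherbank.example", "198.51.100.7")],
    }
    genuine = r.receive_reply(genuine_reply)
    # The same reply delivered again no longer matches an outstanding query.
    replay = r.receive_reply(genuine_reply)
    return {"forged": forged, "genuine": genuine, "replay": replay, "cache": r.cache}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The bailiwick check is what stops the scenario the text describes: even a reply that passes every other test can only tell the cache about the name that was asked for, not about www.onlinebanking.com's neighbours.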

 



[Figure: how a man-in-the-middle attack actually takes place, with the attacker breaking into the conversation to steal data]

What happens during a Man-in-the-Middle Attack?

The two phases of a MITM attack are typically interception and decryption.

  1. First phase: Interception

During the interception phase, cybercriminals enter a network by using an unprotected or inadequately secured Wi-Fi router or by tricking domain name system (DNS) servers. Attackers then scan the router for flaws and potential avenues of entry.

Cybercriminals may use more sophisticated techniques such as IP spoofing or cache poisoning, but the most common way in is a weak password.

Once a target has been found, the attacker often uses data collection tools to access and collect the data the victim sends, deliberately reroute traffic, or otherwise manipulate the user's web experience.

  2. Second phase: Decryption

Decryption is the second stage of a MITM attack. At this point, attackers can decode and read the stolen data. Decrypted data can be used for a variety of illicit activities, such as identity theft, unauthorized purchases, and fraudulent financial transactions.

Man-in-the-middle attacks are occasionally carried out for no apparent reason other than to sabotage business processes and cause havoc for victims.

Any intercepted two-way SSL traffic must then be decrypted without alerting the user or the application. There are numerous ways to accomplish this:

 

  • HTTPS Spoofing:

As soon as a connection request to a secure site is initiated, HTTPS spoofing delivers a fake certificate to the victim's browser. The certificate carries the digital thumbprint of the compromised application, which the browser checks against its list of recognized websites. Any information the victim submits is then accessible to the attacker before it is delivered to the application.

  • SSL BEAST:

SSL BEAST (Browser Exploit Against SSL/TLS) targets a vulnerability in TLS version 1.0. Here, malicious JavaScript on the victim's PC intercepts encrypted cookies sent by a web application. The application's cipher block chaining (CBC) encryption is then broken, allowing its cookies and authentication tokens to be decrypted.

  • SSL Hijacking:

SSL hijacking happens when an attacker hands both the user and the application forged authentication keys during the TCP handshake. As a result, what seems to be a secure connection is actually controlled by the man in the middle.

  • SSL Stripping:

SSL stripping downgrades an HTTPS connection to HTTP by intercepting the TLS authentication sent from the application to the user. While the user is still connected to the application's secured session, the attacker serves them an unencrypted version of the site. In the meantime, the attacker can see the user's entire session.

 

 

Techniques for man-in-the-middle attacks:

  1. Sniffing:

Attackers use packet capture tools to perform low-level packet inspection. Using wireless devices that can be put into monitor or promiscuous mode, an attacker can view packets not meant for it, such as packets addressed to other hosts.

  2. Packet Injection:

An attacker can also use a device's monitor mode to insert malicious packets into data communication streams. The packets blend in with legitimate traffic, appearing to be a normal part of the transmission while actually being harmful. Packet injection typically starts with sniffing, to decide how and when to craft and deliver the packets.

  3. Session Hijacking:

To avoid requiring the user to enter their password on every page, most web applications use a login mechanism that issues a temporary session token to be used for subsequent requests.

An attacker can sniff sensitive traffic to find a user's session token and use it to send requests on the victim's behalf. Once the attacker holds a session token, spoofing is no longer necessary.

  4. Stripping SSL:

Because HTTPS is a standard defense against ARP or DNS spoofing, attackers use SSL stripping: they intercept packets and rewrite HTTPS-based address requests to the corresponding HTTP endpoint, forcing the host to send its requests to the server unprotected. Sensitive information can then leak in plain text.
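SSL stripping, described both under the decryption phase and again here, only works when the client is willing to send a plaintext request for a host it has previously reached over HTTPS. HTTP Strict Transport Security (HSTS) removes that willingness. The block below is an added example for this article, not code from the original post or from any browser: it parses the Strict-Transport-Security header, reports what is weak about a server's policy (a constructed short max-age beside a corrected header), and implements the client side that rewrites http:// URLs to https:// for hosts with an unexpired policy. The hostnames and header values are constructed.

```python
"""Refuse HTTPS-to-HTTP downgrades with HSTS.

Added example, not code from the original article. SSL stripping works because
a client handed an http:// URL will use it. HTTP Strict Transport Security
(HSTS) closes that gap: once a site has sent the header over HTTPS, the client
rewrites every http:// request for that host to https:// for max-age seconds,
so the stripped page never receives a plaintext request. The header values and
hostnames below are constructed for illustration.
"""
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000

# Constructed server configurations: a weak header beside a corrected one.
WEAK_HSTS = "max-age=300"
STRONG_HSTS = "max-age=63072000; includeSubDomains; preload"


def parse_hsts(value):
    """Parse a Strict-Transport-Security header; None means browsers ignore it."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def hsts_findings(value):
    """Server-side check: list what leaves a host exposed to stripping."""
    policy = parse_hsts(value)
    if policy is None:
        return ["max-age missing or malformed: the header has no effect"]
    findings = []
    if policy["max_age"] < ONE_YEAR:
        findings.append(f"max-age={policy['max_age']} is below one year; protection lapses quickly")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains can still be reached over plain HTTP")
    return findings


class HstsClient:
    """The client side: remember HSTS hosts and upgrade their http:// URLs."""

    def __init__(self):
        self.known = {}  # host -> (expires_at, include_subdomains)

    def record(self, host, header_value, now=None):
        """Store the policy a host sent over HTTPS; returns False if it was invalid."""
        now = time.time() if now is None else now
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self.known.pop(host.lower(), None)  # max-age=0 tells clients to forget the host
        else:
            self.known[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def is_protected(self, host, now=None):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.known.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at > now and (i == 0 or include_subdomains):
                return True
        return False

    def enforce(self, url, now=None):
        """Rewrite http:// to https:// for protected hosts before anything is sent."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_protected(parts.hostname, now):
            return url
        # Port 80 becomes the default HTTPS port; an explicit other port is kept.
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The first visit is still the weak point: a client that has never seen the header has nothing to enforce, which is why the `preload` directive and browser preload lists exist. The findings function is the check to run against your own site's response headers; the client class shows why a short max-age or a missing includeSubDomains leaves a window open.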

 


 

 

How to detect a man-in-the-middle attack?

Without the right precautions, a man-in-the-middle attack can be hard to identify. If you aren't actively checking whether your communications have been intercepted, the attack may go undetected until it is too late.

The most effective ways to spot a potential attack are normally to check for correct page authentication and to implement some form of tamper detection; however, these steps may also call for additional post-attack forensic investigation.

Rather than trying to identify MITM attacks as they happen, it is crucial to take preventative measures beforehand. Keeping a network secure may depend on your ability to monitor your browsing habits and recognize potentially dangerous sites.

 


 

 

Defending against Man in the Middle attacks:

While it may be difficult to stop an attacker from getting onto your network and intercepting your connection, you can make sure that the connection is strongly encrypted.

Here are some general pointers that you can use:

  • Virtual Private Network (VPN): VPNs encrypt your web traffic so that attackers cannot read or modify the communication.

  • Network intrusion detection systems (NIDS): Strategically positioned within a network, a NIDS monitors traffic to and from all connected devices. It analyses the traffic sent throughout the entire subnet and compares it with a database of known attacks. As soon as an attack or unusual behavior is discovered, an alert can be issued to a cybersecurity expert.

  • Firewalls: Strong firewalls are able to block illegal access.

  • Antivirus and antimalware: To stop man-in-the-middle attacks that rely on malware, install an antivirus and antimalware package that includes a scanner which runs as soon as your machine boots.

  • Two-factor authentication: Requiring a second form of identification in addition to your password is an excellent technique to stop email spoofing.

  • Recognize typical phishing scams: Download email attachments only if you are certain they come from the sender you think they do; if in doubt, call and ask. Phishing emails are a prevalent attack vector.

  • Sign off: Signing out of any unused accounts will invalidate session cookies, preventing session hijacking.

  • Consider what you install: Install applications and browser add-ons only if you are certain of their origin.

  • Force encryption: Avoid sharing any critical information on websites without HTTPS.

  • Password manager: Use a password manager, which will not auto-fill passwords on malicious websites.

  • Public Wi-Fi: Avoid public Wi-Fi networks; if you must use them, set your device so that a manual connection is required.

  • Update your tools: Patch software and hardware to prevent man-in-the-middle attacks that exploit known vulnerabilities.

  • Secure DNS: Make sure the DNS servers (and DNS cache) you use are secure by using trusted DNS servers.

  • Application security: Regularly check your website or application for vulnerabilities and fix problems.

 


 

 

Final Note:

 

Man-in-the-middle attacks can seriously compromise data security and have legal ramifications. You must mount a strong defense against such assaults and keep yourself informed of the current threat landscape.

 

Even if you have a strong defense in place, you should still keep an incident response strategy in place to deal with man-in-the-middle attacks.


    Dec 05, 2022

    My name is Natasha Thompson from the USA/Texas.. Am so overwhelmed with gratitude to let the world know how Dr Kachi, the great spell caster changed my life for good. It all started when I lost my job and I was down financially and emotionally because I couldn’t be able provide for my two kids and staying home all day Jobless it’s not easy until I was checking on the internet when I saw a series of testimonies hearing people winning the Powerball lottery, I didn’t believed, but being poor no job you have no option. I gave it a try and I contacted Dr Kachi who told me what i have to do before I can become a big lottery winner and I accepted. He made special prayers for me in his temple and gave me the required numbers to play the lottery game and when I used the numbers to play it, I won a massive $344.6 million Powerball jackpot. I was so happy and I choose to review my winning in any platform, I would love other people to seek help from Dr Kachi through Text and Call: +1 (209) 893-8075 or email drkachispellcast@gmail.com by his website: https://drkachispellcast.wixsite.com/my-site