In a web application there are usually two actors: the client and the server. The third entity, which usually goes unnoticed, is the communication channel. This channel can be wired or wireless, and one or more intermediate servers may forward your request to the destination server as efficiently as possible. These intermediaries are known as proxy servers.
When an unwanted proxy in the network intercepts and modifies requests and responses, that proxy is called a man in the middle, and the network is said to be under a man-in-the-middle (MITM) attack. The key point is that each endpoint mistakes the rogue proxy for the legitimate other endpoint: it acts as a server toward the client and as a client toward the server.
For example, suppose you are connected to a Wi-Fi network and carrying out a transaction with your bank. An attacker is connected to the same Wi-Fi. The attacker does the following:
- The attacker sends rogue ARP packets onto the network that map the IP address of the access point to the MAC address of the attacker's device.
- Each device on the network caches the entry contained in the rogue packets.
- Your device consults its ARP cache to send the packets destined for your bank's web server to the access point (the default gateway for the network).
- The packets are therefore delivered to the attacker's machine instead.
- The attacker can now read and modify the requests contained in the packets before forwarding them on.
This way the attacker sits squarely between you and your bank's server. Every bit of sensitive data you send to the server, including your login password, is visible to the attacker. ARP cache poisoning is one way to perform a MITM attack; others include:
- DNS spoofing.
- IP spoofing.
- Setting up a rogue Wi-Fi AP.
- SSL spoofing, etc.
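A defender-side check for the ARP cache poisoning steps described above, added here as an example and not part of the original article. It replays a constructed stream of ARP replies (sender IP, sender MAC) and flags the two symptoms of poisoning: the gateway's IP suddenly answering from a different MAC, and one MAC claiming several IPs. The gateway address and the sample replies are assumptions made for the demo.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"          # assumed default gateway for the demo network

# Constructed sample of ARP replies seen on the LAN, in arrival order.
# Everything is normal until the last two lines, where a second MAC starts
# announcing itself as the gateway and then as the victim (poisoning signature).
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),   # real access point / gateway
    ("192.168.1.20", "aa:bb:cc:00:00:20"),   # victim laptop
    ("192.168.1.30", "aa:bb:cc:00:00:30"),   # another host on the LAN
    ("192.168.1.1",  "aa:bb:cc:00:00:30"),   # .30 now claims to be the gateway
    ("192.168.1.20", "aa:bb:cc:00:00:30"),   # .30 also claims the victim's IP
]


def detect_arp_poisoning(replies, gateway_ip=GATEWAY_IP):
    """Return a list of alert strings; an empty list means nothing suspicious."""
    ip_to_mac = {}                      # first binding learned for each IP
    mac_to_ips = defaultdict(set)       # every IP each MAC has ever claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        # Symptom 1: an IP we already know changes its MAC. For the gateway
        # this is exactly the rogue mapping described in the article.
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            severity = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{severity}: {ip} moved from {known} to {mac}")
        # Symptom 2: one MAC answering for more than one IP address.
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        if before >= 1 and len(mac_to_ips[mac]) > before:
            alerts.append(f"WARNING: {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(line)
```

On a real host the same logic can be fed from periodic snapshots of the ARP cache; a static ARP entry for the gateway is the usual mitigation once the alert fires.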
The use of SSL can prevent these attacks from succeeding: since the data is encrypted and only the legitimate endpoints hold the key to decrypt it, the attacker can do very little with the data even after gaining access to it.
(SSL only helps if it is set up properly; there are ways to circumvent this protection too, but they are hard to carry out.) Still, an attacker can do a lot of damage if the web application the user is interacting with does not use something called a nonce. The attacker can capture the encrypted requests for the entire session and then carefully resend the ones used for logging in. This way the attacker gains access to your account without ever knowing your password. Using a nonce prevents such "replay attacks". A nonce is a unique number sent by the server to the client prior to login; it is submitted along with the username and password and is invalidated after a single use.
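The server side of the nonce scheme just described, added as an example that is not code from the original article: the server issues a single-use nonce before login, the client submits it with the credentials, and a replay of the identical captured request is rejected. The user store, the nonce lifetime and the `LoginServer` class are assumptions made for the demonstration.

```python
import hmac
import secrets
import time

NONCE_TTL_SECONDS = 120   # assumed lifetime; a nonce that is never used must still expire

# Constructed demo credential store: username -> password. Plaintext only to keep
# the example short; a real application stores a salted password hash.
USERS = {"alice": "correct horse battery staple"}


class LoginServer:
    def __init__(self):
        # nonce -> issue time; a nonce is removed the first time it is presented
        self._issued = {}

    def issue_nonce(self):
        """Step 1: the server hands the client a fresh, unpredictable nonce."""
        nonce = secrets.token_hex(16)
        self._issued[nonce] = time.time()
        return nonce

    def login(self, username, password, nonce):
        """Step 2: the client submits username + password + nonce together.
        The nonce is consumed whether or not the credentials are valid, so a
        request captured on the wire cannot be resubmitted later."""
        issued_at = self._issued.pop(nonce, None)   # single use: pop, never get
        if issued_at is None:
            return "rejected: unknown or already-used nonce"
        if time.time() - issued_at > NONCE_TTL_SECONDS:
            return "rejected: nonce expired"
        expected = USERS.get(username, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return "rejected: bad credentials"
        return "ok"


def demo_replay():
    """The legitimate login succeeds; the same request replayed by an eavesdropper fails."""
    server = LoginServer()
    captured = ("alice", USERS["alice"], server.issue_nonce())  # what a MITM could record
    first = server.login(*captured)
    replay = server.login(*captured)
    return first, replay
```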
Key concepts of Man in the Middle Attack
- Attackers intercept the conversation between the client and the server to steal confidential data.
- The data transfers that take place during this attack go undetected.
- The attacker sets up the attack using various tricks, such as sending attachments or links, or setting up duplicate websites.
Difference between the Man in the Middle Attack and Remote Access Trojans
Man in the Middle Attack: a type of cyber-attack in which the attacker operates by positioning itself between two parties. It can alter the communication between them while making both parties believe they are communicating over a secure network.
An example of a MITM attack: listening in on two parties and making each believe they are communicating directly with the other, while their entire conversation is in fact controlled by the person performing the attack.
Remote Access Trojans: a Remote Access Trojan (RAT) gets downloaded onto a device when the victim clicks on an attachment in an email or installs it along with a game. It enables the attacker to take control of the device, monitor activity or gain remote access. The RAT keeps itself undetected on the device and remains there for a long period of time in order to collect confidential data.
Is it a common attack?
The man-in-the-middle attack has not been a common attack for a long time. It is usually carried out when the attacker has a specific target, and it is not as common as phishing, malware or ransomware.
Case study
- Case Study-1: The credit score company Equifax removed its apps from the Google and Apple app stores due to data leaking. It was found that the app did not use HTTPS, which allowed attackers to capture the data while users accessed their accounts.
- Case Study-2: A registrar company was breached, enabling the attacker to gain access to many certificates. These certificates allowed the attacker to pose as an authentic website and steal data from users; the authentic website in this case was duplicated.
- Case Study-3: A bank was targeted by an attacker. The attacker sent customers an email claiming that someone might have attempted to log in to their bank account and that the bank needed information from them to verify it. The email was a phishing attack: the victim clicks the link in the email and is taken to a fake website that looks like the original. When the victim enters their details, they are redirected to the original website, and the attacker now has access to the victim's account.
Advantages
- If the user connects to any public Wi-Fi, the attacker may use a Man in the Middle Attack.
- If the user's connection has been intercepted by the attacker, the user may be shown fake software updates as pop-ups.
Disadvantages
- This attack takes place when the victim clicks on a link or attachment or connects to public Wi-Fi. If the victim does not click on unknown links or connect to public Wi-Fi, the attack will not take place. So, awareness can prevent this attack.
Users should be aware of
- Public Wi-Fi networks.
- Don't connect to a Wi-Fi network whose name does not seem right.
Prevention
There are some things that can be done to avoid becoming a victim of MITM and related attacks. One should:
- Always use trusted networks and devices to log in to sensitive websites.
- Avoid connecting to Wi-Fi that is open (unencrypted).
- Keep networks secure from unwanted external access.
- If you have to use a public computer, check its browser for any rogue certificate and make sure there aren't any. Check the hosts file too.
- When connected to a public network or using a public computer, perform a traceroute to the website you want to access and inspect the route taken by the packets for anything suspicious, for example packets first going to an IP other than the one whose last octet is 1 (the IP of your gateway).