December 18, 2013

3.2.1 Man-in-the-middle


A man-in-the-middle or MITM attack takes place when an attacker intercepts traffic and then tricks the parties on both ends into believing they are communicating directly with each other.

In the man-in-the-middle attack, the attacker interjects itself into the conversation between two parties and acting like a proxy it receives and transmits information from party A to party B and vice versa.

This is a fairly sophisticated attack and in general, it involves placing malicious software or malware between the source and the destination. The software intercepts data from the source and then passes it on to the destination. Once intercepted, the data can either be monitored, logged and/or modified.

A successful man-in-the-middle attack depends on the ability to:
  • compromise the routing and name server system in the network in order to position the malware between two communicating parties
  • coerce the two parties to see the attacker as a valid source and destination of their conversation
  • view an unencrypted data stream or decrypt the communication channel
For a MITM attack to work, the attack must create dual TCP/IP sockets and trick the target to unwittingly connect to a false server. Techniques used to deploy a MITM attack include, among others:
  • ARP Poisoning
  • DNS Spoofing
  • Port Stealing
  • DHCP Spoofing
ARP (Address Resolution Protocol) enables “converting protocol Addresses (e.g., IP addresses) to local network addresses (e.g., Ethernet addresses)”.

Addresses used on the Internet include hostnames, IP addresses, MAC addresses, port numbers, etc. A network device can respond to one or more of these addresses; however each network protocol uses only one of these protocols.

In order for a network protocol, e.g. Ethernet to communicate with another protocol, e.g. Internet Protocol (IP), it must resolve its native MAC address to the address used by the Internet Protocol, the IP address. And it uses another protocol, ARP to resolve the IP address of a host into the MAC address of the same host. The ARP address resolution is a core function for communication on the Internet. Its importance to Internet communication also makes it an enticing target for exploitation.

One MITM attack technique that exploits vulnerabilities in ARP is ARP Poisoning. This is where an attack creates a packet with an incorrect IP address to MAC address mapping and sends it to the victim system. If the victim system accepts this information into its database (ARP cache), the attacker would have effectively poisoned the victim’s ARP cache, allowing it to hijack specific conversations from the victim.

Since ARP poisoning or ARP cache poisoning is possible only within a local area network, countermeasures you can deploy include physically securing your local network to prevent an unauthorized user from inserting an untrusted device. Additionally since part of the vulnerability of ARP is that address mapping can be changed dynamically, you should consider statically setting the address mappings, at least for your important servers. It may not be possible to monitor all hosts in your network, however monitoring is a good final option for your critical servers.

Countermeasures to a man-in-the middle attack include physical security for your local network and internal servers, deployment of intrusion detection systems (IDS) and intrusion prevention systems (IPS), encryption protocols such as using IPSec and VPN on open networks, strong authentication such as Kerberos, certifications and digital signatures and using digitally signed DNS records (DNSSEC) among others.

Note that encryption and certificates can be sidestepped by MITM attacks. MITM attack can happen over an HTTPS connection. The sequence would include the establishment of two independent SSL sessions by the attacker: one from the attacker to the client (source) and on from the attacker to the server (destination). Most modern browsers will recognize when this happens and will issue a warning to the user for example of an invalid certificate, however the user might ignore the warning and proceed with the connection.

No comments:

Post a Comment