Sunday, October 18, 2009

Filled Under:

Man-In-The-Middle attack (MITM)

Many a times a question would arises in your mind,

What is MITM ?

ok you wouldn't be able to understand it so lets take an example,fig1-w100-h100

An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.


Here is what the Wikipedia says about MITM :-

In cryptography, the man-in-the-middle attack (often abbreviated MITM), or bucket-brigade attack, or sometimes Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point, can insert himself as a man-in-the-middle).

A Man-in-the-middle attack can only be successful when the attacker can impersonate each endpoint to the satisfaction of the other. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, SSL authenticates the server using a mutually trusted certification authority.



MITM Techniques

Various defenses against MITM attacks use authentication techniques that are based on:

The integrity of public keys must generally be assured in some manner, but need not be secret. Passwords and shared secret keys have the additional secrecy requirement. Public keys can be verified by a Certificate Authority, whose public key is distributed through a secure channel (for example, with a web browser or OS installation). Public keys can also be verified by aweb of trust that distributes public keys through a secure channel (for example by face-to-face meetings).


See key agreement for a classification of protocols that use various forms of keys and passwords to prevent man-in-the-middle attacks.

MITM Tools For Hacking

  • dsniff - A tool for SSH and SSL MITM attacks monkey6.

  • Cain - A Windows GUI tool which can perform MITM attacks, along with sniffing and ARP poisoning
  • Ettercap - A tool for LAN based MITM attacks
  • Karma - A tool that uses 802.11 Evil Twin attacks to perform MITM attacks
  • AirJack - A tool that demonstrates 802.11 based MITM attacks
  • wsniff - A tool for 802.11 HTTP/HTTPS based MITM attacks
  • an additional card reader and a method to intercept key-presses on an Automated teller machine



The MITM attack could also be done over an https connection by using the same technique; the only difference consists in the establishment of two independent SSL sessions, one over each TCP connection. The browser sets a SSL connection with the attacker, and the attacker establishes another SSL connection with the web server. In general the browser warns the user that the digital certificate used is not valid, but the user may ignore the warning because he doesn’t understand the threat. In some specific contexts it’s possible that the warning doesn’t appear, as for example, when the Server certificate is compromised by the attacker or when the attacker certificate is signed by a trusted CA and the CN is the same of the original web site.

MITM is not only an attack technique, but is also usually used during the development step of a web application or is still used for Web Vulnerability assessments.

blog comments powered by Disqus