Saturday 16 May 2020


Man in the Middle



Communication takes place between two parties: a sender and a receiver. A man-in-the-middle attack happens when a third party intercepts the data the two are exchanging, in both directions, without either of them knowing that what they send to each other is being received by someone else.


Let’s understand this with an example.

 




How this happens:

1.     The king sends a message to the army chief (start the war tomorrow).

2.     But the man in the middle receives this message, edits it and sends a new message (start the war after two days) to the army chief.

3.     The army chief sends a message to the king (we need more soldiers and arms).

4.     The man in the middle changes the message (we are ready to fight any time).

5.     The king sends a message (I want victory tomorrow only; fight and win the war tomorrow only). The attacker does not edit this message.

A man-in-the-middle attack can be very harmful: the attacker may edit the data, or may only read a confidential message. We need privacy and confidentiality when we transfer data, and the man in the middle is one of the serious attacks we need to focus on.
Now we will discuss different techniques for man-in-the-middle attacks.

How attackers read and modify your messages, and how we can protect our communication medium from such attacks.

ARP cache technique:


ARP stands for Address Resolution Protocol (address resolution refers to the process of finding the address of a computer in a network). This protocol is used for address resolution requests and responses in Ethernet environments, and its messages carry hardware addresses (MAC addresses). The bad guy takes advantage of this protocol for man-in-the-middle attacks.





1. Bob broadcasts a request for the hardware address that belongs to an IP address.

2. Every machine receives this message because it is a broadcast request.

3. The machine with that IP address responds with its hardware address (MAC address); this response is a unicast communication.

4. Now the man in the middle sends a message to the device (Bob) saying "I am Alice with IP 20.0.0.3", but in place of Alice's MAC address it gives its own device’s MAC address (MAC: cc:cc:cc:cc:cc:cc). Like this the attacker gets connected with device Bob.

This is called ARP proxy, and it is possible because ARP does not provide any method for authentication.

How to protect from the ARP cache technique:

In IPv6 we can use the Neighbor Discovery Protocol, which is responsible for gathering the various information required for internet communication, including the configuration of local connections and the domain name servers and gateways used to communicate with more distant systems. By using this protocol we can protect our device from the man in the middle.
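Because ARP has no authentication, the practical defence on IPv4 networks is to watch for replies that rebind an IP address to a new MAC (as arpwatch-style monitors do) and to pin critical addresses statically. The following is an added example, not code from the post: it walks a constructed sequence of ARP replies using the post's values (Alice at 20.0.0.3, attacker MAC cc:cc:cc:cc:cc:cc); all other addresses are made up.

```python
from collections import defaultdict

# Constructed ARP replies (not a capture), in the order a host's ARP cache would see them.
# Alice's IP 20.0.0.3 and the attacker MAC cc:cc:cc:cc:cc:cc are the values used in the post;
# the other addresses are invented for the example.
ARP_REPLIES = [
    {"ip": "20.0.0.3", "mac": "aa:aa:aa:aa:aa:aa", "solicited": True},   # Alice answers Bob's request
    {"ip": "20.0.0.1", "mac": "bb:bb:bb:bb:bb:bb", "solicited": True},   # the gateway answers a request
    {"ip": "20.0.0.3", "mac": "cc:cc:cc:cc:cc:cc", "solicited": False},  # unsolicited reply re-claiming Alice's IP
    {"ip": "20.0.0.3", "mac": "cc:cc:cc:cc:cc:cc", "solicited": False},  # repeated so the cache stays poisoned
]


def detect_arp_poisoning(replies, static_bindings=None):
    """Walk ARP replies the way an arpwatch-style monitor does.

    Returns (alerts, unsolicited_per_mac, bindings):
      - alerts: one entry for every reply that rebinds an IP to a MAC other than the one
        first learned (or statically configured) for it;
      - unsolicited_per_mac: how many replies each MAC sent without a preceding request,
        which is how a poisoner keeps the victim's cache overwritten;
      - bindings: the IP->MAC table the monitor trusts (first answer wins, static entries
        are never overwritten), i.e. what a hardened host would keep in its cache.
    """
    bindings = dict(static_bindings or {})
    unsolicited = defaultdict(int)
    alerts = []
    for reply in replies:
        if not reply["solicited"]:
            unsolicited[reply["mac"]] += 1
        known_mac = bindings.get(reply["ip"])
        if known_mac is None:
            bindings[reply["ip"]] = reply["mac"]  # first answer for this IP: learn it
        elif known_mac != reply["mac"]:
            alerts.append(f"{reply['ip']}: {known_mac} -> {reply['mac']} "
                          f"(unsolicited={not reply['solicited']})")
    return alerts, dict(unsolicited), bindings


if __name__ == "__main__":
    for line in detect_arp_poisoning(ARP_REPLIES)[0]:
        print("ALERT", line)
```

With a static entry for Alice passed as `static_bindings`, even the very first reply from the attacker is flagged, which is the effect of pinning ARP entries on hosts that talk to the gateway or a few servers.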

Man in the Browser:

This is another form of man-in-the-middle attack in which the attacker finds a vulnerable website and attacks it with a Trojan horse. When users like us use that website, we may become victims of a cyber-attack: the attacker may steal data from our machine, or may install keylogger or spyware software.
So we should not use unauthorized websites to get free services, we should avoid downloading any file from such websites, and we should always use updated antivirus on our machine to protect the computer from such attacks.

DNS attack:

DNS stands for Domain Name Server. Whenever we request a service from a server, we need its IP address to communicate with it, but it is difficult for humans to remember IP addresses because they are sets of numbers, so we use human-readable names that resolve to the IP address. A man-in-the-middle attack can be performed through a DNS attack. There are many types of DNS attacks; from the man-in-the-middle point of view, I will explain mainly two types:
DNS spoofing and rogue access points.

DNS spoofing:

DNS spoofing is a method in which the attacker tries to inject malicious data (corrupt Domain Name System data) into your DNS cache. Using this, the attacker redirects victims from legitimate servers to fake ones.
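A forged response can only poison the cache if the resolver accepts it, so the defence (short of DNSSEC, covered under best practices) is the set of checks a resolver applies before caching anything. The following is an added example, not code from the post: a simplified resolver-side validator run over constructed messages, with every name, port, ID and address invented for the example.

```python
# Constructed messages, not captures: the checks a resolver makes before a response
# is allowed into its cache. Names, ports, IDs and addresses below are invented.
OUTSTANDING = {
    # (transaction id, our source port) -> the query we sent and whom we sent it to.
    (0x1A2B, 40123): {"qname": "bank.example.", "qtype": "A",
                      "server": "198.51.100.53", "zone": "example."},
}


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is the zone apex or lies under it (e.g. www.example. under example.)."""
    return name == zone or name.endswith("." + zone)


def validate_response(resp: dict, outstanding: dict) -> tuple:
    """Return (records_to_cache, reason).

    A spoofed response that merely arrives first must still match the transaction ID,
    the source port we used, the server we asked and the question, otherwise it is
    discarded. Records naming something outside the queried zone are dropped even from
    a legitimate response, so an answer for bank.example. cannot plant an address for
    an unrelated domain in the cache.
    """
    query = outstanding.get((resp["txid"], resp["dst_port"]))
    if query is None:
        return [], "no outstanding query with this txid/port"
    if resp["src"] != query["server"]:
        return [], "response from a server we did not ask"
    if (resp["qname"], resp["qtype"]) != (query["qname"], query["qtype"]):
        return [], "question section does not match the query"
    cacheable = [r for r in resp["records"] if in_bailiwick(r["name"], query["zone"])]
    reason = "ok" if len(cacheable) == len(resp["records"]) else "ok, out-of-bailiwick records dropped"
    return cacheable, reason


# Legitimate answer: correct id/port/server, plus an additional record for an unrelated
# name (the kind of record a poisoner tries to smuggle in) that the bailiwick check removes.
GOOD = {"txid": 0x1A2B, "dst_port": 40123, "src": "198.51.100.53",
        "qname": "bank.example.", "qtype": "A",
        "records": [{"name": "bank.example.", "type": "A", "data": "203.0.113.10"},
                    {"name": "ns1.example.", "type": "A", "data": "203.0.113.53"},
                    {"name": "www.other-site.", "type": "A", "data": "203.0.113.99"}]}

# Forged answer racing the real one: right question, wrong transaction ID and origin.
FORGED = dict(GOOD, txid=0x0001, src="203.0.113.99",
              records=[{"name": "bank.example.", "type": "A", "data": "203.0.113.99"}])
```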

Rogue Access Point:

A man-in-the-middle attack can be performed through a rogue access point*. It is a wireless attack in which a wireless access point (the rogue access point is a device) is installed in the network without any permission from the administrator; these access points are also called soft access points. The main purpose is to gain unauthorized access to your network environment. Bad guys install such a device in the network so that they can monitor all network activity and manipulate it as well.

How can we protect our environment from rogue access points?

WEP and WPA

WEP: WEP (Wired Equivalent Privacy) is a security protocol, specified in the IEEE Wireless Fidelity (Wi-Fi) standard 802.11b, that is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN.

WPA: WPA (Wi-Fi Protected Access) and WPA2 (Wi-Fi Protected Access 2) are security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. WPA2 uses cryptographic techniques and different types of keys for authentication to make wireless networks more secure.
But there are a few tools used these days to hack wireless devices and perform man-in-the-middle attacks; hackers also use sniffer programs and tools like Wifite to hack encrypted networks.

STP mangling:

The basic function of STP (Spanning Tree Protocol) is to prevent bridge loops* and the broadcast radiation that results from them. Spanning tree also allows a network design to include backup links, providing fault tolerance if an active link fails.
STP mangling refers to the technique used by the attacker's host to get itself elected as the new root bridge* of the spanning tree. By taking over the root bridge, the attacker is able to intercept most of the traffic.
The attacker may start either by creating BPDUs (Bridge Protocol Data Units) with high priority, claiming to be the new root, or by broadcasting STP Configuration/Topology Change Acknowledgement BPDUs to get their host elected as the new root bridge.
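The standard countermeasure on managed switches is "root guard": a port that should never face the root bridge is moved into a blocking state the moment a BPDU advertising a better root arrives on it, instead of the switches re-electing the root. The following is an added example, not code from the post: it parses 802.1D configuration BPDUs and applies that rule, with bridge IDs, port names and the test BPDUs all constructed for the example.

```python
import struct
from dataclasses import dataclass

# IEEE 802.1D configuration BPDU body (35 bytes, big-endian): protocol id, version, type,
# flags, root id, root path cost, bridge id, port id, message age, max age, hello, fwd delay.
CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge ID = 2-byte priority + 6-byte MAC; the lowest value wins the root election."""
    priority: int
    mac: bytes

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        return cls(struct.unpack("!H", raw[:2])[0], raw[2:8])

    def to_bytes(self) -> bytes:
        return struct.pack("!H", self.priority) + self.mac


def build_config_bpdu(root: BridgeId, sender: BridgeId, path_cost: int = 0) -> bytes:
    """Constructed test vector (not a capture); timers are the 802.1D defaults in 1/256 s."""
    return CONFIG_BPDU.pack(0, 0, 0, 0, root.to_bytes(), path_cost, sender.to_bytes(),
                            0x8001, 0, 20 * 256, 2 * 256, 15 * 256)


def parse_config_bpdu(frame: bytes) -> dict:
    (proto, _version, bpdu_type, _flags, root, cost, bridge,
     _port, _age, _max_age, _hello, _fwd) = CONFIG_BPDU.unpack(frame[:CONFIG_BPDU.size])
    if proto != 0 or bpdu_type != 0:
        raise ValueError("not an 802.1D configuration BPDU")
    return {"root": BridgeId.from_bytes(root), "sender": BridgeId.from_bytes(bridge), "cost": cost}


def root_guard(frame: bytes, port: str, guarded_ports: set, current_root: BridgeId) -> str:
    """Root guard as found on managed switches: a BPDU on a guarded (access-facing) port that
    claims a root better than the legitimate one is a takeover attempt, so the port goes
    into a blocking 'root-inconsistent' state rather than accepting the new root."""
    bpdu = parse_config_bpdu(frame)
    if port in guarded_ports and bpdu["root"] < current_root:
        return "root-inconsistent"
    return "forwarding"


if __name__ == "__main__":
    legit = BridgeId(4096, bytes.fromhex("0000aa000001"))
    rogue = BridgeId(0, bytes.fromhex("cccccccccccc"))  # priority 0 beats any legitimate root
    print(root_guard(build_config_bpdu(rogue, rogue), "Gi1/0/5", {"Gi1/0/5"}, legit))
```

The third case in the check below shows the limit of the control: a superior BPDU on a port without root guard is still accepted, so the guard belongs on every port that faces end hosts.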

Port stealing:

Port stealing is a kind of attack where someone “steals” traffic that is directed to another port of an Ethernet switch. This attack allows someone to receive packets that were originally directed to another computer.
It does so by making the switch believe that the attacker’s port is the correct destination for the packet.
This is how the port stealing technique works:
1.     Steal the port,
2.     Receive some data,
3.     Give the port back,
4.     Forward the data to the real destination,
5.     Go back to step 1 by stealing the port again.

mDNS Spoofing

In computer networking, the multicast DNS (mDNS) protocol resolves hostnames to IP addresses within small networks that do not include a local name server.
With mDNS, one machine broadcasts a query and the authorized machine responds to it. But an issue arises when two machines have the same name, and here the bad guy takes advantage, because in such a situation the machine that receives the broadcast message first will respond first.


Apart from the above, there are a few more types of attacks that come under man-in-the-middle attacks:
DHCP spoofing, sniffing, packet injection, session hijacking, SSL stripping.

There are different kinds of tools used for man-in-the-middle attacks; a few of them are

1.   Evilgrade
2.   Cain tool
3.   Ettercap

Best Practices to Prevent Man-in-the-Middle Attacks

It is very difficult to detect such attacks; I have explained a few tools that can be used to protect against man-in-the-middle attacks.

For example, we can protect our environment from the ARP cache technique by using the Neighbor Discovery Protocol, and we can protect against wireless attacks by using WEP and WPA.
Apart from this we can take a few more precautions.

We can use antivirus; antivirus is very effective in protecting us from the man in the middle.
Update antivirus definitions/DAT files on a regular basis.

Use DNSSEC (Domain Name System Security Extensions).

Disable JavaScript and WebRTC on the computer.

Use Strong Router Login Credentials.

We can use a VPN (Virtual Private Network) to prevent unauthorized persons from entering our network.
  
Use authentic and genuine websites, and always check that the website is secured and uses the HTTPS protocol.

Use encryption technology for data transfer and public-key-pair-based authentication certificates.

Use IDS/IPS and WEP and WPA to protect your network from rogue access points.




*Rogue access point
A rogue access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker.


*Bridge loop
A bridge loop occurs in computer networks when there is more than one Layer 2 (OSI model) path between two endpoints (e.g. multiple connections between two network switches, or two ports on the same switch connected to each other).

*Root bridge
The root bridge (switch) is a special bridge at the top of the spanning tree (an inverted tree). The branches (Ethernet connections) then branch out from the root switch, connecting to other switches in the Local Area Network (LAN).

