Saturday, 16 May 2020


Man in the Middle



A communication takes place between two people, one is the sender and the other is the receiver. A man in the middle attack happens when someone gets hold of the data passing between those two people without letting them know that he is receiving the data they are transferring from one to the other, and vice versa.


Let’s understand this with an example.

 




How this happens:

1.     The king sends a message to the Army chief (start war from tomorrow).

2.     But the man in the middle receives this message, edits it and sends a new message (start war after two days) to the Army chief.

3.     The Army chief sends a message to the king (we need more soldiers and arms).

4.     The man in the middle changes the message (we are ready to fight any time).

5.     The king sends a message (I want victory tomorrow only, fight and win the war tomorrow only). The attacker does not edit this message.

A man in the middle attack can be very harmful: the attacker may edit the data, or may only read the confidential message. We need privacy and confidentiality when we transfer data, and the man in the middle is one of the serious attacks on which we need to focus.
Now we will discuss different techniques for man in the middle attacks:

how they read and modify your messages, and how we can protect our communication medium from such attacks.

ARP cache technique:


ARP stands for Address Resolution Protocol (address resolution refers to the process of finding the address of a computer in a network). This protocol is used for one address resolution request or response and is used in Ethernet environments; its messages carry the hardware address (MAC address). The bad guy takes advantage of this protocol for a man in the middle attack.





1. Bob broadcasts a hardware address request for an IP address.

2. This message is received by every machine because it is a broadcast request.

3. The machine with that IP address responds with its hardware address (MAC address); this is a unicast communication.

4. Now the man in the middle sends a request to the device (Bob) and says "I am Alice with IP 20.0.0.3", but in place of Alice's MAC address it gives its own device's MAC address (MAC: cc:cc:cc:cc:cc:cc). Like this the attacker gets connected with device Bob.

This is called ARP proxy. It happens because ARP does not provide any method for authentication.

How to protect from the ARP cache technique:

In IPv6 we can use the Neighbor Discovery Protocol, which is responsible for gathering the various information required for internet communication, including the configuration of local connections and the domain name servers and gateways used to communicate with more distant systems. By using this protocol we can protect our device from the man in the middle.
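As an added example (my own code, not part of the original post), here is a small defender-side check for the ARP behaviour described above. It walks a list of ARP replies and flags the two signs of poisoning that a monitoring host on the same segment would look for: an IP address whose MAC suddenly changes, and one MAC address that claims several IP addresses. Only Alice's IP 20.0.0.3 and the attacker's MAC cc:cc:cc:cc:cc:cc come from the post; Bob's IP 20.0.0.2, Alice's real MAC aa:aa:aa:aa:aa:aa and the reply list itself are constructed sample values.

```python
"""Added example: flag ARP poisoning from a stream of ARP replies.

Assumptions (not from the original post): replies arrive as
(sender_ip, sender_mac) pairs, for instance from a passive capture on the
same Ethernet segment. Bob's IP 20.0.0.2 and Alice's real MAC
aa:aa:aa:aa:aa:aa are constructed values.
"""
from collections import defaultdict


def detect_arp_conflicts(replies):
    """Return alert strings for the two classic signs of ARP poisoning.

    1. An IP address that suddenly maps to a different MAC address.
    2. One MAC address that claims more than one IP address.
    Both are exactly what the attacker produces when he answers Bob's
    request for Alice's IP with his own hardware address.
    """
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in ip_to_mac and ip_to_mac[ip] != mac:
            alerts.append(f"{ip} changed from {ip_to_mac[ip]} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


# Constructed sample capture: Bob and Alice answer normally, then the
# attacker (MAC cc:cc:cc:cc:cc:cc from the post) answers for both of them.
SAMPLE_REPLIES = [
    ("20.0.0.2", "bb:bb:bb:bb:bb:bb"),  # Bob (constructed)
    ("20.0.0.3", "aa:aa:aa:aa:aa:aa"),  # Alice (MAC constructed)
    ("20.0.0.3", "cc:cc:cc:cc:cc:cc"),  # attacker claiming to be Alice
    ("20.0.0.2", "cc:cc:cc:cc:cc:cc"),  # attacker claiming to be Bob too
]

if __name__ == "__main__":
    for alert in detect_arp_conflicts(SAMPLE_REPLIES):
        print("ALERT:", alert)
```

In practice the reply list would come from a packet capture or from periodically reading the host's ARP table (`arp -a` or `ip neigh`); the usual controls alongside such monitoring are static ARP entries for the gateway and Dynamic ARP Inspection on managed switches.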

Man in the Browser:

This is another form of man in the middle attack in which the attacker finds a vulnerable website and attacks that website with a Trojan horse. When users like us use that website we may become victims of a cyber-attack. The attacker may steal data from our machine, or may install keylogger or spyware software.
So we should not use unauthorized websites to get any free service, we should avoid downloading any file from such websites, and we should always use an updated antivirus on our machine to protect the computer from such attacks.

DNS attack:

DNS stands for Domain Name Server. Whenever we request a service from a server, we need its IP address to communicate with that server, but it is difficult for humans to remember IP addresses because they are sets of numbers, so we use human readable names that resolve to the IP address. A man in the middle attack can be performed by a DNS attack. There are many types of DNS attacks; from the man in the middle point of view, I will explain mainly two types of DNS attack:
DNS spoofing and rogue access point.

DNS spoofing:

DNS spoofing is a method in which the attacker tries to inject malicious data (corrupt Domain Name System data) into your DNS cache memory. By using this, the attacker redirects victims from legitimate servers to fake ones.

Rogue Access Point:

A man in the middle attack can be performed by a rogue access point*. It is a wireless attack in which a wireless access point (a rogue access point is a device) is installed in the network without any permission from the administrator; these access points are also called soft access points. The main purpose is to gain unauthorized access to your network environment. Bad guys install such a device in the network so that they can monitor the whole network's activity and manipulate it as well.

How can we protect our environment from a rogue access point?

WEP and WPA

WEP: WEP (Wired Equivalent Privacy) is a security protocol, specified in the IEEE Wireless Fidelity (Wi-Fi) standard 802.11b, that is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN.

WPA: WPA (Wi-Fi Protected Access) and WPA2 (Wi-Fi Protected Access 2) are security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. WPA2 uses cryptographic techniques and different types of keys for authentication to make the wireless network more secure.
But there are a few tools used these days to hack wireless devices and to perform man in the middle attacks; hackers also use sniffer programs and tools like Wifite to hack encrypted networks.

STP mangling:

The basic function of STP (Spanning-Tree Protocol) is to prevent bridge loops* and the broadcast radiation that results from them. Spanning tree also allows a network design to include backup links, providing fault tolerance if an active link fails.
STP mangling refers to the technique used by the attacker host to get itself elected as the new root bridge* of the spanning tree. By taking over the root bridge, the attacker will be able to intercept most of the traffic.
The attacker may start either by creating BPDUs (Bridge Protocol Data Units) with high priority, claiming to be the new root, or by broadcasting STP Configuration/Topology Change Acknowledgement BPDUs to get his host elected as the new root bridge.

Port stealing:

Port stealing is a kind of attack where someone “steals” traffic that is directed to another port of an Ethernet switch. This attack allows someone to receive packets that were originally directed to another computer.
It does so by making the switch believe that the attacker’s port is the correct destination for the packet.
This is how the port stealing technique works:
1.     Steal the port,
2.     Receive some data,
3.     Give the port back,
4.     Forward the data to the real destination,
5.     Go back to step 1 by stealing the port again.

mDNS Spoofing

In computer networking, the multicast DNS (mDNS) protocol resolves hostnames to IP addresses within small networks that do not include a local name server.
With mDNS one machine broadcasts a query and the authorized machine responds to it. But the issue comes when two machines have the same name, and here the bad guy wants to take advantage, because in such a situation the machine that receives the broadcast message earlier will respond earlier.


Apart from the above there are a few more types of attacks that come under man in the middle attacks:
DHCP spoofing, Sniffing, Packet Injection, Session Hijacking, SSL Stripping.

There are different kinds of tools used for man in the middle attacks; a few of them are

1.   Evilgrade
2.   Cain tool
3.   Ettercap

Best Practices to Prevent Man-in-the-Middle Attacks

It’s very difficult to find such an attack; I have explained a few tools that can be used to protect from man in the middle attacks.

For example, we can protect our environment from the ARP cache technique by using the Neighbor Discovery Protocol, and we can protect from wireless attacks by using WEP and WPA.
Apart from this we can take a few more precautions.

We can use antivirus; antivirus is very effective to protect us from the man in the middle.
Update antivirus definitions/dat files on a regular basis.

Use DNSSEC (Domain Name System Security Extensions).

Disable JavaScript and WebRTC on the computer.

Use strong router login credentials.

We can use a VPN (Virtual Private Network) to prevent an unauthorized person from entering our network.

Use authentic and genuine websites, and always check that the website is secured and using the HTTPS protocol.

Use encryption technology for data transfer and public key pair based authentication certificates.

Use IDS/IPS and WEP and WPA to protect your network from rogue access points.




*Rogue access point:
A rogue access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker.

*Bridge loop: a bridge loop occurs in computer networks when there is more than one Layer 2 (OSI model) path between two endpoints (e.g. multiple connections between two network switches, or two ports on the same switch connected to each other).

*Root bridge: the root bridge (switch) is a special bridge at the top of the spanning tree (an inverted tree). The branches (Ethernet connections) then branch out from the root switch, connecting to other switches in the Local Area Network (LAN).


Saturday, 2 May 2020


Cryptography



The word Cryptography comes from the Greek word kryptos, which means hidden, secret.

Kryptos + Graphy = hidden + writing

The earliest known use of cryptography is found in non-standard hieroglyphs carved into the wall of a tomb from the Old Kingdom of Egypt circa 1900 BC.
Later we saw the use of cryptography in World War I and World War II; at that time armies were using cryptography machines, and the Enigma machine is a good example of a machine used by the Germans for cryptography in the Second World War.


Image of Enigma machine

Let’s understand cryptography with an example. We will take a message and we will encrypt it.

Example 1:

My name is Rahul
We will encrypt the above line like this:
Rd sfrj nxwzq

By reading the above line (Rd sfrj nxwzq) no one can understand what is written here until he has the key to decrypt it into plain text. Here we used key = 5: if anyone knows that every letter here has been changed to the letter 5 places ahead of the original in the English alphabet, then he can change it back to the plain text.
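Added example, my own code rather than anything from the original post: the shift by 5 used in example 1 as working Python, with the matching decryption and a brute force over all 25 possible keys. The brute force is the practitioner's point here: a key of 5 is one of only 25 choices, so a shift cipher keeps nothing secret from anyone willing to try them all. Function names are my own.

```python
"""Added example: the shift-by-5 cipher from example 1 (my own code).

Letters move `key` places ahead in the English alphabet, wrapping from
z back to a; case is kept and anything that is not a letter (spaces,
punctuation, digits) is passed through unchanged.
"""


def shift_encrypt(plaintext, key):
    """Shift every ASCII letter `key` places ahead (key may be negative)."""
    out = []
    for ch in plaintext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext, key):
    """Decryption is the same shift in the opposite direction."""
    return shift_encrypt(ciphertext, -key)


def brute_force(ciphertext):
    """Try every possible key.

    A shift cipher has only 25 of them, so a reader without the key
    simply produces all 25 candidates and picks the one that reads as
    English. That is why this cipher is a teaching tool, not a protection.
    """
    return {k: shift_decrypt(ciphertext, k) for k in range(1, 26)}


if __name__ == "__main__":
    ct = shift_encrypt("My name is Rahul", 5)
    print("ciphertext:", ct)
    print("decrypted :", shift_decrypt(ct, 5))
    for k, candidate in brute_force(ct).items():
        print(f"key {k:2d}: {candidate}")
```

The wrap-around is done with `% 26`, which also makes the negative shift in `shift_decrypt` work without a separate code path; `isascii()` keeps accented or non-Latin characters from being mangled.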

Before moving ahead we need to understand a few important terms like plain text, cipher text, key etc.

Plain Text:

Plain text is text that can be read directly by a human and understood easily. This is the input data for the encryption process; in example 1 above the plain text is:
My name is Rahul.

Ciphertext:

Ciphertext is text that is not human understandable. In cryptography, cipher text is the result of some operation performed on plaintext using an algorithm.
In example 1 the cipher text is
Rd sfrj nxwzq

Cipher:

In cryptography, a cipher (or cypher) is an algorithm for performing encryption. Ex. AES, DES

Key:

In cryptography, a key is a piece of information that determines the functional output of a cryptographic algorithm. For encryption algorithms, a key specifies the transformation of plaintext into ciphertext, and vice versa for decryption algorithms.
In example 1 above the key is 5.

Before we move ahead we need to understand two more important terms:

Stream Cipher and Block Cipher

Stream Cipher:

A stream cipher is a technique used to encrypt plain text into cipher text and vice versa. It encrypts or decrypts the text bit by bit, meaning it acts on each bit. It performs its operation with XOR, and it uses a substitution technique for this.
In simple words: to encrypt a plain text, first we need to convert the plain text into binary form, then we apply the encryption technique on each bit. This is called a stream cipher.



We will take another example to understand it better.
Take the plain text 9
The key is 8
Convert both into binary form:

Digit             Binary Number
9 (Plain Text)    1001
8 (Key)           1000

Now we perform the XOR operation and the result is: 0001
So 0001 is our cipher text, and if we convert it to decimal form it is 1. Now we have:
plain text is 9
cipher text is 1
key is 8
So like this we encrypt the plain text into cipher text bit by bit.
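The XOR step above as an added example (my own code, not from the original post). It first reproduces the 4-bit case from the table, then does the same byte by byte against a keystream, and finally shows the failure mode a practitioner cares about: if the same keystream is used for two messages, XORing the two ciphertexts cancels the key out and leaves the XOR of the two plaintexts. The 1001/1000 values are from the post; the byte keystream and messages are constructed.

```python
"""Added example: the bit-by-bit XOR from the stream cipher section.

The 4-bit values 1001 (plain text 9) and 1000 (key 8) are from the post;
the byte-level keystream and messages below are constructed.
"""


def xor_bits(a, b):
    """XOR two bit strings of equal length, e.g. '1001' ^ '1000' -> '0001'."""
    if len(a) != len(b):
        raise ValueError("bit strings must have the same length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def xor_stream(data, keystream):
    """XOR every byte of `data` with the corresponding keystream byte.

    Because (p ^ k) ^ k == p, the same function both encrypts and decrypts.
    """
    if len(keystream) < len(data):
        raise ValueError("keystream must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, keystream))


def keystream_reuse_leak(ct1, ct2):
    """Why a keystream must never be used twice.

    XOR of two ciphertexts made with the same keystream equals the XOR of
    the two plaintexts; the key drops out entirely, so an eavesdropper
    learns exactly where and how the two messages differ.
    """
    return bytes(a ^ b for a, b in zip(ct1, ct2))


# Constructed sample keystream; a real stream cipher derives this from
# the key and a nonce, and never repeats it.
KEYSTREAM = bytes.fromhex("5a3c9e17c0ff44b1a2d3e4f500112233")

if __name__ == "__main__":
    print(xor_bits("1001", "1000"))           # 0001
    print(int(xor_bits("1001", "1000"), 2))   # 1
    print(xor_bits("0001", "1000"))           # 1001 again: XOR undoes itself
    ct = xor_stream(b"meet me at noon", KEYSTREAM)
    print(ct.hex(), xor_stream(ct, KEYSTREAM))
    c1 = xor_stream(b"aaaa", KEYSTREAM)
    c2 = xor_stream(b"aaab", KEYSTREAM)
    print(keystream_reuse_leak(c1, c2).hex())  # 00000003: only the last byte differs
```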

Block Cipher

This is a method of encryption in which the plain text is divided into small blocks and the encryption algorithm is applied to each block to get the cipher text. We use the same key on each block for encryption. The size of the block depends on the type of algorithm we use.





There are several modes of operation for a block cipher:
Electronic Code Book
Cipher Block Chaining
Cipher Feedback Mode
Output Feedback Mode
Counter Mode
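Added example (my own code, not from the original post) of three of the modes listed above, ECB, CBC and CTR, built on a stand-in block function. `toy_block_encrypt` is not a real cipher: it only XORs a 4-byte block with the key and reverses it, which gives the invertible, deterministic block operation that a mode needs and nothing more. What the example shows is the property that matters when choosing a mode: with ECB, equal plaintext blocks produce equal ciphertext blocks, while CBC and CTR hide that pattern. Key, IV, nonce and message are constructed values.

```python
"""Added example: ECB, CBC and CTR modes on top of a stand-in block cipher.

toy_block_encrypt is NOT a real cipher (it just XORs with the key and
reverses the bytes); it is only an invertible, deterministic block
function so the modes can be demonstrated. Key, IV, nonce and message are
constructed sample values. Real systems use AES (16-byte blocks) with a
fresh random IV or nonce for every message.
"""
BLOCK = 4  # toy block size in bytes


def toy_block_encrypt(block, key):
    return bytes(b ^ k for b, k in zip(block, key))[::-1]


def toy_block_decrypt(block, key):
    return bytes(b ^ k for b, k in zip(block[::-1], key))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data):
    """PKCS#7-style padding so the length is a multiple of BLOCK."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    return data[:-data[-1]]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(data, key):
    """Electronic Code Book: each block encrypted on its own, so equal
    plaintext blocks give equal ciphertext blocks (a pattern leak)."""
    return b"".join(toy_block_encrypt(b, key) for b in blocks(pad(data)))


def ecb_decrypt(ct, key):
    return unpad(b"".join(toy_block_decrypt(b, key) for b in blocks(ct)))


def cbc_encrypt(data, key, iv):
    """Cipher Block Chaining: each block is XORed with the previous
    ciphertext block (the IV for the first one) before encryption."""
    prev, out = iv, []
    for b in blocks(pad(data)):
        prev = toy_block_encrypt(xor_bytes(b, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ct, key, iv):
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor_bytes(toy_block_decrypt(c, key), prev))
        prev = c
    return unpad(b"".join(out))


def ctr_crypt(data, key, nonce):
    """Counter mode: encrypt nonce||counter to get a keystream block and
    XOR it with the data; no padding, and encryption equals decryption."""
    out = bytearray()
    for i, b in enumerate(blocks(data)):
        keystream = toy_block_encrypt(nonce[:2] + i.to_bytes(2, "big"), key)
        out += xor_bytes(b, keystream)
    return bytes(out)


def repeated_blocks(ct):
    """How many ciphertext blocks are duplicates of an earlier one."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))


KEY = b"k3y!"                 # constructed 4-byte key
IV = bytes([0, 1, 2, 3])      # constructed IV
NONCE = bytes([7, 7])         # constructed nonce
MESSAGE = b"ABCDABCDABCD"     # three identical plaintext blocks

if __name__ == "__main__":
    print("ECB repeats:", repeated_blocks(ecb_encrypt(MESSAGE, KEY)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(MESSAGE, KEY, IV)))
    print("CTR repeats:", repeated_blocks(ctr_crypt(MESSAGE, KEY, NONCE)))
```

The CBC and CTR results only hold while the IV or nonce is fresh for each message: reusing a CBC IV with the same leading plaintext, or a CTR nonce at all, brings the same kind of leak back.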

Purpose of Encryption:

This is a very good technique to send text messages securely. These days cryptography is very popular and used everywhere. We use cryptography for Confidentiality, Authentication, Integrity and Non-repudiation.


Confidentiality: ensuring that no one can read the message except the receiver.

Authentication: authentication means the process or action of proving or showing something to be true, genuine, or valid, so with the help of cryptography we ensure that the message is received by the authenticated person. We ensure it with the help of the keys used by sender and receiver.

Integrity: the quality of being honest and having strong moral principles; with the help of encryption we ensure that the message we are sending is not altered or changed, so that the receiver gets the same message that the sender sent.

Non-repudiation: imagine a situation where a statement's author cannot successfully dispute its authorship or the validity of an associated contract; cryptography is used to prove that the sender really sent this message.


Nowadays cryptography is very common and it is used in many places during communication: when we email, when we text from an application like WhatsApp (WhatsApp uses End to End Encryption (asymmetric encryption) technology, which secures your text as well as your voice conversations over the network). Encryption is also used in storage media to store information. There are a few popular algorithms used for it; a few very common cryptography algorithms are "Pretty Good Privacy (PGP)", which Phil Zimmermann developed in 1991, the Data Encryption Standard (DES), designed by IBM in 1975, RC4 (Rivest Cipher 4), designed by Ron Rivest in 1994, the Advanced Encryption Standard (AES), designed by Vincent Rijmen and Joan Daemen in 1998, and many more. I will explain a few of them in my future blogs.


There are three cryptographic techniques:

1. Symmetric-key cryptography
2. Public-key cryptography
3. Hash functions

1. Symmetric-key cryptography

Symmetric encryption is a type of encryption where only one key (a secret key) is used to both encrypt and decrypt electronic information. Ex. AES

2. Public-key cryptography

Public-key cryptography is a form of encryption where keys come in pairs: one key, the public key, is used to encrypt the plain text, and the other, the private key, is used to decrypt the cipher text. Ex. RSA encryption.


3. Hash functions:


A hash function is any function that can be used to map data of arbitrary size to fixed-size values. This function converts data into a fixed-size code, and if we modify the data the value of the hash also changes. A few popular hash algorithms are: MD5, SHA1, SHA256.



Ex. String 1: My name is rahul
MD5 hash of string 1: 1f34ce0cd2ee72cc2dfd91d51cb9a3ee

If we modify string 1 into string 2:

String 2: my name is rahul

MD5 hash of string 2: 4c32f8e4531f049c04e92b4ce4d89ce7

Here we just changed the M (upper case) of "My" in string 1 into m (lower case) in string 2; as a result the value of the MD5 hash for string 2 changed.

Why do we use hash algorithms?

Suppose there are two files and you want to check whether both files are the same or not. It is really difficult to check each line of the files, so we can convert each into a hash value. If both files have the same hash value, it means they are the same file.
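Added example (my own code using Python's standard `hashlib`, not from the original post) covering both points above: it hashes the two strings with MD5 and SHA-256 so the one-letter change is visible, and it compares files by digest, reading them in chunks so a large file never has to fit in memory. The two strings are from the post; the temporary files are constructed by the demo.

```python
"""Added example: hashing strings and comparing files by digest (my own
code using Python's hashlib). The two strings are from the post; the
temporary files are constructed on the fly."""
import hashlib
import os
import tempfile


def digest_of(text, algo="md5"):
    """Hex digest of a UTF-8 string with the named algorithm (md5, sha1, sha256)."""
    return hashlib.new(algo, text.encode("utf-8")).hexdigest()


def file_digest(path, algo="sha256", chunk_size=65536):
    """Hash a file in fixed-size chunks so it never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def files_identical(path_a, path_b, algo="sha256"):
    """Compare two files by digest instead of line by line."""
    return file_digest(path_a, algo) == file_digest(path_b, algo)


def demo_file_compare():
    """Write three constructed files (two identical, one differing by a
    single letter) and return (identical_pair_matches, changed_pair_matches)."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, name) for name in ("a.txt", "b.txt", "c.txt")]
        contents = ["My name is rahul\n", "My name is rahul\n", "my name is rahul\n"]
        for path, text in zip(paths, contents):
            with open(path, "w", encoding="utf-8") as f:
                f.write(text)
        return files_identical(paths[0], paths[1]), files_identical(paths[0], paths[2])


if __name__ == "__main__":
    for s in ("My name is rahul", "my name is rahul"):
        print(f"{s!r}: md5={digest_of(s)} sha256={digest_of(s, 'sha256')}")
    print("identical pair, changed pair:", demo_file_compare())
```

Two practitioner caveats: equal digests mean the files are the same with overwhelming probability, not as a mathematical certainty, and because practical collisions are known for MD5 and SHA-1, integrity checks should use SHA-256 (the default in `file_digest`) rather than MD5.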

Friday, 3 April 2020


Rootkit and Keyloggers


A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software.

The highest management level of the Windows operating system is administrator; similarly in Linux OS it is called root. A rootkit is a set of software that can modify the kernel of the OS.

 
A rootkit works at the lowest level and hence it is very difficult to detect. It is not visible in the task bar, and we cannot find it there because it does not run as a part of the operating system, so it becomes difficult for the antivirus to detect it.

 
The attacker always tries to send software and merge it with the rootkit. So it is impossible to remove it even after you detect it, because it will not allow you to remove it.

Types of Rootkit:


User mode rootkit:

A user mode rootkit attacks at the user level, the upper level of the OS model. Since it works at the upper level, it targets software and other programs or files like Word, Notepad etc.

Kernel Mode Rootkit:

Such software is used to target the core settings of the kernel. With such software, the attacker can change registry settings and more on your computer. It is difficult to identify and handle because it is not a part of the OS, and it is difficult for the antivirus to detect.


Boot loader Rootkit:

This software affects the boot sector of the computer. It affects the MBR (Master Boot Record) or VBR (Volume Boot Record). The MBR is at the very beginning of partitioned computer mass storage devices like fixed disks or removable drives.
 

Memory rootkit:

A memory rootkit affects the RAM of your machine. As a result, it slows down the machine and consumes more memory, so the other programs get very little memory for execution and ultimately the machine becomes very slow.

Firmware rootkit:

First we need to understand firmware; only then can we understand the firmware rootkit.
Firmware is a computer program that is "embedded" in a hardware device and is an essential part of the hardware. In computing, firmware is a specific class of computer software that provides the low-level control for a device's specific hardware. Firmware can either provide a standardized operating environment for more complex device software (allowing more hardware independence), or, for less complex devices, act as the device's complete operating system, performing all control, monitoring and data manipulation functions. So if someone affects the firmware, then the whole system of a machine will get affected.

A firmware rootkit affects routers, network cards, hard drives and the BIOS (Basic Input Output System). It is difficult to find and remove because firmware is not usually inspected for code integrity, and the rootkit takes advantage of that.


Virtual Rootkit

A rootkit designed for virtual machines is called a virtual rootkit.

How to remove a Rootkit:

It is very difficult to remove a rootkit. Sometimes we need separate software to remove it. Nowadays, advanced antivirus or anti-malware tools are also capable of removing rootkits.


Keyloggers


A keylogger is a computer program that records every keystroke made by a computer user, especially in order to gain fraudulent access to passwords and other confidential information. When you type anything it records everything. No matter what happens, it even records the space bar or the backspace.

A keylogger can be either software or hardware.

Software keylogger:

A software keylogger works in the background and is difficult for a normal user to notice. In the background, it records everything. Software-based keyloggers are computer programs designed to work on the target computer's software.

Keyloggers have their uses as well, as much software and many operating systems use them for troubleshooting of the computer and network. Even the Windows 10 OS uses keyloggers to improve typing performance.

Hardware keylogger:

These are hardware devices independent of any software; one can be added externally like a pen drive, and it will capture all the activity on the computer.

A hardware keylogger has two main parts:

Micro controller: the micro controller interprets the key inputs and processes them for storage.

Memory: it uses non-volatile memory like flash memory to store the data irrespective of the availability of power.

How to protect your machine from these:

1. We can use anti-keylogger software to protect our machine. This software works on signature-based or heuristic analysis.

2. We can set firewall rules to track what files are transferred from the computer, and accordingly we can make rules for that.

3. These days we are using advanced antivirus (EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response)), which work on machine learning. Such antivirus can be very useful to protect the computer from rootkits and keyloggers.

Example of a few Keyloggers

Revealer Keylogger Free

Ardamax Keylogger