Man in the Middle - Revision history

Kermit at 12:50, 4 January 2005

2005-01-04T12:50:36Z

← Older revision		Revision as of 12:50, 4 January 2005
Line 1:		Line 1:
	'''Man in the Middle''' attacks generally allow an attacker to get in the middle of other hosts communication. Any information in between these hosts can be read, blocked or even altered by the attacker. An attacker being in the middle does not necessarily mean he physicly interupted the other hosts connection to put himself in the middle. Other ways to get in the middle of other hosts communication are several [[Spoofing]] techniques, which let hosts in the network ''think'', the attacker is someone else. Dangerous in this context is especially if the attacker lets a host believe he's the gateway.		'''Man in the Middle''' attacks generally allow an attacker to get in the middle of other hosts communication. Any information in between these hosts can be read, blocked or even altered by the attacker. An attacker being in the middle does not necessarily mean he physicly interupted the other hosts connection to put himself in the middle. Other ways to get in the middle of other hosts communication are several [[Spoofing]] techniques, which let hosts in the network ''think'', the attacker is someone else. Dangerous in this context is especially if the attacker lets a host believe he's the gateway.

	Once in the middle of other hosts communication, the attacker can easily intercept encrypted connections, sniff passwords, or inject false data into connections. Tools like [http://ettercap.sourceforge.net/ Ettercap] automate this process, by supporting severel '''Man in the Middle''' attacks (ARP poisoning, Icmp redirect, Port stealing, DHCP spoofing), sniffing techniques and even mechanisms to intercept SSH and HTTPS connections by delivering almost identical copies of ~~original~~ the certificates.		Once in the middle of other hosts communication, the attacker can easily intercept encrypted connections, sniff passwords, or inject false data into connections. Tools like [http://ettercap.sourceforge.net/ Ettercap] automate this process, by supporting severel '''Man in the Middle''' attacks (ARP poisoning, Icmp redirect, Port stealing, DHCP spoofing), sniffing techniques and even mechanisms to intercept SSH and HTTPS connections by delivering almost identical copies of the original certificates.

			The Man in the Middle attack is a very powerful yet common attack pattern, it has therefore attracted the attention of cryptologists. There have been found some defenses but they apply to very specific situations like

			*Chess Grandmaster Attack
			*Syncronized Clocks

			The only really succesful defenses against Man in the Middle Attacks are implemented by defeating the used "technique" like ARP poisoning, Port Stealing etc.

Kermit: /* Port Stealing */

2004-12-06T13:40:16Z

Port Stealing

← Older revision		Revision as of 13:40, 6 December 2004
Line 2:		Line 2:

	Once in the middle of other hosts communication, the attacker can easily intercept encrypted connections, sniff passwords, or inject false data into connections. Tools like [http://ettercap.sourceforge.net/ Ettercap] automate this process, by supporting severel '''Man in the Middle''' attacks (ARP poisoning, Icmp redirect, Port stealing, DHCP spoofing), sniffing techniques and even mechanisms to intercept SSH and HTTPS connections by delivering almost identical copies of original the certificates.		Once in the middle of other hosts communication, the attacker can easily intercept encrypted connections, sniff passwords, or inject false data into connections. Tools like [http://ettercap.sourceforge.net/ Ettercap] automate this process, by supporting severel '''Man in the Middle''' attacks (ARP poisoning, Icmp redirect, Port stealing, DHCP spoofing), sniffing techniques and even mechanisms to intercept SSH and HTTPS connections by delivering almost identical copies of original the certificates.



	== Port Stealing ==
	Technique to outsmart switches, by sending ethernet frames including the victim MAC address as sender address. The switch will further send packets targeting to that MAC address to the port the attacker is connected to. Again its up to the attacker to forward these packets to the victim, which may be difficult since the switch is confused about what port the victim is located at. The original port mapping has to be retroceded to the switch in order to send packets to the victim. Afterwards the port hast to be stolen again. All this might lead to many lost packets and a notably lost of connection speed.

Kermit: /* ARP Poisoning */

2004-12-06T13:39:56Z

ARP Poisoning

← Older revision		Revision as of 13:39, 6 December 2004
Line 3:		Line 3:
	Once in the middle of other hosts communication, the attacker can easily intercept encrypted connections, sniff passwords, or inject false data into connections. Tools like [http://ettercap.sourceforge.net/ Ettercap] automate this process, by supporting severel '''Man in the Middle''' attacks (ARP poisoning, Icmp redirect, Port stealing, DHCP spoofing), sniffing techniques and even mechanisms to intercept SSH and HTTPS connections by delivering almost identical copies of original the certificates.		Once in the middle of other hosts communication, the attacker can easily intercept encrypted connections, sniff passwords, or inject false data into connections. Tools like [http://ettercap.sourceforge.net/ Ettercap] automate this process, by supporting severel '''Man in the Middle''' attacks (ARP poisoning, Icmp redirect, Port stealing, DHCP spoofing), sniffing techniques and even mechanisms to intercept SSH and HTTPS connections by delivering almost identical copies of original the certificates.

	== ARP Poisoning ==
	Applications on internet hosts and even most local area network hosts communicate with eachother knowing only the other hosts IP address or hostname. The underlaying network architecture only allows hosts to communicate using MAC adresses though. These 6 Byte addresses are resolved using the ''Address Resolution Protocol'' (ARP). To retrieve some other local hosts MAC address a host broadcasts an ARP-Request including the target IP address and receives the ARP reply containing the target MAC address, which it then adds to its local ARP cache. Since ARP is stateless, hosts also accept replys they never asked for, which is the starting point for '''ARP Poisoning'''.

	An attacker simply as to send an ARP reply to the victim host, proclaiming he is another host the victim might want to communicate with, a gateway for example. Once done the victim host will freely send its future packets to the attacker, thinking he is the real target. The attacker can now analyse the data and forward it to the real target to not disturb the connection and attract attention. Using the same means the attacker can also poison the target hosts ARP cache to get in the middle of both directions of communication. The easiness and effectiveness of '''ARP Poisoning''' makes it a very dangerous and popular '''Man in the Middle''' attack.

	This fake ARP replies of course are not completely hidden to the victim host, allowing it to notice weird changes to the local ARP cache. Tools like ''Arpwatch'' allow to permanently monitor incoming ARP packets and be notified if strange things happen (like changing MAC address to the same IP address). In Unix compatible operating systems the ''arp -s'' command allows to set static ARP entries within the ARP cache, which should be done for servers and gateways to not allow attackers to get in the middle of that communication. Windows operating systems also know the ''arp -s'' command with the fatal result that created static entries are only as static as Windows will never again ask for a new MAC address to the specified IP address. Incoming fake ARP replies will still overwrite the entry, which will never be questioned or updated by Windows again, unless the attacker is nice enough to reset it when leaving.

	== Port Stealing ==		== Port Stealing ==

Jon at 17:41, 19 November 2004

2004-11-19T17:41:05Z

← Older revision		Revision as of 17:41, 19 November 2004
Line 1:		Line 1:
	'''Man in the Middle''' attacks generally allow an attacker to get in the middle of other hosts communication. Any information in between these hosts can be read, blocked or even altered by the attacker. An attacker being in the middle does not necessarily mean he physicly interupted the other hosts connection to ~~plug~~ himself in the middle. Other ways to get in the middle of other hosts communication are several [[Spoofing]] techniques, which let hosts in the network ''think'', the attacker is someone else. Dangerous in this context is especially if the attacker lets a host believe he's the gateway.		'''Man in the Middle''' attacks generally allow an attacker to get in the middle of other hosts communication. Any information in between these hosts can be read, blocked or even altered by the attacker. An attacker being in the middle does not necessarily mean he physicly interupted the other hosts connection to put himself in the middle. Other ways to get in the middle of other hosts communication are several [[Spoofing]] techniques, which let hosts in the network ''think'', the attacker is someone else. Dangerous in this context is especially if the attacker lets a host believe he's the gateway.

	Once in the middle of other hosts communication, the attacker can easily intercept encrypted connections, sniff passwords, or inject false data into connections. Tools like [http://ettercap.sourceforge.net/ Ettercap] automate this process, by supporting severel '''Man in the Middle''' attacks (ARP poisoning, Icmp redirect, Port stealing, DHCP spoofing), sniffing techniques and even mechanisms to intercept SSH and HTTPS connections by delivering almost identical copies of original the certificates.		Once in the middle of other hosts communication, the attacker can easily intercept encrypted connections, sniff passwords, or inject false data into connections. Tools like [http://ettercap.sourceforge.net/ Ettercap] automate this process, by supporting severel '''Man in the Middle''' attacks (ARP poisoning, Icmp redirect, Port stealing, DHCP spoofing), sniffing techniques and even mechanisms to intercept SSH and HTTPS connections by delivering almost identical copies of original the certificates.

Jon at 17:39, 19 November 2004

2004-11-19T17:39:46Z

New page

'''Man in the Middle''' attacks generally allow an attacker to get in the middle of other hosts communication. Any information in between these hosts can be read, blocked or even altered by the attacker. An attacker being in the middle does not necessarily mean he physicly interupted the other hosts connection to plug himself in the middle. Other ways to get in the middle of other hosts communication are several [[Spoofing]] techniques, which let hosts in the network ''think'', the attacker is someone else. Dangerous in this context is especially if the attacker lets a host believe he's the gateway.

Once in the middle of other hosts communication, the attacker can easily intercept encrypted connections, sniff passwords, or inject false data into connections. Tools like [http://ettercap.sourceforge.net/ Ettercap] automate this process, by supporting severel '''Man in the Middle''' attacks (ARP poisoning, Icmp redirect, Port stealing, DHCP spoofing), sniffing techniques and even mechanisms to intercept SSH and HTTPS connections by delivering almost identical copies of original the certificates.

== ARP Poisoning ==
Applications on internet hosts and even most local area network hosts communicate with eachother knowing only the other hosts IP address or hostname. The underlaying network architecture only allows hosts to communicate using MAC adresses though. These 6 Byte addresses are resolved using the ''Address Resolution Protocol'' (ARP). To retrieve some other local hosts MAC address a host broadcasts an ARP-Request including the target IP address and receives the ARP reply containing the target MAC address, which it then adds to its local ARP cache. Since ARP is stateless, hosts also accept replys they never asked for, which is the starting point for '''ARP Poisoning'''.

An attacker simply as to send an ARP reply to the victim host, proclaiming he is another host the victim might want to communicate with, a gateway for example. Once done the victim host will freely send its future packets to the attacker, thinking he is the real target. The attacker can now analyse the data and forward it to the real target to not disturb the connection and attract attention. Using the same means the attacker can also poison the target hosts ARP cache to get in the middle of both directions of communication. The easiness and effectiveness of '''ARP Poisoning''' makes it a very dangerous and popular '''Man in the Middle''' attack.

This fake ARP replies of course are not completely hidden to the victim host, allowing it to notice weird changes to the local ARP cache. Tools like ''Arpwatch'' allow to permanently monitor incoming ARP packets and be notified if strange things happen (like changing MAC address to the same IP address). In Unix compatible operating systems the ''arp -s'' command allows to set static ARP entries within the ARP cache, which should be done for servers and gateways to not allow attackers to get in the middle of that communication. Windows operating systems also know the ''arp -s'' command with the fatal result that created static entries are only as static as Windows will never again ask for a new MAC address to the specified IP address. Incoming fake ARP replies will still overwrite the entry, which will never be questioned or updated by Windows again, unless the attacker is nice enough to reset it when leaving.

== Port Stealing ==
Technique to outsmart switches, by sending ethernet frames including the victim MAC address as sender address. The switch will further send packets targeting to that MAC address to the port the attacker is connected to. Again its up to the attacker to forward these packets to the victim, which may be difficult since the switch is confused about what port the victim is located at. The original port mapping has to be retroceded to the switch in order to send packets to the victim. Afterwards the port hast to be stolen again. All this might lead to many lost packets and a notably lost of connection speed.