Man in the Middle: Difference between revisions

Revision as of 17:41, 19 November 2004

Man in the Middle attacks generally allow an attacker to get in the middle of other hosts' communication. Any information passing between these hosts can be read, blocked or even altered by the attacker. An attacker being in the middle does not necessarily mean he physically interrupted the other hosts' connection to put himself in the middle. Other ways to get in the middle of other hosts' communication are several Spoofing techniques, which let hosts in the network think the attacker is someone else. Especially dangerous in this context is an attacker who lets a host believe he is the gateway.

Once in the middle of other hosts' communication, the attacker can easily intercept encrypted connections, sniff passwords, or inject false data into connections. Tools like Ettercap automate this process by supporting several Man in the Middle attacks (ARP poisoning, ICMP redirect, port stealing, DHCP spoofing), sniffing techniques and even mechanisms to intercept SSH and HTTPS connections by delivering almost identical copies of the original certificates.

ARP Poisoning

Applications on internet hosts, and even most local area network hosts, communicate with each other knowing only the other host's IP address or hostname. The underlying network architecture only allows hosts to communicate using MAC addresses, though. These 6-byte addresses are resolved using the Address Resolution Protocol (ARP). To retrieve some other local host's MAC address, a host broadcasts an ARP request including the target IP address and receives the ARP reply containing the target MAC address, which it then adds to its local ARP cache. Since ARP is stateless, hosts also accept replies they never asked for, which is the starting point for ARP Poisoning.

An attacker simply has to send an ARP reply to the victim host, proclaiming he is another host the victim might want to communicate with, a gateway for example. Once done, the victim host will freely send its future packets to the attacker, thinking he is the real target. The attacker can now analyse the data and forward it to the real target so as not to disturb the connection and attract attention. Using the same means the attacker can also poison the target host's ARP cache to get in the middle of both directions of communication. The ease and effectiveness of ARP Poisoning make it a very dangerous and popular Man in the Middle attack.

These fake ARP replies are of course not completely hidden from the victim host, which can notice strange changes to its local ARP cache. Tools like Arpwatch permanently monitor incoming ARP packets and send a notification if strange things happen (like the MAC address for the same IP address changing). In Unix-compatible operating systems the arp -s command sets static ARP entries in the ARP cache, which should be done for servers and gateways so that attackers cannot get in the middle of that communication. Windows operating systems also know the arp -s command, with the fatal result that the created static entries are only static in the sense that Windows will never again ask for a new MAC address for the specified IP address. Incoming fake ARP replies will still overwrite the entry, which will never be questioned or updated by Windows again, unless the attacker is nice enough to reset it when leaving.
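The following is an added example, not code from the page and not Arpwatch's own source: it decodes raw Ethernet/ARP frames in the layout described above (6-byte hardware addresses, 4-byte IPv4 addresses, request and reply opcodes) and does the bookkeeping a monitor on the wire needs to notice the two things an ARP Poisoning attempt leaves behind: a reply nobody asked for, and the MAC address for a known IP address changing. The three frames are constructed for the demo (the victim, gateway and third-station addresses are invented), no socket is opened, and the MAC-per-IP table mirrors what the victim's cache would hold after each reply.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Ethernet II header: destination MAC, source MAC, EtherType (network byte order).
ETH_HDR = struct.Struct("!6s6sH")
# ARP for IPv4 over Ethernet: htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa.
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp(frame: bytes) -> Optional[ArpPacket]:
    """Decode an Ethernet frame carrying IPv4-over-Ethernet ARP; None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpPacket(op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


class ArpMonitor:
    """Arpwatch-style bookkeeping: remember IP->MAC bindings and report anomalies."""

    def __init__(self) -> None:
        self.table = {}           # ip -> mac learned from replies seen on the wire
        self.outstanding = set()  # ips a request was seen for and not yet answered
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        if pkt.op == ARP_REQUEST:
            self.outstanding.add(pkt.target_ip)
            return None
        if pkt.op != ARP_REPLY:
            return None
        # Stateless ARP: a host would accept this reply whether or not it asked.
        solicited = pkt.sender_ip in self.outstanding
        self.outstanding.discard(pkt.sender_ip)
        known = self.table.get(pkt.sender_ip)
        self.table[pkt.sender_ip] = pkt.sender_mac  # what a victim's cache now holds
        if known is not None and known != pkt.sender_mac:
            msg = f"changed ethernet address: {pkt.sender_ip} was {known}, now {pkt.sender_mac}"
        elif not solicited:
            msg = f"unsolicited reply: {pkt.sender_ip} is-at {pkt.sender_mac}"
        else:
            return None
        self.alerts.append(msg)
        return msg


def audit(frames) -> List[str]:
    """Run a fresh monitor over a sequence of frames and return every alert raised."""
    mon = ArpMonitor()
    return [msg for f in frames if (msg := mon.observe(f)) is not None]


# Constructed sample frames (not a real capture). Victim 192.168.1.10 at
# 00:11:22:33:44:55, gateway 192.168.1.1 at 00:aa:bb:cc:dd:01, and a third
# station 00:de:ad:be:ef:99 that answers for the gateway's IP without being asked.
ARP_ETH_IPV4 = "0001" "0800" "06" "04"  # htype=Ethernet, ptype=IPv4, hlen=6, plen=4
REQUEST = bytes.fromhex(
    "ffffffffffff" "001122334455" "0806" + ARP_ETH_IPV4 + "0001"
    "001122334455" "c0a8010a" "000000000000" "c0a80101")
GW_REPLY = bytes.fromhex(
    "001122334455" "00aabbccdd01" "0806" + ARP_ETH_IPV4 + "0002"
    "00aabbccdd01" "c0a80101" "001122334455" "c0a8010a")
SPOOFED_REPLY = bytes.fromhex(
    "001122334455" "00deadbeef99" "0806" + ARP_ETH_IPV4 + "0002"
    "00deadbeef99" "c0a80101" "001122334455" "c0a8010a")
SAMPLE_FRAMES = [REQUEST, GW_REPLY, SPOOFED_REPLY]

if __name__ == "__main__":
    for line in audit(SAMPLE_FRAMES):
        print(line)
```

Over the sample frames the monitor stays silent for the request and the gateway's legitimate answer and raises one alert for the third frame, because the binding for 192.168.1.1 changed; had the gateway's reply not been preceded by a request, it would have been reported as unsolicited instead. On a real network the frames would come from a promiscuous capture on the segment, and a change alert for the gateway or a server address is the case worth paging on, since static entries (arp -s, with the Windows caveat above) are the only way to make the cache ignore it.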

Port Stealing

A technique to outsmart switches by sending Ethernet frames with the victim's MAC address as the sender address. The switch will from then on send packets destined for that MAC address to the port the attacker is connected to. Again it is up to the attacker to forward these packets to the victim, which may be difficult since the switch is confused about which port the victim is located at. The original port mapping has to be handed back to the switch in order to send packets to the victim. Afterwards the port has to be stolen again. All this might lead to many lost packets and a noticeable loss of connection speed.
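Because the attacker has to keep handing the port back and stealing it again, the victim's MAC address is learned on two different switch ports in quick succession, over and over. That flapping is the observable signature, and the following added example (not from the page, and not any switch vendor's implementation) models a switch's address-learning table and raises an alert when one MAC address moves between ports more than a threshold number of times inside a time window. The log format and the log lines are constructed for the demo; a single move, as happens when a host is re-cabled, stays below the threshold.

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional

# One line per learned source address, the way a switch fills its forwarding
# table. Constructed sample, not a real switch log: 00:11:22:33:44:55 is the
# station on port 3 whose address another port starts sending with;
# 00:aa:bb:cc:dd:01 moves once, as a host does when it is re-cabled.
SAMPLE_LOG = """\
t=0.0 port=3 src=00:11:22:33:44:55
t=0.5 port=1 src=00:aa:bb:cc:dd:01
t=1.0 port=7 src=00:11:22:33:44:55
t=1.5 port=3 src=00:11:22:33:44:55
t=2.0 port=7 src=00:11:22:33:44:55
t=2.5 port=3 src=00:11:22:33:44:55
t=30.0 port=5 src=00:aa:bb:cc:dd:01
"""
LINE_RE = re.compile(r"t=([\d.]+) port=(\d+) src=([0-9a-f:]{17})")


class MacMoveDetector:
    """Flags a MAC address that keeps moving between switch ports."""

    def __init__(self, window_s: float = 10.0, max_moves: int = 3) -> None:
        self.window_s = window_s
        self.max_moves = max_moves
        self.port_of: Dict[str, int] = {}               # mac -> port currently learned
        self.moves: Dict[str, Deque[float]] = defaultdict(deque)  # mac -> recent move times

    def learn(self, ts: float, port: int, src_mac: str) -> Optional[str]:
        """Learn src_mac on port like a switch would; return an alert if it flaps."""
        prev = self.port_of.get(src_mac)
        self.port_of[src_mac] = port
        if prev is None or prev == port:
            return None  # first sighting, or same port as before: nothing moved
        recent = self.moves[src_mac]
        recent.append(ts)
        while recent and ts - recent[0] > self.window_s:
            recent.popleft()  # forget moves that fell out of the window
        if len(recent) >= self.max_moves:
            return (f"t={ts}: {src_mac} moved {len(recent)} times within "
                    f"{self.window_s}s, now on port {port} (was {prev})")
        return None


def detect(log: str, **kwargs) -> List[str]:
    """Feed every parseable log line to a fresh detector and collect its alerts."""
    det = MacMoveDetector(**kwargs)
    alerts: List[str] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = det.learn(float(m.group(1)), int(m.group(2)), m.group(3))
        if msg:
            alerts.append(msg)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log the victim's address is reported at t=2.0 and again at t=2.5 (three and then four moves inside the ten-second window), while the address that moved once at t=30.0 is never mentioned. The same rule is what a switch's MAC-move notification or port-security feature applies; binding the victim's address to its port (or limiting each access port to one learned address) stops the switch from relearning it elsewhere in the first place.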