16 Feb, 2024

Insufficient protection against man-in-the-middle (MITM) attacks 

When it comes to web development and information technology, security is crucial. Vulnerabilities nevertheless remain a major issue, endangering the integrity and confidentiality of data.
There are countless vulnerabilities, each significant in its own right, with the potential to harm not just a single person but all of humanity.
Today we examine one particular kind of vulnerability: insufficient protection against the "Man-in-the-Middle (MITM) attack".

Man-in-the-Middle (MITM) attack 

A type of attack in which an attacker intercepts network traffic between two parties to collect and, where possible, decrypt the data, capturing sensitive information and compromising security. By methodically covering the various aspects of MITM attack mechanics, this article aims to give readers a thorough understanding of the subject.

Mechanism of MITM Attacks:

Interception: In the first step, the attacker inserts themselves into the communication channel between the sender and the recipient.

Decryption: If the communication is encrypted, the attacker attempts to decrypt the intercepted data, for example by downgrading the connection (see SSL stripping below).

Data manipulation: Before the information is forwarded to the intended recipient, the attacker may alter it, which can lead to fraudulent transactions or inaccurate information.

Delivery and re-encryption: After the data has been altered, it is re-encrypted and forwarded to the intended recipient, so neither the original sender nor the recipient notices the interception.

The best known and most widely used MITM (Man-in-the-Middle) attacks

Each of the presented attack methods can cause enormous damage and compromise privacy.

The main types of attack are:

ARP Spoofing: Using forged ARP (Address Resolution Protocol) messages sent over a local network, the attacker links their own MAC address to the IP address of a different host. As a result, network traffic between the victim and other devices can be intercepted and altered by the attacker.

DNS Spoofing: By manipulating DNS (Domain Name System) records, the attacker diverts queries for legitimate domain names to rogue IP addresses. Without realizing it, victims connect to the attacker's server, which permits traffic interception and manipulation.

WiFi Pineapple Attacks: The attacker creates rogue access points (APs) that advertise familiar SSIDs, using a device such as the WiFi Pineapple. Unsuspecting users who connect to these APs give the attacker the ability to intercept and modify their traffic.

Session Hijacking: The attacker steals an active session token, such as a cookie, in order to assume the victim's identity. This can happen because of insufficient session management or because the token is transmitted over an unsafe channel.

HTTP Session Hijacking: The same technique, targeting HTTP sessions specifically. The attacker captures session cookies or tokens in order to obtain unauthorized access.

SSL Stripping: The attacker downgrades an HTTPS connection to HTTP, forcing the victim to communicate in plaintext. The attacker then intercepts and modifies the data before forwarding it to the intended server.

Evil Twin Attacks: The attacker sets up a fake wireless network with the same SSID as a legitimate one. Users who unknowingly connect to the evil twin allow the attacker to eavesdrop on their communications.
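The ARP spoofing described above leaves a footprint that a defender can look for: the same IP address suddenly being announced by a second MAC address, or one MAC address claiming the addresses of several neighbours at once. The following detector is an added example written for this article (it is not code from any of the tools listed later); it parses tcpdump-style ARP reply lines and flags both symptoms. The capture lines, addresses and MACs are constructed sample data.

```python
"""ARP spoofing detection over captured ARP replies.

Added example, not part of the original article. It parses tcpdump-style
ARP lines (the sample lines below are constructed) and flags two symptoms
of ARP spoofing:
  * ip_conflict: one IP address announced by more than one MAC address
    (a host, typically the gateway, being impersonated), and
  * mac_fanout: one MAC address claiming more IP addresses than a normal
    host would (an attacker poisoning several neighbours at once).
"""
import re
from collections import defaultdict

# Shape of a "tcpdump -nn arp" reply line, e.g.
#   12:00:01.000000 ARP, Reply 10.0.0.1 is-at aa:bb:cc:00:00:01, length 28
ARP_REPLY_RE = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

# Constructed sample capture: 10.0.0.1 is the legitimate gateway. From the
# fourth line on, a second MAC claims the gateway's IP and then two hosts.
SAMPLE_CAPTURE = """\
12:00:01.000000 ARP, Reply 10.0.0.1 is-at aa:bb:cc:00:00:01, length 28
12:00:02.000000 ARP, Reply 10.0.0.20 is-at aa:bb:cc:00:00:20, length 28
12:00:03.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.20, length 28
12:00:04.000000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28
12:00:05.000000 ARP, Reply 10.0.0.20 is-at DE:AD:BE:EF:00:01, length 28
12:00:06.000000 ARP, Reply 10.0.0.21 is-at de:ad:be:ef:00:01, length 28
"""


def parse_arp_replies(text):
    """Return (ip, mac) pairs for every ARP reply line; requests are ignored."""
    pairs = []
    for line in text.splitlines():
        m = ARP_REPLY_RE.search(line)
        if m:
            pairs.append((m.group("ip"), m.group("mac").lower()))
    return pairs


def analyze_arp(pairs, max_ips_per_mac=2):
    """Return alerts as (kind, subject, details) tuples, sorted by subject."""
    macs_for_ip = defaultdict(set)
    ips_for_mac = defaultdict(set)
    for ip, mac in pairs:
        macs_for_ip[ip].add(mac)
        ips_for_mac[mac].add(ip)

    alerts = []
    for ip, macs in sorted(macs_for_ip.items()):
        if len(macs) > 1:
            alerts.append(("ip_conflict", ip, sorted(macs)))
    for mac, ips in sorted(ips_for_mac.items()):
        if len(ips) > max_ips_per_mac:
            alerts.append(("mac_fanout", mac, sorted(ips)))
    return alerts


def scan_capture(text):
    """Convenience wrapper: parse a capture and return its alerts."""
    return analyze_arp(parse_arp_replies(text))


if __name__ == "__main__":
    for kind, subject, details in scan_capture(SAMPLE_CAPTURE):
        print(f"{kind}: {subject} -> {details}")
```

On the sample capture the first three lines produce no alert; the remaining lines yield an ip_conflict for the gateway and for 10.0.0.20 and a mac_fanout for the MAC that claims three addresses. The max_ips_per_mac threshold is a tuning knob: routers and virtualization hosts legitimately answer for several addresses, so baseline it per network segment before alerting on it.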

Examples of exploitation:

In this example we look at a MITM scenario using a Wireshark packet capture: we have captured packets transmitted from host A (10.1.1.1.254) to host B (10.1.2.1).

Analyzing this packet, we see the protocol name SKINNY, which refers to VoIP (Voice over Internet Protocol), a technique and set of tools that deliver voice calls and voice chat sessions over the Internet.

Looking more closely at the intercepted packet, we can see the sender's IP (10.1.2.1) as well as the duration of the conversation, 21 seconds, with a status of completed.

After clicking "Play Streams" we can play back the dialog between hosts A and B.

Code Examples:

1. Java

The Java code in this example opens a network connection using HttpURLConnection. The vulnerability lies in the absence of a secure communication protocol (HTTPS) when connecting to the server.

Without encryption, data transmitted between the client and server can be intercepted, manipulated, or eavesdropped upon by an attacker.
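To make the flaw and its fix concrete in a form that runs offline, here is an added example in Python (not the article's Java snippet, and not code from any project it names). The insecure function accepts a plain http:// URL exactly as the Java client does; the hardened one refuses anything that is not HTTPS before a socket is opened and performs the handshake with a context that validates the certificate chain and hostname and floors the protocol at TLS 1.2. The URL in the demo call is a placeholder.

```python
"""Plaintext HTTP client versus a hardened TLS client.

Added example, not code from the original article. It reproduces the
HttpURLConnection flaw in Python and then hardens it: the hardened client
refuses non-HTTPS URLs outright and uses an SSL context that validates the
certificate chain and hostname and floors the protocol at TLS 1.2.
"""
import ssl
import urllib.request
from urllib.parse import urlparse


class InsecureTransport(ValueError):
    """Raised when a request would leave the host without TLS protection."""


def fetch_insecure(url, timeout=10):
    """Vulnerable pattern: accepts http:// URLs, so the request and any
    credentials in it travel in cleartext and can be read or altered in transit."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def is_tls_url(url):
    """True only for https:// URLs that carry a host component."""
    parts = urlparse(url)
    return parts.scheme.lower() == "https" and bool(parts.hostname)


def strict_tls_context():
    """SSL context that rejects untrusted chains, mismatched hostnames and
    protocol versions below TLS 1.2. create_default_context() already sets
    the first two; the explicit assignments make the intent visible to reviewers."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx):
    """Lint hook for contexts handed in by callers."""
    return bool(
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def fetch_hardened(url, timeout=10, context=None):
    """Hardened pattern: plaintext URLs are rejected before any socket is
    opened, and the TLS handshake runs with full verification."""
    if not is_tls_url(url):
        raise InsecureTransport(f"refusing non-HTTPS URL: {url}")
    ctx = context or strict_tls_context()
    if not context_is_strict(ctx):
        raise InsecureTransport("TLS context does not enforce verification")
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


if __name__ == "__main__":
    try:
        fetch_hardened("http://api.example.invalid/login")  # placeholder URL
    except InsecureTransport as exc:
        print("blocked:", exc)
```

The scheme check is deliberately separate from the TLS configuration: a client that only configures TLS correctly but still follows an http:// URL (or an HTTP redirect to one) is exactly what SSL stripping exploits.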



2. Python

In this example of IP spoofing, attackers change their source IP from 192.168.1.100 to 192.168.1.200 and can fool users into believing they are interacting with a different host or website.

3. HTML

In this example of HTTPS spoofing, attackers fabricate fake "secure" websites in order to deceive users into thinking they are on a trustworthy, encrypted site.

Privilege escalation techniques:

Hijacking with SSL techniques through redirection

In this example we see how the attacker uses SSLStrip to convert HTTPS to HTTP, intercepting traffic destined for port 8080 with the iptables rule -A PREROUTING -p tcp --destination-port 8080 -j REDIRECT --to-ports 7071, thereby redirecting it to port 7071 on the attacker's own device.

Top MITM attack scanners:

Automated Tools:

MITMf: an effective penetration-testing tool that automates various MITM attacks. It has capabilities such as session hijacking, ARP spoofing, and SSL stripping. Although it takes a more aggressive approach, it is useful for identifying and assessing MITM vulnerabilities.

OWASP ZAP: a leading tool for detecting vulnerabilities and intercepting traffic as a proxy.

Bettercap: a network penetration analysis and scanning tool. It supports scanning and attacking various protocols and connections: WiFi, IPv4 and IPv6, Bluetooth, and wireless device connections over other protocols.

proxy.py: an open-source proxy server that handles HTTP, HTTPS, HTTP/2 and WebSocket traffic. It is not just a MITM scanner; it is also helpful for examining network traffic and finding possible security holes.

Manual Tools:

Wireshark: lets you inspect raw network traffic and analyze the communication between web browsers and servers. It is an essential tool for understanding network behavior.

Burp Suite: offers good functionality for detecting MITM attacks and thorough traffic analysis.

Hetty: an open-source HTTP toolkit and an alternative to commercial tools like Burp Suite Pro, catering specifically to the needs of the infosec and bug bounty community. It includes a built-in Next.js interface, a lightweight MITM proxy, full-text search, a module for sending manual HTTP requests, and an attacker module for automated HTTP requests.

Ettercap: a common MITM tool that has been in use for a long time. It supports a number of MITM attacks, such as packet injection, DNS spoofing, and ARP poisoning, and works especially well in LAN settings.

Checklist for MITM Attack:

1. Data flows are identified, and network devices and services are mapped.

2. Encryption in transit is verified for all important messages.

3. SSL/TLS certificates are examined for authenticity and consistency.

4. User and device authentication techniques are reviewed, and MFA is used wherever feasible.

5. Tests for DNS poisoning and ARP spoofing are performed.

6. Protocols are checked for errors and vulnerabilities.

7. Wi-Fi encryption standards are confirmed, and defenses against Evil Twin attacks are in place.

8. PKI and trust chains are examined for integrity and for unapproved certificates.

9. The ability of endpoint protection mechanisms to detect MITM attacks is tested.

10. Network segmentation and ACLs/firewalls are reviewed for effective isolation and security.

11. Controlled MITM attack simulations are carried out to evaluate the robustness of the network.

CVEs and CVSS scores: what they are and why we should keep them in mind

The Common Vulnerability Scoring System (CVSS) is a framework used to rank the severity of security flaws. Scores range from 0 to 10, with 10 being the most severe.

For Man-in-the-Middle (MITM) attacks, CVEs differ based on the particular vulnerability and how it affects the target system. Factors to consider are how simple it is to exploit, whether mitigation measures are available, how it affects data integrity and system availability, and whether attackers are able to launch widespread attacks. It is crucial to remember that a CVSS score is only one aspect of determining how serious a vulnerability is; the potential impact on the target system and the particular context must also be taken into account.

Here are some of the best known:

CVSS Base Score: 7.4 (HIGH)

CVE-2021-44273 – The SSL MITM engine's lack of SSL certificate validation affected e2guardian versions 5.4.x through 5.4.3r. If e2guardian (when built with OpenSSL v1.1.x) was used as a proxy or transparent proxy with SSL MITM enabled, it was susceptible to MITM attacks because it failed to verify the hostnames in the certificates of the web servers it connected to.

CVSS Base Score: 5.9 (MEDIUM)

CVE-2021-23846 – The user password was sent over the HTTP protocol in clear text, which allowed an attacker to obtain it through a Man-in-the-Middle attack. Firmware version 3.11.5 was the first to have this vulnerability fixed.

CVSS Base Score: 5.9 (MEDIUM)

CVE-2020-14093 – Unauthorized access was made possible by an SSH Terrapin Prefix Truncation vulnerability.
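The e2guardian entry above (CVE-2021-44273) is a reminder that validating the certificate chain is not enough: the name the client asked for must also match a name in the server certificate, otherwise any certificate issued by a trusted CA for any domain lets an interceptor pose as the server. The following is an added example (not e2guardian's code, and not a replacement for the check OpenSSL performs) that implements that name match in simplified RFC 6125 style over the subjectAltName tuples that Python's ssl.getpeercert() returns. The certificate data is constructed.

```python
"""Hostname verification against a certificate's subjectAltName entries.

Added example, not part of the original article or of e2guardian. Rules
applied, following RFC 6125 in simplified form:
  * DNS names compare case-insensitively, ignoring a trailing dot;
  * a wildcard is allowed only as the entire leftmost label and matches
    exactly one label;
  * over-broad wildcards with fewer than three labels (e.g. *.com) and
    any second wildcard are rejected;
  * an IP-literal hostname matches only "IP Address" entries, never DNS ones.
The certificate data below is constructed in the shape ssl.getpeercert()
returns for 'subjectAltName'.
"""
import ipaddress

# Constructed sample: a certificate covering example.com, its direct
# subdomains and one IP address.
SAMPLE_SANS = (
    ("DNS", "example.com"),
    ("DNS", "*.example.com"),
    ("IP Address", "203.0.113.5"),
)


def _normalize_dns(name):
    return name.rstrip(".").lower()


def _dns_matches(pattern, hostname):
    """Match one DNS SAN pattern against a hostname."""
    pattern = _normalize_dns(pattern)
    hostname = _normalize_dns(hostname)
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Refuse *.com-style wildcards and patterns with more than one '*'.
    if len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    # The wildcard stands for exactly one non-empty label.
    return (
        len(h_labels) == len(p_labels)
        and h_labels[0] != ""
        and h_labels[1:] == p_labels[1:]
    )


def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def hostname_matches(hostname, sans):
    """True if hostname is covered by one of the SAN (kind, value) entries."""
    ip = _as_ip(hostname)
    for kind, value in sans:
        if kind == "IP Address":
            if ip is not None and _as_ip(value) == ip:
                return True
        elif kind == "DNS":
            if ip is None and _dns_matches(value, hostname):
                return True
    return False


def verify_peer_name(hostname, cert):
    """Return (ok, reason) for a getpeercert()-style dict. A certificate with
    no SAN extension is rejected rather than falling back to the CN field."""
    sans = cert.get("subjectAltName") or ()
    if not sans:
        return False, "certificate has no subjectAltName entries"
    if hostname_matches(hostname, sans):
        return True, "hostname matches a subjectAltName entry"
    return False, f"hostname {hostname!r} not in {[v for _, v in sans]}"


if __name__ == "__main__":
    cert = {"subjectAltName": SAMPLE_SANS}
    for host in ("www.example.com", "a.b.example.com",
                 "evil.example.net", "203.0.113.5"):
        print(host, verify_peer_name(host, cert))
```

In production code this logic should stay inside the TLS library (in Python, leave check_hostname enabled on the SSLContext); the value of writing it out is to see which inputs a missing or sloppy check would wrongly accept, such as a multi-level subdomain against a single-label wildcard or a DNS name against an IP-only certificate.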

Resources and books to learn more about Man-in-the-Middle attacks:

1. Infosec Institute’s Real-Life Example and Video Walkthrough

Infosec Skills author Keatron Evans offers a video walkthrough and a real-world example of a MITM attack. In this demonstration, Keatron uses MITM attack tools to compromise the victim's machine after the unsuspecting victim connects to the same Wi-Fi network as the attacker.

2. Udemy Course: Ethical Hacking – Man in the Middle Attacks Basic to Advance

Many MITM attack techniques are covered in this course, such as DNS spoofing, ARP poisoning, and session hijacking. Gain knowledge on identifying and managing Man-in-the-Middle attacks.

3. EC-Council Learning Course: Learn Man in the Middle Attacks from Scratch:

You will learn how to launch MITM attacks against connected clients and defend them against such attacks in this extensive course.

Books:

1. Learn Man in the Middle Attacks from Scratch

This book teaches how to set up your Kali Linux 2.0 lab environment properly. In addition, you will learn how devices communicate with each other. Lastly, you will learn the best part of this course, which is Man in the Middle attacks.

2. Kerberos: The Definitive Guide

The article on MITM attacks in this book focuses on how these attacks impact protocols that try to authenticate connection endpoints.

3. A Guide to Securing Networks for Wi-Fi pdf (IEEE 802.11 Family) 

This guide discusses MITM attacks within the context of Wi-Fi security.

4. Man-in-the-middle attacks: An insider’s guide (free PDF)

This free ebook offers protective measures and an explanation of how MITM attacks operate.

Conclusion:

In the field of network security and penetration testing, Man-in-the-Middle (MITM) attacks pose an important risk. These attacks covertly intercept, modify, or reroute data by exploiting flaws in communication channels. They exploit weaknesses in protocols, encryption schemes, and authentication processes to gain unauthorized access to sensitive data. Financial fraud, identity theft, and data breaches frequently follow from this.

A multi-layered defense strategy is required due to the intricacy and diversity of MITM techniques. The key to protecting data in transit is to use strong encryption with current protocols, enforce strict authentication measures like multi-factor authentication (MFA), and keep a safe Public Key Infrastructure (PKI). Additionally, in order to recognize suspicious activity suggestive of Man-in-the-Middle (MITM) attempts, network monitoring and anomaly detection are crucial.

The attack surface is being increased by emerging technologies and the growing use of IoT devices, so it is more crucial than ever to take thorough security precautions and maintain constant watch. In order to lessen the threat posed by MITM attacks, users must be educated and made aware of the risks connected to unsecured networks, especially public Wi-Fi.

In conclusion, even though MITM attacks are a serious risk to the integrity of digital communication, they can be greatly reduced and their effects are avoidable by a combination of modern technological defenses, regular monitoring, and knowledgeable user practices. Our strategies to counter cyber threats must also adapt and strengthen over time, forcing regular enhancement of our digital defenses.
