home » Android » Like man in the middle. All about the Man in the Middle (MitM) attack. Injection of malicious code

Like man in the middle. All about the Man in the Middle (MitM) attack. Injection of malicious code

Man-in-the-middle attack is a generic name for various techniques aimed at gaining access to traffic as an intermediary. Due to the wide variety of these techniques, it is problematic to implement a single tool for detecting these attacks that would work for all possible situations. For example, in a man-in-the-middle attack on a local network, ARP spoofing is commonly used. And many man-in-the-middle attack detection tools watch for changes in Ethernet / address pairs or report suspicious ARP activity by passively monitoring ARP requests / responses. But if this attack is used on a maliciously configured proxy server, VPN, or in other cases where ARP poisoning is not used, then such tools are helpless.

The purpose of this section is to look at some of the techniques for detecting man-in-the-middle attacks, as well as some tools designed to determine if a MitM attack is taking place against you. Due to the variety of methodologies and implementation scenarios, 100% detection cannot be guaranteed.

1. Traffic modification detection

As already mentioned, ARP spoofing is not always used in man-in-the-middle attacks. Therefore, although ARP-level activity detection is the most popular detection method, more in a universal way is traffic modification detection. The mitmcanary program can help us with this.

The principle of the program is that it makes "control" requests and saves the received responses. After that, she repeats the same requests at certain intervals and compares the responses received. The program is intelligent enough and to avoid false positives it detects dynamic elements in responses and processes them correctly. As soon as the program detects traces of the activity of tools for MitM attacks, it reports this.

Examples of how some tools can "inherit":

MITMf, by default, changes all HTTPS URLs in HTML code to HTTP. Revealed by comparing HTTP content.
Zarp + MITMProxy, MITMProxy has functionality that allows you to clear HTTP compression, this is used for the transparency of transmitted traffic, this bundle is detected by the disappearance of previously present compression
Responder, detected by sudden changes in the conversion of mDNS responses: unexpected response; the answer is internal but external is expected; response is different from expected IP

MITMCanary vs MITMf:

MITMCanary vs Responder:

MITMCanary vs Zarp + MITMProxy:

Sudo pip install Cython sudo apt-get install python-kivy python-dbus sudo pip install plyer uuid urlopen analysis request simplejson datetime git clone https://github.com/CylanceSPEAR/mitmcanary.git cd mitmcanary /

As already mentioned, mitmcanary should start with control requests. To do this, go to the directory

Cd service /

And run the file setup_test_persistence.py:

Python2 setup_test_persistence.py

This will take some time - wait until the end. No error messages should be displayed (if so, then you are missing some dependencies).

It will output something like this:

[email protected]: ~ / bin / mitmcanary / service $ python2 setup_test_persistence.py Older configuration version detected (0 instead of 14) Upgrading configuration in progress. Purge log fired. Analysing ... Purge finished! Record log in /home/mial/.kivy/logs/kivy_16-11-01_0.txt v1.9.1 v2.7.12 + (default, Sep 1 2016, 20:27:38)

After finishing this process, in the same directory execute (this will start the background process):

Python2 main.py

After that open a new terminal window and change to the horse directory with mitmcanary. I have this directory bin / mitmcanary /, so I enter

Cd bin / mitmcanary /

and execute there:

Python2 main.py

The first window displays something like:

[email protected]: ~ / bin / mitmcanary / service $ python2 main.py Record log in /home/mial/.kivy/logs/kivy_16-11-01_1.txt v1.9.1 v2.7.12 + (default, Sep 1 2016, 20:27 : 38) using for socket listening for Tuio on 127.0.0.1:3000 Sleeping for 60 seconds Sleeping for 60 seconds Sleeping for 60 seconds Sleeping for 60 seconds Sleeping for 60 seconds Sleeping for 60 seconds

Those. the program makes control requests once a minute and looks for signs of a man-in-the-middle attack in them.

The second window also contains output + a dark window opens, the authors of the program call this window a "graphical interface":

You can wait a while, surf the Internet to make sure that the program does not give any false warnings.

Let's try the classic Ettercap program.

I am running a regular MitM attack with ARP spoofing. The mitmcanary does not react to etching itself. The mitmcanary tool generates traffic itself, that is, no user action is required. After some time, one single warning appears, which is not confirmed during subsequent next checks. But a similar warning appears after a few minutes. Without additional analysis, I find it difficult to say whether this is an example of a false positive - it is very similar to that. It is possible that this warning is caused by a communication disruption caused by the need for traffic to pass additional routes, or by the peculiarities of my poor-quality Internet connection.

Since the result is not obvious (more "no" than "yes"), let's try the Bettercap program, which has various modules. I have no doubt that when using various Ettercap plugins and / or additional programs to expand functionality, we would also be "lit up" for mitmcanary.

For the purity of the experiment, I restart the equipment, run mitmcanary on the attacked machine and Bettercap on the attacking one. At the same time, it is not necessary to make control requests again on the attacked machine - they are saved in a file inside the program directory. Those. just start the service and the GUI.

And in the attacking machine, we will run Bettercap with the parsers enabled:

Sudo bettercap -X

Appear separate warningswhich also look more like false positives.

But running this command:

Sudo bettercap -X --proxy

On the attacked machine, it generates a large number of warnings about a possible man-in-the-middle attack:

So, the more functional a man-in-the-middle attack tool, the more traces it leaves in traffic. For practical use mitmcanary the following conditions must be met:

make initial requests to a trusted network when you are sure that there is no intermediary in the transmission of traffic;
edit the resources to which verification requests are made, since a professional attacker can add default resources to exceptions, which will make him invisible to this tool.

2. Revealing ARP spoofing (ARP cache poisoning)

Very often, a man-in-the-middle attack on a LAN begins with ARP poisoning. That is why many tools designed to detect MitM attacks are based on a mechanism for tracking changes in the ARP cache, in which correspondences between Ethernet (MAC addresses) and IP addresses are assigned.

Examples of such programs include arpwatch, arpalert, and a large number of new programs. ArpON not only monitors ARP cache changes, but also protects it from them.

As an example, let's start arpwatch in debug mode, without creating background forks and sending messages by mail. Instead, messages are sent to stderr (standard error output).

Sudo / usr / sbin / arpwatch -d

Let's launch Ettercap on the attacking machine and start ARP spoofing. On the attacked machine, we observe:

Arpwatch program will help you quickly find out about new connected devices in your local area networkand also about ARP cache changes.

Another tool for detecting ARP spoofing in real time is a plugin from Ettercap itself called arp_cop... Launch Ettercap on the attacked machine as follows:

Sudo ettercap -TQP arp_cop ///

And on the attacker, let's start ARP etching. The attacked machine immediately starts displaying warnings:

3. DNS spoofing detection

DNS spoofing indicates that there is an intermediary between you and your destination that can modify your traffic. How can you find that DNS records have been replaced? The easiest way to do this is to compare with the responses from a nameserver you trust. But the records in the response sent to your request can also be spoofed ...

Those. you need to check either through an encrypted channel (for example, through Tor), or use non-standard settings (another port, TCP instead of UDP). This is roughly what XiaoxiaoPu's sans program is for (at least that's what I understand). Using this program, I managed to redirect DNS requests through Tor and through non-standard settings to my DNS server... But I still couldn't get her to show me messages about spoofing DNS responses. And without this, the meaning of the program is lost.

I could not find more worthy alternatives.

In principle, given that DNS spoofers usually monitor only port 53, and only the UDP protocol, then even manually it is enough just to check the fact of DNS spoofing, although this requires your own DNS server with a non-standard configuration. For example, on the attacking machine, I created the file dns.conf with the following content:

Local mi-al.ru

Those. when requesting a DNS record for the mi-al.ru site, instead of the real IP, the IP of the attacker's machine will be sent.

I run it on the attacking machine:

Sudo bettercap --dns dns.conf

And on the attacked one I do two checks:

Dig mi-al.ru # and dig mi-al.ru -p 4560 @ 185.117.153.79

Results:

[email protected]: ~ $ dig mi-al.ru;<<>\u003e DiG 9.10.3-P4-Debian<<>\u003e mi-al.ru ;; global options: + cmd ;; Got answer: ;; - \u003e\u003e HEADER<<- opcode: QUERY, status: NOERROR, id: 51993 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;mi-al.ru. IN A ;; ANSWER SECTION: mi-al.ru. 86400 IN A 192.168.1.48 ;; Query time: 2 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Wed Nov 02 09:25:20 MSK 2016 ;; MSG SIZE rcvd: 42 [email protected]: ~ $ dig mi-al.ru -p 4560 @ 185.117.153.79;<<>\u003e DiG 9.10.3-P4-Debian<<>\u003e mi-al.ru -p 4560 @ 185.117.153.79 ;; global options: + cmd ;; Got answer: ;; - \u003e\u003e HEADER<<- opcode: QUERY, status: NOERROR, id: 401 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;mi-al.ru. IN A ;; ANSWER SECTION: mi-al.ru. 3799 IN A 185.26.122.50 ;; Query time: 304 msec ;; SERVER: 185.117.153.79#4560(185.117.153.79) ;; WHEN: Wed Nov 02 09:25:27 MSK 2016 ;; MSG SIZE rcvd: 53

It can be seen that the local IP 192.168.1.48 was sent for a "regular" DNS query, and the correct server IP is sent when querying the DNS on an atypical port.

If the server were configured to work with TCP (not UDP), then the command would look like this:

Dig mi-al.ru -p 4560 + tcp @ 185.117.153.79

There is clearly a lack of a tool that itself would track DNS responses in traffic, recheck them against an alternative source and raise an alarm in case of spoofing.

To do without setting up your own remote DNS, you can query the nameserver over Tor. Since all Tor traffic is encrypted, the DNS responses obtained in this way are too tough for an intermediary. If Tor is not already installed, then install it.

Sudo apt-get install tor

Sudo pacman -S tor

Start the service:

Sudo systemctl start tor

If you need it, add this service to startup:

Sudo systemctl enable tor

Open the file / etc / tor / torrc and add the following lines there:

DNSPort 530 AutomapHostsOnResolve 1 AutomapHostsSuffixes .exit, .onion

Pay attention to the number 530. This is the port number, instead of 530 you can specify any other (unoccupied) port. The main thing is to remember it.

We do checks again:

Dig mi-al.ru # and dig mi-al.ru -p 530 @localhost

Now we specify as the server localhost, and write the port number that you specified in the / etc / tor / torrc settings.

As you can see from the following screenshot, a DNS spoofing attack is being carried out against the machine on which the check was made:

4. Search for network interfaces in promiscuous mode

If your local network has (and especially if it suddenly appeared) equipment in an illegible mode, this is very suspicious, although it does not unequivocally indicate a man-in-the-middle attack.

In this mode, the network card allows all packets to be received regardless of who they are addressed to.

In the normal state, the Ethernet interface uses link layer packet filtering, and if the MAC address in the destination header of the received packet does not match the MAC address of the current network interface and is not broadcast, then the packet is dropped. In "promiscuous" mode, filtering on the network interface is disabled and all packets, including those not intended for the current host, are allowed into the system.

Most operating systems require administrator rights to enable promiscuous mode. Those. Promoting a NIC is a deliberate action that can serve the purpose of sniffing.

For searching network interfaces in promiscuous mode, there is an Ettercap plugin called search_promisc.

Plugin launch example:

Sudo ettercap -TQP search_promisc ///

The plug-in is not completely reliable, there may be errors in determining the mode of the network interface.

Conclusion

Some man-in-the-middle attacks leave many traces, while others (such as passive proxy lookups for credentials) are impossible or nearly impossible to detect.

Attack principle

The attack usually begins with listening to the communication channel and ends with the cryptanalyst trying to replace the intercepted message, extract useful information from it, and redirect it to some external resource.

Suppose object A plans to convey some information to object B. Object C has knowledge about the structure and properties of the used data transfer method, as well as about the fact of the planned transfer of the actual information that C plans to intercept. To carry out an attack, C "appears" to object A as B, and to object B as A. Object A, mistakenly believing that it sends information to B, sends it to object C. Object C, having received information, and having performed some actions with it (for example having copied or modified for their own purposes) sends the data to the recipient proper - B; subject B, in turn, believes that the information was received directly from A.

Example attack

Injection of malicious code

A man-in-the-middle attack allows a cryptanalyst to inject his code into emails, SQL statements, and web pages (that is, allows SQL injection, HTML / script injection, or XSS attacks), and even modifies user-uploaded binaries to to access a user account or change the behavior of a program downloaded by a user from the Internet.

Downgrade Attack

The term "Downgrade Attack" refers to an attack in which a cryptanalyst forces the user to use less secure functions, protocols that are still supported for compatibility reasons. This type of attack can be carried out against SSH, IPsec and PPTP.

SSH V1 instead of SSH V2

An attacker can try to change the connection parameters between the server and the client when establishing a connection between them. According to a talk given at Blackhat Conference Europe 2003, a cryptanalyst can "force" a client to start an SSH1 session instead of SSH2 by changing the version number "1.99" for the SSH session to "1.51", which means using SSH V1. The SSH-1 protocol has vulnerabilities that a cryptanalyst can exploit.

IPsec

In this scenario, the cryptanalyst misleads his victim into thinking that the IPsec session cannot start at the other end (server). This leads to the fact that messages will be forwarded explicitly, if the host machine is running in rollback mode.

PPTP

At the stage of negotiating PPTP session parameters, the attacker can force the victim to use the less secure PAP authentication, MSCHAP V1 (that is, "roll back" from MSCHAP V2 to version 1), or not use encryption at all.

An attacker can force his victim to repeat the stage of negotiating the PPTP session parameters (send a Terminate-Ack packet), steal the password from the existing tunnel and repeat the attack.

Will encryption save you?

Consider the case of a standard HTTP transaction. In this case, the attacker can quite easily split the original TCP connection into two new ones: one between himself and the client, the other between himself and the server. It is quite easy to do this, as it is very rare that the connection between the client and the server is direct, and in most cases they are connected through a number of intermediate servers. An MITM attack can be carried out on any of these servers.

However, if the client and server communicate over HTTPS, a protocol that supports encryption, a man-in-the-middle attack can also be carried out. With this type of connection, TLS or SSL is used to encrypt requests, which, it would seem, makes the channel protected from sniffing and MITM attacks. An attacker can create two independent SSL sessions for each TCP connection. The client establishes an SSL connection with the attacker, who in turn creates a connection to the server. In such cases, the browser usually warns that the certificate is not signed by a trusted certification authority, but an ordinary user can easily ignore this warning. In addition, an attacker may have a certificate signed by a certification authority. Thus, the HTTPS protocol cannot be considered secure against MITM attacks.

MITM attack detection

To detect a man-in-the-middle attack, you need to analyze your network traffic. For example, to detect an SSL attack, you should pay attention to the following parameters:

Server IP
DNS server
X.509 - server certificate
- Is the certificate self-signed?
- Is the certificate signed?
- Has the certificate been revoked?
- Has the certificate changed recently?
- Have other customers on the Internet received the same certificate?

MITM attack implementations

The listed programs can be used to carry out man-in-the-middle attacks, as well as to detect them and test the system for vulnerabilities.

Example in the literature

A vivid literary example can be seen in "The Tale of Tsar Saltan" by Alexander Pushkin, where three "people in the middle" appear: a weaver, a cook and Babarikha. They are the ones who replace the letters addressed to the tsar and his return correspondence.

Literature

Links

Wikimedia Foundation. 2010.

See what "Man in the Middle" is in other dictionaries:

Attack "man in the middle" (English Man in the middle, MitM attack) is a term in cryptography, denoting a situation when an attacker is able to read and modify at will the messages exchanged by correspondents, and none of ... ... Wikipedia

When an attacker, having connected to a channel between counterparties, interferes with the transmission protocol, deleting or distorting information.

Attack principle

Example attack

Injection of malicious code

Downgrade Attack

To protect against Downgrade Attack, insecure protocols must be disabled on at least one side; just supporting and using secure protocols by default is not enough!

SSH V1 instead of SSH V2

An attacker can try to change the connection parameters between the server and the client when establishing a connection between them. According to a talk at Blackhat Conference Europe 2003, a cryptanalyst can "force" a client to start an SSH1 session instead of SSH2 by changing the version number "1.99" for the SSH session to "1.51", which means using SSH V1. The SSH-1 protocol has vulnerabilities that a cryptanalyst can exploit.

IPsec

PPTP

An attacker can force his victim to repeat the stage of negotiating the PPTP session parameters (send a Terminate-Ack packet), steal the password from the existing tunnel, and repeat the attack.

Public means of communication without protecting the reliability, confidentiality, availability and integrity of information

The most common means of communication for this group are social networking, public e-mail and instant messaging. The owner of the resource that provides the communications service has full control over the information exchanged by the correspondents and, at his discretion, can carry out an attack at any time without hindrance.

In contrast to the previous scenarios based on technical and technological aspects of communications, in this case the attack is based on mental aspects, namely, on the ingraining of the concept of ignoring information security requirements in the minds of users.

Will encryption save you?

However, if the client and server communicate over HTTPS, a protocol that supports encryption, a man-in-the-middle attack can also be carried out. This type of connection uses TLS or SSL to encrypt requests, which would seem to make the channel secure from sniffing and MITM attacks. An attacker can create two independent SSL sessions for each TCP connection. The client establishes an SSL connection with the attacker, who in turn creates a connection to the server. In such cases, the browser usually warns that the certificate is not signed by a trusted certification authority, but ordinary users of outdated browsers can easily bypass this warning. In addition, an attacker may have a certificate signed by a root CA (for example, such certificates are sometimes used for DLP) and not generating alerts. In addition, there are a number of attacks against HTTPS. Thus, the HTTPS protocol cannot be considered secure against MITM attacks among ordinary users. [ ] There are a number of measures that prevent some of the MITM attacks on https sites, in particular, HSTS, which prohibits the use of http connections from sites, Certificate pinning and HTTP Public Key Pinning, which prohibit certificate spoofing.

MITM attack detection

To detect a man-in-the-middle attack, you need to analyze your network traffic. For example, to detect an SSL attack, you should pay attention to the following parameters:

Server IP
DNS server
X.509 - server certificate
- Is the certificate self-signed?
- Is the certificate signed by a certification authority?
- Has the certificate been revoked?
- Has the certificate changed recently?
- Have other customers on the Internet received the same certificate?

MITM attack implementations

The listed programs can be used to carry out man-in-the-middle attacks, as well as to detect them and test the system for vulnerabilities.

Write a review on "Middleman Attack"

Literature

Excerpt from Mediator Attack

“Quartire, quartire, logement,” said the officer, looking down at the little man with a condescending and good-natured smile. - Les Francais sont de bons enfants. Que diable! Voyons! Ne nous fachons pas, mon vieux, [Apartments, flats ... The French are good guys. Damn it, let's not quarrel, grandfather.] - he added, patting the frightened and silent Gerasim on the shoulder.
- A ca! Dites donc, on ne parle donc pas francais dans cette boutique? [Well, really, no one here speaks French either?] He added, looking around and meeting Pierre's eyes. Pierre stepped back from the door.
The officer again turned to Gerasim. He demanded that Gerasim show him the rooms in the house.
“There’s no master — don’t understand… my yours…” Gerasim said, trying to make his words clearer by the fact that he spoke them in reverse.
The French officer, smiling, spread his hands in front of Gerasim's nose, letting him feel that he did not understand him, and limping, he walked to the door at which Pierre was standing. Pierre wanted to move away in order to hide from him, but at that very time he saw Makar Alekseich leaning out from the opening door of the kitchen with a pistol in his hands. With the cunning of a madman, Makar Alekseich looked at the Frenchman and, raising his pistol, took aim.
- Aboard!!! The drunk shouted, pressing the trigger of the pistol. The French officer turned to shout, and at the same instant Pierre threw himself at the drunk. While Pierre grabbed and raised the pistol, Makar Alekseich finally hit the trigger with his finger, and a shot rang out, deafening and covering everyone with powder smoke. The Frenchman turned pale and rushed back to the door.
Having forgotten his intention not to reveal his knowledge of the French language, Pierre, having pulled out the pistol and thrown it, ran up to the officer and spoke to him in French.
"Vous n" etes pas blesse? [Are you hurt?] He said.
"Je crois que non," the officer replied, feeling himself, "mais je l" ai manque belle cette fois ci, "he added, pointing to the beating plaster in the wall." Quel est cet homme? [It seems not ... but this once it was close. Who is this man?] - the officer said with a stern glance at Pierre.
- Ah, je suis vraiment au desespoir de ce qui vient d "arriver, [Ah, I really am in despair of what happened,]" Pierre said quickly, completely forgetting his role. - C "est un fou, un malheureux qui ne savait pas ce qu "il faisait. [This is an unfortunate madman who did not know what he was doing.]
The officer went up to Makar Alekseich and grabbed him by the collar.
Makar Alekseich, letting his lips down, as if falling asleep, swayed, leaning against the wall.
“Brigand, tu me la payeras,” said the Frenchman, removing his hand.
- Nous autres nous sommes clements apres la victoire: mais nous ne pardonnons pas aux traitres, [Rogue, you will pay me for this. Our brother is merciful after the victory, but we do not forgive the traitors,] - he added with gloomy solemnity on his face and with a beautiful energetic gesture.
Pierre continued in French to persuade the officer not to exact from this drunken, insane man. The Frenchman listened in silence, without changing his gloomy look, and suddenly turned to Pierre with a smile. He looked at him in silence for a few seconds. His handsome face assumed a tragically gentle expression, and he held out his hand.
- Vous m "avez sauve la vie! Vous etes Francais, [You saved my life. You are French,] - he said. For a Frenchman, this conclusion was beyond doubt. Only a Frenchman could accomplish a great deed, and saving his life, mr Ramball" I capitaine du 13 me leger [Monsieur Rambal, captain of the 13th light regiment] - was without doubt the greatest deed.
But no matter how undoubted this conclusion and the officer's conviction based on it, Pierre considered it necessary to disappoint him.
- Je suis Russe, [I am Russian,] - Pierre said quickly.
- Ti tee tee, a d "autres, [tell this to others,] - said the Frenchman, waving his finger in front of his nose and smiling. - Tout a l" heure vous allez me conter tout ca, "he said. - Charme de rencontrer un compatriote. Eh bien! qu "allons nous faire de cet homme? [Now you’ll tell me all this. It’s very nice to meet a compatriot. Well, what are we to do with this man?" he added, addressing Pierre, already as his brother. If only Pierre was not a Frenchman, having received this highest name in the world, he could not renounce it, the expression on the face and tone of the French officer spoke. To the last question, Pierre once again explained who Makar Alekseich was, explained that before their arrival this a drunken, insane man stole a loaded pistol, which they did not manage to take from him, and asked him to leave his act unpunished.
The Frenchman put out his chest and made a royal hand gesture.
- Vous m "avez sauve la vie. Vous etes Francais. Vous me demandez sa grace? Je vous l" accorde. Qu "on emmene cet homme, [You saved my life. You are French. Do you want me to forgive him? I forgive him. Take this man away," the French officer said quickly and energetically, taking by the arm what he had done to save his life into the French Pierre, and went with him to the house.
The soldiers who were in the yard, hearing the shot, entered the entrance, asking what had happened and expressing their readiness to punish those responsible; but the officer severely stopped them.
- On vous demandera quand on aura besoin de vous, [When necessary, you will be called,] - he said. The soldiers left. The orderly, who had in the meantime been in the kitchen, went up to the officer.
“Capitaine, ils ont de la soupe et du gigot de mouton dans la cuisine,” he said. - Faut il vous l "apporter? [The captain has soup and roast lamb in the kitchen. Would you like me to bring it?]
- Oui, et le vin, [Yes, and wine,] said the captain.

The French officer entered the house with Pierre. Pierre considered it his duty to reassure the captain that he was not a Frenchman, and wanted to leave, but the French officer did not want to hear about it. He was so courteous, kind, good-natured and truly grateful for saving his life that Pierre did not have the heart to refuse him and sat down with him in the hall, in the first room into which they entered. In response to Pierre's assertion that he was not French, the captain, obviously not understanding how it was possible to refuse such a flattering title, shrugged his shoulders and said that if he certainly wanted to be known as a Russian, then let it be so, but that he, despite then, all the same forever connected with him a feeling of gratitude for saving a life.
If this man had been gifted at least to some extent with the ability to understand the feelings of others and had guessed about Pierre's feelings, Pierre would probably have left him; but this man's animated impermeability to everything that was not himself won Pierre.
- Francais ou prince russe incognito, [French or Russian incognito prince,] - said the Frenchman, looking at Pierre's dirty, but thin linen and the ring on his hand. - Je vous dois la vie je vous offre mon amitie. Un Francais n "oublie jamais ni une insulte ni un service. Je vous offre mon amitie. Je ne vous dis que ca. [I owe you my life, and I offer you friendship. The Frenchman never forgets an insult or a favor. I offer you my friendship. I say nothing more.]
There was so much good nature and nobility (in the French sense) in the sounds of the voice, in the expression on the face, in the gestures of this officer, that Pierre, responding with an unconscious smile to the smile of the Frenchman, shook his outstretched hand.
- Capitaine Ramball du treizieme leger, decore pour l "affaire du Sept, [Captain Rambal, Thirteenth Light Regiment, Knight of the Legion of Honor for the Seventh September cause,]" he introduced himself with a smug, irrepressible smile that curled his lips under his mustache. - Voudrez vous bien me dire a present, a qui "j" ai l "honneur de parler aussi agreablement au lieu de rester al" ambulance avec la balle de ce fou dans le corps. [Would you be so kind to tell me now who I am with I have the honor to talk so nicely, instead of being at the dressing station with this madman's bullet in the body?]
Pierre replied that he could not say his name, and, blushing, began, trying to invent a name, to talk about the reasons why he could not say this, but the Frenchman hastily interrupted him.
“De grace,” he said. - Je comprends vos raisons, vous etes officier ... officier superieur, peut etre. Vous avez porte les armes contre nous. Ce n "est pas mon affaire. Je vous dois la vie. Cela me suffit. Je suis tout a vous. Vous etes gentilhomme? [Complete, please. I understand you, you are an officer ... headquarters officer, maybe. You served against us It's none of my business. I owe you my life. That's enough for me, and I'm all yours. Are you a nobleman?] "He added with a tinge of question. Pierre bowed his head." Votre nom de bapteme, s "il vous plait? Je ne demande pas davantage. Monsieur Pierre, dites vous ... Parfait. C "est tout ce que je desire savoir. [Your name? I don't ask anything else. Mister Pierre, did you say? Great. That's all I need.]
When the fried lamb, scrambled eggs, samovar, vodka and wine from the Russian cellar were brought, which the French brought with them, Rambal asked Pierre to take part in this dinner and immediately, greedily and quickly, like a healthy and hungry man, began to eat, quickly chewing with her strong teeth, incessantly smacking his lips and saying excellent, exquis! [wonderful, excellent!] His face was flushed and covered with sweat. Pierre was hungry and took part in the dinner with pleasure. Morel, the orderly, brought a pot of warm water and put a bottle of red wine in it. In addition, he brought a bottle of kvass, which he took in the kitchen for testing. This drink was already known to the French and got its name. They called the kvass limonade de cochon (pork lemonade), and Morel praised this limonade de cochon he found in the kitchen. But since the captain had wine obtained during the passage through Moscow, he provided kvass to Morel and took up a bottle of Bordeaux. He wrapped the bottle up to the neck in a napkin and poured himself and Pierre some wine. Satisfied hunger and wine revived the captain even more, and he talked incessantly during dinner.
- Oui, mon cher monsieur Pierre, je vous dois une fiere chandelle de m "avoir sauve ... de cet enrage ... J" en ai assez, voyez vous, de balles dans le corps. En voila une (on pointed to the side) a Wagram et de deux a Smolensk, - he showed the scar that was on his cheek. - Et cette jambe, comme vous voyez, qui ne veut pas marcher. C "est a la grande bataille du 7 a la Moskowa que j" ai recu ca. Sacre dieu, c "etait beau. Il fallait voir ca, c" etait un deluge de feu. Vous nous avez taille une rude besogne; vous pouvez vous en vanter, nom d "un petit bonhomme. Et, ma parole, malgre l" atoux que j "y ai gagne, je serais pret a recommencer. Je plains ceux qui n" ont pas vu ca. [Yes, my dear Master Pierre, I am obliged to light a good candle for you for saving me from this madman. You see, I've had enough of those bullets that I have in my body. Here is one near Vagram, another near Smolensk. And this leg, you see, does not want to move. This is at the big battle of the 7th near Moscow. ABOUT! it was wonderful! You should have seen it was a deluge of fire. You have given us a difficult job, you can boast. And by God, despite this trump card (he pointed to the cross), I would be ready to start all over again. I pity those who did not see it.]
- J "y ai ete, [I was there,] - said Pierre.
- Bah, vraiment! Eh bien, tant mieux, said the Frenchman. - Vous etes de fiers ennemis, tout de meme. La grande redoute a ete tenace, nom d "une pipe. Et vous nous l" avez fait cranement payer. J "y suis alle trois fois, tel que vous me voyez. Trois fois nous etions sur les canons et trois fois on nous a culbute et comme des capucins de cartes. Oh !! c" etait beau, monsieur Pierre. Vos grenadiers ont ete superbes, tonnerre de Dieu. Je les ai vu six fois de suite serrer les rangs, et marcher comme a une revue. Les beaux hommes! Notre roi de Naples, qui s "y connait a crie: bravo! Ah, ah! Soldat comme nous autres!" He said, smiling, eating a moment's silence. "Tant mieux, tant mieux, monsieur Pierre. Terribles en bataille ... galants ... - he winked with a smile, - avec les belles, voila les Francais, monsieur Pierre, n "est ce pas? [Bah, really? All the better. You are dashing enemies, I must confess. The big redoubt held up well, damn it. And you made us pay dearly. I was there three times, as you can see. Three times we were on cannons, three times we were overturned like card soldiers. Your grenadiers were great, by God. I saw how their ranks closed up six times and how they went exactly to the parade. Wonderful people! Our Neapolitan king, who ate the dog in these matters, shouted to them: bravo! - Ha, ha, so you are our brother soldier! “So much the better, so much the better, Monsieur Pierre. Terrible in battles, kind with beauties, here are the French, Monsieur Pierre. Is not it?]
To such an extent the captain was naively and good-naturedly cheerful, and wholehearted, and pleased with himself that Pierre almost winked himself, looking at him merrily. Probably the word "galant" made the captain think about the situation in Moscow.

In this article, we will try to figure out the theory of middleman attacks and some practical points to help prevent these types of attacks. This will help us understand the risks that such intrusions pose to our personal lives, since MitM attacks allow us to invade communications and eavesdrop on our conversations.

Understanding how the internet works

To understand the principle of an intermediary attack, you must first understand how the Internet itself works. Main points of interaction: clients, routers, servers. The most common client-server communication protocol is Hypertext Transfer Protocol (HTTP). Browsing the internet with a browser, email, instant messaging are all done over HTTP.

When you type in the address bar of your browser, the client (you) sends a request to display the web page to the server. The packet (HTTP GET request) is transmitted through several routers to the server. The server then responds with a web page that is sent to the client and displayed on its monitor. HTTP messages must be transmitted in a secure manner to ensure confidentiality and anonymity.

Figure 1. Client-server interaction

Securing the communication protocol

A secure communication protocol must have each of the following properties:

Privacy - only the intended recipient can read the message.
Authenticity - the identity of the interacting parties is proven.
Integrity - confirmation that the message has not been changed along the way.

If any of these rules are not followed, the entire protocol is compromised.

Middleman attack over HTTP

An attacker can easily carry out a middleman attack using a technique called ARP spoofing. Anyone on your Wi-Fi network can send you a spoofed ARP packet that will unknowingly send all your traffic through an attacker instead of a router.

The attacker then gains full control over the traffic and can monitor requests sent in both directions.

Figure 2. Mediator attack scheme

To prevent such attacks, a secure version of the HTTP protocol was created. Transport Layer Security (TLS) and its predecessor, Secure Socket Layer (SSL), are cryptographic protocols that ensure the security of data transmission over a network. Hence, the secure protocol will be called HTTPS. You can see how the secure protocol works by typing in the address bar of your browser (note the presence of S in https).

Brokerage attack on poorly implemented SSL

Modern SSL uses a good encryption algorithm, but it doesn't matter if it's not implemented correctly. If a hacker can intercept the request, he can modify it by removing the "S" from the requested URL, thereby bypassing SSL.

Such interception and modification of the request can be seen. For example, if you request https://login.yahoo.com/ and the response comes back http://login.yahoo.com/, it should raise suspicion. As of this writing, such an attack does indeed work on Yahoo's email service.

Figure 3. Interception and modification of the request

To prevent such an attack, servers can implement HTTP Strict Transport Security (HSTS), a mechanism that enables a forced secure connection over HTTPS. In this case, if an attacker modifies the request by removing "S" from the URL, the server will still redirect the user with a 302 redirect to a page with a secure protocol.

Figure 4. Scheme of HSTS operation

This way of implementing SSL is vulnerable to another type of attack - the attacker creates an SSL connection to the server, but uses various tricks to force the user to use HTTP.

Figure 5. Schematic of an attack with HSTS

To prevent such attacks, modern browsers like Chrome, Firefox, and Tor monitor sites that use HSTS and enforce a client-side SSL connection with them. In this case, the middleman attacker would have to create an SSL connection with the victim.

Figure 6. Schematic diagram of an attack where the attacker establishes an SSL connection with the victim

In order to secure an SLL connection to a user, an attacker must know how to act as a server. Let's take a look at the technical aspects of SSL.

Understanding SSL

From a hacker's point of view, compromising any communication protocol boils down to finding the weak link among the above components (privacy, authenticity, and integrity).

SSL uses an asymmetric encryption algorithm. In symmetric encryption, the problem is that the same key is used to encrypt and decrypt data, this approach is unacceptable for Internet protocols, since an attacker can trace this key.

Asymmetric encryption includes 2 keys for each side: a public key used for encryption and a private key used to decrypt data.

Figure 7. Operation of public and private keys

How does SSL provide the three properties required for secure communication?

Because it uses asymmetric cryptography to encrypt data, SSL provides a private connection. This encryption is not so easy to break and go unnoticed.
The server confirms its legitimacy by sending the client an SSL certificate issued by a certification authority - a trusted third party.

If an attacker somehow manages to obtain the certificate, he can create the conditions for a middleman attack. Thus, he will create 2 connections - with the server and with the victim. In this case, the server thinks that the attacker is a regular client, and the victim has no way to identify the attacker, since the attacker provided a certificate proving that he is the server.

Your messages arrive and arrive in encrypted form, but pass through the chain through the cybercriminal's computer, where he has full control.

Figure 8. Scheme of an attack when an attacker has a certificate

The certificate does not have to be forged if an attacker has the ability to compromise the victim's browser. In this case, he can insert a self-signed certificate that will be trusted by default. This is how most middleman attacks are implemented. In more complicated cases, the hacker must go the other way - forge the certificate.

Certification Authority Issues

The certificate sent by the server is issued and signed by a certification authority. Each browser has a list of trusted CAs and you can add or remove them. The problem here is that if you decide to remove large authorities, you will not be able to visit sites that use certificates signed by these authorities.

Certificates and CAs have always been the weakest link in an HTTPS connection. Even if everything was done correctly and each CA has a solid authority, it is still difficult to come to terms with the fact that there are many third parties to trust.

Today, there are over 650 organizations capable of issuing certificates. If an attacker breaks into any of them, he will get hold of any certificates he wants.

Even when there was only one CA, VeriSign, there was a problem - the people who were supposed to prevent the middleman attacks were selling interception services.

Also, many certificates were created due to hacking of certification authorities. Various tricks and tricks were used to force the attacked user to trust fraudulent certificates.

Forensics

Since the attacker is sending bogus ARP packets, his IP address cannot be seen. Instead, you need to pay attention to the MAC address, which is specific to each device on the network. If you know the MAC address of your router, you can compare it with the MAC address of the default gateway to find out if it is really your router or an attacker.

For example, on Windows, you can use the ipconfig command on the command line (CMD) to see the IP address of your default gateway (last line):

Figure 9. Using the ipconfig command

Then use the arp –a command to find out the MAC address of this gateway:

Figure 10. Using the arp –a command

But there is another way to spot an attack - if you were monitoring network activity at the time it started and watching for ARP packets. For example, you can use Wireshark for these purposes, this program will notify you if the MAC address of the default gateway has changed.

Note: If the attacker spoofs the MAC addresses correctly, it will become a big problem to trace them.

Output

SSL is a protocol that forces an attacker to do a huge amount of work to carry out an attack. But it won't protect you from government-sponsored attacks or skilled hacker organizations.

The user's task is to protect his browser and computer to prevent the insertion of a fake certificate (a very common technique). You should also pay attention to the list of trusted certificates and remove those you do not trust.

There are almost always several ways to achieve the desired result. This also applies to the information security area. Sometimes, to achieve a goal, you can brutalize, search for holes and develop exploits on your own, or listen to what is transmitted over the network. Moreover, the latter option is often optimal. That is why today we will talk about tools that will help to extract valuable information from network traffic, attracting MITM attacks for this.

MITMf

Let's start with one of the more interesting candidates. This is a whole framework for man-in-the-middle attacks, built on the basis of sergio-proxy. Recently included in Kali Linux. For self-installation, just clone the repository and run a couple of commands:

# setup.sh # pip install -r requirements.txt

# pip install -r requirements.txt

Has a plugin-extensible architecture. Among the main ones are the following:

Spoof - allows you to redirect traffic using ARP / DHCP spoofing, ICMP redirects and modify DNS requests;
Sniffer - This plugin monitors login attempts for various protocols;
BeEFAutorun - allows you to automatically launch BeEF modules based on the type of OS and client browser;
AppCachePoison - Performs a cache poisoning attack;
SessionHijacking - hijacking sessions and saves received cookies in the firelis profile;
BrowserProfiler - tries to get a list of plugins used by the browser;
FilePwn - allows you to replace files sent via HTTP using Backdoor Factory and BDFProxy;
Inject - Injects arbitrary content into an HTML page;
jskeylogger - Injects a JavaScript keylogger into client pages.

If this functionality does not seem enough for you, then you can always add your own by implementing the appropriate extension.

PuttyRider

Another noteworthy utility. True, unlike all other tools considered today, it is very narrowly specialized. As the author of the project himself says, the idea to create such a utility was prompted by the fact that during the penetration tests, the most important data was located on Linux / UNIX servers, to which the admins connected via SSH / Telnet / rlogin. Moreover, in most cases it was much easier to gain access to the administrator's machine than to the target server. Having penetrated the system administrator's machine, it remains only to make sure that PuTTY is running and, using this tool, build a bridge back to the attacker.

The utility allows you not only to sniff the "communication" between the administrator and the remote server (including passwords), but also to execute arbitrary shell commands within a given session. And all this will happen absolutely transparently for the user (administrator). If you are interested in technical details, for example, how the implementation in the PuTTY process is implemented, I recommend that you familiarize yourself with the author's presentation.

A fairly old utility that appeared over eight years ago. Designed to clone sessions by stealing cookies. For session hijacking, he has basic skills in detecting hosts (in the case of connecting to an open wireless network or hub) and performing ARP poisoning. The only problem is that today, unlike eight years ago, almost all large companies like Yahoo or Facebook use SSL encryption, which makes this tool completely useless. Despite this, there are still enough resources on the Web that do not use SSL, so it's too early to write off the utility. Its advantages include the fact that it automatically integrates into Firefox and creates a separate profile for each intercepted session. The source code is available in the repository, and you can build it yourself using the following sequence of commands:

# apt-get install build-essential libwxgtk2.8-dev libgtk2.0-dev libpcap-dev # g ++ $ (wx-config --cppflags --libs) -lpcap -o sessionthief * .cpp # setcap cap_net_raw, cap_net_admin \u003d eip sessionthief

# apt-get install build-essential libwxgtk2.8-dev libgtk2.0-dev libpcap-dev

# g ++ $ (wx-config --cppflags --libs) -lpcap -o sessionthief * .cpp

# setcap cap_net_raw, cap_net_admin \u003d eip sessionthief

ProxyFuzz

ProzyFuzz has nothing to do with MITM attacks. As the name suggests, tools are designed for fuzzing. It is a small non-deterministic network fuzzer implemented in python that arbitrarily changes the contents of network traffic packets. Supports TCP and UDP protocols. Can be configured to fuzz only one side. Useful when you need to quickly test some network application (or protocol) and develop PoC. Usage example:

Python proxyfuzz -l -r -p

python proxyfuzz -l -r -p

The list of options includes:

w - sets the number of requests sent before starting fuzzing;
c - fuzz only the client (otherwise both sides);
s - fuzz only the server (otherwise both sides);
u - UDP protocol (otherwise TCP is used).

The middler

A utility for carrying out MITM attacks on various protocols presented at the DEF CON conference. The alpha version supported the HTTP protocol and had three cool plugins in its arsenal:

plugin-beef.py - Injects the Browser Exploitation Framework (BeEF) into any HTTP request coming from the local network.
plugin-metasploit.py - injects an IFRAME into unencrypted (HTTP) requests, which downloads exploits for browsers from Metasploit;
plugin-keylogger.py - Inlines a JavaScript onKeyPress event handler for all text fields that will be sent over HTTPS, causing the browser to send the user-entered password character by character to the attacker's server before the entire form is submitted.

The Middler not only automatically analyzes network traffic and finds cookies in it, but also independently requests them from the client, that is, the process is automated to the maximum. The program guarantees collection of all unprotected accounts on the computer network (or public hotspot), to the traffic of which it has access. For the program to work correctly, the following packages must be installed on the system: Scapy, libpcap, readline, libdnet, python-netfilter. Unfortunately, the repository has not been updated for a long time, so you will have to add new functionality yourself.

A console utility that interactively allows you to examine and modify HTTP traffic. Thanks to such skills, the utility is used not only by pentesters / hackers, but also by ordinary developers who use it, for example, to debug web applications. With its help, you can get detailed information about what requests the application is making and what responses it receives. Mitmproxy can also help you understand how some REST APIs work, especially those that are poorly documented.

Installation is extremely simple:

$ sudo aptitude install mitmproxy

It is worth noting that mitmproxy also allows you to intercept HTTPS traffic by issuing a self-signed certificate to the client. A good example of how to set up traffic interception and modification is possible.

Dsniff

Well, this utility is generally one of the first that should come to mind as soon as you hear
"MITM attack". The tool is quite old, but it continues to be actively updated, which is good news. It makes no sense to talk in detail about its capabilities, over the fourteen years of its existence, it has been covered more than once on the network. Here's an example in a tutorial like this:

well, or instructions from our website:

Lastly ..

As usual, we have not considered all the utilities, but only the most popular ones; there are still many little-known projects that we will probably talk about sometime. As you can see, there is no shortage of tools for conducting MITM attacks, and, which happens not so often, one of the coolest tools is implemented for Windows. There is nothing to say about nix systems - a whole variety. So I think you can always find the right tool to hijack
alien credentials. Oops, that is, for testing.

Type