
What is a “Man in the Middle” Attack? | Storm Internet

Here we explain one of the attacker's most common techniques, the man-in-the-middle (MITM) attack, and what network equipment makers have done to reduce how often it succeeds.

As the name suggests, in a MITM attack the attacker sits between the victim and the intended destination and reads the traffic passing through. On a local network the attacker connects to the network and tricks other devices into sending their traffic to the attacker's machine instead of to where it is supposed to go. The attacker reads that traffic and then forwards it on to its real destination, so the victim notices nothing.

The attacker can simply pass the traffic along (eavesdropping) or rewrite it on the way (tampering). Rewriting is what turns a passive tap into an active attack; its usual purpose is to strip or downgrade encryption so that traffic the attacker could not otherwise read arrives in the clear. Against properly authenticated encryption that attempt fails, as explained below.

One obstacle for the attacker is that the attacks described here only work from inside the network: the attacker needs a foothold on the same local network segment as the victim. Typically that means planting malware on a machine that is already connected, which they can do by exploiting any number of security weaknesses, especially the human kind, i.e., phishing.

There are several ways to carry out a MITM attack. We describe a few of them below.

  • The MITM Attack and Encryption
    First, know that a MITM attack will, in most cases, not work against properly encrypted traffic. This is because modern encryption protocols involve authentication, meaning each party verifies the identity of the other before the encrypted session is set up. For protocols such as TLS (the successor to SSL, used for HTTPS) and most VPNs, that verification relies on a certificate issued by a trusted third party, a certificate authority (CA). An attacker in the middle would have to present a fake certificate for the site, and because they cannot get one signed by a CA the victim's browser trusts, the browser throws up a warning that the certificate is invalid. Users should be trained not to proceed when that warning appears. Where no person is involved, for example a VPN tunnel or an application talking to an API, the certificate check simply fails, the connection is aborted, and no traffic flows. The caveat is that the protection is only as good as the verification: a user who clicks through the warning, or an application built with certificate validation disabled, hands the attacker a working session.
  • ARP Spoofing
    A device connected to a network has two identifiers: an IP address and a MAC address. The MAC address is like a serial number: a number unique to a network adaptor. Every computer, tablet, phone and so on has one, and manufacturers draw them from a range of numbers assigned to that manufacturer so that they do not overlap. ARP (Address Resolution Protocol) is how a device finds out which MAC address belongs to which IP address on the local network. In ARP spoofing (also called ARP poisoning) the attacker sends forged ARP replies onto the network claiming that the attacker's MAC address belongs to another device's IP address, most often the gateway's. Devices store the false entry in their ARP caches and from then on send traffic meant for the gateway to the attacker instead. Cisco and other business-grade switches block this with Dynamic ARP Inspection: the switch compares the IP and MAC addresses in each ARP packet against a table of known, legitimate IP-to-MAC bindings (learned from DHCP or configured statically) and drops any packet that does not match. Note that ARP spoofing works whether a network uses static or DHCP-assigned IP addresses, since ARP is needed in both. What does stop it on a statically addressed network is configuring static ARP entries on the hosts, so that forged replies are ignored.
  • ICMP Redirection
    When you connect a device to a network it is assigned a gateway. The gateway is the router that lets the device reach the adjacent network. In a home or small office the adjacent network is usually the internet; in a large office it could be another part of the office network (another subnet). ICMP (Internet Control Message Protocol) is the protocol routers and hosts use to send each other control messages about errors and reachability, for example that a destination cannot be reached. One of those messages, ICMP Redirect, lets a router tell a host that a better gateway exists for a given destination. In the ICMP MITM attack the attacker sends forged redirect messages to devices on the network directing them to send their traffic via the attacker's machine, which pretends to be a gateway. The usual defence is to configure hosts to ignore redirects altogether (on Linux, net.ipv4.conf.all.accept_redirects=0), since a correctly configured network rarely needs them.
  • DHCP Spoofing
    A network can have either pre-assigned, static IP addresses or dynamic ones. Your home or business network is usually dynamic: a DHCP (Dynamic Host Configuration Protocol) server hands each device an IP address when it connects, along with the address of the gateway and the DNS servers to use. In DHCP spoofing the attacker runs their own DHCP server on the network and races the real one to answer a device's request. The device accepts whichever answer arrives first, and the attacker's answer names the attacker's own IP address as the gateway (and often as the DNS server too), so all of the victim's outbound traffic flows through the attacker. DHCP spoofing is controlled on business-grade switches with DHCP snooping: ports facing the legitimate DHCP server are marked trusted, and DHCP server messages (offers and acknowledgements) arriving on any other port are dropped. The same effect can be had with ACLs (access control lists) on routers or switches that discard DHCP server packets not issued from an authorized DHCP server.
  • Do it yourself MITM
    If you want to experiment with MITM attacks yourself you could download and install ettercap, which implements ARP poisoning, ICMP redirection and DHCP spoofing among other techniques. Its original authors went on to found Hacking Team, the Italian company that turned that early work into a surveillance-software business selling to governments. You will not get much out of ettercap without a solid understanding of networking, but there are plenty of articles explaining how it works that will deepen your understanding of the issue. Only run it against a network you own or have explicit permission to test.
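The encryption section above says a MITM fails against encrypted traffic because the protocol authenticates the endpoints. The following added example (written for this page, not code from Storm Internet or from ettercap) makes that concrete with a toy Diffie-Hellman handshake run twice: once with bare key exchange, where the attacker ends up holding one key with each side, and once with each public value authenticated under a key the peer already trusts, where the handshake aborts. Assumptions: the authentication tag is an HMAC over a pre-shared key, standing in for the CA-signed certificate that TLS actually uses, and the prime 2**127-1 is a toy parameter rather than a standardised group.

```python
"""Toy Diffie-Hellman handshake with and without endpoint authentication.
Added example: the HMAC-over-shared-key tag stands in for a CA-signed
certificate (a simplification), and P is a toy prime, not a real DH group."""
import hashlib
import hmac
import secrets

P, G = 2 ** 127 - 1, 5   # toy group; deployments use standardised 2048-bit+ groups


def _session_key(shared_secret):
    """Hash the shared DH value down to a fixed-size session key."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


class Party:
    def __init__(self, name, trust_key=None):
        self.name = name
        self.trust_key = trust_key          # trust anchor shared with the peer; None = no auth
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def _tag(self, pub):
        return hmac.new(self.trust_key, pub.to_bytes(16, "big"), "sha256").digest()

    def send_pub(self):
        """Public value plus its authentication tag (empty when unauthenticated)."""
        return self.pub, (self._tag(self.pub) if self.trust_key else b"")

    def derive(self, peer_pub, peer_tag):
        """Verify the peer's value if authentication is on, then derive the key."""
        if self.trust_key and not hmac.compare_digest(peer_tag, self._tag(peer_pub)):
            raise ValueError(f"{self.name}: peer authentication failed, aborting handshake")
        return _session_key(pow(peer_pub, self.priv, P))


def run_handshake(authenticated, intercepted):
    """Run Alice<->Bob, optionally with Mallory swapping in her own public values."""
    trust_key = secrets.token_bytes(32) if authenticated else None
    alice, bob = Party("alice", trust_key), Party("bob", trust_key)
    mallory = Party("mallory")              # on-path attacker with no copy of the trust key
    a_pub, a_tag = alice.send_pub()
    b_pub, b_tag = bob.send_pub()
    if not intercepted:
        k_a, k_b = alice.derive(b_pub, b_tag), bob.derive(a_pub, a_tag)
        return {"mitm_succeeded": False, "alice_and_bob_agree": k_a == k_b}
    # Mallory replaces both public values with her own; she cannot forge a valid tag
    m_pub, m_tag = mallory.send_pub()
    try:
        k_b = bob.derive(m_pub, m_tag)      # Bob believes this came from Alice
        k_a = alice.derive(m_pub, m_tag)    # Alice believes this came from Bob
    except ValueError as err:
        return {"mitm_succeeded": False, "alice_and_bob_agree": False, "error": str(err)}
    # Without authentication Mallory now shares one key with each side and can
    # decrypt, read and re-encrypt everything that passes through her
    k_m_with_bob = _session_key(pow(b_pub, mallory.priv, P))
    k_m_with_alice = _session_key(pow(a_pub, mallory.priv, P))
    return {"mitm_succeeded": k_b == k_m_with_bob and k_a == k_m_with_alice,
            "alice_and_bob_agree": k_a == k_b}


if __name__ == "__main__":
    for auth in (False, True):
        print("authenticated" if auth else "unauthenticated", run_handshake(auth, intercepted=True))
```

The unauthenticated run reports that Mallory's two keys match the ones Alice and Bob derived (and that Alice and Bob themselves no longer agree); the authenticated run raises at the first `derive`, which is the programmatic equivalent of the browser's certificate warning. Skipping the check, which is what clicking through the warning or disabling certificate validation amounts to, puts you back in the first case.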

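The ARP, ICMP and DHCP sections above each name a network-side defence. The added example below (written for this page; it is not Storm Internet's or any vendor's code) simulates those defences over packets constructed in the file itself: a switch that performs DHCP snooping (server messages accepted only on a trusted port, leases learned from DHCPACKs), Dynamic ARP Inspection against the resulting binding table, and a host rule that ignores ICMP redirects. Assumptions: the DHCP helper takes the BOOTP/DHCP payload without its Ethernet/IP/UDP headers, the port numbers, MAC and IP addresses are made up, and the `Switch` class is a simplified model of how real switches behave, not a vendor implementation.

```python
"""Simulation of DHCP snooping, dynamic ARP inspection and an ICMP-redirect host
rule over constructed packets. Added example; all addresses and ports are made up."""
import struct

ETH_ARP, ARP_REPLY = 0x0806, 2
DHCP_ACK, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 5, 53, 54, 255
ICMP_REDIRECT = 5
MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie (RFC 2131)


def mac_bytes(m): return bytes.fromhex(m.replace(":", ""))
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP reply (RFC 826). A poisoning reply puts the
    attacker's MAC as sender hardware address and the gateway's IP as sender IP."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + body + mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)


def parse_arp(frame):
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    return {"eth_src": mac_str(frame[6:12]), "sender_mac": mac_str(frame[22:28]),
            "sender_ip": ip_str(frame[28:32])}


def build_dhcp_ack(client_mac, leased_ip, server_ip):
    """DHCP payload (transport headers omitted): DHCPACK with option 54 naming the server."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0, b"\0" * 4,
                        ip_bytes(leased_ip), b"\0" * 4, b"\0" * 4,
                        mac_bytes(client_mac).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, DHCP_ACK, OPT_SERVER_ID, 4]) + ip_bytes(server_ip) + bytes([OPT_END])
    return fixed + MAGIC + opts


def parse_dhcp(payload):
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    msg = {"chaddr": mac_str(payload[28:34]), "yiaddr": ip_str(payload[16:20])}
    i = 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:                   # pad option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        val = payload[i + 2:i + 2 + length]
        if code == OPT_MSG_TYPE:
            msg["type"] = val[0]
        elif code == OPT_SERVER_ID:
            msg["server"] = ip_str(val)
        i += 2 + length
    return msg


class Switch:
    """Simplified model of DHCP snooping plus dynamic ARP inspection."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)     # uplink(s) to the real DHCP server and gateway
        self.bindings = {}                    # snooping binding table: client MAC -> leased IP

    def dhcp_server_message(self, port, payload):
        msg = parse_dhcp(payload)
        if msg is None:
            return "drop: malformed DHCP"
        if port not in self.trusted:          # a DHCP server answering from an access port is rogue
            return f"drop: DHCP server {msg.get('server')} on untrusted port {port}"
        if msg.get("type") == DHCP_ACK:
            self.bindings[msg["chaddr"]] = msg["yiaddr"]
        return "forward"

    def arp_frame(self, port, frame):
        arp = parse_arp(frame)
        if arp is None:
            return "drop: malformed ARP"
        if port in self.trusted:
            return "forward"
        if arp["eth_src"] != arp["sender_mac"]:
            return "drop: frame source differs from ARP sender MAC"
        if self.bindings.get(arp["sender_mac"]) != arp["sender_ip"]:
            return f"drop: {arp['sender_mac']} holds no lease for {arp['sender_ip']}"
        return "forward"


def host_accepts_icmp_redirect(icmp, accept_redirects=False):
    """Host-side rule: with redirects disabled (net.ipv4.conf.all.accept_redirects=0 on
    Linux) a redirect never changes the routing table, so a forged one does nothing."""
    return accept_redirects and icmp[0] == ICMP_REDIRECT


def run_scenario():
    sw = Switch(trusted_ports={1})
    gw_mac, gw_ip = "00:11:22:33:44:01", "192.168.1.1"
    victim_mac, attacker_mac = "aa:aa:aa:00:00:50", "de:ad:be:ef:00:66"
    r = {}
    r["victim_lease"] = sw.dhcp_server_message(1, build_dhcp_ack(victim_mac, "192.168.1.50", gw_ip))
    r["attacker_lease"] = sw.dhcp_server_message(1, build_dhcp_ack(attacker_mac, "192.168.1.66", gw_ip))
    # rogue DHCP server (the attacker's box on port 7) answering the victim itself
    r["rogue_dhcp"] = sw.dhcp_server_message(7, build_dhcp_ack(victim_mac, "192.168.1.50", "192.168.1.66"))
    # honest ARP reply from the victim, then a poisoning reply claiming the gateway's IP
    r["honest_arp"] = sw.arp_frame(3, build_arp_reply(victim_mac, "192.168.1.50", gw_mac, gw_ip))
    r["poison_arp"] = sw.arp_frame(7, build_arp_reply(attacker_mac, gw_ip, victim_mac, "192.168.1.50"))
    # forged ICMP redirect (type 5, code 1: redirect for host) pointing at the attacker
    redirect = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, ip_bytes("192.168.1.66"))
    r["icmp_redirect_applied"] = host_accepts_icmp_redirect(redirect)
    return r


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22} {verdict}")
```

The two legitimate leases arrive on the trusted uplink and populate the binding table; the rogue DHCPACK on port 7 is dropped before any client sees it; the victim's honest ARP reply matches its lease and is forwarded; the attacker's reply claiming 192.168.1.1 is dropped because its lease is for 192.168.1.66; and the forged redirect changes nothing on a host that ignores redirects. On a real network these checks are enabled per VLAN and per port on the switch, and on each host, rather than in a script, but the decisions are the same.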
At Storm Internet we use high-end hardware firewalls to monitor for and protect our customers against MITM and other attack vectors. To keep up to date with the latest internet security news and to pick up valuable tips, follow us on Twitter at https://twitter.com/storminternet.