Man in the Middle (MitM) attacks exploit network configuration flaws and the absence of robust security mechanisms to guarantee the integrity and confidentiality of exchanged data.
These attacks consist of intercepting and manipulating communications between two parties, generally a client and a server, without their knowledge.
In this article, we take a detailed look at the principle of MitM attacks and the different techniques used. We will also review the security measures and protections to implement to counter these attacks.
Comprehensive Guide to Man in the Middle Attacks
What is a Man in the Middle (MitM) Attack?
A Man in the Middle (MitM) attack occurs when an attacker infiltrates a communication between two parties without them being aware of it.
Once positioned as a Man in the Middle, generally between a client and a server, the attacker can:
- Intercept data in transit: The attacker becomes a transit point for all data exchanged, and can potentially intercept sensitive information such as connection identifiers, private communications, files, etc.
- Alter data in transit: He can alter the messages exchanged and manipulate the content of the communication, opening the door to numerous malicious exploits.
- Inject malicious code: From his position, the attacker can insert malicious content into the data stream. For example, he could inject malware, scripts or falsified web pages into the communication. This technique can be used in a variety of contexts, including phishing attacks.
What are the Main Types of Man in the Middle Attacks and How to Protect Yourself?
There are several techniques for carrying out MitM attacks, and in this section we’ll look at the main types of attack and the associated security best practices.
ARP Poisoning
ARP Poisoning, also known as ARP Spoofing, is a method commonly used in MitM attacks to intercept communications on local area networks (LANs).
This technique exploits how the Address Resolution Protocol (ARP) works.
What is ARP and how does it work?
The ARP protocol is essential in local networks, as it enables IP addresses to be resolved into MAC (Media Access Control) addresses, which are essential if data packets are to be routed correctly.
The role of ARP is to dynamically associate an IP address (network level) with a MAC address (hardware level) so that machines can communicate directly with each other on the network.
The basic process of the ARP protocol is as follows:
- When a machine wants to send data to a specific IP address, it broadcasts an ARP request to find the MAC address corresponding to that IP address.
- The machine holding this IP address responds with its MAC address.
- The two devices store this information in an ARP table, or ARP cache, so that they do not have to repeat the request each time data is transmitted.
What is ARP Poisoning?
ARP Poisoning involves exploiting this process to mislead network devices.
In an ARP Spoofing attack, the attacker sends false ARP responses to machines on the network, linking its MAC address to the IP address of another device (usually a router or gateway).
This causes the other machines to redirect their traffic to the attacker, believing him to be the legitimate recipient.
ARP Poisoning exploits the main weakness of the ARP protocol: it is stateless. Machines on the network accept an ARP response even if they have not sent a request, and they update their ARP caches every time they receive one.
It works as follows, step by step:
- The attacker starts by sending falsified ARP packets on the local network. These packets contain false information, indicating that its MAC address corresponds to the IP address of another device on the network.
- This information is then cached by other devices on the network.
- Once the falsified ARP information is cached on other devices, traffic destined for the legitimate IP address is redirected to the attacker’s MAC address. This allows the attacker to intercept, alter or simply observe traffic between the two legitimate parties without their consent.
- The attacker can then act as an intermediary between the two parties, facilitating the capture of sensitive data, the injection of malicious packets or other attacks.
The consequences of ARP Poisoning can be serious, as it compromises the integrity and confidentiality of network communications. Attacks of this type can be used to steal sensitive information such as credentials, financial data, or even to carry out other more advanced attacks.
How to prevent ARP Poisoning?
There are several measures to protect against or limit the impact of ARP Poisoning:
- Use static ARP tables to manually configure IP and MAC addresses, especially for critical devices such as routers and servers. This makes it more difficult to inject false ARP responses.
- Implement Intrusion Detection Systems (IDS) to monitor for abnormal ARP requests or suspicious changes to the ARP cache and alert network administrators of any suspicious activity.
- Encrypt data to protect the content of communications from being read by an attacker, even if the attacker intercepts the data.
- Segment the network into VLANs (Virtual Local Area Networks) to reduce the scope of ARP Spoofing attacks.
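The kind of check an IDS applies to ARP traffic, as an added example that is not part of the original article: it parses raw ARP payloads and reports replies that answer no observed request, as well as IP addresses that suddenly claim a different MAC address. The class name, the sample addresses and the traffic are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"  # 28-byte ARP payload, Ethernet/IPv4 (RFC 826)

def build_arp(oper, sha, spa, tpa, tha="00:00:00:00:00:00"):
    """Build a constructed ARP payload (oper 1 = request, 2 = reply)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha),
                       IPv4Address(spa).packed, mac(tha), IPv4Address(tpa).packed)

class ArpMonitor:
    def __init__(self, pinned=None):
        self.bindings = dict(pinned or {})  # IP -> MAC, pinned or first seen
        self.pending = set()                # (requester IP, requested IP)

    def observe(self, payload):
        """Return the list of alerts raised by one ARP payload."""
        *_, oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
        mac, spa, tpa = sha.hex(":"), str(IPv4Address(spa)), str(IPv4Address(tpa))
        alerts = []
        if oper == 1:
            self.pending.add((spa, tpa))
        elif oper == 2 and (tpa, spa) not in self.pending:
            alerts.append(f"unsolicited reply: {spa} is-at {mac}")
        elif oper == 2:
            self.pending.discard((tpa, spa))
        if spa == "0.0.0.0":                # ARP probe: sender has no address yet
            return alerts
        known = self.bindings.setdefault(spa, mac)
        if known != mac:                    # keep the old binding, report the new claim
            alerts.append(f"binding change: {spa} was {known}, now claims {mac}")
        return alerts

def run_sample():
    """Constructed traffic: a normal exchange, then a forged gateway reply."""
    monitor = ArpMonitor()
    traffic = [
        build_arp(1, "02:00:00:00:00:10", "192.168.1.10", "192.168.1.1"),
        build_arp(2, "02:00:00:00:00:01", "192.168.1.1", "192.168.1.10",
                  tha="02:00:00:00:00:10"),
        build_arp(2, "02:00:00:00:00:66", "192.168.1.1", "192.168.1.10",
                  tha="02:00:00:00:00:10"),
    ]
    return [monitor.observe(p) for p in traffic]

if __name__ == "__main__":
    for alerts in run_sample():
        print(alerts)
```

Passing known IP/MAC pairs as `pinned` gives the monitor the same reference data as a static ARP table, so a forged reply for a critical device is reported even if it is the first packet seen.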
DNS Spoofing
DNS Spoofing is a technique that allows an attacker to redirect network traffic to malicious sites by compromising the Domain Name System (DNS).
This method is widely used in Man in the Middle attacks to intercept communications between a user and a legitimate site.
How does the DNS protocol work?
The DNS (Domain Name System) protocol is essential for Internet browsing.
It acts as a directory that associates domain names with IP addresses, which are necessary for devices to be able to connect to the servers hosting websites.
DNS works as follows:
- When a user tries to access a site, his machine sends a DNS request to obtain the IP address of the domain.
- The request is routed to a DNS server, which resolves the domain name into an IP address and sends it back to the user’s device.
- This DNS response is then stored temporarily in a DNS cache on the device to speed up future accesses to the same site.
What is DNS Spoofing?
DNS Spoofing aims to insert false information into the DNS cache of servers in order to redirect users to fraudulent sites.
To do this, an attacker modifies the IP address associated with a domain name in a server’s DNS cache. Users who then access this domain are redirected to a site controlled by the attacker, even though the URL entered in the browser appears to be correct.
A typical example of DNS Spoofing occurs when an attacker associates the domain name of a legitimate site with the IP address of a fake site.
Users think they are connecting to the official site, but in reality they are passing their credentials and other sensitive information to the attacker.
How to prevent DNS Spoofing?
Several measures can be taken to prevent DNS Spoofing attacks:
- Implement DNSSEC (Domain Name System Security Extensions) to add cryptographic signatures to DNS responses, in order to guarantee their authenticity. This enables DNS servers to check that DNS responses have not been modified and to reject those that appear corrupt or malicious.
- Implement network detection and analysis tools to monitor suspicious DNS activity and alert administrators of poisoning attempts.
DHCP Spoofing
DHCP Spoofing is an attack technique that allows an attacker to gain a privileged position within a local network by hijacking the IP address distribution process.
What is DHCP and how does it work?
Dynamic Host Configuration Protocol (DHCP) is used to automatically assign IP addresses and other network parameters to devices connected to a network.
This greatly simplifies IP address management, as devices do not need to be manually configured to access the network.
The basic operation of DHCP is as follows:
- When a device connects to the network, it sends a DHCP request to obtain an IP address.
- A legitimate DHCP server responds with an available IP address and other necessary configurations for the connection.
- The device accepts the DHCP server’s offer, allowing it to connect to the network using the parameters provided.
What is DHCP Spoofing?
In a DHCP Spoofing attack, an attacker configures a malicious device to impersonate a legitimate DHCP server.
When devices on the network send DHCP requests, the attacker quickly responds by providing information configured to intercept the traffic.
Using DHCP Spoofing, the attacker can:
- Hijack the default gateway: By specifying its own device as the default gateway, the attacker redirects all network traffic through it, thus intercepting all communications.
- Modify DNS servers: By replacing the IP address of legitimate DNS servers with an address of their choice, the attacker can redirect users to malicious sites by executing a DNS Spoofing attack in parallel.
- Control device IP configuration: By providing incorrect IP addresses and subnet mask configurations, the attacker can also disable network connectivity, creating a temporary disruption.
Preventing DHCP Spoofing
Several measures can be taken to prevent DHCP Spoofing attacks:
- Enable DHCP port protections on switches (DHCP Snooping): Network equipment, such as managed switches, often has security features such as DHCP Snooping. This feature limits DHCP responses to authorised ports only (usually those connected to the legitimate DHCP server) and blocks responses from unapproved devices.
- Use VLANs (Virtual Local Area Networks) to segment the network: By using VLANs, administrators can isolate devices according to their role or security level, thus limiting the scope of the attack. The attacker is confined to his VLAN without being able to influence other segments of the network.
- Monitor DHCP activity: Network monitoring systems can detect suspicious activity, such as the presence of multiple DHCP responses from different devices. Early detection allows administrators to take action before an attack is successful.
- Configure firewall rules and ACLs (Access Control Lists): Firewall rules and ACLs can be configured to restrict DHCP responses from unauthorised sources. By controlling which devices can respond to DHCP requests, the risk of attack is reduced.
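A sketch of the DHCP monitoring described above, as an added example that is not part of the original article: it parses the options of a DHCP server reply and compares the server identifier, default gateway and DNS servers with the values the network is expected to hand out. The `POLICY` addresses, the function names and the sample packets are constructed.

```python
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2131)
OFFER, ACK = 2, 5                    # option 53 values sent by servers
# Constructed policy: what the legitimate server is expected to announce.
POLICY = {"servers": {"192.168.1.2"}, "routers": {"192.168.1.1"},
          "dns": {"192.168.1.2"}}

def build_reply(msg_type, server, router, dns):
    """Build a constructed DHCP reply: 236-byte BOOTP header plus options."""
    opt = lambda code, data: bytes([code, len(data)]) + data
    ip = lambda a: IPv4Address(a).packed
    header = b"\x02" + bytes(235)    # op=2 (BOOTREPLY), other fields zeroed
    return (header + MAGIC_COOKIE + opt(53, bytes([msg_type]))
            + opt(54, ip(server)) + opt(3, ip(router)) + opt(6, ip(dns)) + b"\xff")

def parse_options(packet):
    """Return {option code: raw value}; stops cleanly on truncated input."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:   # 255 = end option
        if packet[i] == 0:                        # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            break
        length = packet[i + 1]
        options[packet[i]] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options

def audit_reply(packet, policy=POLICY):
    """List every server, gateway or DNS value that the policy does not allow."""
    opts = parse_options(packet)
    if (opts.get(53) or b"\x00")[0] not in (OFFER, ACK):
        return []                                 # not a server reply
    ips = lambda raw: [str(IPv4Address(raw[j:j + 4]))
                       for j in range(0, len(raw) - 3, 4)]
    findings = []
    checks = (("server", 54, "servers"), ("gateway", 3, "routers"), ("DNS", 6, "dns"))
    for label, code, key in checks:
        for addr in ips(opts.get(code, b"")) or ["<missing>"]:
            if addr not in policy[key]:
                findings.append(f"unexpected {label}: {addr}")
    return findings
```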
Encrypting Communications with TLS to Prevent Man in the Middle Attacks
Encrypting communications is one of the most effective measures for protecting data exchanges against Man in the Middle (MitM) attacks.
The Transport Layer Security (TLS) protocol is now the standard for ensuring the confidentiality, integrity and authenticity of communications.
TLS creates a secure channel between a client and a server, protecting information against interception and manipulation. This encryption is based on the use of digital certificates that authenticate the server and guarantee the identity of the data source.
Although TLS considerably enhances security, certain configurations are essential to maximise its reliability:
- TLS certificates must be issued by recognised certification authorities (CAs) and renewed regularly. Expired or self-signed certificates can expose you to security risks.
- Enable HTTP Strict Transport Security (HSTS) to force browsers to use only secure connections with the server.
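One way to audit the HSTS header mentioned above, as an added example that is not part of the original article. The parser follows RFC 6797, under which browsers ignore a header that arrives over plain HTTP, repeats a directive or lacks a valid max-age; the 180-day `MIN_MAX_AGE` threshold and the function names are assumptions.

```python
MIN_MAX_AGE = 15552000  # assumption: require at least 180 days

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; return None if it is invalid."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        value = value.strip().strip('"')       # values may be quoted strings
        if name in directives:
            return None                        # a directive may appear only once
        directives[name] = value
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None                            # max-age is mandatory and numeric
    return directives

def audit_hsts(scheme, header):
    """Return findings for one response, given its URL scheme and header value."""
    if header is None:
        return ["no Strict-Transport-Security header"]
    if scheme != "https":
        return ["header sent over plain HTTP: browsers ignore it"]
    directives = parse_hsts(header)
    if directives is None:
        return ["invalid header: browsers ignore it"]
    findings = []
    age = int(directives["max-age"])
    if age == 0:
        findings.append("max-age=0 removes the host from the browser's HSTS list")
    elif age < MIN_MAX_AGE:
        findings.append(f"max-age {age} is below {MIN_MAX_AGE} seconds")
    if "includesubdomains" not in directives:
        findings.append("subdomains are not covered")
    return findings

if __name__ == "__main__":
    # Constructed sample responses
    for scheme, value in [("https", "max-age=31536000; includeSubDomains"),
                          ("https", "max-age=0"), ("http", "max-age=31536000")]:
        print(scheme, repr(value), audit_hsts(scheme, value))
```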
Carry out a Network Penetration Test to Assess the Risk of Man in the Middle Attacks
An internal penetration test is a security assessment designed to identify and correct vulnerabilities in a network.
In the context of Man in the Middle attacks, an internal penetration test simulates attempts to intercept sensitive communications using the attacks we have detailed.
Author: Amin TRAORÉ – CMO – @Vaadata