Man in the Middle Attack - Revision history

Heifetj at 03:46, 13 April 2009

2009-04-13T03:46:55Z

← Older revision		Revision as of 03:46, 13 April 2009
Line 96:		Line 96:

	----		----
-	--[[User:Heifetj\|Heifetj]] 10:24, 12 April 2009 (EDT)	+	--[[User:Heifetj\|Heifetj]] 23:46, 12 April 2009 (EDT)

Heifetj at 03:46, 13 April 2009

2009-04-13T03:46:21Z

← Older revision		Revision as of 03:46, 13 April 2009
Line 1:		Line 1:
	[[Image:Man_in_the_Middle.jpg\|frame\|Man in the Middle Example]]		[[Image:Man_in_the_Middle.jpg\|frame\|Man in the Middle Example]]
-	Man in the Middle ~~Attacks~~ (~~sometimes~~ MITM) are attacks where the attacker intercepts communication between two parties, forwarding the communication as if the attacker were not present. The name is derived from the popular game Man in the Middle.	+	Man in the Middle (MITM) Attacks are attacks where the attacker intercepts communication between two parties, forwarding the communication as if the attacker were not present. The name is derived from the popular game Man in the Middle. It is also referred to as a fire-brigade or bucket brigade attack based on the method for putting out a fire. Additionally it is referred to as a Janus attack in reference to the roman two-headed god of gates.<sup>[1]</sup>
-	It is also referred to as a fire-brigade or bucket brigade attack based on the method for putting out a fire.	+
-	~~Lastly~~ it is referred to as a Janus attack in reference to the roman two-headed god of gates.<sup>[1]</sup>	+

	==Generic Example==		==Generic Example==
	Alice sends a communication to Bob, which is intercepted by an attacker, and then forwarded on to Bob. Bob then replies to Alice which is also intercepted by the attacker, and then forwarded to Alice. The attacker may or may not modify the communications.		Alice sends a communication to Bob, which is intercepted by an attacker, and then forwarded on to Bob. Bob then replies to Alice which is also intercepted by the attacker, and then forwarded to Alice. The attacker may or may not modify the communications.
	<BR>		<BR>
-	*If tokens are used, the MITM attacker can intercept and replay the one-time password ~~(OTP) within~~ the ~~60-second validity period~~.	+	*If tokens are used, the MITM attacker can intercept and replay the one-time password before the token times out.
	*If challenge questions are used, the MITM attacker can simply observe the challenge question and present it to the user, replaying the response to the legitimate site. <sup>[2]</sup>		*If challenge questions are used, the MITM attacker can simply observe the challenge question and present it to the user, replaying the response to the legitimate site. <sup>[2]</sup>

Line 15:		Line 13:
	Recently, there has been alot of press about MITM attacks defeating even SSL security. This is an especially distressing issue as this is the major form of security used on the web today. One researcher intercepted 200 requests for SSL encrypted pages over 20 hours, including 114 Yahoo! credentials, 50 Gmail credentials and 16 credit-card numbers.<sup>[6,7]</sup>		Recently, there has been alot of press about MITM attacks defeating even SSL security. This is an especially distressing issue as this is the major form of security used on the web today. One researcher intercepted 200 requests for SSL encrypted pages over 20 hours, including 114 Yahoo! credentials, 50 Gmail credentials and 16 credit-card numbers.<sup>[6,7]</sup>
	<br><br>		<br><br>
-	In a recent example of a successful attack combining social engineering with phishing and malware, more than 20,000 senior corporate executives were fooled into clicking a link in an e-mail that purported to be a subpoena. The resulting malware installation enabled a man-in-the-middle attack to be successfully completed without the end-users’ knowledge. <sup>[2]</sup>	+	In a recent example of a successful attack combining social engineering with phishing and malware, more than 20,000 senior corporate executives were fooled into clicking a link in an e-mail that purported to be a subpoena. The resulting malware installation enabled a man-in-the-middle attack to be successfully completed without the end-users’ knowledge. <sup>[4]</sup>

-	==MITM Attack Examples==	+	==MITM Attack Examples <sup>[4]</sup>==
	===LAN===		===LAN===
	*ARP Poisoining		*ARP Poisoining
Line 62:		Line 60:
	The major defense used today is to always use SSL connections for important data and never use insecure connections. This strategy is not enough for many users, as several of the attacks described are smart enough to defeat SSL when not used properly. Most browsers today do not make it simple enough for users to recognize when a MITM attack has been initiated and a secure connection is no longer being used. Additionally most web users do not check the validity of certificates they accept on a daily basis.		The major defense used today is to always use SSL connections for important data and never use insecure connections. This strategy is not enough for many users, as several of the attacks described are smart enough to defeat SSL when not used properly. Most browsers today do not make it simple enough for users to recognize when a MITM attack has been initiated and a secure connection is no longer being used. Additionally most web users do not check the validity of certificates they accept on a daily basis.
	===Multifactor Authentication <sup>[2]</sup>===		===Multifactor Authentication <sup>[2]</sup>===
-	*Public Key Infrastructure	+	*Public Key Infrastructure - external certifications for digital certificates
	*IP Geolocation - identifies where a user’s currently assigned IP is geographically and whether it is normal or appropriate for the user		*IP Geolocation - identifies where a user’s currently assigned IP is geographically and whether it is normal or appropriate for the user
	*Machine Fingerprinting and Tagging – stores and validates a profile of the customers system		*Machine Fingerprinting and Tagging – stores and validates a profile of the customers system

	==See Also==		==See Also==
		+	*[[IP Spoofing]]
	*[[Bots & Botnets]]<BR>		*[[Bots & Botnets]]<BR>
	*[[Information security awareness]]<BR>		*[[Information security awareness]]<BR>

Heifetj at 03:37, 13 April 2009

2009-04-13T03:37:42Z

← Older revision		Revision as of 03:37, 13 April 2009
Line 94:		Line 94:
	#http://www.thenetworkadministrator.com/2005tophackingtools.htm		#http://www.thenetworkadministrator.com/2005tophackingtools.htm
	#http://www.owasp.org/index.php/Man-in-the-middle_attack		#http://www.owasp.org/index.php/Man-in-the-middle_attack
		+	#http://wapedia.mobi/en/Man-in-the-middle_attack?t=3.

	----		----
	--[[User:Heifetj\|Heifetj]] 10:24, 12 April 2009 (EDT)		--[[User:Heifetj\|Heifetj]] 10:24, 12 April 2009 (EDT)

Heifetj: /* Attacking Tools ^[9,10] */

2009-04-13T03:37:17Z

Attacking Tools <sup>[9,10] </sup>

← Older revision		Revision as of 03:37, 13 April 2009
Line 52:		Line 52:
	There are many different scenarios and types of active attacks that make browsing even sites traditionally thought safe dangerous.		There are many different scenarios and types of active attacks that make browsing even sites traditionally thought safe dangerous.

-	==Attacking Tools <sup>[9,10] </sup> ==	+	==Attacking Tools <sup>[9,10,11] </sup> ==
-	*[http://naughty.monkey.org/~dugsong/dsniff/ Dsniff]: A collection of tools for network auditing and penetration testing	+	*[http://naughty.monkey.org/~dugsong/dsniff/ Dsniff] - A collection of tools for network auditing and penetration testing
-	*[http://ettercap.sourceforge.net/ Ettercap]: A suite of tools for MITM attacks over LAN.	+	*[http://ettercap.sourceforge.net/ Ettercap] - A suite of tools for MITM attacks over LAN.
-	*[http://www.softpedia.com/get/Network-Tools/Network-Testing/PacketCreator.shtml PacketCreator]: A tool that uses ARP cache poisoning for network testing.	+	*[http://www.softpedia.com/get/Network-Tools/Network-Testing/PacketCreator.shtml PacketCreator] - A tool that uses ARP cache poisoning for network testing.
-	*[http://www.oxid.it/cain.html Cain and Abel]: A password recovery tool for Microsoft operating systems.	+	*[http://www.oxid.it/cain.html Cain and Abel] - A password recovery tool for Microsoft operating systems.
-	*~~Juggernaut~~: A ~~network sniffer~~ that ~~can be used to hijack TCP sessions~~.	+	*[http://www.google.com/gwt/n?u=http://www.theta44.org/karma/ Karma] - A tool that uses 802.11 Evil Twin attacks to perform MITM attacks

	==Defences==		==Defences==

Heifetj at 03:33, 13 April 2009

2009-04-13T03:33:22Z

← Older revision		Revision as of 03:33, 13 April 2009
Line 65:		Line 65:
	*IP Geolocation - identifies where a user’s currently assigned IP is geographically and whether it is normal or appropriate for the user		*IP Geolocation - identifies where a user’s currently assigned IP is geographically and whether it is normal or appropriate for the user
	*Machine Fingerprinting and Tagging – stores and validates a profile of the customers system		*Machine Fingerprinting and Tagging – stores and validates a profile of the customers system
-
-	~~==Beyond Computing==~~

	==See Also==		==See Also==

Heifetj: /* External Links */

2009-04-13T03:32:31Z

External Links

← Older revision		Revision as of 03:32, 13 April 2009
Line 83:		Line 83:
	* [http://www.schneier.com/blog/archives/2008/07/maninthemiddle_1.html Schneier on Security - Man in the Middle Attacks]		* [http://www.schneier.com/blog/archives/2008/07/maninthemiddle_1.html Schneier on Security - Man in the Middle Attacks]
	* [http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-ornaghi-valleri.pdf Man in the Middle Attacks - Demos]		* [http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-ornaghi-valleri.pdf Man in the Middle Attacks - Demos]
		+	* [http://enc.slider.com/Enc/Man_in_the_middle Slider - Man in the Middle Attacks]

	==References==		==References==

Heifetj: /* Defences */

2009-04-13T03:29:44Z

Defences

← Older revision		Revision as of 03:29, 13 April 2009
Line 61:		Line 61:
	==Defences==		==Defences==
	The major defense used today is to always use SSL connections for important data and never use insecure connections. This strategy is not enough for many users, as several of the attacks described are smart enough to defeat SSL when not used properly. Most browsers today do not make it simple enough for users to recognize when a MITM attack has been initiated and a secure connection is no longer being used. Additionally most web users do not check the validity of certificates they accept on a daily basis.		The major defense used today is to always use SSL connections for important data and never use insecure connections. This strategy is not enough for many users, as several of the attacks described are smart enough to defeat SSL when not used properly. Most browsers today do not make it simple enough for users to recognize when a MITM attack has been initiated and a secure connection is no longer being used. Additionally most web users do not check the validity of certificates they accept on a daily basis.
		+	===Multifactor Authentication <sup>[2]</sup>===
		+	*Public Key Infrastructure
		+	*IP Geolocation - identifies where a user’s currently assigned IP is geographically and whether it is normal or appropriate for the user
		+	*Machine Fingerprinting and Tagging – stores and validates a profile of the customers system

	==Beyond Computing==		==Beyond Computing==

Heifetj: /* Specific MITM Attacks */

2009-04-13T03:24:35Z

Specific MITM Attacks

← Older revision		Revision as of 03:24, 13 April 2009
Line 11:		Line 11:

	==Specific MITM Attacks==		==Specific MITM Attacks==
-	Historically, several different man in the middle attacks have been described. Perhaps the earliest reference was a paper showing the possibility of IP spoofing in BSD Linux.<sup>[3]</sup> A more recent and famous example is [[The Mitnick attack]], a man in the middle attack taking advantage of the structure of IP to establish the trusted connections. <br>	+	Historically, several different man in the middle attacks have been described. Perhaps the earliest reference was a paper showing the possibility of IP spoofing in BSD Linux.<sup>[3]</sup> A more recent and famous example is [[The Mitnick attack]], a man in the middle attack taking advantage of the structure of IP to establish the trusted connections.
-	~~Another common man in the middle attack is [[IP Spoofing]], where victims have all their web traffic re-routed through the attacker.<sup>[4]</sup~~> <br>	+	<br><br>
-	~~[[Image:IP_Spoofing.jpg\|frame\|IP Spoofing Diagram <sup>[5]</sup>]]~~	+
	Recently, there has been alot of press about MITM attacks defeating even SSL security. This is an especially distressing issue as this is the major form of security used on the web today. One researcher intercepted 200 requests for SSL encrypted pages over 20 hours, including 114 Yahoo! credentials, 50 Gmail credentials and 16 credit-card numbers.<sup>[6,7]</sup>		Recently, there has been alot of press about MITM attacks defeating even SSL security. This is an especially distressing issue as this is the major form of security used on the web today. One researcher intercepted 200 requests for SSL encrypted pages over 20 hours, including 114 Yahoo! credentials, 50 Gmail credentials and 16 credit-card numbers.<sup>[6,7]</sup>
		+	<br><br>
	In a recent example of a successful attack combining social engineering with phishing and malware, more than 20,000 senior corporate executives were fooled into clicking a link in an e-mail that purported to be a subpoena. The resulting malware installation enabled a man-in-the-middle attack to be successfully completed without the end-users’ knowledge. <sup>[2]</sup>		In a recent example of a successful attack combining social engineering with phishing and malware, more than 20,000 senior corporate executives were fooled into clicking a link in an e-mail that purported to be a subpoena. The resulting malware installation enabled a man-in-the-middle attack to be successfully completed without the end-users’ knowledge. <sup>[2]</sup>

Heifetj: /* Specific MITM Attacks */

2009-04-13T03:23:09Z

Specific MITM Attacks

← Older revision		Revision as of 03:23, 13 April 2009
Line 15:		Line 15:
	[[Image:IP_Spoofing.jpg\|frame\|IP Spoofing Diagram <sup>[5]</sup>]]		[[Image:IP_Spoofing.jpg\|frame\|IP Spoofing Diagram <sup>[5]</sup>]]
	Recently, there has been alot of press about MITM attacks defeating even SSL security. This is an especially distressing issue as this is the major form of security used on the web today. One researcher intercepted 200 requests for SSL encrypted pages over 20 hours, including 114 Yahoo! credentials, 50 Gmail credentials and 16 credit-card numbers.<sup>[6,7]</sup>		Recently, there has been alot of press about MITM attacks defeating even SSL security. This is an especially distressing issue as this is the major form of security used on the web today. One researcher intercepted 200 requests for SSL encrypted pages over 20 hours, including 114 Yahoo! credentials, 50 Gmail credentials and 16 credit-card numbers.<sup>[6,7]</sup>
		+	In a recent example of a successful attack combining social engineering with phishing and malware, more than 20,000 senior corporate executives were fooled into clicking a link in an e-mail that purported to be a subpoena. The resulting malware installation enabled a man-in-the-middle attack to be successfully completed without the end-users’ knowledge. <sup>[2]</sup>

	==MITM Attack Examples==		==MITM Attack Examples==

Heifetj at 03:22, 13 April 2009

2009-04-13T03:22:05Z

← Older revision		Revision as of 03:22, 13 April 2009
Line 8:		Line 8:
	<BR>		<BR>
	*If tokens are used, the MITM attacker can intercept and replay the one-time password (OTP) within the 60-second validity period.		*If tokens are used, the MITM attacker can intercept and replay the one-time password (OTP) within the 60-second validity period.
-	*If challenge questions are used, the MITM attacker can simply observe the challenge question and present it to the user, replaying the response to the legitimate site.	+	*If challenge questions are used, the MITM attacker can simply observe the challenge question and present it to the user, replaying the response to the legitimate site. <sup>[2]</sup>

	==Specific MITM Attacks==		==Specific MITM Attacks==
-	Historically, several different man in the middle attacks have been described. Perhaps the earliest reference was a paper showing the possibility of IP spoofing in BSD Linux.<sup>[2]</sup> A more recent and famous example is [[The Mitnick attack]], a man in the middle attack taking advantage of the structure of IP to establish the trusted connections. <br>	+	Historically, several different man in the middle attacks have been described. Perhaps the earliest reference was a paper showing the possibility of IP spoofing in BSD Linux.<sup>[3]</sup> A more recent and famous example is [[The Mitnick attack]], a man in the middle attack taking advantage of the structure of IP to establish the trusted connections. <br>
-	Another common man in the middle attack is [[IP Spoofing]], where victims have all their web traffic re-routed through the attacker.<sup>[3]</sup> <br>	+	Another common man in the middle attack is [[IP Spoofing]], where victims have all their web traffic re-routed through the attacker.<sup>[4]</sup> <br>
-	[[Image:IP_Spoofing.jpg\|frame\|IP Spoofing Diagram <sup>[4]</sup>]]	+	[[Image:IP_Spoofing.jpg\|frame\|IP Spoofing Diagram <sup>[5]</sup>]]
-	Recently, there has been alot of press about MITM attacks defeating even SSL security. This is an especially distressing issue as this is the major form of security used on the web today. One researcher intercepted 200 requests for SSL encrypted pages over 20 hours, including 114 Yahoo! credentials, 50 Gmail credentials and 16 credit-card numbers.<sup>[5,6]</sup>	+	Recently, there has been alot of press about MITM attacks defeating even SSL security. This is an especially distressing issue as this is the major form of security used on the web today. One researcher intercepted 200 requests for SSL encrypted pages over 20 hours, including 114 Yahoo! credentials, 50 Gmail credentials and 16 credit-card numbers.<sup>[6,7]</sup>

	==MITM Attack Examples==		==MITM Attack Examples==
Line 36:		Line 36:
	*Access Point Reassociation		*Access Point Reassociation

-	==Active MITM Attacks <sup> [7] </sup> ==	+	==Active MITM Attacks <sup> [8] </sup> ==
	Recently a new class of MITM attacks have been occurring with two important differences;		Recently a new class of MITM attacks have been occurring with two important differences;
	*It is initiated by the attacker		*It is initiated by the attacker
Line 51:		Line 51:
	There are many different scenarios and types of active attacks that make browsing even sites traditionally thought safe dangerous.		There are many different scenarios and types of active attacks that make browsing even sites traditionally thought safe dangerous.

-	==Attacking Tools <sup>[8,9] </sup> ==	+	==Attacking Tools <sup>[9,10] </sup> ==
	*[http://naughty.monkey.org/~dugsong/dsniff/ Dsniff]: A collection of tools for network auditing and penetration testing		*[http://naughty.monkey.org/~dugsong/dsniff/ Dsniff]: A collection of tools for network auditing and penetration testing
	*[http://ettercap.sourceforge.net/ Ettercap]: A suite of tools for MITM attacks over LAN.		*[http://ettercap.sourceforge.net/ Ettercap]: A suite of tools for MITM attacks over LAN.
Line 81:		Line 81:
	==References==		==References==
	#http://en.wikipedia.org/wiki/Man-in-the-middle_attack		#http://en.wikipedia.org/wiki/Man-in-the-middle_attack
		+	#http://download.entrust.com/resources/download.cfm/22836/WP_MITM_Sept08.pdf/?start
	#A Weakness in the 4.2BSD Unix TCP/IP Software, Robert T. Morris, AT&T Bell Laboratories, February 1985 <BR>		#A Weakness in the 4.2BSD Unix TCP/IP Software, Robert T. Morris, AT&T Bell Laboratories, February 1985 <BR>
	#http://www.csl.sri.com/users/ddean/papers/spoofing.pdf		#http://www.csl.sri.com/users/ddean/papers/spoofing.pdf

Man in the Middle Attack - Revision history

Heifetj at 03:46, 13 April 2009

Heifetj at 03:46, 13 April 2009

Heifetj at 03:37, 13 April 2009

Heifetj: /* Attacking Tools [9,10] */

Heifetj at 03:33, 13 April 2009

Heifetj: /* External Links */

Heifetj: /* Defences */

Heifetj: /* Specific MITM Attacks */

Heifetj: /* Specific MITM Attacks */

Heifetj at 03:22, 13 April 2009

Heifetj: /* Attacking Tools ^[9,10] */