From charlesreid1

 
(35 intermediate revisions by 2 users not shown)

Previous revision (wikitext source):

=What It Is=

A man-in-the-middle attack is a general concept from encryption. It consists of two parties, Alice and Bob, trying to have an encrypted conversation. However, it is foiled by an attacker, Eve, who gets in the middle. This means that Alice and Eve communicate with one encryption key, while Bob and Eve communicate with another key.

==The Key Pieces==

Any man in the middle attack on a computer network must have three key pieces:

1. Tricking the router/network device/destination into thinking they are connected to the Sheep, when they are really connected to the Attacker

2. Tricking the Sheep into thinking they are really connected to their router/network device/destination, when they are really connected to the Attacker

3. Building a bridge between the two connections so that traffic can continue to pass between the two parties and be observed/modified.

=Wired Network=

Man-in-the-middle attacks on a wired network are explained on the [[Man in the Middle/Wired]] page.

=Wireless Network=

A wireless network man-in-the-middle attack can be conducted a couple of different ways.

==ARP Cache Poisoning==

More on the [[ARP Poisoning]] page.

On a wireless router, ARP cache poisoning is only possible if the wireless router device itself has a physical switch built into it (i.e., multiple ethernet ports). If there is a single ethernet port or no ethernet ports, ARP cache poisoning will not work on that wireless router.

==Network Tap: Evil Twin Access Point==

The analogy of a physical tap, for a wireless network, is the Evil Twin access point attack. This creates a fake access point with the same information as the authentic access point. In this way, the target Sheep will connect to your device, rather than to the network device. Just as with a physical network tap, where the target device is physically connected to your network tap, with the Evil Twin access point the target device is wirelessly connected to your network tap.

This can be tricky to pull off, or even know when the Sheep is connected to your fake access point, as signal strength, distance, and scatter are important factors that are constantly shifting.

The [[Evil Twin]] page describes the configuration for the attack (but only half). This describes how a fake access point is created, and how a Sheep is tricked into connecting to the fake access point.

The [[Man in the Middle/Evil Twin]] page describes more details about the other half of the attack, namely, connecting to the network, and creating an interface to sniff traffic.

=Notes=

==Evil Twin Attack==

===2015-08-24===

[[Man in the Middle/Evil Twin]]

I've built an Evil Twin, gotten the sheep to connect, built a working bridge from the sheep to the internet, and sniffed the traffic with tcpdump. However, Wireshark and Ettercap both failed to recognize the bridge or see traffic on it, and I'm not sure what to do with it.

===2015-08-25===

Backing up a step.

Man in the middle experiments on a wired network.

{{AircrackFlag}}

[[Category:Wireless]]
[[Category:Security]]

Latest revision (wikitext source): the text rendered below. Markup present only in the source: the layer table is the {{NetworkStack}} template; the Layer 1 and 2 and Layer 3 and 4 sections open with {{Main|MITM/Layer 1 and 2}} and {{Main|MITM/Layer 3 and 4}}; the tool, page and lab names are wikilinks; the labs list is the {{MITMLabs}} template and the Flags section is {{MITMFlag}}; the page is in [[Category:Man in the Middle]], [[Category:Wireless]], [[Category:Security]] and [[Category:August 2016]].

Latest revision as of 04:48, 25 March 2022

Monkey in the Middle Attacks

Welcome to the Monkey in the Middle (MITM) attacks page. This page describes the many forms a MITM attack can take and the tools used to carry them out. It also covers several labs, each applying MITM techniques to a specific scenario.

The overarching way to think about these types of attacks is to use the 7-layer OSI model of networking:

Layer | Name         | Function
7     | Application  | Topmost layer; provides users a means to access network resources (the only level seen by the end user)
6     | Presentation | Transforms received data into a format readable by the application layer; handles encryption/decryption for secure data
5     | Session      | Manages communication sessions between computers and connections with other devices; half-duplex or full-duplex
4     | Transport    | Provides reliable data transport services to lower layers
3     | Network      | Routes data between physical networks; handles addressing via IP, packet fragmentation and error detection; router level; the most complex layer
2     | Data Link    | Transports data across a network; provides the addressing scheme that identifies physical devices (bridges, switches, MAC addresses)
1     | Physical     | The physical medium for the network communication signals

(Please Do Not Touch Steve's Pet Alligator)

(Phys Dat Net Trans Sesh Prezzy App)

Monkey in the middle attacks can occur at any layer, from Layer 1 up through Layer 7.

Let's run through a few specifics about MITM attacks first, then talk about what attacks at different layers look like.

What Are MITM Attacks

A monkey-in-the-middle attack is a general concept from cryptography. It consists of two parties, Alice and Bob, trying to have an encrypted conversation. However, it is foiled by an attacker, Eve, who gets in the middle. This means that Alice and Eve communicate with one encryption key, while Bob and Eve communicate with another key.

Important Parts

Any monkey in the middle attack on a computer network must have the following four important pieces:

1. Recon

2. Tricking the router/network device/destination into thinking they are connected to the Sheep, when they are really connected to the Attacker

3. Tricking the Sheep into thinking they are really connected to their router/network device/destination, when they are really connected to the Attacker

4. Building a bridge between the two connections so that traffic can continue to pass between the two parties and be observed/modified.

Attack Layers Perspective on MITM

Layer 1 and Layer 2: Physical/Data Layer MITM Attacks

MITM attacks at the physical level interfere with the normal physical channel of communication. On a wireless network, this might be a radio the attacker uses to transmit at high power toward a victim, swamping the legitimate radio signal. It may also be physical tampering with a connection; security professionals always prefer a physical network tap when possible, as the most reliable way to listen on a network.

These attacks involve not just the first layer but several layers above it: for example, the attacker must establish a connection to the sheep, which requires implementing more than Layer 1 of the network stack. The main MITM mechanism, however, occurs at Layer 1.

Main page: MITM/Layer 1 and 2

Evil twin attack: Evil Twin
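The Evil Twin attack above is easiest to spot from the defender's side by comparing what is on the air against the access points you actually own. This added example (not code from the wiki page) does that over a constructed scan; the record fields and the AP inventory are assumptions about what a scanner such as airodump-ng would provide.

```python
"""Flag possible Evil Twin access points in a Wi-Fi scan.

Added example, not code from the original wiki page. The scan records are
constructed; the field names and the AP inventory are assumptions about what
a scanner such as airodump-ng would provide.
"""
from collections import defaultdict

# Constructed sample scan: one genuine "CoffeeShop" AP and a rogue twin that
# copies its SSID but is open, uses another vendor's OUI and is much louder.
SAMPLE_SCAN = [
    {"ssid": "CoffeeShop", "bssid": "a4:2b:8c:11:22:33", "channel": 6, "security": "WPA2", "signal": -55},
    {"ssid": "CoffeeShop", "bssid": "de:ad:be:ef:00:01", "channel": 11, "security": "OPEN", "signal": -40},
    {"ssid": "Library", "bssid": "a4:2b:8c:44:55:66", "channel": 1, "security": "WPA2", "signal": -70},
]

# Known-good BSSIDs per SSID (assumed to come from the site's own AP inventory).
KNOWN_APS = {"CoffeeShop": {"a4:2b:8c:11:22:33"}, "Library": {"a4:2b:8c:44:55:66"}}

def find_evil_twins(scan, known_aps):
    """Return (ssid, bssid, reasons) for every AP advertising an inventoried SSID
    from a BSSID not in the inventory; reasons list the usual Evil Twin tells
    (weaker security, different vendor OUI, much stronger signal)."""
    by_ssid = defaultdict(list)
    for rec in scan:
        by_ssid[rec["ssid"]].append(rec)
    findings = []
    for ssid, recs in by_ssid.items():
        if ssid not in known_aps:
            continue  # not one of our SSIDs, so nothing of ours is impersonated
        genuine = [r for r in recs if r["bssid"] in known_aps[ssid]]
        for r in recs:
            if r["bssid"] in known_aps[ssid]:
                continue
            reasons = ["bssid not in inventory"]
            for g in genuine:
                if r["security"] != g["security"]:
                    reasons.append(f"security {r['security']} vs genuine {g['security']}")
                if r["bssid"][:8] != g["bssid"][:8]:
                    reasons.append("different vendor OUI")
                if r["signal"] > g["signal"] + 10:
                    reasons.append("much stronger signal than genuine AP")
            findings.append((ssid, r["bssid"], reasons))
    return findings

if __name__ == "__main__":
    for ssid, bssid, reasons in find_evil_twins(SAMPLE_SCAN, KNOWN_APS):
        print(f"possible evil twin of {ssid}: {bssid} ({'; '.join(reasons)})")
```

The signal-strength tell is the least reliable one, for the reason the page gives: distance and scatter shift constantly, so treat it as supporting evidence rather than a trigger on its own.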

Layer 3 and Layer 4: Network and Transport MITM Attacks

This is Wall of Sheep territory - Layer 3 and 4 are the layers where the protocols governing network highways are implemented. Most MITM attacks at this layer consist of maliciously rerouting network traffic so that instead of the sheep talking directly to the gateway, all of the traffic first passes through an attacker.
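The rerouting described above is most often done with ARP replies, which is what the Arpspoof tool and the ARP Poisoning labs on this page use. The following added example (not code from the wiki page) shows the detection side: it reads constructed tcpdump-style ARP lines and raises an alert when an IP's MAC changes or when one MAC answers for both the gateway and another host; the gateway address is an assumption about the sample network.

```python
"""Detect ARP cache poisoning in tcpdump-style ARP output.

Added example, not code from the original wiki page. The log lines are
constructed in the format ``tcpdump -n arp`` prints; the gateway address is
an assumption about the sample network.
"""
import re
from collections import defaultdict

# Constructed capture: the real gateway answers first, then a second host
# starts answering for both the gateway and a victim (the arpspoof pattern).
SAMPLE_LOG = """\
12:00:01.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28
12:00:01.000100 ARP, Reply 192.168.1.1 is-at a4:2b:8c:11:22:33, length 28
12:00:05.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
12:00:05.000100 ARP, Reply 192.168.1.50 is-at de:ad:be:ef:00:01, length 28
12:00:07.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
"""
GATEWAY_IP = "192.168.1.1"  # assumed gateway of the sample network
REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-fA-F:]{17})"
)

def detect_arp_poisoning(log_text, gateway_ip):
    """Return (timestamp, message) alerts, one per distinct finding.
    Two signs are checked: an IP whose MAC differs from the one first learned,
    and one MAC answering for the gateway and for another host at the same
    time, which is what an attacker must do to sit between the two."""
    learned = {}               # ip -> MAC first seen for it
    claims = defaultdict(set)  # mac -> IPs it has answered for
    alerts, seen = [], set()
    for line in log_text.splitlines():
        m = REPLY_RE.match(line)
        if not m:
            continue  # requests carry no binding; ignore them
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        msgs = []
        if ip in learned and learned[ip] != mac:
            msgs.append(f"{ip} changed from {learned[ip]} to {mac}")
        learned.setdefault(ip, mac)
        claims[mac].add(ip)
        others = claims[mac] - {gateway_ip}
        if gateway_ip in claims[mac] and others:
            msgs.append(f"{mac} answers for gateway {gateway_ip} and for {', '.join(sorted(others))}")
        for msg in msgs:
            if msg not in seen:   # report each finding once, not per packet
                seen.add(msg)
                alerts.append((ts, msg))
    return alerts
```

The first-learned MAC is trusted here only because the sample starts clean; in practice seed `learned` from a static gateway binding or a DHCP lease table rather than from whatever reply arrives first.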

Layer 6 and Layer 7: Presentation and Application MITM Attacks

You can use the Nishang tool to deliver malicious payloads (executables) onto a machine. One such payload is a MITM tool for eavesdropping on HTTPS sessions: Nishang/MITM Interceptor.

The Nishang MITM interceptor requires administrator permissions to install. It generates its own malicious certificate for each site and installs these certificates on the victim machine. This lets the interceptor MITM each HTTPS session, and the attack goes unnoticed because the victim machine now trusts the malicious certificates.

This is an example of a presentation and application layer attack, as it occurs at the level of a system application's HTTPS certificate check. This tool manipulates the trust chain for that information.

Other Perspectives

From http://wiki.cas.mcmaster.ca/index.php/Man_in_the_Middle_Attack:

LAN

  • ARP Poisoning
  • DNS Spoofing
  • STP Mangling
  • Port Stealing

Local to Remote

  • ARP Poisoning
  • DNS Spoofing
  • DHCP Spoofing
  • ICMP Redirection
  • IRDP Spoofing
  • Route Mangling

Remote

  • DNS Poisoning
  • Traffic
  • Route Mangling

Wireless

  • Access Point Reassociation

Software Tools

Attack Tools

Bettercap - very nice GUI tool for conducting MITM attacks

Dsniff - password sniffer, but comes with a suite of many useful MITM tools:

  • Arpspoof - sending spoofed ARP responses to carry out MITM on local network
  • Dnsspoof - spoofing arbitrary DNS queries on local network
  • Macof - tool to flood a router with random MACs, polluting its CAM table

For stripping the SSL layer from encrypted traffic:

  • SSLStrip
  • SSLSniff

Wireless Tools

Tools useful for wireless MITM attacks:

  • Aircrack
  • Karma

Analysis Tools

Wireshark

Tcpdump

Labs

Wherein we run experiments applying MITM techniques to a sandbox network and observe the results.

MITM Labs

ARP Poisoning

Dsniff ARP Poisoning: MITM Labs/Dsniffing Over Wifi

Bettercap ARP Poisoning: MITM Labs/Bettercap Over Wifi

DNS Hijacking

Bettercap to Hijack DNS: Bettercap/Failed DNS Spoofing Attack  · Bettercap/Failed DNS Spoofing Attack 2

Traffic Injection

Bettercap to Replace Images: MITM Labs/Bettercap to Replace Images

MITMf to Backdoor Browsers: MITM Labs/MITMf to Backdoor Browsers

HTTPS MITM

Browser + Wireshark/SSLSniff to Decrypt HTTPS: MITM Labs/Decrypting HTTPS Traffic with Private Key File

Browser + Wireshark to Decrypt HTTPS: MITM Labs/Decrypting HTTPS Traffic by Obtaining Browser SSL Session Info

Device MITM

Bettercap to MITM Android Phone: MITM Labs/Bettercap Android Evo

Bettercap to MITM iPhone: MITM Labs/Bettercap iPhone

Flags