From charlesreid1

Monkey in the Middle Attacks

Welcome to the Monkey in the Middle (MITM) attacks page. This page describes the many forms a MITM attack may take and the tools used to carry them out. It also covers several laboratories, each of which walks through a specific, applied MITM scenario.

The overarching way to think about these types of attacks is to use the 7-layer OSI model of networking:

Layer | Name         | Function
7     | Application  | Topmost layer, provides users a means to access network resources (the only level seen by the end user)
6     | Presentation | Transforms received data into a format readable by the application layer. Handles encryption/decryption for secure data
5     | Session      | Manages communication sessions between computers. Manages connections with other devices. Half-duplex or full-duplex.
4     | Transport    | Provides reliable data transport services to lower layers.
3     | Network      | Routes data between physical networks. Handles addressing via IP. Handles packet fragmentation and error detection. Router level. Most complex layer.
2     | Data Link    | Transports data across a network. Provides an addressing scheme to identify physical devices: bridges, switches, MAC addresses.
1     | Physical     | The physical medium for the network communication signals.

(Please Do Not Touch Steve's Pet Alligator)

Monkey in the middle attacks can occur on Level 1 on up through Level 7, and at every level in between.

Let's run through a few specifics about MITM attacks first, then talk about what attacks at different layers look like.

What Are MITM Attacks

A monkey-in-the-middle attack is a general concept from cryptography. It consists of two parties, Alice and Bob, trying to have an encrypted conversation. The conversation is foiled by an attacker, Eve, who gets in the middle: Alice and Eve communicate with one encryption key, while Bob and Eve communicate with another key, so each honest party believes it is talking securely to the other when it is really talking to Eve.
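The two-key situation above, modelled as an added example that is not part of the original page: Alice and Bob run an unauthenticated Diffie-Hellman exchange (the key agreement is my assumption, the page only says "encryption key") while Eve relays every message, and the defender-side check is an out-of-band comparison of key fingerprints, which reveals that Alice's and Bob's keys differ. The group parameters are a constructed toy and far too small for real use.

```python
import hashlib

# Toy Diffie-Hellman group, constructed for illustration only.
# 7 is a primitive root modulo 2**31 - 1; a real deployment uses a
# standard group of 2048 bits or more.
P = 2_147_483_647
G = 7


def dh_public(private: int) -> int:
    """Public value g^x mod p sent over the wire."""
    return pow(G, private, P)


def dh_shared(private: int, peer_public: int) -> int:
    """Shared secret computed from one's own private value and the peer's public value."""
    return pow(peer_public, private, P)


def fingerprint(shared: int) -> str:
    """Short hash of the derived key; this is what the two parties compare out of band."""
    return hashlib.sha256(str(shared).encode()).hexdigest()[:16]


def exchange_direct(a_priv: int, b_priv: int):
    """Honest exchange: Alice and Bob see each other's real public values."""
    k_alice = dh_shared(a_priv, dh_public(b_priv))
    k_bob = dh_shared(b_priv, dh_public(a_priv))
    return k_alice, k_bob


def exchange_with_interceptor(a_priv: int, b_priv: int, e_priv: int):
    """Eve relays the exchange, substituting her own public value in each
    direction. Returns (Alice's key, Bob's key, Eve's key towards Alice,
    Eve's key towards Bob)."""
    a_pub, b_pub, e_pub = dh_public(a_priv), dh_public(b_priv), dh_public(e_priv)
    k_alice = dh_shared(a_priv, e_pub)      # Alice believes e_pub came from Bob
    k_bob = dh_shared(b_priv, e_pub)        # Bob believes e_pub came from Alice
    k_eve_alice = dh_shared(e_priv, a_pub)  # what Eve uses to talk to Alice
    k_eve_bob = dh_shared(e_priv, b_pub)    # what Eve uses to talk to Bob
    return k_alice, k_bob, k_eve_alice, k_eve_bob


def interceptor_detected(k_alice: int, k_bob: int) -> bool:
    """Defender check: if the fingerprints Alice and Bob read to each other
    over an independent channel differ, someone is in the middle."""
    return fingerprint(k_alice) != fingerprint(k_bob)
```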

Important Parts

Any monkey in the middle attack on a computer network must have the following four important pieces:

1. Recon

2. Tricking the router/network device/destination into thinking they are connected to the Sheep, when they are really connected to the Attacker

3. Tricking the Sheep into thinking they are really connected to their router/network device/destination, when they are really connected to the Attacker

4. Building a bridge between the two connections so that traffic can continue to pass between the two parties and be observed/modified.

Attack Layers Perspective on MITM

Layer 1 and Layer 2: Physical/Data Layer MITM Attacks

MITM attacks at the physical level involve interference with a normal physical channel of communication. On a wireless network, this might be a wireless radio that an attacker uses to transmit radio signals at high power at a victim, thus swamping out another radio signal. It may be physical tampering with a connection - security professionals always prefer physical network taps when possible as a way to obtain a reliable ear on a network.

These types of attacks involve not just the first layer, but also several layers up - for example, the attacker must be able to establish a connection to the sheep, which involves implementing more than just Layer 1 of the network stack. However, the main MITM mechanism occurs at Layer 1.

Main page: MITM/Layer 1 and 2

Evil twin attack: Evil Twin

Layer 3 and Layer 4: Network and Transport MITM Attacks

This is Wall of Sheep territory - Layer 3 and 4 are the layers where the protocols governing network highways are implemented. Most MITM attacks at this layer consist of maliciously rerouting network traffic so that instead of the sheep talking directly to the gateway, all of the traffic first passes through an attacker.

Layer 6 and Layer 7: Presentation and Application MITM Attacks

You can use the Nishang tool to deliver malicious payloads (executables) onto a machine. One such payload is a MITM tool for eavesdropping on HTTPS sessions: Nishang/MITM Interceptor.

The Nishang MITM interceptor requires administrator permissions to install. It generates its own malicious certificate for each site and installs those certificates on the victim machine. This lets the interceptor MITM each HTTPS session, and because the installed certificates are trusted by the victim machine, no certificate warning gives the attack away.

This is an example of a presentation and application layer attack, as it occurs at the level of a system application's HTTPS certificate check: the tool manipulates the certificate trust chain that the check relies on.

Other Perspectives

From http://wiki.cas.mcmaster.ca/index.php/Man_in_the_Middle_Attack:

LAN

  • ARP Poisoning
  • DNS Spoofing
  • STP Mangling
  • Port Stealing

Local to Remote

  • ARP Poisoning
  • DNS Spoofing
  • DHCP Spoofing
  • ICMP Redirection
  • IRDP Spoofing
  • Route Mangling

Remote

  • DNS Poisoning
  • Traffic
  • Route Mangling

Wireless

  • Access Point Reassociation

Software Tools

Attack Tools

Bettercap - very nice GUI tool for conducting MITM attacks

Dsniff - password sniffer, but comes with a suite of many useful MITM tools:

  • Arpspoof - sending spoofed ARP responses to carry out MITM on local network
  • Dnsspoof - spoofing arbitrary DNS queries on local network
  • Macof - tool to flood a router with random MACs, polluting its CAM table
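Arpspoof works by answering ARP for both the gateway's and the sheep's IP with the attacker's MAC (steps 2 and 3 of "Important Parts" above). As an added example that is not from the original page or the Dsniff project, the following detection logic runs over a constructed sample of sniffed ARP replies and flags any IP claimed by more than one MAC, then singles out the MAC that claims several IPs at once. The log line format is my own simplification of what a sniffer prints.

```python
import re
from collections import defaultdict

# Constructed sample of ARP replies (time, sender IP, sender MAC); not real capture data.
# The gateway is 192.168.1.1 and the sheep is 192.168.1.20; the host at
# de:ad:be:ef:00:01 answers for both of them.
SAMPLE_ARP_LOG = """\
10:00:01 reply 192.168.1.1 is-at 00:11:22:33:44:01
10:00:05 reply 192.168.1.20 is-at 00:11:22:33:44:20
10:00:09 reply 192.168.1.1 is-at DE:AD:BE:EF:00:01
10:00:09 reply 192.168.1.20 is-at de:ad:be:ef:00:01
10:00:11 reply 192.168.1.1 is-at de:ad:be:ef:00:01
this line is noise and is skipped
"""

LINE_RE = re.compile(r"^(\S+) reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9A-Fa-f:]{17})$")


def parse_arp_log(text: str):
    """Return a list of (timestamp, ip, mac) tuples, MACs normalised to lower case."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2), m.group(3).lower()))
    return records


def find_arp_conflicts(records, trusted=None):
    """Map each IP claimed by more than one MAC to the sorted list of claimants.
    `trusted` optionally maps IP -> known-good MAC (e.g. the gateway from a
    static entry), so a single spoofed reply is flagged even if the real host
    never answered during the capture window."""
    seen = defaultdict(set)
    for _, ip, mac in records:
        seen[ip].add(mac)
    for ip, mac in (trusted or {}).items():
        seen[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def find_poisoner_macs(conflicts):
    """A MAC that appears in the conflict set of several IPs is the likely poisoner:
    an ARP-spoofing host claims the gateway and the sheep at the same time."""
    count = defaultdict(int)
    for macs in conflicts.values():
        for mac in macs:
            count[mac] += 1
    return sorted(mac for mac, n in count.items() if n > 1)
```

Feeding the same logic the live ARP table (ip neigh / arp -a) on a schedule, rather than a sniffed log, catches the change of the gateway's MAC that every ARP-based MITM on the LAN must cause.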

For stripping the SSL layer from encrypted traffic:

Wireless Tools

Tools useful for wireless MITM attacks:

Analysis Tools

Wireshark

Tcpdump

Labs

Wherein we run experiments applying MITM techniques to a sandbox network and observe the results.

MITM Labs

ARP Poisoning

Dsniff ARP Poisoning: MITM Labs/Dsniffing Over Wifi

Bettercap ARP Poisoning: MITM Labs/Bettercap Over Wifi

DNS Hijacking

Bettercap to Hijack DNS: Bettercap/Failed DNS Spoofing Attack and Bettercap/Failed DNS Spoofing Attack 2

Traffic Injection

Bettercap to Replace Images: MITM Labs/Bettercap to Replace Images

MITMf to Backdoor Browsers: MITM Labs/MITMf to Backdoor Browsers

HTTPS MITM

Browser + Wireshark/SSLSniff to Decrypt HTTPS: MITM Labs/Decrypting HTTPS Traffic with Private Key File

Browser + Wireshark to Decrypt HTTPS: MITM Labs/Decrypting HTTPS Traffic by Obtaining Browser SSL Session Info

Device MITM

Bettercap to MITM Android Phone: MITM Labs/Bettercap Android Evo

Bettercap to MITM iPhone: MITM Labs/Bettercap iPhone

Flags