A man-in-the-middle (MITM) attack is a type of cyberattack in which a malicious actor inserts themselves into a conversation between two parties, impersonates each party to the other, and gains access to (and can alter) the information the two parties are trying to send to each other.
How MITM works
Sniffing the traffic is actually pretty straightforward. For WiFi sniffing, for example, a standard adapter implementing the 802.11 protocol is sufficient on the hardware side; in addition the device driver and firmware must support a capture mode (promiscuous mode on Ethernet, monitor mode on 802.11). The only principal difference between normal and sniffing mode is packet filtering: normally the device software drops frames not addressed to it by checking the destination MAC address, while in sniffing mode it accepts all frames and passes them to the upper layers for analysis. Two caveats: on a switched Ethernet network the switch only delivers a unicast frame to the port that owns the destination MAC, so promiscuous mode alone shows you broadcasts and your own traffic, which is why the ARP poisoning described below is needed to see other hosts' traffic; and on a WPA2 WiFi network monitor mode captures the frames, but their payload is encrypted per client, so you also need the PSK and that client's four-way handshake to decrypt them.
Packet sniffing, or packet analysis, is the process of capturing data passed over the local network and looking for any information that may be useful. Most of the time system administrators use packet sniffing to troubleshoot network problems (like finding out why traffic is so slow in one part of the network) or to detect intrusions or compromised workstations (like a workstation that is continuously connected to a remote machine on port 6667 when nobody uses IRC clients), and that is what this type of analysis was originally designed for.
There are basically three types of packet sniffing:
ARP sniffing: rather than a mode of the network card, this is the technique described in the next section. The ARP caches of both network hosts (for example a client and the gateway) are poisoned so that each sends its traffic to the sniffer's host instead of directly to the other, and the sniffer forwards it on. This is what makes sniffing possible on a switched network.
IP sniffing: the network card is put in promiscuous mode and the sniffer captures every packet that matches an IP address filter (for example a capture filter on one host's address), so all traffic to and from that address is available for analysis and examination.
MAC sniffing: the same, but the filter selects frames by source or destination MAC address, which also catches non-IP traffic from that device.
How to perform MITM
To perform this locally, we make our host look like the router to another computer on our network and get that computer to send its traffic to us. To trick it into doing that we ARP poison it: we send the target forged ARP replies claiming that the default gateway's IP address belongs to our MAC address, so the target believes we are the default gateway and sends its traffic through us. We then forward the traffic to the actual default gateway (on Linux this means enabling IP forwarding, net.ipv4.ip_forward=1; otherwise the kernel drops the relayed packets and the victim simply loses connectivity, which is very noticeable) and poison the gateway in the same way, so that its replies for the victim also come back through us and we can forward them on. Everything appears to be normal and working on both ends, while we see, and can modify, every packet in between.
ARP, the Address Resolution Protocol, is how a host on a LAN discovers which MAC address belongs to an IP address, instead of each computer being given a static table of the mapping: it broadcasts a request ("who has this IP?"), the owner answers with a reply ("this IP is at this MAC"), and the host caches the answer. It is vulnerable to poisoning because the protocol has no built-in method of checking the authenticity of ARP replies, and most implementations also accept and cache replies they never asked for (unsolicited or "gratuitous" ARP). Replies can therefore be spoofed from any other host on the segment, and an attacker who keeps sending them keeps the victim's cache poisoned.
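To make the two points above concrete, the following added example (not code from the original post, and not tied to any particular tool) builds the spoofed "gateway is-at attacker" ARP reply byte for byte with the standard library, runs it through a model of a victim's ARP cache that behaves the way real stacks do (an unsolicited reply overwrites the entry), and then runs the same frames through an arpwatch-style check that flags a trusted IP being claimed by the wrong MAC. All addresses are made-up lab values; it does not put anything on the wire.

```python
"""Added example: build, parse and detect spoofed ARP replies without scapy."""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet frame carrying the ARP reply "<sender_ip> is-at <sender_mac>", sent to target."""
    eth = ETH_HDR.pack(mac_to_bytes(target_mac), mac_to_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac_to_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       mac_to_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet+ARP frame; raises ValueError for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        raise ValueError("frame too short for Ethernet+ARP")
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"op": op,
            "sender_mac": bytes_to_mac(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": bytes_to_mac(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


class VictimArpCache:
    """Models the behaviour that makes poisoning work: the host overwrites its entry for
    sender_ip with sender_mac on any reply it sees, never checking that it asked for the
    reply or that the sender really owns that IP."""

    def __init__(self):
        self.table = {}

    def process(self, frame: bytes) -> None:
        arp = parse_arp(frame)
        if arp["op"] == ARP_REPLY:
            self.table[arp["sender_ip"]] = arp["sender_mac"]

    def next_hop_mac(self, ip: str):
        return self.table.get(ip)


def detect_poisoning(frames, trusted: dict) -> list:
    """arpwatch-style check: flag replies that claim a trusted IP with an unexpected MAC.
    Returns (ip, expected_mac, observed_mac) tuples; non-ARP frames are skipped."""
    alerts = []
    for frame in frames:
        try:
            arp = parse_arp(frame)
        except ValueError:
            continue
        expected = trusted.get(arp["sender_ip"])
        if arp["op"] == ARP_REPLY and expected and expected.lower() != arp["sender_mac"]:
            alerts.append((arp["sender_ip"], expected, arp["sender_mac"]))
    return alerts


# Constructed lab addresses (assumptions for the example, not from the original post).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "bb:bb:bb:bb:bb:10"
ATTACKER_MAC = "cc:cc:cc:cc:cc:99"


def simulate_poisoning():
    """Returns (MAC the victim now uses for the gateway, alerts raised by the detector)."""
    legit = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    spoofed = build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)  # "gateway is-at attacker"
    victim = VictimArpCache()
    victim.process(legit)     # the real gateway answered at some point
    victim.process(spoofed)   # the unsolicited forged reply silently overwrites that entry
    alerts = detect_poisoning([legit, spoofed], {GATEWAY_IP: GATEWAY_MAC})
    return victim.next_hop_mac(GATEWAY_IP), alerts


if __name__ == "__main__":
    hop, alerts = simulate_poisoning()
    print("victim now sends gateway-bound traffic to", hop)
    for ip, expected, seen in alerts:
        print(f"ALERT: {ip} claimed by {seen}, expected {expected}")
```

The attacker side of a real run is the same 42-byte frame handed to a raw socket (or produced by ettercap or arpspoof) and resent every second or two so the entry does not expire; the defender side is the same comparison against a trusted table, which is exactly what arpwatch and switch features such as Dynamic ARP Inspection do.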
Tools to perform MITM
For HTTP(S) you can use Burp Suite's proxy (Java) or mitmproxy (Python); both terminate TLS with their own CA certificate, which the client has to trust.
tcpcatcher is a more general Java-based GUI capture-and-modify proxy. It is HTTP-biased, but accepts any TCP. It has SSL support, though the one drawback seems to be that there is no (documented) way to use your own specific certificate, only certificates generated on the fly.
ettercap includes features for ARP, ICMP (redirect), DNS and DHCP "interventions" (its ARP poisoning is what performs the redirection described above), and supports direct SSL MITM (though not currently via the GUI; you need to tinker with the configuration and/or command line). It seems to be the best all-in-one for most purposes.
sslsplit is another useful CLI tool; it is (mostly) for interception and logging, not modification. It is quicker to get started with than ettercap and has features like SNI inspection, dynamic certificate generation, support for *BSD and Linux firewall/NAT redirection, and OCSP/HPKP/SPDY countermeasures for HTTPS. Note that none of these tools breaks TLS itself: the victim either has to trust the tool's CA certificate or click through a certificate warning, and a client that pins its server certificate will refuse the forged one.