Unauthorized access, Man in the Middle (MITM)

Post on 19-Jan-2015


In this type of attack, the attacker attempts to insert himself in the middle of a communication for the purpose of intercepting the client's data.

Transcript of Unauthorized access, Man in the Middle (MITM)


IBM Rational Application Security Group (aka Watchfire)

Web Based Man In the Middle Attack © 2009 IBM Corporation

By:

Balvinder Singh & Priya Nain

Unauthorized Access:

Man-in-the-Middle Attacks (MITM)


Man-in-the-middle attacks

In this type of attack, the attacker attempts to insert himself in the middle of a communication for the purpose of intercepting the client's data, and could potentially modify it before discarding it or sending it on to the real destination.

The attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.


Figure: the attacker inserting himself in the middle of a communication between Client and Server.


Name Origin: The name "Man-in-the-Middle" is derived from the basketball scenario where two players intend to pass a ball to each other while one player between them tries to seize it. MITM attacks are sometimes referred to as "bucket brigade attacks" or "fire brigade attacks."

A MITM attack is also known as:

• Bucket-brigade attack

• Fire brigade attack

• Session hijacking

• TCP hijacking

• TCP session hijacking

• Monkey-in-the-middle attack


Man-in-the-middle attacks take two common forms:

• Eavesdropping: the attacker simply listens to a set of transmissions to and from different hosts even though the attacker's computer isn't party to the transaction. Many relate this type of attack to a leak, in which sensitive information could be disclosed to a third party without the legitimate user's knowledge.

• Manipulation: these attacks build on the capability of eavesdropping by taking this unauthorized receipt of a data stream and changing its contents to suit a certain purpose of the attacker, perhaps spoofing an IP address, changing a MAC address to emulate another host, or some other type of modification.


Security Breach Example


Man in the Middle Scenario

All laptop users connect to a public network.

Wireless connections can easily be compromised or impersonated.

Wired connections might also be compromised.


Rules of Thumb – Don’ts …

Someone might be listening to the requests:

– Don’t browse sensitive sites

– Don’t supply sensitive information

Someone might be altering the responses:

– Don’t trust any information given on web sites

– Don’t execute downloaded code


Rules of Thumb – What Can You Do?

This leaves us with:

– Browse Non-Sensitive sites

– Share personal information only over secure networks

Figure: non-sensitive sites ("boring") and sensitive sites ("interesting") reached over the Internet.


Passive Man in the Middle Attacks

– Victim browses to a website

– Attacker views the request and forwards it to the server

– Server returns a response

– Attacker views the response and forwards it to the victim

Other servers are not affected.


Active Man in the Middle Attack

The attacker actively directs the victim to an “interesting” site. The IFRAME could be invisible.

– Victim browses to a “boring” site (e.g. My Weather Channel)

– Attacker transfers the request to the server

– Server returns a response

– Attacker adds an IFRAME referencing an “interesting” site (e.g. My Bank Site)

– Automatic request sent to the interesting server

Other servers are not affected.
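Detection logic for the injected-IFRAME step above, as an added example that is not code from the original slides: it parses an HTML response and reports iframes whose origin differs from the page's own, marking frames sized or styled to be invisible. The sample page, the hostnames and the hidden-frame heuristic are constructed assumptions.

```python
"""Flag cross-origin (and hidden) IFRAMEs in an HTML response, the marker of
the active MITM above. Sample page and hostnames are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects every <iframe> src together with whether it looks hidden."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        style = (a.get("style") or "").replace(" ", "").lower()
        # Heuristic (assumed): zero size or CSS hiding means "invisible" frame
        hidden = (a.get("width") == "0" or a.get("height") == "0"
                  or "display:none" in style or "visibility:hidden" in style)
        self.frames.append((src, hidden))


def foreign_iframes(page_url, html):
    """Return [(src, hidden)] for iframes whose origin differs from page_url.
    Same-origin frames are normal site content; a cross-origin frame in a
    plain-HTTP "boring" page is what a MITM injects so the browser silently
    requests the "interesting" site with the victim's cookies."""
    page = urlparse(page_url)
    page_origin = (page.scheme, page.netloc.lower())
    parser = IframeCollector()
    parser.feed(html)
    out = []
    for src, hidden in parser.frames:
        u = urlparse(src)
        if not u.netloc:            # relative src: same origin as the page
            continue
        if (u.scheme or page.scheme, u.netloc.lower()) != page_origin:
            out.append((src, hidden))
    return out


# Constructed response: a weather page with one legitimate same-origin widget
# frame and one injected zero-size frame pointing at a bank.
SAMPLE_HTML = """<html><body><h1>My Weather Channel</h1>
<iframe src="/widgets/radar.html" width="300" height="200"></iframe>
<iframe src="http://mybank.example/account" width="0" height="0"></iframe>
</body></html>"""
```

Run `foreign_iframes("http://weather.example/", SAMPLE_HTML)` to see only the bank frame reported, flagged as hidden.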


Secure Connections

Login Mechanism


Session Fixation

– Cookie is saved on the victim’s computer

– Attacker redirects victim to the site of interest

– Attacker returns a page with a cookie generated by the server

– A while later, victim connects to the site (with the pre-provided cookie)

– Attacker uses the same cookie to connect to the server

– Server authenticates attacker as victim

Result: the server now authenticates the attacker as the victim/client, so the attacker has the same privileges as the victim.
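The fixation sequence above, as an added example (not code from the original slides): a toy in-memory session store with a login handler that keeps the session id the client presented, beside one that issues a fresh id at login. The store layout, the cookie handling and the user name are assumptions.

```python
"""Session fixation: login that keeps the presented session id (vulnerable)
beside login that issues a fresh id (hardened). Store and names are assumed."""
import secrets


class SessionStore:
    """In-memory map of session id -> authenticated user (None = anonymous)."""

    def __init__(self):
        self.sessions = {}

    def anonymous_session(self):
        """Server hands out an unauthenticated id on first contact; this is
        the id the attacker obtains and plants on the victim."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = None
        return sid

    def whoami(self, sid):
        """Identity the server attributes to a request carrying cookie sid."""
        return self.sessions.get(sid)


def login_vulnerable(store, presented_sid, user):
    """Vulnerable: marks the id the client presented as authenticated, so a
    planted id becomes a valid session for whoever else holds it."""
    if presented_sid not in store.sessions:
        presented_sid = store.anonymous_session()
    store.sessions[presented_sid] = user
    return presented_sid


def login_hardened(store, presented_sid, user):
    """Hardened: drops the presented id and issues a fresh one at login, so a
    pre-provided cookie never turns into an authenticated session."""
    store.sessions.pop(presented_sid, None)
    new_sid = secrets.token_hex(16)
    store.sessions[new_sid] = user
    return new_sid


def simulate(login):
    """Replay the slide's sequence against one login handler and return the
    identity the server grants to the attacker's copy of the fixed cookie."""
    store = SessionStore()
    fixed_sid = store.anonymous_session()   # attacker gets a server cookie
    login(store, fixed_sid, "victim")       # victim logs in with that cookie
    return store.whoami(fixed_sid)          # attacker reuses the same cookie


if __name__ == "__main__":
    print("vulnerable:", simulate(login_vulnerable))  # victim
    print("hardened:  ", simulate(login_hardened))    # None
```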


Attack strategy – Spoofing

Spoofing is the creation of TCP/IP packets using somebody else's IP address. Routers use the "destination IP" address in order to forward packets through the Internet, but ignore the "source IP" address. That address is only used by the destination machine when it responds back to the source.

An example from cryptography is the Man-in-the-Middle attack, in which an attacker spoofs Alice into believing the attacker is Bob, and spoofs Bob into believing the attacker is Alice, thus gaining access to all messages in both directions without the trouble of any cryptanalytic effort.


Types of Spoofing

• E-Mail address Spoofing

• URL Spoofing and Phishing

• Referrer Spoofing


URL spoofing and phishing

Another kind of spoofing is "webpage spoofing”, also known as phishing. In this attack, a legitimate web page such as a bank's site is reproduced in "look and feel" on another server under control of the attacker. The main intent is to fool the users into thinking that they are connected to a trusted site, for instance to harvest usernames and passwords.

Referrer spoofing

Some websites, especially pay sites, allow access to their materials only from certain approved (login) pages. This is enforced by checking the Referer header of the HTTP request.


E-mail address spoofing

The sender information shown in e-mails (the "From" field) can be spoofed easily. This technique is commonly used by spammers to hide the origin of their e-mails and leads to problems such as misdirected bounces.

For example, an attacker sends a message to a user with a changed ‘From’ field; the user thinks the message came from a trusted person and may reply to it, and the data in that reply may be misused.


Defending against Spoofing

Spoofing is difficult to defend against because the attacks are mostly passive by nature.

• What you get is a webpage that is different from what you are expecting.

In very targeted attacks it is very possible that you may never know that attackers have entered your system.

• By using a virtual proxy generator

• By using a login mechanism
