A Man-in-the-Middle (MITM) attack is a form of attack that allows a hacker to secretly intercept a wired or wireless connection between two parties who believe they are communicating safely and directly with each other.
When performed successfully, a MITM attack allows the hacker not only to eavesdrop on the communication between the victims but also to tamper with the data they exchange with each other. Most importantly, it may give the eavesdropper full access to the victims’ valuable information (login credentials, financial information, and so on).
This is why it’s so important to know more about different types and techniques of MITM attacks, as well as the ways to prevent these attacks.
How Does a MITM Attack Work?
The basic principle of every MITM attack is pretty similar: an attacker virtually puts themselves between two communicating parties, leaving the victims unaware of their presence. Remaining undiscovered, the intruder can intercept messages the victims send to each other, extract valuable information and change the original messages if they want.
There are two kinds of MITM attacks: passive and active. Passive MITM attacks are possible when RSA (Rivest–Shamir–Adleman) key exchange is used: an attacker who has obtained the server’s private key can decrypt the captured user traffic without altering it.
When it comes to an active MITM attack, the hacker’s main goal is to split an SSL/TLS session into two completely separate sessions. Then, the attacker can act as a proxy, monitoring and possibly altering all the data transmitted through a compromised channel.
Also, there are several forms of MITM attacks that exploit vulnerabilities in internet browsers (Man in the Browser), cloud services (Man in the Cloud), mobile applications (Man in the Mobile), or the Internet of Things (Man in the IoT).
Common Types of MITM Attacks
Depending on the goal and target, an attacker may use different types of MITM attacks. Below, we list the most common ones.
SSL and TLS Hijacking
When browsing the internet, users usually encounter one of two protocols: HTTP (Hypertext Transfer Protocol) or HTTPS (HTTP Secure, or HTTP over TLS). It is preferable to use HTTPS since it is protected by SSL/TLS encryption. Still, even HTTPS sites can be vulnerable to MITM attacks if a user doesn’t access them directly. When the victim first tries to access an unsecured HTTP site, the hacker may hijack the session before the user is redirected to the safer HTTPS site.
ARP Cache Poisoning
The Address Resolution Protocol (ARP) is a protocol used for mapping an Internet Protocol (IP) address to a physical machine address, such as a MAC address.
The main problem with ARP is its lack of an authentication protocol. There is a possibility of the attacker sending spoofed or fake ARP messages to the Local Area Network (LAN) and mapping the attacking MAC address to the target host’s IP address. As a result, the attacker can intercept all the traffic that was originally meant for the victim.
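Because ARP has no authentication, the defender’s realistic option is to watch for the symptoms described above: an IP address whose MAC mapping suddenly changes, and one MAC address claiming several IPs (the attacker posing as both the gateway and the victim so it can relay traffic in both directions). The following is an added example, not code from the original article: a small detector run over a constructed list of observed ARP replies in the style an arpwatch-type monitor would record. The addresses and timestamps are made up.

```python
"""Detect ARP cache poisoning from a log of observed ARP replies.

Constructed example: the records below are made-up (timestamp, IP, MAC)
observations such as a LAN sniffer or arpwatch-style monitor would produce.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: int    # seconds since capture start
    ip: str    # sender protocol address claimed in the reply
    mac: str   # sender hardware address


# Constructed observations: 10.0.0.1 is the gateway, 10.0.0.50 the victim.
# From t=120 a host with MAC aa:bb:cc:dd:ee:99 starts claiming both IPs.
SAMPLE_REPLIES = [
    ArpReply(0,   "10.0.0.1",  "00:11:22:33:44:01"),
    ArpReply(5,   "10.0.0.50", "00:11:22:33:44:50"),
    ArpReply(60,  "10.0.0.1",  "00:11:22:33:44:01"),   # gateway refreshes, same MAC
    ArpReply(120, "10.0.0.1",  "aa:bb:cc:dd:ee:99"),   # mapping flips
    ArpReply(121, "10.0.0.50", "aa:bb:cc:dd:ee:99"),   # same MAC now claims victim too
    ArpReply(122, "10.0.0.1",  "aa:bb:cc:dd:ee:99"),   # repeat, already known
]


def detect_arp_poisoning(replies):
    """Return a list of alert strings for two indicators of poisoning:

    1. an IP whose MAC differs from the one currently learned for it (flip), and
    2. a MAC that claims more than one IP address.

    The learned mapping is updated after each flip, so a later flip back to the
    legitimate MAC is reported too, while repeats of a known mapping stay silent.
    """
    known_mac = {}                  # ip -> MAC currently learned for it
    ips_by_mac = defaultdict(set)   # mac -> IPs it has claimed so far
    alerts = []
    for r in sorted(replies, key=lambda x: x.ts):
        prev = known_mac.setdefault(r.ip, r.mac)
        if prev != r.mac:
            alerts.append(f"t={r.ts}: {r.ip} changed from {prev} to {r.mac}")
            known_mac[r.ip] = r.mac
        before = len(ips_by_mac[r.mac])
        ips_by_mac[r.mac].add(r.ip)
        if before >= 1 and len(ips_by_mac[r.mac]) > before:
            claimed = ", ".join(sorted(ips_by_mac[r.mac]))
            alerts.append(f"t={r.ts}: {r.mac} claims multiple IPs: {claimed}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_REPLIES):
        print(line)
```

Run against the constructed sample, the detector raises three alerts: the gateway mapping flip at t=120, the victim mapping flip at t=121, and the attacker MAC claiming both IPs at t=121. Detection is only the monitoring half of the defence; it does not by itself stop the spoofed replies from being accepted by hosts on the segment.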
DNS Spoofing
Domain Name System (DNS) spoofing, otherwise known as DNS cache poisoning, is another common type of MITM attack. When DNS translates domain names to numerical IP addresses, it asks other servers for unknown translations and caches these translations for some time. If a DNS server caches a false translation, it may return an incorrect IP address, redirecting the victim to another computer.
Aside from MITM attacks, DNS spoofing is widely used for phishing attacks, where an attacker creates a fake version of a genuine website to gather users’ personal information.
Rogue Access Point
When targeting wireless networks, an attacker may use a rogue access point – a wireless access point connected to the network without approval from the network administrator. In some cases, a rogue access point may be added by a well-meaning employee as a way to ease access to the network from mobile devices. Such access points may also be used by attackers to gain access to the company’s network.
Common MITM Attack Techniques
Just as there are different types of MITM attacks, there are also several techniques a hacker may use for performing a MITM attack. The most common ones are:
- sniffing
- packet injection
- session hijacking
- SSL stripping
Sniffing is used for performing passive MITM attacks. The attackers inspect packets at a low level using different packet capture tools and gather information for further attacks.
Packet injection is used for compromising data communication streams by injecting malicious packets into them. Usually, this technique is used after sniffing has already been performed, because the attacker needs to know exactly when to craft and send the malicious packets.
Session hijacking is a technique used for intercepting a session established between two endpoints, for instance, a session between two machines communicating within a local network or a session between a user and a web application or a platform.
SSL stripping is used for downgrading HTTPS and forcing the victim to establish a connection with a more vulnerable unencrypted HTTP. Using different tools, such as SSLstrip or MITMproxy, the attacker may try to split an SSL/TLS session into two completely separate sessions: one between the victim and the attacker and the other between the attacker (who acts as a legitimate user) and the server.
For instance, SSLsplit, a penetration testing and research tool, is able to replace HTTPS links with their HTTP analogs whenever it’s possible, placing the attacker “in the middle” of the connection, thus allowing them to intercept the connection.
How to Prevent MITM Attacks?
There are two common ways you can defend your network, web application or website against MITM attacks: by using authentication certificates and by using the HTTPS protocol.
For ensuring the security of local networks and systems, you can use certificate-based authentication. It means that every employee device should have a properly configured certificate in order to gain access to your system or network.
When it comes to protecting web services, the best way is to use the HTTPS protocol instead of the much less safe HTTP. Using SSL/TLS certificates, you can upgrade the protocol of your website from HTTP to HTTPS and keep all connections between the website and end users encrypted and secure.
It is also important to make sure that all pages of your website are served over HTTPS and that no elements are left loading over HTTP, including widgets, scripts, pictures, and even hyperlinks. Your website’s login forms should also be HTTPS-protected to prevent possible hijacking of your users’ login credentials.
You may also use an Organization Validation (OV) SSL certificate or an Extended Validation (EV) SSL certificate to improve the level of your website’s encryption and confirm its authenticity. OV SSL and EV SSL certificates help boost your website’s credibility by showing the name of the company in the URL bar and making the address bar turn green. With these signs, the end user can be sure they are connecting to a legitimate website and not its faked copy.
Another option for preventing MITM attacks on your website is to implement HTTP Strict Transport Security (HSTS) on your server. This mechanism forces web browsers and applications to connect only to HTTPS-protected content and to block any attempt to connect to unencrypted HTTP pages. In addition, HSTS helps prevent cookie hijacking, thus protecting your users’ sensitive information.
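The two checks above (no elements left loading over HTTP, and HSTS actually enabled) are easy to automate against your own site. The following is an added example, not code from the original article: it scans a constructed HTML page for elements whose URL still uses the plain `http` scheme and inspects a constructed set of response headers for a missing or weak Strict-Transport-Security header. The hostnames, header values and the one-year minimum age are assumptions for the example.

```python
"""Audit a page for two HTTPS deployment mistakes:
   1. mixed content: widgets, scripts, images, links or forms still using http://
   2. a missing or weak Strict-Transport-Security (HSTS) header.
Constructed example: SAMPLE_HTML and SAMPLE_HEADERS are made-up input.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed response headers: HSTS is present but far too short-lived.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
}

# Constructed page: one stylesheet is fine, four other elements still use http://.
SAMPLE_HTML = """
<html><head>
  <script src="http://cdn.example.test/widget.js"></script>
  <link rel="stylesheet" href="https://cdn.example.test/site.css">
</head><body>
  <img src="http://img.example.test/logo.png">
  <a href="http://www.example.test/login">Log in</a>
  <form action="http://www.example.test/login" method="post"></form>
</body></html>
"""

# Which attribute carries the URL for each element type we audit.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src",
             "link": "href", "a": "href", "form": "action"}


class MixedContentScanner(HTMLParser):
    """Collect (tag, url) pairs whose URL uses the plain http scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)          # HTMLParser lowercases tag names
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url and urlparse(url).scheme == "http":
            self.findings.append((tag, url))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def check_hsts(headers, min_age=31536000):
    """Return a list of problems with the HSTS header; empty means acceptable.

    min_age defaults to one year (an assumed policy value for this example).
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["HSTS header missing"]
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val.strip()
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["max-age missing or not an integer"]
    problems = []
    if max_age < min_age:
        problems.append(f"max-age={max_age} is shorter than {min_age} seconds")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains not set")
    return problems


if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_HTML):
        print(f"mixed content: <{tag}> loads {url}")
    for problem in check_hsts(SAMPLE_HEADERS):
        print(f"HSTS: {problem}")
```

On the constructed input the scanner reports the script, image, hyperlink and form action that still point at http:// URLs, and the HSTS check flags both the short max-age and the absent includeSubDomains directive. Plain hyperlinks are included because the article lists them among the elements to convert, even though browsers treat only loaded resources as mixed content.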
And remember: hackers will never stop trying to get their hands on valuable information, so you need to do everything in your power to protect your website, platform, or application from as many risks as possible. The least you can do is use the methods listed above. And for a higher level of protection, you can always turn to experienced professionals who will take care of defending your business against MITM attacks of all kinds.