The attacker intercepts and relays messages between two parties while they believe they are still interacting directly with each other. This is called a man-in-the-middle (MitM) attack. Every router, gateway or WiFi access point can act as a man in the middle. SSL encryption does not prevent this attack, because the attacker holds the private key needed to decrypt the data. There are three different kinds of man-in-the-middle attack:
- MitM: Session Hijacking
- MitM: IP Spoofing
- MitM: Replay/Playback
1. MitM: Session Hijacking: After getting in between the communication of two systems, the attacker hijacks a session between a trusted client and a network server by predicting the sequence number of the next TCP packet. The attacking computer substitutes its own IP address for the trusted client's, while the server continues the session believing it is still communicating with the client. For example:
- A client connects to a server.
- The attacker’s computer gains control of the client.
- The attacker’s computer disconnects the client from the server.
- The attacker’s computer replaces the client’s IP address with its own IP address and spoofs the client’s sequence numbers.
- The attacker’s computer continues the dialog with the server, and the server believes it is still communicating with the client.
This works because mutual authentication is only performed once, at the beginning of the communication.
2. MitM: IP Spoofing: Internet communication works by including the sender’s address (source address) and the receiver’s address (destination address) in the IP header. This is a weakness of TCP/IP because it is generally not possible to encrypt these addresses. Furthermore, the receiver has no way to check that the IP header is legitimate; every IP packet can be manipulated. An attacker pretends to be one of the two parties in order to obtain the data intended for it, or to block one party from communicating with the other. For IP spoofing to work, the system must be vulnerable to this kind of attack.
ARP Spoofing: A variant of IP spoofing used by attackers to get into the position of a man-in-the-middle by exploiting weaknesses of Ethernet. ARP requests are faked and the MAC address forged so that traffic can be redirected. ARP spoofing is only possible if the attacker is on the same network as the victim, regardless of whether Ethernet or WiFi is used.
DNS Spoofing: There are several ways for an attacker to redirect traffic to his own system before letting it reach the correct destination. The easiest is for the attacker to answer a DNS request with a forged IP address. This fake address is delivered to the victim, which then connects to the attacker-controlled server.
3. MitM: Replay/Playback:
Prevention:
- Strict encryption of all communication
- Up-to-date software
- Only use secure and legitimate SSL certificates from trusted companies
- Use a firewall
- Monitoring of network activity
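As an added example (not part of the original notes), the following script shows what "monitoring of network activity" can look like for the ARP spoofing case described above: an attacker on the local segment must make the victim believe the gateway's IP belongs to the attacker's MAC, which leaves two symptoms on the wire, an IP whose MAC binding changes and one MAC answering for several IPs. The ARP replies, IP addresses and MAC addresses are constructed sample data; the detection logic is an assumption about a reasonable check, not a specific tool's implementation.

```python
"""Flag ARP-spoofing indicators in a sequence of observed ARP replies."""
from collections import defaultdict

# Constructed sample of ARP replies seen on the segment: (sender_ip, sender_mac).
# The third entry re-binds the gateway IP to the workstation's MAC, which is
# exactly what an ARP-spoofing man-in-the-middle produces.
SAMPLE_REPLIES = [
    ("192.0.2.1", "00:00:5e:00:53:01"),   # gateway, legitimate binding
    ("192.0.2.10", "00:00:5e:00:53:0a"),  # workstation
    ("192.0.2.1", "00:00:5e:00:53:0a"),   # gateway IP now claimed by workstation MAC
    ("192.0.2.20", "00:00:5e:00:53:14"),  # unrelated host, nothing suspicious
]


def detect_arp_spoofing(replies):
    """Return a list of alert strings; an empty list means nothing suspicious.

    Two checks are applied while replaying the replies in order:
      1. an IP whose MAC binding changes from what was seen before;
      2. a MAC that claims more than one IP (e.g. its own plus the gateway's).
    Hosts that legitimately own several IPs (proxy ARP, multi-homed routers)
    will trigger check 2, so alerts should be reviewed against a known-good list.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in ip_to_mac and ip_to_mac[ip] != mac:
            alerts.append(f"MAC change for {ip}: {ip_to_mac[ip]} -> {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(
                    f"MAC {mac} claims multiple IPs: {sorted(mac_to_ips[mac])}"
                )
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES):
        print("ALERT:", alert)
```

Real deployments would feed this from a packet capture or the host's ARP cache and compare against a static table of known gateway bindings, which removes most of the false positives noted in the docstring.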