Machine in the Middle (MitM) - General

From Embedded Lab Vienna for IoT & Security

Summary

This documentation aims to provide a general description of Machine-in-the-Middle (MitM) attacks; two example tools, Ettercap and Bettercap, are presented. Note that MitM is a very broad term and many aspects, methodologies, and tools fall into this category. In practice especially, people use the term "MitM" in a variety of contexts. This article is therefore only an overview: depending on your specific needs and goals, a deeper dig into the related documentation of the technologies and tools will be necessary. You might also first search the Elvis Wiki for an existing article on the topic and start working from that.

What is a Machine-in-the-Middle (MitM) attack?

The term "Man-in-the-Middle" attack is nowadays considered deprecated as it is not gender-inclusive. Therefore, and to keep the commonly used abbreviation "MitM", the attack is nowadays often called Machine-in-the-Middle or sometimes "Person-in-the-Middle" (PitM).

NIST, the National Institute of Standards and Technology, a well-known and highly renowned organization in the information security industry, gives the following compact, though meaningful, definition of a MitM: "An attack where the adversary positions themselves between the user and the system so that they can intercept and alter data traveling between them." (https://csrc.nist.gov/glossary/term/mitm, accessed: 22.12.2023) Please note that the quotation has been adapted to gender-neutral language (themselves instead of himself, they instead of he). The definition talks about a "user" and a "system". In practice, the "user" is often a client (the Internet-connected device a human user is working on), and the "system" is usually a server that provides services, processes requests, and delivers responses.

In cyber security, gaining a MitM position is often the goal of the adversary (or of another interested party, such as a security researcher), as it allows this entity to read data (which, depending on the scenario, may be encrypted), modify data, drop data, perform further unintended actions, or a combination of these.

Think of a MitM attack like this:

[Image: BasicMitM.png]

In the picture, the MitM sits between a client (user) and a web server providing a website.

MitM is closely connected to the concept of "spoofing", where spoofing means, very basically speaking, forging the (source) parameter of a protocol message in order to mimic another identity.

Think of spoofing like this:

[Image: BasicSpoofing.png]

How do Machine-in-the-Middle attacks (and tools) work?

Keep in mind that MitM is a very general term; looking at it in more detail, it becomes clear that there are several specific techniques for achieving a MitM position.

Below, some common techniques are listed with a short description.

ARP Spoofing/Cache Poisoning

ARP (Address Resolution Protocol) is a stateless protocol responsible for translating IP addresses to MAC addresses and maintaining those mappings in a so-called ARP table. ARP Spoofing manipulates the ARP tables of network devices by sending fake ARP messages; this works at any time because ARP is stateless, so most hosts accept replies they never asked for. The attacker's MAC address is then associated with the IP address of a legitimate device, redirecting traffic through the attacker's system. Cache Poisoning involves injecting false data into the caches of user machines, routers, and/or switches. ARP Spoofing only works when the attacker has access to the switched local network. A common goal for the attacker is to imitate the gateway the other devices use to access the internet, as it is the most valuable connection from the attacker's perspective.

Think of ARP like this:

[Image: ARP.png]

The attacker now wants to change the mapping from IP address to MAC address. A very achievable goal for the attacker is to take the position between a client machine and the gateway, as mentioned previously.

[Image: ARPSpoofing.png]
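The defender's view of the attack described above: a passive monitor on the LAN that watches ARP replies and raises an alert when the gateway's IP suddenly maps to a different MAC, or when one MAC claims both the gateway's and a client's IP. This is an added illustration, not code from the original article or from Ettercap/Bettercap; the addresses and the reply stream are constructed.

```python
from collections import defaultdict

# Constructed ARP reply stream (sender IP, sender MAC) as a passive LAN monitor
# would record it; hypothetical addresses, not captured traffic.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),  # gateway announces its real MAC
    ("192.168.1.10", "aa:bb:cc:00:00:10"),  # a client
    ("192.168.1.1",  "AA:BB:CC:00:00:01"),  # benign refresh (only the case differs)
    ("192.168.1.1",  "de:ad:be:ef:00:99"),  # gateway IP now claimed by a new MAC
    ("192.168.1.10", "de:ad:be:ef:00:99"),  # same MAC also claims the client IP
    ("192.168.1.10", "de:ad:be:ef:00:99"),  # repeat of the above: no new alert
]

def detect_arp_spoofing(replies, gateway_ip, known_bindings=None):
    """Return alert strings for two arpwatch-style symptoms of ARP poisoning:
    1. an IP whose MAC differs from its first learned (or pre-seeded) binding;
       a changed gateway binding is rated CRITICAL
    2. one MAC claiming several IPs, the pattern of poisoning both ends
    Seed known_bindings with static entries (e.g. the gateway) so a monitor that
    starts late does not learn the attacker's mapping as its baseline.
    """
    bindings = {ip: mac.lower() for ip, mac in (known_bindings or {}).items()}
    ips_per_mac = defaultdict(set)
    reported = set()      # (ip, mac) conflicts already alerted on
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        expected = bindings.setdefault(ip, mac)
        if mac != expected and (ip, mac) not in reported:
            reported.add((ip, mac))
            sev = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{sev}: {ip} moved from {expected} to {mac}")
        if ip not in ips_per_mac[mac]:
            ips_per_mac[mac].add(ip)
            if len(ips_per_mac[mac]) > 1:
                alerts.append(f"WARNING: {mac} claims {sorted(ips_per_mac[mac])}")
    return alerts

if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_ARP_REPLIES, "192.168.1.1"):
        print(line)
```

On a real host the same logic can be fed from the kernel ARP table or a packet capture; static ARP entries for the gateway and the dedicated alerting tools (arpwatch, switch features such as Dynamic ARP Inspection) are the production counterparts.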

DNS Cache Poisoning

DNS Cache Poisoning exploits weaknesses in the resolution process of the DNS (Domain Name System), which network-capable devices use to find the IP address for a given human-readable name (such as the hostname in a URI). Attackers inject malicious DNS records into the cache of DNS resolvers, causing incorrect IP addresses to be returned for domain names. By corrupting DNS data, attackers can redirect users to malicious websites without their knowledge. One famous example is the Kaminsky attack of 2008, which allowed an attacker to pose as www.google.com. Fortunately, the most serious DNS flaws it relied on have been patched, and it is no longer as easy as in 2008 to become Google, Amazon, Facebook or any other website you can think of.
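To show what "patched" means for a resolver, here is a simplified model of the checks a hardened resolver applies before it caches a response: the transaction ID and the randomized source port must match the outstanding query, the question must be the one it asked, and only records inside the answering server's bailiwick are kept. This is an added illustration with constructed messages (dicts instead of DNS wire format), not code from the original article or from any real resolver.

```python
import secrets

# Added illustration with constructed, simplified DNS messages (dicts instead of
# wire format); names and addresses are hypothetical, not real DNS traffic.

def new_query(name):
    """Record an outstanding query the way a hardened resolver does: random
    16-bit transaction ID plus a random source port (the post-2008 fix), so a
    forger has to guess roughly 32 bits instead of 16."""
    return {"name": name.lower(), "txid": secrets.randbelow(1 << 16),
            "port": 1024 + secrets.randbelow(65536 - 1024)}

def in_bailiwick(record_name, zone):
    """True if record_name is the zone itself or lies below it."""
    r, z = record_name.lower().rstrip("."), zone.lower().rstrip(".")
    return r == z or r.endswith("." + z)

def accept_response(query, response, zone):
    """Return the records the resolver may cache from `response`, or None if
    the whole response must be discarded. `zone` is the zone the queried name
    server is authoritative for (e.g. "example.org" for a query sent to its NS).
    """
    if (response["txid"], response["port"]) != (query["txid"], query["port"]):
        return None          # txid or port guessed wrong: forged or stale
    if response["question"].lower() != query["name"]:
        return None          # answers a question we did not ask
    # Bailiwick rule: only keep records the answering server is allowed to speak
    # for. Note that a forged in-bailiwick record (www.example.org injected
    # while we asked for random.example.org) passes this rule; stopping that
    # Kaminsky-style injection is what the txid+port entropy above is for.
    return [rec for rec in response["records"] if in_bailiwick(rec["name"], zone)]

def forgery_hit_probability():
    """Chance that one blindly forged response matches txid and source port."""
    return 1 / ((1 << 16) * (65536 - 1024))
```

With only the 16-bit transaction ID to guess (fixed source port, the pre-2008 situation) the per-packet hit chance is 1/65536; with the randomized port it drops by a further factor of about 64,000, which is why flooding forged replies stopped being practical.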

IP Spoofing

IP Spoofing means forging the source IP address in packets to deceive the target about the origin of the communication. It is often used in conjunction with other techniques for more sophisticated attacks. One example of an IP Spoofing attack is the "Smurf attack": the attacker sends a large number of Internet Control Message Protocol (ICMP) Echo Request (ping) packets with a spoofed source IP address, namely the victim's, to a network's broadcast address. Every host that answers sends its ICMP Echo Reply to the spoofed source, so the victim is flooded with replies, overwhelming its network resources.

WiFi MitM

Similar to wired networks, MitM also works in wireless environments. To give you an idea of what this might look like, we focus on one specific attack, the "Evil Twin Access Point" attack. In this scenario, an attacker creates a rogue wireless access point (AP) with an SSID identical to or closely resembling that of a legitimate/trusted WiFi (using e.g., airgeddon). When a device (client) connects (if it is already connected to the legitimate AP, the attacker will first have to perform a Deauthentication attack or Beacon Frame spoofing), the attacker gains the capability to intercept, monitor, or manipulate the data flowing between the victim's device and the network. This is especially dangerous in public WiFi, so one should be careful when using the WiFi at a restaurant/café, airport, train etc.

How to prevent MitM?

Tools

Ettercap

Enter these commands in the shell

echo foo
echo bar

Bettercap

Bettercap declares itself as “[t]he Swiss Army knife for WiFi, Bluetooth Low Energy, wireless HID hijacking and IPv4 and IPv6 networks reconnaissance and MITM attacks.” (https://www.bettercap.org/, accessed on 22.12.2023)

Here, too, we want to do ARP Spoofing/Cache Poisoning.

Bettercap is not preinstalled on Kali Linux, but you can easily install it with:

sudo apt-get install bettercap

For further details, please note that there is also a separate Elvis Wiki article: https://wiki.elvis.science/index.php?title=Bettercap

Used Hardware


Courses

References