What Is a Man-in-the-Middle (MITM) Attack?

By Felez

Expert member
9 Jul 2013
A man-in-the-middle attack is a network attack in which the attacker places himself between two communicating parties, eavesdrops on their traffic, captures data and can alter it at will. In a MITM attack the communication between the two parties can be interrupted, or a misleading exchange can be created. In short, the attack amounts to capturing and manipulating packets on the network.

Since frames on a wireless network are broadcast to everyone in range, an attacker can capture every packet without any preparation. Places that offer free Wi-Fi are therefore the most suitable environments for a MITM attack. The contents of unencrypted packets can be read directly. On such networks the attacker redirects the traffic so that it passes through him; the traffic of everyone on that network then starts to flow through the attacker, who can obtain personal data, passwords and much more from it.

In this attack the traffic passing between the target and network elements (server, switch, router or modem) is intercepted, as are data packets circulating freely on the communication network; this can be done either on the local network or on a remote network. There are many different types, including the following.

Attacks on the Local Network
ARP Poisoning: The attacker presents himself as the target by sending bogus ARP request frames, so the packets that should go to the real destination are sent to the attacker instead. In the target computer's ARP table the entry for the network device is mapped to the attacker's MAC address; in this way traffic begins to flow through him.

DNS Spoofing: DNS cache poisoning is an attack in which data is added to or altered in a DNS server's cache database, causing the name server to return incorrect IP addresses and redirect traffic to another computer (usually the attacker's).

Port Stealing: The attacker creates fake ARP frames using the destination host's MAC address as the source address. The switch is tricked into believing that the victim computer is connected to the attacker's port, so all data frames addressed to the victim's computer are delivered to the attacker's switch port.

STP Mangling: An attack that disrupts the operation of the Spanning Tree Protocol (STP) by constantly sending topology change requests.
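
The ARP poisoning described above leaves two traces a defender can look for: an IP (especially the gateway) suddenly bound to a different MAC, and one MAC claiming several IPs. The following detector, an added example that is not part of the original post, runs that logic over constructed ARP messages (all addresses are made up).

```python
"""Detect ARP poisoning from observed ARP traffic (added example, not part of the post).

Two symptoms are checked: an IP address (especially the gateway) suddenly resolving
to a different MAC, and one MAC answering for several IPs, i.e. the attacker
claiming to be both the victim and the gateway.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpMessage:
    sender_ip: str   # protocol address the sender claims
    sender_mac: str  # hardware address it wants bound to that IP


def detect_arp_poisoning(messages, gateway_ip):
    """Return a list of alert strings, in the order the suspicious messages were seen."""
    ip_to_mac = {}                  # the binding we currently trust per IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed so far
    alerts = []
    for m in messages:
        known = ip_to_mac.get(m.sender_ip)
        if known is not None and known != m.sender_mac:
            label = "GATEWAY " if m.sender_ip == gateway_ip else ""
            alerts.append(f"{label}MAC change for {m.sender_ip}: {known} -> {m.sender_mac}")
        ip_to_mac[m.sender_ip] = m.sender_mac
        before = len(mac_to_ips[m.sender_mac])
        mac_to_ips[m.sender_mac].add(m.sender_ip)
        if len(mac_to_ips[m.sender_mac]) > before > 0:
            claimed = ", ".join(sorted(mac_to_ips[m.sender_mac]))
            alerts.append(f"{m.sender_mac} claims multiple IPs: {claimed}")
    return alerts


# Constructed sample traffic: gateway .1 and victim .10 answer normally, then a third
# host (cc:...:99) claims both addresses, the pattern described in the post.
GATEWAY_IP = "192.168.1.1"
SAMPLE_MESSAGES = [
    ArpMessage("192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpMessage("192.168.1.10", "bb:bb:bb:bb:bb:10"),
    ArpMessage("192.168.1.1", "cc:cc:cc:cc:cc:99"),
    ArpMessage("192.168.1.10", "cc:cc:cc:cc:cc:99"),
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_MESSAGES, GATEWAY_IP):
        print("ALERT:", alert)
```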

Attacks over the Local Network on a Remote Gateway
ARP Poisoning

DNS Spoofing

DHCP Spoofing: The attacker acts as a DHCP server, handing out IP addresses to the victim computers and giving his own address as the gateway. In this way network traffic flows through him.

ICMP Redirect: Broadcast ICMP Redirect messages are used by attackers to hijack the victims' traffic for their own purposes.

IRDP Spoofing: The ICMP Router Discovery Protocol (IRDP) allows a host to discover the IP addresses of active routers. The attacker sends a forged IRDP router advertisement message to hosts on the subnet, causing them to change their default router.

Route Mangling: The attacker uses fake packets to convince the gateway that he is the best route to the client, so packets are forwarded to the client through the attacker rather than along the gateway's normal route.
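
The DHCP spoofing case above (a rogue server handing out its own address as the gateway) can be audited from the DHCPOFFER messages seen on the segment. The following check is an added example, not part of the original post; the authorized server MAC, expected gateway and DNS values, and the sample offers are all constructed.

```python
"""Spot a rogue DHCP server from observed DHCPOFFER messages (added example, not part of the post).

Offers are flagged when their source is not an authorized server, or when the router/DNS
options they push differ from the network's known values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DhcpOffer:
    server_mac: str    # Ethernet source of the OFFER
    server_id: str     # DHCP option 54, server identifier
    offered_ip: str    # yiaddr, the lease offered to the client
    router: str        # option 3, default gateway pushed to the client
    dns: tuple         # option 6, resolvers pushed to the client


def audit_dhcp_offers(offers, authorized_macs, expected_router, expected_dns):
    """Return (server_id, [reasons]) for every offer that looks rogue."""
    findings = []
    for o in offers:
        reasons = []
        if o.server_mac not in authorized_macs:
            reasons.append(f"unknown server MAC {o.server_mac}")
        if o.router != expected_router:
            reasons.append(f"gateway {o.router} differs from expected {expected_router}")
        unexpected = set(o.dns) - set(expected_dns)
        if unexpected:
            reasons.append(f"unexpected DNS server(s) {sorted(unexpected)}")
        if reasons:
            findings.append((o.server_id, reasons))
    return findings


# Constructed sample: the real router answers first, then a rogue host on the LAN
# answers the same request and points the client at itself for gateway and DNS.
AUTHORIZED_MACS = {"aa:aa:aa:aa:aa:01"}
EXPECTED_ROUTER = "192.168.1.1"
EXPECTED_DNS = ("192.168.1.1",)
SAMPLE_OFFERS = [
    DhcpOffer("aa:aa:aa:aa:aa:01", "192.168.1.1", "192.168.1.50", "192.168.1.1", ("192.168.1.1",)),
    DhcpOffer("cc:cc:cc:cc:cc:99", "192.168.1.66", "192.168.1.50", "192.168.1.66", ("192.168.1.66",)),
]

if __name__ == "__main__":
    for server_id, reasons in audit_dhcp_offers(SAMPLE_OFFERS, AUTHORIZED_MACS, EXPECTED_ROUTER, EXPECTED_DNS):
        print(f"rogue DHCP server {server_id}: " + "; ".join(reasons))
```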


Attacks on a Remote Network
DNS Poisoning

Traffic Tunnel: An attack in which the attacker creates a tunnel and inserts himself into the internal network.

Route Mangling

Detection and Protection Methods
Since a man-in-the-middle attack is very difficult to detect, it is more appropriate to concentrate on protection methods.

Authentication, that is, verifying where a message came from, is one method of protection and detection. Verifying that the messages exchanged with the server are genuine protects against forged packets. Authentication can be done with certificates; a public key infrastructure, as used by TLS, can harden TCP connections against MITM attacks. DNSSEC can secure the DNS protocol by validating DNS records and preventing malicious IP redirection. Using secure protocols such as SSH and, where possible, IPsec makes the network more secure by authenticating and encrypting data. Every point in the network must be secured.

Strong encryption on wireless access points prevents unwanted users from joining your network. The stronger the encryption in use, the more secure the network. Avoid using public and unencrypted Wi-Fi networks.

Your network should have strong firewalls and protocols to prevent unauthorized access.

Use third-party penetration testing tools and software, and HTTPS encryption, to detect and block phishing attempts. Prefer sites that support HTTPS.

Install active antivirus and anti-malware protection that includes a boot-time scanner on your system.

Provide training so that employees are aware of this issue.

Use a VPN. It can be used to create a subnet within a secure local network for the exchange of sensitive data. Key-based encryption ensures that all traffic is encrypted and only authorized persons can read the data. Man-in-the-middle attacks are therefore difficult to carry out when a VPN is in use.

Forensic Analysis

Records to examine to determine whether there is a MITM attack on the network and, if so, where it originates:

Server's IP address and DNS name
Validity status of the server's X.509 certificate, the certificate authority that signed it, and so on. Attack analysis can be done by examining the details of the certificate.
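
The certificate facts listed above (issuer, names, validity period) are exactly what is worth recording when a connection is suspected of being intercepted. The following is an added example, not part of the original post: `inspect_server()` performs a real CA-verified TLS handshake to a host you choose, while `summarize_cert()` is pure and works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, exercised here on a constructed certificate record (not a real certificate).

```python
"""Record the TLS certificate facts the post lists for MITM forensics (added example).

summarize_cert() is offline and works on the dict ssl.SSLSocket.getpeercert() returns.
"""
import socket
import ssl
import time


def _name_to_dict(name):
    # getpeercert() encodes X.509 names as a tuple of RDNs, each a tuple of (type, value) pairs
    return {k: v for rdn in name for k, v in rdn}


def summarize_cert(cert, hostname, now=None):
    """Return who issued the certificate, whom it names, and whether it is valid for hostname now."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    issuer = _name_to_dict(cert["issuer"])
    subject = _name_to_dict(cert["subject"])
    dns_sans = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    return {
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "subject_cn": subject.get("commonName"),
        "serial": cert.get("serialNumber"),
        "name_matches": hostname in dns_sans or subject.get("commonName") == hostname,
        "time_valid": not_before <= now <= not_after,
    }


def inspect_server(hostname, port=443, timeout=5.0):
    """Connect with the default CA-verifying context and summarise the leaf certificate.
    A handshake that fails verification (ssl.SSLCertVerificationError) is itself a finding:
    an interposed host presenting a forged certificate is what a MITM looks like on the wire."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return summarize_cert(tls.getpeercert(), hostname)


# Constructed sample in getpeercert() format; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Root"),)),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2026 GMT",
    "serialNumber": "0A1B2C3D",
}
```

Comparing the recorded issuer and serial against a previous, known-good capture of the same server is what turns this summary into evidence of interposition.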