
Man in the middle attacks

Topics
- What are Man in the Middle Attacks?
- Ways to implement a Man in the Middle Attack
- HTTPS
- Ways to protect against Man in the Middle Attacks
MITM Attacks - What are they?
How does the ARP protocol work?
ARP request packet: Hey, my IP address is XX.XX.XX.XX, and my MAC address is XX:XX:XX:XX:XX:XX. I need to send something to whoever has the IP address XX.XX.XX.XX, but I don't know what their hardware address is. Will whoever has this IP address please respond back with their MAC address?
ARP reply packet answer: Hey transmitting device. I am who you are looking for with the IP address of XX.XX.XX.XX. My MAC address is XX:XX:XX:XX:XX:XX.
Once this is completed the transmitting device will update its ARP cache table and the devices are able to communicate with one another.
- You can view the cache table with the arp -a command
ARP Cache Poisoning
ARP is a stateless protocol.
Network hosts will automatically cache any ARP replies they receive, regardless of whether or not they requested them.
Even ARP entries which have not yet expired will be overwritten when a new ARP reply packet is received.
There is no method in the ARP protocol by which a host can authenticate the peer from which the packet originated.
This behavior is the vulnerability which allows ARP spoofing to occur.
ARP MITM attack
- You just have to send an ARP reply to the target computer that tells it that the MAC address corresponding to the IP of the router/switch is your own MAC address.
- After this the computer will send the traffic it would normally send to the router/switch to you.
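The overwrite behaviour described above is also what a defender can watch for. The following is an added example, not code from the slides: it tracks IP-to-MAC bindings the way a host's ARP cache does and flags a reply that rewrites the gateway's MAC or a MAC that answers for several IPs. The log lines are constructed in the style of tcpdump's ARP output.

```python
# Added example (not from the slides): detect the ARP-cache overwrite described
# above. Input is constructed, in the style of tcpdump's ARP output.
import re
from typing import Optional

ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})", re.I)

class ArpMonitor:
    """Tracks IP -> MAC like a host's ARP cache, but records suspicious changes."""

    def __init__(self, gateway_ip: str):
        self.gateway_ip = gateway_ip
        self.cache: dict[str, str] = {}
        self.alerts: list[str] = []

    def observe_line(self, line: str) -> Optional[str]:
        m = ARP_REPLY.search(line)
        if not m:
            return None                      # not an ARP reply; ignore
        ip, mac = m.group(1), m.group(2).lower()
        alert = None
        previous = self.cache.get(ip)
        if previous is not None and previous != mac:
            # A real host overwrites silently (stateless ARP); we flag it instead.
            who = "GATEWAY" if ip == self.gateway_ip else "host"
            alert = f"{who} {ip} changed MAC {previous} -> {mac}"
        # One MAC answering for several IPs is the classic spoofing footprint.
        others = sorted(i for i, m2 in self.cache.items() if m2 == mac and i != ip)
        if others:
            alert = f"{alert or ip} | MAC {mac} also claims {others}"
        self.cache[ip] = mac                  # mimic the unconditional overwrite
        if alert:
            self.alerts.append(alert)
        return alert

SAMPLE_LOG = """\
ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
ARP, Reply 192.0.2.1 is-at aa:bb:cc:00:00:01, length 28
ARP, Reply 192.0.2.20 is-at aa:bb:cc:00:00:20, length 28
ARP, Reply 192.0.2.1 is-at aa:bb:cc:00:00:20, length 28
"""  # constructed: the last reply rewrites the gateway's MAC to host .20's MAC

def run_monitor(log: str = SAMPLE_LOG, gateway_ip: str = "192.0.2.1") -> list[str]:
    mon = ArpMonitor(gateway_ip)
    for line in log.splitlines():
        mon.observe_line(line)
    return mon.alerts

if __name__ == "__main__":
    for a in run_monitor():
        print(a)
```

In practice the same logic can be fed the output of `tcpdump -n arp` or a periodic diff of `arp -a` against a known-good gateway MAC.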

ARP MITM attack
- What do you do now that you have all the traffic from your target directed towards you?
ARP MITM Attacks
- Act like a proxy: forward it to the real target and send the target's response back, inspecting it in the process (sniffing)
- Act like a proxy + modify the packets
WAN MITM attacks
DNS spoofing
TLS/SSL Hijacking
- Suppose an attacker has carried out a MITM attack against you.
You access https://mail.google.com.
Can he see the traffic? In what way?
Can he send you a fake https://mail.google.com page that looks just like the original one, so that you enter your credentials and he captures them?
TLS/SSL Hijacking
What can he do then?
TLS/SSL Hijacking
Redirect you to https://mail.g00gle.com. You will probably not notice.
(This requires that he owns that domain.)
What if he can't own it for some reason?
TLS/SSL Hijacking
1. The client browser connects to http://mail.google.com on port 80 using HTTP.
2. The server redirects the client to the HTTPS version of this site using an HTTP code 302 redirect.
3. The client connects to https://mail.google.com on port 443.
4. The server provides a certificate to the client containing its digital signature. This certificate is used to verify the identity of the site.
5. The client takes this certificate and verifies it against its list of trusted certificate authorities.
6. Encrypted communication ensues.
TLS/SSL Hijacking
1. The client browser connects to http://mail.google.com on port 80 using HTTP.
2. The server redirects the client (in fact the attacker, who is relaying the connection) to the HTTPS version of this site using an HTTP code 302 redirect.
3. The attacker connects to https://mail.google.com on port 443 and sends the page content it has received on to the client, but with the SSL/TLS layer stripped.
Basically the client receives what it asked for, http://mail.google.com, because it didn't explicitly ask for https://mail.google.com. The browser doesn't suspect anything, so it's up to the user to notice that the small https lock icon is missing. He won't in most cases; that icon is too small IMHO.
New HTTP Header (IETF draft, supported by Chrome, Firefox, etc):
Strict-Transport-Security: max-age=16070400; includeSubDomains
When the browser sees this, it will remember, for the given number of seconds, that the current domain should only be contacted over HTTPS. In the future, if the user types http:// or omits the scheme, HTTPS is the default. In fact, all requests for URLs in the current domain will be redirected to HTTPS. (So you have to make sure that you can serve them all!)
This is still vulnerable if the user has a fresh install or has cleaned the local browser cache. To prevent this there's a preloaded list of sites inside the browser that should only be loaded using https (e.g. if you write http://www.google.com the browser will request https://www.google.com instead).
Defending - HSTS preloading
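The browser-side logic just described, as an added example that is not part of the original slides: the store parses the Strict-Transport-Security header, honours max-age expiry and includeSubDomains, consults a stand-in preload list, and shows that a fresh profile with no stored policy still sends the plain http:// request that SSL stripping relies on. Hostnames, the preload entry and the clock values are constructed.

```python
# Added example (not from the slides): a minimal model of how a browser
# applies Strict-Transport-Security, including a stand-in preload list
# and the fresh-install gap. Hostnames and clock values are constructed.
import re
import time
from urllib.parse import urlsplit, urlunsplit

PRELOAD = {"www.google.com"}   # stand-in for the browser's built-in preload list

class HstsStore:
    def __init__(self, preload=PRELOAD, now=time.time):
        self.now = now                  # injectable clock so expiry can be tested
        self.preload = set(preload)
        self.entries = {}               # host -> (expiry_timestamp, include_subdomains)

    def record_header(self, host: str, header: str) -> None:
        """Store the policy from an STS header that arrived over HTTPS for host.
        (Browsers ignore the header when it is received over plain HTTP.)"""
        m = re.search(r"max-age\s*=\s*(\d+)", header, re.I)
        if not m:
            return                      # malformed header: no policy change
        max_age = int(m.group(1))
        if max_age == 0:
            self.entries.pop(host, None)   # max-age=0 tells the browser to forget
            return
        subs = re.search(r"\bincludeSubDomains\b", header, re.I) is not None
        self.entries[host] = (self.now() + max_age, subs)

    def is_known(self, host: str) -> bool:
        """True if host (or a parent with includeSubDomains) has a live policy."""
        if host in self.preload:
            return True
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, subs = entry
            if expiry > self.now() and (i == 0 or subs):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// internally, before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```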
HTTPS mixed content MITM
https://www.coresuite.com/checklistdesigner/
Why is HTTPS mixed content very dangerous in this case?
(FYI: it's a bad idea in all cases, don't do it.)
HTTPS mixed content
HTTPS safety
I'm using HTTPS, I'm always super-careful about the URL and the https lock icon. Am I safe, am I secure? :)
Sadly, history shows us that you are not.
HTTPS Safety
HTTPS is based on the concept of certificates issued by certificate authorities (Verisign, Microsoft, Symantec, etc).
A certificate exchange takes place whenever you access an https website (e.g. https://mail.google.com).
HTTPS Safety
The browser has to verify that the certificate it has received for https://www.google.com is a good one and not one sent by a MITM attacker.
It does this by checking which Certificate Authority has issued the certificate.

Unfortunately, in the past several Certificate Authorities have issued fake certificates for the purpose of MITM for www.google.com.
2011 - Comodo partner CA (used in Iran for massive surveillance)
2013 - French ministry of finance CA
HTTPS safety
Certificate Pinning
The Chrome browser doesn't accept certificates unless issued by the Google certificate authority, Microsoft, and a few others.
Unfortunately there's no way to pin your website's CA inside Chrome, unless you are a major website.