All about the Man in the Middle (MitM) attack


Man in the middle attack (MitM attack) is a term in cryptography that refers to a situation where an attacker is able to read and modify at will the messages exchanged between correspondents, and none of the latter can guess his presence in the channel.

A method of compromising a communication channel, in which an attacker, having connected to a channel between counterparties, actively interferes with the transmission protocol, deleting, distorting information or imposing false information.

Attack principle:

Suppose object "A" plans to transmit some information to object "B". Object "C" has knowledge about the structure and properties of the data transmission method used, as well as the fact of the planned transmission of the actual information that "C" plans to intercept.

To make an attack, "C" appears to object "A" as "B" and to object "B" as "A". Object "A", mistakenly believing that it is sending information to "B", sends it to object "C".

Object "C", having received information and having performed some actions with it (for example, copying or modifying it for its own purposes), sends the data to the recipient itself - "B"; object "B", in turn, believes that the information was received directly from "A".

Example of a MitM attack:

Let's say Alice is having financial problems and, using an instant messaging program, decides to ask John for a sum of money by sending the message:
Alice: John, hi!
Alice: Please send me the encryption key, I have a small request!
John: Hello! Wait a second!

But at this time Mr. X, who was analyzing the traffic with a sniffer, noticed this message, and the words “encryption key” aroused his curiosity. That's why he decided to intercept the following messages and replace them with the data he needed, and when he received the following message:
John: Here is my key: 1111_D

He changed John's key to his own, and sent a message to Alice:
John: Here is my key: 6666_M

Alice, unaware and thinking it is John's key, using the private key 6666_M, sends encrypted messages to John:
Alice: John, I have problems and I urgently need money, please transfer $300 to my account: Z12345. Thank you. p.s. My key: 2222_A

Having received the message, Mr. X decrypts it using his key, reads it, and, rejoicing, changes Alice’s account number and encryption key to his own, encrypts the message with the key 1111_D, and sends John a message:
Alice: John, I have problems and I urgently need money, please transfer $300 to my account: Z67890. Thank you. p.s. My key: 6666_A

After receiving the message, John decrypts it using the key 1111_D, and without even hesitating, will transfer money to the account Z67890...

And thus, Mr. X, using the man-in-the-middle attack, earned $300, but Alice will now have to explain that she did not receive the money... And John? John must prove to Alice that he sent them...

Implementation:

This type of attack is used in some software products for network eavesdropping, for example:
NetStumbler - a program with which you can collect a lot of useful data about a wireless network and solve some problems associated with its operation. NetStumbler allows you to determine the range of your network and helps you accurately point your antenna for long-distance communications. For each access point found, you can find out the MAC address, signal-to-noise ratio, name of the service and the degree of its security. If the traffic is not encrypted, then the program's ability to detect unauthorized connections will be useful.

dsniff - a set of programs for network auditing and penetration testing, providing passive network monitoring to search for data of interest (passwords, email addresses, files, etc.), intercepting network traffic that would normally be inaccessible for analysis (for example, in a switched network), as well as the ability to organize MITM attacks to intercept SSH and HTTPS sessions by exploiting PKI flaws.

Cain & Abel - a free program that allows you to recover lost passwords for operating systems of the Windows family. Several recovery modes are supported: brute force hacking, dictionary selection, viewing passwords hidden by asterisks, etc. There are also options for identifying the password by intercepting information packets and their subsequent analysis, recording network conversations, cache analysis, and others.

Ettercap - a sniffer, packet interceptor and recorder for local Ethernet networks, which supports active and passive analysis of multiple protocols, and it is also possible to “throw” your own data into an existing connection and filter “on the fly” without disrupting connection synchronization. The program allows you to intercept SSH1, HTTPS and other secure protocols and provides the ability to decrypt passwords for the following protocols: TELNET, ftp, POP, RLOGIN, SSH1, icq, SMB, Mysql, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG.

KARMA – a set of utilities for assessing the security of wireless clients, is a wireless sniffer that, by passively listening to 802.11 Probe Request frames, allows you to detect clients and their preferred/trusted networks. A fake access point can then be created for one of the requested networks, to which it can be automatically connected. High-level fake services can be used to steal personal data or exploit client vulnerabilities on the host.

AirJack - a set of programs that, according to experts in the field of WiFi hacking, is the best tool for generating various 802.11 frames. AirJack includes a number of utilities designed to detect a hidden ESSID, send session termination frames with a fake MAC, conduct MitM attacks and modify it.

Counteraction:

To avoid attacks of this type, subscribers “A” and “B” only need to transfer digital signatures of public encryption keys to each other using a reliable channel. Then, when comparing key signatures in encryption sessions, it will be possible to determine which key was used to encrypt the data, and whether the keys have been replaced.
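The countermeasure above, applied to the Alice and John exchange, as an added example that is not part of the original article: each side accepts a key from the network only if its fingerprint matches the one received over the reliable channel. The toy Diffie-Hellman group, the function names and the use of a SHA-256 fingerprint in place of a full digital signature are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, for illustration only (assumption: far too small
# for real use; real systems use standardized groups or elliptic curves).
P = 2**127 - 1  # a Mersenne prime
G = 3


def keypair():
    """Return (private, public) for the toy group."""
    private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)


def fingerprint(public_key: int) -> str:
    """SHA-256 over the fixed-width encoding of a public key."""
    return hashlib.sha256(public_key.to_bytes(16, "big")).hexdigest()


def verify_key(received_key: int, trusted_fingerprint: str) -> bool:
    """Accept a key from the network only if it matches the fingerprint
    that was obtained over the reliable channel."""
    return hmac.compare_digest(fingerprint(received_key), trusted_fingerprint)


def run_exchange(substitute_keys: bool) -> dict:
    """Simulate one key exchange between Alice and John.

    substitute_keys=True models the situation from the example above:
    the keys on the untrusted channel are replaced by a third party's key.
    """
    alice_private, alice_public = keypair()
    john_private, john_public = keypair()

    # Reliable channel (assumed: in person, by phone, on a printed card).
    trusted_fp_alice = fingerprint(alice_public)
    trusted_fp_john = fingerprint(john_public)

    # Untrusted channel: what each side actually receives.
    key_seen_by_alice = john_public
    key_seen_by_john = alice_public
    if substitute_keys:
        _, x_public = keypair()
        key_seen_by_alice = x_public
        key_seen_by_john = x_public

    alice_accepts = verify_key(key_seen_by_alice, trusted_fp_john)
    john_accepts = verify_key(key_seen_by_john, trusted_fp_alice)

    # A session key is derived only when both sides verified the peer key.
    session_keys_match = None
    if alice_accepts and john_accepts:
        session_keys_match = (
            pow(key_seen_by_alice, alice_private, P)
            == pow(key_seen_by_john, john_private, P)
        )

    return {
        "alice_accepts": alice_accepts,
        "john_accepts": john_accepts,
        "session_keys_match": session_keys_match,
    }


if __name__ == "__main__":
    print("clean channel:   ", run_exchange(substitute_keys=False))
    print("substituted keys:", run_exchange(substitute_keys=True))
```

The check only helps if the fingerprints really travel over a channel the interceptor does not control; fingerprints sent over the same connection as the keys can be replaced along with them.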

10/18/2016 | Vladimir Khazov

The plans of the FSB, the Ministry of Telecom and Mass Communications and the Ministry of Industry and Trade to implement the provisions of the Yarovaya Law regarding the interception and decryption of correspondence of Russians are no longer just plans, but are already beginning to be put into action by an order for the preparation of an expert opinion on the possibility of intercepting WhatsApp, Viber, Facebook Messenger, Telegram, Skype messages using MITM attacks and demonstration of a prototype of such a tool.

We wrote about the scheme for organizing a “legitimate” MITM attack in a previous article. Today we will dwell in more detail on the very principle of such an attack and the methods of its implementation.

What is a MITM attack

Man In The Middle (MITM) translates as “man in the middle.” This term refers to a network attack where an attacker is between the Internet user and the application that he is accessing. Not physically, of course, but with the help of special software. It presents itself to the user as the requested application (this could be a website or an Internet service), simulates working with it, and does this in such a way as to give the impression of normal operation and exchange of information.

The target of the attack is the user's personal data, such as login credentials for various systems, bank details and card numbers, personal correspondence and other confidential information. In most cases, financial applications (bank clients, online banks, payment and money transfer services), company SaaS services, e-commerce sites (online stores) and other sites where authorization is required to log into the system are attacked.

The information that an attacker obtains can be used for a variety of purposes, including illegal money transfers, changing accounts, intercepting personal correspondence, making purchases at someone else's expense, compromising and blackmailing.

In addition, after stealing credentials and hacking a system, criminals can install malicious software on a corporate network to steal intellectual property (patents, designs, databases) and cause economic damage by deleting important data.

A MITM attack can be compared to a postman who, while delivering your correspondence, opens a letter, rewrites its contents for personal use, or even falsifies the handwriting, adds something of his own, and then seals the envelope and delivers it to the addressee as if nothing had happened. Moreover, if you have encrypted the text of the letter, and want to communicate the decryption code personally to the addressee, the postman will introduce himself as the addressee in such a way that you will not even notice the substitution.

How a MITM attack is carried out

Executing a MITM attack consists of two phases: interception and decryption.

  • Interception

The first stage of the attack is to intercept traffic from the user to the intended target and direct it into the attacker's network.

The most common and easiest way to intercept is a passive attack, when an attacker creates Wi-Fi points with free access (without a password or authorization). The moment a user connects to such a point, the attacker gains access to all traffic passing through it and can extract any data from it for interception.

The second method is active interception, which can be carried out in one of the following ways:

IP spoofing – replacing the target’s IP address in the packet header with the attacker’s address. As a result, users, instead of visiting the requested URL, end up on the attacker’s website.

ARP spoofing – substitution of the host’s real MAC address for the attacker’s address in the victim’s ARP table. As a result, data sent by the user to the IP address of the required node ends up at the attacker's address.

DNS spoofing – infection of the DNS cache, penetration of the DNS server and spoofing of the website address matching record. As a result, the user tries to access the requested site, but receives the address of the attacker’s site from the DNS server.

  • Decryption

Once intercepted, two-way SSL traffic must be decrypted in such a way that the user and the resource he is requesting do not notice the interference.

There are several methods for this:

HTTPS spoofing – a fake certificate is sent to the victim’s browser when a connection to the site is established via the HTTPS protocol. This certificate contains a digital signature of the compromised application, due to which the browser accepts the connection with the attacker as reliable. Once such a connection is established, the attacker gains access to any data entered by the victim before it is transmitted to the application.

SSL BEAST (browser exploit against SSL/TLS) – the attack exploits the SSL vulnerability in TLS versions 1.0 and 1.2. The victim's computer is infected with malicious JavaScript, which intercepts encrypted cookies sent to the web application. This compromises the "ciphertext block chaining" encryption mode such that the attacker obtains the decrypted cookies and authentication keys.

SSL hijacking – transfer of fake authentication keys to the user and application at the start of a TCP session. This creates the appearance of a secure connection when in fact the session is controlled by a “man in the middle.”

SSL stripping – downgrades the connection from secure HTTPS to plain HTTP by intercepting the TLS authentication sent by the application to the user. The attacker provides the user with unencrypted access to the site, while he maintains a secure session with the application, gaining the ability to see the victim’s transmitted data.

Protection against MITM attacks

Reliable protection against MITM attacks is possible if the user takes several preventive actions and web application developers use a combination of encryption and authentication methods.

User actions:

  • Avoid connecting to Wi-Fi points that do not have password protection. Disable the function of automatically connecting to known access points - an attacker can disguise his Wi-Fi as legitimate.
  • Pay attention to the browser notification about going to an unsecured site. Such a message may indicate a transition to a fake website of an attacker or problems with the protection of a legitimate website.
  • End the session with the application (logout) if it is not in use.
  • Do not use public networks (cafes, parks, hotels, etc.) to conduct confidential transactions (business correspondence, financial transactions, purchases in online stores, etc.).
  • Use an antivirus with up-to-date databases on your computer or laptop; it will help protect against attacks using malicious software.

Developers of web applications and websites must use secure TLS and HTTPS protocols, which greatly complicate spoofing attacks by encrypting transmitted data. Their use also prevents traffic interception in order to obtain authorization parameters and access keys.

It is considered good practice to protect with TLS and HTTPS not only the authorization pages, but also all other sections of the site. This reduces the chance of an attacker stealing the user's cookies at the moment when he navigates through unprotected pages after authorization.

Protection against MITM attacks is the responsibility of the user and the telecom operator. The most important thing for the user is not to lose vigilance, use only proven methods of accessing the Internet, and choose sites with HTTPS encryption when transferring personal data. Telecom operators can be recommended to use Deep Packet Inspection (DPI) systems to detect anomalies in data networks and prevent spoofing attacks.

Government agencies plan to use the MITM attack to protect citizens, not to cause damage, unlike attackers. The interception of personal messages and other user traffic is carried out within the framework of current legislation, carried out by decision of the judicial authorities to combat terrorism, drug trafficking and other prohibited activities. For ordinary users, “legitimate” MITM attacks do not pose a threat.



Wikimedia Foundation. 2010.


In this article, we will try to understand the theory of man-in-the-middle attacks and some practical points that will help prevent these types of attacks. This will help us understand the risk that such intrusions pose to our privacy, since MitM attacks allow us to intrude on communications and eavesdrop on our conversations.

Understanding how the Internet works

To understand the principle of a man-in-the-middle attack, it is worth first understanding how the Internet itself works. Main points of interaction: clients, routers, servers. The most common communication protocol between client and server is Hypertext Transfer Protocol (HTTP). Surfing the Internet using a browser, email, instant messaging - all this is done via HTTP.

When you type in your browser's address bar, the client (you) sends a request to the server to display a web page. The packet (HTTP GET request) is transmitted through several routers to the server. The server then responds with a web page, which is sent to the client and displayed on its monitor. HTTP messages must be transmitted securely to ensure confidentiality and anonymity.

Figure 1. Client-server interaction

Securing the Communication Protocol

A secure communication protocol must have each of the following properties:

  1. Privacy - only the intended recipient can read the message.
  2. Authenticity - the identity of the interacting parties has been proven.
  3. Integrity - confirmation that the message was not modified in transit.

If any of these rules are not followed, the entire protocol is compromised.

Man-in-the-middle attack via HTTP protocol

An attacker can easily carry out a man-in-the-middle attack using a technique called ARP spoofing. Anyone on your Wi-Fi network can send you a spoofed ARP packet, causing you to unknowingly send all your traffic through the attacker instead of your router.

After this, the attacker has full control over the traffic and can monitor requests sent in both directions.

Figure 2. Man-in-the-middle attack pattern


To prevent such attacks, a secure version of the HTTP protocol was created. Transport Layer Security (TLS) and its predecessor, Secure Socket Layer (SSL), are cryptographic protocols that provide security for data transmission over a network. Therefore, the secure protocol will be called HTTPS. You can see how the secure protocol works by typing in your browser's address bar (note the S in https).

Man-in-the-Middle Attack on Poorly Implemented SSL

Modern SSL uses a good encryption algorithm, but that doesn't matter if it's not implemented correctly. If a hacker can intercept the request, they can modify it by removing the "S" from the requested URL, thereby bypassing SSL.

Such interception and modification of the request can be noticed. For example, if you request https://login.yahoo.com/ and the response is http://login.yahoo.com/ , this should raise suspicions. At the time of writing, this attack actually works on the Yahoo email service.

Figure 3. Request interception and modification


To prevent such an attack, servers can implement HTTP Strict Transport Security (HSTS), a mechanism that enables a forced secure connection over the HTTPS protocol. In this case, if an attacker modifies the request by removing “S” from the URL, the server will still redirect the user with a 302 redirect to a page with a secure protocol.

Figure 4. HSTS operation diagram


This way of implementing SSL is vulnerable to another type of attack - the attacker creates an SSL connection to the server, but uses various tricks to force the user to use HTTP.

Figure 5. HSTS attack pattern


To prevent such attacks, modern browsers like Chrome, Firefox and Tor monitor sites using HSTS and force a client-side connection to them via SSL. In this case, the attacker conducting a man-in-the-middle attack would have to create an SSL connection with the victim.

Figure 6. Attack pattern where the attacker establishes an SSL connection with the victim


In order to provide an SSL connection to a user, an attacker must know how to act as a server. Let's understand the technical aspects of SSL.

Understanding SSL

From a hacker's point of view, compromising any communication protocol comes down to finding the weak link among the components listed above (privacy, authenticity and integrity).

SSL uses an asymmetric encryption algorithm. The problem with symmetric encryption is that the same key is used to encrypt and decrypt data; this approach is not valid for Internet protocols because an attacker can trace this key.

Asymmetric encryption includes 2 keys for each side: a public key used for encryption, and a private key used to decrypt the data.

Figure 7. Public and private keys work

How does SSL provide the three properties needed for secure communications?

  1. Because asymmetric cryptography is used to encrypt data, SSL provides a private connection. This encryption is not that easy to break and remain undetected.
  2. The server confirms its legitimacy by sending the client an SSL certificate issued by a certificate authority - a trusted third party.

If an attacker somehow manages to obtain the certificate, they could open the door to a man-in-the-middle attack. Thus, it will create 2 connections - with the server and with the victim. The server in this case thinks that the attacker is an ordinary client, and the victim has no way to identify the attacker, since he provided a certificate proving that he is the server.

Your messages leave and arrive in encrypted form, but follow a chain through the cybercriminal's computer, where he has complete control.

Figure 8. Attack pattern if the attacker has a certificate


The certificate does not need to be forged if an attacker has the ability to compromise the victim's browser. In this case, he can insert a self-signed certificate, which will be trusted by default. This is how most man-in-the-middle attacks are carried out. In more complex cases, the hacker must take a different route - forge the certificate.

Certificate Authority Problems

The certificate sent by the server was issued and signed by a certification authority. Each browser has a list of trusted certificate authorities and you can add or remove them. The problem here is that if you decide to remove large authorities, you will not be able to visit sites that use certificates signed by those authorities.

Certificates and certificate authorities have always been the weakest link in an HTTPS connection. Even if everything was implemented correctly and each certificate authority has a solid authority, it is still difficult to come to terms with the fact that you have to trust many third parties.

Today there are more than 650 organizations capable of issuing certificates. If an attacker were to hack any of them, he would get whatever certificates he wanted.

Even when there was only one certificate authority, VeriSign, there was a problem - people who were supposed to prevent man-in-the-middle attacks were selling interception services.

Also, many certificates were created due to hacking of certificate authorities. Various techniques and tricks have been used to trick the targeted user into trusting fraudulent certificates.

Forensics

Because the attacker sends spoofed ARP packets, the attacker's IP address cannot be seen. Instead, you need to pay attention to the MAC address, which is specific to each device on the network. If you know your router's MAC address, you can compare it with the default gateway's MAC address to find out if it's really your router or an attacker.

For example, on Windows, you can use the ipconfig command in the Command Prompt (CMD) to see your default gateway IP address (last line):

Figure 9. Using the ipconfig command


Then use the arp -a command to find out the MAC address of this gateway:

Figure 10. Using the arp -a command


But there is another way to notice the attack: if you were monitoring network activity at the time it started and watching the ARP packets. For example, you can use Wireshark for this purpose; this program will notify you if the MAC address of the default gateway has changed.

Note: If the attacker correctly spoofs MAC addresses, tracking him will become a big problem.
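The gateway comparison described in this section can be automated. The following is an added example, not part of the original article: it parses Windows `arp -a` output, compares the gateway's MAC address with a known-good value, and also flags another IP address that resolves to the same MAC as the gateway. The sample tables, addresses and function names are constructed for illustration.

```python
import re

# One table row of Windows `arp -a`: IP address, MAC with dashes, entry type.
ARP_ROW = re.compile(
    r"^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+"
    r"((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})[ \t]+(\w+)[ \t]*\r?$",
    re.MULTILINE,
)

# Constructed sample output: a normal table and one where the gateway entry
# has been replaced (both tables are made up for this example).
CLEAN_ARP = """
Interface: 192.168.1.34 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.20          3c-52-82-10-20-30     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

SPOOFED_ARP = """
Interface: 192.168.1.34 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           08-00-27-aa-bb-cc     dynamic
  192.168.1.20          3c-52-82-10-20-30     dynamic
  192.168.1.57          08-00-27-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so different notations compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text: str) -> dict:
    """Return {ip: mac} for dynamic entries (static broadcast and multicast
    rows are skipped because they are not learned from the network)."""
    entries = {}
    for ip, mac, kind in ARP_ROW.findall(text):
        if kind.lower() == "dynamic":
            entries[ip] = normalize_mac(mac)
    return entries


def check_gateway(entries: dict, gateway_ip: str, known_gateway_mac: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    known = normalize_mac(known_gateway_mac)
    seen = entries.get(gateway_ip)
    if seen is None:
        return [f"no ARP entry for gateway {gateway_ip}"]
    if seen != known:
        findings.append(
            f"gateway {gateway_ip} resolves to {seen}, expected {known}"
        )
    # One MAC answering for the gateway and for another host is a typical
    # sign that a host on the LAN is impersonating the gateway.
    sharing = sorted(
        ip for ip, mac in entries.items() if mac == seen and ip != gateway_ip
    )
    if sharing:
        findings.append(f"MAC {seen} also answers for {', '.join(sharing)}")
    return findings


if __name__ == "__main__":
    for name, text in (("clean", CLEAN_ARP), ("spoofed", SPOOFED_ARP)):
        result = check_gateway(
            parse_arp_table(text), "192.168.1.1", "00-1A-2B-3C-4D-5E"
        )
        print(name, result or "OK")
```

As the note above says, a spoofed entry that copies the router's real MAC address passes the first check, which is why the known-good value should be recorded while the network is trusted and the table re-checked regularly.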

Conclusion

SSL is a protocol that forces an attacker to do a lot of work to carry out an attack. But it won't protect you from state-sponsored attacks or from skilled hacking organizations.

The user's job is to protect their browser and computer to prevent a fake certificate from being inserted (a very common technique). It is also worth paying attention to the list of trusted certificates and removing those that you do not trust.

In which an attacker, having connected to a channel between counterparties, interferes with the transmission protocol, deleting or distorting information.

Attack principle

The attack usually begins with eavesdropping on the communication channel and ends with the cryptanalyst trying to replace the intercepted message, extract useful information from it, and redirect it to some external resource.

Suppose object A plans to transmit some information to object B. Object C has knowledge about the structure and properties of the data transmission method used, as well as the fact of the planned transmission of the actual information that C plans to intercept. To carry out an attack, C “appears” to object A as B, and to object B as A. Object A, mistakenly believing that it is sending information to B, sends it to object C. Object C, having received the information and performed some actions with it (for example, copying or modifying it for its own purposes), forwards the data to the recipient itself - B; object B, in turn, believes that the information was received directly from A.

Example attack

Injection of malicious code

A man-in-the-middle attack allows a cryptanalyst to insert code into emails, SQL statements, and web pages (i.e., allowing SQL injection, HTML/script injection, or XSS attacks), and even modify user-uploaded binaries to gain access to a user's account or change the behavior of a program downloaded by the user from the Internet.

Downgrade Attack

The term “Downgrade Attack” refers to an attack in which a cryptanalyst forces the user to use less secure functions, protocols that are still supported for compatibility reasons. This type of attack can be carried out on the SSH, IPsec and PPTP protocols.

To protect against a Downgrade Attack, insecure protocols must be disabled on at least one side; simply supporting and using secure protocols by default is not enough!

SSH V1 instead of SSH V2

An attacker may try to change the connection parameters between the server and the client when a connection is established between them. According to a talk given at the Blackhat Conference Europe 2003, a cryptanalyst can "force" a client to start a SSH1 session instead of SSH2 by changing the version number "1.99" for the SSH session to "1.51", which means using SSH V1. The SSH-1 protocol has vulnerabilities that can be exploited by a cryptanalyst.
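The rule that the insecure protocol must be disabled on at least one side can be checked from the SSH identification string. The following is an added example, not part of the original article: it parses the banner format defined in RFC 4253 (where "1.99" marks a server with SSH-1 compatibility enabled), shows that a client refusing SSH-1 does not fall back when the version is rewritten as in the talk cited above, and lists servers that still accept SSH-1. The host names, banners and function names are constructed for illustration.

```python
import re

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER = re.compile(r"^SSH-(\d+\.\d+)-([^\s-]+)(?: (.*))?$")

# Constructed sample of banners collected from an inventory scan.
SAMPLE_BANNERS = {
    "bastion.example": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "legacy-gw.example": "SSH-1.99-OpenSSH_3.4p1",
    "old-switch.example": "SSH-1.5-1.2.27",
    "broken.example": "220 mail.example ESMTP",
}


def protocol_version(banner: str):
    """Return the protoversion field ('2.0', '1.99', ...) or None if the
    line is not an SSH identification string."""
    match = BANNER.match(banner.rstrip("\r\n"))
    return match.group(1) if match else None


def negotiated_protocol(banner_as_received: str, client_allows_ssh1: bool):
    """Protocol a client ends up speaking for the banner it received.

    Returns 2, 1, or None when the client refuses the connection.
    '1.99' is treated like '2.0' by an SSH-2 client, as RFC 4253 requires.
    """
    version = protocol_version(banner_as_received)
    if version in ("2.0", "1.99"):
        return 2
    if version is not None and version.startswith("1."):
        return 1 if client_allows_ssh1 else None
    return None


def servers_accepting_ssh1(banners: dict) -> list:
    """Hosts whose banner shows SSH-1 is still enabled ('1.x', incl. '1.99')."""
    flagged = []
    for host, banner in banners.items():
        version = protocol_version(banner)
        if version is not None and version.startswith("1."):
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    sent = "SSH-1.99-OpenSSH_3.4p1"      # what the server sent
    received = "SSH-1.51-OpenSSH_3.4p1"  # version field rewritten in transit
    print("untouched banner, legacy client:", negotiated_protocol(sent, True))
    print("rewritten banner, legacy client:", negotiated_protocol(received, True))
    print("rewritten banner, SSH-2-only client:", negotiated_protocol(received, False))
    print("servers to fix:", servers_accepting_ssh1(SAMPLE_BANNERS))
```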

IPsec

In this attack scenario, the cryptanalyst misleads his victim into thinking that the IPsec session cannot begin at the other end (server). This results in messages being forwarded explicitly if the host machine is running in rollback mode.

PPTP

At the stage of negotiating PPTP session parameters, the attacker can force the victim to use less secure PAP authentication, MSCHAP V1 (that is, “roll back” from MSCHAP V2 to version 1), or not use encryption at all.

The attacker can force his victim to repeat the stage of negotiating the parameters of the PPTP session (send a Terminate-Ack packet), steal the password from the existing tunnel and repeat the attack.

Public communications without protecting the accuracy, confidentiality, availability and integrity of information

The most common means of communication for this group are a social network, a public email service and an instant messaging system. The owner of the resource providing the communications service has full control over the information exchanged between correspondents and, at his own discretion, can freely carry out an attack at any time.

Unlike previous scenarios based on technical and technological aspects of communications, in this case the attack is based on mental aspects, namely on ingraining in the minds of users the concept of ignoring information security requirements.

Will encryption help?

Let's consider the case of a standard HTTP transaction. In this case, an attacker can quite easily split the original TCP connection into two new ones: one between himself and the client, the other between himself and the server. This is quite easy to do, since very rarely the connection between client and server is direct, and in most cases they are connected through a number of intermediate servers. A MITM attack can be carried out on any of these servers.

However, if the client and server communicate using HTTPS, a protocol that supports encryption, a man-in-the-middle attack can also be carried out. This type of connection uses TLS or SSL to encrypt requests, which would seem to make the channel protected from sniffing and MITM attacks. An attacker can create two independent SSL sessions for each TCP connection. The client establishes an SSL connection with the attacker, who in turn creates a connection with the server. In such cases, the browser usually warns that the certificate is not signed by a trusted certification authority, but ordinary users of outdated browsers can easily bypass this warning. In addition, the attacker may have a certificate signed by the root certification authority (for example, such certificates are sometimes used for DLP), which does not generate warnings. Additionally, there are a number of attacks against HTTPS. Thus, the HTTPS protocol cannot be considered protected from MITM attacks for ordinary users. There are a number of measures that prevent some MITM attacks on HTTPS sites, in particular, HSTS, which prohibits the use of HTTP connections from sites, and Certificate pinning and HTTP Public Key Pinning, which prohibit certificate substitution.

MITM attack detection

To detect a man-in-the-middle attack, you need to analyze network traffic. For example, to detect an SSL attack, you should pay attention to the following parameters:

  • Server IP address
  • DNS server
  • X.509 - server certificate
    • Is the certificate self-signed?
    • Is the certificate signed by a certification authority?
    • Has the certificate been revoked?
    • Has the certificate changed recently?
    • Have other clients on the Internet received the same certificate?

MITM attack implementations

The listed programs can be used to carry out man-in-the-middle attacks, as well as to detect them and test the system for vulnerabilities.

See also

  • Aspidistra - British radio transmitter used during the Second World War "invasion", a variant of the MITM attack.
  • The Babington Plot - a conspiracy against Elizabeth I, during which Walsingham intercepted correspondence.

Other attacks

  • “Man in the Browser” is a type of attack in which the attacker is able to instantly change transaction parameters and change pages completely transparent to the victim.
  • Meet-in-the-middle attack is a cryptographic attack that, like the birthday attack, exploits a trade-off between time and memory.
  • “Miss in the middle attack” is an effective method of the so-called impossible differential cryptanalysis.
  • Relay attack is a variant of a MITM attack based on forwarding an intercepted message to a valid recipient, but not to the one for whom the message was intended.
  • A rootkit is a program designed to hide traces of an attacker's presence.

The officer approached Makar Alekseich and grabbed him by the collar.
Makar Alekseich, his lips parted, as if falling asleep, swayed, leaning against the wall.
“Brigand, tu me la payeras,” said the Frenchman, removing his hand.
– Nous autres nous sommes clements apres la victoire: mais nous ne pardonnons pas aux traitres, [Robber, you will pay me for this. Our brother is merciful after victory, but we do not forgive traitors,” he added with gloomy solemnity in his face and with a beautiful energetic gesture.
Pierre continued in French to persuade the officer not to punish this drunken, insane man. The Frenchman listened silently, without changing his gloomy appearance, and suddenly turned to Pierre with a smile. He looked at him silently for several seconds. His handsome face took on a tragically tender expression, and he extended his hand.
“Vous m"avez sauve la vie! Vous etes Francais, [You saved my life. You are a Frenchman," he said. For a Frenchman, this conclusion was undeniable. Only a Frenchman could accomplish a great deed, and saving his life, m r Ramball "I capitaine du 13 me leger [Monsieur Rambal, captain of the 13th light regiment] - was, without a doubt, the greatest thing.
But no matter how undoubted this conclusion and the officer’s conviction based on it were, Pierre considered it necessary to disappoint him.
“Je suis Russe, [I am Russian,”] Pierre said quickly.
“Ti ti ti, a d"autres, [tell this to others," said the Frenchman, waving his finger in front of his nose and smiling. "Tout a l"heure vous allez me conter tout ca," he said. – Charme de rencontrer un compatriote. Eh bien! qu"allons nous faire de cet homme? [Now you'll tell me all this. It's very nice to meet a compatriot. Well! What should we do with this man?] - he added, addressing Pierre as if he were his brother. Even if Pierre was not a Frenchman, having once received this highest title in the world, he could not renounce it, said the expression on the face and tone of the French officer. To the last question, Pierre once again explained who Makar Alekseich was, explained that just before their arrival this a drunken, crazy man stole a loaded pistol, which they did not have time to take away from him, and asked that his act be left unpunished.
The Frenchman stuck out his chest and made a royal gesture with his hand.
– Vous m"avez sauve la vie. Vous etes Francais. Vous me demandez sa grace? Je vous l"accorde. Qu"on emmene cet homme, [You saved my life. You are a Frenchman. Do you want me to forgive him? I forgive him. Take this man away," the French officer said quickly and energetically, taking the hand of the one who had earned him for saving his life into the French Pierre, and went with him to the house.
The soldiers who were in the yard, hearing the shot, entered the vestibule, asking what had happened and expressing their readiness to punish those responsible; but the officer strictly stopped them.
“On vous demandera quand on aura besoin de vous,” he said. The soldiers left. The orderly, who had meanwhile managed to be in the kitchen, approached the officer.
“Capitaine, ils ont de la soupe et du gigot de mouton dans la cuisine,” he said. - Faut il vous l "apporter? [Captain, they have soup and fried lamb in the kitchen. Would you like to bring it?]
“Oui, et le vin, [Yes, and wine,”] said the captain.

The French officer and Pierre entered the house. Pierre considered it his duty to again assure the captain that he was not a Frenchman and wanted to leave, but the French officer did not want to hear about it. He was so polite, kind, good-natured and truly grateful for saving his life that Pierre did not have the spirit to refuse him and sat down with him in the hall, in the first room they entered. In response to Pierre's assertion that he was not a Frenchman, the captain, obviously not understanding how one could refuse such a flattering title, shrugged his shoulders and said that if he certainly wanted to pass for a Russian, then let it be so, but that he, despite then, everyone is still forever connected with him with a feeling of gratitude for saving his life.
If this man had been gifted with at least some ability to understand the feelings of others and had guessed about Pierre’s feelings, Pierre would probably have left him; but this man’s animated impenetrability to everything that was not himself defeated Pierre.
“Francais ou prince russe incognito, [Frenchman or Russian prince incognito," said the Frenchman, looking at Pierre’s dirty but thin underwear and the ring on his hand. – Je vous dois la vie je vous offre mon amitie. Un Francais n "oublie jamais ni une insulte ni un service. Je vous offre mon amitie. Je ne vous dis que ca. [I owe you my life, and I offer you friendship. The Frenchman never forgets either insult or service. I offer my friendship to you. I say nothing more.]
There was so much good nature and nobility (in the French sense) in the sounds of the voice, in the facial expression, in the gestures of this officer that Pierre, responding with an unconscious smile to the Frenchman’s smile, shook the outstretched hand.
- Capitaine Ramball du treizieme leger, decore pour l "affaire du Sept, [Captain Ramball, thirteenth light regiment, Chevalier of the Legion of Honor for the cause of the seventh of September," he introduced himself with a smug, uncontrollable smile that wrinkled his lips under his mustache. - Voudrez vous bien me dire a present, a qui" j"ai l"honneur de parler aussi agreablement au lieu de rester a l"ambulance avec la balle de ce fou dans le corps. [Will you be so kind as to tell me now who I am with I have the honor of talking so pleasantly, instead of being at a dressing station with a bullet from this madman in my body?]
Pierre replied that he could not say his name, and, blushing, began, trying to invent a name, to talk about the reasons why he could not say this, but the Frenchman hastily interrupted him.
“De grace,” he said. – Je comprends vos raisons, vous etes officier... officier superieur, peut être. Vous avez porte les armes contre nous. Ce n"est pas mon affaire. Je vous dois la vie. Cela me suffit. Je suis tout a vous. Vous etes gentilhomme? [To be complete, please. I understand you, you are an officer... a staff officer, perhaps. You served against us . This is not my business. I owe you my life. This is enough for me, and I am all yours. Are you a nobleman?] - he added with a hint of a question. Pierre bowed his head. - Votre nom de bapteme, s"il vous plait? Je ne demande pas davantage. Monsieur Pierre, dites vous... Parfait. C "est tout ce que je desire savoir. [Your name? I don’t ask anything else. Monsieur Pierre, did you say? Great. That’s all I need.]
When fried lamb, scrambled eggs, a samovar, vodka and wine from the Russian cellar, which the French had brought with them, were brought, Rambal asked Pierre to take part in this dinner and immediately, greedily and quickly, like a healthy and hungry person, began to eat, quickly chewing with his strong teeth, constantly smacking his lips and saying excellent, exquis! [wonderful, excellent!] His face was flushed and covered with sweat. Pierre was hungry and gladly took part in the dinner. Morel, the orderly, brought a saucepan with warm water and put a bottle of red wine in it. In addition, he brought a bottle of kvass, which he took from the kitchen for testing. This drink was already known to the French and received its name. They called kvass limonade de cochon (pork lemonade), and Morel praised this limonade de cochon, which he found in the kitchen. But since the captain had wine obtained during the passage through Moscow, he provided kvass to Morel and took up a bottle of Bordeaux. He wrapped the bottle up to the neck in a napkin and poured himself and Pierre some wine. Satisfied hunger and wine revived the captain even more, and he talked incessantly during dinner.
- Oui, mon cher monsieur Pierre, je vous dois une fiere chandelle de m"avoir sauve... de cet enrage... J"en ai assez, voyez vous, de balles dans le corps. En voila une (he pointed to his side) a Wagram et de deux a Smolensk,” he showed the scar that was on his cheek. - Et cette jambe, comme vous voyez, qui ne veut pas marcher. C"est a la grande bataille du 7 a la Moskowa que j"ai recu ca. Sacre dieu, c"etait beau. Il fallait voir ca, c"etait un deluge de feu. Vous nous avez taille une rude besogne; vous pouvez vous en vanter, nom d"un petit bonhomme. Et, ma parole, malgre l"atoux que j"y ai gagne, je serais pret a recommencer. Je plains ceux qui n"ont pas vu ca. [Yes, my dear Mr. Pierre, I am obliged to light a good candle for you because you saved me from this madman. You see, I've had enough of the bullets that are in my body. Here is one near Wagram, the other near Smolensk. And this leg, you see, doesn’t want to move. This was during the big battle of the 7th near Moscow. ABOUT! it was wonderful! You should have seen it was a flood of fire. You gave us a difficult job, you can boast about it. And by God, despite this trump card (he pointed to the cross), I would be ready to start all over again. I feel sorry for those who did not see this.]
“J"y ai ete, [I was there],” said Pierre.
- Bah, vraiment! “Eh bien, tant mieux,” said the Frenchman. – Vous etes de fiers ennemis, tout de meme. La grande redoute a ete tenace, nom d"une pipe. Et vous nous l"avez fait cranement payer. J"y suis alle trois fois, tel que vous me voyez. Trois fois nous etions sur les canons et trois fois on nous a culbute et comme des capucins de cartes. Oh!! c"etait beau, Monsieur Pierre. Vos grenadiers ont ete superbes, tonnerre de Dieu. Je les ai vu six fois de suite serrer les rangs, et marcher comme a une revue. Les beaux hommes! Notre roi de Naples, qui s"y connait a crie: bravo! Ah, ah! soldat comme nous autres! - he said, smiling, after a moment of silence. - Tant mieux, tant mieux, monsieur Pierre. Terribles en bataille... galants... - he winked with a smile, - avec les belles, voila les Francais, monsieur Pierre, n "est ce pas? [Bah, really? All the better. You are fierce enemies, I must admit. The big redoubt held up well, damn it. And you made us pay dearly. I've been there three times, as you can see me. Three times we were on the guns, three times we were knocked over like card soldiers. Your grenadiers were magnificent, by God. I saw how their ranks closed six times and how they marched out like a parade. Wonderful people! Our Neapolitan king, who ate the dog in these matters, shouted to them: bravo! - Ha, ha, so you are our brother soldier! - So much the better, so much the better, Mr. Pierre. Terrible in battle, kind to beauties, these are the French, Mr. Pierre. Is not it?]
The captain was so naively and good-naturedly cheerful, whole-hearted, and pleased with himself that Pierre almost winked himself, looking at him cheerfully. Probably the word “galant” made the captain think about the situation in Moscow.







2024 gtavrl.ru.