Man in the middle download the program. Terms

Youtube

10/18/2016 | Vladimir Khazov

The plans of the FSB, the Ministry of Telecom and Mass Communications and the Ministry of Industry and Trade to implement the provisions of the Yarovaya Law regarding the interception and decryption of correspondence of Russians are no longer just plans, but are already beginning to be put into action by an order for the preparation of an expert opinion on the possibility of intercepting WhatsApp, Viber, Facebook Messenger, Telegram, Skype messages using MITM attacks and demonstration of a prototype of such a tool.

We wrote about the scheme for organizing a “legitimate” MITM attack in a previous article. Today we will dwell in more detail on the very principle of such an attack and the methods of its implementation.

What is a MITM attack

Man In The Middle (MITM) translates as “man in the middle.” This term refers to a network attack where an attacker is between the Internet user and the application that he is accessing. Not physically, of course, but with the help of special software. It presents itself to the user as the requested application (this could be a website or an Internet service), simulates working with it, and does this in such a way as to give the impression of normal operation and exchange of information.

The target of the attack is the user's personal data, such as login credentials for various systems, bank details and card numbers, personal correspondence and other confidential information. In most cases, financial applications (bank clients, online banks, payment and money transfer services), company SaaS services, e-commerce sites (online stores) and other sites where authorization is required to log into the system are attacked.

The information that an attacker obtains can be used for a variety of purposes, including illegal money transfers, changing accounts, intercepting personal correspondence, making purchases at someone else's expense, compromising and blackmailing.

In addition, after stealing credentials and hacking a system, criminals can install malicious software on a corporate network to steal intellectual property (patents, designs, databases) and cause economic damage by deleting important data.

A MITM attack can be compared to a postman who, while delivering your correspondence, opens a letter, rewrites its contents for personal use, or even falsifies the handwriting, adds something of his own, and then seals the envelope and delivers it to the addressee as if nothing had happened. . Moreover, if you have encrypted the text of the letter, and want to communicate the decryption code personally to the addressee, the postman will introduce himself as the addressee in such a way that you will not even notice the substitution.

How a MITM attack is carried out

Executing a MITM attack consists of two phases: interception and decryption.

Interception

The first stage of the attack is to intercept traffic from the user to the intended target and direct it into the attacker's network.

The most common and easiest way to intercept is a passive attack, when an attacker creates Wi-Fi points with free access (without a password or authorization). The moment a user connects to such a point, the attacker gains access to all traffic passing through it and can extract any data from it for interception.

The second method is active interception, which can be carried out in one of the following ways:

IP spoofing– replacing the target’s IP address in the packet header with the attacker’s address. As a result, users, instead of visiting the requested URL, end up on the attacker’s website.

ARP spoofing– substitution of the host’s real MAC address for the attacker’s address in the victim’s ARP table. As a result, data sent by the user to the IP address of the required node ends up at the attacker's address.

DNS spoofing infection of the DNS cache, penetration of the DNS server and spoofing of the website address matching record. As a result, the user tries to access the requested site, but receives the address of the attacker’s site from the DNS server.

Decryption

Once intercepted, two-way SSL traffic must be decrypted in such a way that the user and the resource he is requesting do not notice the interference.

There are several methods for this:

HTTPS spoofing– a fake certificate is sent to the victim’s browser when a connection to the site is established via the HTTPS protocol. This certificate contains a digital signature of the compromised application, due to which the browser accepts the connection with the attacker as reliable. Once such a connection is established, the attacker gains access to any data entered by the victim before it is transmitted to the application.

SSL BEAST(browser exploit against SSL/TLS) – the attack exploits the SSL vulnerability in TLS versions 1.0 and 1.2. The victim's computer is infected with malicious JavaScript, which intercepts encrypted cookies sent to the web application. This compromises the "ciphertext block chaining" encryption mode such that the attacker obtains the decrypted cookies and authentication keys.

SSL hijacking– transfer of fake authentication keys to the user and application at the start of a TCP session. This creates the appearance of a secure connection when in fact the session is controlled by a “man in the middle.”

SSL stripping– Downgrades the connection from secure HTTPS to plain HTTP by intercepting the TLS authentication sent by the application to the user. The attacker provides the user with unencrypted access to the site, while he maintains a secure session with the application, gaining the ability to see the victim’s transmitted data.\

Protection against MITM attacks

Reliable protection against MITM attacks is possible if the user takes several preventive actions and uses a combination of encryption and authentication methods by web application developers.

User actions:

Avoid connecting to Wi-Fi points that do not have password protection. Disable the function of automatically connecting to known access points - an attacker can disguise his Wi-Fi as legitimate.
Pay attention to the browser notification about going to an unsecured site. Such a message may indicate a transition to a fake website of an attacker or problems with the protection of a legitimate website.
End the session with the application (logout) if it is not in use.
Do not use public networks (cafes, parks, hotels, etc.) to conduct confidential transactions (business correspondence, financial transactions, purchases in online stores, etc.).
Use an antivirus with up-to-date databases on your computer or laptop; it will help protect against attacks using malicious software.

Developers of web applications and websites must use secure TLS and HTTPS protocols, which greatly complicate spoofing attacks by encrypting transmitted data. Their use also prevents traffic interception in order to obtain authorization parameters and access keys.

It is considered good practice to protect TLS and HTTPS not only for authorization pages, but also for all other sections of the site. This reduces the chance of an attacker stealing the user's cookies at the moment when he navigates through unprotected pages after authorization.

Protection against MITM attacks is the responsibility of the user and the telecom operator. The most important thing for the user is not to lose vigilance, use only proven methods of accessing the Internet, and choose sites with HTTPS encryption when transferring personal data. Telecom operators can be recommended to use Deep Packet Inspection (DPI) systems to detect anomalies in data networks and prevent spoofing attacks.

Government agencies plan to use the MITM attack to protect citizens, not to cause damage, unlike attackers. The interception of personal messages and other user traffic is carried out within the framework of current legislation, carried out by decision of the judicial authorities to combat terrorism, drug trafficking and other prohibited activities. For ordinary users, “legitimate” MITM attacks do not pose a threat.

Man in the middle attack (MitM attack) is a term in cryptography that refers to a situation where an attacker is able to read and modify at will the messages exchanged between correspondents, and none of the latter can guess his identity. presence in the channel.

A method of compromising a communication channel, in which an attacker, having connected to a channel between counterparties, actively interferes with the transmission protocol, deleting, distorting information or imposing false information.

Attack principle:

Suppose object "A" plans to transmit some information to object "B". Object "C" has knowledge about the structure and properties of the data transmission method used, as well as the fact of the planned transmission of the actual information that "C" plans to intercept.
To make an attack, "C" appears to object "A" as "B" and to object "B" as "A". Object "A", mistakenly believing that it is sending information to "B", sends it to object "C".
Object "C", having received information and having performed some actions with it (for example, copying or modifying it for its own purposes), sends the data to the recipient itself - "B"; object "B", in turn, believes that the information was received directly from "A".

Example of a MitM attack:

Let's say Alice is having financial problems and, using an instant messaging program, decides to ask John for a sum of money by sending the message:
Alice: John, hi!
Alice: Please send me the encryption key, I have a small request!
John: Hello! Wait a second!

But, at this time, Mr. X, who, while analyzing the traffic using a sniffer, noticed this message, and the words “encryption key” aroused curiosity. That's why he decided to intercept the following messages and replace them with the data he needed, and when he received the following message:
John: Here is my key: 1111_D

He changed John's key to his own, and sent a message to Alice:
John: Here is my key: 6666_M

Alice, unaware and thinking it is John's key, using the private key 6666_M, sends encrypted messages to John:
Alice: John, I have problems and I urgently need money, please transfer $300 to my account: Z12345. Thank you. p.s. My key: 2222_A

Having received the message, Mr. X decrypts it using his key, reads it, and, rejoicing, changes Alice’s account number and encryption key to his own, encrypts the message with the key 1111_D, and sends John a message:
Alice: John, I have problems and I urgently need money, please transfer $300 to my account: Z67890. Thank you. p.s. My key: 6666_A

After receiving the message, John decrypts it using the key 1111_D, and without even hesitating, will transfer money to the account Z67890...
And thus, Mr. X, using the man-in-the-middle attack, earned $300, but Alice will now have to explain that she did not receive the money... And John? John must prove to Alice that he sent them...

Implementation:

This type of attack is used in some software products for network eavesdropping, for example:
NetStumbler- a program with which you can collect a lot of useful data about a wireless network and solve some problems associated with its operation. NetStumbler allows you to determine the range of your network and helps you accurately point your antenna for long-distance communications. For each access point found, you can find out the MAC address, signal-to-noise ratio, name of the service and the degree of its security. If the traffic is not encrypted, then the program's ability to detect unauthorized connections will be useful.
dsniff- is a set of programs for network auditing and penetration testing, providing passive network monitoring to search for data of interest (passwords, email addresses, files, etc.), intercepting network traffic that would normally be inaccessible for analysis (for example, in a switched network), as well as the ability to organize MITM attacks to intercept SSH and HTTPS sessions by exploiting PKI flaws.
Cain & Abel is a free program that allows you to recover lost passwords for operating systems of the Windows family. Several recovery modes are supported: brute force hacking, dictionary selection, viewing passwords hidden by asterisks, etc. There are also options for identifying the password by intercepting information packets and their subsequent analysis, recording network conversations, cache analysis, and others.
Ettercap- is a sniffer, packet interceptor and recorder for local Ethernet networks, which supports active and passive analysis of multiple protocols, and it is also possible to “throw” your own data into an existing connection and filter “on the fly” without disrupting connection synchronization. The program allows you to intercept SSH1, HTTPS and other secure protocols and provides the ability to decrypt passwords for the following protocols: TELNET, ftp, POP, RLOGIN, SSH1, icq, SMB, Mysql, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG.
KARMA– a set of utilities for assessing the security of wireless clients, is a wireless sniffer that, by passively listening to 802.11 Probe Request frames, allows you to detect clients and their preferred/trusted networks. A fake access point can then be created for one of the requested networks, to which it can be automatically connected. High-level fake services can be used to steal personal data or exploit client vulnerabilities on the host.
AirJack- a set of programs that, according to experts in the field of WiFi hacking, is the best tool for generating various 802.11 frames. AirJack includes a number of utilities designed to detect a hidden ESSID, send session termination frames with a fake MAC, conduct MitM attacks and modify it.
Counteraction:
To avoid attacks of this type, subscribers “A” and “B” only need to transfer digital signatures of public encryption keys to each other using a reliable channel. Then, when comparing key signatures in encryption sessions, it will be possible to determine which key was used to encrypt the data, and whether the keys have been replaced.

A man-in-the-middle attack is a generic name for various techniques aimed at gaining access to traffic as an intermediary. Due to the wide variety of these techniques, it is problematic to implement a single tool for detecting these attacks that would work for all possible situations. For example, in a man-in-the-middle attack on a local network, ARP spoofing (poisoning) is usually used. And many man-in-the-middle attack detection tools monitor changes in Ethernet address pairs/or report suspicious ARP activity by passively monitoring ARP requests/responses. But if this attack is used on a maliciously configured proxy server, VPN, or other options that do not use ARP poisoning, then such tools are helpless.

The purpose of this section is to review some techniques for detecting man-in-the-middle attacks, as well as some tools designed to determine if you are being targeted by a MitM attack. Due to the variety of methodologies and implementation scenarios, 100% detection cannot be guaranteed.

1. Detection of traffic modification

As already mentioned, man-in-the-middle attacks do not always use ARP spoofing. So while activity detection at the ARP layer is the most popular detection method, a more general method is traffic modification detection. The mitmcanary program can help us with this.

The principle of operation of the program is that it makes “control” requests and saves the responses received. After that, it repeats the same requests at certain intervals and compares the responses it receives. The program is quite intelligent and, to avoid false positives, it identifies dynamic elements in responses and processes them correctly. As soon as the program has detected traces of the activity of tools for MitM attacks, it reports this.

Examples of how some tools can “inherit”:

MITMf, by default, changes all HTTPS URLs in HTML code to HTTP. Detected by comparing HTTP content.
Zarp + MITMProxy, MITMProxy has functionality that allows you to clear HTTP compression, this is used for transparency of transmitted traffic, this combination is detected by the disappearance of previously present compression
Responder, identified by sudden changes in the transformation of mDNS responses: unexpected response; the answer is internal, but external is expected; the response is different from the expected IP

MITMCanary vs MITMf:

MITMCanary vs Responder:

MITMCanary vs Zarp + MITMProxy:

Sudo pip install Cython sudo apt-get install python-kivy python-dbus sudo pip install plyer uuid urlopen analysis request simplejson datetime git clone https://github.com/CylanceSPEAR/mitmcanary.git cd mitmcanary/

As already mentioned, mitmcanary needs to start working with control requests. To do this, go to the directory

CD service/

And run the file setup_test_persistence.py:

Python2 setup_test_persistence.py

This will take some time - wait for it to finish. There should be no error messages (if so, then you are missing some dependencies).

The output will be something like this:

Mial@HackWare:~/bin/mitmcanary/service$ python2 setup_test_persistence.py Older configuration version detected (0 instead of 14) Upgrading configuration in progress. Purge log fired. Analyzing... Purge finished! Record log in /home/mial/.kivy/logs/kivy_16-11-01_0.txt v1.9.1 v2.7.12+ (default, Sep 1 2016, 20:27:38)

After this process is finished, in the same directory execute (this will start a background process):

Python2 main.py

After that, open a new terminal window and go to the end directory with mitmcanary. My directory is bin/mitmcanary/, so I enter

Cd bin/mitmcanary/

and do there:

Python2 main.py

The first window displays something like:

Mial@HackWare:~/bin/mitmcanary/service$ python2 main.py Record log in /home/mial/.kivy/logs/kivy_16-11-01_1.txt v1.9.1 v2.7.12+ (default, Sep 1 2016, 20:27:38) using for socket listening for Tuio on 127.0.0.1:3000 Sleeping for 60 seconds Sleeping for 60 seconds Sleeping for 60 seconds Sleeping for 60 seconds Sleeping for 60 seconds Sleeping for 60 seconds

Those. The program makes control requests once a minute and looks for signs of a man-in-the-middle attack.

The second window also contains output + a dark window opens; the authors of the program call this window a “graphical interface”:

You can wait a while and surf the Internet to make sure that the program does not issue any false warnings.

Let's try the classic program Ettercap.

I'm launching a regular MitM attack with ARP spoofing. mitmcanary does not respond to etching itself. The mitmcanary tool generates the traffic itself, i.e. no user action is required. After some time, one single warning appears, which is not confirmed during subsequent checks. But a similar warning appears after a few minutes. Without further analysis, I'm hard pressed to say whether this is an example of a false positive - it looks a lot like it. It is quite possible that this warning is caused by a communication failure due to the need for traffic to pass additional routes, or due to the peculiarities of my poor-quality Internet connection.

Since the result is not obvious (more likely “no” than “yes”), let’s try the Bettercap program, which has a variety of modules. I have no doubt that if we used various Ettercap plugins and/or additional programs to expand functionality, we would also “light up” for mitmcanary.

For the purity of the experiment, I restart the equipment, run mitmcanary on the attacked machine and Bettercap on the attacking one. At the same time, it is not necessary to make control requests again on the attacked machine - they are saved in a file inside the directory with the program. Those. It is enough to start the service and the graphical interface.

And in the attacking machine we will launch Bettercap with parsers enabled:

Sudo bettercap -X

Individual warnings appear, which also look more like false positives.

But running this command:

Sudo bettercap -X --proxy

On the attacked machine, a large number of warnings about a possible man-in-the-middle attack are generated:

So, the more powerful a man-in-the-middle attack tool is, the more traces it leaves in traffic. For practical use of mitmcanary, the following conditions must be met:

make initial requests on a trusted network when you are sure that there is no intermediary in the transmission of traffic;
edit the resources to which verification requests are made, since a professional attacker can add default resources to exceptions, which will make him invisible to this tool.

2. Detecting ARP spoofing (ARP cache poisoning)

Very often, a man-in-the-middle attack on a local network begins with ARP poisoning. That is why many tools designed to detect MitM attacks are based on a mechanism for monitoring changes in the ARP cache, which assigns correspondence between Ethernet (MAC addresses) and IP addresses.

As an example of such programs, we can recall arpwatch, arpalert and a large number of new programs. The ArpON program not only monitors changes in the ARP cache, but also protects it from them.

As an example, let's run arpwatch in debug mode, without creating forks in the background and sending messages by mail. Instead, messages are sent to stderr (standard error output).

Sudo /usr/sbin/arpwatch -d

Let's launch Ettercap on the attacking machine and start ARP spoofing. On the attacked machine we observe:

The arpwatch program will help you quickly find out about new devices that have connected to your local network, as well as about changes in the ARP cache.

Another tool for detecting ARP spoofing in real time is the Ettercap plugin called arp_cop. On the attacked machine, launch Ettercap as follows:

Sudo ettercap -TQP arp_cop ///

And on the attacker we will start ARP poisoning. Warnings immediately begin to appear on the attacked machine:

3. Detection of DNS spoofing

DNS spoofing indicates that there is an intermediary between you and your destination who can modify your traffic. How can you detect that DNS records have been spoofed? The easiest way to do this is to compare with the answers from a nameserver you trust. But the entries in the response sent to your request can also be replaced...

Those. you need to check either through an encrypted channel (for example, through Tor), or use non-standard settings (another port, TCP instead of UDP). This is roughly what the sans program from XiaoxiaoPu is designed for (at least as I understand it). Using this program, I was able to redirect DNS requests via Tor and through non-standard settings to my DNS server. But I couldn’t get her to show me messages about DNS response spoofing. Without this, the meaning of the program is lost.

I couldn't find any more worthy alternatives.

In principle, given that DNS spoofers usually monitor only port 53, and only the UDP protocol, even manually it is enough to simply check the fact of DNS spoofing, although this requires your own DNS server with a non-standard configuration. For example, on the attacking machine I created a file dns.conf with the following content:

Local mi-al.ru

Those. when requesting a DNS record for the mi-al.ru website, the IP of the attacker’s machine will be sent instead of the real IP.

I run on the attacking machine:

Sudo bettercap --dns dns.conf

And on the attacked one I do two checks:

Dig mi-al.ru # and dig mi-al.ru -p 4560 @185.117.153.79

Results:

Mial@HackWare:~$ dig mi-al.ru ;<<>> DiG 9.10.3-P4-Debian<<>> mi-al.ru ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51993 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;mi-al.ru. IN A ;; ANSWER SECTION: mi-al.ru. 86400 IN A 192.168.1.48 ;; Query time: 2 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Wed Nov 02 09:25:20 MSK 2016 ;; MSG SIZE rcvd: 42 mial@HackWare:~$ dig mi-al.ru -p 4560 @185.117.153.79 ; <<>> DiG 9.10.3-P4-Debian<<>> mi-al.ru -p 4560 @185.117.153.79 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 401 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;mi-al.ru. IN A ;; ANSWER SECTION: mi-al.ru. 3799 IN A 185.26.122.50 ;; Query time: 304 msec ;; SERVER: 185.117.153.79#4560(185.117.153.79) ;; WHEN: Wed Nov 02 09:25:27 MSK 2016 ;; MSG SIZE rcvd: 53

It can be seen that for a “regular” DNS request, local IP 192.168.1.48 was sent, and when requesting DNS on an atypical port, the correct server IP was sent.

If the server was configured to use TCP (rather than UDP), then the command would look like this:

Dig mi-al.ru -p 4560 +tcp @185.117.153.79

There is clearly a lack of a tool that would itself monitor DNS responses in traffic, double-check them against an alternative source, and raise an alarm in case of spoofing.

To avoid setting up your own remote DNS, you can make name server queries via Tor. Since all Tor traffic is encrypted, the DNS responses obtained in this way are beyond the capabilities of an intermediary. If Tor is not already installed, install it.

Sudo apt-get install tor

Sudo pacman -S tor

Start the service:

Sudo systemctl start tor

If you need it, add this service to startup:

Sudo systemctl enable tor

Open the file /etc/tor/torrc and add the following lines there:

DNSPort 530 AutomapHostsOnResolve 1 AutomapHostsSuffixes .exit,.onion

Pay attention to the number 530. This is the port number; instead of 530, you can specify any other (unused) port. The main thing is to remember it.

We check again:

Dig mi-al.ru # and dig mi-al.ru -p 530 @localhost

Now we specify as the server localhost, and write the port number that you specified in the /etc/tor/torrc settings.

As you can see from the following screenshot, a DNS spoofing attack is carried out on the machine on which the check was made:

4. Search for network interfaces in promiscuous mode

If there is (and especially if it suddenly appeared) equipment in promiscuous mode on your local network, this is very suspicious, although it does not clearly indicate a man-in-the-middle attack.

In this mode, the network card allows you to receive all packets regardless of who they are addressed to.

In normal state, the Ethernet interface uses link layer packet filtering and if the MAC address in the destination header of the received packet does not match the MAC address of the current network interface and is not broadcast, then the packet is discarded. In “promiscuous” mode, filtering on the network interface is disabled and all packets, including those not destined for the current node, are allowed into the system.

Most operating systems require administrator rights to enable promiscuous mode. Those. Setting a network card to promiscuous mode is a deliberate action that may serve sniffing purposes.

To search for network interfaces in promiscuous mode there is a plugin called Ettercap called search_promisc.

Example of running the plugin:

Sudo ettercap -TQP search_promisc ///

The plugin's operation is not completely reliable; errors may occur in determining the network interface mode.

Conclusion

Some man-in-the-middle attack methods leave a lot of traces, and some (like passive proxy credential lookup) are impossible or nearly impossible to detect.

There are almost always several ways to achieve the desired result. This also applies to the information security field. Sometimes, to achieve a goal, you can use brute force, look for holes and develop exploits yourself, or listen to what is transmitted over the network. Moreover, the last option is often optimal. That is why today we will talk about tools that will help us catch information that is valuable to us from network traffic, using MITM attacks for this.

MITMf

Let's start with one of the most interesting candidates. This is a whole framework for conducting man-in-the-middle attacks, built on the basis of sergio-proxy. Recently included in Kali Linux. To install it yourself, just clone the repository and run a couple of commands:

# setup.sh # pip install -r requirements.txt

# pip install -r requirements.txt

It has an architecture that is extensible through plugins. Among the main ones are the following:

Spoof - allows you to redirect traffic using ARP/DHCP spoofing, ICMP redirects and modify DNS requests;
Sniffer - this plugin tracks login attempts for various protocols;
BeEFAutorun - allows you to automatically launch BeEF modules based on the type of OS and client browser;
AppCachePoison - carries out a cache poisoning attack;
SessionHijacking - hijacks sessions and stores the resulting cookies in the Firefly profile;
BrowserProfiler - tries to get a list of plugins used by the browser;
FilePwn - allows you to replace files sent via HTTP using Backdoor Factory and BDFProxy;
Inject - injects arbitrary content into an HTML page;
jskeylogger - embeds a JavaScript keylogger into client pages.

If this functionality seems insufficient to you, then you can always add your own by implementing the appropriate extension.

PuttyRider

Another utility worthy of attention. True, unlike all other tools considered today, it is very narrowly specialized. As the author of the project himself says, he was inspired to create such a utility by the fact that during penetration tests, the most important data was located on Linux/UNIX servers, to which administrators connected via SSH/Telnet/rlogin. Moreover, in most cases, it was much easier to gain access to the administrators’ machine than to the target server. Having penetrated the system administrator’s machine, all that remains is to make sure that PuTTY is running and, using this tool, build a back bridge to the attacker.

The utility allows you not only to capture “communication” between the admin and the remote server (including passwords), but also to execute arbitrary shell commands within a given session. Moreover, all this will happen absolutely transparently for the user (administrator). If you are interested in technical details, for example, how PuTTY is implemented into the process, I recommend that you read the author’s presentation.

Quite an old utility, born more than eight years ago. Intended for cloning sessions by stealing cookies. To hijack sessions, he has basic skills in detecting hosts (if connected to an open wireless network or hub) and conducting ARP poisoning. The only problem is that today, unlike eight years ago, almost all large companies such as Yahoo or Facebook use SSL encryption, which makes this tool completely useless. Despite this, there are still enough resources on the Internet that do not use SSL, so it is too early to write off the utility. Its advantages include the fact that it automatically integrates into Firefox and creates a separate profile for each intercepted session. The source code is available in the repository, and you can build it yourself using the following sequence of commands:

# apt-get install build-essential libwxgtk2.8-dev libgtk2.0-dev libpcap-dev # g++ $(wx-config --cppflags --libs) -lpcap -o sessionthief *.cpp # setcap cap_net_raw,cap_net_admin=eip sessionthief

# apt-get install build-essential libwxgtk2.8-dev libgtk2.0-dev libpcap-dev

# g++ $(wx-config --cppflags --libs) -lpcap -o sessionthief *.cpp

# setcap cap_net_raw,cap_net_admin=eip sessionthief

ProxyFuzz

ProzyFuzz has nothing to do directly with conducting MITM attacks. As you can guess from the name, the tool is designed for fuzzing. This is a small non-deterministic network fuzzer, implemented in Python, that randomly changes the contents of network traffic packets. Supports TCP and UDP protocols. You can configure it to fuzz only one side. It comes in handy when you need to quickly test some network application (or protocol) and develop a PoC. Usage example:

Python proxyfuzz -l -r -p

python proxyfuzz -l -r -p

The list of options includes:

w - specifies the number of requests sent before fuzzing begins;
c - fuzz only the client (otherwise both sides);
s - fuzz only the server (otherwise both sides);
u - UDP protocol (otherwise TCP is used).

The Middler

A utility for conducting MITM attacks on various protocols presented at the DEF CON conference. The alpha version supported the HTTP protocol and had three cool plugins in its arsenal:

plugin-beef.py - injects the Browser Exploitation Framework (BeEF) into any HTTP request coming from the local network;
plugin-metasploit.py - embeds an IFRAME into unencrypted (HTTP) requests, which loads browser exploits from Metasploit;
plugin-keylogger.py - embeds a JavaScript onKeyPress event handler for all text fields that will be submitted over HTTPS, causing the browser to send the user-entered password character-by-character to the attacker's server before the entire form is submitted.

The Middler not only automatically analyzes network traffic and finds cookies in it, but also independently requests them from the client, that is, the process is automated to the maximum. The program guarantees the collection of all unprotected accounts on a computer network (or public hotspot) to whose traffic it has access. For the program to work correctly, the following packages must be installed on the system: Scapy, libpcap, readline, libdnet, python-netfilter. Unfortunately, the repository has not been updated for a long time, so you will have to add new functionality yourself.

A console utility that allows you to interactively examine and modify HTTP traffic. Thanks to such skills, the utility is used not only by pentesters/hackers, but also by ordinary developers who use it, for example, to debug web applications. With its help, you can get detailed information about what requests the application makes and what responses it receives. Also, mitmproxy can help in studying the peculiarities of the functioning of some REST APIs, especially those that are poorly documented.

Installation is extremely simple:

$ sudo aptitude install mitmproxy

It is worth noting that mitmproxy also allows you to intercept HTTPS traffic by issuing a self-signed certificate to the client. A good example of how to set up traffic interception and modification can be found here.

Dsniff

Well, this utility is generally one of the first things that should come to mind as soon as you hear
"MITM attack". The tool is quite old, but continues to be actively updated, which is good news. There is no point in talking in detail about its capabilities; over the fourteen years of its existence, it has been covered on the Internet more than once. For example, in a guide like this:

or instructions from our website:

Lastly..

As usual, we haven’t looked at all utilities, but only the most popular ones; there are also many little-known projects that we might talk about someday. As you can see, there is no shortage of tools for carrying out MITM attacks, and, which does not happen very often, one of the cool tools is implemented for Windows. There is nothing to say about nix systems - a whole variety. So I think you can always find the right tool for theft
other people's credentials. Oops, that is, for testing.

In which an attacker, having connected to a channel between counterparties, interferes with the transmission protocol, deleting or distorting information.

Encyclopedic YouTube

1 / 3

✪ No. 4 HOW TO BECOME A HACKER? "Attack of the Broker"! |HACKING from A to Z|

✪ MiTM attack on iOS. Technique and consequences

✪ Bitcoin Chronology of Hacker Attacks and Exchange Hacks on the Cryptocurrency Market (2012 - 2018)

Subtitles

Attack principle

The attack usually begins with eavesdropping on the communication channel and ends with the cryptanalyst trying to replace the intercepted message, extract useful information from it, and redirect it to some external resource.

Suppose object A plans to transmit some information to object B. Object C has knowledge about the structure and properties of the data transmission method used, as well as the fact of the planned transmission of the actual information that C plans to intercept. To carry out an attack, C “appears” to object A as B, and to object B as A. Object A, mistakenly believing that it is sending information to B, sends it to object C. Object C, having received the information, and performs some actions with it (for example , copying or modifying for their own purposes) forwards the data to the recipient itself - B; object B, in turn, believes that the information was received directly from A.

Example attack

Injection of malicious code

A man-in-the-middle attack allows a cryptanalyst to insert code into emails, SQL statements, and web pages (i.e., allowing SQL injection, HTML/script injection, or XSS attacks), and even modify user-uploaded binaries to to gain access to a user account or change the behavior of a program downloaded by the user from the Internet.

Downgrade Attack

The term “Downgrade Attack” refers to an attack in which a cryptanalyst forces the user to use less secure functions, protocols that are still supported for compatibility reasons. This type of attack can be carried out on the SSH, IPsec and PPTP protocols.

To protect against Downgrade Attack, insecure protocols must be disabled on at least one side; Simply supporting and using secure protocols by default is not enough!

SSH V1 instead of SSH V2

An attacker may try to change the connection parameters between the server and the client when a connection is established between them. According to a talk given at the Blackhat Conference Europe 2003, a cryptanalyst can "force" a client to start an SSH1 session by changing the version number "1.99" for the SSH session to "1.51" instead of SSH2, which means using SSH V1. The SSH-1 protocol has vulnerabilities that can be exploited by a cryptanalyst.

IPsec

In this attack scenario, the cryptanalyst misleads his victim into thinking that the IPsec session cannot begin at the other end (the server). This results in messages being forwarded explicitly if the host machine is running in rollback mode.

PPTP

At the stage of negotiating PPTP session parameters, the attacker can force the victim to use less secure PAP authentication, MSCHAP V1 (that is, “roll back” from MSCHAP V2 to version 1), or not use encryption at all.

The attacker can force his victim to repeat the stage of negotiating the parameters of the PPTP session (send a Terminate-Ack packet), steal the password from the existing tunnel and repeat the attack.

Public communications without protecting the accuracy, confidentiality, availability and integrity of information

The most common means of communication for this group are a social network, a public email service and an instant messaging system. The owner of the resource providing the communications service has full control over the information exchanged between correspondents and, at his own discretion, can freely carry out an attack at any time.

Unlike previous scenarios based on technical and technological aspects of communications, in this case the attack is based on mental aspects, namely on ingraining in the minds of users the concept of ignoring information security requirements.

Will encryption help?

Let's consider the case of a standard HTTP transaction. In this case, an attacker can quite easily split the original TCP connection into two new ones: one between himself and the client, the other between himself and the server. This is quite easy to do, since very rarely the connection between client and server is direct, and in most cases they are connected through a number of intermediate servers. A MITM attack can be carried out on any of these servers.

However, if the client and server communicate using HTTPS, a protocol that supports encryption, a man-in-the-middle attack can also be carried out. This type of connection uses TLS or SSL to encrypt requests, which would seem to make the channel protected from sniffing and MITM attacks. An attacker can create two independent SSL sessions for each TCP connection. The client establishes an SSL connection with the attacker, who, in turn, creates a connection with the server. In such cases, the browser usually warns that the certificate is not signed by a trusted certification authority, but ordinary users of outdated browsers can easily bypass this warning. In addition, the attacker may have a certificate signed by the root certification authority (for example, such certificates are sometimes used for DLP) and does not generate warnings. Additionally, there are a number of attacks against HTTPS. Thus, the HTTPS protocol cannot be considered protected from MITM attacks for ordinary users. [ ] There are a number of measures that prevent some MITM attacks on https sites, in particular, HSTS, which prohibits the use of an http connection from sites, Certificate pinning and HTTP Public Key Pinning, which prohibit certificate substitution.

MITM attack detection

To detect a man-in-the-middle attack, you need to analyze network traffic. For example, to detect an SSL attack, you should pay attention to the following parameters:

Server IP address
DNS server
X.509 - server certificate
- Is the certificate self-signed?
- Is the certificate signed by a certification authority?
- Has the certificate been revoked?
- Has the certificate changed recently?
- Have other clients on the Internet received the same certificate?

MITM attack implementations

The listed programs can be used to carry out man-in-the-middle attacks, as well as to detect them and test the system for vulnerabilities.