In a man-in-the-middle attack (MITM), a black hat hacker takes a position between two victims who are communicating with one another. In this spot, the attacker relays all communication, can listen to it, and even modify it.
Imagine that Alice and Barbara talk to one another on the phone in Lojban, which is an obscure language. Nancy is a secret agent who needs to listen in on their conversation but who cannot tap the phone line. Nancy is very clever and talented, so she does the following:
Now Alice and Barbara are both certain that they are talking to one another. In reality, they are talking to Nancy who relays communication between them. Nancy knows all the secrets. She may also manipulate the information that Alice and Barbara are sharing with one another.
To pull this off, Nancy uses several tools. For example, she spoofs Barbara’s phone number, she figures out the encryption (Lojban language), and she authenticates by imitating voices. Black hat hackers do very similar things in the IT world.
In the world of IT security, black hat hackers usually use man-in-the-middle attacks to eavesdrop on communications between a client and a server. This includes HTTPS connections to websites, other SSL/TLS connections, Wi-Fi connections, and more.
Such hackers have two primary goals: to gain access to sensitive information and/or to manipulate transmitted content. In practice, they can use MITM attacks:
You must also remember that websites are not the only target of MITM attacks. A very common target is email, which by default does not use any kind of encryption. If an attacker can get access to an email account, they may intercept and spoof emails.
Man-in-the-middle attacks were known a long time before the advent of computers.
In the world of computing, some of the most famous cases linked to MITM attacks were the following:
A black hat hacker may attack a connection that is secure (encrypted) or not. In both cases, the first goal is to intercept the connection – like Nancy first has to slip a business card into Alice’s purse. There are many ways to do this including ARP spoofing, IP spoofing, and DNS spoofing. The attacker may also use other attack vectors to take control of the victim’s machine or the server and eavesdrop from there.
ARP (Address Resolution Protocol) translates between the physical address of an Internet device (MAC address – media access control) and the IP address assigned to it on the local area network. An attacker who uses ARP spoofing tries to inject false information onto the local area network to redirect connections to their device.
For example, your router has the IP address 192.168.0.1. To connect to the internet, your laptop needs to send IP (Internet Protocol) packets to this address. First, it must know which physical device has this address. The router has the following MAC address: 00-00-00-00-00-01.
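The symptom of an ARP spoofing attempt on the local segment is that one IP address (typically the router's) is claimed by more than one MAC address, or that one MAC claims several IPs at once. The following detector is an added example and not code from the original article: it runs over a constructed list of (sender IP, sender MAC) pairs as they would be observed in ARP replies (in practice fed from a packet capture or the host's ARP table) and checks them against a hypothetical table of known bindings for critical hosts such as the gateway.

```python
"""Flag ARP spoofing symptoms in observed ARP replies (added example)."""
from collections import defaultdict

# Constructed sample traffic. The router 192.168.0.1 is legitimately
# 00-00-00-00-00-01 (as in the text); another host later claims the same IP.
SAMPLE_ARP_REPLIES = [
    ("192.168.0.1", "00-00-00-00-00-01"),
    ("192.168.0.10", "00-00-00-00-00-0a"),
    ("192.168.0.1", "00-00-00-00-00-0a"),   # second MAC claiming the router's IP
    ("192.168.0.1", "00-00-00-00-00-0a"),
]

# Hypothetical static bindings an administrator would maintain for
# hosts that must never change their MAC (gateway, DNS server, ...).
KNOWN_BINDINGS = {"192.168.0.1": "00-00-00-00-00-01"}


def normalize_mac(mac: str) -> str:
    """Accept 00-11-.. or 00:11:.. notation and return lower-case colon form."""
    return mac.replace("-", ":").lower()


def find_arp_conflicts(replies, known=KNOWN_BINDINGS):
    """Return a list of (kind, subject, details) alerts for suspicious ARP state.

    kind is one of:
      duplicate-ip           one IP advertised by more than one MAC
      known-binding-violated a pinned IP advertised by an unexpected MAC
      mac-claims-many-ips    one MAC advertising several IPs (poisoning both ends)
    """
    macs_per_ip = defaultdict(set)
    ips_per_mac = defaultdict(set)
    for ip, mac in replies:
        mac = normalize_mac(mac)
        macs_per_ip[ip].add(mac)
        ips_per_mac[mac].add(ip)

    alerts = []
    for ip, macs in sorted(macs_per_ip.items()):
        if len(macs) > 1:
            alerts.append(("duplicate-ip", ip, sorted(macs)))
    for ip, expected in sorted(known.items()):
        rogue = macs_per_ip.get(ip, set()) - {normalize_mac(expected)}
        for mac in sorted(rogue):
            alerts.append(("known-binding-violated", ip, [mac]))
    for mac, ips in sorted(ips_per_mac.items()):
        if len(ips) > 1:
            alerts.append(("mac-claims-many-ips", mac, sorted(ips)))
    return alerts


if __name__ == "__main__":
    for kind, subject, details in find_arp_conflicts(SAMPLE_ARP_REPLIES):
        print(f"[{kind}] {subject}: {', '.join(details)}")
```

A single duplicate can also be a legitimate NIC replacement or a failover pair, so the pinned-binding check is the one worth alerting on loudly; the other two are better treated as lower-severity signals to correlate over time.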
Let’s say that Nancy is no longer working with phones but she is a black hat hacker:
IP spoofing means that a computer is pretending to have a different IP address – usually the same address as another machine. On its own, IP spoofing is not enough for a MITM attack. However, an attacker may combine it with TCP sequence prediction.
Most internet connections are established using TCP/IP (Transmission Control Protocol / Internet Protocol). When two devices on the network connect to one another using TCP/IP, they need to establish a session. They do it using a three-way handshake. During this process, they exchange information called sequence numbers. The sequence numbers are needed for the recipient to recognize further packets. Thanks to sequence numbers, the devices know the order in which they should put the received packets together.
In this situation, the attacker first sniffs the connection (listens in). This is very easy on a local network because all IP packets go into the network and may be read by any other device. The attacker learns the sequence numbers, predicts the next one, and sends a packet pretending to be the original sender. If that packet reaches the destination first, the attacker intercepts the connection.
Let’s go back to Nancy who wants to try IP spoofing with TCP sequence prediction this time:
ARP spoofing and IP spoofing need the attacker to connect to the local network segment that you use. An attacker using DNS spoofing can be anywhere. It’s more difficult because your DNS cache must be vulnerable. However, if successful, it can affect a large number of victims.
DNS (Domain Name System) is the system used to translate between IP addresses and symbolic names like www.example.com. This system has two primary elements: nameservers (DNS servers) and resolvers (DNS caches). The nameserver is the source of authoritative information. Usually, there are two or three systems that keep that information for every domain. For example, the IP address for www.example.com is stored on two nameservers: sns.dns.icann.org and noc.dns.icann.org. You can check this using the Google DNS lookup tool.
If every client that wants to connect to www.example.com connected to these two servers every time, they would be overloaded. That is why every client uses its local resolver to cache information. If the cache does not have information on www.example.com, it contacts sns.dns.icann.org and noc.dns.icann.org to get 126.96.36.199. Then, it stores the IP address locally for some time. All the clients that use this resolver get the address from the cache.
A DNS spoofing attack is performed by injecting a fake entry into the local cache. If a black hat hacker does that, all clients connected to this cache get the wrong IP address and connect to the attacker instead. This lets the attacker become a man-in-the-middle.
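Whether a forged entry can be injected depends on what the resolver checks before it caches an answer. The simulation below is an added example, not code from the original article: a toy resolver that keeps a table of outstanding queries and accepts a response only if its transaction ID and destination port match a pending query and the answer is for the name that was asked. The `randomize` flag contrasts the weak configuration (predictable sequential transaction IDs, fixed port 53) with the hardened one (random transaction ID and source port). Names, IPs and the class itself are constructed for the illustration.

```python
"""Toy DNS resolver cache showing the checks that resist cache poisoning (added example)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Resolver:
    # randomize=False models a weak resolver: sequential transaction IDs and
    # a fixed source port, so a forged reply needs very little guessing.
    randomize: bool = True
    pending: dict = field(default_factory=dict)   # (txid, port) -> queried name
    cache: dict = field(default_factory=dict)     # name -> IP
    _next_txid: int = 0

    def send_query(self, qname: str):
        """Register an outstanding query and return the (txid, port) it used."""
        if self.randomize:
            txid = secrets.randbelow(1 << 16)            # 16-bit transaction ID
            port = 1024 + secrets.randbelow(65536 - 1024)  # random ephemeral port
        else:
            txid = self._next_txid
            self._next_txid = (self._next_txid + 1) & 0xFFFF
            port = 53
        self.pending[(txid, port)] = qname
        return txid, port

    def receive_response(self, txid: int, port: int, qname: str,
                         answer_name: str, ip: str) -> bool:
        """Accept and cache a response only if it matches a pending query."""
        key = (txid, port)
        # 1. Must correspond to an outstanding query for exactly this name.
        if self.pending.get(key) != qname:
            return False
        # 2. Only cache records for the name we asked about; extra records
        #    for other names are ignored (a minimal bailiwick check).
        if answer_name.lower() != qname.lower():
            return False
        del self.pending[key]          # one response per query
        self.cache[qname] = ip
        return True


if __name__ == "__main__":
    weak = Resolver(randomize=False)
    weak.send_query("www.example.com")
    # A reply that simply guesses txid 0 / port 53 is accepted by the weak resolver.
    print("weak accepts guess:", weak.receive_response(0, 53, "www.example.com",
                                                       "www.example.com", "203.0.113.9"))
    strong = Resolver()
    txid, port = strong.send_query("www.example.com")
    print("strong accepts guess:", strong.receive_response(0, 53, "www.example.com",
                                                           "www.example.com", "203.0.113.9"))
```

Real resolvers add more than this (0x20 case randomization, DNSSEC validation, rate limiting), but the two checks shown are exactly what makes a cache "not vulnerable" in the sense the text uses: an off-path sender has to guess both a random 16-bit ID and a random port inside the short window before the genuine answer arrives.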
This time, Nancy cannot connect to your network so she tries DNS spoofing:
Black hat hackers may use many more methods to place themselves between the client and the server. These methods usually belong to one of the following three categories:
If the victim uses a secure connection, being in the middle is not enough. Nancy must understand the language that Alice and Barbara are using (Lojban). She must also be able to speak it fluently and imitate Alice’s and Barbara’s voices. This is needed so that Alice and Barbara are still sure that they are talking to one another. Some of the techniques used for this in the IT world are HTTPS spoofing, SSL hijacking, and SSL stripping.
Internationalized domain names (IDNs) can contain Unicode characters. Some Unicode characters look similar to ASCII characters. Black hat hackers use this to fool victims. A victim visits a fake website controlled by the attacker who intercepts information and relays it to the real website.
For example, Nancy wants you to visit a fake Acunetix website аcunetix.com (the Cyrillic а looks exactly like the ASCII a). In Punycode, this name is xn--cunetix-1fg.com (you can try to create your own using Punycoder).
Current browsers (Chrome, Firefox, Opera, Internet Explorer, Edge, Safari) have protection against homograph attacks. For example, they display Punycode in the address bar instead of national characters. However, websites and emails may still contain links in Unicode that look exactly like originals.
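The same checks a browser applies can be run over links found in email or on a page before they are followed. The checker below is an added example, not code from the original article: it converts a domain to Punycode with Python's built-in `idna` codec (giving xn--cunetix-1fg.com for the Cyrillic-а domain from the text), flags labels that mix scripts, and maps a small constructed table of Cyrillic look-alikes onto their Latin counterparts to see whether the result collides with a protected domain. The look-alike table and the `PROTECTED` set are illustrative and far smaller than the Unicode confusables data real software uses.

```python
"""Homograph checks for domain names found in links (added example)."""
import unicodedata

# Constructed, deliberately small subset of Cyrillic letters that render
# like Latin ones. Real tooling uses the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

# Hypothetical list of brands/domains we want to protect against impersonation.
PROTECTED = {"acunetix.com", "example.com"}


def to_punycode(domain: str) -> str:
    """Return the ASCII (xn--) form that browsers show for IDN labels."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain: str) -> str:
    """Replace known look-alike characters with the Latin letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())


def script_of(ch: str) -> str:
    """Coarse script name taken from the first word of the Unicode character name."""
    try:
        return unicodedata.name(ch).split(" ")[0]
    except ValueError:
        return "UNKNOWN"


def analyze_domain(domain: str, protected=PROTECTED) -> dict:
    """Return a report: punycode form, whether it is an IDN, mixed-script labels
    and the protected domain it visually impersonates (if any)."""
    punycode = to_punycode(domain)
    mixed = []
    for label in domain.split("."):
        scripts = {script_of(ch) for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            mixed.append(label)
    skel = skeleton(domain)
    impersonates = skel if skel != domain.lower() and skel in protected else None
    return {
        "punycode": punycode,
        "is_idn": punycode != domain.lower(),
        "mixed_script_labels": mixed,
        "impersonates": impersonates,
    }


if __name__ == "__main__":
    for name in ("\u0430cunetix.com", "acunetix.com"):
        print(name, "->", analyze_domain(name))
```

A link whose report shows `is_idn` true together with a non-empty `impersonates` field is the case the text describes: the rendered text looks like the real site, but the name the browser actually resolves is the xn-- form controlled by someone else.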
Anyone can generate an SSL/TLS certificate for any domain. An attacker who intercepts a connection can generate certificates for all domains that the victim visits. They can present these certificates to the victim, establish a connection with the original server, and relay the traffic. This is called SSL hijacking.
However, your browser trusts only certificates that are signed by a trusted Certificate Authority (CA). If the certificate is not signed by a trusted CA, browsers display clear warnings or even refuse to open a page. Therefore, an attacker needs a way to make your browser believe that the certificate can be trusted. To do this, they must add their CA to the trusted certificate store on your computer. This can be done using other attack vectors.
If Nancy wants to listen in on your SSL/TLS connections using SSL hijacking, this is what she does:
SSL hijacking is very often used for legitimate purposes. For example, malware protection software installed on your computer probably uses SSL hijacking. If not, the software would not be able to protect you when you try to download malware using a secure connection. Some companies use SSL hijacking to control traffic in their internal networks, for example, to check what content their employees are accessing. Parental control software also uses SSL hijacking.
When you type an address in your browser, your browser first connects to an insecure site (HTTP). Then, it is usually quickly redirected to the secure site (HTTPS). If the website is available without encryption, the attacker can intercept your packets and force an HTTP connection. If you don’t notice that your connection is unencrypted, you may expose secrets to the attacker. This technique is called SSL stripping.
If Nancy wants to use SSL stripping to get your secrets:
Today, many websites use HTTP Strict Transport Security (HSTS) which means that the server refuses to provide content using an insecure connection. Such websites cannot be attacked using this method.
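What makes HSTS resist stripping is client-side state: once a browser has received the Strict-Transport-Security header over TLS, it rewrites later http:// requests to that host to https:// itself, before anything leaves the machine. The code below is an added example, not the article's or any browser's implementation: a minimal HSTS policy parser and cache that upgrades URLs the way a browser would, including the rules that the header is ignored when received over plain HTTP, that `max-age=0` clears the entry, and that `includeSubDomains` covers subdomains. The hostnames and the injectable clock are constructed for testing.

```python
"""Minimal HSTS policy cache and URL upgrade logic (added example)."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value: str):
    """Parse a Strict-Transport-Security value. Returns a dict or None if invalid."""
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None          # malformed max-age: whole header is ignored
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives are permitted and ignored
    if max_age is None:
        return None                  # max-age is mandatory
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsCache:
    """Remembers which hosts must only be contacted over HTTPS."""

    def __init__(self, now=time.time):
        self.now = now               # injectable clock for tests
        self.entries = {}            # host -> (expiry timestamp, include_subdomains)

    def observe(self, host: str, header_value: str, over_tls: bool) -> bool:
        """Record a policy seen in a response. Returns True if it was applied."""
        if not over_tls:
            return False             # HSTS received over plain HTTP is ignored
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            self.entries.pop(host, None)   # site is withdrawing its policy
            return True
        self.entries[host] = (self.now() + policy["max_age"], policy["include_subdomains"])
        return True

    def must_use_https(self, host: str) -> bool:
        host = host.lower()
        now = self.now()
        for known, (expires, subdomains) in self.entries.items():
            if expires <= now:
                continue
            if host == known or (subdomains and host.endswith("." + known)):
                return True
        return False


def upgrade_if_required(cache: HstsCache, url: str) -> str:
    """Rewrite http:// to https:// when the cache says the host requires it."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname and cache.must_use_https(parts.hostname):
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("example.com", "max-age=31536000; includeSubDomains", over_tls=True)
    print(upgrade_if_required(cache, "http://www.example.com/login"))
```

The gap this design leaves is the very first visit, before any policy has been cached; that is what the browser preload list exists to close, and why a short `max-age` weakens the protection even on sites that send the header.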
There are more methods used to compromise secure connections, including:
There are many types of man-in-the-middle attacks and some of them are very difficult to detect. The key to preventing them is to have as little trust as possible.
It is more difficult to prevent interception. If the attacker is able to access your network directly, if they compromise the destination server, or if they control network equipment that is used for your connection, there is not much that you can do. What you can do in such cases is choose a different communication route or make sure that encryption is unbreakable.
Here are some basic tips that may help you:
Some sources may say that SSL/TLS is enough to protect against MITM attacks. This is not true for the following reasons:
Man-in-the-middle attacks are often facilitated by websites, even if your client and connection are safe. If you own a website, make sure that you regularly scan it for vulnerabilities, for example, using the Acunetix web vulnerability scanner. If you don't, some vulnerabilities such as SQL Injection or code injection may let someone install malicious software on your web server. In addition, the Acunetix scanner also checks for SSL/TLS vulnerabilities that might let the attacker eavesdrop on connections to your web server, for example, CRIME, BREACH, and POODLE.