welcome to netwrkspider

Monday, September 14, 2009

Man In The Middle Attack

One of the most successful vectors for gaining control of customer information and resources is through man-in-the-middle attacks. In this class of attack, the attacker situates himself between the customer and the real web-based application, and proxies all communications between the systems. From this vantage point, the attacker can observe and record all transactions. This form of attack is successful for both HTTP and HTTPS communications. For man-in-the-middle attacks to be successful, the attacker must be able to direct the customer to their proxy server instead of the real server. Lets look at what kind of MITM attacks can be used and under what scenario.

Here is a list of Different type of MITM attacks

LOCAL AREA NETWORK: -

* ARP poisoning -
* DNS spoofing
* STP mangling
* Port stealing

FROM LOCAL TO REMOTE (through a gateway):

* ARP poisoning
* DNS spoofing
* DHCP spoofing
* ICMP redirection
* IRDP spoofing - route mangling

REMOTE:

* DNS poisoning
* Traffic tunneling
* Route mangling

However with respect to Identity Theft 'Transparent proxy attack' and 'DNS poisoning attack' are the most popular amongst Hacking community. Here is an articulate explanation of both these attacks:

* Transparent proxy attack

In order to execute this attack the hackers try to trick the victim through below mentioned Four easy steps. Step four explains analogy of MITM in case of Https. Learn more on what is https.

STEP1

URL rewriting: Prepend all URL's with the attacker's host so that requests are routed through it. http://home.netscape.com/ becomes http://www.attacker.org/http://www.server.com/

STEP2

Pages are then requested through www.attacker.org, which functions as a proxy to fetch the true page (in this case, http://www.server.com/ ), applying any of the attacker's desired transformations in the process.

STEP3




Man in the middle attack

STEP 4

After the above steps have been executed there is a secure connection between the victim and the attacker's host of which the victim is unaware as he is happy to notice that he has a secured connection hence his data is safe.

The attacker can then create a secure connection to the real host, decrypt the received data, apply transformations, re-encrypt for the victim, and send it on to him.` The Victim still remains uninformed however the Hacker has already achieved his goal.

* DNS Cache Poisoning

This is another popular MITM attack with hackers when it comes to "phishing".This attack is based on simple convention of Ip to host resolution .Here is how it works :

Every system has a host file in its systems directory in case of windows this file resides at the following location in case of windows :

C:\WINNT\system32\drivers\etc

Your computer also has a hidden system file called the Hosts file. This file can be used to hard code domain name translations and direct you to a different site. The file in you system looks like this :
Specimen of a normal Host file:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost

Normally if you try to visit www.citibank.com your computer sends the request to a DNS server to find out the IP address of that domain name. After the same has been resolved the request generated from your browser is forwarded to the Citibank Webserver.
Specimen of a normal Host file under DNS poisoning attack:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
XX.XX.XX.XX Citibank.com

However for a system under such attack Hosts file supercedes DNS records by adding an entry in the Hosts file with the domain name "citybank.com" and a different IP address to which your computer can be redirected. Rather than being sent to the true Citybank server your request will go to the address specified in the Hosts file.

In the above example XX.XX.XX.XX depicts the IP address of Hackers server which is hosting a fake login screen for the legitimate domain www.citibank.com.The victim thinks that he is passing his credentials to what he types as www.citibank.com in the browser bar. However the attacker has already achieved his goal! Once again the victim remains uninformed.

No comments: