Man-in-the-middle (MITM) attacks perform electronic eavesdropping by placing a system between two other parties. This third system captures the data sent between the two computers. For example, if one computer is exchanging data with a server, an MITM attack can capture all the data between the two systems. The attack is transparent to the two systems.
An active MITM attack can be quite sophisticated. Here is an example. A user is connecting to a web server over the Internet, and the user’s web browser indicates that a Transport Layer Security (TLS) session is established with HTTPS. However, instead of having a secure TLS session with the web server, the user has a secure TLS session with the MITM system.
Two TLS Sessions
The MITM system establishes two TLS sessions. One session is secure between the user and the MITM system, and the other session is secure between the MITM system and the web server. The MITM system is able to decrypt all of the data, allowing attackers to read it.
It’s difficult to set up such an attack without control of either the user’s internal network or the web server’s internal network. Some organizations have set up an MITM system internally to track activity of users within the organization. For example, if the MITM system is established internally, it allows personnel to track all of the internal users’ online activity. Before doing this, an organization would typically let employees know via an acceptable use policy that their online activity is tracked and that certain activity is prohibited.
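As an added example (not code from the original post), the Go program below shows why the two-session setup above depends on control of the user's environment: it builds a genuine certificate chain and an interposed chain for the same constructed hostname, then runs the client-side certificate check against a trust store before and after the interception CA is installed, as an organization running an internal MITM system would do. The hostname, CA names and keys are all constructed inside the program.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for cn with parent's key; a nil parent yields a self-signed root CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, priv
	} else {
		tmpl.DNSNames = []string{cn} // clients match the host against the SAN, not the CN
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// ServerCertTrusted is the client-side check: does the leaf presented for host chain to a trusted root?
func ServerCertTrusted(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}
// Scenario returns (genuine cert trusted, interposed cert trusted, interposed cert trusted after the interception CA is installed).
func Scenario() (bool, bool, bool) {
	const host = "www.example.com" // constructed hostname
	realCA, realKey := issue("Public CA (constructed)", nil, nil)
	realLeaf, _ := issue(host, realCA, realKey)
	mitmCA, mitmKey := issue("Interception CA (constructed)", nil, nil)
	mitmLeaf, _ := issue(host, mitmCA, mitmKey) // what the MITM system presents to the user
	roots := x509.NewCertPool()
	roots.AddCert(realCA)
	genuine, interposed := ServerCertTrusted(realLeaf, host, roots), ServerCertTrusted(mitmLeaf, host, roots)
	roots.AddCert(mitmCA) // e.g. an organization pushing its own CA to managed clients
	return genuine, interposed, ServerCertTrusted(mitmLeaf, host, roots)
}
```

Without the interception CA in the trust store the browser would raise a certificate warning, which is the signal a defender should never train users to click through.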
If the web server is hosted at a disreputable hosting company, the hosting company may be able to implement an MITM system there. It can then capture user data such as credit card data and then run up charges on these credit cards.
Passive or Aggressive
MITM attacks can be active or passive. In an active MITM attack, the attacker tries to capture data from specific systems. In a passive attack, the attacker attempts to capture data from any system.
A packet sniffer such as Wireshark can be used in an MITM attack. The attacker captures packets and then analyzes the data to learn information. If systems transmit data in cleartext, the attacker can capture and read it.
Published on Thu 02 January 2014 by Ralph Holdsworth in Security with tag(s): attacks