MitM network attack. Detection of man-in-the-middle attacks (MitM attacks)

A man-in-the-middle attack is one in which an attacker, having connected to a channel between counterparties, interferes with the transmission protocol, deleting or distorting information.

Attack principle

The attack usually begins with eavesdropping on the communication channel and ends with the cryptanalyst trying to replace the intercepted message, extract useful information from it, or redirect it to some external resource.

Suppose object A plans to transmit some information to object B. Object C has knowledge about the structure and properties of the data transmission method used, as well as the fact of the planned transmission of the actual information that C plans to intercept. To carry out an attack, C “appears” to object A as B, and to object B as A. Object A, mistakenly believing that it is sending information to B, sends it to object C. Object C, having received the information and performed some actions with it (for example, copying or modifying it for its own purposes), forwards the data to the recipient itself, B; object B, in turn, believes that the information was received directly from A.

Example attack

Injection of malicious code

A man-in-the-middle attack allows a cryptanalyst to insert his code into emails, SQL statements and web pages (i.e. it allows SQL injection, HTML/script injection or XSS attacks), and even to modify user-uploaded binaries in order to gain access to the user's account or change the behavior of a program downloaded by the user from the Internet.

Downgrade Attack

The term “Downgrade Attack” refers to an attack in which a cryptanalyst forces the user to use less secure functions or protocols that are still supported for compatibility reasons. This type of attack can be carried out on the SSH, IPsec and PPTP protocols.

To protect against a Downgrade Attack, insecure protocols must be disabled on at least one side; simply supporting and using secure protocols by default is not enough!

SSH V1 instead of SSH V2

An attacker may try to change the connection parameters between the server and the client while the connection between them is being established. According to a talk given at the Blackhat Conference Europe 2003, a cryptanalyst can "force" a client to start an SSH1 session instead of SSH2 by changing the version number "1.99" for the SSH session to "1.51", which means using SSH V1. The SSH-1 protocol has vulnerabilities that can be exploited by a cryptanalyst.
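A defender-side check for the version rollback described above, as an added example that is not part of the original page: it parses the SSH identification string (`SSH-protoversion-softwareversion`, RFC 4253) and compares the banner a client saw with one recorded earlier for the same server. The function names, the baseline idea and the sample banners are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# RFC 4253, section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: .*)?$")


@dataclass(frozen=True)
class Banner:
    major: int
    minor: int
    software: str

    @property
    def proto(self):
        return f"{self.major}.{self.minor}"


def parse_banner(line):
    """Parse one identification line; raise ValueError if it is malformed."""
    match = _BANNER_RE.match(line.rstrip("\r\n"))
    if not match:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return Banner(int(match.group(1)), int(match.group(2)), match.group(3))


def classify(banner):
    """'v2-only', 'v1-compat' (1.99 = server offers both) or 'v1-only'."""
    if banner.major >= 2:
        return "v2-only"
    if banner.proto == "1.99":
        return "v1-compat"
    return "v1-only"


def check_server_banner(observed_line, baseline_line=None):
    """Return findings for a banner seen on the wire.

    baseline_line is the banner recorded earlier over a path the defender
    trusts (hypothetical inventory data in this example).
    """
    findings = []
    seen = parse_banner(observed_line)
    kind = classify(seen)
    if kind == "v1-only":
        findings.append("SSH-1 only: a client restricted to SSH-2 must abort")
    elif kind == "v1-compat":
        findings.append("server still offers SSH-1: disable it on the server")
    if baseline_line is not None:
        base = parse_banner(baseline_line)
        if kind == "v1-only" and classify(base) != "v1-only":
            findings.append(
                f"version rolled back from {base.proto} to {seen.proto}: "
                "banner was altered in transit or the server changed"
            )
        if base.software != seen.software:
            findings.append("software version differs from baseline")
    return findings


# Constructed sample banners, not captured traffic.
BASELINE = "SSH-1.99-OpenSSH_3.5p1"
ON_THE_WIRE = "SSH-1.51-OpenSSH_3.5p1\r\n"

if __name__ == "__main__":
    for finding in check_server_banner(ON_THE_WIRE, BASELINE):
        print(finding)
```

A client or server that accepts only protocol version 2.0 makes the rewritten banner a failed connection instead of a silent fallback.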

IPsec

In this attack scenario, the cryptanalyst misleads his victim into thinking that the IPsec session cannot begin at the other end (the server). This results in messages being sent in the clear if the host machine is running in rollback mode.

PPTP

At the stage of negotiating PPTP session parameters, the attacker can force the victim to use less secure PAP authentication, MSCHAP V1 (that is, “roll back” from MSCHAP V2 to version 1), or not use encryption at all.

The attacker can force his victim to repeat the stage of negotiating the parameters of the PPTP session (send a Terminate-Ack packet), steal the password from the existing tunnel and repeat the attack.

Public communications without protecting the accuracy, confidentiality, availability and integrity of information

The most common means of communication in this group are social networks, public email services and instant messaging systems. The owner of the resource providing the communications service has full control over the information exchanged between correspondents and, at his own discretion, can freely carry out an attack at any time.

Unlike previous scenarios based on technical and technological aspects of communications, in this case the attack is based on mental aspects, namely on ingraining in the minds of users the concept of ignoring information security requirements.

Will encryption help?

Let's consider the case of a standard HTTP transaction. In this case, an attacker can quite easily split the original TCP connection into two new ones: one between himself and the client, the other between himself and the server. This is quite easy to do, since very rarely the connection between client and server is direct, and in most cases they are connected through a number of intermediate servers. A MITM attack can be carried out on any of these servers.

However, a man-in-the-middle attack can also be carried out if the client and server communicate using HTTPS, a protocol that supports encryption. This type of connection uses TLS or SSL to encrypt requests, which would seem to protect the channel from sniffing and MITM attacks. An attacker can create two independent SSL sessions for each TCP connection: the client establishes an SSL connection with the attacker, who, in turn, creates a connection with the server. In such cases, the browser usually warns that the certificate is not signed by a trusted certification authority, but ordinary users of outdated browsers can easily bypass this warning. In addition, the attacker may have a certificate signed by the root certification authority (for example, such certificates are sometimes used for DLP), which does not generate warnings. Additionally, there are a number of attacks against HTTPS. Thus, the HTTPS protocol cannot be considered protected from MITM attacks for ordinary users. There are a number of measures that prevent some MITM attacks on HTTPS sites, in particular HSTS, which prohibits sites from being accessed over a plain HTTP connection, and certificate pinning and HTTP Public Key Pinning, which prohibit certificate substitution.

MITM attack detection

To detect a man-in-the-middle attack, you need to analyze network traffic. For example, to detect an SSL attack, you should pay attention to the following parameters:

  • Server IP address
  • DNS server
  • X.509 - server certificate
    • Is the certificate self-signed?
    • Is the certificate signed by a certification authority?
    • Has the certificate been revoked?
    • Has the certificate changed recently?
    • Have other clients on the Internet received the same certificate?
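The certificate checklist above, as an added example that is not part of the original page: a small monitor that pins the first certificate seen per host and reports which checklist items fail for later observations. The `Observation` fields are assumed to have been extracted by a TLS library already, the revocation set and peer fingerprints are hypothetical inputs, and the byte strings are constructed stand-ins for DER certificates.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One certificate as seen in a handshake (fields pre-extracted by the caller)."""
    host: str
    der: bytes       # raw certificate bytes
    subject: str
    issuer: str
    serial: str

    @property
    def fingerprint(self):
        return hashlib.sha256(self.der).hexdigest()


class CertMonitor:
    def __init__(self, trusted_issuers, revoked):
        self.trusted_issuers = set(trusted_issuers)
        self.revoked = set(revoked)   # (issuer, serial) pairs, e.g. from CRLs
        self.pins = {}                # host -> fingerprint first seen

    def check(self, obs, peer_fingerprints=()):
        """Return the checklist items that fail for this observation.

        peer_fingerprints: fingerprints other vantage points report for the
        same host (hypothetical notary data in this example).
        """
        findings = []
        if obs.subject == obs.issuer:
            findings.append("self-signed")
        elif obs.issuer not in self.trusted_issuers:
            findings.append("untrusted-issuer")
        if (obs.issuer, obs.serial) in self.revoked:
            findings.append("revoked")
        pinned = self.pins.setdefault(obs.host, obs.fingerprint)
        if pinned != obs.fingerprint:
            # Keep the old pin: a substituted certificate must not replace it.
            findings.append("changed")
        if peer_fingerprints and obs.fingerprint not in peer_fingerprints:
            findings.append("differs-from-peers")
        return findings

    def repin(self, obs):
        """Accept a verified renewal as the new pin."""
        self.pins[obs.host] = obs.fingerprint


def demo():
    # Constructed sample data: byte strings stand in for DER certificates.
    root = "CN=Example Root CA"
    corp = "CN=Corp Inspection CA"   # locally installed root, as with DLP
    monitor = CertMonitor({root, corp}, {(root, "0BAD")})
    genuine = Observation("shop.example", b"der-genuine", "CN=shop.example", root, "01")
    forged = Observation("shop.example", b"der-forged", "CN=shop.example",
                         "CN=shop.example", "02")
    inspected = Observation("shop.example", b"der-inspected", "CN=shop.example", corp, "03")
    revoked = Observation("old.example", b"der-old", "CN=old.example", root, "0BAD")
    peers = [genuine.fingerprint]
    return [
        monitor.check(genuine, peers),     # first contact, matches peers
        monitor.check(forged, peers),      # self-signed substitute
        monitor.check(inspected, peers),   # chains to a trusted root, still flagged
        monitor.check(revoked),            # serial appears in revocation data
        monitor.check(genuine, peers),     # the pin was never overwritten
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third observation shows why the last two checklist items matter: a certificate issued under a trusted root raises no browser warning, yet it still differs from the pinned fingerprint and from what other clients received.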

MITM attack implementations

The listed programs can be used to carry out man-in-the-middle attacks, as well as to detect them and test the system for vulnerabilities.

See also

  • Aspidistra - a British radio transmitter used during the Second World War for "invasion", a variant of the MITM attack.
  • The Babington Conspiracy - a conspiracy against Elizabeth I, during which Walsingham intercepted correspondence.

Other attacks

  • “Man-in-the-Browser” is a type of attack in which the attacker is able to instantly change transaction parameters and change pages completely transparently to the victim.
  • Meet-in-the-middle attack is a cryptographic attack that, like the birthday attack, exploits the trade-off between time and memory.
  • “Miss in the middle attack” - an effective method of so-called impossible differential cryptanalysis.
  • Relay attack is a variant of a MITM attack based on forwarding an intercepted message to a valid recipient, but not to the one for whom the message was intended.

There are almost always several ways to achieve the desired result. This also applies to the information security field. Sometimes, to achieve a goal, you can use brute force, look for holes and develop exploits yourself, or listen to what is transmitted over the network. Moreover, the last option is often optimal. That is why today we will talk about tools that will help us catch valuable information from network traffic, using MITM attacks for this.

MITMf

Let's start with one of the most interesting candidates. This is a whole framework for conducting man-in-the-middle attacks, built on the basis of sergio-proxy. Recently included in Kali Linux. To install it yourself, just clone the repository and run a couple of commands:

# ./setup.sh
# pip install -r requirements.txt

It has an architecture that is extensible through plugins. Among the main ones are the following:

  • Spoof - allows you to redirect traffic using ARP/DHCP spoofing, ICMP redirects and modify DNS requests;
  • Sniffer - this plugin tracks login attempts for various protocols;
  • BeEFAutorun - allows you to automatically launch BeEF modules based on the type of OS and client browser;
  • AppCachePoison - carries out a cache poisoning attack;
  • SessionHijacking - hijacks sessions and stores the resulting cookies in the Firefox profile;
  • BrowserProfiler - tries to get a list of plugins used by the browser;
  • FilePwn - allows you to replace files sent over HTTP using Backdoor Factory and BDFProxy;
  • Inject - injects arbitrary content into an HTML page;
  • jskeylogger - embeds a JavaScript keylogger into client pages.

If this functionality seems insufficient to you, then you can always add your own by implementing the appropriate extension.

PuttyRider

Another utility worthy of attention. True, unlike all the other tools considered today, it is very narrowly specialized. As the author of the project himself says, he was inspired to create such a utility by the fact that during penetration tests the most important data was located on Linux/UNIX servers, to which administrators connected via SSH/Telnet/rlogin. Moreover, in most cases it was much easier to gain access to the administrators’ machine than to the target server. Having penetrated the system administrator’s machine, all that remains is to make sure that PuTTY is running and, using this tool, build a back bridge to the attacker.

The utility allows you not only to capture the “communication” between the admin and the remote server (including passwords), but also to execute arbitrary shell commands within a given session. Moreover, all this happens absolutely transparently for the user (administrator). If you are interested in technical details, for example, how it is injected into the PuTTY process, I recommend that you read the author’s presentation.


Quite an old utility, born more than eight years ago. It is intended for cloning sessions by stealing cookies. For session hijacking, it has basic host detection skills (when connected to an open wireless network or hub) and can conduct ARP poisoning. The only problem is that today, unlike eight years ago, almost all large companies such as Yahoo or Facebook use SSL encryption, which makes this tool completely useless. Despite this, there are still enough resources on the Internet that do not use SSL, so it is too early to write off the utility. Its advantages include the fact that it automatically integrates into Firefox and creates a separate profile for each intercepted session. The source code is available in the repository, and you can build it yourself using the following sequence of commands:

# apt-get install build-essential libwxgtk2.8-dev libgtk2.0-dev libpcap-dev
# g++ $(wx-config --cppflags --libs) -lpcap -o sessionthief *.cpp
# setcap cap_net_raw,cap_net_admin=eip sessionthief

ProxyFuzz

ProxyFuzz has nothing to do directly with conducting MITM attacks. As you can guess from the name, the tool is designed for fuzzing. This is a small non-deterministic network fuzzer, implemented in Python, that randomly changes the contents of network traffic packets. It supports the TCP and UDP protocols. You can configure it to fuzz only one side. It is useful when you need to quickly check some network application (or protocol) and develop a PoC. Usage example:

python proxyfuzz -l -r -p

The list of options includes:

  • w - specifies the number of requests sent before fuzzing begins;
  • c - fuzz only the client (otherwise both sides);
  • s - fuzz only the server (otherwise both sides);
  • u - UDP protocol (otherwise TCP is used).

The Middler

A utility for conducting MITM attacks on various protocols presented at the DEF CON conference. The alpha version supported the HTTP protocol and had three cool plugins in its arsenal:

  • plugin-beef.py - injects the Browser Exploitation Framework (BeEF) into any HTTP request coming from the local network;
  • plugin-metasploit.py - embeds an IFRAME into unencrypted (HTTP) requests, which loads browser exploits from Metasploit;
  • plugin-keylogger.py - embeds a JavaScript onKeyPress event handler for all text fields that will be submitted over HTTPS, causing the browser to send the user-entered password character-by-character to the attacker's server before the entire form is submitted.

The Middler not only automatically analyzes network traffic and finds cookies in it, but also independently requests them from the client, that is, the process is automated to the maximum. The program guarantees the collection of all unprotected accounts on a computer network (or public hotspot) to whose traffic it has access. For the program to work correctly, the following packages must be installed on the system: Scapy, libpcap, readline, libdnet, python-netfilter. Unfortunately, the repository has not been updated for a long time, so you will have to add new functionality yourself.

A console utility that allows you to interactively examine and modify HTTP traffic. Thanks to these capabilities, the utility is used not only by pentesters/hackers, but also by ordinary developers who use it, for example, to debug web applications. With its help, you can get detailed information about what requests the application makes and what responses it receives. mitmproxy can also help in studying how some REST APIs work, especially those that are poorly documented.

Installation is extremely simple:

$ sudo aptitude install mitmproxy

$ pip install mitmproxy

$ easy_install mitmproxy

It is worth noting that mitmproxy also allows you to intercept HTTPS traffic by issuing a self-signed certificate to the client. A good example of how to configure interception and modification of traffic is available.


Intercepter-NG

It would be strange if this legendary instrument were not included in our review. Even if you’ve never used it, you’ve probably heard about it (and simply have to get to know it better) - it appears quite often on the pages of the magazine. I will not fully describe its functionality - firstly, we are interested in MITM, and secondly, such a description will take up the entire article.

Man in the middle attack (MitM attack) is a term in cryptography that refers to a situation where an attacker is able to read and modify at will the messages exchanged between correspondents, and none of the latter can guess his presence in the channel.

A method of compromising a communication channel, in which an attacker, having connected to a channel between counterparties, actively interferes with the transmission protocol, deleting, distorting information or imposing false information.

Attack principle:

Suppose object "A" plans to transmit some information to object "B". Object "C" has knowledge about the structure and properties of the data transmission method used, as well as the fact of the planned transmission of the actual information that "C" plans to intercept.

To make an attack, "C" appears to object "A" as "B" and to object "B" as "A". Object "A", mistakenly believing that it is sending information to "B", sends it to object "C".

Object "C", having received information and having performed some actions with it (for example, copying or modifying it for its own purposes), sends the data to the recipient itself - "B"; object "B", in turn, believes that the information was received directly from "A".

Example of a MitM attack:

Let's say Alice is having financial problems and, using an instant messaging program, decides to ask John for a sum of money by sending the message:
Alice: John, hi!
Alice: Please send me the encryption key, I have a small request!
John: Hello! Wait a second!

But at this time Mr. X, who was analyzing the traffic using a sniffer, noticed this message, and the words “encryption key” aroused his curiosity. That's why he decided to intercept the following messages and replace them with the data he needed, and when he received the following message:
John: Here is my key: 1111_D

He changed John's key to his own, and sent a message to Alice:
John: Here is my key: 6666_M

Alice, unaware of the substitution and thinking it is John's key, uses the private key 6666_M to send encrypted messages to John:
Alice: John, I have problems and I urgently need money, please transfer $300 to my account: Z12345. Thank you. p.s. My key: 2222_A

Having received the message, Mr. X decrypts it using his key, reads it, and, rejoicing, changes Alice’s account number and encryption key to his own, encrypts the message with the key 1111_D, and sends John a message:
Alice: John, I have problems and I urgently need money, please transfer $300 to my account: Z67890. Thank you. p.s. My key: 6666_A

After receiving the message, John decrypts it using the key 1111_D and, without even hesitating, transfers the money to the account Z67890...

And thus, Mr. X, using the man-in-the-middle attack, earned $300, but Alice will now have to explain that she did not receive the money... And John? John must prove to Alice that he sent them...

Implementation:

This type of attack is used in some software products for network eavesdropping, for example:
NetStumbler - a program with which you can collect a lot of useful data about a wireless network and solve some problems associated with its operation. NetStumbler allows you to determine the range of your network and helps you accurately point your antenna for long-distance communications. For each access point found, you can find out the MAC address, signal-to-noise ratio, name of the service and the degree of its security. If the traffic is not encrypted, then the program's ability to detect unauthorized connections will be useful.

dsniff - a set of programs for network auditing and penetration testing, providing passive network monitoring to search for data of interest (passwords, email addresses, files, etc.), interception of network traffic that would normally be inaccessible for analysis (for example, in a switched network), as well as the ability to organize MITM attacks to intercept SSH and HTTPS sessions by exploiting PKI flaws.

Cain & Abel - a free program that allows you to recover lost passwords for operating systems of the Windows family. Several recovery modes are supported: brute force hacking, dictionary selection, viewing passwords hidden by asterisks, etc. There are also options for identifying the password by intercepting information packets and their subsequent analysis, recording network conversations, cache analysis, and others.

Ettercap - a sniffer, packet interceptor and recorder for local Ethernet networks, which supports active and passive analysis of multiple protocols; it is also possible to “throw” your own data into an existing connection and filter “on the fly” without disrupting connection synchronization. The program allows you to intercept SSH1, HTTPS and other secure protocols and provides the ability to decrypt passwords for the following protocols: TELNET, ftp, POP, RLOGIN, SSH1, icq, SMB, Mysql, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG.

KARMA - a set of utilities for assessing the security of wireless clients. It is a wireless sniffer that, by passively listening to 802.11 Probe Request frames, allows you to detect clients and their preferred/trusted networks. A fake access point can then be created for one of the requested networks, to which the client can be automatically connected. High-level fake services can be used to steal personal data or exploit client vulnerabilities on the host.

AirJack - a set of programs that, according to experts in the field of WiFi hacking, is the best tool for generating various 802.11 frames. AirJack includes a number of utilities designed to detect a hidden ESSID, send session termination frames with a fake MAC, conduct MitM attacks and modify it.

Counteraction:

To avoid attacks of this type, subscribers “A” and “B” only need to transfer digital signatures of public encryption keys to each other using a reliable channel. Then, when comparing key signatures in encryption sessions, it will be possible to determine which key was used to encrypt the data, and whether the keys have been replaced.
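The Alice, John and Mr. X exchange and the countermeasure above, as an added example that is not part of the original page: both sides compare a fingerprint of the key they received in-band with one obtained over a reliable channel. The toy Diffie-Hellman group, the use of SHA-256 fingerprints as the value carried over the reliable channel, and all names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group: large enough to run, far too small for real use.
P = 2**127 - 1
G = 3


def fingerprint(pub):
    """Short digest of a public key, suitable for reading out or comparing."""
    digest = hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))


class Party:
    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self.priv, P)
        self.peer_pub = None

    def receive_key(self, pub):
        """Store whatever public key arrived over the untrusted channel."""
        self.peer_pub = pub

    def session_key(self):
        shared = pow(self.peer_pub, self.priv, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()

    def peer_key_matches(self, trusted_fingerprint):
        """Compare the in-band key with a fingerprint from a reliable channel."""
        return secrets.compare_digest(fingerprint(self.peer_pub), trusted_fingerprint)


def exchange(alice, john, in_path=None):
    """Deliver public keys; if in_path is set, both sides receive its key instead."""
    alice.receive_key(in_path.pub if in_path else john.pub)
    john.receive_key(in_path.pub if in_path else alice.pub)


def run(substitute):
    """Run one exchange and report what each side's verification shows."""
    alice, john, mr_x = Party("Alice"), Party("John"), Party("Mr. X")
    exchange(alice, john, mr_x if substitute else None)
    return {
        # Without substitution both ends derive the same key.
        "same_session_key": alice.session_key() == john.session_key(),
        # Fingerprints below are read from the real owner over the reliable channel.
        "alice_check": alice.peer_key_matches(fingerprint(john.pub)),
        "john_check": john.peer_key_matches(fingerprint(alice.pub)),
    }


if __name__ == "__main__":
    print("direct exchange:  ", run(substitute=False))
    print("key substituted:  ", run(substitute=True))
```

When the key is substituted, encryption still works on both legs, so only the fingerprint comparison reveals that Alice and John do not share a key with each other.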

MTProto uses an original method to achieve reliability over currently vulnerable mobile connections and speed in delivering large files (for example, photos, videos and documents up to 1 GB in size). This document is intended to clarify the details of our system and address elements that may be difficult to understand at first glance.

Detailed protocol documentation is available on this page. If you have any questions, write to Twitter.

Note: Each message encrypted through MTProto always contains the following data, which will be checked during decryption in order to make the system secure against known problems:

  • session identifier - session id;
  • message length - message length;

Note 2: See additional comments regarding usage, and modified scheme .

Why don't you use X [your option]

While other ways to achieve the same cryptographic goals undoubtedly exist, we believe that the current solution is both reliable and succeeds in our secondary goal of outperforming insecure messengers in terms of delivery speed and stability.

Why do you rely on classical cryptoalgorithms?

We prefer to use well-known algorithms created in the days when bandwidth and computing power were rarely found together. It is these algorithms that have a significant impact on today's application development for mobile devices, forcing their authors to get rid of known shortcomings. The weaknesses of such algorithms are also well known and have been exploited by attackers for decades. We use these algorithms in this implementation because, as we believe, they cause any known attack to fail. However, we would be happy to see any evidence to the contrary (no such cases have occurred so far) in order to improve our system.

I am a security expert and I believe that your protocol is insecure.

You can take part in our competition: Pavel Durov is offering $200,000 in Bitcoin to the first person to hack MTProto. You can read the announcement and the Competition FAQ. If you have any other comments, we'd be happy to hear them at [email protected].

Protection against known attacks

Known-Plaintext Attacks

By definition, a known-plaintext attack is a type of cryptanalytic attack in which the attacker has both the encrypted and plaintext versions of the text. The AES IGE used in MTProto is resistant to such attacks. In addition, the plaintext in MTProto always contains the server salt and session ID.

Adaptive Plaintext Attack

By definition, an adaptive plaintext attack is a type of attack in cryptanalysis that involves the cryptanalyst being able to select a plaintext and obtain a corresponding ciphertext. MTProto uses AES in IGE mode, which is secure against such attacks. IGE is known to be vulnerable to blockwise-adaptive attacks, but MTProto fixes this in the manner described below. Each plaintext message to be encrypted contains the following data, which is verified during decryption:

  • server salt (64-Bit);
  • message sequence number;
  • time the message was sent - time.

In addition, to replace the plaintext, you also have to use the correct AES key and initialization vector, which depend on auth_key . This makes MTProto resistant to adaptive plaintext attacks.

Chosen-Ciphertext Attacks

According to the definition, a chosen-ciphertext attack is a cryptographic attack in which a cryptanalyst collects information about the cipher by selecting the ciphertext and obtaining its decryption with an unknown key. In such an attack, an attacker can enter one or more known ciphertexts into the system and obtain the plaintexts. Using this data, an attacker can try to recover the key used for decryption. In MTProto, each time a message is decrypted, a check is made to ensure that the msg_key matches the SHA-1 of the decrypted data. The plaintext (decrypted data) also always contains information about the length of the message, its sequence number and the server salt. This negates attacks based on chosen ciphertext.

Replay attacks

Replay attacks are not possible because each plaintext message contains a server salt, a unique message identifier, and a sequence number.
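The receive-side checks described in the sections above (msg_key against SHA-1, server salt, session identifier, message length, unique message identifier), as an added example that is not Telegram's code and not part of the original page. The field layout, the msg_key derivation as the low 128 bits of SHA-1 over the unpadded plaintext, and all values are assumptions for illustration; AES-IGE decryption is left out, so the functions work on already-decrypted bytes.

```python
import hashlib
import hmac
import struct

# Assumed plaintext layout: salt, session id, message id, sequence number,
# data length, then the data and 0-15 bytes of padding.
HEADER = struct.Struct("<QQQII")


def pack_plaintext(salt, session_id, msg_id, seq_no, data):
    return HEADER.pack(salt, session_id, msg_id, seq_no, len(data)) + data


def msg_key(plaintext):
    """Assumed derivation: low 128 bits of SHA-1 over the unpadded plaintext."""
    return hashlib.sha1(plaintext).digest()[4:20]


class Rejected(ValueError):
    pass


class Receiver:
    def __init__(self, salt, session_id):
        self.salt = salt
        self.session_id = session_id
        self.seen_msg_ids = set()

    def accept(self, key, decrypted):
        """Validate an already-decrypted message; return its data or raise Rejected."""
        if len(decrypted) < HEADER.size:
            raise Rejected("truncated")
        salt, session_id, msg_id, _seq_no, length = HEADER.unpack_from(decrypted)
        end = HEADER.size + length
        if end > len(decrypted) or len(decrypted) - end > 15:
            raise Rejected("bad length")
        if not hmac.compare_digest(msg_key(decrypted[:end]), key):
            raise Rejected("msg_key mismatch")
        if salt != self.salt:
            raise Rejected("wrong salt")
        if session_id != self.session_id:
            raise Rejected("wrong session")
        if msg_id in self.seen_msg_ids:
            raise Rejected("replayed")
        self.seen_msg_ids.add(msg_id)
        return decrypted[HEADER.size:end]


def verdict(receiver, key, decrypted):
    """Return 'ok' or the reason the message was rejected."""
    try:
        receiver.accept(key, decrypted)
        return "ok"
    except Rejected as exc:
        return str(exc)


def demo():
    # Constructed values; nothing here is captured traffic.
    rx = Receiver(salt=0x1122334455667788, session_id=42)
    plain = pack_plaintext(rx.salt, 42, 1001, 1, b"transfer $300")
    padded = plain + bytes(-len(plain) % 16)
    key = msg_key(plain)
    tampered = bytearray(padded)
    tampered[HEADER.size] ^= 0x01          # one bit of the data changed
    other = pack_plaintext(rx.salt, 43, 1002, 1, b"hi")
    return [
        verdict(rx, key, padded),            # first delivery
        verdict(rx, key, padded),            # same message delivered again
        verdict(rx, key, bytes(tampered)),   # modified plaintext
        verdict(rx, msg_key(other), other),  # valid key, foreign session
    ]


if __name__ == "__main__":
    print(demo())
```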

Man in the Middle (MitM) attack

Telegram has two communication modes: regular chats, which use client-server encryption, and secret chats, which use end-to-end encryption and are protected from man-in-the-middle attacks. Data transfer between client and server is protected from such attacks during key generation using the Diffie-Hellman protocol thanks to the RSA public-key algorithm, which is built into Telegram clients. After this, if the interlocutors' clients trust the server software, secret chats between them are protected by the server from man-in-the-middle attacks. For those who do not trust the server, a comparison of secret codes is available in the application. Keys are visualized as images. By comparing visualized keys, users can verify that a man-in-the-middle attack has not occurred.

Encryption

Are you using IGE? It's hacked!

Yes, we use IGE, but in our implementation everything is fine with it. The fact that we do not use IGE as a MAC, together with other elements of our system, makes attempts to hack IGE pointless. IGE, just like the common cipher block chaining (CBC) mode, is susceptible to blockwise-adaptive attacks. But adaptive attacks are only a threat when the same key is used in multiple messages (this is not the case).

Adaptive attacks are even theoretically impossible in MTProto, because a message must be fully formed before it can be encrypted, since the message key depends on its content. As for non-adaptive CPA attacks, IGE is protected from them, just like CBC.

A three-step process for starting a TCP session. The client sends a packet with the SYN flag to the server. Having received a packet with the SYN flag from the client, the server responds with a packet with the SYN+ACK flags and enters the ESTABLISHED state. Having received a correct response from the server, the client sends a packet with the ACK flag and enters the ESTABLISHED state

Ban list

A list of clients who do not have rights to certain actions. A ban list is usually used to limit the capabilities of bots when a DDoS attack is detected. In the realities of game servers, this list also includes players with a bad reputation who use cheat codes or commit illegal actions.

Bot

A computer used to conduct a DDoS attack with "real" traffic. In most cases this is the computer of a regular user, infected with a virus. Often the user cannot notice that his computer is infected and is being used for illegal purposes.

Web server

A computer on a network that accepts HTTP requests from clients, usually web browsers, and provides them with HTTP responses. Typically, along with an HTTP response, the web server responds with an HTML page, image, media stream, or other data

Web service

Web services are services provided on the Internet. When using this term, we can talk about search, web mail, storing documents, files, bookmarks, etc. Typically, web services can be used regardless of the computer, browser or location where you access the Internet.

Domain

The concept of "Domain" can be used in various contexts when talking about network technologies. Most often, "domain" means the domain name of a site. Domains are divided into different levels, for example, in the domain example.com, com is the first level domain and example is the second level domain. To make communication easier, people also use the term "Subdomain", which means a domain that is more than two levels deep. For example, in the domain mail.example.com, mail is a subdomain.

Search robot

A search engine service for discovering new pages on the Internet and changes to existing ones. The principle of operation is similar to a browser. It analyzes the content of the page, stores it in some special form on the server of the search engine to which it belongs, and sends links to subsequent pages.

Bandwidth

The maximum possible amount of data transmitted per unit of time. Often, Internet providers, promising higher speeds of Internet access, do not fulfill their promises. In most cases, this is due to the bandwidth being completely occupied.