Man-In-The-Middle Attacks

Do you know these people who just push themselves into conversations?
That’s a Man-In-The-Middle Attack.

Seen from a wider angle, Man-In-The-Middle Attacks, or MITM, are built around the idea that a conversation is being made between 2 people (or more), and a third, external and unauthorized party is trying to “get in” or “watch” the information being exchanged in the conversation.

These types of attacks have a number of main objectives:

  • Extracting the information being exchanged.
  • Editing or tampering with the information, according to the attacker’s needs.
  • Impersonating one side of the conversation.

The attacker “listens” to the conversation that takes place between two computers or entities in a computer network, impersonates each of them separately, relays the transmission between them and makes them believe that they are communicating directly over a private channel, while in fact the connection is completely controlled by the attacker.

A Man-In-The-Middle Attack targets the mutual authentication step of the communication protocol, so cryptographic protocols usually take precautionary measures by adding a verification process. For example, SSL enables one-sided or mutual authentication of the communicating parties, usually using an asymmetric cryptosystem with digital signatures and algorithms such as RSA, sometimes with the help of a dedicated entity called a trusted third party or a trusted certification authority such as Verisign.

Examples of Man-In-The-Middle Attacks

DHCP Spoofing:

On a network that supports automatic address assignment using a DHCP server, devices can join without any network settings and send a DHCP Discover message as a broadcast. The DHCP server recognizes the request and responds to the requesting computer with a message that contains the desired network settings.
The problem is that it is very easy to connect an unauthorized DHCP server to the network (also called a Rogue DHCP server).

In a DHCP spoofing attack the attacker causes the attacked computer to think that the attacker’s machine is a legitimate DHCP server.
In order for it not to “compete” with the original DHCP server, the original server must be disabled with a DHCP Starvation attack.

The attack is effective only if the attacker and the victim are in the same Broadcast Domain. By allocating IP addresses to clients on the network, the attacker manages to set itself as the Default Gateway and DNS server, and thus all outgoing network traffic passes through the attacker.

ARP Poisoning:

In a network environment containing switches, unicast traffic that is not addressed to us cannot be eavesdropped on.
ARP Poisoning allows the attacker to impersonate the Default Gateway, or any other destination with which the victim wants to communicate.

A successful attack causes the victim’s network traffic to be passed through the attacker, so the attacker can listen to and even change the information that passes between the two devices.
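As an added example, not code from the original post: a defender-side ARP monitor that flags the symptom of the poisoning described above, an IP address (here the default gateway) suddenly being announced from a second MAC address, or one MAC claiming several IPs. The gateway address, host names and the list of ARP replies are constructed sample data for a made-up network.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumed default gateway of the sample network

# Constructed sample input: (time, sender IP, sender MAC) taken from ARP
# replies, in the shape a sniffer or a periodic "arp -a" poll would yield.
ARP_REPLIES = [
    (1, "192.168.1.1",  "00:11:22:33:44:01"),  # real gateway
    (2, "192.168.1.10", "00:11:22:33:44:10"),  # victim host
    (3, "192.168.1.1",  "00:11:22:33:44:01"),  # gateway again, unchanged
    (4, "192.168.1.1",  "de:ad:be:ef:00:99"),  # gateway IP claimed by a new MAC
    (5, "192.168.1.10", "de:ad:be:ef:00:99"),  # same MAC also claims the victim
]


def detect_arp_poisoning(replies, gateway_ip=GATEWAY_IP):
    """Return alert strings for suspicious IP<->MAC changes, in arrival order.

    Two checks:
      * an IP that was bound to one MAC is announced from a different MAC
        (a gateway conflict is the classic poisoning symptom);
      * a single MAC claims more than one IP, which is what happens when one
        station impersonates the gateway towards the victim and the victim
        towards the gateway at the same time.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            kind = "GATEWAY" if ip == gateway_ip else "HOST"
            alerts.append(f"t={ts} {kind} {ip} moved from {previous} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            claimed = ",".join(sorted(mac_to_ips[mac]))
            alerts.append(f"t={ts} MAC {mac} claims several IPs: {claimed}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES):
        print(alert)
```

On the sample data the first three replies are clean; the fourth raises a gateway conflict and the fifth raises both a host conflict and a multi-IP alert for the same MAC.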
So… how can we “handle” or prevent these types of attacks?

In the internet environment the best defense against such an attack is usually to verify the identity of the other party through an “Authentication Certificate” issued by a trusted third party.

Modern browsers have built-in phishing protection mechanisms and privacy measures such as cookie deletion, history clearing and even incognito browsing.

Stay safe, choose Cytrix.
