Unauthorized access, Men in the Middle (MITM)


Page 1: Unauthorized access, Men in the Middle (MITM)


IBM Rational Application Security Group (aka Watchfire)

Web Based Man In the Middle Attack © 2009 IBM Corporation

Unauthorized Access: Man-in-the-Middle Attacks (MITM)

By: Balvinder Singh & Priya Nain

Page 2: Unauthorized access, Men in the Middle (MITM)


Man-in-the-middle attacks

In this type of attack, the attacker attempts to insert himself in the middle of a communication for purposes of intercepting the client's data, and could potentially modify it before discarding it or sending it on to the real destination.

The attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

Page 3: Unauthorized access, Men in the Middle (MITM)


[Diagram: Client, Attacker, Server – the attacker inserting himself in the middle of a communication]

Page 4: Unauthorized access, Men in the Middle (MITM)


Name Origin: The name "Man-in-the-Middle" is derived from the basketball scenario where two players intend to pass a ball to each other while one player between them tries to seize it. MITM attacks are sometimes referred to as "bucket brigade attacks" or "fire brigade attacks."

MITM attack is also known as:

• Bucket-brigade attack

• Fire brigade attack

• Session hijacking

• TCP hijacking

• TCP session hijacking

• Monkey-in-the-middle attack

Page 5: Unauthorized access, Men in the Middle (MITM)


Man-in-the-middle attacks take two common forms

• Eavesdropping: an attacker simply listens to a set of transmissions to and from different hosts even though the attacker's computer isn't party to the transaction. Many relate this type of attack to a leak, in which sensitive information could be disclosed to a third party without the legitimate user's knowledge.

• Manipulation: attacks build on the capability of eavesdropping by taking this unauthorized receipt of a data stream and changing its contents to suit a certain purpose of the attacker, perhaps spoofing an IP address, changing a MAC address to emulate another host, or some other type of modification.

Page 6: Unauthorized access, Men in the Middle (MITM)


Security Breach Example

Page 7: Unauthorized access, Men in the Middle (MITM)


Page 8: Unauthorized access, Men in the Middle (MITM)


Man in the Middle Scenario

All laptop users connect to a public network

Wireless connection can easily be compromised or impersonated

Wired connections might also be compromised

[Diagram: laptops connected through the Internet]

Page 9: Unauthorized access, Men in the Middle (MITM)


Rules of Thumb – Don'ts …

Someone might be listening to the requests:

– Don't browse sensitive sites

– Don't supply sensitive information

Someone might be altering the responses:

– Don't trust any information given on web sites

– Don't execute downloaded code

Page 10: Unauthorized access, Men in the Middle (MITM)


Rules of Thumb – What Can You Do?

This leaves us with:

– Browse Non-Sensitive sites

– Share personal information only over secure networks

[Diagram: the Internet, with non-sensitive sites ("boring") and sensitive sites ("interesting")]

Page 11: Unauthorized access, Men in the Middle (MITM)


Passive Man in the Middle Attacks

• Victim browses to a website

• Attacker views the request and forwards it to the server

• Server returns a response

• Attacker views the response and forwards it to the victim

Other servers are not affected.

Page 12: Unauthorized access, Men in the Middle (MITM)


Active Man in the Middle Attack

The attacker actively directs the victim to an "interesting" site. The IFrame could be invisible.

• Victim browses to a "boring" site (My Weather Channel)

• Attacker transfers the request to the server

• Server returns a response

• Attacker adds an IFRAME referencing an "interesting" site (My Bank Site)

• Automatic request sent to the interesting server (My Bank Site)

Other servers are not affected.
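The response-modification step above is what a defender can look for on the client side: a frame that was not part of the "boring" page, points at another host, or is sized so the user cannot see it. The following is an added example, not code from the slides or from IBM; it parses a constructed HTML response (placeholder hostnames weather.example and bank.example) and flags iframes that are off-origin or invisible.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IFrameCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs: dict) -> bool:
    """Zero-size or display:none frames are the 'invisible IFrame' from the slide."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return attrs.get("width") == "0" or attrs.get("height") == "0" or "display:none" in style


def suspicious_iframes(page_url: str, html: str) -> list:
    """Return the src of each iframe that points to another host or is hidden.

    page_url is the URL the user actually requested (the "boring" site).
    A frame whose src host differs from it, or that is invisible, is flagged
    for review. Relative srcs resolve to the page's own host.
    """
    parser = IFrameCollector()
    parser.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    flagged = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        src_host = (urlparse(src).hostname or page_host).lower()
        if src_host != page_host or is_hidden(attrs):
            flagged.append(src)
    return flagged


# Constructed sample: a weather page whose response was modified in transit.
# Hostnames are placeholders, not real sites.
SAMPLE_PAGE_URL = "http://weather.example/today"
SAMPLE_HTML = """
<html><body>
<h1>My Weather Channel</h1>
<iframe src="/radar" width="600" height="400"></iframe>
<iframe src="http://bank.example/account/transfer" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("suspicious iframe:", src)
```

The check only helps as a signal; an attacker who can rewrite the response can also remove client-side checks, which is why the slides' real answer is to carry sensitive traffic only over secure connections.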

Page 13: Unauthorized access, Men in the Middle (MITM)


Page 14: Unauthorized access, Men in the Middle (MITM)


Secure Connections

Login Mechanism

Page 15: Unauthorized access, Men in the Middle (MITM)


Session Fixation

• Cookie is saved on the victim's computer

• Attacker redirects the victim to the site of interest

• Attacker returns a page with a cookie generated by the server

• A while later, the victim connects to the site (with the pre-provided cookie)

• Attacker uses the same cookie to connect to the server

• Server authenticates the attacker as the victim

Result – The server now authenticates the attacker as the victim/client, so the attacker has the same privileges as our victim.
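The sequence above works because the server binds the victim's login to whatever cookie arrived, including one the attacker obtained earlier. The usual mitigation is to honour only session ids the server itself issued and to issue a fresh id at login. The following is an added example, not code from the slides or from IBM; it uses a constructed in-memory session store and replays the slide's sequence once without and once with id rotation.

```python
import secrets
from typing import Optional


class SessionStore:
    """In-memory session store (constructed for this example, not production code)."""

    def __init__(self) -> None:
        self.sessions = {}  # session id -> {"user": str or None}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable, server-generated id
        self.sessions[sid] = {"user": None}
        return sid

    def resolve(self, cookie_sid: Optional[str]) -> str:
        """Map the cookie from a request to a session id.

        Only ids this server issued are honoured; anything else (including an
        id a client made up) is replaced by a fresh session.
        """
        if cookie_sid in self.sessions:
            return cookie_sid
        return self.new_session()

    def login(self, cookie_sid: Optional[str], user: str, rotate: bool) -> str:
        """Authenticate the session behind cookie_sid and return the id to set.

        rotate=False binds the user to whatever id arrived (vulnerable to the
        slide's fixation sequence); rotate=True discards that id and issues a
        new one, so any copy the attacker holds stays unauthenticated.
        """
        sid = self.resolve(cookie_sid)
        if rotate:
            del self.sessions[sid]
            sid = self.new_session()
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, cookie_sid: Optional[str]) -> Optional[str]:
        """User bound to this cookie, or None if unknown or not logged in."""
        return self.sessions.get(cookie_sid, {}).get("user")


def fixation_scenario(rotate_on_login: bool) -> bool:
    """Replay the slide's sequence; True means the attacker ends up authenticated as the victim."""
    store = SessionStore()
    attacker_sid = store.new_session()  # attacker obtains a cookie generated by the server
    planted_cookie = attacker_sid       # ... and it ends up saved on the victim's computer
    store.login(planted_cookie, "victim", rotate=rotate_on_login)  # victim logs in with it
    return store.whoami(attacker_sid) == "victim"  # attacker connects with the same cookie


if __name__ == "__main__":
    print("attacker authenticated without rotation:", fixation_scenario(False))
    print("attacker authenticated with rotation:   ", fixation_scenario(True))
```

Rotation at login is the important part: rejecting client-invented ids alone does not stop the slide's attack, because the planted cookie really was generated by the server.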

Page 16: Unauthorized access, Men in the Middle (MITM)


Attack strategy – Spoofing

Spoofing is the creation of TCP/IP packets using somebody else's IP address. Routers use the "destination IP" address in order to forward packets through the Internet, but ignore the "source IP" address. That address is only used by the destination machine when it responds back to the source.

An example from cryptography is the Man in the Middle attack, in which an attacker spoofs Alice into believing the attacker is Bob, and spoofs Bob into believing the attacker is Alice, thus gaining access to all messages in both directions without the trouble of any cryptanalytic effort.

Page 17: Unauthorized access, Men in the Middle (MITM)


Types of Spoofing

• E-Mail address Spoofing

• URL Spoofing and Phishing

• Referrer Spoofing

Page 18: Unauthorized access, Men in the Middle (MITM)


URL spoofing and phishing

Another kind of spoofing is "webpage spoofing", also known as Phishing. In this attack, a legitimate web page such as a bank's site is reproduced in "look and feel" on another server under control of the attacker. The main intent is to fool the users into thinking that they are connected to a trusted site, for instance to harvest usernames and passwords.

Referrer spoofing

Some websites, especially pay sites, allow access to their materials only from certain approved (login-) pages. This is enforced by checking the referrer header of the HTTP request.

Page 19: Unauthorized access, Men in the Middle (MITM)


E-mail address spoofing

The sender information shown in e-mails (the "From" field) can be spoofed easily. This technique is commonly used by spammers to hide the origin of their e-mails and leads to problems such as misdirected bounces.

For example, an attacker sends a message to a user with a changed 'From' field; the user thinks the message came from a trusted person, may reply to it, and our data may be misused.
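Because the "From" field is just text the sender chose, a receiving system has to compare it against things the sender does not control: the envelope bounce address and the SPF/DKIM/DMARC verdicts the receiving mail server records in Authentication-Results. The following is an added example, not code from the slides or from IBM; it runs that comparison over two constructed messages (all domains are placeholders) and returns a list of reasons to distrust the From field.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List


def domain_of(header_value: str) -> str:
    """Domain part of the address in a From/Return-Path header ('' if none)."""
    _display, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg: Message) -> Dict[str, str]:
    """Pull spf=/dkim=/dmarc= verdicts out of Authentication-Results headers.

    These headers are added by the receiving mail server, which is assumed to
    strip any copies that arrived with the message, so a sender cannot forge them.
    """
    verdicts: Dict[str, str] = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts


def assess_from_header(raw_message: str) -> List[str]:
    """Return reasons to distrust the From field (empty list means none found)."""
    msg = message_from_string(raw_message)
    findings: List[str] = []
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    if envelope_domain and envelope_domain != from_domain:
        findings.append(
            f"From domain '{from_domain}' differs from bounce address domain '{envelope_domain}'"
        )
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            findings.append(f"{method} did not pass ({verdicts.get(method, 'absent')})")
    return findings


# Constructed sample messages; every domain below is a placeholder.
SPOOFED = """\
Return-Path: <bounce@mail.random.example>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail.random.example
From: "CEO" <ceo@corp.example>
To: staff@corp.example
Subject: Urgent wire transfer

Please reply with the account details.
"""

LEGITIMATE = """\
Return-Path: <ceo@corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example;
 dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example
From: "CEO" <ceo@corp.example>
To: staff@corp.example
Subject: Agenda

See you at 10.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(name, "->", assess_from_header(raw) or "no findings")
```

Treat the bounce-domain mismatch as a signal rather than proof: mailing lists and bulk senders legitimately use a different bounce domain, which is why DMARC alignment on the authenticated domain is the check production filters rely on.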

Page 20: Unauthorized access, Men in the Middle (MITM)


Defending against Spoofing

Spoofing is difficult to defend against because the attacks are mostly passive by nature.

• What you get is a web page that is different from what you are expecting.

In very targeted attacks it is very possible that you may never know that attackers have entered your system.

• By using a virtual proxy generator

• By using a login mechanism

Page 21: Unauthorized access, Men in the Middle (MITM)


Page 22: Unauthorized access, Men in the Middle (MITM)
