Network security man in the middle (MITM) attacks



  1. Ravi Kumar Purbey (@TheRavikr): Network security - Man in the middle (MITM) attacks
  2. Why Network Security? In today's technologically advanced world, computers play a dominant role. Whether you are at work, studying at college or school, or simply relaxing at home, you will almost certainly switch on a computer or some related state-of-the-art device. The importance of computers is further increased by the growing use of the internet.
  3. Different types of attack:
     • Denial of service
     • Man in the middle
     • SQL injection
     • Scripts attack
     • Buffer overflows
     • Logic bomb
     • etc.
  4. Network security - Man in the middle (MITM) attacks
  5. What is MITM? A man-in-the-middle (MITM) attack is a form of eavesdropping in which the communication between two users is monitored and modified by an unauthorized party. Typically, the attacker actively eavesdrops by intercepting a public key message exchange and retransmits the message while replacing the requested key with his own.
  6. MITM attack is also known as:
     • Bucket-brigade attack
     • Fire brigade attack
     • Monkey-in-the-middle attack
     • Session hijacking
     • TCP hijacking
     • TCP session hijacking
  7. Name Origin: The name "Man-in-the-Middle" is derived from the basketball scenario in which two players intend to pass a ball to each other while a player between them tries to seize it. MITM attacks are sometimes referred to as "bucket brigade attacks" or "fire brigade attacks". Those names come from the fire brigade practice of dousing a fire by passing buckets from one person to the next between the water source and the fire.
  8. How Does It Work? Man in the middle is known to most as "session hijacking" and to the general public simply as "hijacking". These attackers primarily target specific data about transactions on computers, which can be anything from an email to a bank transaction; having chosen a target, they begin by investigating the party of interest.
  9. How Does It Work? (diagram slide)
  10. A BASIC ILLUSTRATION: An attacker puts up a fake bank website and entices the user to that website. The user types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he is not at the bank's website. The attacker then either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.
  12. MITM TECHNIQUES: The techniques used for MITM attacks can be classified according to the following three network environment types:
     • Local Area Network
     • From Local To Remote (through a gateway)
     • Remote
  13. Local Area Network Attack: ARP poisoning. ARP (Address Resolution Protocol) poisoning is also known as "ARP spoofing" or ARP Poison Routing. The attacker may use ARP spoofing to sniff data frames on the LAN and to modify the packets. The attacker may corrupt the ARP caches of directly connected hosts and finally take over the IP address of the victim host.
  14. Local Area Network Attack: DNS spoofing. The attacker starts by sniffing the ID of any DNS request, and then replies to the target's requests before the real DNS server does.
  16. Local Area Network Attack: IP address spoofing. The attacker creates IP packets with a forged source IP address in order to conceal the identity of the packet sender or to impersonate another computer system. (This method of attack on a remote system can be very difficult, because it involves modifying thousands of packets at a time. This type of attack is most effective where trust relationships exist between endpoints.)
  17. Local Area Network Attack: Port stealing. The term "port stealing" refers to the MITM technique used to spoof the switch forwarding database (FDB) and usurp the switch port of the victim host for packet sniffing on Layer 2 switched networks. The attacker starts by flooding the switch with forged ARP packets that contain the same source MAC address as the victim host and the same destination MAC address as the attacker host.
  18. Local Area Network Attack (diagram: hosts A and B on a Layer 2 switch, with the attacker sending a forged gratuitous ARP; steps 1-3)
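The ARP poisoning, port stealing and gratuitous-ARP slides above all come down to a forged announcement changing which MAC answers for an IP. The detector below is an added example, not code from the original deck: it runs over a constructed ARP trace and reports the two symptoms a defender can see on the wire, a changed IP-to-MAC binding and one MAC claiming several IPs. The addresses, trace and function names are assumptions made for illustration.

```python
"""ARP poisoning detector for a LAN ARP trace (added example, not from the
original deck). It learns each IP's first-seen MAC and alerts when a later
reply or gratuitous ARP announces a different MAC for that IP, or when one
MAC ends up claiming several IPs, the pattern of an attacker answering for
both a victim and its gateway. All addresses below are constructed."""
from collections import defaultdict
from typing import NamedTuple

class ArpReply(NamedTuple):
    sender_ip: str
    sender_mac: str
    gratuitous: bool   # unsolicited "is-at" announcement, as in the diagram

# Constructed trace: 10.0.0.1 is the gateway, 10.0.0.20 a client, and
# de:ad:be:ef:00:99 is a third host that later claims both addresses.
SAMPLE_TRACE = [
    ArpReply("10.0.0.1", "00:11:22:33:44:01", False),
    ArpReply("10.0.0.20", "00:11:22:33:44:20", False),
    ArpReply("10.0.0.1", "de:ad:be:ef:00:99", True),    # forged gratuitous ARP
    ArpReply("10.0.0.20", "de:ad:be:ef:00:99", True),   # forged gratuitous ARP
]

def detect_arp_poisoning(trace, max_ips_per_mac=1):
    """Return alert strings for the ARP replies in `trace`, in order."""
    baseline = {}                   # IP -> first MAC seen claiming it
    claimed = defaultdict(set)      # MAC -> every IP it has claimed
    alerts = []
    for pkt in trace:
        known = baseline.setdefault(pkt.sender_ip, pkt.sender_mac)
        if known != pkt.sender_mac:
            kind = "gratuitous ARP" if pkt.gratuitous else "ARP reply"
            alerts.append(f"{pkt.sender_ip} moved from {known} to "
                          f"{pkt.sender_mac} via {kind}")
        claimed[pkt.sender_mac].add(pkt.sender_ip)
        if len(claimed[pkt.sender_mac]) > max_ips_per_mac:
            alerts.append(f"{pkt.sender_mac} now claims "
                          f"{sorted(claimed[pkt.sender_mac])}")
    # Legitimate events (DHCP lease reuse, a replaced NIC) also change a
    # binding, so treat alerts as leads; static ARP entries or switch-side
    # dynamic ARP inspection are the controls that stop the attack itself.
    return alerts

if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_TRACE):
        print(line)
```

On the constructed trace the first two replies establish the baseline silently and the two forged gratuitous ARPs produce three alerts.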
  19. From Local to Remote (through a gateway): DHCP spoofing. DHCP requests are made in broadcast mode. If the attacker replies before the real DHCP server, it can manipulate:
     • the IP address of the victim
     • the GW address assigned to the victim
     • the DNS address
  20. From Local to Remote (through a gateway): IRDP spoofing. The attacker can forge advertisement packets pretending to be the router for the LAN. He/she can set the "preference level" and the "lifetime" to high values to be sure the hosts will choose it as the preferred router.
  21. From Local to Remote (through a gateway) (diagram: attacker AT, gateway GW, host H, INTERNET). The attacker can forge packets for the gateway (GW) pretending to be a router with a good metric for a specified host on the internet.
  22. REMOTE ATTACK: DNS poisoning.
     Type 1 attack:
     • The attacker sends a request to the victim DNS asking for one host.
     • The attacker spoofs the reply which is expected to come from the real DNS.
     • The spoofed reply must contain the correct ID (brute force or semi-blind guessing).
     Type 2 attack:
     • The attacker can send a "dynamic update" to the victim DNS.
     • If the DNS processes it, it is even worse, because the server will then be authoritative for those entries.
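Slide 14 (LAN DNS spoofing) and the type 1 attack on slide 22 both depend on a forged reply carrying the right transaction ID and arriving before the real server's answer. The following is an added example, not code from the original deck, showing the checks a resolver or IDS can apply to the replies it receives; the addresses, query and class names are constructed for illustration.

```python
"""DNS spoofing race detector (added example, not from the original deck) for
the LAN DNS spoofing of slide 14 and the type 1 remote poisoning of slide 22.
A resolver that remembers its outstanding queries can flag a reply whose ID it
never sent (a guessed ID) and a conflicting second reply to a query already
answered (the real answer landing after the spoofed one). Data is constructed."""
from dataclasses import dataclass, field
@dataclass
class DnsResponse:
    txid: int
    qname: str
    src_ip: str   # source address of the UDP reply
    answer: str   # A record it carries

@dataclass
class DnsRaceDetector:
    resolver_ip: str                               # the only legitimate source
    outstanding: set = field(default_factory=set)  # (txid, qname) awaiting reply
    answered: dict = field(default_factory=dict)   # (txid, qname) -> first reply

    def sent(self, txid: int, qname: str) -> None:
        self.outstanding.add((txid, qname))

    def received(self, r: DnsResponse):
        """Return an alert string, or None if the reply looks normal."""
        key = (r.txid, r.qname)
        if key in self.answered:                   # duplicate for a closed query
            first = self.answered[key]
            if (first.src_ip, first.answer) != (r.src_ip, r.answer):
                return (f"conflicting replies for {r.qname} id={r.txid:#x}: "
                        f"{first.src_ip}->{first.answer} then {r.src_ip}->{r.answer}")
            return None
        if key not in self.outstanding:            # an ID this resolver never sent
            return f"unsolicited reply id={r.txid:#x} for {r.qname} from {r.src_ip}"
        self.outstanding.discard(key)
        self.answered[key] = r
        if r.src_ip != self.resolver_ip:
            return f"reply for {r.qname} from unexpected source {r.src_ip}"
        return None

def run_sample() -> list:
    """Constructed race: one wrong-ID guess, a spoofed hit, then the real reply."""
    d = DnsRaceDetector(resolver_ip="10.0.0.53")
    d.sent(0x1A2B, "bank.example")
    events = [
        DnsResponse(0x1A2A, "bank.example", "10.0.0.66", "203.0.113.9"),    # wrong ID
        DnsResponse(0x1A2B, "bank.example", "10.0.0.66", "203.0.113.9"),    # spoofed hit
        DnsResponse(0x1A2B, "bank.example", "10.0.0.53", "198.51.100.10"),  # real, late
    ]
    return [a for a in map(d.received, events) if a]
```

A forger who also spoofs the resolver's source address passes the source check and is caught only by the conflict check once the genuine reply lands, which is why the late duplicate is worth keeping rather than discarding.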
  23. REMOTE - Traffic tunneling (diagram: client, gateway, router, GRE tunnel across the INTERNET to the attacker's fake host, server)
  24. REMOTE - Traffic tunneling, route mangling revisited. The attacker aims to hijack the traffic between the two victims A and B. The attack will collect sensitive information through:
     • Traceroute
     • port scanning
     • protoscanning
  25. REMOTE - Traffic tunneling, Scenario 1a (IGRP inside the AS) (diagram: A, R1, B, R2). The attacker pretends to be the GW.
  26. REMOTE - Traffic tunneling, Scenario 1b (IGRP inside the AS) (diagram: A, R1, R3, R2, B)
  27. MITM Tools For Hacking:
     • dsniff - A tool for SSH and SSL MITM attacks
     • Cain - A Windows GUI tool which can perform MITM attacks, along with sniffing and ARP poisoning
     • Ettercap - A tool for LAN based MITM attacks
     • Karma - A tool that uses 802.11 Evil Twin attacks to perform MITM attacks
     • AirJack - A tool that demonstrates 802.11 based MITM attacks
     • wsniff - A tool for 802.11 HTTP/HTTPS based MITM attacks
     an additional card reader and a method to intercept key-presses on an Automated teller machine
  28. Conclusions. The security of a connection relies on:
     • proper configuration of the client (avoiding ICMP Redirect, ARP Poisoning etc.)
     • the other endpoint's infrastructure (e.g. DNS dynamic update)
     • the strength of third-party appliances to which we have no access (e.g. tunneling and route mangling).
     The best way to ensure secure communication is the correct and conscious use of cryptographic systems:
     • on both client and server side
     • at the network layer (e.g. IPsec)
     • at the transport layer (e.g. SSLv3)
     • at the application layer (e.g. PGP).
  29. Thanks. Ravi Kumar Purbey, @TheRavikr, www.ravikumarpurbey.com