A man-in-the-middle (MITM) attack is one in which the attacker inserts himself in the middle of a connection. It differs from a hijacking attack in that it does not replace the client, but rather acts as a relay between the client and server. Both sides think they are communicating directly with each other, but they are actually doing it through the MITM. The MITM then captures information that might otherwise be encrypted, or manipulates the data in some other way.
Here are some common examples of an MITM attack:
- SSL downgrading/stripping:
- The MITM inserts itself between a web client and server.
- The MITM creates a secure HTTPS session with the server.
- The MITM forces the client to accept either a cleartext HTTP session or a downgraded HTTPS session with a more vulnerable version of SSL.
- The MITM runs some type of sniffer that collects credentials as the user logs on.
- Netcat relay:
- A target Windows Server is sitting behind a firewall.
- The firewall permits TCP 80 but not TCP 135 to pass through it.
- A Netcat listener has been planted on the target. It is waiting for incoming TCP 80 connections.
- When TCP 80 traffic comes to the target, Netcat rewrites the destination port to TCP 135 and relays the traffic to the DCOM service.
- An outside attacker is able to exploit DCOM even through a firewall.
- A WiFi Pineapple or Pumpkin (rogue wireless access point) attracts Wi-Fi clients to connect to the network through it.
- A Stingray or other IMSI catcher masquerades as a legitimate cell phone tower, inducing cell phones to make calls through it.
MITM requires some type of spoofing, usually ARP poisoning or changing IP addresses/port numbers. It can be thwarted if the client and server digitally sign their packets, or in the case of the website if the server requires HTTP Strict Transport Security (HSTS).
Here are some common tools that are used in man-in-the-middle attacks:
- CERT Tapioca
- Metasploit mitm proxy modules
Note: MITMf (Framework for Man-in-the-Middle Attacks) is a python script that contains a complete suite of attack features. For more information, see https://github.com/byt3bl33d3r/MITMf
Note: Do not confuse MITM with proxying. Although they are similar, their intent is different. MITM manipulates traffic generated by a legitimate host. Proxying manipulates traffic generated by an attacker.