Difference between revisions of "Man-in-the-middle attack"

From OWASP
Revision as of 11:59, 5 November 2007

This is an Attack. To view all attacks, please see the Attack Category page.


Description

A man-in-the-middle attack intercepts a communication between two systems; in an HTTP transaction, for example, the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into two new connections, one between the client and the attacker and the other between the attacker and the server, as shown in figure 1. Once the TCP connection is intercepted, the attacker acts as a proxy and is able to read, insert and modify the data in the intercepted communication.

Figure 1. Illustration of man-in-the-middle attack

In the web context the MITM attack is very effective because the HTTP protocol and the data it transfers are all ASCII based, so the attacker can both view and alter the HTTP protocol elements as well as the data transferred. For example, it is possible to capture a session cookie by reading the HTTP headers, but it is also possible to change the amount of a money transaction inside the application context, as shown in figure 2.

Figure 2. Illustration of an HTTP packet intercepted with Paros Proxy.
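
The session-cookie capture described above only works while the cookie travels over plaintext HTTP. The following is an added example, not code from the OWASP page: it parses a constructed HTTP response and reports the settings (a session cookie without the Secure and HttpOnly attributes, a missing Strict-Transport-Security header) that let an on-path attacker read the cookie from the headers.

```python
"""Audit an HTTP response for settings that expose a session to a plaintext
man-in-the-middle. Added example; the sample responses below are constructed.
"""
from typing import Dict, List


def parse_response(raw: bytes) -> Dict[str, List[str]]:
    """Return headers as name -> list of values (names lower-cased)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_response(raw: bytes) -> List[str]:
    """List weaknesses an on-path attacker could exploit over plain HTTP."""
    headers = parse_response(raw)
    findings: List[str] = []
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name}: no Secure flag, sent over plaintext HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: no HttpOnly flag, readable from script")
    if "strict-transport-security" not in headers:
        findings.append("no Strict-Transport-Security header, browser may use http://")
    return findings


# Constructed sample: a login response that sets a session cookie.
WEAK = (b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
        b"\r\n<html></html>")
HARDENED = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n"
            b"Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
            b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
            b"\r\n<html></html>")

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(resp) or ["ok"])
```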

The MITM attack can also be carried out over an HTTPS connection using the same technique; the only difference is the establishment of two independent SSL sessions, one over each TCP connection. The browser sets up an SSL connection with the attacker, and the attacker establishes another SSL connection with the web server. In general the browser warns the user that the digital certificate presented is not valid, but the user may ignore the warning because he doesn't understand the threat. In some specific contexts the warning does not appear at all, for example when the server certificate has been compromised by the attacker, or when the attacker's certificate is signed by a trusted CA and its CN is the same as that of the original web site.
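
The last case above, a CA-signed certificate carrying the right CN, passes ordinary chain and hostname validation. The following is an added example, not code from the OWASP page: a client that delegates chain and hostname checks to the ssl module and additionally pins the SHA-256 fingerprint of the server's own leaf certificate, so a different certificate with the same name is still rejected. Host names, ports, pins and the sample DER bytes are assumed.

```python
"""Client-side TLS checks for the HTTPS MITM case. Added example; the DER
byte strings below are constructed stand-ins, not real certificates.
"""
import hashlib
import socket
import ssl
from typing import Iterable


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, expected: Iterable[str]) -> bool:
    """True when the presented leaf certificate is one we deployed."""
    return cert_fingerprint(der) in {p.lower() for p in expected}


def make_strict_context() -> ssl.SSLContext:
    """Context that refuses untrusted chains and hostname mismatches."""
    ctx = ssl.create_default_context()          # system CA store
    ctx.check_hostname = True                   # SAN/CN must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED         # never accept an unverified cert
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_pinned(host: str, port: int, pins: Iterable[str]) -> ssl.SSLSocket:
    """Open a TLS connection and abort unless the leaf cert is pinned."""
    ctx = make_strict_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port)),
                           server_hostname=host)
    der = sock.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        sock.close()
        raise ssl.SSLError("leaf certificate does not match pinned fingerprint")
    return sock


# Constructed stand-ins: a genuine server cert and a CA-signed cert with the
# same CN. Both would pass chain validation; only the pin tells them apart.
GENUINE_DER = b"\x30\x82\x01\x00genuine-server-cert"
IMPOSTOR_DER = b"\x30\x82\x01\x00ca-signed-cert-same-cn"
PINS = [cert_fingerprint(GENUINE_DER)]

if __name__ == "__main__":
    print("genuine accepted:", pin_matches(GENUINE_DER, PINS))     # True
    print("impostor accepted:", pin_matches(IMPOSTOR_DER, PINS))   # False
```

Pinning the leaf certificate means the pin set must be updated whenever the server's certificate is renewed; keep a backup pin ready before rotation.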

MITM is not only an attack technique: the same interception is routinely used during the development of a web application and for web vulnerability assessments.

MITM Attack tools

There are several tools for carrying out a MITM attack. These tools are particularly effective in LAN environments because they implement extra functionality, such as ARP spoofing, that lets them intercept the communication between hosts.

  • PacketCreator
  • Ettercap
  • Dsniff
  • Cain e Abel
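
Because the LAN tools above rely on ARP spoofing to get in the path, the ARP traffic itself is where a defender can see them. The following is an added example, not code from the OWASP page: it scans a constructed stream of ARP replies and alerts when an IP's MAC changes or when one MAC answers for several IPs. The "IP is-at MAC" line format is assumed; a real deployment would feed it from a sniffer or from periodic ARP-table snapshots.

```python
"""Detect the ARP-spoofing behaviour that LAN MITM tools rely on.
Added example; SAMPLE below is constructed input.
"""
from collections import defaultdict
from typing import Dict, List, Set


def detect_arp_spoofing(lines: List[str]) -> List[str]:
    """Return alerts for MAC changes and MACs answering for multiple IPs."""
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[str] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[1] != "is-at":
            continue                                  # ignore malformed input
        ip, mac = parts[0], parts[2].lower()
        previous = ip_to_mac.get(ip)
        if previous and previous != mac:
            alerts.append(f"{ip} changed from {previous} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


# Constructed sample: the gateway 10.0.0.1 and host 10.0.0.7 answer with
# their own MACs first; later replies show a third MAC claiming both.
SAMPLE = [
    "10.0.0.1 is-at 00:11:22:33:44:01",
    "10.0.0.7 is-at 00:11:22:33:44:07",
    "10.0.0.1 is-at aa:bb:cc:dd:ee:ff",
    "10.0.0.7 is-at aa:bb:cc:dd:ee:ff",
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE):
        print("ALERT:", alert)
```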

MITM Proxy only tools

Proxy-only tools permit interaction with all parts of the HTTP protocol, such as the header and the body of a transaction, but they lack the capability to intercept the TCP connection between client and server. To intercept the communication it is necessary to use other network attack tools or to configure the browser to send its traffic through the proxy.

  • OWASP WebScarab
  • Paros Proxy
  • Burp Proxy
  • ProxyFuzz
  • Odysseus Proxy

Severity

High

Likelihood of exploitation

Medium

External References

  • CWE-300: http://cwe.mitre.org/data/definitions/300.html
  • Wikipedia: http://en.wikipedia.org/wiki/Mitm

Related Threats

  • Category:Authentication
  • Category:Client-side Attacks

Related Attacks

  • SSL man-in-the-middle attack: http://www.sans.org/reading_room/whitepapers/threats/480.php

Related Vulnerabilities

  • Category:Session Management Vulnerability

Related Countermeasures

  • Digital Certificate (CWE-295): http://cwe.mitre.org/data/definitions/295.html
  • Session Management