Man-in-the-middle attacks (MITM) are a type of cybersecurity attack in which an attacker eavesdrops on communication between two other parties without being detected. Assume, for example that Alice and Bob are communicating, while Eve is conducting a MITM attack. Eve poses as Alice to Bob and as Bob to Alice by modifying the communications between them. In this way, Eve can gather information from Alice and Bob by transparently hijacking the communication session.
Specific types of MITM attacks include rogue access point attacks, ARP spoofing, mDNS spoofing and DNS spoofing.
Wireless devices generally attempt to connect to the wireless access point (WAP) with the strongest signal, automatically. During a rogue access point attack, an attacker creates an access point in an attempt to lure nearby devices into connecting to it. This type of MITM attack is effective because it only requires physical proximity to the targets.
Address Resolution Protocol (ARP) allows discovery of the Media Access Control (MAC) with each IP address in a local area network (LAN). When one host needs to communicate with another host with a given IP address, it must first reference the ARP cache to resolve the IP address to a MAC address. An attacker performing ARP spoofing responds to these requests with its own MAC address. By intercepting traffic intended for legitimate users or services, an attacker can gain access to information like session tokens that allow them to hijack the session.
Multicast Domain Name Service (mDNS) uses broadcast protocols like ARP to resolve domain names to IP addresses on a LAN. The simplicity of this DNS system makes it an attractive target for spoofing attacks because whenever a local device makes a request to resolve an IP address, the attacker can easily respond to that request with the IP address of a host that the attacker controls. The victim will then treat that host as trusted for the duration of the session.
DNS spoofing (a.k.a. DNS cache poisoning) is conceptually similar to mDNS spoofing, although it’s typically more challenging to execute. The attacker must provide the target host with false information with the intention of poisoning the host’s DNS cache. The poisoned cache will cause the target to access the attacker’s host, rather than the legitimate host. The victim of a DNS spoofing attack may then provide sensitive information under the assumption that it’s communicating with a trusted host.
MITM attacks use a variety of techniques including sniffing, packet injection, session hijacking, and SSL stripping.
Packet sniffing is the process of capturing a packet and inspecting it at a low level. An MITM attacker uses this technique to access packets addressed to other hosts, generally by placing network devices in monitoring or promiscuous mode.
MITM attackers also place wireless devices in monitoring mode to inject their own packets into a data stream between hosts. These packets appear to be part of their normal communications but have malicious intent like extracting important data from the target hosts. Packet injection usually requires the attacker to first perform packet sniffing to determine how to inject packets.
Administrators can easily overlook a MITM attack for a prolonged period if they aren’t actively looking for one. The best methods of detecting this type of attack include logging and monitoring access to sensitive resources, including failed login attempts and successful logins that follow.