Man-in-the-middle ?

Printable View

March 24th, 2005, 09:59 PM
kautilya

Man-in-the-middle ?

I read the below description for man-in-the-middle attack -

"The client (Bob) initiates a connection with the server (Alice). Unknown to both Bob and Alice, an attacker (Eve) is waiting to intercept their connection negotiation. Eve receives Bob's request for a connection and authenticates herself as Alice. Eve then initiates a connection with Alice posing as Bob and authenticates herself. Two secure SSH sessions are now in place with Eve reading all of the data being passed between Bob and Alice in clear text."

How does Eve get the connection from Bob when Alice is supposed to get the request ?
March 24th, 2005, 10:06 PM
Tiger Shark

Eve is acting as a router. She intercepts the initial connection, (thus Bob never speaks directly to Alice), and then pretends to be Bob when talking to Alice. Anything Alice sends to Bob goes to Eve first who then passes it on to Bob so that Bob doesn't know he isn't talking to Alice....

Clear as Mud?
March 24th, 2005, 10:20 PM
(V)/\><

damn you Eve, always thwarting Alice and Bobs attempts at secure communication.

Eve can "get the connection" by being connected to the same LAN or WLAN as Alice and Bob, with a NIC in promiscious mode. Normally the card will check the MAC address, see someone elses address and drop the frame. However, in promiscious mode, all packets will be accepted and passed to the higher layer protocols.

actually, i read your thing wrong. the above example would allow Eve to pick up what the real Alice and Bob are saying to each other. this is still considered a man-in-the-middle attack. from your example, Eve is actually posing as Alice and Bob to Bob and Alice, respectively. Eve could "get the connection" in a number of ways, messing with DNS, address spoofing, perhaps Eve is working for the local ISP and has been tempted by "the Dark Side" (tm).

Note that in the above example, Eve is able to authenticate as Bob or Alice. how is this possible? (rhetorical) Eve would need to know Alice and Bobs private keys to accomplish this, if a public-key crypto system was used.
March 24th, 2005, 11:05 PM
kautilya

Thanks. Clear.
March 25th, 2005, 12:20 AM
ByTeWrangler

Greeting's

I have two question's about Man-In-The-Middle (MITM) attacks.

1. Lets say I type hotmail.com in the address bar of my internet browser. Then I log-on to hotmail. Now right here at the type is it possible for amyone to watch and listen to the authentication request. What I mean is some what like sniffing but I want to know if this is possible without creating something that alerts me. (AFAIK there is something know as ARP storms but I do not know how they occur).

2. I have successfully logged into hotmail and I am reading my mail at this point is it possible to read the mails to and send me wrong data (something other that what's the content of the mail). I also know that it is possible to inject commands in a present connection but this creats again, ARP storms (I have not a clue how they occur, I mean for what reasone).

One more thing that I dont understand is how MITM can act as hotmail server (I above situation's) because would I know it from the active connections shown by lets say Netstat or Fport due the Mismatch of IP of Hotmail and the IP of MITM.
March 25th, 2005, 02:52 AM
Maestr0

1. Unless your are using HTTPS (encrypted) then YES. HTTP is a plain text protocol. Your authentication between you and hotmail is sent naked as a jaybird down the wire. (This can easily be accomplished by anyone sniffing the traffic, no MITM is required)
2. Unless you are using HTTPS, then YES. This could be accomplished several ways. If the attacker was situated in your route he could act as a transparent proxy between you and your web requests, or the traditional ARP posioning (if on your segment) could be used to route all your traffic through himself, just to name two ways.

Could you tell? Maybe. If your ARP cache was poisoned and you actually knew what device the attacker was masquerading as, and what its IP should be then yes. If he were just acting as a transparent proxy along the route, then probably not, injecting data into the requests or the returns would be trivial. Of course if you suspected this was happening there are ways to tell, but I dont think it would be immediately apparent if you weren't looking.

-Maestr0
March 25th, 2005, 03:18 AM
Relyt

A Man-in-the-Middle Attack!

Oh no! Say it isn’t so Mister Wizard. How is this possible?? Yes Tudor Turtle it is true. And a classic example is in the using of asymmetric encryption. Drunken Alice and Bobbling Bob went to all the trouble to create their keys and the algorithm was strong, but yet they didn’t secure the keys to their kingdom. They exchanged the keys in a non-secure method and Evil Evetress intercepted them. Now that evil vixen can modify, decrypt, and reencypt all of Alice’s and Bobs most private conversations! What can be done now Mister Wizard? Young Tudor, they must stop using the existing keys and make a new set. And of utmost importance is to pass them over a trusted channel. Even if the Evil Evetress can intercept their conversations as long as she does not get the keys, and Alice and Bob change them frequently, their secrets will be safe. Oh Mister Wizard, I want to come home!

"Drizzle drazzle drozzle drome-- Time for this one to come home!"

(Characters are from the “Tudor Turtle Show”)

:)
April 21st, 2005, 09:03 AM
moonlight_x

I am not sure the details on how to do it. But i have seen some domain (DNS) hijack incident that victim's yahoo.com actually pointing a different site and everything he enter there is being log down and re-transmited to the real yahoo.com. And the real respond from yahoo.com forwarded back to victims workstation. Hence all the login account, password (in clear text) is being capture.

It could have come from a trojan itself.

(Just my two cents worth, correct me if i am wrong)