Man-in-the-Middle Attack (On-Path)
A man-in-the-middle (MITM) attack is where a threat actor compromises the connection between two hosts and transparently intercepts and relays all communications between them.
- aka on-path or impersonation attacks
- is a specific type of spoofing attack
- may modify the traffic before relaying it
- the attacker inserts themselves between the client and the server
- accomplished via several methods
- most common:
- ARP spoofing
- DNS spoofing
- to defend, use encrypted communications
- e.g., HTTPS or VPN

How It Works
- a user (the recipient) wants to receive encrypted messages from another user (the sender)
- the recipient sends his/her public key to the sender
- the attacker intercepts the recipient's public key and instead sends his/her own public key to the sender
- the sender is misled, thinking he/she is communicating with the recipient
- the sender encrypts messages with the attacker's public key
- the attacker intercepts and reads any message sent to the recipient, and can re-encrypt the received plaintexts with the recipient's public key, or relay fake messages
- digital certificates prevent this attack
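The public-key substitution described above, played out in code, as an added example that is not part of the original notes. It assumes a toy certificate format (a name, a PKIX-encoded RSA key and an Ed25519 CA signature over both), RSA-OAEP for the message itself, and the names "recipient", RunExchange and Outcome, all of which are constructed for this illustration. The same run is made three times: attacker swaps the key and the sender does not check the certificate, attacker swaps the key and the sender does check it, and an honest exchange with the check on.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Certificate is a minimal stand-in for a digital certificate: a name bound to
// a public key by a CA signature. Constructed for this example; a real X.509
// certificate carries far more fields.
type Certificate struct {
	Name   string
	PubDER []byte // PKIX-encoded RSA public key
	Sig    []byte // CA's Ed25519 signature over Name || 0x00 || PubDER
}

// certPayload is the exact byte string the CA signs.
func certPayload(name string, pubDER []byte) []byte {
	return append([]byte(name+"\x00"), pubDER...)
}

func issueCert(caPriv ed25519.PrivateKey, name string, pub *rsa.PublicKey) Certificate {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil { panic(err) }
	return Certificate{Name: name, PubDER: der, Sig: ed25519.Sign(caPriv, certPayload(name, der))}
}

// verifyCert is the sender-side check: the key is trusted only if the CA
// signature over (name, key) is valid.
func verifyCert(caPub ed25519.PublicKey, c Certificate) (*rsa.PublicKey, bool) {
	if !ed25519.Verify(caPub, certPayload(c.Name, c.PubDER), c.Sig) {
		return nil, false
	}
	k, err := x509.ParsePKIXPublicKey(c.PubDER)
	if err != nil { return nil, false }
	pub, ok := k.(*rsa.PublicKey)
	return pub, ok
}

// Outcome records who ended up able to read the sender's message.
type Outcome struct {
	SenderAborted bool // sender refused the offered key
	AttackerRead  bool // on-path attacker decrypted the message
	RecipientRead bool // intended recipient decrypted the message
}

func oaepEncrypt(pub *rsa.PublicKey, msg []byte) []byte {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
	if err != nil { panic(err) }
	return ct
}

func oaepDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// RunExchange plays the exchange once. tamper: the attacker swaps the key in
// transit. checkCert: the sender verifies the CA signature before trusting it.
func RunExchange(tamper, checkCert bool) Outcome {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	recipientKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	attackerKey, _ := rsa.GenerateKey(rand.Reader, 2048)

	// Step 1: the recipient sends its certificate (name + public key + CA signature).
	offered := issueCert(caPriv, "recipient", &recipientKey.PublicKey)

	// Step 2: the on-path attacker replaces the public key with its own. It has
	// no CA key, so the original signature stays attached and no longer matches.
	if tamper {
		offered.PubDER, _ = x509.MarshalPKIXPublicKey(&attackerKey.PublicKey)
	}

	// Step 3: the sender decides which key to encrypt to.
	var pub *rsa.PublicKey
	if checkCert {
		p, ok := verifyCert(caPub, offered)
		if !ok { return Outcome{SenderAborted: true} }
		pub = p
	} else {
		k, _ := x509.ParsePKIXPublicKey(offered.PubDER)
		pub = k.(*rsa.PublicKey)
	}
	msg := []byte("constructed sample message") // constructed plaintext
	ct := oaepEncrypt(pub, msg)

	// Step 4: the attacker tries its own private key; on success it re-encrypts
	// the plaintext to the real recipient so the relay goes unnoticed.
	var out Outcome
	if pt, err := oaepDecrypt(attackerKey, ct); err == nil && string(pt) == string(msg) {
		out.AttackerRead = true
		ct = oaepEncrypt(&recipientKey.PublicKey, pt)
	}
	if pt, err := oaepDecrypt(recipientKey, ct); err == nil && string(pt) == string(msg) {
		out.RecipientRead = true
	}
	return out
}

func main() {
	fmt.Printf("tampered, no cert check: %+v\n", RunExchange(true, false))
	fmt.Printf("tampered, cert check:    %+v\n", RunExchange(true, true))
	fmt.Printf("honest, cert check:      %+v\n", RunExchange(false, true))
}
```

The point of the third run is that the check is not simply "always refuse": a key that really was signed by the CA for the name "recipient" is accepted, and the attacker's private key then fails to open the ciphertext. Encryption alone does not stop the attack; binding the key to an identity with a signature the attacker cannot forge does.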
Types
- MAC Spoofing and IP Spoofing
- ARP Spoofing and ARP Poisoning
- Packet Sniffing
- is where the attacker intercepts the data as it is traveling to or from the victim’s device
- including authentication credentials
- adversary-in-the-middle (AitM)
- an on-path host presents a workstation with a spoofed website form to try to capture the user's credentials
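A defender-side check for the ARP spoofing/poisoning listed above, as an added example that is not part of the original notes. It compares two constructed snapshots of a host's neighbour table in the `ip neigh` output format (the sample lines and addresses are made up) and reports the two signatures a poisoned cache typically shows: an IP whose MAC changed between snapshots, and one MAC answering for several IPs. The function names parseNeigh and DetectARPAnomalies are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed neighbour-table snapshots in `ip neigh` format (not captured
// from a real host). In the second one, 192.168.1.1 (the gateway) suddenly
// resolves to the MAC that 192.168.1.30 already uses.
const beforeSnapshot = `192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.30 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE`

const afterSnapshot = `192.168.1.1 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.30 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
192.168.1.40 dev eth0 FAILED`

// parseNeigh maps IP -> MAC. Lines without an lladdr field (FAILED or
// INCOMPLETE entries) carry no MAC and are skipped.
func parseNeigh(s string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(s), "\n") {
		f := strings.Fields(line)
		for i := 1; i+1 < len(f); i++ {
			if f[i] == "lladdr" {
				out[f[0]] = strings.ToLower(f[i+1])
			}
		}
	}
	return out
}

// DetectARPAnomalies returns sorted, human-readable findings for the two
// classic poisoning signatures. Sorting makes the output deterministic.
func DetectARPAnomalies(prev, cur map[string]string) []string {
	var findings []string
	// Signature 1: an IP whose MAC changed between snapshots.
	for ip, mac := range cur {
		if old, ok := prev[ip]; ok && old != mac {
			findings = append(findings, fmt.Sprintf("MAC change for %s: %s -> %s", ip, old, mac))
		}
	}
	// Signature 2: one MAC claiming several IPs in the current table.
	byMAC := map[string][]string{}
	for ip, mac := range cur {
		byMAC[mac] = append(byMAC[mac], ip)
	}
	for mac, ips := range byMAC {
		if len(ips) > 1 {
			sort.Strings(ips)
			findings = append(findings, fmt.Sprintf("MAC %s claims %d IPs: %s", mac, len(ips), strings.Join(ips, ", ")))
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	for _, f := range DetectARPAnomalies(parseNeigh(beforeSnapshot), parseNeigh(afterSnapshot)) {
		fmt.Println(f)
	}
}
```

In practice the "before" snapshot is whatever the host saw at boot or what the network team documents for the gateway; a change in the gateway's MAC is the finding worth paging on, since that is the entry an attacker must poison to sit on the path to everything off-subnet.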