A man-in-the-middle (MitM) attack is a form of cyberattack where important data is intercepted by an attacker using a technique to interject themselves into the communication process. The attacker can be a passive listener in your conversation, silently stealing your secrets, or an active participant, altering the contents of your messages, or impersonating the person/system you think you’re talking to.
Think back to the 20th century, when your younger sibling would pick up the phone when you were talking to your crush. You didn’t know they were listening, and then they went and tattled on you. That’s a basic MitM attack.
How Does A Man-in-the-Middle Attack Work?
Download the full Netcat cheatsheet
Most MitM attacks follow a straightforward order of operations, regardless of the specific techniques used in the attack.
In this example, there are three entities, Alice, Bob, and Chuck (the attacker).
- Chuck covertly listens to a channel where Alice and Bob are communicating
- Alice sends a message to Bob
- Chuck intercepts and reads Alice’s message without Alice or Bob knowing
- Chuck alters messages between Alice and Bob, causing unwanted/damaging responses
MitM techniques are usually employed early in the cyber kill chain – during reconnaissance, intrusion, and exploitation. Attackers often use MitM to harvest credentials and gather intelligence about their targets.
Multi-factor authentication (MFA) can be an effective safeguard against stolen credentials. Even if your username and password are scooped up by a man-in-the-middle, they’d need your second factor to make use of them. Unfortunately, it’s possible to bypass MFA in some cases.
Here is a practical example of a real-world MiTM attack against Microsoft Office 365 where MFA was bypassed by the attacker:
- User clicks a phishing link that takes them to a fake Microsoft login page where they enter their username and password
- The fake webpage forwards the username and password to the attacker’s server
- The attacker forwards the login request to Microsoft, so they don’t raise suspicion
- Microsoft sends the two-factor authentication code to the user via SMS
- User enters the code into the fake webpage
- The fake page forwards 2FA code to the attacker’s server
- The attacker uses Evilginx to steal the session cookie
- The attacker forwards the user’s 2FA code to Microsoft, and now the attacker can log in to Office 365 as the compromised user by using the session cookie, and has access to sensitive data inside the enterprise
You can see this exact attack happen in a live environment during our weekly cyber-attack workshops.
MitM Attack Techniques and Types
Here are a few of the common techniques that attackers use to become a man-in-the-middle.
1. ARP Cache Poisoning
Address Resolution Protocol (ARP) is a low-level process that translates the machine address (MAC) to the IP address on the local network.
Attackers inject false information into this system to trick your computer to think the attacker’s computer is the network gateway. When you connect to the network, the attacker is receiving all of your network traffic (instead of your real network gateway) and passes the traffic along to its real destination. From your perspective, everything is normal. The attacker is able to see all of your packets.
- Chuck (our attacker) joins your network and runs a network sniffer
- Chuck inspects your network packets to attempt to predict the sequence numbers of your packets between you and the gateway
- Chuck sends a packet to your computer with the faked source address of the gateway and the correct ARP sequence to fool your computer into thinking the attacker’s computer is the gateway
- At the same time, Chuck floods the gateway with a Denial of Service (DoS) attack so you receive the fake ARP packet before the gateway is able to respond
- Chuck fooled your computer into thinking the attacker’s laptop is the real gateway, and the MitM attack is successful
2. DNS Cache Poisoning
DNS cache poisoning is when the attacker gives you a fake DNS entry that leads to a different website. It might look like Google, but it’s not Google, and the attacker captures whatever data – username and password, for example – you enter into the faked website.
- Chuck figures out that you use a certain DNS resolver.
- Chuck knows this resolver is vulnerable to exploits, like an older version of BIND.
- Chuck uses this exploit to tell the DNS resolver that www.example.com lives at an IP address that they own.
- You go to www.example.com from your computer, and the DNS resolver tells you that the IP address of that site is the attacker’s machine!
- Chuck completes the connection to the real website so you don’t realize there is anyone listening, but he is able to see all the packets that you (or anyone else that uses this DNS resolver to connect to www.example.com) are sending.
3. HTTPS Spoofing
HTTPS is one of the ways users know that their data is “safe.” The S stands for secure. At least that is what an attacker wants you to think. Attackers set up HTTPS websites that look like legitimate sites with valid authentication certificates, but the URL will be just a bit different. For example, they will register a website with a unicode character that looks like an ‘a’ but isn’t. Continuing with the “example.com” example, the URL might look like https://www.example.com, but the ‘a’ in “example” is a cyrillic “a”, which is a valid unicode character that appears just like an arabic “a” with a different unicode value.
- Chuck gets you to visit his website www.example.com with the Cyrillic “a” using some kind of attack, phishing for example.
- You download the CA certificate for the fake website.
- Chuck signs the certificate with his CA private key and sends it to you.
- You store the certificate in your trusted key store.
- Chuck relays the traffic to the real www.example.com, and he is now a real MitM listening to your traffic
4. Wi-Fi Eavesdropping
Attackers listen to traffic on public or unsecured Wi-Fi networks, or they create Wi-Fi networks with common names to trick people into connecting so they can steal credentials or credit card numbers or whatever other information users send on that network. Kody from SecurityFWD has several different videos that show how easy this is.
5. Session Hijacking
Session hijacking is a MitM attack where the attacker watches for you to log into a web page (banking account, email account, for example) and then steals your session cookie to log into that same account from their browser. This is the attack we demonstrate in our Live Cyber Attack workshop we mentioned previously.
Once the attacker has your active session cookie on their computer, they can do whatever you could do on that website. Our guy Chuck could transfer all of your savings to an offshore account, buy a bunch of goods with your saved credit card, or use the stolen session to infiltrate your company network and establish a stronger foothold on the corporate network.
Are MitM Attacks Common?
MitM attacks have been around for a long time, and while they’re not as common as phishing and malware or even ransomware, they are usually part of targeted attacks with specific intent. For example, an attacker who wants to steal a credit card number might snoop on a coffee shop Wi-Fi for that data. Another attacker might use MitM techniques as part of a larger plan to break into a large enterprise. Our MitM Cyber Attack Lab demonstrates how an attacker can use malware to intercept network traffic and gain entry into the enterprise email system.
How to Detect a Man-in-the-Middle Attack
MitM attacks can be difficult to catch, but their presence does create ripples in the otherwise regular network activity that cybersecurity professionals and end-users can notice. The conventional wisdom is more prevention than detection.
Signs to Look For
Here are some signs there may be extra listeners on your networks.
- Unexpected and/or repeated disconnections: Attackers forcefully disconnect users so they can intercept the username and password when the user tries to reconnect. By monitoring for unexpected or repeated disconnections, you can pinpoint this potentially risky behavior proactively.
- Strange addresses in your browser address bar: If anything in the address looks odd, even by a little, double-check it. It could be a DNS hijack. For example, you see https:\\www.go0gle.com instead of https:\\www.google.com
- You log into a public and/or unsecured Wi-Fi: Be very careful of what networks you connect to, and avoid public Wi-Fi if possible. Attackers create fake networks with known IDs like “local free wireless” or some other common name to trick people into connecting. If you connect to the attacker’s Wi-Fi, they can easily see everything you send on the network.
How to Prevent a Man-in-the-Middle Attack
Here are several best practices to protect you and your networks from MitM attacks. None of them are 100% fool-proof.
General Best Practices
Overall, good cybersecurity hygiene will help protect you from MitM attacks.
- Only connect to secured Wi-Fi routers or use your wireless carrier’s encrypted connection. Connect to routers that use WPA2 security. It’s not totally foolproof, but it’s much better than nothing.
- Add a VPN to encrypt traffic between end-points and the VPN server (either on the enterprise network or on the internet). If traffic is encrypted, it’s harder for a MiTM to steal or modify it.
- Use end-to-end encryption for your emails, chat, and video communication (Zoom, Teams, etc.)
- Keep the system patched and malware updated
- Use a password manager to protect your passwords and prevent reuse of passwords
- Only connect to HTTPS connections, use a browser plugin to enforce this rule
- Use multi-factor authentication wherever available
- Employ DNS over HTTPS, which is a new technology that protects you from DNS hijacking by encrypting your DNS requests
- Follow the zero-trust principles to build internal barriers around access to data, which prevent infiltrators from moving freely throughout the network if they were to get inside
- Monitor activity on the network to detect evidence (malicious network connections or abnormal user behavior, for example) of a compromise or MitM techniques in use
Why Encryption Can Protect You From MitM Attacks
End-to-end encryption can help prevent a MitM from reading your network messages. Encryption involves both the sender and the receiver using a shared key to encrypt and decrypt messages that they send and receive. Without that shared key, the messages are gobbledygook, so the MitM can’t read them.
Encryption makes it harder for an attacker to intercept and read the network data, but it isn’t impossible, and it’s not a guarantee against compromise, because attackers have developed techniques to work around encryption.
For example, in the MitM Cyber Attack Lab, we demonstrate how an attacker can steal the authentication token that contains the username, password, and MFA authentication data to log in to an email account. Once they hijack the session cookie, it doesn’t matter that the communication between the client and server is encrypted — the hacker simply logins as the end-user and can access everything the user can access.
Future of MitM Attacks
MitM attacks will continue to be a useful tool in attackers’ arsenals as long as they can continue to intercept important data like passwords and credit card numbers. It’s a perpetual arms race between software developers and network providers to close the vulnerabilities attackers exploit to execute MitM.
Take the massive proliferation of the Internet of Things (IoT) over the past few years. IoT devices don’t yet adhere to the same security standards or have the same capabilities as other devices, which makes them more vulnerable to MitM attacks. Attackers use them as a way into an organization’s network so they can move to other techniques. Who knew that a new fancy internet-capable thermostat was a security hole? Attackers do!
Wider adoption of wireless networking, 5G networks, for example, is another opportunity for attackers to use MitM to steal data and infiltrate organizations, as demonstrated at BlackHat 2019. It is incumbent on the wireless companies to fix vulnerabilities like the ones shown at BlackHat and provide a secure backbone for users and devices.
Overall, there are more devices connected to more networks, which means more opportunities for attackers to use MitM techniques. Knowing the telltale signs of a MitM attack and putting in place detection methods can help you spot attacks before they do damage.
Check out our Live Cyber Attack Workshop, where we demonstrate how an attacker can intercept a user’s authentication token using MitM to infiltrate and steal important data and show how Varonis can detect this attack.
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.