A man-in-the-middle (MITM) attack is when a bad actor interrupts an established network conversation or data transfer. The attacker sits in the middle of the transfer path and then pretends or act as a legitimate participant in the conversation.
In practice, the attackers position themselves between incoming requests and outgoing responses. As a user, you will continue believing that you are talking directly to the legitimate destination server or web application, such as Facebook, Twitter, online bank, and others. However, in reality, you will be sending requests to the man-in-the-middle, who then talks to your bank or app on your behalf.
As such, the man in the middle will see everything, including all your requests and responses you get from the destination or target server. Besides viewing all the conversation, the man in the middle can modify your requests and responses, steal your credentials, direct you to a server they control, or perform other cybercrimes.
Generally, the attacker can intercept the communications stream or data from either party in the conversation. The attacker can then modify the information or send malicious links or responses to both legitimate participants. In most cases, this can go undetected for some time, until later after a lot of damage.
Common man-in-the-middle attack techniques
Packet sniffing: – The attacker uses various tools to inspect the network packets at a low level. The sniffing allows attackers to see data packets they are not authorized to access.
Packet injection: – where attackers inject malicious packets into the data communication channels. Before injection, the criminals will first use sniffing to identify how and when to send the malicious packets. After injection, the bad packets blend with the valid ones in the communication stream.
Session hijacking: In most web applications, the log-in process creates a temporary session token so that the user does not have to keep on typing the password for every page or any future request. Unfortunately, an attacker using various sniffing tools may identify and use the session token, which they can now use to make requests pretending to be the legitimate user.
SSL stripping: Attackers can use the SSL tripping technique to intercept the legitimate packets, modify the HTTPS-based requests and direct them to the insecure HTTP equivalent destination. Consequently, the host will start making an unencrypted request to the server, hence expose sensitive data as plain text that is easy to steal.
Consequences of MITM attacks
MITM attacks are dangerous to any organization and since they can result in financial and reputation losses.
Usually, the criminals can obtain and misuse the organization’s sensitive and private information. For example, they can steal credentials such as usernames and passwords, credit card details and use them to transfer funds or make unauthorized purchases. They can also use stolen credentials to install malware or steal other sensitive information – which they can use to blackmail the company.
For this reason, it is critical to protect the users and digital systems to minimize the risks of MITM attacks.
MITM attack tools for security teams
Besides using reliable security solutions and practices, you need to use the necessary tools to check your systems and identify vulnerabilities that attackers can exploit. To help you make the right choice, here are some of the HTTP MITM attack tools for security researchers.
Hetty is a fast open-source HTTP toolkit with powerful features to support security researchers, teams, and the bug bounty community. The lightweight tool with an embedded Next.js web interface comprises an HTTP man in the middle proxy.
- Enables you to perform a full-text search
- It has a sender module that allows you to send HTTP requests manually based on either the off requests from the proxy log or by creating them from scratch.
- An attacker module that allows you to send HTTP requests automatically
- Simple installation and easy to use interface
- Manually send the HTTP requests by either starting from scratch, crafting the request, or by simply copying from the Proxy log.
Bettercap is a comprehensive and scalable network reconnaissance and attack tool.
The easy-to-use solution provides the reverse engineers, security experts, and red teams with all the features to test or attack Wi-Fi, IP4, IP6 networks, Bluetooth Low Energy (BLE) devices, and wireless HID devices. Additionally, the tool has network monitoring capabilities and other features such as fake access point creation, password sniffer, DNS spoofer, handshake capture, etc.
- A powerful inbuilt network sniffer for identifying authentication data and harvesting credentials
- powerful, extensible
- Actively and passively probe and test IP network hosts for potential MITM vulnerabilities.
- Easy to use and interactive web-based user interface that allows you to conduct a wide range of MITM attacks, sniff credentials, control HTTP and HTTP traffic, etc.
- Extract all the data it gathers such as POP, IMAP, SMTP, and FTP credentials, visited URLs and HTTPS hosts, HTTP cookies, HTTP posted data, and more. It then presents it in an external file.
- Manipulate or modify the TCP, HTTP, and HTTPS traffic in real-time.
Proxy.py is a lightweight open-source WebSockets, HTTP, HTTPS, and HTTP2 proxy server. Available in a single python file, the fast tool enables researchers to inspect web traffic, including TLS encrypted apps, while consuming minimal resources.
- It is a fast and scalable tool that can handle tens of thousands of connections per second.
- Programmable features such as a built-in web server, proxy, and HTTP routing customization, etc
- It has a lightweight design that uses 5-20MB RAM. Also, it relies on the standard Python libraries and does not require any external dependencies.
- A real-time customizable dashboard that you can extend using plugins. It also gives you the option to inspect, monitor, configure and control the proxy.py at runtime.
- The secure tool uses TLS to provide end-to-end encryption between the proxy.py and the client.
The mitmproxy is an easy-to-use, open-source HTTPS proxy solution.
Generally, the easy-to-install tool works as an SSL man-in-the-middle HTTP proxy and has a console interface that allows you to inspect and modify the traffic flow on the fly. You can use the command-line-based tool as an HTTP or HTTPS proxy to record all network traffic, see what users are requesting and replay them. Usually, mitmproxy refers to a set of three powerful tools; the mitmproxy (console interface), mitmweb (web-based interface), and mitmdump (command-line version).
- Interactive and reliable HTTP traffic analysis and modification tool
- A flexible, stable, reliable, easy to install and use tool
- Allows you to intercept and modify the HTTP and HTTPS requests and responses on the fly
- Record and save the HTTP client-side and server-side conversations, then replay and analyze them in the future
- Generate the SSL/TLS certificates to intercept on the fly
- Reverse proxy features allow you to forward the network traffic to a different server.
Burp is an automated and scalable vulnerability scanning tool. The tool is a good choice for many security professionals. Generally, it enables the researchers to test web applications and identify vulnerabilities that criminals can exploit and launch MITM attacks.
It uses a user-driven workflow to provide a direct view of the target application and how it works. Operating as a web proxy server, Burp sits as the man-in-the-middle between the web browser and the destination servers. Consequently, this allows you to intercept, analyze and modify the request and response traffic.
- Intercept and inspect the raw network traffic in both directions between the web browser and server
- Breaks the TLS connection in HTTPS traffic between the browser and destination server hence allowing the attacker to view and modify encrypted data
- Choice of using the Burps embedded browser or the external standard web browser
- Automated, fast, and scalable vulnerability scanning solution, It allows you to scan and test web applications faster and efficiently, thus identify a wide range of vulnerabilities
- Display individual intercepted HTTP requests and responses
- Manually review the intercepted traffic to understand the details of an attack.
Ettercap is an open-source network traffic analyzer and interceptor.
The comprehensive MITM attacks tool allows researchers to dissect and analyze a wide range of network protocols and hosts. It can also register the network packets on a LAN and other environments. Further, the multi-purpose network traffic analyzer can detect and stop man-in-the-middle attacks.
- Intercept network traffic and capture credentials such as passwords. Also, it can decrypt encrypted data and extract credentials such as usernames and passwords.
- Suitable for deep packet sniffing, testing, monitoring network traffic, and providing real-time content filtering.
- Supports active and passive eavesdropping, dissecting, and analyses of networks protocols, including those with encryption
- Analyze a network topology and establish the operating systems installed.
- User-friendly graphical user interface with interactive and non-interactive GUI operation options
- utilizes analysis techniques such as ARP interception, IP and MAC filtering, and others to intercept and analyze traffic
Preventing MITM attacks
Identifying MITM attacks is not very easy since it happens away from the users, and it is hard to detect since attackers make everything look normal. However, there are several security practices that organizations can use to prevent man-in-the-middle attacks. These include;
- Secure the internet connections at work or home networks such as by using effective security solutions and tools on your servers and computers, reliable authentication solutions
- Enforcing strong WEP/WAP encryption for the access points
- Ensuring that all the websites you visit are secure and have HTTPS in the URL.
- Avoid clicking suspicious emails messages and links
- Enforce HTTPS and disable insecure TLS/SSL protocols.
- Use Virtual Private Networks where possible.
- Using the above tools and other HTTP solutions to identify and address all man-in-the-middle vulnerabilities that attackers can exploit.