Man-in-the-Middle attacks are one of the most widely used attack types in today's cyber attacks. They are also known as eavesdropping (snooping). In a Man-in-the-Middle attack there are three players. These players are:
- Client (Victim)
- Server (the destination the client is connecting to)
- Attacker (the "Man" in the Middle)
Man-in-the-Middle attacks are mainly used to steal valuable information about victims. This can be important passwords, bank details or any other secret information. They can also be carried out at different layers of the well-known OSI model.
Types of attack.
- Passive Man-in-the-Middle attacks (passive MiTM): The attacker listens to, captures and records the traffic between the two endpoints but does not modify any packets. The packets are forwarded unchanged between the two endpoints, but with a big problem: the attacker now knows all of the communication between them.
- Active Man-in-the-Middle attacks (active MiTM): The attacker likewise listens to, captures and records the traffic between the two endpoints, but here the integrity of the data is damaged: packets are manipulated, and the modified packets are sent on to each endpoint. With manipulated packets the attacker can make either victim do what the attacker wants.
- Session hijacking: This attack involves taking over an existing connection between two parties. The attacker can do this by stealing the session ID or other authentication credentials from one of the parties. Once the attacker has control of the session, they can intercept and modify any data that is sent between the two parties.
- Replay attacks: This attack involves sending a previously captured message to a victim. The attacker can do this by capturing the message in transit or by stealing it from the victim's computer. When the attacker sends the message to the victim, it will appear to be coming from the original sender. This can be used to trick the victim into taking an action that they would not otherwise take.
- IP spoofing: This attack involves sending packets with a false IP address. The attacker can do this by changing the IP address in the packet header. When the victim receives the packet, they will believe that it came from the spoofed IP address. This can be used to trick the victim into connecting to a malicious server.
- ARP spoofing: This attack involves changing the ARP cache on a victim's computer. The attacker can do this by sending spoofed ARP replies. When the victim's computer receives the spoofed ARP replies, it will believe that the attacker's computer is the gateway. This can be used to intercept traffic that is meant for the gateway.
- DNS spoofing: This attack involves redirecting a victim's DNS queries to a malicious DNS server. The attacker can do this by poisoning the victim's DNS cache or by configuring their own DNS server to respond to DNS queries for the victim's domain. When the victim's computer sends a DNS query for a domain, it will receive a response from the malicious DNS server. The malicious DNS server can then redirect the victim to a malicious website.
- HTTPS spoofing: This attack involves creating a fake HTTPS website that looks like a legitimate website. The attacker can do this by obtaining a valid SSL/TLS certificate for the fake website. When the victim visits the fake website, their browser will believe that it is visiting the legitimate website. This can be used to trick the victim into entering their personal information or making a financial transaction.
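The ARP spoofing entry above describes the symptom a defender can watch for: the gateway's IP suddenly answering from a different MAC, or one MAC claiming several IPs. The following is an added example, not code from the original page, showing a small Python ARP watcher that applies those two checks to a stream of ARP replies. The `ArpReply` records, the gateway address 192.168.1.1 and the MAC addresses are constructed sample data; a real deployment would feed it replies captured from the network instead.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply: the sender claims to own sender_ip (constructed sample data)."""
    sender_ip: str
    sender_mac: str


class ArpWatch:
    """Track IP-to-MAC bindings learned from ARP replies and flag poisoning symptoms.

    Two symptoms are checked: an IP (especially the gateway) that starts answering
    from a different MAC, and one MAC that claims more than one IP address.
    """

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.ip_to_mac = {}                  # ip -> last MAC seen answering for it
        self.mac_to_ips = defaultdict(set)   # mac -> every IP it has claimed

    def observe(self, reply):
        """Record one reply and return a list of alert tuples (empty when nothing is suspicious)."""
        alerts = []
        previous = self.ip_to_mac.get(reply.sender_ip)
        if previous is not None and previous != reply.sender_mac:
            kind = "gateway-mac-changed" if reply.sender_ip == self.gateway_ip else "binding-changed"
            alerts.append((kind, reply.sender_ip, previous, reply.sender_mac))
        self.ip_to_mac[reply.sender_ip] = reply.sender_mac

        ips = self.mac_to_ips[reply.sender_mac]
        if reply.sender_ip not in ips:       # only alert when a MAC claims a *new* extra IP
            ips.add(reply.sender_ip)
            if len(ips) > 1:
                alerts.append(("mac-claims-multiple-ips", reply.sender_mac, tuple(sorted(ips))))
        return alerts


# Constructed sample: a legitimate gateway and host, a normal refresh, then a reply in
# which the host's MAC claims the gateway's IP (the symptom described in the text).
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:bb:cc:dd:ee:01"),
    ArpReply("192.168.1.50", "aa:bb:cc:dd:ee:50"),
    ArpReply("192.168.1.1", "aa:bb:cc:dd:ee:01"),   # normal refresh, no alert
    ArpReply("192.168.1.1", "aa:bb:cc:dd:ee:50"),   # poisoned reply
]


def run_sample(replies=SAMPLE_REPLIES, gateway_ip="192.168.1.1"):
    """Feed the sample replies through the watcher and return all alerts raised."""
    watch = ArpWatch(gateway_ip)
    alerts = []
    for reply in replies:
        alerts.extend(watch.observe(reply))
    return alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The watcher is deliberately stateful: a single reply is not suspicious on its own, so the check only becomes meaningful once a baseline binding for each IP has been learned. A legitimate MAC change (a replaced gateway, a host with a new NIC) will also trigger `binding-changed`, so treat the alerts as a prompt to confirm the binding, not as proof of an attack.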
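The replay attack entry above explains that a captured message re-sent later looks as if it came from the original sender. The following is an added example, not code from the original page, showing the receiver-side defence in Python: each message carries a nonce and a timestamp under an HMAC, and the receiver rejects anything that fails the MAC, falls outside a freshness window, or reuses a nonce seen inside that window. The shared key, the message contents, the nonce values and the clock values passed as `now` are all constructed for the example.

```python
import hashlib
import hmac
import json


def sign_message(key, payload, nonce, ts):
    """Sender side: bind the payload to a nonce and a timestamp under an HMAC-SHA256 tag."""
    body = json.dumps({"payload": payload, "nonce": nonce, "ts": ts}, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class ReplayGuard:
    """Receiver side: accept a message only if it is authentic, fresh and not seen before."""

    def __init__(self, key, max_skew=30):
        self.key = key
        self.max_skew = max_skew     # seconds a timestamp may differ from the receiver's clock
        self.seen_nonces = {}        # nonce -> ts, remembered only for the freshness window

    def verify(self, msg, now):
        """Return (True, payload) or (False, reason). `now` is injected so runs are deterministic."""
        expected = hmac.new(self.key, msg["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad-mac"          # modified in transit or forged outright
        fields = json.loads(msg["body"])
        if abs(now - fields["ts"]) > self.max_skew:
            return False, "stale"            # outside the window: replay of an old capture
        self._expire(now)
        if fields["nonce"] in self.seen_nonces:
            return False, "replay"           # same nonce inside the window: duplicate delivery
        self.seen_nonces[fields["nonce"]] = fields["ts"]
        return True, fields["payload"]

    def _expire(self, now):
        # Nonces older than the window can be forgotten: the timestamp check rejects them anyway,
        # so the nonce store stays bounded without opening a replay gap.
        cutoff = now - self.max_skew
        for nonce in [n for n, t in self.seen_nonces.items() if t < cutoff]:
            del self.seen_nonces[nonce]


SHARED_KEY = b"constructed-shared-secret"   # constructed sample key, not a real credential


def run_sample():
    """Deliver one message, then try the three ways a captured copy can be abused."""
    guard = ReplayGuard(SHARED_KEY)
    original = sign_message(SHARED_KEY, {"action": "transfer", "amount": 250}, nonce="n-0001", ts=1000)
    # A captured copy with the amount changed but the original tag left in place.
    tampered = {"body": original["body"].replace(b"250", b"999"), "mac": original["mac"]}
    return [
        guard.verify(original, now=1005),   # first delivery: accepted
        guard.verify(original, now=1010),   # captured copy re-sent inside the window: replay
        guard.verify(tampered, now=1012),   # captured copy with the amount changed: bad-mac
        guard.verify(original, now=1100),   # re-sent long after capture: stale
    ]


if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

The order of the checks matters: the MAC is verified before the body is parsed, so unauthenticated input never reaches the JSON parser, and the timestamp is checked before the nonce lookup, so the nonce store only has to remember values inside the window. Note that this protects the receiver against replay of a captured message; it does not by itself prevent the passive capture described earlier, which needs transport encryption such as TLS.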