A Man in the Middle attack (MITM) is an extremely dangerous hacking technique and can happen anywhere: on a website, on a mobile phone, or in a conventional communication channel such as written correspondence. It is therefore worth discussing the MITM attack regardless of where and how it is technically implemented.
What is a Man in the Middle Attack?
A Man in the Middle attack is a hacking technique in which the hacker places their own device between two devices that are communicating with each other. Because the attacker sits in the middle of the communication, they can read, hear, modify, or block the packets that are about to be sent or received by either device.
The most severe outcome of a Man in the Middle attack is that the hacker wiretaps the traffic and steals passwords. This kind of attack is very effective, more dangerous, and harder to avoid than phishing.
MITM Isn’t Just Sniffing
Many people assume that the aim of a Man in the Middle attack is to wiretap confidential data, as in sniffing. Sniffing is a passive attack: the sniffer does nothing but monitor the data passing by. An attacker certainly can wiretap the communication between two parties with a Man in the Middle attack, but sniffing is not the greatest strength of MITM. Its main capability is to intercept and alter the communication, which is why Man in the Middle is also classed as an active attack.
How MITM Works
MITM works by exploiting ARP (Address Resolution Protocol), the protocol responsible for translating an IP address to a MAC address.
At the lowest network layer, two devices identify each other by MAC address. So if the ARP table is modified by hackers, they can redirect data transmission for their own purposes.
If you are using a Windows computer, you can inspect the ARP table by typing arp -a in the command prompt (cmd). It lists one line per device, with the IP address and MAC address of every connected computer.
Take a look at the picture below to see the data delivery route before a MITM attack.
Under normal conditions, meaning before a MITM attack, the client device sends data to and receives data from the Wi-Fi router directly, with no intermediary. After the MITM attack on the client device, the hacker wiretaps the communication in the position where the router used to be, as you can see in the picture below.
Hackers can wiretap a communication because ARP has two exploitable weaknesses:
- every ARP request or ARP response is always trusted;
- a client accepts a response even if it never sent a request.
Every device that newly connects to a network tries to find out which device is the right router, and the router responds. At the same time, the router records the device's IP and MAC address in its ARP table.
To create a Man in the Middle condition, the hacker sends a response to the client computer while posing as the router; this works because the client computer does not verify whether the router that answers is the right one. The following illustration shows this scheme.
Because every request and response is trusted, the client device believes the hacker's device is the right router. At this point the hacker has deceived the client into treating the hacker as its router. Next, the hacker also masquerades as the real client toward the router, as explained in the picture below.
The router now believes the hacker is the client, and the client believes the hacker is the router. The hacker's device is thus in the middle between client and router, and every packet the client device sends or receives passes through the hacker's device first. This is why such wiretapping is called a Man in the Middle attack.
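As an added illustration of the two ARP weaknesses and the two-sided deception described above (example code written for this page, not taken from the article or from any tool it names), the following Python script parses raw Ethernet/ARP frames and flags, from the defender's side, the three signs of an ARP-based Man in the Middle: a reply nobody asked for, an IP address whose MAC binding changes, and one MAC address claiming both the router's and a client's IP. All addresses and frames are constructed sample values.

```python
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(oper, sha, spa, tha, tpa):
    """Build an Ethernet II frame carrying an IPv4 ARP packet (used here to construct sample traffic)."""
    dst = BROADCAST if oper == ARP_REQUEST else mac_bytes(tha)
    eth = struct.pack("!6s6sH", dst, mac_bytes(sha), ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp_frame(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _dst, _src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpMonitor:
    """Tracks IP-to-MAC bindings learned from ARP replies and records alerts on spoofing signs."""

    def __init__(self):
        self.table = {}       # ip -> mac, as learned from replies
        self.pending = set()  # (asker_ip, asked_ip) requests seen but not yet answered
        self.alerts = []

    def observe(self, frame):
        pkt = parse_arp_frame(frame)
        if pkt is None:
            return
        if pkt["oper"] == ARP_REQUEST:
            self.pending.add((pkt["spa"], pkt["tpa"]))
            return
        if pkt["oper"] != ARP_REPLY:
            return
        spa, sha, tpa = pkt["spa"], pkt["sha"], pkt["tpa"]
        # Weakness 2: a reply nobody asked for. A gratuitous announcement (spa == tpa) is benign.
        if (tpa, spa) in self.pending:
            self.pending.discard((tpa, spa))
        elif spa != tpa:
            self.alerts.append(f"unsolicited reply: {spa} is-at {sha}, sent to {tpa}")
        # Weakness 1: the reply is trusted even when it contradicts what was learned earlier.
        old = self.table.get(spa)
        if old is not None and old != sha:
            self.alerts.append(f"binding changed: {spa} was {old}, now {sha}")
        self.table[spa] = sha
        # The MITM footprint: one MAC answering for both the router's and a client's IP.
        owners = sorted(ip for ip, mac in self.table.items() if mac == sha)
        if len(owners) > 1:
            self.alerts.append(f"one MAC {sha} claims several IPs: {owners}")


def demo_scenario():
    """Constructed traffic: a legitimate request/reply pair, then the two spoofed replies of the attack."""
    client_ip, client_mac = "192.168.1.10", "aa:aa:aa:aa:aa:01"
    router_ip, router_mac = "192.168.1.1", "aa:aa:aa:aa:aa:fe"
    attacker_mac = "de:ad:be:ef:00:01"  # sample value, not a real device
    frames = [
        build_arp_frame(ARP_REQUEST, client_mac, client_ip, "00:00:00:00:00:00", router_ip),
        build_arp_frame(ARP_REPLY, router_mac, router_ip, client_mac, client_ip),
        # to the client: "the router's IP is at the attacker's MAC" (no request preceded it)
        build_arp_frame(ARP_REPLY, attacker_mac, router_ip, client_mac, client_ip),
        # to the router: "the client's IP is at the attacker's MAC"
        build_arp_frame(ARP_REPLY, attacker_mac, client_ip, router_mac, router_ip),
    ]
    mon = ArpMonitor()
    for frame in frames:
        mon.observe(frame)
    return mon


if __name__ == "__main__":
    for alert in demo_scenario().alerts:
        print(alert)
```

On a real network the same logic would consume frames from a packet capture on the local interface. Gratuitous ARP announcements, where sender and target IP are equal, are treated as benign so that a host renewing its DHCP lease does not trip the unsolicited-reply alert; the binding-change and shared-MAC alerts are the ones worth paging on.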
Tools Used by Hackers for MITM Attacks
Hackers require a Kali Linux operating system to carry out a MITM attack. Kali Linux can also be run on Windows in VirtualBox or in one of the best Kali Linux emulators for Windows.
One of the most popular MITM tools is MITMf (Man in the Middle Framework), a complete framework with wiretapping features. Before a hacker can run a MITM attack, though, they must be on the same network as the target victim.
The following is the attack command in MITMf:
mitmf --arp --spoof --gateway [target router ip] --targets [target client ip]
That command deceives the target router and the client at once. The hacker then enables IP forwarding by editing the file /proc/sys/net/ipv4/ip_forward, changing its value from 0 (inactive) to 1 (active), so that packets not addressed to the hacker's device are forwarded on to the target client's device.
When the hacker runs MITMf, it automatically performs the attack described above (deceiving the client and its router) and also sniffs packets. Captured packets are listed directly in the terminal.
All sensitive information, such as usernames and passwords, is visible in plain text (without encryption) if the site being accessed does not use SSL (https).
For example, the victim opens a login page on a membership site in Google Chrome and fills in their credentials. Because the site does not use https, the username and password are sent unencrypted. The packet containing them passes through the hacker's tool first and can be read on the hacker's device.
Most large websites use SSL for security. Its main function is to encrypt all data so it cannot be tapped. Notably, MITMf runs the SSLstrip program automatically; SSLstrip downgrades https to http. Even so, large sites such as Facebook, Google, and Twitter use an additional protection that forces their users to keep using https.
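The additional protection referred to above is the Strict-Transport-Security (HSTS) response header: a browser that has once received it over https refuses plain http for that site for max-age seconds, so an SSLstrip-style downgrade fails. The following Python check is an added example, not code from the article or from any site it names; it parses that header out of a dict of response headers and reports whether a downgrade would be refused. The sample header sets are constructed.

```python
ONE_YEAR = 31536000  # seconds; the widely recommended minimum for a strong HSTS policy


def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into {directive: value}; names are lower-cased."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def evaluate_hsts(headers):
    """Report whether a browser that has seen these response headers over https will refuse plain http.

    headers: dict of response header names to values (names are matched case-insensitively).
    """
    value = None
    for name, val in headers.items():
        if name.lower() == "strict-transport-security":
            value = val
    if value is None:
        return {"enforced": False,
                "reason": "no Strict-Transport-Security header; a downgraded http request would be accepted"}
    d = parse_hsts(value)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return {"enforced": False, "reason": "missing or malformed max-age; browsers ignore the header"}
    if max_age <= 0:
        return {"enforced": False, "reason": "max-age=0 removes any stored policy"}
    include_sub = "includesubdomains" in d
    return {
        "enforced": True,
        "max_age": max_age,
        "include_subdomains": include_sub,
        # a short max-age, or a policy that leaves subdomains out, still leaves a downgrade window
        "strong": max_age >= ONE_YEAR and include_sub,
    }


# Constructed sample responses: one site with a strong policy and one with none.
SAMPLE_STRONG = {"Content-Type": "text/html",
                 "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
SAMPLE_MISSING = {"Content-Type": "text/html"}

if __name__ == "__main__":
    print(evaluate_hsts(SAMPLE_STRONG))
    print(evaluate_hsts(SAMPLE_MISSING))
```

The check has one blind spot that matters for the attack above: the header only protects a browser that has already visited the site over https once, so the very first plain-http visit on a hostile network is still exposed unless the site is on the browsers' built-in preload list.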
But what happens when a target uses the "remember me" feature? That feature lets the user log in automatically using cookies stored in the browser. In that case the username and password are not sent to the server, so the hacker cannot read the password.
Logging in with browser cookies is still dangerous, because cookies can be stolen too. Instead of tapping passwords, hackers can steal cookies and load them into their own browser, logging in without ever knowing the target's username and password. Stealing cookies is the more practical form of wiretapping.
So hackers use MITMf for the Man in the Middle position, Ferret to steal cookies, and Hamster to inject the cookies into Kali Linux's browser. Techniques vary, since many hacking tools offer similar functions.
This article does not, however, give a deeper tutorial on hacking with MITM. But knowing at least how such tools work is useful for avoiding these attacks.
The Bad Things Caused by a Man in the Middle Attack
Because a hacker running a Man in the Middle attack is wiretapping the communication path, the information sent or received can be changed, removed, or faked. Hackers can do the following bad things using Man in the Middle techniques.
Whatever you type into blogs or other websites, including highly sensitive information such as passwords, passes through the hacker's tool first, so the hacker can peek at your password and other credentials. MITM can also be integrated with Wireshark, which helps the hacker's wiretapping because Wireshark records and displays the stolen data more conveniently.
Every time you type a website address, you are actually accessing a web server by its IP address. Hackers can exploit this with a fake DNS using the Man in the Middle technique: when you type Google, the site that opens is a fake Google, even though you are sure you typed the correct address. Using DNS spoofing, hackers can map a site name to a different IP address, for example a local website hosted on the hacker's computer.
Your browser stores your login data in cookies, which is why you can log in to Facebook without entering your username and password simply by typing the Facebook address. That is one of the functions of cookies. The bad part is that, with a MITM technique, hackers can steal your cookies.
How to Avoid a MITM Attack
If you become suspicious, immediately check the ARP table by typing arp -a at the command prompt (cmd). Make sure that no two different IP addresses on the same network share the same MAC address.
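To make that check repeatable, here is an added Python example (not code from the article) that parses the output of arp -a in both the Windows and Linux formats and reports any unicast MAC address that the table lists for more than one IP address, which is the footprint of one device answering for both the router and a client. It also compares the gateway's MAC against a known-good value. The table text and addresses are constructed samples.

```python
import re
from collections import defaultdict

# Matches one neighbour entry in either format:
#   Windows "arp -a":  "  192.168.1.1           de-ad-be-ef-00-01     dynamic"
#   Linux   "arp -a":  "? (192.168.1.1) at de:ad:be:ef:00:01 [ether] on eth0"
ENTRY_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})"
)


def parse_arp_table(text):
    """Return [(ip, mac), ...] from arp -a output, with MACs normalised to lower-case aa:bb:cc form."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            entries.append((m.group("ip"), m.group("mac").lower().replace("-", ":")))
    return entries


def is_group_mac(mac):
    """True for broadcast and multicast MACs (I/G bit set); these map to many IPs by design."""
    return int(mac.split(":")[0], 16) & 1 == 1


def find_duplicate_macs(entries):
    """Return {mac: [ips]} for every unicast MAC that the table lists for more than one IP."""
    ips_by_mac = defaultdict(set)
    for ip, mac in entries:
        if not is_group_mac(mac):
            ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


def check_gateway(entries, gateway_ip, expected_mac):
    """Compare the gateway's current MAC with a known-good value recorded on a trusted network."""
    current = dict(entries).get(gateway_ip)
    return current == expected_mac.lower().replace("-", ":")


# Constructed sample: the router (.1) and a client (.20) resolve to the same MAC, as after the attack.
SAMPLE_WINDOWS = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           de-ad-be-ef-00-01     dynamic
  192.168.1.20          de-ad-be-ef-00-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample of a clean Linux table.
SAMPLE_LINUX = """\
? (192.168.1.1) at aa:aa:aa:aa:aa:fe [ether] on eth0
? (192.168.1.20) at aa:aa:aa:aa:aa:14 [ether] on eth0
"""

if __name__ == "__main__":
    for name, sample in (("windows", SAMPLE_WINDOWS), ("linux", SAMPLE_LINUX)):
        dups = find_duplicate_macs(parse_arp_table(sample))
        print(name, "suspicious:" if dups else "clean", dups)
```

A shared MAC is not proof on its own: a router that owns several addresses, or a host doing proxy ARP, looks the same in the table. Treat a hit as the prompt to run the gateway comparison against a MAC you noted down on a day you trusted the network, and to leave the network if the two differ.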
You should now understand how dangerous it is to be on the same network as a hacker. So raise your internet security: always double-check that site addresses use https, and be suspicious when an address switches to http automatically. If you have to access the site, change the address to https by typing it manually. Finally, do not use the "remember me" feature, even though it is very convenient.