08-10-2012, 12:08 PM
Man in the middle attacks
Man in the middle.ppt (Size: 1 MB / Downloads: 33)
Sniffing
It is the easiest attack to launch, since all the packets transit through the attacker.
All “plain text” protocols are compromised (the attacker can sniff the username and password of many widely used protocols such as telnet, ftp and http)
Injecting
Possibility to add packets to an already established connection (only possible in a full-duplex mitm)
The attacker can modify the sequence numbers and keep the connection synchronized while injecting packets.
If the mitm attack is a “proxy attack” it is even easier to inject (there are two distinct connections)
Filtering
The attacker can modify the payload of the packets, recalculating the checksum
He/she can create filters on the fly
The length of the payload can also be changed, but only in full-duplex (in this case the sequence numbers have to be adjusted)
Local Attacks (1)
ARP poisoning
ARP is stateless (we all know how it works and what the problems are)
Some operating systems do not update an entry if it is not already in the cache, others accept only the first received reply (e.g. Solaris)
The attacker can forge a spoofed ICMP packet to force the host to make an ARP request. Immediately after the ICMP it sends the fake ARP reply
Request attack against Linux (IDS evasion)
Useful to sniff on switched LANs
The switch works at layer 2 and it is not aware of the poisoning in the hosts’ ARP cache (unless some form of ARP inspection is in place)
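Since the switch itself cannot see the poisoning, detection on a switched LAN usually comes from a passive ARP monitor on a host or a mirror port (the same idea as arpwatch). The following is an added example, not code from the slides or their author: a small Python monitor that parses raw Ethernet/ARP frames, keeps an IP-to-MAC table, and raises an alert when a reply arrives that no request asked for, when the Ethernet source and the ARP sender address disagree, or when an IP suddenly claims a different MAC. The hosts, MAC addresses and the three frames in run_demo() are constructed for the example.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet + ARP (IPv4 over Ethernet) frame; used only to construct sample traffic."""
    eth_dst = BROADCAST if op == ARP_REQUEST else tha
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not an IPv4 ARP frame."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, eth_src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"eth_src": mac_str(eth_src), "op": op, "sha": mac_str(sha),
            "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatcher:
    """Passive ARP monitor: learns IP->MAC bindings and reports suspicious frames."""

    def __init__(self, known=None):
        self.table = dict(known or {})   # ip -> mac, may be seeded from a static inventory
        self.pending = set()             # IPs for which a request was seen but no reply yet

    def _check_binding(self, ip, mac, alerts):
        old = self.table.get(ip)
        if old is not None and old != mac:
            # Same IP now claimed by another MAC: the classic poisoning signature
            alerts.append(("mac_changed", ip, old, mac))
        self.table[ip] = mac

    def observe(self, frame):
        alerts = []
        pkt = parse_arp(frame)
        if pkt is None:
            return alerts
        if pkt["sha"] != pkt["eth_src"]:
            # Forged frames often carry an ARP sender MAC that differs from the Ethernet source
            alerts.append(("header_mismatch", pkt["spa"], pkt["eth_src"], pkt["sha"]))
        if pkt["op"] == ARP_REQUEST:
            self.pending.add(pkt["tpa"])
        elif pkt["op"] == ARP_REPLY:
            if pkt["spa"] not in self.pending:
                # A reply nobody asked for is how a cache gets poisoned on most stacks
                alerts.append(("unsolicited_reply", pkt["spa"], pkt["sha"]))
            self.pending.discard(pkt["spa"])
        # Both requests and replies carry a sender binding that peers will cache
        self._check_binding(pkt["spa"], pkt["sha"], alerts)
        return alerts


def run_demo():
    """Constructed traffic: a normal request/reply, then a third MAC claiming the replier's IP."""
    a_mac, a_ip = "aa:aa:aa:aa:aa:01", "10.0.0.1"
    b_mac, b_ip = "bb:bb:bb:bb:bb:02", "10.0.0.2"
    x_mac = "cc:cc:cc:cc:cc:03"   # constructed: another host on the LAN answering for B's IP
    frames = [
        build_arp(ARP_REQUEST, a_mac, a_ip, "00:00:00:00:00:00", b_ip),
        build_arp(ARP_REPLY, b_mac, b_ip, a_mac, a_ip),
        build_arp(ARP_REPLY, x_mac, b_ip, a_mac, a_ip),
    ]
    watcher = ArpWatcher()
    alerts = []
    for frame in frames:
        alerts.extend(watcher.observe(frame))
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

In production the frames would come from a raw socket or pcap on a mirror port rather than from build_arp(), and the table would be seeded from a known inventory so that the first binding seen is not trusted blindly; the alert conditions are the same ones a switch with dynamic ARP inspection enforces against its DHCP snooping table.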