A man in the middle attack occurs in many variants and forms, but they are always based on the same principle: that of the “silent post”.
Communication between two participants is carried out via a third, unknown or supposedly trustworthy participant who intercepts, forwards and changes the information sent between them, if it is of use.
Based on this principle, proxies, VPNs and firewalls that use deep packet inspection also function as man in the middle – even if here to protect the user.
Man of a thousand faces
A man in the middle attack can take place in internal networks, the Internet, as well as all forms of radio networks.
Man in the middle attacks are primarily time-based attacks. The longer they can be operated, the more successful and disastrous are their effects.
The most common goal is to obtain personal information such as user names, passwords, pins or hashes for access or identity theft. This information can also be obtained in the form of message histories or telephone recordings. But malware distribution is also common.
In internal networks, a man in the middle attack can e.g. B. using NBTNS (NetBIOS Name Services) or LLMNR (Link-Local Multicast Name Resolution) by linking the attacker’s MAC address with the IP address of another host (so-called spoofing).
In the course of the advancing spread of IPv6, an attacker can also offer himself to other devices as a router based on IPv6 in a network that is actually only IPv4 based and thus gain access to sensitive data.
An attacker could also manipulate the DNS cache (DNS poisining) in order to direct its victims to fake websites or via a proxy to then do clickjacking.
In WiFi networks, man in the middle attacks can sometimes be carried out with little effort.
An attacker only has to set up a free WiFi hotspot and rely on the human factor or the automatic connection function of the devices.
But apart from the human factor and automatism, a man in the middle attack can also be carried out by an evil twin or rogue access point. If the attacker imitates a legitimate access point by broadcasting the same SSID (Service Set Identifier), devices for which his signal is stronger will dial into him.
Devices that are already dialed into the other access point can be tricked into logging into their Evil Twin by flooding the devices or the legitimate access point with deauthentication frames.
There is no single defense against man in the middle attacks, only various building blocks that administrators and users can put together in a mosaic in order to offer the attack as little attack surface as possible and to set the attacker as much effort as possible .