> 
>     what is a MiM attack I have never seen this acronym before?

I apologize for my cryptic abbreviations.  MiM is short for
"Man-in-the-Middle".  This attack involves the attacker putting
himself between you and whatever you're communicating with.  It's
particularly useful in attacking encrypted connections that involve a
key negotiation step and lack a method to verify that the system you're
talking to really is what you think it is.

Normally, communication between A and B looks something like this..

A  <---->  B

In a MiM attack, the communication between A and B looks like this..

A  <--->(B) H (A)<---> B

A is really communicating with H, however A believes H is really B.. And
the same goes for B.  So H can view all of the traffic between A and B,
because H is basically proxying it.  

If A and B normally use some hybrid crypto system to communicate, and H
is in the middle during the key negotiation step.. H can negotiate two
separate keys.. One to communicate encrypted with A (keyA) and one to
communicate encrypted with B (keyB).  Both A and B believe they are
communicating securely with each other, when in actuality, they are each
separately communicating securely with H, which is just decrypting,
looking at, re-encrypting, and relaying traffic.  In addition, since H
basically controls the communication stream between A and B, H can
actually modify traffic between the two.. Or inject traffic to one
side.. Or just block selective traffic..

This is why certificates and SSH fingerprints and other measures of
authenticity exist.

So.. Anyway.. That's basically what a MiM attack is.  The explanation of
the aforementioned ARP poisoning version of it, requires a little bit of
networking knowledge.. Which I'll try to cover really quickly..  Using
A, B, and H again.. When system A wants to talk to system B over
Ethernet, it needs to send traffic to the Hardware address or the MAC
address of the Ethernet interface.  So if you're on machine A and you
want to ping 192.168.0.77 (machine B), A needs to know which hardware
address has the IP of 192.168.0.77.  In order for A to figure this out,
it sends out a broadcast message called an ARP Request.  This message
basically says "Hey, I'm machine A, my IP is 192.168.0.5, my hardware
address is 00:00:00:C0:FF:EE, and I'm looking for the hardware address
of 192.168.0.77.  Who has it?".  This message goes out to every machine
on that network segment (and actually even some machines that aren't..
But that doesn't matter), and if the machine doesn't have the IP of
192.168.0.77, it ignores it.  But if the machine does have IP
192.168.0.77, it responds with an ARP reply.  This is sent directly to
machine A, at IP 192.168.0.5 and hardware address 00:00:00:C0:FF:EE,
with a message that says something like "Hey, I'm IP 192.168.0.77, and
my hardware address is 00:00:DE:AD:BE:EF".  Machine A remembers this
IP-hardware address pairing in an ARP cache and B does the same,
respectively.  So then whenever A wants to talk to 192.168.0.77 again,
it can look in its ARP cache.. And if there is an entry there, it just
uses the paired hardware address, instead of having to ask around again.

Whew.. Again, that was the short and dirty version..

So, the deal is.. Machines will normally accept an ARP reply, even if
they haven't sent out an ARP request.

So.. Let's say machine H is at 192.168.0.42 with hardware address
00:00:00:FA:CA:DE.  And let's say A (IP: 192.168.0.5  HW:
00:00:00:C0:FF:EE) is your machine, and B (IP: 192.168.0.77  HW:
00:00:DE:AD:BE:EF) is your default gateway.

If H sends an ARP reply to machine A, telling it that IP 192.168.0.77 is
at HW 00:00:00:FA:CA:DE and H sends an ARP reply to machine B, telling it
that IP 192.168.0.5 is at HW 00:00:00:FA:CA:DE

All of A's traffic to B will be routed to H, and all of B's traffic to A
will be routed to H.  If H has IP forwarding enabled, or some way to
pass the traffic through.. Neither A nor B will really know the
difference, and all of the traffic between A and B will flow through H.

Now.. For the wireless part.  802.11b is still ethernet.  If someone
associates to your WAP, it's just like they're plugging in an ethernet
cable into that network segment.  So, again.. Let's say B is one of
those all-in-one WAP/router/firewalls, and A is a wired desktop
machine.. And let's throw in W.. Which is a laptop that uses VPN to
communicate to B over wireless.. Because the owner of the network is
paranoid about people sniffing his wireless traffic.  If H can associate
to B, H can poison ARP caches in B and A, sending all of A's _WIRED_
traffic over the wireless, down to H's wireless card, back out again
through H's wireless card, back into B, and finally out to its final
destination.  This attack could be done to any system that's on the same
network segment as the WAP.. Connected over wireless or 10-T cable.

Which is why.. I recommend segmenting off your wireless networks...  A
lot of people are quick to encrypt their wireless traffic, thinking
that's a total solution...  But your _wired_ machines on that segment
are still vulnerable to attacks over wireless.  Many people don't
realize that.

Hope this helps...

--
Jon Erickson         Cryptologist and Security Designer          Caspian
415.974.7081  D49B 4561 1078 0A72 DDF3 7250 8EF4 4681 587E 41DD  1728748
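
Added example (not part of the original message): a defender-side audit that replays raw ARP payloads and flags the three symptoms of the cache poisoning described above, using the message's own A, B and H addresses. The sample payloads are constructed, and the function names and the assumption that the sensor sees every ARP frame on the segment (for example from a switch mirror port) are this example's own.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
REQUEST, REPLY = 1, 2

def build_arp(op, sha, spa, tha, tpa):
    """Pack a 28-byte Ethernet/IPv4 ARP payload; used only to construct sample data."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))

def parse_arp(payload):
    """Return (op, sender MAC, sender IP, target IP) from a raw ARP payload."""
    _, _, _, _, op, sha, spa, _, tpa = struct.unpack(ARP_FMT, payload[:28])
    dotted = lambda b: ".".join(str(o) for o in b)
    return op, ":".join(f"{o:02X}" for o in sha), dotted(spa), dotted(tpa)

def audit(payloads):
    """Replay ARP payloads in order and return a list of alert tuples."""
    bindings, pending, alerts = {}, set(), []
    for payload in payloads:
        op, sha, spa, tpa = parse_arp(payload)
        if op == REQUEST:
            pending.add((spa, tpa))            # spa asked "who has tpa?"
        elif op == REPLY:
            if (tpa, spa) in pending:
                pending.discard((tpa, spa))    # answer to a request we saw
            else:
                alerts.append(("unsolicited-reply", spa, sha))
        old = bindings.get(spa)
        if old is not None and old != sha:     # IP moved to a different MAC
            alerts.append(("binding-changed", spa, f"{old} -> {sha}"))
        bindings[spa] = sha
    owners = {}
    for ip_addr, mac_addr in bindings.items():
        owners.setdefault(mac_addr, []).append(ip_addr)
    for mac_addr, ips in owners.items():
        if len(ips) > 1:                       # one NIC answering for several IPs
            alerts.append(("mac-claims-many-ips", mac_addr, ",".join(sorted(ips))))
    return alerts

# Constructed sample traffic using the addresses from the message above.
A = ("00:00:00:C0:FF:EE", "192.168.0.5")
B = ("00:00:DE:AD:BE:EF", "192.168.0.77")
H_MAC, ZERO = "00:00:00:FA:CA:DE", "00:00:00:00:00:00"
NORMAL = [build_arp(REQUEST, *A, ZERO, B[1]), build_arp(REPLY, *B, *A)]
POISONED = NORMAL + [build_arp(REPLY, H_MAC, B[1], *A),
                     build_arp(REPLY, H_MAC, A[1], *B)]
```

`audit(NORMAL)` returns no alerts; `audit(POISONED)` reports both unsolicited replies, both changed bindings, and H's hardware address answering for two IPs.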
