Anatomy of a Man-In-The-Middle Attack

This month, Certified CIO’s resident security expert, Shaun Miller, presented the how and why—and how to prepare defenses against—a “man-in-the-middle” attack, which is essentially a collection of data to later be used for exploitation. We encourage you to check out the corresponding video here!

In his demonstration, Shaun used two programs, EtterCap and Wireshark. EtterCap is a pass-through program that eavesdrops, a process called sniffing, on network communication. Wireshark then parses that traffic into usable data.

Disclaimer:

All actions taken were done in a controlled environment with consent from appropriate parties. Shaun presented this for demonstration only.

In our example, Shaun began by downloading a specific file from his target computer that contains encrypted keys. We’ll avoid specifics here as we don’t want to give the “keys to the castle” away, but it is important to note that this required access to the computer to do so and cannot be done with Ettercap alone. This is where the “human” firewall—as our friends at KnowBe4 like to say—comes in to play. Whether via social engineering, phishing, or any of the other tricks malicious actors like to use, it only takes a few minutes to acquire the information needed to really access the pertinent data EtterCap will collect.

Once the key file is acquired, Shaun needed access to the network. This could’ve been achieved via wired network that he’s plugged into or a wireless network that he has access to, whether by known or cracked password or an unprotected network. He scanned the network to determine the switch and target computer IP addresses. He then used EtterCap to impersonate each; the PC still thinks it is routing to the switch, and the switch still thinks it is routing to the PC, but both are incorrect. Shaun’s machine is in the middle—hence the name of the attack—listening to the traffic as it passes.

Shaun then used Wireshark to translate the information captured by Ettercap. By filtering by I.P., Shaun was able to cut down the massive data he needs to sift through. Shaun found the specific information he was trying to acquire, and can “follow” that information only via menu choices within the Wireshark program.

Upon opening the appropriate window within Wireshark, Shaun could now see information directly related to the IP and search terms he used to parse the extensive “noise” that makes up normal network traffic.

However, the information was a mix between encrypted and unencrypted information, which isn’t a lot of help for him. He needs more to steal username and password information. This is where the earlier stolen file comes in: by applying the encrypted logs, he would be able to unlock the logged information into “clear text” (i.e. non-encrypted).

To illustrate the power of the attack, Shaun reset the Wireshark logs, and again began to capture fresh data. He then switched to the role of the victim for a moment. Logging in to the machine being sniffed and using a demonstration site, Shaun entered a (fake) username and password.

Indeed, after again searching the logs, the username and password were both available to him. Had he been a malicious actor, this information could be used to access confidential information or be put on the web for sale.

A few takeaways to help defend against attacks like this:

Always be on the lookout for oddities. Many times malicious actors will take advantage of a person’s desire to be nice. For example, asking for a locked door to be held open due to a “forgotten” key card or asking for the company WiFi password “just for a minute”. This could be just what the bad actor needs to grab the key file or gain access to company networks.
Use a VPN whenever connecting in to work resources from a public WiFi, which often have no or very little encryption.
Control who has access to the internal network. Create a guest network with internet access only for those who should not have access to greater company resources.
The human firewall is key. As always, be very mindful of clicking bad links in emails and disclosing username and password information on lookalike websites.
Utilizing multi-factor authentication for sensitive logins provides another important layer of cybersecurity when passwords are compromised.

As we can see, it is not difficult for a person with bad intentions to get in to places he or she should not be. Make sure your cyberdefenses are up-to-speed and up-to-date! If you’re not sure, give us a call or CONTACT US!

Tabbie Coulter

great professional service and very timely!! would highly recommend for your IT needs.

Jessie Palma

I love this company. They have soo much talent there and they always fix it so quickly! They are very professional and courteous! I've gotten to know some of them because we treat each other like human beings :) It's like having an extended family.

Fernando Perez

Awesome management! Great company.

Joseph Silbaugh

I needed to add an older laptop to the business account for my use on the road. CIO did everything remotely for me. It made the task so easy. They updated everything, added my office 365, my 3 emails and checked everything. Great job, quick and efficiently no stress. I recommend them highly

Kay Westerhold

Always a quick response. Issue solved and can continue on with the task every time. Great job CCIO!!

Bill Fissell

The service was prompt, friendly and knowledgeable. Could not ask for more than that.

Kevin Slack

Upgraded our router with Comcast. It did not go smoothly until Steve Plumlee got involved and got everything working well. When Steve is working on our IT issues, they get resolved. Amen.

Hickory Falls Family Entertainment Center

Thanks for going more in-depth with your engineers and investigating solutions and resolving some of our email challenges.

Bill Moorman

Certified CIO is a smart, professional and friendly team of engineers to work with. I am a bright person but computers can make me feel incompetent. The team at Certified CIO never allows you to feel awkward even asking the most basic questions. You have been a lifeline many times. Thanks for your support.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Better IT for Business. Call Today! (717) 340-6000 (443) 283-0666

Anatomy of a Man-In-The-Middle Attack

Share This Story, Choose Your Platform!

Better IT for Business. Call Today!
(717) 340-6000
(443) 283-0666