This month, Certified CIO’s resident security expert, Shaun Miller, presented the how and why—and how to prepare defenses against—a “man-in-the-middle” attack, which is essentially a collection of data to later be used for exploitation. We encourage you to check out the corresponding video here!
In his demonstration, Shaun used two programs, EtterCap and Wireshark. EtterCap is a pass-through program that eavesdrops, a process called sniffing, on network communication. Wireshark then parses that traffic into usable data.
All actions taken were done in a controlled environment with consent from appropriate parties. Shaun presented this for demonstration only.
In our example, Shaun began by downloading a specific file from his target computer that contains encrypted keys. We’ll avoid specifics here as we don’t want to give the “keys to the castle” away, but it is important to note that this required access to the computer to do so and cannot be done with Ettercap alone. This is where the “human” firewall—as our friends at KnowBe4 like to say—comes in to play. Whether via social engineering, phishing, or any of the other tricks malicious actors like to use, it only takes a few minutes to acquire the information needed to really access the pertinent data EtterCap will collect.
Once the key file is acquired, Shaun needed access to the network. This could’ve been achieved via wired network that he’s plugged into or a wireless network that he has access to, whether by known or cracked password or an unprotected network. He scanned the network to determine the switch and target computer IP addresses. He then used EtterCap to impersonate each; the PC still thinks it is routing to the switch, and the switch still thinks it is routing to the PC, but both are incorrect. Shaun’s machine is in the middle—hence the name of the attack—listening to the traffic as it passes.
Shaun then used Wireshark to translate the information captured by Ettercap. By filtering by I.P., Shaun was able to cut down the massive data he needs to sift through. Shaun found the specific information he was trying to acquire, and can “follow” that information only via menu choices within the Wireshark program.
Upon opening the appropriate window within Wireshark, Shaun could now see information directly related to the IP and search terms he used to parse the extensive “noise” that makes up normal network traffic.
However, the information was a mix between encrypted and unencrypted information, which isn’t a lot of help for him. He needs more to steal username and password information. This is where the earlier stolen file comes in: by applying the encrypted logs, he would be able to unlock the logged information into “clear text” (i.e. non-encrypted).
To illustrate the power of the attack, Shaun reset the Wireshark logs, and again began to capture fresh data. He then switched to the role of the victim for a moment. Logging in to the machine being sniffed and using a demonstration site, Shaun entered a (fake) username and password.
Indeed, after again searching the logs, the username and password were both available to him. Had he been a malicious actor, this information could be used to access confidential information or be put on the web for sale.
A few takeaways to help defend against attacks like this:
- Always be on the lookout for oddities. Many times malicious actors will take advantage of a person’s desire to be nice. For example, asking for a locked door to be held open due to a “forgotten” key card or asking for the company WiFi password “just for a minute”. This could be just what the bad actor needs to grab the key file or gain access to company networks.
- Use a VPN whenever connecting in to work resources from a public WiFi, which often have no or very little encryption.
- Control who has access to the internal network. Create a guest network with internet access only for those who should not have access to greater company resources.
- The human firewall is key. As always, be very mindful of clicking bad links in emails and disclosing username and password information on lookalike websites.
- Utilizing multi-factor authentication for sensitive logins provides another important layer of cybersecurity when passwords are compromised.
As we can see, it is not difficult for a person with bad intentions to get in to places he or she should not be. Make sure your cyberdefenses are up-to-speed and up-to-date! If you’re not sure, give us a call or CONTACT US!