MITM Attack Progression
In two distinct phases, MITM execution will be successful, which are decryption and interception. In interception, the attacker stays in between the data stream, ready to capture the data, collect the received data, sell or reuse the data. In decryption, data is sent by an attacker, analyzes the used encryption techniques like HTTPS, etc. try to decrypt the data and reuse it.
In the first step, we use the attacker's network and intercept user traffic before reaching its desired location. For doing this, the passive attack is the simplest and most common. In this attack, attackers create malicious Wi-Fi hotspots that are freely available to the public, which means they are not password protected. The name of this type of Wi-Fi generally corresponds to their location. When such hotspots are connected by any user or victim, the attackers gain full access to online data exchange. A more active approach is taken by attackers to interception may launch any of the following attacks:
An IP address is contained by all the system which is connected to the network. An IP address is also provided by many corporate internal networks to the system. In IP spoofing, attackers alter the header of a package in an IP address and disguise themselves as an application. As a result, the URL connected to the application tries to access by the users and send to the attacker's website. In this case, DOS may be used by an attacker to perform MITM attacks, where the attacker acts between two systems as a middleware.
ARP means Address Resolution Protocol. It is used in a local area network to resolve the IP address to corresponding MAC addresses. To locate the device in a network and to identify the device's MAC address, an IP address is used. In an ARP poisoning attack, attackers link their MAC address to the legitimate user's IP. Then to establish a connection to the attacker system, it sends a constant series of ARP messages. As a result, data is transmitted to the attacker, which the user sends to the host IP address.
DNS means Domain name system. DNS is used to resolve the IP address to its domain names like "javatpoint.com" and vice versa. In this attack, the DNS cache of the target device is corrupted by the attacker and rewriting it. Attacker alters the DNS recodes and redirects to the vulnerability server. As a result, an altered DNS record is sent to the attacker's site, and the users try to access this site. Where, 184.108.40.206 port number resolves the www.stupidonlinebank.com. The DNS cache is poisoned by the attacker, and it redirects the user to "220.127.116.11'. In this port, a fake phishing site is deployed by an attacker, and that site is ready to collect the entered details.
Now without alerting the application or user, decryption is needed on two-way SSL traffic. To achieve this, various methods are as follows:
When the initial connection is made to a protected site, the victim's browser receives a fake certificate from the attacker. The certificate holds the thumbprint, and a compromised application is associated with it. The thumbprint is verified by the browser-based on an existing list of trusted sites leaving the attacker to access any data which is entered by the user before it is passed to the application.
SSL hijacking occurs during the TCP (transmission control protocol) handshakes when an attacker passes forged authentication keys to both the application and the user. It is used to compromise social media accounts. Most websites of social media store session browser cookies on the user's system. When the browser hijacks and malware is injected on the user's machine, this type of attack mainly occurs. It will also occur when session cookies are stolen by the attacker. When the entire session is controlled by a man in the middle, this sets up what appears to be a secure connection.
In 100% of websites, around 70% of websites are still working on the insecure and generic HTTP ports. This provides the backward capability and extensive availability of the application to the users. Using this, the secure HTTPS connection can be downgraded to a basic HTTP connection. An attacker can use the HTTP connection to sniff the packets, read them. Now the users are browsing an unencrypted website, so the attacker can also alter the packet on the spot.