Information Security Asked by user238715 on October 28, 2021
Let’s imagine a data link layer level MITM attack. Is it possible to fulfill all of the following points?
Is there a way to accomplish this? How can I detect this kind of activity? I’m afraid the attacker can do basically anything without leaving any fingerprints, if it goes deep enough in the OSI model.
Shenanigans at layer 2 are fairly trivial. Many devices (especially mobile devices) are automatically spoofing their MAC addresses; it is simple to do so on most desktop platforms. By default, if you are sending any traffic on the network, the router may know you are there. By definition, if you are connecting to a wireless network that requires authentication, the access point will definitely know you are there. Whether it knows who or what you are is a different story. The only way to be truly undetectable from a network perspective would be to sniff wireless traffic passively.
replacing crucial information such as SSL/TLS public key
There are several classic attacks that can be launched from a MitM standpoint; notably, SSLStrip. However, for any service that is already connected to using TLS, you're going to have a hard time. You cannot simply replace certificate information from the server without triggering a security warning on the client, unless it is a poorly written application (e.g. modern browsers are out). That is the nature of TLS; it authenticates the server and prevents an active MitM attacker from being able to do much besides DoS.
There are technologies to detect and prevent ARP spoofing attacks, and these functions are largely implemented in enterprise networking hardware (e.g. Cisco whitepaper). The general concept is that the device uses prior knowledge (previous addresses, DHCP snooping) and looks for suspicious changes in the proposed MAC address mappings or gratuitous ARP packets being sent. If this activity is detected, the packets are ignored and no changes are made to the ARP table. There are also endpoint tools that may be able to work similarly.
If you can't afford to risk ARP spoofing attacks, there's always the option of disabling ARP altogether and using static ARP entries. But in general, properly configured TLS will thwart most risks. Of course, any non-encrypted traffic is fair game to be viewed and modified by an attacker.
Answered by multithr3at3d on October 28, 2021
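The binding-table check described in the answer, as an added example that is not part of the original post or any vendor's implementation: ARP frames are parsed from raw Ethernet bytes and compared against a trusted IP-to-MAC table of the kind DHCP snooping would populate; the bindings and frames are constructed here for illustration.

```python
import struct

# Constructed trusted bindings, standing in for a DHCP snooping table.
TRUSTED_BINDINGS = {
    "192.168.1.1": "aa:bb:cc:00:00:01",   # gateway
    "192.168.1.10": "aa:bb:cc:00:00:10",  # a known host
}

def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(x) for x in s.split("."))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet+ARP frame as constructed test input (never sent)."""
    eth = _mac("ff:ff:ff:ff:ff:ff") + _mac(sender_mac) + b"\x08\x06"
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet/IPv4, op 1=req 2=reply
    return eth + hdr + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return op, fmt_mac(frame[22:28]), fmt_ip(frame[28:32]), fmt_ip(frame[38:42])

def inspect_arp(frame, bindings=TRUSTED_BINDINGS):
    """Dynamic-ARP-inspection style verdict: 'accept', 'drop: ...' or 'suspect: ...'."""
    parsed = parse_arp(frame)
    if parsed is None:
        return "accept"  # not ARP; nothing for this check to do
    op, smac, sip, tip = parsed
    known = bindings.get(sip)
    if known is not None and known != smac:
        # Sender claims an IP whose MAC we already know: do not update the ARP table.
        return f"drop: {sip} is bound to {known}, claimed by {smac}"
    if op == 2 and sip == tip and known is None:
        # Gratuitous reply for an address we have no binding for: worth a look.
        return f"suspect: gratuitous ARP reply from {smac} for {sip}"
    return "accept"
```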