Is the perfect MITM attack possible?

Information Security Asked by user238715 on October 28, 2021

Let’s imagine a data link layer level MITM attack. Is it possible to fulfill all of the following points?

  • you completely hide your identity by forging your own MAC address
  • you create malformed packets, so the router doesn’t even know you exist
  • you intercept every packet from the victim, and repeat it to the default gateway (and vice versa), replacing crucial information such as the SSL/TLS public key

Is there a way to accomplish this? How can I detect this kind of activity? I’m afraid the attacker can do basically anything without leaving any fingerprints, if it goes deep enough in the OSI model.

One Answer

Shenanigans at layer 2 are fairly trivial. Many devices (especially mobile devices) automatically spoof their MAC addresses; it is simple to do so on most desktop platforms. By default, if you are sending any traffic on the network, the router may know you are there. By definition, if you are connecting to a wireless network that requires authentication, the access point will definitely know you are there. Whether it knows who or what you are is a different story. The only way to be truly undetectable from a network perspective would be to sniff wireless traffic passively.

replacing crucial information such as the SSL/TLS public key

There are several classic attacks that can be launched from a MitM standpoint; notably, SSLStrip. However, for any service that is already connected to using TLS, you're going to have a hard time. You cannot simply replace certificate information from the server without triggering a security warning on the client, unless it is a poorly written application (e.g. modern browsers are out). That is the nature of TLS; it authenticates the server and prevents an active MitM attacker from being able to do much besides DoS.

There are technologies to detect and prevent ARP spoofing attacks, and these functions are largely implemented in enterprise networking hardware (e.g. Cisco whitepaper). The general concept is that the device uses prior knowledge (previous addresses, DHCP snooping) and looks for suspicious changes in the proposed MAC address mappings or gratuitous ARP packets being sent. If this activity is detected, the packets are ignored and no changes are made to the ARP table. There are also endpoint tools that may be able to work similarly.

If you can't afford to risk ARP spoofing attacks, there's always the option of disabling ARP altogether and using static ARP entries. But in general, properly configured TLS will thwart most risks. Of course, any non-encrypted traffic is fair game to be viewed and modified by an attacker.

Answered by multithr3at3d on October 28, 2021
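The detection approach the answer describes (keep prior IP-to-MAC knowledge, compare it with what new ARP frames claim, and flag gratuitous or conflicting announcements) can be shown in a few dozen lines. The following is an added example and not part of the original question or answer: a toy monitor in the spirit of Dynamic ARP Inspection and arpwatch. The ARP frames, the trusted binding table (standing in for a DHCP-snooping table) and the MAC/IP values are all constructed for the example; a real deployment would feed it frames parsed from a capture.

```python
"""Toy ARP-spoofing detector (added example, not code from the original post).

A frame is a dict with keys op, sender_mac, sender_ip, target_mac, target_ip;
this layout is an assumption made for the example.  Detection rules mirror the
answer's description of enterprise ARP inspection:
  1. the claimed IP->MAC binding disagrees with a trusted (DHCP-snooping) table,
  2. the claimed binding changes an IP->MAC mapping learned earlier,
  3. the frame is a gratuitous ARP (sender announces its own IP).
Rules 1 and 2 cause the frame to be dropped, i.e. the cache is left untouched;
rule 3 is only logged, since hosts legitimately send gratuitous ARP at boot.
"""
from dataclasses import dataclass, field

# Constructed trusted bindings, playing the role of a DHCP-snooping table.
TRUSTED_BINDINGS = {
    "192.168.1.1": "aa:aa:aa:aa:aa:aa",   # gateway
    "192.168.1.10": "bb:bb:bb:bb:bb:bb",  # victim
}

# Constructed ARP frames: two benign exchanges, then a host with MAC cc:... that
# announces itself as the gateway and as the victim (classic cache-poisoning shape).
SAMPLE_FRAMES = [
    {"op": "request", "sender_mac": "bb:bb:bb:bb:bb:bb", "sender_ip": "192.168.1.10",
     "target_mac": "00:00:00:00:00:00", "target_ip": "192.168.1.1"},
    {"op": "reply", "sender_mac": "aa:aa:aa:aa:aa:aa", "sender_ip": "192.168.1.1",
     "target_mac": "bb:bb:bb:bb:bb:bb", "target_ip": "192.168.1.10"},
    {"op": "reply", "sender_mac": "cc:cc:cc:cc:cc:cc", "sender_ip": "192.168.1.1",
     "target_mac": "ff:ff:ff:ff:ff:ff", "target_ip": "192.168.1.1"},
    {"op": "reply", "sender_mac": "cc:cc:cc:cc:cc:cc", "sender_ip": "192.168.1.10",
     "target_mac": "aa:aa:aa:aa:aa:aa", "target_ip": "192.168.1.1"},
]


@dataclass
class ArpMonitor:
    """Tracks IP->MAC mappings and judges each ARP frame against them."""
    dhcp_bindings: dict                      # trusted IP -> MAC
    learned: dict = field(default_factory=dict)  # IP -> MAC seen so far

    def inspect(self, frame):
        """Return (drop, alerts) for one frame; update the cache only if it is accepted."""
        alerts = []
        ip, mac = frame["sender_ip"], frame["sender_mac"].lower()

        # Rule 1: disagreement with the trusted binding table.
        trusted = self.dhcp_bindings.get(ip)
        if trusted is not None and trusted.lower() != mac:
            alerts.append(f"binding mismatch: {ip} is bound to {trusted}, frame claims {mac}")

        # Rule 2: change relative to a mapping we already learned.
        previous = self.learned.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"mapping changed: {ip} was {previous}, now {mac}")

        drop = bool(alerts)  # only rules 1 and 2 block the update

        # Rule 3: gratuitous ARP is noteworthy but not blocking on its own.
        if frame["target_ip"] == ip:
            alerts.append(f"gratuitous ARP for {ip} from {mac} ({frame['op']})")

        if not drop:
            self.learned[ip] = mac
        return drop, alerts

    def run(self, frames):
        """Inspect frames in order; return a list of (index, drop, alerts)."""
        return [(i, *self.inspect(f)) for i, f in enumerate(frames)]


def detect_spoofing(frames, bindings):
    """Convenience wrapper: fresh monitor over a frame list, returns only flagged frames."""
    monitor = ArpMonitor(dhcp_bindings=dict(bindings))
    return [(i, drop, alerts) for i, drop, alerts in monitor.run(frames) if alerts]


if __name__ == "__main__":
    for index, drop, alerts in detect_spoofing(SAMPLE_FRAMES, TRUSTED_BINDINGS):
        verdict = "DROPPED" if drop else "logged"
        for alert in alerts:
            print(f"frame {index} {verdict}: {alert}")
```

Two of the constructed frames (indices 2 and 3) are dropped: they fail both the trusted-binding check and the learned-mapping check, and the first of them is additionally a gratuitous announcement. Because dropped frames never reach the cache, the learned table still holds the genuine gateway and victim addresses afterwards, which is exactly the "packets are ignored and no changes are made to the ARP table" behaviour the answer describes. The gap a practitioner should keep in mind is that a monitor like this only helps once it has a trustworthy baseline; if the first frame it ever sees for an IP is already the forged one, rule 2 has nothing to compare against, which is why the trusted binding table (rule 1) or static entries matter.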
