18 replies to this topic

[Sundance]

 Anything can be done from this position, from spying to adding malicious code.  

To even stealing your cookies ;D

[0xFACEB004]

Perhaps KJGino should make a tutorial on what MITM attacks are and how to avoid them? 

 

The only money-back guaranteed, absolute surefire way to avoid MITM attacks:

Step 1. Stay off of the internet

Step 2. Repeat step 1

[BlackRabbit]

Lol, not that bad, but, you can do it, but at another level, by not relying in the message only, but in the low-level TCP layers. The middle man will always leave a signature down there, in the dark of the TCP layers.

 

And other thing, fingerprint is good when you use for alerts, for example, you can set gmail to tell you when someone logs into your mail account from a computer who has not your fingerprint.

[0xFACEB004]

But if you use a proxy server (e.g. Hidemyass, or even a TOR relay node), how can you detect that that signature is from the legitimate proxy itself and not the middle man, BR?

[BlackRabbit]

Easy, a proxy is not a hop, so it will add one extra layer in the TCP/IP.

You just need to establish how many hops you have between you and your destination.

Let's say, an easy case, you and I work in two different branches of the same company, and a communication between us, for network topology, has only two routers, your local, and mine. If TCP/IP layers shows one more than that, then someone has been manipulating messages in the middle

And that someone, is someone inside   which is the typical MITM MO.

Edited by BlackRabbit, 26 April 2014 - 11:47 AM.

[BlackRabbit]

It's a pity this one  knowledge is one I didn't exercise in years, because it's a very nice subject to talk about but even when I remember how it works from point to point, I don't remember all the technical words to properly talk about it.

 

Just let me tell you TCP/IP layers register every step on its way because it needs to track itself back, if packet from A to B, passes by C and D. in the TCP/IP layer you'll have A C D B signed (because the packet must be able to come back in case of error) so the packet will be: Message (your data) plus tracking layers ( A C D B ). When whatever program, device, etc, touches the message, it got registered down there. You'll tell me, hey Tor wipes that out, or rewrite it. Well to do so, you need to do it, (or used to need to do it) by rewriting a routing device code. What TOR does, I GUESS, is taking your layer out of the message, as if they were originators, and saving it themselves logically, re adding it back when the answer to the package comes back. That takes serious programing and processing, and probably they did by reprograming a routing device, or even rewriting the tcp layer of their O.S.

 

I wish I've been working with this lately so I could have better context in my head, but it will come back as I remember more exactly the things I used to check/do years ago.

[0xFACEB004]

This subject fascinates me too (even though I was bored out of my mind in my networking class lol)!

 

But I never thought about it on the TCP layer, so I will look into that. But what about the different forms of MITM...how would the TCP signature be affected by something like DNS spoofing? How could it detect that?

 

Here are some of the attacks I am referring to: https://www.blackhat...-03-valleri.pdf