T 5.143 Man-in-the-middle attack
The goal of a man-in-the-middle attack is to slip unnoticed into the communication between two or more partners, for example to read or manipulate information. The attacker places himself "in the middle" of the communication by pretending to be the recipient towards the sender and the sender towards the recipient. First, the attacker redirects the sender's request to establish a connection to himself. In the next step, the attacker opens a connection of his own to the actual recipient of the message. If this succeeds, he may be able to read or manipulate all information the sender addresses to the supposed recipient before forwarding it to the real one. In turn, the attacker may be able to intercept the recipient's reply if the corresponding protection mechanisms are not in effect.
The most difficult part of a man-in-the-middle attack for the attacker is usually redirecting the connection request to himself. This part of the attack can be initiated with corresponding methods, for example spoofing or DNS manipulation.
Even encrypted connections cannot always provide protection against man-in-the-middle attacks. If the identity of the communication partner is not checked or is falsified, an encrypted connection could be established between the sender and the attacker and between the attacker and the recipient. Since the attacker is at one end of each of the two connections, he would be able in this case to decrypt the information, read it, and then change it before re-encrypting and forwarding the information.
Examples:
- An attacker manipulates some name servers by DNS spoofing in such a way that DNS queries for a certain bank return the IP address of his own computer instead of the bank's. A user subsequently wants to connect to the bank's web server for home banking. To determine the IP address of the bank's web server, the user's computer sends a query with the name of the bank's computer to the DNS server, which replies with the falsified IP address of the attacker. The user then establishes an https connection to the attacker's computer at that address. The browser displays a warning that the SSL certificate is invalid, but the user ignores it because he does not understand why it appears. As a result, the user is connected to the attacker's web server. The attacker then opens an encrypted https connection of his own to the bank and can read and manipulate all transactions the user performs in the subsequent web session.
- To perform man-in-the-middle attacks in a WLAN, an attacker could smuggle additional access points into the WLAN (referred to as "clones" or "evil twins"). If such an access point offers a nearby WLAN client a stronger signal than the legitimate access point, the client will use it as its base station if mutual authentication is not used in the WLAN.
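The decisive check behind the certificate warning in the home-banking example, and behind the statement that encryption alone does not help when the partner's identity is not verified, is X.509 path and host-name validation. The following Go program is an added illustration, not part of this catalogue entry: it mints its own constructed CA, a genuine certificate for `bank.example`, a self-signed certificate in which the attacker merely claims that name, and a CA-issued certificate for a different host, then shows which of them a client that really checks identity accepts. All names, keys and certificates are generated in the program.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a one-hour certificate for host, signed by parent. A nil parent yields a
// self-signed certificate, which is all an attacker can produce without a trusted CA key.
func issue(host string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: isCA, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // self-signed: issuer and subject coincide
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenario returns what a client that checks identity (trusted chain AND host name) concludes about
// the bank's genuine certificate, the attacker's self-signed certificate carrying the bank's name,
// and a CA-issued certificate for a different host. Names and keys are constructed for this example.
func Scenario() (genuine, forgedName, wrongHost error) {
	ca, caKey := issue("ca.example", true, nil, nil) // constructed trust anchor
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	bank, _ := issue("bank.example", false, ca, caKey)
	attacker, _ := issue("bank.example", false, nil, nil) // the host the spoofed DNS reply points to
	other, _ := issue("mail.example", false, ca, caKey)
	check := func(c *x509.Certificate) error {
		_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: "bank.example"})
		return err // nil only if the chain ends in a trusted root and the name matches
	}
	return check(bank), check(attacker), check(other)
}

func main() {
	fmt.Println(Scenario())
}
```

Clicking past the browser warning corresponds to skipping `Verify` altogether; the attacker's certificate is then accepted and the encrypted session terminates on his machine exactly as the example describes.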