Overview
Learn what a MITM attack is and how to identify its footprints in network traffic. This TryHackMe room focuses on detecting various Man-in-the-Middle attack techniques through packet-level network traffic analysis using Wireshark.
MITM Attack Types Covered
This room explores three main categories of MITM attacks:
- ARP Spoofing/Poisoning - Manipulating Address Resolution Protocol to intercept Layer 2 traffic
- DNS Spoofing - Forging Domain Name System responses to redirect victims to malicious servers
- SSL/TLS Stripping - Downgrading HTTPS connections to HTTP to capture sensitive data
1. ARP Analysis - ARP Spoofing Detection
1.1 How many ARP packets from the gateway MAC Address were observed?
To detect ARP spoofing, we analyze the ARP packets in the capture and count those sent from the legitimate gateway's MAC address. The real gateway only sends announcements when necessary, so its packet count gives a baseline to compare against the impersonating host.
1.2 What MAC address was used by the attacker to impersonate the gateway?
ARP spoofing involves an attacker sending fake ARP replies claiming to be the gateway. We identify the attacker's MAC address by looking for duplicate ARP replies for the gateway IP.
Answer: 02:fe:fe:fe:55:55
1.3 How many Gratuitous ARP replies were observed for 192.168.10.1?
Gratuitous ARP packets are unsolicited ARP announcements used in spoofing attacks to update other hosts' ARP caches with fake mappings.
1.4 How many unique MAC addresses claimed the same IP (192.168.10.1)?
This question reveals how many different devices claimed ownership of the gateway IP address, indicating a spoofing attack.
1.5 How many ARP spoofing packets were observed in total from the attacker?
Count all ARP packets (replies and gratuitous) sent by the attacker to maintain the spoofing attack.
2. DNS Analysis - DNS Spoofing Detection
2.1 How many DNS responses were observed for the domain corp-login.acme-corp.local?
Multiple DNS responses for the same domain can indicate spoofing attempts. DNS spoofing involves sending a forged DNS reply that reaches the victim before the legitimate resolver's reply does.
2.2 How many DNS requests were observed from the IPs other than 8.8.8.8?
This helps identify unusual DNS traffic patterns. Legitimate DNS requests should primarily go to configured DNS servers.
2.3 What IP did the attacker's forged DNS response return for the domain?
The attacker redirects the victim to a malicious IP address controlled by them, allowing interception of traffic.
3. HTTP/HTTPS Analysis - SSL Stripping Detection
3.1 How many POST requests were observed for our domain corp-login.acme-corp.local?
SSL stripping involves downgrading HTTPS to HTTP, allowing the attacker to capture login credentials in plain text.
3.2 What's the password of the victim found in the plaintext after successful SSL stripping attack?
Once HTTPS is downgraded to HTTP, all data, including passwords, is sent in clear text and can be captured by the MITM attacker.
What is a Man-in-the-Middle Attack?
A Man-in-the-Middle (MITM) attack occurs when an attacker secretly intercepts and possibly alters the communication between two parties who believe they are directly communicating with each other.
MITM Attack Characteristics:
- Interception: Attacker positions themselves between victim and legitimate destination
- Transparency: Both ends believe they are communicating directly with each other
- Silent: Attack happens without the knowledge of communicating parties
- Modification: Attacker can alter data packets in transit
Common MITM Attack Vectors
Layer 2 Attacks
- ARP Spoofing (Gratuitous ARP): Exploits Address Resolution Protocol vulnerabilities
- ICMP Redirect: Misleads traffic routing on local networks
- Port Stealing: Exploits switch CAM table limitations
DNS-Based Attacks
- DNS Spoofing: Fake DNS responses redirect victims to malicious sites
- DNS Cache Poisoning: Corruption of DNS resolver caches
- DNS Hijacking: Router-level DNS server changes
Transport Layer Attacks
- SSL/TLS Downgrade: Forces use of weaker encryption protocols
- SSL Stripping: Removes SSL/TLS protection from HTTPS connections
- Heartbleed: Exploits OpenSSL vulnerabilities
Application Layer Attacks
- Session Hijacking: Steals authenticated session tokens
- HTTP Parameter Pollution: Manipulates HTTP parameters
- Web Application Proxy: Intercepts web traffic
Detection Techniques
ARP Anomaly Detection
- Multiple MAC addresses for the same IP
- Unusual number of ARP announcements
- ARP replies without corresponding requests
- Modified interface link-layer addresses
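The ARP checks listed above (several MACs claiming one IP, gratuitous replies, replies nobody asked for) applied to a constructed packet sequence. This is an added example written for this write-up, not code from the room; the gateway IP and attacker MAC are the room's, every other address is assumed.

```python
from collections import defaultdict

# Constructed sample ARP packets in capture order: (src_mac, opcode, sender_ip, target_ip).
# opcode 1 = request, 2 = reply. 192.168.10.1 is the gateway IP from the room and
# 02:fe:fe:fe:55:55 the attacker MAC it identifies; the other MACs and IPs are assumed.
ARP_SAMPLE = [
    ("cc:cc:cc:00:00:50", 1, "192.168.10.50", "192.168.10.1"),  # victim asks who has the gateway
    ("aa:aa:aa:00:00:01", 2, "192.168.10.1", "192.168.10.50"),  # real gateway answers
    ("02:fe:fe:fe:55:55", 2, "192.168.10.1", "192.168.10.50"),  # attacker answers the same request
    ("02:fe:fe:fe:55:55", 2, "192.168.10.1", "192.168.10.1"),   # gratuitous reply (sender == target)
    ("02:fe:fe:fe:55:55", 2, "192.168.10.1", "192.168.10.1"),   # another gratuitous reply
    ("02:fe:fe:fe:55:55", 2, "192.168.10.1", "192.168.10.51"),  # reply nobody asked for
]


def analyse_arp(packets):
    """Run the three ARP checks from the list above over a sequence of ARP packets."""
    macs_per_ip = defaultdict(set)   # claimed IP -> every MAC that claimed it
    gratuitous = defaultdict(int)    # claimed IP -> number of gratuitous replies
    unsolicited = []                 # replies with no outstanding request for that IP
    pending = defaultdict(set)       # asked-for IP -> requesters still waiting for an answer
    for src_mac, op, sender_ip, target_ip in packets:
        if op == 1:                  # request: remember who asked for which IP
            pending[target_ip].add(sender_ip)
            continue
        macs_per_ip[sender_ip].add(src_mac)
        if sender_ip == target_ip:   # Wireshark's definition of a gratuitous reply
            gratuitous[sender_ip] += 1
        elif target_ip in pending[sender_ip]:
            pending[sender_ip].discard(target_ip)  # the first answer satisfies the request
        else:
            unsolicited.append((src_mac, sender_ip, target_ip))
    conflicts = {ip: sorted(macs) for ip, macs in macs_per_ip.items() if len(macs) > 1}
    return {"conflicts": conflicts, "gratuitous": dict(gratuitous), "unsolicited": unsolicited}


if __name__ == "__main__":
    for check, result in analyse_arp(ARP_SAMPLE).items():
        print(f"{check}: {result}")
```

The second reply to the victim's single request is what shows up as unsolicited, which is exactly the duplicate-reply pattern question 1.2 asks you to spot.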
DNS Anomaly Detection
- Multiple DNS responses for same query
- DNS responses without requests
- Unusual DNS server IPs
- Short response times (local spoofing)
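The DNS checks listed above (more than one response to a single query, responses with no query, responses from a server the client never asked) over a constructed capture. This is an added example, not the room's code; the victim, the resolver and the domain are the room's, while the two answer IPs are documentation-range placeholders.

```python
from collections import defaultdict

# Constructed sample DNS packets in capture order: (src_ip, dst_ip, txid, is_response, name, answer).
# The victim 192.168.10.50, the resolver 8.8.8.8 and the domain are from the room; 192.0.2.66 is a
# placeholder for the forged answer and 198.51.100.20 a placeholder for the genuine one.
DOMAIN = "corp-login.acme-corp.local"
DNS_SAMPLE = [
    ("192.168.10.50", "8.8.8.8", 0x1a2b, False, DOMAIN, None),             # client query
    ("8.8.8.8", "192.168.10.50", 0x1a2b, True, DOMAIN, "192.0.2.66"),      # forged reply, source spoofed
    ("8.8.8.8", "192.168.10.50", 0x1a2b, True, DOMAIN, "198.51.100.20"),   # genuine reply arrives second
    ("10.9.9.9", "192.168.10.50", 0x7777, True, "intranet.acme-corp.local", "192.0.2.66"),  # no query
]


def analyse_dns(packets):
    """Flag multiple answers to one query, answers without a query, and answers from an unexpected server."""
    asked = {}                    # (client, txid, name) -> resolver the client actually queried
    replies = defaultdict(list)   # (client, txid, name) -> [(server, answer), ...] in arrival order
    for src, dst, txid, is_response, name, answer in packets:
        if is_response:
            replies[(dst, txid, name)].append((src, answer))
        else:
            asked[(src, txid, name)] = dst
    findings = []                 # (indicator, name, detail)
    for key, lst in replies.items():
        client, txid, name = key
        if key not in asked:
            findings.append(("response_without_query", name, f"txid {txid:#06x} to {client}"))
        if len(lst) > 1:          # the forged reply races the real one, so both end up in the capture
            findings.append(("multiple_responses", name, [answer for _, answer in lst]))
        for server, _ in lst:
            if key in asked and server != asked[key]:
                findings.append(("unexpected_server", name, server))
    return findings


if __name__ == "__main__":
    for indicator, name, detail in analyse_dns(DNS_SAMPLE):
        print(f"{indicator:<24} {name}: {detail}")
```

The first answer in the multiple_responses detail is the one the victim's resolver cache will have kept, which is how question 2.3 is answered from a capture.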
SSL/TLS Detection
- HTTP traffic on known HTTPS ports
- Host header mismatches
- Missing certificate warnings
- SSL version downgrades
General Indicators
- Slow or intermittent connections
- Unexpected certificate errors
- Frequent disconnections
- Unusual pop-ups or redirects
Wireshark Analysis Techniques
ARP Analysis Filters
arp # All ARP traffic
arp.opcode == 2 # ARP replies only
arp.src.proto_ipv4 == 192.168.10.1 # Every ARP packet claiming the gateway IP; compare the source MACs
arp.duplicate-address-detected # Wireshark's built-in duplicate IP-to-MAC detection
DNS Analysis Filters
dns # All DNS traffic
dns.flags.response == 1 # DNS responses only
dns.qry.name contains "acme-corp" # Domain-specific filtering
dns.time > 0.1 # Slow responses (may indicate spoofing)
HTTP Analysis Filters
http # All HTTP traffic
http.request.method == "POST" # POST requests
http.host contains "corp-login.acme-corp.local" # Host header filtering
http.user_agent # Packets carrying a User-Agent header
SSL/TLS Analysis
tls # TLS traffic
tls.alert_message # TLS alerts
tls.handshake # Handshake analysis
tls.record.version == 0x0301 # Records announcing TLS 1.0 (the ssl.* field prefix became tls.* in Wireshark 3.0)
Prevention and Mitigation
Network Level
- Port Security: Limit MAC addresses per switch port
- DHCP Snooping: Prevent rogue DHCP servers
- Dynamic ARP Inspection (DAI): Validates ARP packets
- VLAN Segmentation: Isolate sensitive traffic
Application Level
- HSTS (HTTP Strict Transport Security): Forces HTTPS
- Certificate Pinning: Prevents certificate substitution
- Mutual TLS: Client certificate authentication
- Traffic Encryption: End-to-end encryption
DNS Security
- DNSSEC: Cryptographically signed DNS records
- DNS over HTTPS (DoH): Encrypted DNS queries
- DNS over TLS (DoT): DNS over secure transport
Monitoring Solutions
- Network IDS/IPS: Real-time threat detection
- Certificate Transparency: Monitor certificate issuance
- ARP Monitoring: Automated ARP table monitoring
- TLS Inspection: Decrypt and inspect encrypted traffic
Tools for MITM Detection and Analysis
- Wireshark: Primary packet analysis tool
- tcpdump: Command-line packet capture
- ettercap: MITM attack tool and detector
- dsniff: Network auditing and penetration
- arpspoof: ARP spoofing detection
- sslstrip: SSL stripping attack simulation
- dnsspoof: DNS spoofing detection
- NetworkMiner: Network traffic forensics
- Bettercap: Comprehensive MITM framework
Lessons Learned
- MITM attacks can occur at multiple network layers
- Traffic analysis reveals attack patterns and indicators
- ARP spoofing is fundamental to many LAN-based MITM attacks
- DNS manipulation enables sophisticated phishing attacks
- SSL stripping defeats encryption protection mechanisms
- Multiple attack vectors can be combined for greater impact
- Prevention requires layered security controls
- Regular network monitoring is essential for early detection
- Understanding protocol vulnerabilities helps in attack recognition
Real-World Impact
MITM attacks are responsible for significant data breaches and financial losses worldwide:
- Financial Impact: Billions in losses from stolen credentials and data
- Target Industries: Banking, e-commerce, healthcare, government
- Attack Vectors: Public WiFi hotspots are prime attack surfaces
- Regulatory Compliance: GDPR, PCI-DSS require protection against MITM attacks
Advanced MITM Concepts
HTTPS Downgrade Attacks
- SSLStrip: Removes HTTPS protection entirely
- SSLsplit: Splits and proxies TLS connections
- CRIME/BREACH: Compression-based attacks on encrypted data
WPA Enterprise Attacks
- Evil Twin: Fake access points to intercept connections
- PEAP Downgrade: Forces weaker EAP methods
- CERT Validation Bypass: Ignores certificate warnings
Mobile Network Attacks
- IMSI Catcher (Stingray): Fake base station interception
- Voice Interception: SMS and call manipulation
- Near Field Communication (NFC): Contactless card attacks