What is a man-in-the-middle (MITM) attack?

A man-in-the-middle (MITM) attack is a common type of cybersecurity attack that allows attackers to eavesdrop on the communication between two targets. The attack takes place between two legitimately communicating hosts, allowing the attacker to "listen" to a conversation they should normally not be able to listen to, hence the name "man-in-the-middle".

MITM attack example

Here's an analogy: Alice and Bob are having a conversation; Eve wants to eavesdrop on the conversation but also remain transparent. Eve could tell Alice that she is Bob and tell Bob that she is Alice.

This would lead Alice to believe she is talking to Bob, while actually revealing part of her conversation to Eve. Eve can then gather information from it, alter the responses, and pass the messages along to Bob (who thinks he is talking to Alice). As a result, Eve is able to transparently hijack their conversation.

Types of man-in-the-middle attacks

Rogue access point

Devices equipped with wireless cards will often try to auto-connect to the access point that is emitting the strongest signal. Attackers can set up their own wireless access point and trick nearby devices to join its domain. All of the victim's network traffic can now be manipulated by the attacker. This is dangerous because the attacker does not even have to be on a trusted network to do this; the attacker simply needs to be in close enough physical proximity.

ARP spoofing

ARP is the Address Resolution Protocol. It is used to resolve IP addresses to physical MAC (media access control) addresses in a local area network. When a host needs to talk to a host with a given IP address, it references the ARP cache to resolve the IP address to a MAC address. If the address is not known, a request is made asking for the MAC address of the device with the IP address.

An attacker wishing to pose as another host could respond to requests it should not be responding to with its own MAC address. With some precisely placed packets, an attacker can sniff the private traffic between two hosts. Valuable information can be extracted from the traffic, such as the exchange of session tokens, yielding full access to application accounts that the attacker should not be able to access.
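The two symptoms a defender can watch for in the scenario above are one IP address being claimed by more than one MAC address, and ARP replies that answer no request. The following monitor is an added example, not code from the original article; the ARP records, IPs and MAC addresses it processes are constructed sample data, and the `trusted` mapping of gateway IP to expected MAC is an assumption a network operator would supply.

```python
# Added example (not from the original article): a small ARP-reply monitor that
# flags the symptoms of ARP spoofing: an IP address claimed by more than one
# MAC address, unsolicited ("gratuitous") replies, and a mismatch against a
# known-good mapping. All records below are constructed, not a real capture.
from collections import defaultdict

# Constructed sample of ARP replies seen on a LAN: (sender_ip, sender_mac, solicited)
# `solicited` is True when a matching "who-has" request was seen shortly before.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01", True),   # gateway answers a request
    ("192.168.1.20", "aa:bb:cc:00:00:20", True),  # ordinary host
    ("192.168.1.1", "de:ad:be:ef:00:99", False),  # same IP, new MAC, unsolicited
    ("192.168.1.1", "aa:bb:cc:00:00:01", True),
]


def find_arp_conflicts(replies):
    """Return {ip: set_of_macs} for every IP claimed by more than one MAC."""
    seen = defaultdict(set)
    for ip, mac, _ in replies:
        seen[ip].add(mac.lower())
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def find_unsolicited(replies):
    """Return (ip, mac) pairs for replies that answered no request."""
    return [(ip, mac.lower()) for ip, mac, solicited in replies if not solicited]


def arp_alerts(replies, trusted=None):
    """Build human-readable alerts. `trusted` (assumed to be supplied by the
    operator) maps IP -> expected MAC, e.g. for the gateway, so a wrong answer
    is reported even before a second MAC shows up."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for ip, macs in find_arp_conflicts(replies).items():
        alerts.append(f"{ip} claimed by multiple MACs: {sorted(macs)}")
    for ip, mac in find_unsolicited(replies):
        alerts.append(f"unsolicited ARP reply for {ip} from {mac}")
    for ip, mac, _ in replies:
        if ip in trusted and mac.lower() != trusted[ip]:
            alerts.append(f"{ip} answered by {mac.lower()}, expected {trusted[ip]}")
    return alerts


if __name__ == "__main__":
    for line in arp_alerts(SAMPLE_ARP_REPLIES, trusted={"192.168.1.1": "aa:bb:cc:00:00:01"}):
        print(line)
```

On a real network the `replies` list would be fed from a packet capture of ARP traffic; static ARP entries for the gateway are the simplest mitigation once an alert fires.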

mDNS spoofing

Multicast DNS is similar to DNS, but it is done on a local area network (LAN) using broadcast like ARP. This makes it a perfect target for spoofing attacks. The local name resolution system is supposed to make the configuration of network devices extremely simple. Users don't have to know exactly which addresses their devices should be communicating with; they let the system resolve it for them.

Devices such as TVs, printers, and entertainment systems make use of this protocol since they are typically on trusted networks. When an application needs to know the address of a certain device, such as tv.local, an attacker can easily respond to that request with fake data, instructing it to resolve to an address it has control over. Since devices keep a local cache of addresses, the victim will now see the attacker's device as trusted for a duration of time.

DNS spoofing

Similar to the way ARP resolves IP addresses to MAC addresses on a LAN, DNS resolves domain names to IP addresses. When using a DNS spoofing attack, the attacker attempts to introduce corrupt DNS cache information to a host in an attempt to access another host using their domain name, such as www.onlinebanking.com. This leads to the victim sending sensitive information to a malicious host, with the belief they are sending information to a trusted source. An attacker who has already spoofed an IP address could have a much easier time spoofing DNS simply by resolving the address of a DNS server to the attacker's address.

Man-in-the-middle attack techniques

Sniffing

Attackers use packet capture tools to inspect packets at a low level. Using specific wireless devices that are allowed to be put into monitoring or promiscuous mode can allow an attacker to see packets that are not intended for it to see, such as packets addressed to other hosts.

Packet injection

An attacker can also leverage their device's monitoring mode to inject malicious packets into data communication streams. The packets can blend in with valid data communication streams, appearing to be part of the communication but malicious in nature. Packet injection usually involves first sniffing to determine how and when to craft and send packets.

Session hijacking

Most web applications use a login mechanism that generates a temporary session token to use for future requests to avoid requiring the user to type a password at every page. An attacker can sniff sensitive traffic to identify the session token for a user and use it to make requests as the user. Once the attacker has the session token, there is no need to spoof anything.

SSL stripping

Since using HTTPS is a common safeguard against ARP or DNS spoofing, attackers use SSL stripping to intercept packets and alter their HTTPS-based address requests to go to their HTTP equivalent endpoint, forcing the host to make requests to the server unencrypted. Sensitive information can then be leaked in plain text.

How to detect a man-in-the-middle attack

Detecting a man-in-the-middle attack can be difficult without taking the proper steps. If you aren't actively searching to determine whether your communications have been intercepted, a man-in-the-middle attack can potentially go unnoticed until it's too late. Checking for proper page authentication and implementing some sort of tamper detection are typically the key methods to detect a possible attack, but these procedures may require extra forensic analysis after the fact.

It's important to take precautionary measures to prevent MITM attacks before they occur, rather than attempting to detect them while they are actively occurring. Being aware of your browsing practices and recognizing potentially harmful areas can be essential to maintaining a secure network. Below, we have included five of the best practices to prevent MITM attacks from compromising your communications.

Man-in-the-middle attack prevention

Strong WEP/WAP encryption on access points

Having a strong encryption mechanism on wireless access points prevents unwanted users from joining your network just by being nearby. A weak encryption mechanism can allow an attacker to brute-force his way into the network and begin man-in-the-middle attacks. The stronger the encryption implementation, the safer.

Strong router login credentials

It's essential to make sure your default router login is changed. Not just your Wi-Fi password, but your router login credentials as well. If an attacker finds your router login credentials, they can change your DNS servers to their malicious servers, or, even worse, infect your router with malicious software.

Virtual private network

VPNs can be used to create a secure environment for sensitive information within a local area network. They use key-based encryption to create a subnet for secure communication. This way, even if an attacker happens to get onto a shared network, he will not be able to decipher the traffic in the VPN.

Force HTTPS

HTTPS can be used to securely communicate over HTTP using public-private key exchange. This prevents an attacker from making any use of the data he may be sniffing. Websites should only use HTTPS and not provide HTTP alternatives. Users can install browser plugins to enforce always using HTTPS on requests.
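Forcing HTTPS on the server side and hardening the session cookie are the defenses that blunt the SSL stripping and session hijacking techniques described earlier. The following is an added example, not code from the original article: the `Request` class, host names and token values are constructed for illustration, while the `Strict-Transport-Security` header and the `Secure`/`HttpOnly`/`SameSite` cookie attributes are the standard ones browsers honour.

```python
# Added example (not from the original article): server-side checks that
# (1) redirect every plain-HTTP request to HTTPS and send HSTS so the browser
# refuses HTTP on later visits, and (2) issue the session token as a cookie
# that a sniffer on plain HTTP cannot obtain. Hosts and tokens are constructed.
from dataclasses import dataclass, field

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # one year, covers subdomains


@dataclass
class Request:
    scheme: str                 # "http" or "https"
    host: str
    path: str
    headers: dict = field(default_factory=dict)


def enforce_https(req):
    """Return (status, headers) for the response the app should send.
    Plain-HTTP requests get a permanent redirect to the HTTPS URL; HTTPS
    responses carry HSTS so the browser remembers to use HTTPS next time."""
    if req.scheme != "https":
        return 301, {"Location": f"https://{req.host}{req.path}"}
    return 200, {"Strict-Transport-Security": HSTS_VALUE}


def session_cookie(token, domain):
    """Set-Cookie value for a session token: Secure keeps it off plain HTTP,
    HttpOnly keeps it away from page scripts, SameSite limits cross-site use."""
    return (f"session={token}; Domain={domain}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def audit_set_cookie(header):
    """Return the hardening attributes missing from an existing Set-Cookie
    header value, in a fixed order, so a deployment can be checked."""
    attrs = {part.strip().split("=")[0].lower() for part in header.split(";")[1:]}
    return [flag for flag in ("secure", "httponly", "samesite") if flag not in attrs]


if __name__ == "__main__":
    print(enforce_https(Request("http", "bank.example", "/login")))
    print(enforce_https(Request("https", "bank.example", "/login")))
    print(session_cookie("tok-0123", "bank.example"))
    print(audit_set_cookie("session=tok-0123; Path=/"))  # weak cookie
```

The redirect alone does not stop a stripper sitting on the first plain-HTTP request; the HSTS header sent over HTTPS is what makes the browser skip HTTP on subsequent visits.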

Public key pair based authentication

Man-in-the-middle attacks typically involve spoofing one thing or another. Public key pair based authentication such as RSA can be used at various layers of the stack to help ensure that the things you are communicating with are actually the things you want to be communicating with.