Man in the middle attack

Table of Contents

What is a man in the middle attack?

A man-in-the-middle attack comes in many variants and forms, but they are always based on the same principle: that of "silent mail".

Communication between two participants is conducted via a third, unknown or supposedly trustworthy participant, who intercepts, forwards and changes the information sent between them if it is useful to him.

Based on this principle, proxies, VPNs and firewalls, which use deep packet inspection, also as a man in the middle – albeit here to protect users.

man of a thousand faces

A man-in-the-middle attack can take place in internal networks, the Internet, as well as all forms of wireless networks.

Man in the middle attacks are primarily time-based attacks. The longer they can be operated, the more successful and disastrous are their effects.

The targets of the attack

The most common goal is to obtain personal information, such as usernames, passwords, pins or hashes for access or identity theft. This information can also be obtained in the form of message histories or telephone transcripts. But the distribution of malware is also common.

How does a man in the middle attack work?

In internal networks, a man-in-the-middle attack can e.g. B. using NBTNS (NetBIOS Name Services) or LLMNR (Link-Local Multicast Name Resolution) by linking the MAC address of the attacker with the IP address of another host (so-called spoofing).

In the course of the increasing spread of IPv6, an attacker can also offer himself as a router based on IPv6 in a network that is actually only based on IPv4, and thus gain access to sensitive data.

An attacker could also manipulate the DNS cache (DNS poisining) in order to guide their victims to fake websites or via a proxy in order to then carry out clickjacking, for example.

Man in the Middle Attack on WiFi network

With WiFi networks, man-in-the-middle attacks can sometimes be carried out without much effort.

An attacker only has to set up a free WLAN hotspot and rely on the human factor or on the automatic connection function of the devices.

But even apart from the human factor and automatism, a man-in-the-middle attack can be carried out by an evil twin or rogue access point. By impersonating a legitimate access point by broadcasting the same SSID (Service Set Identifier), the attacker will dial up to devices for which its signal is the stronger one.

By flooding the devices or the legitimate access point with deauthentication frames, the attacker can get devices that are already dialed in at the other access point to log on to their evil twin.

Defense from an attack

There is no single defense against man-in-the-middle attacks, only various building blocks that administrators and users can put together to form a mosaic in order to offer the attack as little attack surface as possible and to set the effort for the attacker as high as possible .
Do you want to get started as a penetration tester?
Qualify for your dream job with our practice-oriented intensive course!
To the Junior Penetration Tester certificate course
Newsletter Form

Become a Cyber ​​Security Insider

Get early access and exclusive content!

By signing up, you agree to receive occasional marketing emails from us.
Please accept the cookies at the bottom of this page to be able to submit the form!

Table of Contents

NewsLetter Form Pop Up New

Become a Cyber ​​Security Insider

Subscribe to our knowledge base and get:

Early access to new blog posts
Exclusive content
Regular updates on industry trends and best practices

By signing up, you agree to receive occasional marketing emails from us.
Please accept the cookies at the bottom of this page to be able to submit the form!