
Man-in-the-middle attacks. Technical FAQ

You can almost always achieve the desired result in several ways, and information security is no exception. To reach a goal you can sometimes brute-force, hunt for holes and develop exploits on your own, or listen to what is transmitted over the network. The last option is often the best one. That is why today we will talk about tools that help pick valuable information out of network traffic by means of MITM attacks.

MITMf

Let's start with one of the more interesting candidates. This is a whole framework for man-in-the-middle attacks, built on top of sergio-proxy. Recently included in Kali Linux. To install it yourself, just clone the repository and run a couple of commands:

# ./setup.sh
# pip install -r requirements.txt

It has an architecture that can be extended by plug-ins. Among the main ones are the following:

  • Spoof - allows you to redirect traffic using ARP / DHCP spoofing, ICMP redirects and modify DNS queries;
  • Sniffer - this plugin monitors login attempts for various protocols;
  • BeEFAutorun - allows you to automatically run BeEF modules based on the type of OS and client browser;
  • AppCachePoison - performs a cache poisoning attack;
  • SessionHijacking - hijacks sessions and saves received cookies in a Firefox profile;
  • BrowserProfiler - tries to get a list of plugins used by the browser;
  • FilePwn - allows you to replace files sent over HTTP using Backdoor Factory and BDFProxy;
  • Inject - injects arbitrary content into an HTML page;
  • jskeylogger - Injects a JavaScript keylogger into client pages.

If this functionality is not enough for you, then you can always add your own by implementing the appropriate extension.

PuTTY Rider

Another noteworthy utility. True, unlike all the other tools considered today, it is very narrowly specialized. As the author of the project himself says, he was inspired to create such a utility by the fact that during penetration tests the most important data was located on Linux / UNIX servers, to which admins connected via SSH / Telnet / rlogin. And in most cases, accessing the administrators' machine was much easier than accessing the target server. Having penetrated the system administrator's machine, all that remains is to make sure that PuTTY is running and use this tool to build a reverse bridge to the attacker.


The utility allows not only sniffing the "communication" between the admin and a remote server (including passwords), but also executing arbitrary shell commands within a given session. And all this happens absolutely transparently for the user (administrator). If you are interested in technical details, for example, how the injection into the PuTTY process is implemented, I recommend that you read the author's presentation.


A rather old utility that was born more than eight years ago. It is designed to clone sessions by stealing cookies. For session hijacking, it has basic capabilities for detecting hosts (when connected to an open wireless network or a hub) and for performing ARP poisoning. The only problem is that today, unlike eight years ago, almost all large companies like Yahoo or Facebook use SSL encryption, which makes this tool completely useless. Despite this, there are still enough resources on the Web that do not use SSL, so it's too early to write off the utility. Its advantages include the fact that it automatically integrates into Firefox and creates a separate profile for each intercepted session. The source code is available in the repository, and you can build it yourself using the following sequence of commands:

# apt-get install build-essential libwxgtk2.8-dev libgtk2.0-dev libpcap-dev
# g++ $(wx-config --cppflags --libs) -lpcap -o sessionthief *.cpp
# setcap cap_net_raw,cap_net_admin=eip sessionthief

Proxy Fuzz

ProxyFuzz has nothing to do directly with MITM attacks. As you can guess from the name, the tool is designed for fuzzing. It is a small non-deterministic network fuzzer implemented in Python that randomly changes the contents of network traffic packets. It supports the TCP and UDP protocols and can be configured to fuzz only one side. It is useful when you need to quickly test some network application (or protocol) and develop a PoC. Usage example:

python proxyfuzz -l -r -p

The list of options includes:

  • w - sets the number of requests sent before fuzzing starts;
  • c - fuzz only the client (otherwise both sides);
  • s - fuzz only the server (otherwise both sides);
  • u - UDP protocol (otherwise TCP is used).

The Middler

Presented at the DEF CON conference, a utility for carrying out MITM attacks on various protocols. The alpha version supported the HTTP protocol and had three cool plugins in its arsenal:

  • plugin-beef.py - injects the Browser Exploitation Framework (BeEF) into any HTTP request coming from the local network;
  • plugin-metasploit.py - injects into unencrypted (HTTP) requests an IFRAME that loads browser exploits from Metasploit;
  • plugin-keylogger.py - Injects a JavaScript onKeyPress event handler for all text fields that will be sent over HTTPS, causing the browser to send the user's password character-by-character to the attacker's server before the entire form is submitted.

The Middler not only automatically analyzes network traffic and finds cookies in it, but also independently requests them from the client, that is, the process is automated to the maximum. The program guarantees the collection of all unprotected accounts in the computer network (or public hotspot), to the traffic of which it has access. For the program to work correctly, the following packages must be installed on the system: Scapy, libpcap, readline, libdnet, python-netfilter. Unfortunately, the repository has not been updated for a long time, so you will have to add new functionality yourself.

A console utility that allows you to interactively examine and modify HTTP traffic. Thanks to these capabilities, the utility is used not only by penetration testers / hackers, but also by ordinary developers who use it, for example, to debug web applications. It can be used to get detailed information about what requests the application makes and what responses it receives. Also, mitmproxy can help you learn how some REST APIs work, especially poorly documented ones.

Installation is extremely simple:

$ sudo aptitude install mitmproxy

$ pip install mitmproxy

$ easy_install mitmproxy

It is worth noting that mitmproxy also allows you to intercept HTTPS traffic by issuing a self-signed certificate to the client. A good example of how to configure traffic interception and modification can be found.


Intercepter-NG

It would be strange if this legendary instrument was not included in our review. Even if you've never used it, you've probably heard of it (and you just have to get to know it better) - it's quite common on the pages of the magazine. I will not fully describe its functionality - firstly, we are interested in MITM, and secondly, such a description will take up the entire article.


A man-in-the-middle attack is a generic name for various techniques aimed at gaining access to traffic as an intermediary. Because these techniques are so varied, it is difficult to implement a single detection tool that would work in all possible situations. For example, a man-in-the-middle attack on a local network commonly uses ARP spoofing (poisoning), and many detection tools watch for changes in Ethernet address pairs or report suspicious ARP activity by passively monitoring ARP requests/responses. But if the attack is carried out through a maliciously configured proxy server, a VPN, or in some other way that does not involve ARP poisoning, such tools are helpless.

The purpose of this section is to look at some techniques for detecting man-in-the-middle attacks, as well as some tools designed to determine if you are under a MitM attack. Due to the variety of methodologies and implementation scenarios, 100% detection cannot be guaranteed.

1. Traffic modification detection

As already mentioned, ARP spoofing is not always used in man-in-the-middle attacks. Therefore, while ARP level activity detection is the most popular detection method, traffic modification detection is a more general method. The mitmcanary program can help us with this.

The principle of the program is that it makes "control" requests and saves the received answers. After that, it repeats the same requests at certain intervals and compares the responses received. The program is quite intelligent and, to avoid false positives, it detects dynamic elements in responses and processes them correctly. As soon as the program has recorded traces of the activity of tools for MitM attacks, it reports about it.

Examples of the traces some tools leave behind:

  • MITMf by default changes all HTTPS URLs in HTML code to HTTP. It is detected by comparing HTTP content.
  • Zarp + MITMProxy: MITMProxy has a feature that strips HTTP compression to make the transmitted traffic transparent; this combination is detected by the disappearance of compression that was previously present.
  • Responder is detected by sudden changes in how mDNS responses are resolved: an unexpected response; a response that is internal where an external one is expected; a response with a different IP than expected.

sudo pip install Cython
sudo apt-get install python-kivy python-dbus
sudo pip install plyer uuid urlopen analysis request simplejson datetime
git clone https://github.com/CylanceSPEAR/mitmcanary.git
cd mitmcanary/

As already mentioned, the work of mitmcanary must be started with control requests. To do this, go to the directory

cd service/

And run the file setup_test_persistence.py:

python2 setup_test_persistence.py

This will take some time - wait until the end. No error messages should be displayed (if so, then you are missing some dependencies).

Something like this will be output:

mial@HackWare:~/bin/mitmcanary/service$ python2 setup_test_persistence.py
Older configuration version detected (0 instead of 14)
Upgrading configuration in progress.
Purge log fired. Analyzing...
Purge finished!
Record log in /home/mial/.kivy/logs/kivy_16-11-01_0.txt
v1.9.1
v2.7.12+ (default, Sep 1 2016, 20:27:38)

After finishing this process, in the same directory, execute (this will start a background process):

python2 main.py

After that, open a new terminal window and change to the root directory with mitmcanary. My directory is bin/mitmcanary/, so I enter

cd bin/mitmcanary/

and execute there:

python2 main.py

The first window will display something like:

mial@HackWare:~/bin/mitmcanary/service$ python2 main.py
Record log in /home/mial/.kivy/logs/kivy_16-11-01_1.txt
v1.9.1
v2.7.12+ (default, Sep 1 2016, 20:27:38)
using for socket
listening for Tuio on 127.0.0.1:3000
Sleeping for 60 seconds
Sleeping for 60 seconds
Sleeping for 60 seconds
Sleeping for 60 seconds
Sleeping for 60 seconds
Sleeping for 60 seconds

That is, the program makes control requests once a minute and looks for signs of a man-in-the-middle attack in them.

The second window also shows output, and a dark window opens; the authors of the program call this window a “graphical interface”:

You can wait a while, surf the Internet to make sure that the program does not make any false alerts.

Let's try the classic Ettercap program.

I'm running a regular MitM attack with ARP spoofing. mitmcanary does not react to the poisoning itself. The mitmcanary tool generates traffic itself, i.e. no user action is required. After some time, one single warning appears, which is not confirmed during subsequent checks. But the same warning appears after a few minutes. Without additional analysis, I find it difficult to say whether this is an example of a false positive, though it looks very much like one. It is quite possible that this warning is caused by a connection failure due to the need for traffic to go through additional routes, or by the peculiarities of my poor Internet connection.

Since the result is not obvious (more "no" than "yes"), let's try the Bettercap program, which has a variety of modules. I have no doubt that when using various Ettercap plugins and/or additional programs to extend its functionality, we would also show up in mitmcanary.

For the purity of the experiment, I restart the equipment, run mitmcanary on the attacked machine and Bettercap on the attacking one. At the same time, it is not necessary to make control requests again on the attacked machine: they are saved in a file inside the directory with the program. That is, it is enough to start the service and the graphical interface.

And in the attacking machine, we will run Bettercap with parsers enabled:

sudo bettercap -X

Separate warnings appear, which also look more like false positives.

But running this command:

sudo bettercap -X --proxy

On the attacked machine, it causes a large number of warnings about a possible man-in-the-middle attack:

So, the more functional the man-in-the-middle attack tool, the more traces it leaves in traffic. For the practical use of mitmcanary, the following conditions must be met:

  • make initial requests in a trusted network when you are sure that there is no intermediary in the transmission of traffic;
  • edit the resources to which verification requests are made, since a professional attacker can add default resources to exceptions, which will make him invisible to this tool.
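The baseline-and-compare principle described in this section, as an added example (it is not mitmcanary's code and not from the original article). It checks the two traces named above, HTTPS links rewritten to HTTP and compression that disappears, plus script tags that were not in the baseline; the host names, page content and feature set are assumptions constructed for the illustration.

```python
"""Baseline-and-compare detection of traffic modification (added example)."""
import hashlib
import re

# Absolute links in href/src/action attributes: captures (scheme, host).
LINK = re.compile(r'(?:href|src|action)\s*=\s*["\'](https?)://([^"\'/\s>]+)', re.I)
# Every <script src=...> value, relative or absolute.
SCRIPT = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)', re.I)


def fingerprint(headers, body):
    """Reduce one response to the features MitM tooling tends to change."""
    hdrs = {k.lower(): v.strip().lower() for k, v in headers.items()}
    links = [(s.lower(), h.lower()) for s, h in LINK.findall(body)]
    return {
        "encoding": hdrs.get("content-encoding", ""),
        "https_hosts": frozenset(h for s, h in links if s == "https"),
        "http_hosts": frozenset(h for s, h in links if s == "http"),
        "scripts": frozenset(SCRIPT.findall(body)),
        "body_sha256": hashlib.sha256(body.encode()).hexdigest(),
    }


def build_baseline(trusted_samples):
    """Keep only features that were identical in every capture made on a
    trusted network. Features that vary between trusted captures are treated
    as dynamic and dropped, which is what keeps false positives down."""
    prints = [fingerprint(h, b) for h, b in trusted_samples]
    return {k: v for k, v in prints[0].items() if all(p[k] == v for p in prints)}


def check(baseline, headers, body):
    """Compare a later response with the baseline; return a list of findings."""
    cur = fingerprint(headers, body)
    findings = []
    if baseline.get("encoding") and not cur["encoding"]:
        findings.append("compression removed (baseline: %s)" % baseline["encoding"])
    for host in sorted(baseline.get("https_hosts", frozenset()) - cur["https_hosts"]):
        if host in cur["http_hosts"]:
            findings.append("https link downgraded to http: " + host)
    if "scripts" in baseline:
        for src in sorted(cur["scripts"] - baseline["scripts"]):
            findings.append("unexpected script: " + src)
    if "body_sha256" in baseline and cur["body_sha256"] != baseline["body_sha256"]:
        findings.append("static body changed")
    return findings


def _page(token, scheme="https", extra=""):
    """Constructed control page; the csrf token changes on every request."""
    return ('<html><body><a href="%s://login.example.test/signin">Sign in</a>'
            '<input type="hidden" name="csrf" value="%s">'
            '<script src="/static/app.js"></script>%s</body></html>'
            % (scheme, token, extra))


GZIP = {"Content-Type": "text/html", "Content-Encoding": "gzip"}
PLAIN = {"Content-Type": "text/html"}

# Two captures taken on a trusted network: the body hash differs (token),
# so it is dropped from the baseline; the other features are stable.
BASELINE = build_baseline([(GZIP, _page("a1")), (GZIP, _page("b2"))])

# A later clean response, and one as it might look behind a modifying proxy.
CLEAN = check(BASELINE, GZIP, _page("c3"))
TAMPERED = check(BASELINE, PLAIN, _page(
    "d4", scheme="http", extra='<script src="http://192.0.2.10/k.js"></script>'))

if __name__ == "__main__":
    print("clean:", CLEAN)
    for finding in TAMPERED:
        print("ALERT:", finding)
```

As the conditions above require, the baseline is only as good as the network it was recorded on, and the control URLs should be your own rather than a tool's defaults.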

2. Detection of ARP spoofing (arp cache poisoning)

Very often, a man-in-the-middle attack on a local network starts with ARP poisoning. That is why many tools designed to detect MitM attacks are based on tracking changes in the ARP cache, which maps IP addresses to Ethernet (MAC) addresses.

Examples of such programs include arpwatch, arpalert and a large number of newer programs. The ArpON program not only monitors ARP cache changes, but also protects the cache from them.

As an example, let's run arpwatch in debug mode, without creating forks in the background and sending messages by mail. Instead, messages are sent to stderr (standard error output).

sudo /usr/sbin/arpwatch -d

On the attacking machine, run Ettercap and start ARP spoofing. On the attacked machine we observe:

The arpwatch program will help you quickly find out about new devices connected to your local network, as well as changes to the ARP cache.
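What ARP cache tracking amounts to, as an added example (this is not arpwatch's code and not from the original article). It replays snapshots in the Linux /proc/net/arp format and reports new stations, changed MAC addresses, addresses that flip back, and one MAC answering for several IPs; the addresses, snapshots and event names are constructed for the illustration.

```python
"""ARP cache change tracking over /proc/net/arp snapshots (added example)."""

ATF_COM = 0x2  # Linux ARP flag: entry is complete (a MAC was resolved)


def parse_proc_net_arp(text):
    """Return {ip: mac} for complete entries of a /proc/net/arp dump."""
    table = {}
    for line in text.strip().splitlines()[1:]:      # first line is the header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & ATF_COM:                          # skip incomplete entries
            table[ip] = mac
    return table


class ArpMonitor:
    def __init__(self):
        self.known = {}     # ip -> MAC seen in the previous snapshot
        self.history = {}   # ip -> every MAC ever seen for it

    def observe(self, table):
        """Compare one snapshot with what was seen before; return events."""
        events = []
        for ip, mac in sorted(table.items()):
            old = self.known.get(ip)
            if old is None:
                events.append(("new-station", ip, mac))
            elif old != mac:
                # A MAC that was seen earlier for this IP means the pair is
                # oscillating, e.g. poisoning started or was just reverted.
                kind = "flip-flop" if mac in self.history[ip] else "mac-changed"
                events.append((kind, ip, "%s -> %s" % (old, mac)))
            self.known[ip] = mac
            self.history.setdefault(ip, set()).add(mac)
        # One MAC claiming several IPs: typical while a host impersonates
        # the gateway (also seen with legitimate multi-address hosts).
        owners = {}
        for ip, mac in table.items():
            owners.setdefault(mac, []).append(ip)
        for mac, ips in sorted(owners.items()):
            if len(ips) > 1:
                events.append(("shared-mac", ",".join(sorted(ips)), mac))
        return events


HEADER = "IP address       HW type     Flags       HW address            Mask     Device\n"

# Constructed snapshots: before, during and after gateway poisoning.
SNAP_BEFORE = HEADER + (
    "192.168.1.1      0x1         0x2         aa:bb:cc:00:00:01     *        eth0\n"
    "192.168.1.48     0x1         0x2         aa:bb:cc:00:00:48     *        eth0\n"
    "192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        eth0\n")
SNAP_POISONED = HEADER + (
    "192.168.1.1      0x1         0x2         aa:bb:cc:00:00:48     *        eth0\n"
    "192.168.1.48     0x1         0x2         aa:bb:cc:00:00:48     *        eth0\n")
SNAP_RESTORED = HEADER + (
    "192.168.1.1      0x1         0x2         aa:bb:cc:00:00:01     *        eth0\n"
    "192.168.1.48     0x1         0x2         aa:bb:cc:00:00:48     *        eth0\n")


def replay(snapshots):
    """Feed snapshots to a fresh monitor; return the events per snapshot."""
    monitor = ArpMonitor()
    return [monitor.observe(parse_proc_net_arp(s)) for s in snapshots]


if __name__ == "__main__":
    for n, events in enumerate(replay([SNAP_BEFORE, SNAP_POISONED, SNAP_RESTORED])):
        for event in events:
            print("snapshot %d:" % n, *event)
```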

Another tool for detecting real-time ARP spoofing is a plugin by Ettercap itself called arp_cop. On the attacked machine, run Ettercap as follows:

sudo ettercap -TQP arp_cop ///

And on the attacker, let's start ARP poisoning. Warnings immediately begin to appear on the attacked machine:

3. DNS Spoofing Detection

DNS spoofing indicates that there is an intermediary between you and the destination that can modify your traffic. How can you detect that DNS records have been spoofed? The easiest way to do this is to compare against the responses of a nameserver you trust. But after all, the entries in the response sent to your request can also be substituted ...

That is, you need to check either through an encrypted channel (for example, via Tor), or use non-standard settings (another port, TCP instead of UDP). The sans program from XiaoxiaoPu is roughly intended for this (at least, as I understand it). I managed to use this program to redirect DNS queries through Tor and through non-standard settings to my DNS server. But I was never able to get it to show me messages about DNS response spoofing. And without this, the meaning of the program is lost.

I couldn't find better alternatives.

In principle, given that DNS spoofers usually monitor only port 53, and only UDP protocol, even manually it is enough to simply check the fact of DNS spoofing, although this requires your own DNS server with a non-standard configuration. For example, on the attacking machine, I created the file dns.conf with the following content:

local mi-al.ru

That is, when requesting a DNS record for the site mi-al.ru, instead of the real IP, the IP of the attacker's machine will be sent.

I run on the attacking machine:

sudo bettercap --dns dns.conf

And on the attacked I do two checks:

dig mi-al.ru
# and
dig mi-al.ru -p 4560 @185.117.153.79

Results:

mial@HackWare:~$ dig mi-al.ru
; <<>> DiG 9.10.3-P4-Debian <<>> mi-al.ru
;; global options: +cmd
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51993
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;mi-al.ru. IN A
;; ANSWER SECTION:
mi-al.ru. 86400 IN A 192.168.1.48
;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Nov 02 09:25:20 MSK 2016
;; MSG SIZE rcvd: 42

mial@HackWare:~$ dig mi-al.ru -p 4560 @185.117.153.79
; <<>> DiG 9.10.3-P4-Debian <<>> mi-al.ru -p 4560 @185.117.153.79
;; global options: +cmd
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 401
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mi-al.ru. IN A
;; ANSWER SECTION:
mi-al.ru. 3799 IN A 185.26.122.50
;; Query time: 304 msec
;; SERVER: 185.117.153.79#4560(185.117.153.79)
;; WHEN: Wed Nov 02 09:25:27 MSK 2016
;; MSG SIZE rcvd: 53

It can be seen that for a “normal” DNS query, the local IP 192.168.1.48 was sent, and when querying DNS on an atypical port, the correct server IP is sent.

If the server were configured to work with TCP (rather than UDP), then the command would look like this:

dig mi-al.ru -p 4560 +tcp @185.117.153.79

Obviously, there is a lack of a tool that would track DNS responses in traffic itself, double-check them against an alternative source, and raise an alarm in case of spoofing.
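A small version of that cross-check, as an added example that is not from the original article: it parses the ANSWER SECTION of two dig runs (default path and alternative path) and reports answers that do not overlap, or a private address returned for the name. The sample outputs are trimmed from the dig results shown above; the function names are hypothetical, and the non-overlap rule is a heuristic, since sites served from several addresses can legitimately answer differently per resolver.

```python
"""Cross-check DNS answers from two resolution paths (added example)."""
import ipaddress
import subprocess


def dig_argv(name, server=None, port=None, tcp=False):
    """Build the dig command line used in the article's manual check."""
    argv = ["dig", name]
    if port is not None:
        argv += ["-p", str(port)]
    if server is not None:
        argv.append("@" + server)
    if tcp:
        argv.append("+tcp")
    return argv


def run_dig(name, **kwargs):
    """Run dig and return its text output (requires dig to be installed)."""
    return subprocess.run(dig_argv(name, **kwargs), capture_output=True,
                          text=True, timeout=15).stdout


def answer_records(dig_output, rtype="A"):
    """Return the set of rdata values of one type from the ANSWER SECTION."""
    records, in_answer = set(), False
    for line in dig_output.splitlines():
        line = line.strip()
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif in_answer and (not line or line.startswith(";")):
            in_answer = False                 # blank line or next section
        elif in_answer:
            fields = line.split()
            if len(fields) >= 5 and fields[2] == "IN" and fields[3] == rtype:
                records.add(fields[4])
    return records


def cross_check(name, default_out, trusted_out):
    """Compare the default resolver's answer with the alternative path's."""
    default, trusted = answer_records(default_out), answer_records(trusted_out)
    if not trusted:
        return ["%s: no answer on the trusted path, cannot compare" % name]
    findings = []
    if default.isdisjoint(trusted):
        findings.append("%s: answers do not overlap (default: %s; trusted: %s)"
                        % (name, ", ".join(sorted(default)) or "none",
                           ", ".join(sorted(trusted))))
    for addr in sorted(default - trusted):
        # A public name resolving to an RFC 1918 address only on the default
        # path is a much stronger signal than a plain mismatch.
        if ipaddress.ip_address(addr).is_private:
            findings.append("%s: default path returned private address %s"
                            % (name, addr))
    return findings


# Trimmed from the two dig outputs shown in the article.
DEFAULT_PATH = """\
;; QUESTION SECTION:
;mi-al.ru. IN A

;; ANSWER SECTION:
mi-al.ru. 86400 IN A 192.168.1.48

;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""
TRUSTED_PATH = """\
;; QUESTION SECTION:
;mi-al.ru. IN A

;; ANSWER SECTION:
mi-al.ru. 3799 IN A 185.26.122.50

;; Query time: 304 msec
;; SERVER: 185.117.153.79#4560(185.117.153.79)
"""

if __name__ == "__main__":
    for finding in cross_check("mi-al.ru", DEFAULT_PATH, TRUSTED_PATH):
        print("ALERT:", finding)
```

For a live check, pass `run_dig(name)` and `run_dig(name, server=..., port=...)` to `cross_check` in place of the embedded samples.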

To avoid setting up your own remote DNS, you can query the nameserver via Tor. Since all Tor traffic is encrypted, DNS responses received this way are out of an intermediary's reach. If Tor is not already installed, then install it.

sudo apt-get install tor

sudo pacman -S tor

Start the service:

sudo systemctl start tor

If you need it, add this service to startup:

sudo systemctl enable tor

Open file /etc/tor/torrc and add the following lines there:

DNSPort 530
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit, .onion

Pay attention to the number 530. This is the port number, instead of 530, you can specify any other (unoccupied) port. Most importantly, remember it.

Again we check:

dig mi-al.ru
# and
dig mi-al.ru -p 530 @localhost

Now we specify as the server localhost, and write the port number as specified in the /etc/tor/torrc.

As you can see from the following screenshot, a DNS spoofing attack is being carried out against the machine on which the check was made:

4. Search for network interfaces in promiscuous mode

If your local network has (and especially if it suddenly appeared) equipment in promiscuous mode, this is very suspicious, although it does not clearly indicate a man-in-the-middle attack.

In this mode, the network card allows you to receive all packets, regardless of who they are addressed to.

In the normal state, the Ethernet interface uses link layer packet filtering, and if the MAC address in the destination header of the received packet does not match the MAC address of the current network interface and is not broadcast, then the packet is discarded. In promiscuous mode, filtering on the network interface is disabled and all packets, including those not destined for the current host, are allowed into the system.

Most operating systems require administrator rights to enable promiscuous mode. That is, putting a network card into promiscuous mode is a conscious act that may serve the purpose of sniffing.

To search for network interfaces in promiscuous mode, there is an Ettercap plugin called search_promisc.

Plugin launch example:

sudo ettercap -TQP search_promisc ///

Plugin operation is not completely reliable, there may be errors in determining the network interface mode.

Conclusion

Some man-in-the-middle attack methods leave a lot of traces, and some (for example, passively looking for credentials on a proxy) are impossible or almost impossible to detect.

A "man in the middle" attack (MitM attack) is a term in cryptography denoting a situation where an attacker is able to read and modify at will the messages exchanged by correspondents, and neither of the latter can guess his presence in the channel.

A method of compromising a communication channel, in which an attacker, having connected to a channel between counterparties, actively intervenes in the transmission protocol, deleting, distorting information or imposing false information.

Attack principle:

Let's say object "A" plans to send some information to object "B". Object "C" has knowledge about the structure and properties of the data transfer method used, as well as the fact of the planned transmission of the actual information that "C" plans to intercept.

To perform an attack, "C" presents itself to object "A" as "B", and to object "B" as "A". Object "A", mistakenly believing that it is sending information to "B", sends it to object "C".

Object "C", having received the information, and having performed some actions with it (for example, copying or modifying for its own purposes) sends the data to the recipient itself - "B"; object "B", in turn, believes that the information was received by him directly from "A".

An example of a MitM attack:

Suppose Alice is in financial trouble and using an instant messaging program decides to ask John for a sum of money by sending a message:
Alice: John, hi!
Alice: Please send the encryption key, there is a small request!
John: Hello! Wait a second!

But at this time Mr. X, who was analyzing traffic with a sniffer, noticed this message, and the words "encryption key" aroused his curiosity. That is why he decided to intercept the following messages and replace them with the data he needed, and when he received the following message:
John: Here is my key: 1111_D

He changed John's key to his own, and sent a message to Alice:
John: Here is my key: 6666_M

Alice, unaware and thinking it is John's key, using the private key 6666_M, sends encrypted messages to John:
Alice: John, I'm in trouble and I need money urgently, please transfer $300 to my account: Z12345. Thank you. p.s. My key: 2222_A

Having received the message, Mister X decrypts it using his key, reads it, and rejoicing, changes Alice's account number and encryption key to his own, encrypts the message with the key 1111_D, and sends John a message:
Alice: John, I have problems and I urgently need money, please transfer $300 to my account: Z67890. Thank you. p.s. My key: 6666_A

After receiving the message, John decrypts it using the key 1111_D and, without a doubt, will transfer money to the account Z67890...

And so Mr. X made $300 using the man-in-the-middle attack, but Alice now has to explain that she didn't get the money... And John? John has to prove to Alice that he sent them...

Implementation:

A similar type of attack is used in some software products for listening to the network, for example:
NetStumbler - a program with which you can collect a lot of useful data about a wireless network and solve some problems associated with its operation. NetStumbler allows you to determine the range of the network and helps you accurately aim the antenna for communication over long distances. For each access point found, you can find out the MAC address, signal-to-noise ratio, the name of the service and the degree of its security. If the traffic is not encrypted, the program's ability to detect unauthorized connections will be useful.

dsniff - a set of programs for network audit and penetration checks. It provides passive network monitoring to search for data of interest (passwords, e-mail addresses, files, etc.), interception of network traffic that is normally inaccessible for analysis (for example, on a switched network), as well as the possibility of organizing MITM attacks to intercept SSH and HTTPS sessions by exploiting the shortcomings of PKI.

Cain & Abel - a free program that allows you to recover lost passwords for operating systems of the Windows family. Several recovery modes are supported: brute-force cracking, dictionary selection, viewing passwords hidden by asterisks, etc. There are also options for password detection by intercepting information packets and their subsequent analysis, recording network conversations, cache analysis, and others.

Ettercap - a sniffer, packet interceptor and logger for local Ethernet networks, which supports active and passive analysis of many protocols, as well as injecting its own data into an existing connection and filtering "on the fly" without disturbing the synchronization of the connection. The program allows you to intercept SSH1, HTTPS and other secure protocols and provides the ability to decrypt passwords for the following protocols: TELNET, ftp, POP, RLOGIN, SSH1, icq, SMB, Mysql, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG.

KARMA - a set of utilities for assessing the security of wireless clients. It is a wireless sniffer that, by passively listening to 802.11 Probe Request frames, allows you to discover clients and their preferred / trusted networks. A fake access point can then be created for one of the requested networks, to which the client can be automatically connected. High-level fake services can be used to steal personal data or exploit client-side vulnerabilities on the host.

airjack - a software package that, according to WiFi hacking experts, is the best tool for generating various 802.11 frames. AirJack includes a number of utilities designed to detect a hidden ESSID, send session termination frames with a fake MAC, perform MitM attacks and modify it.

Countermeasures:

To avoid attacks of this type, it is enough for subscribers "A" and "B" to transfer digital signatures of public encryption keys to each other using a reliable channel. Then, when comparing key signatures in encryption sessions, it will be possible to establish with which key the data was encrypted, and whether the keys have been spoofed.

10/18/2016 | Vladimir Khazov

The plans of the FSB, the Ministry of Telecom and Mass Communications and the Ministry of Industry and Trade to implement the provisions of the Yarovaya Law in terms of intercepting and decrypting the correspondence of Russians are no longer just plans, but are already beginning to be put into action by an order to prepare an expert opinion on the possibility of intercepting WhatsApp, Viber, Facebook Messenger, Telegram, Skype messages using MITM attacks and demonstration of a prototype of such a tool.

We wrote about the scheme for organizing a "legitimate" MITM attack in a previous article. Today we will dwell in more detail on the very principle of such an attack and how to implement it.

What is a MITM attack

Man In The Middle (MITM) translates as "man in the middle." The term refers to a network attack in which an attacker sits between an Internet user and the application the user accesses. Not physically, of course, but with the help of special software. The attacker presents himself to the user as the requested application (it can be a website or an Internet service) and imitates work with it in such a way that it gives the impression of normal operation and information exchange.

The target of the attack is the user's personal data, such as login credentials to various systems, bank details and card numbers, personal correspondence and other confidential information. In most cases, financial applications (bank clients, online banks, payment and money transfer services), company SaaS services, e-commerce sites (online stores) and other sites where authorization is required to enter the system are attacked.

Information obtained by an attacker can be used for various purposes, including illegal money transfers, account switching, interception of personal correspondence, purchases at someone else's expense, compromise and blackmail.

In addition, after stealing credentials and hacking the system, criminals can install malicious software on the corporate network to organize the theft of intellectual property (patents, designs, databases) and cause economic damage by deleting important data.

A MITM attack can be compared to a postman who, during the delivery of your correspondence, opens the letter, rewrites its contents for personal use, or even, by forging handwriting, adds something of his own, and then seals the envelope and delivers it to the addressee as if nothing had happened. Moreover, if you encrypted the text of the letter, and you want to personally inform the addressee of the decryption code, the postman will introduce himself as the addressee so that you will not even notice the substitution.

How a MITM attack is carried out

The execution of a MITM attack consists of two phases: interception and decryption.

  • Interception

The first stage of the attack is to intercept traffic from the user to the intended target and direct it to the attacker's network.

The most common and easiest way to intercept is a passive attack, when an attacker creates Wi-Fi points with free access (without password and authorization). At the moment when a user connects to such a point, the attacker has access to all traffic passing through it, and can extract any data from it for interception.

The second method is active interception, which can be carried out by one of the following options:

IP spoofing – substitution of the target IP address in the packet header with the address of the attacker. As a result, users, instead of going to the requested URL, end up on the attacker's site.

ARP spoofing – substitution of the host's real MAC address for the address of the attacker in the victim's ARP table. As a result, the data sent by the user to the IP address of the required node gets to the address of the attacker.

DNS spoofing – infecting the DNS cache, infiltrating the DNS server, and spoofing the match record of the website address. As a result, the user tries to access the requested site, but receives the attacker's site address from the DNS server.

  • Decryption

After interception, two-way SSL traffic must be decrypted, and this must be done in such a way that the user and the resource requested by him do not notice the interference.

There are several methods for this:

HTTPS spoofing – a fake certificate is sent to the victim's browser when a connection to the site is established via the HTTPS protocol. This certificate contains the digital signature of the compromised application, which causes the browser to accept the connection with the attacker as trusted. Once such a connection is established, the attacker has access to any data entered by the victim before it is passed to the application.

SSL BEAST (browser exploit against SSL/TLS) – the attack exploits an SSL vulnerability in TLS versions 1.0 and 1.2. The victim's computer is infected with malicious JavaScript that intercepts encrypted cookies sent to the web application. This compromises the "ciphertext block chaining" encryption mode in such a way that the attacker gets the decrypted cookies and authentication keys.

SSL hijacking – transmission of fake authentication keys to the user and application at the time of the start of the TCP session. This gives the appearance of a secure connection, when in fact the "man in the middle" is in control of the session.

SSL stripping – downgrades the connection from secure HTTPS to plain HTTP by intercepting the TLS authentication sent by the application to the user. The attacker provides the user with unencrypted access to the site, while he himself maintains a secure session with the application, gaining the opportunity to see the transmitted data of the victim.

Protection against MITM attacks

Reliable protection against MITM attacks is possible when the user takes several preventive actions and web application developers use a combination of encryption and authentication methods.

User actions:

  • Avoid connecting to Wi-Fi hotspots that do not have password protection. Turn off automatic connection to known access points: an attacker can disguise their own Wi-Fi as a legitimate one.
  • Pay attention to the browser notification about the transition to an insecure site. Such a message may indicate that you have been taken to a fake site of an attacker or that there are problems with the protection of a legitimate site.
  • End the session with the application (logout) if it is not in use.
  • Do not use public networks (cafe, park, hotel, etc.) for confidential transactions (business correspondence, financial transactions, purchases in online stores, etc.).
  • Use an up-to-date antivirus on your computer or laptop; it will help protect against attacks that use malicious software.

Developers of web applications and websites should use the secure protocols TLS and HTTPS, which greatly complicate spoofing attacks by encrypting the transmitted data. Also, their use prevents interception of traffic in order to obtain authorization parameters and access keys.

It is considered good practice to protect not only the authorization pages with TLS and HTTPS, but also all other sections of the site. This reduces the chance of an attacker stealing a user's cookies while the user navigates through insecure pages after logging in.
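A site can check that it really does protect every section, and that session cookies never travel over plain HTTP, by auditing its own response headers. The following is an added example, not part of the original article; the HSTS and Secure-cookie checks are standard browser mechanisms that the article does not name, and the threshold and sample responses are assumptions constructed for illustration.

```python
MIN_MAX_AGE = 15552000  # assumed policy threshold (180 days), not from the article

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isascii() and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def cookie_attrs(set_cookie):
    """Return (cookie name, set of lower-cased attribute names)."""
    first, *rest = set_cookie.split(";")
    name = first.split("=", 1)[0].strip()
    return name, {part.split("=", 1)[0].strip().lower() for part in rest}

def audit_response(scheme, headers):
    """headers is a list of (name, value) pairs; returns a list of findings."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if scheme != "https":
        findings.append("served over plain HTTP")
    elif not hsts:
        findings.append("no HSTS: browser may still try plain HTTP first")
    else:
        max_age, include_sub = parse_hsts(hsts[0])
        if max_age is None or max_age < MIN_MAX_AGE:
            findings.append("HSTS max-age missing or too short")
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains")
    for value in (v for n, v in headers if n.lower() == "set-cookie"):
        name, attrs = cookie_attrs(value)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: also sent over HTTP")
    return findings

# Constructed responses for an imaginary site.
WEAK = [("Set-Cookie", "sid=abc123; Path=/; HttpOnly")]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly; Secure"),
]
```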

Protection against MITM attacks is the responsibility of the user and telecom operator. For the user, the most important thing is not to lose vigilance, use only proven methods of accessing the Internet, and choose sites with HTTPS encryption to transfer personal data. Telecom operators can be recommended to use Deep Packet Inspection (DPI) systems to detect anomalies in data networks and prevent spoofing attacks.

Government agencies plan to use the MITM attack to protect citizens, and not to cause damage, unlike attackers. The interception of personal messages and other user traffic is carried out within the framework of current legislation, by decision of the judicial authorities, to combat terrorism, drug trafficking and other prohibited activities. For ordinary users, "legitimate" MITM attacks are not dangerous.

MTProto uses an original method in order to achieve reliability in the now vulnerable mobile connection and speed in the delivery of large files (for example, photos, videos and documents up to 1 GB in size). This document is intended to explain the details of our system and to cover elements that are difficult to understand at first glance.

Detailed protocol documentation is available on this page. If you have any questions - write to Twitter.

Note: Each message encrypted with MTProto always contains the following data, which will be checked during decryption in order to make the system secure against known issues:

  • session identifier (session id);
  • message length.

Note 2: See additional comments about the use of , and modified scheme .

Why don't you use X [your choice]?

While other ways to achieve the same cryptographic goals undoubtedly exist, we believe the current solution is both secure and succeeds in our secondary goal of outperforming insecure messengers in terms of delivery speed and stability.

Why do you rely on classical cryptoalgorithms?

We prefer to use well-known algorithms from the days when throughput and processing power were both scarce. It is these algorithms that have a significant impact on today's development of applications for mobile devices, forcing their authors to get rid of known shortcomings. The weaknesses of such algorithms are also well known and have been exploited by attackers for decades. We use these algorithms in this implementation because, as we believe, they cause any known attack to fail. However, we would be happy to see any evidence to the contrary (so far there have been no such cases) in order to improve our system.

I am a security expert and I believe your protocol is insecure.

You can take part in our contest: Pavel Durov is offering $200,000 in bitcoins to the first person to hack MTProto. You can read the announcement and the Contest FAQ. If you have any other comments, we would love to hear them on [email protected].

Protection against known attacks

Known-Plaintext Attacks

According to the definition, a known-plaintext attack is a type of cryptanalytic attack in which the attacker has both versions of the text: encrypted and original. The AES IGE used in MTProto is resistant to such attacks. In addition, the plaintext in MTProto always contains the server salt and session ID.

Adaptive Plaintext Attack

According to the definition, an adaptively chosen plaintext attack is a type of attack in cryptanalysis that assumes that the cryptanalyst can choose the plaintext and obtain the corresponding ciphertext. MTProto uses AES in IGE mode, which is secure against such attacks. IGE is known to be vulnerable to blockwise-adaptive attacks, but MTProto fixes this in the following way. Each plaintext message to be encrypted contains the following data, which is checked during decryption:

  • server salt (64-bit);
  • message sequence number;
  • message sending time.

On top of that, to replace the plaintext, you also need to use the correct AES key and initialization vector, both dependent on auth_key. This makes MTProto resistant against adaptive-plaintext attacks.

Chosen ciphertext attacks

By definition, a chosen-ciphertext attack is a cryptographic attack in which a cryptanalyst gathers information about a cipher by choosing the ciphertext and having it decrypted with an unknown key. In such an attack, an attacker can enter one or more known ciphertexts into the system and obtain plaintexts. With this data, an attacker can try to recover the key used for decryption. In MTProto, each time a message is decrypted, a check is made to see if the msg_key matches the SHA-1 of the decrypted data. The plaintext (decrypted data) also always contains information about the length of the message, its sequence number, and the server's salt. This nullifies ciphertext attacks.

Replay attacks

Replay attacks are impossible because each plaintext message contains a server salt, a unique message ID, and a sequence number.
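The checks described in the chosen-ciphertext and replay sections above can be shown as the validation a receiver performs on a message after decryption. The following is an added example, not Telegram's code: the header layout, the msg_key derivation (low-order 128 bits of SHA-1 over the unpadded body) and the zero padding are assumptions made for illustration, and the AES-IGE step is left out.

```python
import hashlib
import hmac
import struct

# Assumed layout for illustration: salt, session id, message id, seq no, data length.
HEADER = struct.Struct("<QQQII")

def msg_key_for(body):
    """Assumed derivation: low-order 128 bits of SHA-1 over the unpadded body."""
    return hashlib.sha1(body).digest()[4:20]

def build_plaintext(salt, session_id, msg_id, seq_no, data):
    """Sender side: return (padded plaintext, msg_key) ready for encryption."""
    body = HEADER.pack(salt, session_id, msg_id, seq_no, len(data)) + data
    return body + b"\x00" * (-len(body) % 16), msg_key_for(body)

class Receiver:
    """Checks applied to a message after decryption, before it is used."""

    def __init__(self, salt, session_id):
        self.salt, self.session_id = salt, session_id
        self.seen_ids = set()   # a real client would bound this set

    def accept(self, plaintext, msg_key):
        if len(plaintext) < HEADER.size:
            raise ValueError("truncated")
        salt, session_id, msg_id, seq_no, length = HEADER.unpack_from(plaintext)
        end = HEADER.size + length
        if end > len(plaintext) or len(plaintext) - end > 15:
            raise ValueError("bad length")
        # Integrity: the key sent with the message must match the decrypted body.
        if not hmac.compare_digest(msg_key_for(plaintext[:end]), msg_key):
            raise ValueError("msg_key mismatch")
        if salt != self.salt:
            raise ValueError("wrong server salt")
        if session_id != self.session_id:
            raise ValueError("wrong session id")
        if msg_id in self.seen_ids:
            raise ValueError("replayed message id")
        self.seen_ids.add(msg_id)
        return plaintext[HEADER.size:end]
```

A modified ciphertext decrypts to a body whose SHA-1 no longer matches msg_key, and a verbatim re-send of a valid message fails the message-id check.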

Attack "Man in the middle" (MitM)

Telegram has two communication modes: regular chats using client-server encryption, and secret chats using end-to-end encryption and protected from man-in-the-middle attacks. The data transfer between the client and the server is protected from such attacks during Diffie-Hellman key generation thanks to the RSA public key algorithm that is built into Telegram clients. After that, if the clients of the interlocutors trust the server software, secret chats between them are protected by the server from man-in-the-middle attacks. For those who do not trust the server, a comparison of secret codes is available in the application. Keys are rendered as images. By comparing the rendered keys, users can verify that a man-in-the-middle attack has not taken place.

Encryption

Are you using IGE? It's been hacked!

Yes, we use IGE, but in our implementation everything is fine with it. The fact that we do not use IGE as a MAC, together with other elements of our system, makes it pointless to try to hack IGE. IGE, just like the common cipher block chaining (CBC) mode, is subject to blockwise-adaptive attacks. But adaptive attacks are only a threat when the same key is used in multiple messages (which is not the case).

Adaptive attacks are not even theoretically possible in MTProto, because in order to decrypt messages, they must first be fully formed, since the key of the message depends on its content. As for non-adaptive CPA attacks, IGE is protected from them, as is CBC.