What is a Man-in-the-Middle (MITM) Attack?

Man-in-the-middle attacks (MITM) are a common type of cybersecurity attack that allows an attacker to eavesdrop on the communication between two targets. The attack takes place in between two legitimately communicating hosts, allowing the attacker to "listen" to a conversation they should normally not be able to listen to, hence the name "man-in-the-middle."

Example of a MITM Attack

Here's an analogy: Alice and Bob are having a conversation; Eve wants to eavesdrop on the conversation but also remain transparent. Eve could tell Alice that she was Bob and tell Bob that she was Alice.

This would lead Alice to believe she's speaking to Bob, while actually revealing her part of the conversation to Eve. Eve could then gather information from this, alter the response, and pass the message along to Bob (who thinks he's talking to Alice). As a result, Eve is able to transparently hijack their conversation.

Types of Man-in-the-Middle Attacks

Rogue Access Point

Devices equipped with wireless cards will often try to auto-connect to the access point that is emitting the strongest signal. Attackers can set up their own wireless access point and trick nearby devices into joining its domain. All of the victim's network traffic can now be manipulated by the attacker. This is dangerous because the attacker does not even have to be on a trusted network to do this; the attacker simply needs to be physically close enough.

ARP Spoofing

ARP is the Address Resolution Protocol. It is used to resolve IP addresses to physical MAC (media access control) addresses in a local area network. When a host needs to talk to a host with a given IP address, it references the ARP cache to resolve the IP address to a MAC address. If the address is not known, a request is made asking for the MAC address of the device with that IP address.

An attacker wishing to pose as another host could respond to requests it should not be responding to with its own MAC address. With some precisely placed packets, an attacker can sniff the private traffic between two hosts. Valuable information can be extracted from the traffic, such as the exchange of session tokens, yielding full access to application accounts that the attacker should not be able to access.

mDNS Spoofing

Multicast DNS is similar to DNS, but it's done on a local area network (LAN) using broadcast like ARP. This makes it a perfect target for spoofing attacks. The local name resolution system is supposed to make the configuration of network devices extremely simple. Users don't have to know exactly which addresses their devices should be communicating with; they let the system resolve it for them.

Devices such as TVs, printers, and entertainment systems make use of this protocol since they are typically on trusted networks. When an app needs to know the address of a certain device, such as tv.local, an attacker can easily respond to that request with fake data, instructing it to resolve to an address the attacker controls. Since devices keep a local cache of addresses, the victim will now treat the attacker's device as trusted for a period of time.

DNS Spoofing

Similar to the way ARP resolves IP addresses to MAC addresses on a LAN, DNS resolves domain names to IP addresses. With a DNS spoofing attack, the attacker attempts to introduce corrupt DNS cache information into a host that is trying to reach another host by its domain name, such as www.onlinebanking.com. This leads to the victim sending sensitive information to a malicious host, with the belief they are sending information to a trusted source. An attacker who has already spoofed an IP address can spoof DNS much more easily, simply by resolving the address of a DNS server to the attacker's own address.
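ARP, mDNS and DNS spoofing look alike from the defender's side: a binding that should be stable (IP to MAC for ARP, name to IP for mDNS and DNS) suddenly changes, or a single MAC starts answering for several IPs. The monitor below is an added example, not code from the original article, and it works over constructed sample observations rather than captured traffic; the `Observation` and `BindingMonitor` names are assumptions of this example.

```python
"""Binding-change monitor for ARP, mDNS and DNS answers.

The monitor stores the first binding it sees for each key and raises an
alert when a later answer contradicts it. A second ARP-specific check looks
for one MAC claiming several IPs (typically the gateway plus a victim).
All observations are constructed sample data, not captured traffic.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Observation:
    proto: str    # "arp", "mdns" or "dns"
    key: str      # IP address (ARP) or hostname (mDNS/DNS)
    value: str    # MAC address (ARP) or IP address (mDNS/DNS)
    source: str   # who sent the answer: a MAC (ARP/mDNS) or a resolver IP (DNS)
    ts: float     # seconds since monitoring started


@dataclass
class BindingMonitor:
    # (proto, key) -> (value, source, first_seen)
    bindings: Dict[Tuple[str, str], Tuple[str, str, float]] = field(default_factory=dict)
    # ARP only: MAC -> set of IPs it has claimed so far
    arp_claims: Dict[str, Set[str]] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def observe(self, obs: Observation) -> bool:
        """Record one answer; return True if it contradicts a known binding."""
        if obs.proto == "arp":
            self.arp_claims.setdefault(obs.value, set()).add(obs.key)
        k = (obs.proto, obs.key)
        known = self.bindings.get(k)
        if known is None:
            self.bindings[k] = (obs.value, obs.source, obs.ts)
            return False
        value, _source, first_seen = known
        if obs.value == value:
            return False
        self.alerts.append(
            f"{obs.proto.upper()} binding for {obs.key} changed {value} -> {obs.value} "
            f"(answer from {obs.source}, {obs.ts - first_seen:.0f}s after first seen)"
        )
        return True

    def macs_claiming_multiple_ips(self) -> Dict[str, List[str]]:
        """One MAC answering for both the gateway and a host is the ARP-spoofing signature."""
        return {mac: sorted(ips) for mac, ips in self.arp_claims.items() if len(ips) > 1}


# Constructed sample: a gateway, a bank's DNS record and a TV, then a second
# MAC claiming the gateway and a victim, and a changed answer for the bank.
SAMPLE = [
    Observation("arp", "192.168.1.1", "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:01", 0),
    Observation("dns", "www.onlinebanking.com", "203.0.113.10", "192.168.1.1", 1),
    Observation("mdns", "tv.local", "192.168.1.50", "aa:aa:aa:aa:aa:50", 2),
    Observation("arp", "192.168.1.1", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", 60),
    Observation("arp", "192.168.1.20", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", 61),
    Observation("dns", "www.onlinebanking.com", "198.51.100.7", "192.168.1.1", 90),
    Observation("mdns", "tv.local", "192.168.1.50", "aa:aa:aa:aa:aa:50", 120),
]


def run(observations=SAMPLE) -> BindingMonitor:
    """Feed a list of observations through a fresh monitor and return it."""
    monitor = BindingMonitor()
    for obs in observations:
        monitor.observe(obs)
    return monitor


if __name__ == "__main__":
    m = run()
    for line in m.alerts:
        print("ALERT:", line)
    print("MACs claiming several IPs:", m.macs_claiming_multiple_ips())
```

On the sample data the monitor raises two alerts (the gateway's MAC changing and the bank's IP changing) and flags `de:ad:be:ef:00:01` for claiming two IPs. DNS answers do change legitimately (load balancing, CDNs), so in practice a DNS alert should be confirmed against a second, independent resolver before acting on it; the ARP and mDNS cases on a small LAN are far less ambiguous.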

Man-in-the-Middle Attack Techniques

Sniffing

Attackers use packet capture tools to inspect packets at a low level. Using specific wireless devices that can be put into monitoring or promiscuous mode allows an attacker to see packets that were not intended for it, such as packets addressed to other hosts.

Packet Injection

An attacker can also leverage their device's monitoring mode to inject malicious packets into data communication streams. The packets can blend in with valid data communication streams, appearing to be part of the communication, but malicious in nature. Packet injection usually involves sniffing first, to determine how and when to craft and send packets.

Session Hijacking

Most web applications use a login mechanism that generates a temporary session token for use in future requests, to avoid requiring the user to type a password on every page. An attacker can sniff sensitive traffic to identify the session token for a user and use it to make requests as that user. The attacker does not need to spoof anything once he has a session token.
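The defensive counterpart is to make sure a session token never travels where a sniffer can see it. Browsers honour three cookie attributes for that: Secure (never sent over http://), HttpOnly (not readable by scripts) and SameSite (not attached to cross-site requests). The audit below is an added example, not code from the original article; the name hints used to recognise session cookies and the sample Set-Cookie lines are constructed.

```python
"""Audit Set-Cookie headers for the protections a session token needs."""
from dataclasses import dataclass
from typing import Dict, List

# Cookie names that usually carry a login session; constructed heuristic.
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth")
THIRTY_DAYS = 30 * 24 * 3600


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str]   # attribute names lower-cased, flags map to ""


def parse_set_cookie(header: str) -> Cookie:
    """Split 'name=value; Attr; Attr=val' into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def is_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie(header: str) -> List[str]:
    """Return findings for a session cookie; an empty list means it is hardened."""
    cookie = parse_set_cookie(header)
    if not is_session_cookie(cookie.name):
        return []
    attrs = cookie.attrs
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: token is sent over plain HTTP too")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: token readable by injected scripts")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: token attached to cross-site requests")
    max_age = attrs.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > THIRTY_DAYS:
        findings.append("Max-Age over 30 days: a 'temporary' token that outlives the session")
    return findings


def audit_response(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header of one response, keyed by cookie name."""
    return {parse_set_cookie(h).name: audit_set_cookie(h) for h in set_cookie_headers}


# Constructed sample response headers: a weak session cookie, a hardened one
# and a preference cookie that carries no session at all.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Max-Age=31536000",
    "authtoken=def456; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_HEADERS).items():
        print(name, "->", findings or "ok")
```

The first sample cookie produces four findings; the second none. The Secure flag is the one that matters for a sniffer on the path: without it, a single plain-HTTP request (an image, a redirect, a stripped link) is enough to expose the token.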

SSL Stripping

Since using HTTPS is a common safeguard against ARP or DNS spoofing, attackers use SSL stripping to intercept packets and alter HTTPS-based address requests so that they go to the HTTP equivalent endpoint, forcing the host to make requests to the server unencrypted. Sensitive information can then be leaked in plain text.

How to Detect a Man-in-the-Middle Attack

Detecting a man-in-the-middle attack can be difficult without taking the proper steps. If you aren't actively checking whether your communications have been intercepted, a man-in-the-middle attack can go unnoticed until it's too late. Checking for proper page authentication and implementing some sort of tamper detection are typically the key methods of detecting a possible attack, but these procedures might require extra forensic analysis after the fact.

It's important to take precautionary measures to prevent MITM attacks before they occur, rather than attempting to detect them while they are actively taking place. Being aware of your browsing practices and recognizing potentially harmful areas is essential to maintaining a secure network. Below, we list five best practices for preventing MITM attacks from compromising your communications.

Man-in-the-Middle (MITM) Attack Prevention

Strong WEP/WAP Encryption on Access Points

Having a strong encryption mechanism on wireless access points prevents unwanted users from joining your network just by being nearby. A weak encryption mechanism can allow an attacker to brute-force his way into a network and begin man-in-the-middle attacking. The stronger the encryption implementation, the safer.

Strong Router Login Credentials

It’s essential to make sure your default router login is changed. Not just your Wi-Fi password, but your router login credentials. If an attacker finds your router login credentials, they can change your DNS servers to their malicious servers. Or even worse, infect your router with malicious software.

Virtual Private Network

VPNs can be used to create a secure environment for sensitive information within a local area network. They use key-based encryption to create a subnet for secure communication. This way, even if an attacker happens to get onto a shared network, he will not be able to decipher the traffic inside the VPN.

Force HTTPS

HTTPS can be used to communicate securely over HTTP using a public-private key exchange. This prevents an attacker from making any use of the data he may be sniffing. Websites should only use HTTPS and not provide HTTP alternatives. Users can install browser plugins to force requests to always use HTTPS.
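Serving only HTTPS and redirecting http:// to https:// still leaves one unencrypted request, the very first one, and that is precisely what the SSL stripping technique above rewrites. The Strict-Transport-Security (HSTS) header closes the gap: once a browser has seen it over HTTPS, it upgrades later http:// URLs for that host locally, before any packet leaves. The model below is an added example, not code from the original article; it reimplements the browser-side policy store in a few lines, and the hosts and headers it uses are constructed.

```python
"""Model of the browser-side HSTS policy store that defeats SSL stripping."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age_seconds, include_subdomains), or None if the header is unusable."""
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_subdomains


class HstsCache:
    """host -> (expiry timestamp, include_subdomains), as a browser keeps it."""

    def __init__(self) -> None:
        self._policies: Dict[str, Tuple[float, bool]] = {}

    def record(self, host: str, header: str, now: float) -> None:
        """Apply a Strict-Transport-Security header received over HTTPS from host.

        Browsers ignore the header when it arrives over plain HTTP, so the
        caller must only pass headers taken from HTTPS responses.
        """
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self._policies.pop(host, None)      # max-age=0 withdraws the policy
        else:
            self._policies[host] = (now + max_age, include_subdomains)

    def is_protected(self, host: str, now: float) -> bool:
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_subdomains = policy
            if now < expiry and (i == 0 or include_subdomains):
                return True
        return False

    def upgrade(self, url: str, now: float) -> str:
        """Rewrite an http:// URL to https:// when a live policy covers its host."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_protected(host, now):
            return url
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo() -> Tuple[str, str, str]:
    """First visit (no policy yet), visit after the policy, visit after it expired."""
    cache = HstsCache()
    t0 = 1_700_000_000.0
    url = "http://www.onlinebanking.com/login"   # constructed host
    before = cache.upgrade(url, t0)                  # nothing cached: stripping window
    cache.record("onlinebanking.com", "max-age=31536000; includeSubDomains", t0)
    after = cache.upgrade(url, t0 + 60)              # upgraded locally, never sent as http
    expired = cache.upgrade(url, t0 + 31536000 + 1)  # policy lapsed: window reopens
    return before, after, expired


if __name__ == "__main__":
    print(demo())
```

The `before` and `expired` results show the two moments when the header cannot help: a first visit, and a visit after `max-age` has lapsed without renewal. A long `max-age` with `includeSubDomains` keeps the second window shut; the first is what HSTS preload lists shipped with browsers exist for.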

Public Key Pair Based Authentication

Man-in-the-middle attacks typically involve spoofing something or other. Public key pair based authentication, such as RSA, can be used at various layers of the stack to help ensure that the parties you are communicating with are actually the parties you intend to communicate with.
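One concrete way to apply that idea is to pin the fingerprint of the peer's public key and refuse to continue when it changes, the trust-on-first-use model OpenSSH uses for host keys: a man-in-the-middle who redirects the connection through ARP, mDNS or DNS spoofing cannot present the genuine key without the genuine private key, so the fingerprint differs. The code below is an added example, not code from the original article or from OpenSSH; the key byte strings are constructed placeholders standing in for the wire encoding of a real RSA public key, and `KnownPeers` is a name chosen for this example.

```python
"""Pin a peer's public key fingerprint so a spoofed endpoint is detected."""
import base64
import hashlib
import hmac
from typing import Dict, Tuple


def fingerprint(public_key: bytes) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the key bytes, base64 without padding."""
    digest = hashlib.sha256(public_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KnownPeers:
    """Trust-on-first-use store: peer name -> pinned fingerprint."""

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def verify(self, peer: str, presented_key: bytes) -> str:
        """Return 'new', 'ok' or 'MISMATCH'; only 'MISMATCH' must abort the connection."""
        fp = fingerprint(presented_key)
        pinned = self._pins.get(peer)
        if pinned is None:
            self._pins[peer] = fp          # first contact: remember the key
            return "new"
        # Constant-time compare so the check itself leaks nothing about the pin.
        return "ok" if hmac.compare_digest(pinned, fp) else "MISMATCH"


# Constructed placeholders, not real key material.
REAL_KEY = b"constructed-public-key-of-the-real-bank-server"
ATTACKER_KEY = b"constructed-public-key-of-an-interposed-host"


def demo() -> Tuple[str, str, str]:
    """First contact, a normal reconnect, then a reconnect that lands on another key."""
    peers = KnownPeers()
    return (
        peers.verify("www.onlinebanking.com", REAL_KEY),
        peers.verify("www.onlinebanking.com", REAL_KEY),
        peers.verify("www.onlinebanking.com", ATTACKER_KEY),
    )


if __name__ == "__main__":
    print(demo())
```

The `"new"` result on first contact is the weak point of trust-on-first-use: nothing vouches for that first key. That is what CA-issued certificates, or a fingerprint distributed out of band before the first connection, are for; the check is the same, only the source of the pin differs.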
