This type of attack targets the communication between two components
(typically client and server). The attacker places himself in the
communication channel between the two components. Whenever one component
attempts to communicate with the other (data flow, authentication
challenges, etc.), the data first goes to the attacker, who has the
opportunity to observe or alter it, and it is then passed on to the other
component as if it was never intercepted. This interposition is transparent,
leaving the two compromised components unaware of the potential corruption
or leakage of their communications. The potential for Man-in-the-Middle
attacks yields an implicit lack of trust in communication or identity
between two components.
Attack Execution Flow
The attacker probes to determine the nature and mechanism of communication
between two components, looking for opportunities to exploit.
The attacker inserts himself into the communication channel, initially
acting as a routing proxy between the two targeted components. The attacker
may or may not have to use cryptography.
The attacker observes, filters or alters passed data of his choosing to gain
access to sensitive information or to manipulate the actions of the two
target components for his own purposes.
Attack Prerequisites
There are two components communicating with each other.
An attacker is able to identify the nature and mechanism of communication
between the two target components.
An attacker can eavesdrop on the communication between the target
components.
Strong mutual authentication is not used between the two target components
yielding opportunity for attacker interposition.
The communication occurs in clear (not encrypted) or with insufficient and
spoofable encryption.
Typical Likelihood of Exploit
Likelihood: Very High
Methods of Attack
Spoofing
Analysis
Modification of Resources
Examples-Instances
Description
Symantec Scan Engine 5.0.0.24, and possibly other versions before
5.1.0.7, uses the same private DSA key for each installation, which
allows remote attackers to conduct man-in-the-middle attacks and decrypt
communications.
Related Vulnerabilities
CVE-2006-0231
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
This attack can get sophisticated since the attack may use
cryptography.
Probing Techniques
The attacker can try to get the public keys of the victims.
There are free software tools to perform man-in-the-middle attacks (packet
analysis, etc.).
Solutions and Mitigations
Get your public key signed by a Certificate Authority.
Encrypt your communication using cryptography (SSL, ...).
Use strong mutual authentication to always fully authenticate both ends of
any communications channel.
Exchange public keys using a secure channel.
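The mitigations above come down to one principle: every message must be authenticated end to end, so that an interposed party can neither alter it nor replay it unnoticed. The following Python script is an added illustration of that principle and is not part of the CAPEC entry or any tool it references. It assumes, as a simplification, that the two endpoints already share a symmetric key exchanged over a secure channel (the page's last mitigation); in practice a CA-signed public key and TLS with client certificates would play this role. Each message carries a sequence number and an HMAC-SHA256 tag; the receiver rejects messages with a bad tag (tampering or impersonation) and messages whose sequence number was already accepted (replay of the same data, such as a credential). The relay functions and message contents are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets


class Endpoint:
    """One end of an authenticated channel (constructed example, not a real protocol)."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key                 # shared secret (assumed exchanged securely out of band)
        self.send_seq = 0              # sequence number of the last message we sent
        self.last_recv_seq = 0         # highest sequence number we have accepted so far

    def seal(self, payload: dict) -> bytes:
        """Wrap a payload with a fresh sequence number and an HMAC tag over the whole body."""
        self.send_seq += 1
        body = json.dumps(
            {"seq": self.send_seq, "from": self.name, "payload": payload},
            sort_keys=True,
        ).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return json.dumps({"body": body.decode(), "tag": tag}).encode()

    def verify(self, wire: bytes):
        """Return (accepted, reason, payload). Reject bad tags first, then replays."""
        envelope = json.loads(wire.decode())
        body = envelope["body"].encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison: the tag check must not leak timing information.
        if not hmac.compare_digest(expected, envelope["tag"]):
            return False, "bad-mac", None
        msg = json.loads(body)
        if msg["seq"] <= self.last_recv_seq:
            return False, "replay", None
        self.last_recv_seq = msg["seq"]
        return True, "ok", msg["payload"]


def forward_unchanged(wire: bytes) -> bytes:
    """A transparent relay that passes data through untouched."""
    return wire


def tamper_amount(wire: bytes) -> bytes:
    """A relay that edits the data in transit (constructed scenario): the tag no longer matches."""
    envelope = json.loads(wire.decode())
    body = json.loads(envelope["body"])
    body["payload"]["amount"] = 9999
    envelope["body"] = json.dumps(body, sort_keys=True)
    return json.dumps(envelope).encode()


def run_scenarios() -> dict:
    """Exercise the channel against an honest relay, tampering, replay and impersonation."""
    key = secrets.token_bytes(32)
    client = Endpoint("client", key)
    server = Endpoint("server", key)
    results = {}

    # 1. Honest relay: the message is accepted.
    wire = client.seal({"action": "transfer", "amount": 10})
    results["honest"] = server.verify(forward_unchanged(wire))[1]

    # 2. Altered in transit: the HMAC over the body no longer verifies.
    wire = client.seal({"action": "transfer", "amount": 10})
    results["tampered"] = server.verify(tamper_amount(wire))[1]

    # 3. Replay of a captured message (e.g. a credential): sequence number already seen.
    wire = client.seal({"action": "login", "token": "constructed-token"})
    server.verify(wire)
    results["replay"] = server.verify(wire)[1]

    # 4. A party without the shared key cannot produce a valid tag, so it cannot
    #    impersonate the client even if it claims the client's name.
    impostor = Endpoint("client", secrets.token_bytes(32))
    results["impostor"] = server.verify(impostor.seal({"action": "transfer", "amount": 10}))[1]
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:9s} -> {outcome}")
```

Note that the sequence-number check only detects replay within one direction of one session; a real protocol also binds messages to the session (for example with a per-session nonce) so that a message captured from one connection cannot be replayed into another. Confidentiality is not addressed here at all: the body is sent in clear, so the interposed party can still read it, which is why the page also calls for encryption.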
Attack Motivation-Consequences
Data Modification
Privilege Escalation
Information Leakage
Injection Vector
The captured or modified data in transit
Payload
The new value of the data or the replay of the same data (e.g.
credential)
Activation Zone
The messages exchanged between the two target hosts.
Payload Activation Impact
Privilege escalation, modification of resources, information leakage,
etc.
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.