Home > CAPEC List > CAPEC-94: Man in the Middle Attack (Version 2.11)  

CAPEC-94: Man in the Middle Attack

Man in the Middle Attack
Definition in a New Window Definition in a New Window
Attack Pattern ID: 94
Abstraction: Standard
Status: Draft
Completeness: Complete
Presentation Filter:
+ Summary

This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components.

+ Attack Steps
  1. The attacker probes to determine the nature and mechanism of communication between two components looking for opportunities to exploit.

  1. The attacker inserts himself into the communication channel initially acting as a routing proxy between the two targeted components. The attacker may or may not have to use cryptography.

  1. The attacker observes, filters or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for his own purposes.

+ Attack Prerequisites
  • There are two components communicating with each other.

  • An attacker is able to identify the nature and mechanism of communication between the two target components.

  • An attacker can eavesdrop on the communication between the target components.

  • Strong mutual authentication is not used between the two target components yielding opportunity for attacker interposition.

  • The communication occurs in clear (not encrypted) or with insufficient and spoofable encryption.

+ Typical Severity

Very High

+ Typical Likelihood of Exploit

Likelihood: Very High

+ Methods of Attack
  • Spoofing
  • Analysis
  • Modification of Resources
+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

This attack can get sophisticated since the attack may use cryptography.

+ Probing Techniques

The attacker can try to get the public-keys of the victims.

There are free software tool to perform man in the middle attack (packet analysis, etc.)

+ Solutions and Mitigations

Get your Public Key signed by a Certificate Authority

Encrypt your communication using cryptography (SSL,...)

Use Strong mutual authentication to always fully authenticate both ends of any communications channel.

Exchange public keys using a secure channel

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Modify application data
Gain privileges / assume identity
Read application data
+ Injection Vector

The captured or modified data in transit

+ Payload

The new value of the data or the replay of the same data (e.g. credential)

+ Activation Zone

The messages exchanged between the two target hosts.

+ Payload Activation Impact

Privilege escalation. modification of resource, information leakage, etc.

+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
+ References
[R.94.1] [REF-3] "Common Weakness Enumeration (CWE)". CWE-300 - Man-in-the-middle (MITM). Draft. The MITRE Corporation. 2007. <http://cwe.mitre.org/data/definitions/300.html>.
[R.94.2] M. Bishop. "Computer Security: Art and Science". Addison-Wesley. 2003.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2017-08-04Updated Examples-Instances, Related_VulnerabilitiesInternal

More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017