Guide | How To Protect Yourself Against MITM Attacks

The associated guide may contain user-generated or external content.
D

Deleted member 178

Thread author
ok, everybody here knows about malwares, Avs , etc... but there is an area we don't talk enough , datas protection.

One well known attack is called MITM aka Man In The Middle Attack:

In cryptography and computer security, a man-in-the-middle attack (often abbreviated MitM, MiM attack, MitMA or the same using all capital letters) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. A man-in-the-middle attack can be used against many cryptographic protocols.[1] One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. This is straightforward in many circumstances; for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point can insert himself as a man-in-the-middle.[2]

As an attack that aims at circumventing mutual authentication, or lack thereof, a man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to their satisfaction as expected from the legitimate other end. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, TLS can authenticate one or both parties using a mutually trusted certificate authority.[3]

Man-in-the-middle attack - Wikipedia

so what to do to counter it ?

basically you have to secure the transmission via encryption , for this we use the DNScrypt protocol:

DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with.

DNSCrypt - Official Project Home Page

There is a simple apps called Simple DnsCrypt that will automatize and really simplify the implementation of this protocol

Simple DNSCrypt - Official Project Home Page

We will then choose from the list a DNS provider using DNSSEC.

DNSSEC is a technology that was developed to, among other things, protect against such attacks by digitally 'signing' data so you can be assured it is valid. However, in order to eliminate the vulnerability from the Internet, it must be deployed at each step in the lookup from root zone to final domain name (e.g., www.icann.org). Signing the root (deploying DNSSEC on the root zone) is a necessary step in this overall processii. Importantly it does not encrypt data. It just attests to the validity of the address of the site you visit.

DNSSEC – What Is It and Why Is It Important? - ICANN


Simple as that ;)

Thanks for reading.
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
Happy user for some time :D

Clipboard01.jpg
 
D

Deleted member 178

Thread author
@shmu26 let me explain simply.

Whatever you do on your computer , when you access internet you send packets of datas, which will pass between routers/relays/networks until they reach the destination you want (server/website/computer). Then you will get a response, from the destination.

Now let say i want to know what/where/who you are communicating, all i have to do is to take over one of the relay between you and the destination, since you have no access to those relays , you can't protect it. Now that i have access to the relay i can reconstruct the datas and read (Eavesdropping) what you are communicating, i can even modify the content to my needs.

you have a good example here: Man-in-the-middle attack - Wikipedia
 
Last edited by a moderator:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
@shmu26 let me explain simply.

Whatever you do on your computer , when you access internet you send packets of datas, which will pass between routers/relays/networks until they reach the destination you want (server/website/computer). Then you will get a response, from the destination.

Now let say i want to know what/where/who you are communicating, all i have to do is to take over one of the relay between you and the destination, since you have no access to those relays , you can't protect it. Now that i have access to the relay i can reconstruct the datas and read (Eavesdropping) what you are communicating, i can even modify the content to my needs.

you have a good example here: Man-in-the-middle attack - Wikipedia
thanks, Umbra!
 

RedTeam

Level 1
Verified
Oct 28, 2016
19
Sadly DNScrypt will save you from MiTM attacks. What it does do is give more privacy from your ISP.

MiTM attacks are very hard to defend against because the attacker is most likely using stolen certificates and has control over fiber backbones.

Using a browser that has good security can help. Firefox and Chrome will alert you on stolen and forged certificates.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
How do I know if DNSCrypt through Simple DSNCrypt is working? I think it's already enabled, but I'm not sure if it's really working.

Edit:
Nevermind. I just found out that my DNS server changed to 127.0.0.1, instead of the default.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
Very informative, I presume this tool can be used together with other software like MBAM or ZAL with their real time protection enabled without conflicts.
The only problem is ZAM/ZAL detecting the change as a DNS hijack. But simply excluding that detection after a scan is enough.
 

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,140
How do I know if DNSCrypt through Simple DSNCrypt is working? I think it's already enabled, but I'm not sure if it's really working.

Edit:
Nevermind. I just found out that my DNS server changed to 127.0.0.1, instead of the default.
Same as mine. Is pointing to 127.0.0.1 correct or is there something wrong?

Thanks
 
  • Like
Reactions: Polygon and AtlBo

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,140
That is correct. If you use DNSCrypt, your DNS should change to that. :)
Hi

I understand that the server will change its settings to 127.0.0.1 and 127.0.0.2 which is expected

So, if I want to use another DNS server will Simple DNSCrypt reverts the DNS server's settings to 127.0.0.1 and 127.0.0.2? If yes, then how to go about in resolving this?

Thanks
 
  • Like
Reactions: Polygon and AtlBo

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Hi

I understand that the server will change its settings to 127.0.0.1 and 127.0.0.2 which is expected

So, if I want to use another DNS server will Simple DNSCrypt reverts the DNS server's settings to 127.0.0.1 and 127.0.0.2? If yes, then how to go about in resolving this?

Thanks
I'm not sure, actually, as I don't use it anymore. @Umbra might be able to help.
 
  • Like
Reactions: Polygon and AtlBo

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top