Detecting and analyzing man-in-the-middle attacks
Cuckoo's Egg
In man-in-the-middle (MITM) attacks, attackers place themselves between the victim and the targeted resources, putting them in a position to intercept, read, and possibly even manipulate communications. In doing so, the attacker does not have to redirect the traffic completely or impersonate the data target. Instead, they can sniff the data on the network and then let it continue to the intended target without interference. In other words, the attacker is in the middle of the data flow.
As a result, many users and administrators do not identify these attacks until it is too late, because in most cases, network services are not disrupted by the attack. Services continue to run normally while the attacker accesses the traffic between the client and the server. Identity theft, faked transactions, or stealing intellectual property are just a few possible results.
These attacks can just as easily be performed on cable-based networks as on WiFi, although they are particularly common on WiFi networks because public WiFi is often virtually unprotected.
Before I look at possible defense mechanisms and tools such as Wireshark, I'll first look into how an MITM attack takes place, using techniques such as Address Resolution Protocol (ARP) poisoning, and how you can detect and analyze such attacks. Understanding the mechanics is what lets you protect your own network against MITM attacks and adjust your internal security structure accordingly.
ARP Gateway
MITM attacks often rely on the ARP cache, which is the local table of IP-to-MAC address mappings. Its content can be displayed at the Windows command line by typing
arp -a
(Figure 1). On Linux computers
ip n s...
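The tell-tale sign of ARP poisoning in that cache is one MAC address answering for several IP addresses, typically the gateway plus the attacker's own host. The following script is an added example, not code from the original article: it parses the output of both commands shown above (the Windows `arp -a` and the Linux `ip neigh show` formats), reports MAC addresses claimed by more than one IP, and compares the cached gateway entry with a known-good MAC. The two captured outputs embedded in it are constructed, and the "known-good" gateway MAC is assumed to come from a baseline you recorded on a trusted network.

```python
"""Flag ARP-cache entries that may indicate ARP poisoning.

Added example; parses `arp -a` (Windows) and `ip neigh show` (Linux)
output and reports IP addresses that share one MAC address, which is
what a poisoned cache looks like when an attacker answers for the
gateway with their own MAC. Both sample outputs below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: Windows `arp -a` output after a poisoning attack.
# 192.168.1.1 (the gateway) and 192.168.1.20 resolve to the same MAC.
WINDOWS_ARP_A = """\
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.77          11-22-33-44-55-66     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

# Constructed sample: Linux `ip neigh show` output, same situation.
LINUX_IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
192.168.1.77 dev eth0 lladdr 11:22:33:44:55:66 REACHABLE
192.168.1.99 dev eth0  FAILED
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})"
LINE_RE = re.compile(IPV4 + r".*?" + MAC)


def normalise_mac(mac):
    """Lowercase, colon-separated form so Windows and Linux entries compare."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: mac} from either `arp -a` or `ip neigh show` output.

    Header lines and entries without a MAC (FAILED/incomplete) are skipped.
    """
    table = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            table[m.group(1)] = normalise_mac(m.group(2))
    return table


def is_special_mac(mac):
    """Broadcast and IPv4 multicast MACs legitimately map to several
    addresses and must not raise an alert."""
    return mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e:")


def find_shared_macs(table):
    """Return {mac: sorted IPs} for every MAC claimed by more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if not is_special_mac(mac):
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_gateway(table, gateway_ip, expected_mac):
    """Compare the cached gateway MAC against a baseline MAC (assumed to be
    recorded earlier on a trusted network). Returns (ok, cached_mac)."""
    cached = table.get(gateway_ip)
    return cached == normalise_mac(expected_mac), cached


if __name__ == "__main__":
    for name, raw in (("arp -a", WINDOWS_ARP_A), ("ip neigh show", LINUX_IP_NEIGH)):
        table = parse_arp_table(raw)
        print(f"[{name}] {len(table)} entries")
        for mac, ips in find_shared_macs(table).items():
            print(f"  WARNING: {mac} claimed by {', '.join(ips)}")
        # "00-11-22-33-44-55" is an assumed baseline value for the gateway
        ok, cached = check_gateway(table, "192.168.1.1", "00-11-22-33-44-55")
        print(f"  gateway MAC {'matches' if ok else 'DIFFERS from'} baseline (cached: {cached})")
```

A shared MAC is not proof on its own: a router doing proxy ARP, or a host with several IP aliases, also shows up this way, which is why the gateway check against a recorded baseline is the more reliable signal. Run it from a scheduled task or cron job that feeds in the live command output instead of the constructed samples, and alert when the gateway entry changes.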