The man-in-the-middle (MITM) attack is a popular form of attack in which the attacker intercepts network packets from systems and either directly responds to them or relays them after stealing or manipulating the content. Some of the popular broadcast/multicast protocols that are vulnerable to MITM attacks are NetBIOS (basic input output system) Name Service (NBNS) traffic, Link-Local Multicast Name Resolution (LLMNR) traffic, and Multicast Domain Name System (mDNS) traffic. Other vulnerable protocols include address resolution protocol (ARP) and dynamic host configuration protocol (DHCP).
NBNS, LLMNR, and mDNS are protocols used for name resolution of resources within a network. They serve as a fallback mechanism when DNS (domain name service) resolution fails. NBNS and LLMNR are used in Windows, while mDNS is used in OS X. NBNS uses UDP (user datagram protocol) broadcast, while LLMNR and mDNS use UDP multicast. These UDP messages are easy to spoof, so an attacker can readily perform man-in-the-middle attacks. Popular attacks exploiting these protocols are WPAD (web proxy autodiscovery protocol) poisoning and SMB (server message block) relay attacks, which use MITM for credential harvesting.
WPAD is a mechanism used by Windows to obtain proxy settings. On a corporate network, a DNS entry for “WPAD” should point to a proxy server that hosts a “wpad.dat” file. If DNS fails, the client falls back to an NBNS broadcast to resolve “WPAD.” An attacker computer on the same broadcast network can answer the “WPAD” queries and force all HTTP traffic to pass through the attacker computer. The attacker can also demand authentication when the client tries to fetch the wpad.dat file, and thereby capture the client's credentials.
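The detection angle on the NBNS/LLMNR fallback described above is that a legitimate corporate name should resolve through DNS, so any host answering a multicast query for it is worth an alert. The following is an added example (not code from the patent) that parses LLMNR messages in their DNS-style wire format, correlates answers with the queries that preceded them, and flags answers from hosts outside a trusted set. The trusted-responder list, the watched-name list and the sample packets are constructed assumptions; the same parser applies to NBNS answers once the NetBIOS name encoding is swapped in.

```python
"""Spot spoofed LLMNR answers by parsing the DNS-style wire format (UDP 5355).

Added example, not from the original text. The trusted-responder set, the
watched names and the sample packets built below are constructed assumptions.
"""
import struct

# Assumption: hosts allowed to answer LLMNR on this segment (normally none,
# since DNS should resolve corporate names; an empty set flags every answer).
TRUSTED_RESPONDERS = {"10.0.0.5"}
# Names whose resolution via a fallback protocol deserves an alert on its own.
WATCHED_NAMES = {"wpad"}


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")) + b"\x00"


def decode_name(buf, off):
    """Decode labels starting at `off`; follows a compression pointer (0xC0xx)."""
    labels = []
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                      # pointer to an earlier name
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(buf, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln


def parse_llmnr(buf):
    """Return (txid, is_response, qname, [IPv4 answers]) for one LLMNR message."""
    txid, flags, _qdcount, ancount, _, _ = struct.unpack("!6H", buf[:12])
    off = 12
    qname, off = decode_name(buf, off)
    off += 4                                       # skip QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        _, off = decode_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:              # A record
            answers.append(".".join(str(b) for b in rdata))
    return txid, bool(flags & 0x8000), qname.lower(), answers


def build_llmnr(txid, name, answer_ip=None):
    """Constructed sample builder: a query, or a response carrying one A record."""
    flags = 0x8000 if answer_ip else 0x0000
    msg = struct.pack("!6H", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 30, 4) + rdata
    return msg


class LlmnrMonitor:
    """Correlates queries with answers and flags answers from untrusted hosts."""

    def __init__(self):
        self.pending = {}                          # (txid, name) -> querier IP
        self.alerts = []

    def observe(self, src_ip, payload):
        """Feed one LLMNR datagram; returns an alert dict or None."""
        txid, is_resp, name, answers = parse_llmnr(payload)
        if not is_resp:
            self.pending[(txid, name)] = src_ip
            return None
        if src_ip in TRUSTED_RESPONDERS:
            return None
        reason = "untrusted responder"
        if name in WATCHED_NAMES:
            reason += ", watched name"
        alert = {"name": name, "responder": src_ip, "answers": answers,
                 "querier": self.pending.get((txid, name)), "reason": reason}
        self.alerts.append(alert)
        return alert
```

Run against a mirrored UDP/5355 feed, the monitor reports which host claimed a name, what address it handed out, and which client asked, which is exactly what an analyst needs to locate the responding machine on the segment.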
ARP poisoning is another common technique attackers use to mount MITM attacks against unicast protocols, and it can be done in several ways. The attacker identifies the default gateway of the subnet the attacker is in and, on seeing ARP requests for the gateway, responds with the attacker's own MAC (machine access code) address. This poisons the ARP cache on end hosts, and packets are sent to the attacker instead of the gateway. Another technique is to send unsolicited ARP replies to the target using spoofed IP addresses; if the target has an entry in its ARP cache for the spoofed IP address, that entry is poisoned with the attacker's MAC address. The attacker can then intercept traffic as a man-in-the-middle to steal information of interest such as credentials, PII (personally identifiable information), and the like, either responding to the packets directly or relaying them after reading and/or modifying the content. ARP poisoning can also be done with forged gratuitous ARP packets: the attacker sends a gratuitous ARP packet indicating that the gateway's MAC address has changed to the attacker's MAC address, and end hosts that have an entry for the default gateway update their ARP table accordingly.
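Each of the three ARP variants above leaves a distinct trace on the wire: a reply that no request asked for, a gratuitous packet that rewrites an existing binding, or simply a known IP address that suddenly maps to a different MAC. The following is an added example (not code from the patent) that parses the 28-byte Ethernet/IPv4 ARP packet and keeps a table of observed IP-to-MAC bindings to flag all three patterns, raising the severity when the affected address is the default gateway. The gateway address, the MAC values and the sample frames are constructed assumptions.

```python
"""Detect ARP cache poisoning from raw ARP payloads (28-byte Ethernet/IPv4 form).

Added example, not from the original text. GATEWAY_IP and the sample frames
built with build_arp() are constructed assumptions.
"""
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
GATEWAY_IP = "10.0.0.1"        # assumption: the segment's default gateway
ARP_FMT = "!HHBBH6s4s6s4s"     # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def parse_arp(payload):
    """Unpack one ARP packet (htype 1 = Ethernet, ptype 0x0800 = IPv4) into a dict."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"oper": oper, "sha": mac(sha), "spa": ip(spa), "tha": mac(tha), "tpa": ip(tpa)}


def build_arp(oper, sha, spa, tha, tpa):
    """Constructed sample builder (inverse of parse_arp)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))


class ArpMonitor:
    """Tracks IP-to-MAC bindings seen on the wire and flags poisoning patterns."""

    def __init__(self):
        self.bindings = {}      # IP -> MAC as currently believed
        self.requested = set()  # target IPs with an outstanding request
        self.alerts = []

    def observe(self, payload):
        """Feed one ARP packet; returns the reasons it was flagged (empty = clean)."""
        p = parse_arp(payload)
        reasons = []
        gratuitous = p["spa"] == p["tpa"]          # announces own binding
        if p["oper"] == ARP_REQUEST:
            self.requested.add(p["tpa"])
        elif not gratuitous and p["spa"] not in self.requested:
            reasons.append("unsolicited reply")
        if p["oper"] == ARP_REPLY:
            self.requested.discard(p["spa"])
        if p["spa"] != "0.0.0.0":                  # ignore address probes
            old = self.bindings.setdefault(p["spa"], p["sha"])
            if old != p["sha"]:
                label = "gratuitous binding change" if gratuitous else "binding change"
                reasons.append(f"{label} {old} -> {p['sha']}")
                self.bindings[p["spa"]] = p["sha"]
        if reasons and p["spa"] == GATEWAY_IP:
            reasons.append("affects default gateway")
        if reasons:
            self.alerts.append({"ip": p["spa"], "mac": p["sha"], "reasons": reasons})
        return reasons
```

The binding table is updated even when a change is flagged, so a second poisoned reply is not reported twice; a legitimate NIC replacement also shows up once, which is the right trade-off for a sensor that an analyst reviews rather than one that blocks traffic.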
By installing a rogue DHCP server in the network, an attacker can control almost all network activity. The rogue DHCP server can be configured to hand out the attacker machine as the default gateway and DNS server. All network traffic from end hosts that obtain an IP address from the rogue DHCP server is then forced to pass through the attacker or to use the attacker for DNS resolution.
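A rogue DHCP server reveals itself in the OFFER and ACK messages it sends: the server identifier (option 54), the router (option 3) and the DNS servers (option 6) it hands out. The following is an added example (not code from the patent) that parses the DHCP fixed header and option list and checks a server reply against the segment's known-good configuration. The authorised-server set, the expected router and DNS addresses, and the sample messages are constructed assumptions.

```python
"""Flag rogue DHCP servers by parsing DHCP OFFER/ACK messages and their options.

Added example, not from the original text. AUTHORIZED_SERVERS, EXPECTED_ROUTER,
EXPECTED_DNS and the sample messages built below are constructed assumptions.
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PAD, OPT_END = 3, 6, 53, 54, 0, 255
DHCPOFFER, DHCPACK = 2, 5
BOOTREPLY = 2

# Assumptions about this segment's legitimate configuration.
AUTHORIZED_SERVERS = {"10.0.0.2"}
EXPECTED_ROUTER = "10.0.0.1"
EXPECTED_DNS = {"10.0.0.5"}


def ip4(b):
    return ".".join(str(x) for x in b)


def parse_dhcp(payload):
    """Return the fixed fields we need plus the options as {code: raw bytes}."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, xid = payload[0], struct.unpack("!I", payload[4:8])[0]
    yiaddr = ip4(payload[16:20])                   # address being offered
    options, off = {}, 240
    while off < len(payload):
        code = payload[off]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            off += 1
            continue
        length = payload[off + 1]
        options[code] = payload[off + 2:off + 2 + length]
        off += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "options": options}


def build_dhcp_server_reply(msg_type, xid, yiaddr, server_id, router, dns_list):
    """Constructed sample builder for an OFFER or ACK as a server would send it."""
    addr = lambda s: bytes(int(x) for x in s.split("."))
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", BOOTREPLY, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, addr(yiaddr), addr(server_id), b"\0" * 4,
                        b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + addr(server_id)
    opts += bytes([OPT_ROUTER, 4]) + addr(router)
    dns = b"".join(addr(d) for d in dns_list)
    opts += bytes([OPT_DNS, len(dns)]) + dns
    return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])


def check_dhcp_reply(src_ip, payload):
    """Return the reasons a server reply looks rogue (empty list when it is clean)."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    mtype = opts.get(OPT_MSG_TYPE, b"\0")[0]
    if msg["op"] != BOOTREPLY or mtype not in (DHCPOFFER, DHCPACK):
        return []                                  # client messages: out of scope here
    reasons = []
    server_id = ip4(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else src_ip
    if server_id not in AUTHORIZED_SERVERS:
        reasons.append(f"unauthorised server identifier {server_id}")
    if src_ip not in AUTHORIZED_SERVERS:
        reasons.append(f"reply sent from unauthorised host {src_ip}")
    if OPT_ROUTER in opts and ip4(opts[OPT_ROUTER][:4]) != EXPECTED_ROUTER:
        reasons.append(f"router option {ip4(opts[OPT_ROUTER][:4])} != {EXPECTED_ROUTER}")
    if OPT_DNS in opts:
        raw = opts[OPT_DNS]
        servers = {ip4(raw[i:i + 4]) for i in range(0, len(raw) - 3, 4)}
        if not servers <= EXPECTED_DNS:
            reasons.append(f"unexpected DNS servers {sorted(servers - EXPECTED_DNS)}")
    return reasons
```

Checking the source IP separately from option 54 matters because a relayed reply legitimately arrives from the relay agent, while a rogue server on the local segment typically sends directly; a sensor that only trusts option 54 would accept a reply that simply copies the real server's identifier.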
Other protocols susceptible to man-in-the-middle attacks are SLP (service location protocol) and SSDP (simple service discovery protocol), which attackers can exploit to steal information.
All of the above-mentioned attacks operate within a subnet (VLAN) and cannot be detected by security devices deployed at the perimeter (e.g. a firewall or internet provider security (IPS)).
The systems and methods disclosed herein provide an improved approach for detecting MITM attacks that use the above-mentioned protocols.