Fair warning: This is somewhat technical.
I recently wondered how hard it is to perform a man-in-the-middle attack. The login forms for Facebook, Twitter, Pandora and countless others submit login credentials over HTTPS; however, the forms themselves are served over plain HTTP (by default, anyway; many web sites let users opt for an HTTPS login form).
The theoretical danger with a man-in-the-middle attack is that anyone sitting on the path between you and the site could alter the content of web pages in transit. Nothing authenticates a page that arrives over plain HTTP, so a login form could be changed to submit credentials in the clear, thereby exposing your username and password. But just how feasible is it?
Step 1 – Trick the Victim’s Computer Into Routing Traffic Through Your Computer
This turned out to be much easier than I was expecting. I used a program called Ettercap[1], but there are other options. It has a GUI. I scanned my local network, picked out the IP of some poor sod (actually just another one of my computers), and chose the ARP poisoning option. Boom, all of poor sod’s internet traffic was being routed through my computer.
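ARP poisoning works because hosts accept ARP replies they never asked for and silently overwrite their cache. The flip side is that the poisoning is visible to anyone watching ARP on the segment. The following is an added example, not code from the post or from Ettercap: it runs three checks over a constructed sequence of ARP frames (the IPs and MACs are invented for the example) and reports an unsolicited reply, an IP whose MAC changes, and one MAC answering for several IPs. Real traffic would come from a sniffer; the tuples stand in for the fields a capture would give you.

```python
"""Spot ARP poisoning from the ARP replies seen on a LAN segment.

Constructed input: (op, sender_ip, sender_mac, target_ip), in the order a
sniffer would see the frames. The poisoner's MAC and all addresses are
made up for this example.
"""
from collections import defaultdict

SAMPLE_ARP_TRAFFIC = [
    ("request", "192.168.1.20", "00:11:22:33:44:20", "192.168.1.1"),
    ("reply",   "192.168.1.1",  "00:11:22:33:44:01", "192.168.1.20"),  # real gateway answers
    ("request", "192.168.1.1",  "00:11:22:33:44:01", "192.168.1.20"),
    ("reply",   "192.168.1.20", "00:11:22:33:44:20", "192.168.1.1"),   # real host answers
    # Poisoning starts: one MAC tells each side that it is the other.
    ("reply",   "192.168.1.1",  "DE:AD:BE:EF:00:99", "192.168.1.20"),
    ("reply",   "192.168.1.20", "DE:AD:BE:EF:00:99", "192.168.1.1"),
]


def detect_arp_poisoning(traffic):
    """Return a list of (kind, detail) alerts.

    kind is one of:
      "unsolicited" - a reply arrived for an IP nobody asked about
                      (gratuitous ARP on boot or failover also does this,
                      so on its own it is only a weak signal);
      "rebind"      - an IP that previously answered from one MAC now
                      answers from another;
      "multi-ip"    - a single MAC now answers for more than one IP,
                      which is exactly what a poisoner relaying between
                      a victim and the gateway looks like.
    """
    alerts = []
    pending = set()                 # IPs with an outstanding request
    ip_to_mac = {}                  # first MAC seen answering for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has answered for

    for op, sender_ip, sender_mac, target_ip in traffic:
        sender_mac = sender_mac.lower()
        if op == "request":
            pending.add(target_ip)
            continue
        if op != "reply":
            continue

        if sender_ip in pending:
            pending.discard(sender_ip)
        else:
            alerts.append(("unsolicited",
                           f"reply for {sender_ip} from {sender_mac} with no request seen"))

        known = ip_to_mac.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            alerts.append(("rebind", f"{sender_ip} moved from {known} to {sender_mac}"))

        if sender_ip not in mac_to_ips[sender_mac]:
            mac_to_ips[sender_mac].add(sender_ip)
            if len(mac_to_ips[sender_mac]) > 1:
                alerts.append(("multi-ip",
                               f"{sender_mac} now answers for {sorted(mac_to_ips[sender_mac])}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect_arp_poisoning(SAMPLE_ARP_TRAFFIC):
        print(f"{kind:12} {detail}")
```

The first four frames (a normal request/reply in each direction) raise nothing; the two poisoning replies raise five alerts between them. The "rebind" and "multi-ip" signals are the ones worth paging on; "unsolicited" by itself fires on legitimate gratuitous ARP, so treat it as corroboration. A static ARP entry for the gateway on hosts that matter makes the poisoning fail outright rather than merely being noticed.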
Step 2 – Serve the Victim An Altered Login Page
One way to accomplish this is to use DNS spoofing to make the victim think the attacker’s computer is “www.example.com”[2]. Then run a web server on the attacker’s computer that serves content that looks like www.example.com, but behaves maliciously. Ettercap has a plugin that makes DNS spoofing easy. I played around with it and it works quite well. However, I didn’t want to bother with installing a web server on my computer or recreating www.example.com.
I wanted to do something a bit more elegant. I wanted to alter the web page on the fly, as it transferred through my computer on the way to the victim’s computer. Again, Ettercap makes this easy. It supports simple, text-based filters that allow you to search and replace any data on any port. I wrote a filter that 1) changes the login page of www.example.com so that the form is POSTed over HTTP and 2) saves the form submission to a text file[3].
I cleared the web browser cache on the victim’s computer (to ensure I was using the altered login page), browsed to http://www.example.com/, logged in, checked the attacker’s computer, and indeed, my username and password were captured to a text file. Harrowing!
There’s been a fair amount of hubbub recently about Firesheep. It’s a point-and-click interface for session hijacking on popular websites. It uses passive listening to capture network traffic from other computers on the network. It looks for the session cookies that various websites send over plain HTTP, displays a list of discovered identities, and allows the user to impersonate a discovered identity by double-clicking on the victim’s name.
So that’s scary, but mostly just an annoyance. The potential for a criminal to benefit from Firesheep is limited—web sites that matter, like banks, tend to be more responsible and use HTTPS for all traffic. Want to know what really scares me?
Point-and-Click Man-in-the-Middle
It’s easy for me to imagine a program that sits quietly on a network, performing man-in-the-middle attacks on users who visit the websites of banks, investment firms and webmail providers. It could proxy all web pages, rewriting HTTPS links to HTTP as they pass through: the victim talks plain HTTP to the proxy, the proxy talks HTTPS to the real site, and the site sees nothing but an ordinary session. If the user wasn’t watching for the “HTTPS” indicator on their browser’s address bar, they’d be none the wiser. I don’t think it would take long for someone to collect credentials for a few hundred bank or email accounts.
Then what? I don’t know. Maybe ACH transfer money to a single account and withdraw? They’d track down the account owner. You’d have to run and hide. An entertaining prank might be to transfer a ton of money to a single account (not yours). They’d certainly have a hard time explaining that one.
I think it’s only a matter of time before this happens. Protect yourself: always look for the green or blue HTTPS indicators on your browser’s address bar anytime you’re doing something sensitive, and check them before you type, not just before you submit, because a login page that arrived over plain HTTP may already have been tampered with. Typing the https:// address yourself or using a bookmark avoids relying on a link that a proxy could have rewritten. Site operators can close the gap by serving the login page itself over HTTPS (and, in browsers that support it, sending an HTTP Strict Transport Security header so the browser refuses plain HTTP for the site from then on).
- [1] Due to a bad patch in Ubuntu’s build of Ettercap, I had to build it myself (without the patch).
- [2] example.com isn’t a real domain, of course. I don’t want to divulge the domain I actually used.
- [3] The filter was actually more complicated than that, but I refrain from giving out information that could aid people with bad intentions.