CAPEC-94: Adversary in the Middle (AiTM)
Also known as: Man-in-the-Middle / MITM, Person-in-the-Middle / PiTM, Monkey-in-the-Middle, Monster-in-the-Middle, On-path Attacker
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.
Last updated
Overview
Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first flows through the adversary, who has the opportunity to observe or alter it, before being passed on to the intended recipient as if it was never observed. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for these attacks yields an implicit lack of trust in communication or identify between two components. These attacks differ from Sniffing Attacks (CAPEC-157) since these attacks often modify the communications prior to delivering it to the intended recipient.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Determine Communication Mechanism] The adversary determines the nature and mechanism of communication between two components, looking for opportunities to exploit.
- Perform a sniffing attack and observe communication to determine a communication protocol.
- Look for application documentation that might describe a communication mechanism used by a target.
- Step 2Experiment
[Position In Between Targets] The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components.
- Install spyware on a client that will intercept outgoing packets and route them to their destination as well as route incoming packets back to the client.