What is a man-in-the-middle attack (MITM)?
A man-in-the-middle attack (MITM) is a form of eavesdropping in which the communication between two parties is monitored and modified by an unauthorized third party. Typically, the attacker intercepts a public-key exchange, actively eavesdrops on the messages and retransmits them, replacing the requested key with the attacker's own key.
Throughout this process, the two original parties appear to be communicating normally. The sender does not realize that the party receiving the message is an attacker who reads or modifies it before forwarding it to the intended recipient. The attacker thus controls the entire communication. The attack is also known as the Janus attack or the fire brigade attack.
The name comes from the ball game in which two people play catch while a third person standing in the middle tries to intercept the ball. The alternative name, fire brigade attack, is derived from the emergency practice of passing water buckets from hand to hand to put out a fire.
An MITM attack intercepts the communication between two systems and is typically carried out when the attacker controls a router on the path the traffic normally takes. In almost all cases, the attacker is in the same broadcast domain as the victim. For example, in an HTTP transaction there is a single TCP connection between the client and the server.
The attacker splits this TCP connection into two: one between the victim and the attacker, and one between the attacker and the server. Once the connection is intercepted, the attacker acts as a proxy, reading the data and modifying or inserting data into the intercepted communication. The session cookie carried in the HTTP header can easily be captured by the intruder.
In an HTTPS connection, the attacker establishes two independent SSL connections, one over each TCP connection. An MITM attack exploits a weakness in the network communication protocol to convince the victim to route its traffic through the attacker instead of the normal router; the common technique for doing this is known as ARP spoofing.
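As an added example (not part of the original article), the following Python script shows, from a defender's viewpoint, how the ARP spoofing described above can be detected passively: it replays a constructed sequence of ARP replies and flags an IP whose MAC binding changes, a reply that contradicts a known-good gateway binding, and a MAC that answers for more than one IP. All addresses and the trusted gateway binding are constructed for the example.

```python
from collections import defaultdict

# Constructed sample ARP replies (not captured from any real network).
# Each tuple is (timestamp, sender IP, sender MAC) as seen on the victim's segment.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.1.1",  "aa:bb:cc:00:00:01"),  # legitimate gateway announces itself
    ("10:00:02", "192.168.1.20", "aa:bb:cc:00:00:20"),  # another host on the segment
    ("10:00:05", "192.168.1.1",  "de:ad:be:ef:00:99"),  # gateway IP suddenly claimed by a new MAC
    ("10:00:06", "192.168.1.20", "de:ad:be:ef:00:99"),  # the same MAC also claims the other host's IP
]

# Assumed known-good binding for the gateway (constructed for this example).
TRUSTED_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def detect_arp_spoofing(replies, trusted=None):
    """Replay ARP replies and return a list of (timestamp, alert_kind, detail) tuples.

    Three conditions are flagged:
      trusted_binding_violation - a reply contradicts a known-good IP->MAC binding
      ip_mac_change             - an IP's MAC differs from the previously observed one
      mac_claims_multiple_ips   - one MAC answers for more than one IP (typical when an
                                  attacker poisons both the victim's and the gateway's cache)
    A legitimate host with several IP aliases would also trigger the third condition,
    so that alert should be correlated with the others rather than acted on alone.
    """
    trusted = trusted or {}
    observed = {}                      # ip -> last MAC seen
    mac_to_ips = defaultdict(set)      # mac -> set of IPs it has claimed
    alerts = []
    for ts, ip, mac in replies:
        if ip in trusted and mac != trusted[ip]:
            alerts.append((ts, "trusted_binding_violation",
                           f"ip={ip} expected={trusted[ip]} seen={mac}"))
        elif ip in observed and observed[ip] != mac:
            alerts.append((ts, "ip_mac_change",
                           f"ip={ip} old={observed[ip]} new={mac}"))
        observed[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append((ts, "mac_claims_multiple_ips",
                               f"mac={mac} ips={sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for ts, kind, detail in detect_arp_spoofing(SAMPLE_ARP_REPLIES, TRUSTED_BINDINGS):
        print(ts, kind, detail)
```

On a real segment the same logic can be fed from a packet capture or from periodic snapshots of the ARP table; static ARP entries for the gateway and dynamic ARP inspection on the switch remove the root cause rather than merely detecting it.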