46

Based on this question here: Are "man in the middle" attacks extremely rare?

Is it possible to detect man-in-the-middle attacks, and if so, how would one go about it?

In addition, what if the attack is taking place via connecting into the local network, such as phone lines? Is there any way to detect it?

TigerCoding
  • An excellent answer would touch on all the methods that are contained in this answer: http://serverfault.com/a/153065/3139 – Jeff Ferland Feb 23 '12 at 14:20

6 Answers

30

While browsing, you can check every time whether the certificate presented to you by the website is issued by a legitimate CA or is a fake certificate issued by some CA that your browser trusts. Obviously it is not possible to do it manually, so there are tools that do it for you.

Cert Patrol and Perspective are browser plugins that do essentially that. They keep a note of which domain names are issued by which CAs (e.g. Google => Thawte, etc.) and many other parameters related to the certificates, and will alarm the user if either the CA changes OR the public key in the cert changes.

These are obviously not detection of MITM; they are more like prevention schemes, detecting that something is odd about the certificate presented by the website.

Also, while connecting to an SSH server, it asks for the server fingerprint. I'd be alarmed if my SSH client presented me a new fingerprint after I had previously connected to a server. The server host key gets saved to the known_hosts file after the first connection, so the only reason the client is asking me to validate the fingerprint again is that either the SSH server has restarted/updated OR I am being MITMed.

Absolute paranoia demands that you call the system admin on the phone and confirm the fingerprint by making him read out the key.

CodeExpress
  • Why does it make any difference who's reading the fingerprint if I might be calling the 'man in the middle'? Surely he's capable of telling me his own bad host's fingerprint. – Daniel Beck Apr 26 '13 at 17:50
  • I've proven Perspective unusable here: http://security.stackexchange.com/questions/12081/ssl-fingerprint-inconsistency-what-does-it-mean – Aki Jun 22 '15 at 04:25
  • *puts on tin foil hat* How do you confirm that the man you are talking to on the phone isn't MITM-attacking your phone line and/or deploying an IMSI-catcher to MITM your mobile phone, on top of MITM-attacking your internet connection? – Aron Jun 22 '16 at 03:20
  • @Aron You can't. However, it is worth saying that it will need to be a pretty spectacular (and desperate) attack if an attacker successfully MITMs your internet connection as well as the organization's website (where you were referred to the phone number or system admin), or MITMs your phone connection. I would never want to be in such a situation ;) – CodeExpress Jun 22 '16 at 23:54
11

Can you detect a MitM attack? Depends on the type of system being attacked and the type of attack.

Say some sophisticated attacker has gotten control of a router upstream between you and the internet in general and redirects your traffic to fake servers under their control for a MitM (e.g., captures DNS requests and gives phony replies that point to their servers, or uses Network Address Translation (NAT)).

Now let's say you go to http://www.facebook.com and get directed to an http login page under the attacker's control. Foreseeably the attacker could throw up a page that mimics Facebook's login page, capture your authentication information, use that information to connect to the real Facebook, and then relay the content from the real Facebook to your browser. This could be done nearly seamlessly, with the exception of the hidden form post action not being https on the initial login page. Let's say instead your settings are to always use https for Facebook, and you went to https://www.facebook.com. The MitM attack would raise red flags in the browser, as the attacker will not have a trusted certificate for facebook.com. Granted, many users would ignore these browser warnings (as sometimes they occur for benign reasons like an expired key or an intranet site not using a self-signed key). This all assumes that the attacker has not additionally managed to hack into Facebook and get their private certificates, OR compromise a CA (certificate authority) to be able to generate phony certificates trusted by most web browsers, OR previously alter your web browser so it trusts/doesn't warn about invalid certificates.

In general, with http it is near impossible to detect MitM attacks, but with https your browser should automatically detect and warn you about them, unless the attacker has already compromised your system or the system at the other end (including the CA as a system at the other end).

Next example: ssh. Again, it uses private-public server keypairs to authenticate computers. So if I frequently ssh into my work machine from my home computer, my home computer has recorded and trusted the public key of my work machine (which is kept in a file ~/.ssh/known_hosts). If a MitM attack were attempted when I am connecting from my home machine, ssh would immediately notice that the MitM machine did not have the private key of my work machine and would not let me log in (unless I specifically removed the public key from my known_hosts list, which I would only do if, say, I upgraded to a new machine or changed the server key). Again, MitM attacks over ssh are very easy to detect unless the attacker either already broke into my work machine as root and copied the private key to his host, OR already broke into my home machine and changed the public key for my work machine recorded in ~/.ssh/known_hosts, OR it's my first time connecting to the server (and I do not have the server in my known_hosts or recognize its host fingerprint).

dr jimbob
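The known_hosts check described in this answer and in CodeExpress's answer above, written out as an added example (not code from either answer, nor OpenSSH's own): it reproduces OpenSSH's SHA256 fingerprint format and the hashed-hostname entry format, and classifies a presented host key as trusted, mismatch (the "restarted/updated or MITMed" case) or unknown (first connection). The key blobs, hostnames and known_hosts content are constructed for the example.

```python
import base64
import hashlib
import hmac

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the raw key blob, base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(pattern: str, host: str) -> bool:
    """Match a known_hosts host field: comma-separated names, or the hashed |1|salt|hmac form."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in pattern.split(",")

def check_host_key(known_hosts: str, host: str, keytype: str, key_b64: str) -> str:
    """'trusted' if the presented key matches a recorded entry, 'mismatch' if the host is
    known under a different key (server key changed, or MITM), 'unknown' on first contact."""
    host_known = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blanks, comments and @cert-authority/@revoked markers are out of scope
        if not host_matches(fields[0], host) or fields[1] != keytype:
            continue
        if fields[2] == key_b64:
            return "trusted"
        host_known = True
    return "mismatch" if host_known else "unknown"

# --- constructed sample data; these are not real server keys ---
def _ed25519_blob_b64(raw32: bytes) -> str:
    ssh_string = lambda b: len(b).to_bytes(4, "big") + b  # SSH wire format: length + data
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw32)).decode()

REAL_KEY = _ed25519_blob_b64(bytes(range(32)))      # what the work machine really holds
MITM_KEY = _ed25519_blob_b64(bytes(range(32, 64)))  # what an interposed host would present
_salt = b"\x01" * 20
_hashed_host = "|1|%s|%s" % (base64.b64encode(_salt).decode(),
    base64.b64encode(hmac.new(_salt, b"work.example.org", hashlib.sha1).digest()).decode())
KNOWN_HOSTS = "\n".join([
    "# constructed ~/.ssh/known_hosts",
    "work.example.org,10.0.0.5 ssh-ed25519 " + REAL_KEY,
    _hashed_host + " ssh-ed25519 " + REAL_KEY,  # same host recorded HashKnownHosts-style
])

if __name__ == "__main__":
    for presented in (REAL_KEY, MITM_KEY):
        print(fingerprint(presented), check_host_key(KNOWN_HOSTS, "work.example.org", "ssh-ed25519", presented))
```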
4

Detection of MitM schemes is the basic goal of any authentication protocol. For that to work you need:

  • A safe way to get the authentication information (server certificate, shared key, ...)
  • A way to verify the authenticity of the messages exchanged with the server.

The server should do the same with the client. With a symmetric scheme, it should be done easily. When using asymmetric protocols like SSL, you have to:

  • Get the server certificate and be able to authenticate it properly
  • Communicate with the server using the public key embedded in that certificate, so that no one can decrypt the message
  • Agree with the server on a shared unique secret, to use symmetric encryption for future connections.

M'vy
3

No, you cannot, there are many ways to do this.

Many answers here will tell you how to check for specific MITM attacks, which I believe is not the point.

A MITM doesn't mean the attacker will try to decipher your data stream and present you with a different key/fingerprint. He is just a node between you and your destination host.

There are many ways to get into a MITM situation; each can be prevented by proper network administration: all the nodes between you and your destination host should be secured. Each network should be designed to resist every MITM possible, including abusing routing protocols, ARP spoofing, DNS spoofing, simply installing a physical bridge, etc.

In order to achieve security, being caught in a MITM attack should not matter: you cannot rely on trust and luck and you cannot control the internet, so you have to assume you are in a hostile environment unless proven secure by a proper audit. Using secure protocols like TLS, SSH and potentially IPsec can make your network more secure, and authenticate and encrypt your data. However, it's always vulnerable at some point, and most of the time it comes from either a misconfiguration or a flaw in the protocol/implementation itself.

In short, don't detect MITM, but instead:

  • Secure your LAN or ask someone to do it
  • Set up secure tunneling protocols to access secure distant networks and systems

Detecting MITM is possible, but it's related to what you use: port security for Cisco IOS, or just using Snort on any Unix box. You can't possibly get an exhaustive list; it just matches a given situation, and besides, attackers are always creative enough to find something you didn't think about, so refer to my two pieces of advice above.

Aki
    "No, you cannot, there are many ways to do this." This is poor phrasing. You're contradicting yourself. – mmla Jul 19 '19 at 06:55
  • Aki probably meant "You cannot (detect MITM), there are many ways [to MITM]." It's not a contradiction. – fregante Nov 02 '19 at 17:34
  • It’s simply flat out wrong: there are many ways to detect a MITM attack (certificate error, buggy injected JS, unexpected requests for a host/URL which was never published elsewhere, etc.). The correct phrasing would be “you can detect an insufficiently stealthy attacker”. – Chris Adams Nov 02 '19 at 17:47
1

You can check your ARP table. Or you can look at the good website MITM TUTORIALS [https://toschprod.wordpress.com/2012/03/04/mitm-8-countermeasures/], which explains in depth what a man in the middle is and how to avoid one. I guess reading its tutorial will give you an excellent idea of what is happening and how to prevent it, as well as how to detect it.

noktec
  • I've looked over all 6 of his pages on MITM attacks, and it basically seems like a tutorial on how to do them. I could find no information on how to detect when it's happening. So far the only thing I've found is http://nakkaya.com/mocha.html and I'm not sure if that's a good solution or not. – TigerCoding Feb 23 '12 at 14:36
  • I just checked! And you're right ... he moved the other part. I'll try to find it somewhere else! – noktec Feb 24 '12 at 10:59
-1

Go to the CMD and type arp -a. If the router MAC address is the same as any other node's (device's), then that device is the "MAN in the middle". That simple.
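The ARP-table check this answer (and noktec's "check your ARP table" above) describes, written out as an added example that is not from either post: it parses arp -a output in both the Windows and Linux layouts, skips the broadcast and multicast entries that legitimately share a MAC, and lists the IPs that claim the gateway's MAC. The sample tables are constructed; a device that holds several IPs on one interface will show up the same way, so a hit is a prompt to investigate rather than proof of an attack.

```python
import re
from collections import defaultdict

# One pattern covers both Windows ("192.168.1.1  a4-2b-8c-11-22-33  dynamic") and
# Linux ("gateway (192.168.1.1) at a4:2b:8c:11:22:33 [ether] on eth0") arp -a lines.
ARP_LINE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
)

def parse_arp(text: str) -> dict:
    """Map each unicast IPv4 neighbour to its MAC, normalised to aa:bb:cc:dd:ee:ff."""
    table = {}
    for m in ARP_LINE.finditer(text):
        ip, mac = m.group("ip"), m.group("mac").lower().replace("-", ":")
        if mac == "ff:ff:ff:ff:ff:ff" or 224 <= int(ip.split(".")[0]) <= 239:
            continue  # broadcast and multicast entries legitimately share MACs
        table[ip] = mac
    return table

def duplicate_macs(table: dict) -> dict:
    """MACs claimed by more than one IP: the symptom the answer tells you to look for."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_clones(table: dict, gateway_ip: str) -> list:
    """Other IPs resolving to the gateway's MAC (the ARP-spoofing pattern); [] if none."""
    gw_mac = table.get(gateway_ip)
    return sorted(ip for ip, mac in table.items() if mac == gw_mac and ip != gateway_ip)

# Constructed sample output; the .37 entry sharing the gateway's MAC is the suspicious one.
SAMPLE_WINDOWS = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           a4-2b-8c-11-22-33     dynamic
  192.168.1.37          a4-2b-8c-11-22-33     dynamic
  192.168.1.50          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
SAMPLE_LINUX = """\
gateway (192.168.1.1) at a4:2b:8c:11:22:33 [ether] on eth0
printer (192.168.1.50) at 00:11:22:33:44:55 [ether] on eth0
"""
if __name__ == "__main__":
    for sample in (SAMPLE_WINDOWS, SAMPLE_LINUX):
        table = parse_arp(sample)
        print(duplicate_macs(table), gateway_clones(table, "192.168.1.1"))
```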