11

Supposing an attacker has gained access to the router. Is there a way for the victim to notice that they are being attacked?

I think one of my friends is a victim of this kind of attack. How can I be sure that this is the attack that is being performed on him?

More details: someone is constantly changing his passwords for Facebook etc.

schroeder
eversor

5 Answers

4

There are multiple 'tells' your friend might pick up on if he is a victim of a MITM vector.

Is your friend's connection slower than usual? Is the Facebook page exactly like the one he sees at work, school, etc.? (Compare the source.) Ettercap has a few modes designed to detect a MITM attack that your friend can make use of.

None of the above methods are foolproof, but together they build a picture of possible side effects. Your friend can bypass a dns_spoof by navigating to Facebook by its IP (66.220.149.88) and use a VPN tunnel (Tor is free but slow).

Having said all this, it is unlikely that your friend is a victim of a MITM attack. It is extremely probable their machine is infected with keyloggers. Have your friend run a virus scan, clean them out and then check all Facebook security settings.

Also, if your friend uses Yahoo, have them switch to Gmail.

November
3

In general, no. There is no reliable way to detect that you are the victim of a man-in-the-middle attack.

There are some things you can do to detect imperfect attacks -- primary amongst them is to try to use SSL (https) wherever possible, and to check the browser address bar to confirm that SSL is in use (e.g., there is a green or blue glow behind the address). If you are using SSL, and if you avoid clicking through certificate warnings, you should be relatively safe from a man-in-the-middle attack. But there is little you can do to detect a man-in-the-middle attack when you are using http.

That said, I'm skeptical that your friend is being hacked by a man-in-the-middle attack. It's more likely that his password or account has been compromised. I suggest the following measures to recover:

  • Scan his computer for malware/spyware using Malware Bytes or some other good malware scanner. Remove all detected malware/spyware.

  • Change his password and his administrator password on his computer.

  • Turn on anti-virus (e.g., Microsoft Security Essentials, Avast, etc.).

  • Turn on Windows Update. Run Windows Update to update the OS. Update his browser, if it is not running the latest browser.

  • If he uses Firefox, ask him to install HTTPS Everywhere.

  • Configure Facebook to use SSL (HTTPS) for all connections.

  • Now, have him change his email password (e.g., his Gmail password) and his Facebook password. Also, have him remove/uninstall all Facebook apps. Malicious Facebook apps are a common way that people get attacked. Make sure the new password is long and strong.

  • If the problem goes away, you are good!

D.W.
2

Yes, you can detect a man-in-the-middle attack on https in the browser by checking the https connection fingerprint is correct.

For example if you wish to check https://www.facebook.com is not MiTM attacked in Internet Explorer 11 (uses two different windows, because the View Certificates dialog is modal):

  1. Open https://www.grc.com/fingerprints.htm in IE11 on the desktop
  2. Open a new IE window (ctrl-N on desktop) and go to https://www.facebook.com
  3. Click on the lock next to the address, click on the View Certificates button, and a modal dialog pops up.
  4. On the General Tab, check that the "Issued to" is *.facebook.com
  5. On the Details Tab, scroll to the bottom, click on the fingerprint, and check that the numbers and letters of the fingerprint match those displayed on https://www.grc.com/fingerprints.htm for *.facebook.com (when comparing fingerprints ignore uppercase/lowercase differences, and ignore spaces/colons).

If you wish to check any other browser, follow the instructions much further down the page under the heading "How to display this page's (or any page's) SSL certificate fingerprint:" on https://www.grc.com/fingerprints.htm . If you wish to check any other domain, under the "Custom Site Fingerprinting" heading near the top of the page you can request the official Certificate Name and Fingerprint for any domain.

This is a fairly robust way to detect man-in-the-middle proxy attacks (for proxies on the machine or the network). It won't detect any viruses etc that have infected the browser (so called man-in-the-browser attacks).

robocat
0

My two cents: if your friend is on a *nix system, he can first note the MAC address of the router from the router web panel, and then run the following command:

arp -a

He can verify the MAC address that the router is at in the ARP table. If the MAC address of the router is different than what it should be, that is one indication.

Secondly, you can verify the DNS resolutions for, say, facebook.com by running:

nslookup facebook.com

If the address returned is a local address, say 192.168.0.105 or something, this should indicate that your DNS resolutions are being hijacked.

Easier yet, at the application layer, i.e. in the browser, whenever you're browsing a website which uses credentials or anything sensitive, check the URL bar to determine if the communication is happening over HTTPS. Even if the traffic is being sniffed, say by a LAN connection to a switch, your traffic would be unreadable to the attacker due to HTTPS.

racec0ndition
-1

A common technique is ARP spoofing. So watch for changes of the ARP table (there are tools like arpwatch). Also, watch for multiple responses to your ARP requests.

Bender
    Arp is certainly one technique that may help detect network mitm. Perhaps you can develop on this to include more information and make a better answer? – adric Oct 12 '12 at 14:33
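The ARP and DNS checks from the two answers above (racec0ndition's gateway-MAC and nslookup checks, Bender's arpwatch-style watch for table changes), as one added example that is not code from either answer. It parses `arp -a` output in both the Linux/macOS "? (ip) at mac" and the Windows "ip mac type" layouts, compares the gateway's MAC with the one read from the router panel, diffs two snapshots, flags a single MAC that claims several IPs (the spoofing host keeps its own entry while also answering for the gateway), and flags DNS answers in private ranges for a public name. The sample `arp -a` output and the attacker MAC are constructed; the two `live_*` helpers shell out to the real commands and are not exercised offline.

```python
"""ARP-table and DNS-answer tells for an on-LAN man-in-the-middle."""
import ipaddress
import re
import socket
import subprocess

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})"
ARP_LINE = re.compile(IPV4 + r".*?" + MAC)


def normalize_mac(mac: str) -> str:
    """'0-11-22-33-44-55' and '0:11:22:33:44:55' both become '00:11:22:33:44:55'."""
    return ":".join(part.lower().zfill(2) for part in re.split(r"[:-]", mac))


def parse_arp(text: str) -> dict:
    """Map IP -> MAC for every complete entry; '<incomplete>' and header lines carry no MAC."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def gateway_mac_ok(table: dict, gateway_ip: str, expected_mac: str) -> bool:
    """Is the router still at the MAC its web panel shows?"""
    return table.get(gateway_ip) == normalize_mac(expected_mac)


def changed_entries(before: dict, after: dict) -> dict:
    """arpwatch-style diff: IPs whose MAC differs between two snapshots -> (old, new)."""
    return {ip: (before[ip], after[ip])
            for ip in before if ip in after and before[ip] != after[ip]}


def shared_macs(table: dict) -> dict:
    """MACs that claim more than one IP -> sorted IPs; the classic footprint of ARP spoofing."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def private_answers(addresses) -> list:
    """Answers that cannot be right for a public hostname (RFC 1918, loopback, link-local)."""
    bad = []
    for a in addresses:
        ip = ipaddress.ip_address(a)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            bad.append(a)
    return bad


def live_arp_table() -> dict:
    """Live use: run the real `arp -a` (Linux, macOS and Windows all accept it)."""
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True).stdout
    return parse_arp(out)


def live_resolve(name: str) -> list:
    """Live use: all A records from the system resolver, i.e. what the browser would get."""
    return socket.gethostbyname_ex(name)[2]


# Constructed `arp -a` output: a clean LAN, then the same LAN after the host at .105
# (MAC de:ad:be:ef:00:01, made up) started answering for the gateway's IP.
ARP_BEFORE = """\
? (192.168.0.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.0.105) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.0.50) at <incomplete> on eth0
"""
ARP_AFTER = """\
? (192.168.0.1) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.0.105) at de:ad:be:ef:00:01 [ether] on eth0
"""
ROUTER_MAC = "00-11-22-33-44-55"  # as read from the router's web panel, Windows-style separators


if __name__ == "__main__":
    before, after = parse_arp(ARP_BEFORE), parse_arp(ARP_AFTER)
    print("gateway MAC ok before:", gateway_mac_ok(before, "192.168.0.1", ROUTER_MAC))
    print("gateway MAC ok after :", gateway_mac_ok(after, "192.168.0.1", ROUTER_MAC))
    print("changed entries      :", changed_entries(before, after))
    print("MACs claiming >1 IP  :", shared_macs(after))
    print("suspicious answers   :", private_answers(["192.168.0.105", "66.220.149.88"]))
```

Run `live_arp_table()` twice a few minutes apart and feed the results to `changed_entries` to get the same signal arpwatch raises; a gateway entry that flips to the MAC of another host on the LAN, or one MAC owning both the gateway IP and a workstation IP, is the tell both answers describe. The DNS check only catches the crude case of answers pointing into the LAN; a spoofed answer pointing at a public IP the attacker controls passes it, which is why the HTTPS and certificate checks in the other answers still matter.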