CAPEC-94 Adversary in the Middle (AiTM)

CAPEC ID: 94

CAPEC-94 Metadata

Likelihood of Attack

High

Typical Severity

Very High

Overview

Summary

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.

Prerequisites

  • There are two components communicating with each other.
  • An attacker is able to identify the nature and mechanism of communication between the two target components.
  • An attacker can eavesdrop on the communication between the target components.
  • Strong mutual authentication is not used between the two target components, which gives the attacker an opportunity to interpose.
  • The communication occurs in the clear (not encrypted) or with insufficient and spoofable encryption.

Execution Flow

Step 1 (Explore): Determine Communication Mechanism
The adversary determines the nature and mechanism of communication between two components, looking for opportunities to exploit.
Techniques:
  • Perform a sniffing attack and observe communication to determine a communication protocol.
  • Look for application documentation that might describe a communication mechanism used by a target.

Step 2 (Experiment): Position In Between Targets
The adversary inserts themself into the communication channel, initially acting as a routing proxy between the two targeted components.
Techniques:
  • Install spyware on a client that will intercept outgoing packets and route them to their destination as well as route incoming packets back to the client.
  • Exploit a weakness in an encrypted communication mechanism to gain access to traffic. Look for outdated mechanisms such as SSL.

Step 3 (Exploit): Use Intercepted Data Maliciously
The adversary observes, filters, or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.
Techniques:
  • Prevent some messages from reaching their destination, causing a denial of service.

Potential Solutions / Mitigations

  • Ensure public keys are signed by a Certificate Authority.
  • Encrypt communications using cryptography (e.g., SSL/TLS).
  • Use strong mutual authentication to always fully authenticate both ends of any communications channel.
  • Exchange public keys using a secure channel.
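The mitigations above, as an added example that is not part of the CAPEC entry or this site: Python `ssl` contexts that apply them on both ends (CA-verified server certificate with hostname check, client certificates required on the server for mutual authentication, TLS 1.2 minimum), beside the interposable client configuration the prerequisites describe, and a small audit function that flags the settings an adversary in the middle relies on. The `cafile`, `certfile`, `keyfile` and `client_cafile` paths are hypothetical parameters; the finding codes are constructed for this example.

```python
import ssl

# Finding codes returned by audit_context (constructed for this example).
NO_PEER_VERIFICATION = "no-peer-verification"
NO_HOSTNAME_CHECK = "no-hostname-check"
LEGACY_PROTOCOL_ALLOWED = "legacy-protocol-allowed"


def hardened_client_context(cafile=None):
    """Client end: TLS 1.2+, CA-signed server cert whose name must match the host.
    cafile (hypothetical path) pins a CA received over a secure channel."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def hardened_server_context(certfile=None, keyfile=None, client_cafile=None):
    """Server end of mutual TLS: present our chain, require a CA-signed client cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # a client without a valid cert fails the handshake
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # hypothetical paths
    if client_cafile:
        ctx.load_verify_locations(client_cafile)
    return ctx


def interposable_client_context():
    """The weak end the prerequisites describe: encrypted, but any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is permitted
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # legacy versions negotiable
    return ctx


def audit_context(ctx):
    """List the settings that would let an adversary interpose on this context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(NO_PEER_VERIFICATION)
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and not ctx.check_hostname:
        findings.append(NO_HOSTNAME_CHECK)
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(LEGACY_PROTOCOL_ALLOWED)
    return findings
```

Running `audit_context` over a context before it is handed to a socket is a cheap pre-deployment check; an empty result means the three mitigations that defeat interposition (peer verification, name matching, no legacy protocol) are all in place.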

Related Weaknesses (CWE)

CWE ID Description
CWE-287 Improper Authentication
CWE-290 Authentication Bypass by Spoofing
CWE-294 Authentication Bypass by Capture-replay
CWE-300 Channel Accessible by Non-Endpoint
CWE-593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created

Related CAPECs

CAPEC ID Description
CAPEC-151 Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principal or use stolen / spoofed authentication credentials.
CAPEC-668 An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Bluetooth. The adversary uses an Adversary in the Middle setup to modify packets sent between the two devices during the authentication process, specifically the entropy bits. Knowledge of the number of entropy bits will allow the attacker to easily decrypt information passing over the line of communication.

Taxonomy Mappings

Taxonomy: ATTACK

Entry ID Entry Name
1557 Adversary-in-the-Middle

Taxonomy: OWASP Attacks

Entry ID Entry Name
Link Man-in-the-middle attack
