To prevent a security breach and loss of critical business data, security teams must be diligent in defining, identifying, and classifying security gaps in their organization’s network. Many security teams conduct pentesting as a way to assess and mitigate any potential gaps.  As a consulting engineer for Cisco Security Services, I’ve observed a deeper understanding of certain vulnerabilities can lead to improved mitigation techniques.  A good example is Man in The Middle (MiTM) attacks.

MiTM attacks allow attackers to eavesdrop and potentially modify network traffic. Every security expert has heard of these types of attacks and may have even run ARP-spoofing or other kinds of MiTM attack. However, these types of attacks are often not particularly detailed, do not classify attacks well nor do they accurately represent ways an attack could benefit an adversary

Additionally, the kinds of MiTM attacks vary widely, including those against servers, clients, application layer, TCP layer, IP layer, Data Link layer, and physical layer. To provide an effective security solution against MiTM attacks, we must understand how such attacks work.

In my work performing security-testing, I have found that security organizations rarely try to exploit vulnerabilities, resulting only with the conjecture that a MiTM attack is possible without realistic metrics of what a supposed attacker can really do. For example, as a pentester, I have found routers with vulnerable RIP configurations, MPLS networks with iBGP with vulnerable routers and the almost omnipresent issues with internal SSL services

To help bring awareness to this issue, I created a hands-on training course which I will present at the 2016 Black Hat conference. Every student will have the opportunity to practice with techniques that aren’t easily utilized without a dedicated laboratory. The first part of this training is designed to perform a MiTM attack on the following scenarios:

  • TCP/IP and IPv6
  • MiTM with routing protocols
  • Man on the side and 1-way MiTM

Once the pentester has the traffic passing through his/her system, normal security assessments and pentesting activities usually stop here.  However, for advanced services, such as Red Team exercises, the attack simulation goes further than an announced assessment.  Exploitation must pass under the radar of the company’s security team.

The second part of the lab will focus on what can be achieved with a MiTM attack.  This portion includes coverage of approaches I found inside the leaked documents of companies like Hacking Team and Gamma Group, which provide MiTM systems to their clients:

  • Exploiting MiTM
  • Advanced HTTP MiTM
  • Infecting files on-the-fly
  • ‘Rogue’ attacks

In this lab participants will code their own tools to ensure a deep understanding of the attacks. They will also see mitigations that currently exist and their weaknesses.

With this coursework, I hope to educate security teams no only in how to mitigate MiTM attacks, as well as how to improve the overall security of their networks.

The complete syllabus of the training can be found here.  More information on the penetration testing work we do for our client can be found here.


Leonardo Nve

Senior Penetration Tester

Portcullis, a Part of Cisco Advisory Services