Hi all,
I am working on a study project around mitigation strategies to protect against man-in-the-middle attacks and would like some advice around how Firefox deals with detecting a new network adapter and an update of routes on the local host whilst Firefox is running.
My study project involves connecting a small (malicious) device that configures Ethernet over USB. This device also runs a web server, a DHCP server and a DNS server to essentially perform a man-in-the-middle attack. When the device is connected, a DHCP address is issued to the Ethernet over USB device and the subnet mask on the victim is set to route all IPv4 addresses to the malicious device. The device also spoofs all DNS queries on the fly to route to the device; this ensures that all traffic is routed to the device.
This ultimately provides a method for any HTTP request from the browser to hit the device; the device responds with HTML content containing a malicious script. Many websites frequently make HTTP requests without intervention, such as an advert, and so this attack can run automatically.
I have tested this on 2 x MacBooks and Windows 7 (testing only :-)) and Windows 10 and have the same result.
To try and resolve this, I have turned off DNS prefetch and also looked at the network settings and changed each proxy option; currently I have it set to no proxy. I also searched for similar articles and read this article, which is seemingly relevant but did not solve my specific use case: https://daniel.haxx.se/blog/2014/09/26/changing-networks-with-firefox-running/
I am not interested in a fix, but I am interested to understand why this happens and if this is actually a specific feature within Firefox, and any other useful information around this specific scenario.
Thanks a lot for reading
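
For the mitigation side of the scenario described in the post above, this added example (not part of the original post) flags a newly attached adapter whose lease claims a very large IPv4 range as directly attached, and uses longest-prefix matching to show why such a route takes over traffic while the existing default route is still present. It assumes the host routing table has already been parsed into tuples; the interface names, addresses and the /8 threshold are constructed for illustration.

```python
import ipaddress

# Constructed sample routing table: (destination, gateway or None if on-link, interface).
# Interface names and addresses are made up for illustration.
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "192.168.1.1", "wlan0"),   # existing default route
    ("192.168.1.0/24", None, "wlan0"),       # ordinary LAN subnet
    ("0.0.0.0/1", None, "usb0"),             # new adapter whose DHCP lease carries a huge mask
]

# Assumption: no legitimate directly attached network is wider than a /8.
MIN_ONLINK_PREFIX = 8


def suspicious_onlink_routes(routes, min_prefix=MIN_ONLINK_PREFIX):
    """Return (interface, network) pairs where an interface claims a very
    large IPv4 range as directly attached (no gateway)."""
    findings = []
    for dest, gateway, iface in routes:
        net = ipaddress.ip_network(dest, strict=False)
        if net.version == 4 and gateway is None and net.prefixlen < min_prefix:
            findings.append((iface, str(net)))
    return findings


def egress_interface(routes, address):
    """Longest-prefix match: the interface the OS would pick for `address`."""
    ip = ipaddress.ip_address(address)
    best = None
    for dest, _gateway, iface in routes:
        net = ipaddress.ip_network(dest, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


if __name__ == "__main__":
    for iface, net in suspicious_onlink_routes(SAMPLE_ROUTES):
        print(f"ALERT: {iface} claims {net} as on-link")
    for target in ("93.184.216.34", "192.168.1.20"):
        print(target, "->", egress_interface(SAMPLE_ROUTES, target))
```

Point-to-point VPN interfaces can also install wide on-link routes, so a real check would need an allowlist of expected interfaces.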