0

I too feel that this is a stupid question, but I'm unsure if capturing traffic will work if the host is offline. I was actually discussing Man-in-the-Middle attacks and just thought: let's suppose https://example.com is offline (down or blocked on a network) and someone made a request to http://example.com/example-category/example, so will an attacker be able to capture this complete GET request in a local network?

I think yes, because the request will anyhow be sent from the client to the host and there it should be captured. If that is the case, then can HTTPS traffic also be captured (talking only GET based) if the host is offline or blocked intentionally on a local network?

Jonathan Leffler
GeekyNoob

2 Answers

1

If the man in the middle is located in the network before the host is found unreachable (for example in the local network before the router), then yes, the request would go to the MITM.

Yet the MITM might be in a bit of a situation if he finds the destination host unreachable from his network, too.

If the router/gateway that is blocking the request is before the MITM, the request will be blocked and not received by the MITM.

If there is no MITM, but just traffic monitoring, there will be no connection made and thus no request transmitted to be monitored.

As to HTTPS: If the MITM cannot provide a valid certificate for the domain name (usually, MITM cannot), the connection would fail on the TLS part.

Tobi Nary
  • Thank you for your explanation, but there is one thing left unclear: let's suppose I want to do a MITM attack and the host is offline. All I want to know is the URL being used to connect to the host, and there is a user on the network who tries to connect to the host using the special URL, all of this over plain HTTP and no HTTPS. Is it possible for me to know exactly which GET request was transmitted? Wil – GeekyNoob Mar 10 '16 at 02:17
  • Yes, if it is MITM (first paragraph of my answer). No if it is only traffic monitoring (fourth paragraph) – Tobi Nary Mar 10 '16 at 07:12
0

No. Before the http request itself can be sent, the initial TCP connection has to be established. And if the host is offline, then the TCP connection CANNOT be established.

No connection, no request, therefore nothing to sniff. The only thing that COULD be sniffed/intercepted would therefore be the initial TCP SYN packet, and that by itself is essentially useless.

It's like dialing a phone number that doesn't exist - the attempt to dial can be monitored, but since the call can never be established, there's no voice chatter to intercept.

Marc B
  • 1
    You may want to reconsider that: with a MITM, the connection gets established with the man in the middle, not the destination host. If the man in the middle is reachable but the destination host is not, a connection will be established. – Tobi Nary Mar 09 '16 at 16:36
  • True enough, but then all bets are off, because the mitm has control of the network anyways. – Marc B Mar 09 '16 at 16:38
  • Not on all parts; I understood OP as if the MITM controls (and is part of) only part of the network and another part with the destination is unreachable from that part. – Tobi Nary Mar 09 '16 at 16:40
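
The point both answers turn on, shown as an added example (not code from either answer): an HTTP client writes its request only after the TCP handshake completes, so whether the GET line is ever transmitted depends on whether something answers the connection attempt. The loopback sockets and the constructed request are assumptions standing in for the client, the offline host and a host on the path that accepts the connection.

```python
import socket
import threading

# Constructed sample request, matching the URL in the question.
REQUEST = b"GET /example-category/example HTTP/1.1\r\nHost: example.com\r\n\r\n"

def client_send(addr, timeout=2.0):
    """Behave like an HTTP client: request bytes are written only after connect() succeeds."""
    try:
        with socket.create_connection(addr, timeout=timeout) as s:
            s.sendall(REQUEST)
            return True    # handshake completed, request left the client
    except OSError:
        return False       # no handshake, so the request was never sent

def demo_no_listener():
    """Destination does not answer: the port is reserved but nothing listens on it."""
    with socket.socket() as placeholder:
        placeholder.bind(("127.0.0.1", 0))      # bound, never listen(): connects are refused
        return client_send(placeholder.getsockname())

def demo_endpoint_answers():
    """Some host on the path completes the handshake and therefore receives the request."""
    received = []
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        srv.settimeout(5)

        def accept_once():
            conn, _ = srv.accept()
            with conn:
                received.append(conn.recv(4096))

        t = threading.Thread(target=accept_once)
        t.start()
        sent = client_send(srv.getsockname())
        t.join()
    request_line = received[0].split(b"\r\n")[0].decode()
    return sent, request_line

if __name__ == "__main__":
    print("no listener, request sent:", demo_no_listener())
    print("listener present:", demo_endpoint_answers())
```

Over plain HTTP the full path and Host header are readable by whichever endpoint completes the handshake, which is the case HTTPS with certificate validation is meant to close off.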