What is Man in The Middle (MITM) Attack?
A man in the middle (MITM) attack is a general term for when a machine positions itself in between a connection between a client/user and the server/internet — either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is underway. This is nicely depicted in the diagram below.
The MiTM attacker will be able to place himself/herself between the user and the internet server to see what is happening. We will be using an ARP spoofing attack to achieve this. Before starting let’s know what is ARP protocol and how we are going to exploit it to become the man-in-the-middle.
What is ARP?
ARP stands for Address Resolution Protocol. It links the IP addresses to the device MAC addresses. Each computer in a network will have a table storing IP addresses of the device in a network with their MAC addresses. So whenever data is sent in a network, it will be sent to the device having the MAC address associated with the destination IP of the packet. We can see this ARP table by running the following command.
$ arp -a
For me, this is the output:
Result of `arp-a`
ARP Spoofing can be achieved by telling the router that the user’s IP corresponds to our MAC address. We will also tell the user that the router’s IP address corresponds to my MAC address. And guess what !!! all the traffic between the user and router will now flow through our machine.
The reason that this exploit is possible is because the ARP protocol is not secure, the client machines will accept responses even if they didn’t send requests and the client machines won’t even verify before updating their ARP table. You can look at the image below for a graphical representation of what we will be achieving.
Image Credits: ZSecurity
As mentioned, we will be using an ARP spoofing attack to be the Man-In-The-Middle. ARP Spoofing will redirect the flow of packets. So instead of packets flowing directly between the client and access point, it would redirect through our system. This means that we will be able to see all the websites, usernames, passwords, images that the user is browsing.
Let’s practically see how this would work. I am using Ubuntu 20.04 for executing all the below commands. The commands will remain the same for any Debian-based Linux Machine. Kali Linux is preferred since it will have most of the tools pre-installed. The tool I will be using is bettercap . It’s an open-source tool. Let’s download it and install it by running the following commands in your terminal :
$ wget "https://github.com`curl -s https://github.com/bettercap/bettercap/releases | grep -E -o '/bettercap/bettercap/releases/download/v[0-9.]+/bettercap_linux_amd64_(|v)[0-9.]+zip' | head -n 1`"
$ unzip bettercap_linux_amd64_*zip $ sudo mv bettercap /usr/local/bin/ $ rm bettercap_linux_amd64_*
Run bettercap -h to see that the installation is proper
$ bettercap -h
Note : There’s an optional step. If you want you can change your MAC address. This is a way to hide your identity on the network. To do this, you can follow the steps here: How to change MAC Address?
Being the Man In The Middle
1. Get the interface name by running ‘ifconfig' in the terminal
Output for `ifconfig`
As you can see I have 2 interfaces, wlan0 and wlxb0a7b9b32df2 . I will choose wlxb0a7b9b32df2 interface and use it in further commands. You can choose any of them.
2. Get inside the bettercap tool by running the following command.
<interface-name> is the name we fetched in the above step.
$ bettercap -iface <interface-name>
Hereafter we will write all the commands inside this shell.
ProTip : You can type help inside this shell to get a list of all the cool stuff you can do using bettercap
3. Getting the list of device IPs connected with the router
We require a list of devices connected to the router so that we can select a target device on which we will perform the attack.
To do this we will start the net.probe module. This module will keep probing for new hosts on the network by sending dummy UDP packets to every possible IP on the subnet. To turn net.probe on, execute the below command
bettercap-shell> net.probe on
Turning it on will also trigger the net.recon module on which will read the ARP cache in order to monitor for new hosts on the network and create a nice list out of it.
To view this list run the following command
The output should look something like this:
Output for `net.show`
Note down the IP of the target device on which we want to perform ARP spoofing. For my case, it is the device with the name infinee.local and target IP is 192.168.29.65 .
4. ARP spoofing attack on the target IP
Now we will run the ARP spoofing attack on the target device. This will place us in between the user and the router. So we can intercept the data and see all the URLs and the websites the target device is visiting, and anything the user posts. We will use the arp.spoof module provided by berttercap.
If you wish you can run help arp.spoof to see the list of options provided by this module. We will need to set the arp.spoof.fullduplex option to true. Doing this will spoof both the target device and the router and we will be in the middle of the connection. We will do this by running the following command.
bettercap-shell> set arp.spoof.fullduplex true
Next, we should set the target using the below command. <target_ip> for me here is 192.168.29.65 . And turn it on by typing arp.spoof on
bettercap-shell> set arp.spoof.targets <target_ip> bettercap-shell> arp.spoof on
arp.spoof on will do 3 things:
Tell the router that I am the user at target_ip
Tell the machine at target_ip that I am the router
Enable port forwarding so that my machine can seamlessly transfer data between these two
Kudos!!! We are now Man-in-The-Middle. We can now capture packets using a program of our own or use Wireshark. For this blog, we will use a tool provided by bettercap. Once you are man-in-the-middle, there will be a small lag on the page load time on the target machine.
5. Packet Sniffing
We have to tell bettercap to capture all the data that flows through this computer and analyze it for me. To do this we will use the net.sniff module provided by bettercap . Simply run the following command to start sniffing.
bettercap-shell> net.sniff on
Output for `net.sniff on`
As you can see, we are able to see the API requests and the request bodies transferred between the client machine and the internet.
We had to write so many bettercap commands for ARP-spoofing. We can write all these commands in a *.cap file where * is any file name and execute them through bettercap. For this, I will create a file called arp-spoof.cap with the following contents
net.probe on set arp.spoof.fullduplex true set arp.spoof.targets <target_ip> arp.spoof on net.sniff on
We call this a caplet. To execute it, run the following command in the terminal:
$ bettercap -iface <interface_name> -caplet arp-spoof.cap
where <interface-name> is the name of our adapter which we got in the 1st step.
arp spoofing using caplets
Sniff packets using WireShark
Alternatively, we can use a sniffing tool called Wireshark to sniff these packets. We will still need to do arp spoofing using bettercap. Wireshark is just a replacement of the net.sniff module of bettercap.
Run the following commands to install wireshark :
$ sudo add-apt-repository ppa:wireshark-dev/stable $ sudo apt-get update $ sudo apt-get install wireshark
To start wireshark :
$ sudo wireshark
From the UI of wireshark, we select the network interface that we got in step 1. And our sniffer will start as shown in the pictures below.
The network packets viewed by both the methods — bettercap and Wireshark are the same, just that wireshark is the UI way of net.sniff inbettercap with slightly more information.
This method won’t work for packets sent over the HTTPS protocol. We will only be able to read packets that are sent over the HTTP protocol.
However, there are caplets available on the internet that can be executed bettercap that will help you to partially bypass the HTTPS and the HSTS protocols. You can find one such caplet here: https://github.com/bettercap/caplets/tree/master/hstshijack
This blog was originally published in the personal blog website of Gourav : https://gourav-dhar.com