[Security] Man In The Middle Attack (MiTM) !


A MiTM attack is a very dangerous attack. It puts the users of a specific network at great risk, because every single piece of information can be retrieved by the attacker easily: user names, passwords, visited sites, images, emails sent, IM (Yahoo Messenger, MSN ...) and much more. Simply put, your connection is no longer secure at all!


So, what is a MiTM attack? Here is the definition from Wikipedia (if you are familiar with the definition, skip to the practical part!!):

".....In cryptography, the man-in-the-middle attack (often abbreviated MITM), bucket-brigade attack, or sometimes Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point, can insert himself as a man-in-the-middle)......" From Wikipedia.

This simply means that if I have user A and user B, and both of them are connected to each other, the technique is done by the attacker sending a message to user A saying "hi A, I am B", and to user B saying "hi B, I am A". That means you fool each side and make them believe that you are the other party; by doing this, all of the connection will go through you!

MiTM Attack!

I will explain how you can perform MiTM by using Backtrack4. This tutorial is very important for network security administrators, because it gives you a good idea of what information can be discovered on your network and helps you fix this problem.

Things you have to know before starting:
  • You have to have access to the network you want to examine.
  • You have to know the IP address of the victim and of the router (gateway, server ...).
  • I am using a LAN connection, so I will use my Ethernet adapter, the (eth0) interface. Change it according to what you have; if you are using a wireless connection, for example, use (wlan0, ath0 ...).
  • I TAKE NO RESPONSIBILITY FOR ANY MISUSE OF THIS GUIDE.

1. First, you have to enable IP forwarding, so that the packets you intercept are still passed on and the victim's connection keeps working.

echo 1 > /proc/sys/net/ipv4/ip_forward



2. We will do ARP spoofing for both the target and the server (or router, or gateway):


arpspoof -i eth0 -t targetip gatewayip

-i eth0 : the adapter you are using; mine is eth0.
-t targetip : substitute this with your target IP; my target is at 192.168.127.129.
gatewayip : this stands for the server, router or gateway IP; my router is at 192.168.127.1.

So the command will be :

arpspoof -i eth0 -t 192.168.127.129 192.168.127.1


3. Now we have to run the command for the router too (keep the previous command running and open a new window). Notice that the target IP (after -t) will be the router here, because we are targeting the router in this step (arpspoof -i eth0 -t gatewayip targetip):

arpspoof -i eth0 -t 192.168.127.1 192.168.127.129


4. The next step is to make sure that you have successfully poisoned the two targets; this step will also give you a look at all the information the target requests (remember to keep the previous two commands running all the time!).

tcpdump -i eth0 host 192.168.127.129 and not arp


You will see a lot of information. This shows you when the victim requests www.google.com: you can see the time, the victim IP, the port used, the website URL ... etc. Note that the -i option must come before the filter expression; tcpdump treats everything after the options as the filter.
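From the administrator's side, the two arpspoof commands above leave a clear trace on the wire: the gateway's and the target's IP both start being announced from one new MAC. The following detector is an added example, not code from the original post; it runs over a constructed list of ARP replies (made-up MAC addresses, the gateway and target IPs from the steps above) and raises the same alerts a monitor fed from a live capture would.

```python
from collections import defaultdict

# Constructed sample: ARP replies as (sender_ip, sender_mac) tuples, in the
# order a sniffer on the LAN would see them. The MAC addresses are made up;
# the IPs are the gateway and target used in the steps above.
SAMPLE_ARP_REPLIES = [
    ("192.168.127.1", "00:50:56:c0:00:08"),    # gateway, legitimate binding
    ("192.168.127.129", "00:0c:29:3a:5b:6c"),  # target, legitimate binding
    ("192.168.127.1", "00:0c:29:aa:bb:cc"),    # gateway IP claimed by a new MAC (step 2)
    ("192.168.127.129", "00:0c:29:aa:bb:cc"),  # target IP claimed by the same MAC (step 3)
    ("192.168.127.1", "00:0c:29:aa:bb:cc"),    # arpspoof keeps repeating its replies
]


def detect_arp_poisoning(replies):
    """Return a de-duplicated list of alert strings for the given ARP replies.

    Two signals are checked, both visible in the flow from steps 2 and 3:
      1. an IP's MAC differs from the first binding seen for that IP;
      2. one MAC claims more than one IP, which is what happens when the
         target and the gateway are poisoned by the same host at once.
    """
    first_seen = {}                 # ip -> first MAC observed for it
    ips_per_mac = defaultdict(set)  # mac -> set of IPs it has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip not in first_seen:
            first_seen[ip] = mac
        elif first_seen[ip] != mac:
            msg = f"MAC change for {ip}: {first_seen[ip]} -> {mac}"
            if msg not in alerts:
                alerts.append(msg)
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            msg = f"{mac} claims multiple IPs: {sorted(ips_per_mac[mac])}"
            if msg not in alerts:
                alerts.append(msg)
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
```

On a real network the tuples would be parsed from the "is-at" lines of `tcpdump -i eth0 arp`; the first binding seen is only a baseline, so a monitor should seed it from a known-good table (or a static ARP entry for the gateway) rather than from whatever reply happens to arrive first.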


5. If you are an expert user you may be satisfied with what you get from tcpdump: you can analyze everything you have, and even dump it to a file (add "> filename" to the previous command). But to make things much easier, there are other commands you can use to simplify things and to check how secure your information really is:

  • macof -i eth0
This attack floods the LAN with random MAC addresses; in many cases this causes the LAN (the switch's MAC table) to collapse and stop responding for a while. You can add "-s" to specify the source IP address and "-d" for the destination IP address.

  • dsniff -i eth0
Password sniffer. It can sniff various types of passwords, such as FTP, Telnet, SMTP, HTTP, POP ... etc. Here is an example: the username is admin and the password was shown too! (I hid it!!)


  • msgsnarf -i eth0
Sniffs chat messages from common IM clients, such as Yahoo, MSN, AIM ...

  • urlsnarf -i eth0
This shows the websites visited; see the image below after the target requests mail.yahoo.com.


  • driftnet -i eth0
This shows the images (jpeg, jpg) that the target sees.

You can save them too, by simply clicking on the photo.



DNS Spoof !

Redirect the requested websites to another sites!

I explained this in a previous post using ettercap, but this technique is much simpler and more straightforward.

1. Steps 1, 2 and 3 above should be running!
2. In this example we will redirect any request for Yahoo to Google, so we have to know Google's IP. We will write:

ping www.google.com


3. We will create a file called dnsspoof.hosts (it uses the hosts file format: an IP address followed by the host names, or wildcard patterns, that should resolve to it):

kate dnsspoof.hosts

and write in it:


Save the file and exit.

4. Now we will start spoofing:

dnsspoof -i eth0 -f dnsspoof.hosts


5. Here is the target requesting www.yahoo.com:


And here is the result :


Here is our output :
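The forged answer described above does not replace the real one; it only wins the race, so the client (and anyone watching the LAN) ends up seeing two responses for the same DNS transaction ID with different addresses. The detector below is an added example, not code from the original post; it runs over a constructed set of DNS responses (documentation-range IPs standing in for the Yahoo and "Google" addresses) and flags exactly that duplicate-answer pattern.

```python
from collections import defaultdict

# Constructed sample: DNS responses seen on the LAN as (transaction_id, qname,
# answer_ip). The IPs are made up from the documentation ranges:
# 198.51.100.7 plays the "Google IP" the hosts file points Yahoo names at,
# 203.0.113.x plays the real resolver's answers, which arrive a moment later.
SAMPLE_DNS_RESPONSES = [
    (0x1a2b, "www.yahoo.com", "198.51.100.7"),   # forged reply, arrives first
    (0x1a2b, "www.yahoo.com", "203.0.113.10"),   # real reply, same transaction ID
    (0x3c4d, "www.google.com", "198.51.100.7"),  # ordinary lookup: one answer
    (0x5e6f, "mail.yahoo.com", "198.51.100.7"),  # forged reply
    (0x5e6f, "mail.yahoo.com", "203.0.113.11"),  # real reply
]


def detect_dns_spoof_race(responses):
    """Return {(txid, qname): sorted list of conflicting answer IPs}.

    A legitimate lookup yields one response per transaction ID. dnsspoof
    answers queries it sees on the wire before the real resolver can, so the
    client receives two responses for the same ID with different A records;
    any transaction with more than one distinct answer is flagged.
    """
    answers = defaultdict(set)
    for txid, qname, ip in responses:
        # Normalise the name so "WWW.yahoo.com." and "www.yahoo.com" match.
        answers[(txid, qname.lower().rstrip("."))].add(ip)
    return {key: sorted(ips) for key, ips in answers.items() if len(ips) > 1}


if __name__ == "__main__":
    for (txid, qname), ips in detect_dns_spoof_race(SAMPLE_DNS_RESPONSES).items():
        print(f"txid {txid:#06x} {qname}: conflicting answers {ips}")
```

The stub resolver keeps the first answer and silently drops the late one, so only a sniffer or a resolver-side check (comparing against a trusted upstream reached over an independent path) will notice; static ARP entries for the gateway remove the precondition, since dnsspoof only sees the queries because of steps 2 and 3.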




There are a lot of other commands that can be used in a MiTM attack; feel free to take a look at them. Here is a list of all the other commands:

arpspoof: send out unrequested (and possibly forged) ARP replies.
dnsspoof: forge replies to arbitrary DNS address / pointer queries on the local area network.
dsniff: password sniffer for several protocols.
filesnarf: saves selected files sniffed from NFS traffic.
macof: flood the local network with random MAC addresses.
mailsnarf: sniffs mail on the LAN and stores it in mbox format.
msgsnarf: record selected messages from different instant messengers.
sshmitm: SSH monkey-in-the-middle; proxies and sniffs SSH traffic.
sshow: SSH traffic analyzer.
tcpkill: kills specified in-progress TCP connections.
tcpnice: slow down specified TCP connections via "active" traffic shaping.
urlsnarf: output selected URLs sniffed from HTTP traffic in CLF.
webmitm: HTTP / HTTPS monkey-in-the-middle; transparently proxies.
webspy: sends URLs sniffed from a client to your local browser.


See Also!

[Security] DNS Spoofing!
[Security] Wireless Network Hacking!
