If you’re interested in conducting your own MitM attack, I’ve enclosed some more information on how to do so. Please remember to use this information responsibly – in your own home, in a lab, or on a network where you have explicit permission to do this. Otherwise, you can get into serious trouble!
One of the most popular types of MitM attacks is called Address Resolution Protocol (ARP) spoofing, and that’s what we tried at BCC. Before you try this type of attack, it is important to understand how ARP works; in a nutshell, it is how your device learns which hardware (MAC) address belongs to which IP address on your local network, so that it can talk to other devices such as your home router or wireless access point (which also happens to be the gateway between your device and the Internet).
In ARP spoofing, I “spoof” my computer to act as the wireless router. I can then have other devices on the network send their data to me, because they think that by doing so, it will be routed to the Internet. Of course, I’ll make sure that everything is eventually sent back and forth from the real router, so that you don’t notice anything different – but now that I’ve placed my computer “in the middle” (get it now?) of the Internet connection and everyone else, I get to look at all of the network traffic as it goes by.
So, without further ado, let’s dig in and execute this type of attack.
Try it for Yourself
To replicate my demo, you’ll need the following:
- An “attack” computer, with the following installed:
- Kali Linux (which includes some standard utilities including NMAP, Wireshark, arpspoof, driftnet, iptables, etc.)
- A “victim,” which can be in the form of any Internet-connected device; for purposes of this demo, choose something with web browsing capabilities since that is what we’ll be looking at
- A small testing network
Note that these are all Linux commands (built into Kali, https://www.kali.org/, but you can use them on other Linux distros as well). There are Windows equivalents as well, but I haven’t listed them here. You can also use some GUI tools on Windows; the best Windows app I’ve used for ARP spoofing is Cain (http://sectools.org/tool/cain/).
I’m using the following conventions in my commands:
<target_ip> = IP address of host you want to attack
<gateway_ip> = Default gateway or router IP, you can get this from checking your network settings
Remember, when we do ARP spoofing, we put our “attack” computer between the “victim” PC and the legitimate website/server/destination it is trying to reach. We need to make sure that our computer is set up to actually forward that traffic onward rather than drop it. To do that, use the command:
echo 1 > /proc/sys/net/ipv4/ip_forward
Now we’re ready to start.
The first thing you should do is scan your network and try to find your targets. You can scan one target or multiple at once. For this we use NMAP. I encourage you to play around with all of the different features of NMAP, but for this exercise we’re just going to do a simple query to make sure that a single target is up and your computer can see it on the network:
nmap -sn <target_ip>
Now we can start ARP spoofing, or more specifically, poisoning the victim’s ARP cache. On Linux, it’s best to do this in two separate terminal windows since they need to run at the same time. Type each of these commands into a separate window:
arpspoof -t <target_ip> <gateway_ip>
arpspoof -t <gateway_ip> <target_ip>
Once these are running, they will continue to run until you press CTRL+C in each window to stop them (you will want to do this eventually to discontinue the spoofing). After a few seconds, your victim’s traffic should be successfully redirected to your computer.
You can test whether everything is working properly by running Wireshark, which is a network packet sniffing tool. You’ll want Wireshark to sniff for traffic on the same network interface that you are using for the ARP spoofing. If you see packets coming to/from your <target_ip>, then it’s working! Pat yourself on the back; you’ve successfully performed a MitM attack.
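The same thing that makes Wireshark show the victim’s packets is also what gives the attack away to anyone watching the LAN: the gateway’s IP address suddenly answers with a second MAC address, and one MAC starts answering for two IPs at once. The following script is an added example (not from the original post or from any of the tools it mentions) of the check a monitoring tool such as arpwatch performs. It runs offline on a constructed list of ARP replies; the addresses in the 192.0.2.0/24 documentation range and the MACs are made up for the demo, and the “known gateway MAC” is assumed to have been read from the router beforehand.

```python
"""
Defensive ARP-spoof detector (added example, not code from the original post).

Every IP on a LAN should map to exactly one MAC address. The detector keeps
the history of every MAC seen for each IP and raises an alert when an IP
changes owner, or when a pre-registered (static) mapping is contradicted.
It also reports any MAC that answers for more than one IP, which is what an
arpspoof-style attacker does when it impersonates both gateway and victim.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ArpReply:
    sender_ip: str   # IP address the reply claims to speak for
    sender_mac: str  # hardware address carried in the reply


@dataclass
class ArpMonitor:
    # Trusted mappings configured up front (e.g. router MAC from its label)
    known: Dict[str, str] = field(default_factory=dict)
    # Every MAC observed so far for each IP
    seen: Dict[str, Set[str]] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def observe(self, reply: ArpReply) -> None:
        mac = reply.sender_mac.lower()
        ip = reply.sender_ip
        macs = self.seen.setdefault(ip, set())
        expected = self.known.get(ip)
        if expected is not None and mac != expected.lower():
            # A static entry is the strongest signal: the reply contradicts it.
            self.alerts.append(f"{ip} claimed by {mac}, expected {expected}")
        elif macs and mac not in macs:
            # No static entry, but the IP has just changed hardware address.
            self.alerts.append(f"{ip} changed MAC: {sorted(macs)} -> {mac}")
        macs.add(mac)

    def suspects(self) -> List[str]:
        """MACs that have answered for more than one IP address."""
        by_mac: Dict[str, Set[str]] = {}
        for ip, macs in self.seen.items():
            for mac in macs:
                by_mac.setdefault(mac, set()).add(ip)
        return sorted(mac for mac, ips in by_mac.items() if len(ips) > 1)


def run_demo() -> ArpMonitor:
    """Feed constructed sample replies through the monitor and return it."""
    # Constructed traffic: first the legitimate router and client announce
    # themselves, then a third MAC claims both of their IP addresses.
    replies = [
        ArpReply("192.0.2.1", "aa:bb:cc:00:00:01"),   # legitimate gateway
        ArpReply("192.0.2.50", "aa:bb:cc:00:00:50"),  # legitimate client
        ArpReply("192.0.2.1", "AA:BB:CC:00:00:99"),   # gateway IP, new MAC
        ArpReply("192.0.2.50", "aa:bb:cc:00:00:99"),  # client IP, same new MAC
    ]
    monitor = ArpMonitor(known={"192.0.2.1": "aa:bb:cc:00:00:01"})
    for reply in replies:
        monitor.observe(reply)
    return monitor


if __name__ == "__main__":
    mon = run_demo()
    for line in mon.alerts:
        print("ALERT:", line)
    print("MACs answering for multiple IPs:", mon.suspects())
```

In a real deployment the `ArpReply` records would come from a capture on the same interface Wireshark is listening on (the ARP opcode 2 replies), and the alert would be forwarded to a log collector. On managed switches the equivalent protection is built in as Dynamic ARP Inspection, which drops replies that do not match the DHCP snooping table, so the poisoning never reaches the victim in the first place.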
The amount of reconnaissance or damage you can do from here is massive – here are a few things to try:
- Look closely at the traffic you see in Wireshark – you may be able to see contents of web traffic, e-mail traffic, instant messaging, and lots more. Anything that isn’t encrypted is completely open for you to see.
- Run “driftnet” in a terminal – any images that the victim views on their device will be intercepted and will come up on your screen!
- Run “burpsuite” in a terminal – you can set your computer up as a proxy server to intercept and tamper with web traffic, among other things. I’m glossing over a lot of detail here, but to make this work, you need to tell your computer to redirect any web traffic into the Burp Suite proxy server. Use the following commands:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 8080
Have fun – but please don’t forget to use this responsibly and ethically.
For more information, I recommend checking out the following websites: