From charlesreid1


Revision as of 19:25, 21 August 2016

Lab Scenario/Overview

This lab covers the use of Ettercap to carry out a Man in the Middle attack on a wifi network. This also covers the case of SSL encryption and how it may be defeated using other tools like SSLStrip.

Make sure you check out the Ettercap page for notes before you start. That's where a lot of the detail has been worked out. This is a CNP (copy-and-paste) project.

Setting Up

Let's walk through the setup required for this type of attack. This does not require any kind of tricky setup. It's a fast and easy attack to carry out, and an attack that virtually all networking equipment is susceptible to.

Wifi Network

This lab will utilize a standard home wifi router, which incorporates an ethernet switch and a wireless router all on board a single device and on a single LAN. The router is the gateway, 192.168.0.1, and both the sheep and the attacker are laptops connected to the router via wifi.

Sheep

The sheep is a normal laptop connected to the wifi. Given the failures with HTTP traffic with Dsniff, this lab will aim low and focus on intercepting HTTP and HTTPS traffic only. We'll work on SSH, email, and SQL some other time. The sheep is at 192.168.0.7.

Attacker

The attacker is the same model of laptop, same operating system, connected to the wifi. The attacker is at 192.168.0.8.

Execution

Once the components are in place, we proceed with the execution of the attack. Of course, we start the execution with passive listening and information gathering.

Plan

The attack steps are as follows:

  • Perform recon and gather information about gateway, sheep, network, hardware
  • Prepare for ARP poisoning attack (packet forwarding, network interface setup, etc.)
  • Run ARP poisoning attack to broadcast packets to poison ARP tables of sheep and router
  • Run dsniff and/or urlsnarf to capture goodies from HTTP traffic (good example site: nytimes)
  • Start with HTTP traffic goodies
  • Add SSLStrip and aim for HTTPS traffic goodies

Step 1: Recon/Info Gathering

The ARP poisoning attack requires us to be on the same subnet as our victim. If this is a foreign network, there are a couple of things we might want to know about it:

  • How many other clients are there on the network?
  • What is the volume of traffic on this network?
  • Is this network administered? What is the potential the network is monitored?
  • What kind of network router/other hardware is present?

If we're on a network like 192.168.0.*, we can get a very quick picture of what other computers are on the network by doing a fast scan, or by scanning a particular port:

$ nmap -F 192.168.0.*

If you want more detailed information about the types of devices that are running, what operating systems, etc., you can run with the -A flag:

$ nmap -A 192.168.0.*

With this type of Nmap scan, it is possible to discover the following information:

  • Router manufacturer from MAC address lookup
  • Service information and operating system
  • Open ports on router/sheep
  • Other potential attack vectors

Step 2: Prepare for ARP Poisoning

First, keep in mind the disclaimer section on the Man in the Middle/ARP Poisoning page. This will generate lots of network traffic, lots of network collisions, slow down network service by a significant amount, and be very loud packet-wise.

Gather required information

You'll want to pick out your sheep target and the gateway router, and record the MAC address and IP of each. Here's the configuration for my laboratory:

Role        IP              Example MAC
Gateway     192.168.0.1     11:11:11
Sheep       192.168.0.7     22:22:22
Attacker    192.168.0.8     AA:AA:AA

Set up packet forwarding

NOTE: Ettercap will take care of this automatically.

When we carry out the ARP attack, we're confusing nodes on the network about which physical computer corresponds to which IP address. It's important that we keep traffic moving, however, or else the entire network will come to a grinding halt. We can do this by forwarding packets. That means that when the gateway sends a packet intended for the sheep, and it gets to the attacker instead, the attacker's machine will simply forward the packet along to the sheep.

echo 1 > /proc/sys/net/ipv4/ip_forward 

Remember: not necessary with Ettercap.

Change your MAC

Important: change the MAC address of the wireless interface you're using to connect to the wireless network:

$ ifconfig wlan1 down
$ macchanger -r wlan1 
$ ifconfig wlan1 up

Step 3: ARP Poisoning

Follow steps on Ettercap page.

  • Start up ettercap
  • Select scan type: Sniff > Unified sniffing
  • Scan for hosts: Hosts > Scan for hosts
  • View list of hosts on network: Hosts > Host List
  • Select your ARP poison target: find target 1, and click "Add to Target 1"; find target 2, and click "Add to Target 2"
  • Start your attack: Mitm > Arp Poisoning (make sure "Sniff remote connections" is checked)

Now you can start running the attack. Once your attack is running, you should be able to monitor network traffic with Wireshark and see the spoofed ARP packets - these are faked ARP responses that state that the attacker's MAC address corresponds to either 192.168.0.1 or to 192.168.0.7.
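The same two symptoms you watch for in Wireshark (one IP suddenly answering from a new MAC, and one MAC answering for several IPs including the gateway) are what a network monitor keys on to detect this attack. The script below is an added example, not part of the original lab or of Ettercap: it walks a constructed list of ARP reply records using the lab's addresses (gateway 192.168.0.1, sheep 192.168.0.7, attacker 192.168.0.8; the full MAC addresses are made up) and reports both conditions.

```python
"""ARP-spoof detector over constructed ARP reply records (added example, not from the lab page).

Assumes the lab addressing: gateway 192.168.0.1, sheep 192.168.0.7, attacker 192.168.0.8.
The MAC addresses and the capture itself are constructed sample data; in practice the
records would come from a pcap or periodic ARP-table snapshots.
"""
from collections import defaultdict

# Each record is (sender_ip, sender_mac) from an ARP reply, in capture order.
CAPTURE = [
    ("192.168.0.1", "11:11:11:11:11:11"),  # legitimate reply from the gateway
    ("192.168.0.7", "22:22:22:22:22:22"),  # legitimate reply from the sheep
    ("192.168.0.8", "AA:AA:AA:AA:AA:AA"),  # attacker's own, legitimate address
    ("192.168.0.1", "AA:AA:AA:AA:AA:AA"),  # spoofed: attacker's MAC claims the gateway IP
    ("192.168.0.7", "aa:aa:aa:aa:aa:aa"),  # spoofed: attacker's MAC claims the sheep IP
]


def detect_arp_spoofing(records, gateway_ip):
    """Return (ip_conflicts, multi_ip_macs, gateway_claimants).

    ip_conflicts:      {ip: set of MACs} for IPs seen answering from more than one MAC
    multi_ip_macs:     {mac: set of IPs} for MACs that answered for more than one IP
    gateway_claimants: set of MACs that claimed the gateway IP (normally exactly one)
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for ip, mac in records:
        mac = mac.lower()  # normalise case so AA:.. and aa:.. count as one address
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    ip_conflicts = {ip: macs for ip, macs in ip_to_macs.items() if len(macs) > 1}
    multi_ip_macs = {mac: ips for mac, ips in mac_to_ips.items() if len(ips) > 1}
    gateway_claimants = set(ip_to_macs.get(gateway_ip, set()))
    return ip_conflicts, multi_ip_macs, gateway_claimants


if __name__ == "__main__":
    conflicts, multi, gw = detect_arp_spoofing(CAPTURE, "192.168.0.1")
    for ip, macs in sorted(conflicts.items()):
        print(f"ALERT: {ip} answered from {len(macs)} MACs: {sorted(macs)}")
    for mac, ips in sorted(multi.items()):
        print(f"ALERT: {mac} answered for {len(ips)} IPs: {sorted(ips)}")
    if len(gw) > 1:
        print(f"ALERT: gateway 192.168.0.1 has {len(gw)} claimants: {sorted(gw)}")
```

A static ARP entry for the gateway on the sheep, or a switch feature such as dynamic ARP inspection, is the usual mitigation once this is detected.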

Step 4: Dsniff? Other?

Step 5: Sheep Booty

Flags