From charlesreid1

Revision as of 21:11, 22 August 2016

What is traffic injection?

The term "traffic injection," in the context of a Man in the Middle attack, refers to any situation where the attacker, while sitting in the middle, is actively modifying the traffic passing between the sheep and the gateway rather than just observing it.

This can take many forms, of course:

  • Attacker can modify traffic from gateway to sheep, or from sheep to gateway
  • Attacker can selectively drop packets for denial of service of certain protocols/content
  • Attacker can perform search/replace on traffic (e.g., replace all images with other images)
  • Attacker can inject things into traffic, e.g., particular content, javascript/css files, etc.

How traffic injection works

Typically, the way this works is, a man in the middle attacker will set up an HTTP and/or HTTPS proxy server. On one side of the proxy server is the sheep, and on the other side of the proxy server is the gateway. As traffic from the sheep enters the proxy server, it is passed through any traffic filters, its headers are updated (for example, the Content-Length once the body has changed), and when (if) it comes out the other side, it is forwarded along to the gateway. Likewise, as traffic from the gateway enters the proxy server, it is passed through a different set of traffic filters, its headers updated, and when (if) it comes out the other side, it is forwarded along to the sheep.

This gives the attacker control of traffic. The different forms of traffic injection (modification, selective drops, search/replace, etc) take the form of different filters that the attacker writes and drops into the proxy server.
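As an added, defender-side example that is not part of the original page, the following Ruby script (Ruby being the language Bettercap and its filters are written in) simulates the Subresource Integrity check a browser applies to a script that passed through such a proxy. The script bodies, the kitten image path and the function names are constructed for the example.

```ruby
require 'digest'

# Build a Subresource Integrity value ("<algo>-<base64 digest>") for a
# resource body, the same string a page author puts in integrity="...".
def sri_value(body, algo = 'sha384')
  digest = case algo
           when 'sha256' then Digest::SHA256.digest(body)
           when 'sha384' then Digest::SHA384.digest(body)
           when 'sha512' then Digest::SHA512.digest(body)
           else raise ArgumentError, "unsupported SRI algorithm: #{algo}"
           end
  "#{algo}-#{[digest].pack('m0')}" # pack('m0') is strict base64, no newlines
end

# Mimic the browser-side check: an integrity attribute may carry several
# space-separated values; only those using the strongest supported
# algorithm count, and the body is accepted if it matches any of them.
def sri_match?(body, integrity)
  values = integrity.split
  strongest = %w[sha512 sha384 sha256].find do |algo|
    values.any? { |v| v.start_with?("#{algo}-") }
  end
  return false unless strongest # no usable algorithm: treat as failure
  values.any? { |v| v.start_with?("#{strongest}-") && v == sri_value(body, strongest) }
end

# Constructed sample data (not captured traffic): the script as the origin
# served it, and the same script after a proxy filter appended a line to
# it in transit, the "inject javascript" case from the list above.
ORIGINAL_JS = "document.title = 'Sheep News';\n"
INJECTED_JS = ORIGINAL_JS + "document.body.innerHTML = '<img src=\"kitten.jpg\">';\n"

# The integrity value the page author computed from the untampered script.
EXPECTED_INTEGRITY = sri_value(ORIGINAL_JS)

# Returns [accepted_original, accepted_injected]; a browser enforcing SRI
# runs the first and refuses to execute the second.
def check_both
  [sri_match?(ORIGINAL_JS, EXPECTED_INTEGRITY),
   sri_match?(INJECTED_JS, EXPECTED_INTEGRITY)]
end

if __FILE__ == $PROGRAM_NAME
  ok, tampered = check_both
  puts "original script accepted: #{ok}, injected script accepted: #{tampered}"
end
```

SRI only covers script and stylesheet resources that carry an integrity attribute; the HTML document itself (the injecthtml case) has no such check, so on plain HTTP the real mitigation is serving everything over HTTPS with HSTS so the proxy never sees cleartext it can filter.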

Implementation

To actually implement a traffic injection attack, you can use the Bettercap tool to perform a man in the middle attack. Bettercap implements a built-in HTTP and HTTPS proxy, which allows you to execute a man in the middle attack and perform traffic injection/modification on the fly, all in one tool. Bettercap can also hand the traffic off to another, non-Bettercap proxy program.

To implement various filters in the proxy, you use Ruby, the language in which Bettercap is implemented.

Bettercap proxy

Bettercap has a --proxy option to enable the proxy. Once you enable the proxy, you'll also want to pick a proxy module using the --proxy-module flag - proxy modules are the filters you're writing and dropping into the proxy. These filters are written in Ruby, and there are three existing modules: injecthtml, injectcss, injectjs.

To get help, just add the -h flag after the proxy module specification:

bettercap --proxy-module injecthtml -h

This will print out the bettercap help, with info about the injecthtml module at the very bottom.

Showing the sheep some kittens

For the lulz, let's suppose our goal is to tamper with the sheep's http traffic - specifically, to replace all of the images in their stream with images of kittens.

Flags