MITM Labs/Bettercap Over Wifi
From charlesreid1
Lab Scenario/Overview
This lab covers the use of Ettercap to carry out a Man in the Middle attack on a wifi network. This also covers the case of SSL encryption and how it may be defeated using other tools like SSLStrip.
Make sure you check out the Ettercap page for notes before you start. That's where a lot of the detail has been worked out. This is a CNP (copy-and-paste) project.
Setting Up
Let's walk through the setup required for this type of attack. This does not require any kind of tricky setup. It's a fast and easy attack to carry out, and an attack that virtually all networking equipment is susceptible to.
Wifi Network
This lab will utilize a standard home wifi router, which incorporates an ethernet switch and a wireless router all on board a single device and on a single LAN. The router is the gateway, 192.168.0.1, and both the sheep and the attacker are laptops connected to the router via wifi.
Sheep
The sheep is a normal laptop connected to the wifi. Given the failures with HTTP traffic with Dsniff, this lab will aim low and focus on intercepting HTTP and HTTPS traffic only. We'll work on SSH, email, and SQL some other time. The sheep is at 192.168.0.7.
Attacker
The attacker is the same model of laptop, same operating system, connected to the wifi. The attacker is at 192.168.0.8.
Execution
Once the components are in place, we proceed with the execution of the attack. Of course, we start the execution with passive listening and information gathering.
Plan
The attack steps are as follows:
- Perform recon and gather information about gateway, sheep, network, hardware
- Prepare for ARP poisoning attack (packet forwarding, network interface setup, etc.)
- Run ARP poisoning attack to broadcast packets to poison ARP tables of sheep and router
- Run dsniff and/or urlsnarf to capture goodies from HTTP traffic (good example site: nytimes)
- Start with HTTP traffic goodies
- Add SSLStrip and aim for HTTPS traffic goodies
Step 1: Recon/Info Gathering
The ARP poisoning attack requires us to be on the same subnet as our victim. If this is a foreign network, there are a couple of things we might want to know about it:
- How many other clients are there on the network?
- What is the volume of traffic on this network?
- Is this network administered? What is the potential the network is monitored?
- What kind of network router/other hardware is present?
If we're on a network like 192.168.0.* we can get a very quick picture of what other computers are on the network by doing a fast scan, or by scanning a particular port:
$ nmap -F 192.168.0.*
If you want more detailed information about the types of devices that are running, what operating systems, etc., you can run with the -A flag:
$ nmap -A 192.168.0.*
With this type of Nmap scan, it is possible to discover the following information:
- Router manufacturer from MAC address lookup
- Service information and operating system
- Open ports on router/sheep
- Other potential attack vectors
Step 2: Prepare for ARP Poisoning
First, keep in mind the disclaimer section on the Man in the Middle/ARP Poisoning page. This will generate lots of network traffic, lots of network collisions, slow down network service by a significant amount, and be very loud packet-wise.
Gather required information
You'll want to pick out your sheep target and the gateway router, and record the MAC address and IP of each. Here's the configuration for my laboratory:
Role      IP           Example MAC
Gateway   192.168.0.1  11:11:11
Sheep     192.168.0.7  22:22:22
Attacker  192.168.0.8  AA:AA:AA
Set up packet forwarding
NOTE: Ettercap will take care of this automatically.
When we carry out the ARP attack, we're confusing nodes on the network about which physical computer corresponds to which IP address. It's important that we keep traffic moving, however, or else the entire network will come to a grinding halt. We can do this by forwarding packets. That means that when the gateway sends a packet intended for the sheep, and it gets to the attacker instead, the attacker's network card will simply forward the packet along.
echo 1 > /proc/sys/net/ipv4/ip_forward
Remember: not necessary with Ettercap.
Change your MAC
Important: change the MAC address of the wireless interface you're using to connect to the wireless:
$ ifconfig wlan1 down
$ macchanger -r wlan1
$ ifconfig wlan1 up
Step 3: ARP Poisoning
With Ettercap text/CLI interface:
- asdf
With the Ettercap GUI:
- Start up ettercap
- Select scan type: Sniff > Unified sniffing
- Scan for hosts: Hosts > Scan for hosts
- View list of hosts on network: Hosts > Host List
- Select your ARP poison target: find target 1, and click "Add to Target 1"; find target 2, and click "Add to Target 2"
- Start your attack: Mitm > Arp Poisoning (make sure "Sniff remote connections" is checked)
Now you can start running the attack.
Once your attack is running, try monitoring network traffic with Wireshark from the sheep. You should see spoofed ARP packets - these are faked ARP responses that state that the attacker's MAC address corresponds to either 192.168.0.1 or to 192.168.0.7.
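The Wireshark check above can be automated on the sheep side. The following is an added example, not code from the original lab: it takes a list of ARP replies (constructed sample data here; the IPs match the lab, the MACs are the lab table's placeholders padded to six bytes) and flags an IP whose claimed MAC changes, plus any MAC that claims more than one IP, which is exactly what poisoning both sheep and gateway looks like.

```python
"""Detect ARP cache poisoning from a stream of ARP replies (added example).

Models what the sheep sees in Wireshark during the lab above. All ARP
records below are constructed sample data, not a real capture.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str


def find_arp_conflicts(replies, trusted=None):
    """Return [(ip, old_mac, new_mac)] for each reply whose sender MAC differs
    from the MAC previously learned (or pre-seeded) for that IP.

    `trusted` optionally seeds the table (ip -> mac), e.g. from a static ARP
    entry. A legitimate NIC swap also triggers this, so alerts are leads."""
    learned = {ip: m.lower() for ip, m in (trusted or {}).items()}
    conflicts = []
    for r in replies:
        mac = r.sender_mac.lower()
        known = learned.get(r.sender_ip)
        if known is None:
            learned[r.sender_ip] = mac
        elif known != mac:
            conflicts.append((r.sender_ip, known, mac))
            learned[r.sender_ip] = mac  # track the latest claim
    return conflicts


def macs_claiming_multiple_ips(replies):
    """Return {mac: sorted ips} for any MAC that claims more than one IP."""
    by_mac = {}
    for r in replies:
        by_mac.setdefault(r.sender_mac.lower(), set()).add(r.sender_ip)
    return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}


# Constructed sample capture: two normal replies, then two spoofed ones.
SAMPLE_REPLIES = [
    ArpReply("192.168.0.1", "11:11:11:11:11:11"),  # gateway, genuine
    ArpReply("192.168.0.7", "22:22:22:22:22:22"),  # sheep, genuine
    ArpReply("192.168.0.1", "AA:AA:AA:AA:AA:AA"),  # gateway IP now claimed by attacker MAC
    ArpReply("192.168.0.7", "AA:AA:AA:AA:AA:AA"),  # sheep IP now claimed by attacker MAC
]

if __name__ == "__main__":
    for ip, old, new in find_arp_conflicts(SAMPLE_REPLIES):
        print(f"ALERT {ip}: {old} -> {new}")
    print(macs_claiming_multiple_ips(SAMPLE_REPLIES))
```

A static ARP entry for the gateway on the sheep (passed in as `trusted`) turns the first spoofed reply into an immediate alert instead of a silently learned value.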
Step 4: Capture Sheep Booty
Okay... Now I'm running the MITM attack. And, nothing. No credentials, no output, no messages.
Statistics are updating though...