MITM/Evil Twin with Ettercap

From charlesreid1

This covers a bit more in depth about how to follow up with an Evil Twin access point attack and use it to Man in the Middle a client computer.

The Evil Twin Setup

Once you've got an Evil Twin access point set up, you'll have a setup that looks something like this: 

         Evil Twin AP Network Devices:

           wlan0
sheep ---> wlan1
           at0--------+
                      | lucifer (bridge)
           eth0 <----+

Recall that wlan1 is the device acting as an access point, and so the sheep is connected to wlan1.

The device at0 is created by airbase, and is a network connection for the client connected to wlan1.

We also created the lucifer bridge, which bridges the at0 network device (the client's internet connection) to eth0 (the network cable plugged into Mars, the attacker computer).

Performing MITM Attack

This attack consists of two parts: first, tricking the sheep into thinking we are the gateway, and that it should be sending all of its traffic through us, the same way it normally sends all its traffic to the router. Second, we want to rerout e traffic to the default gateway, and receive traffic back from the gateway to forward to the sheep. This keeps everything cool at both ends - important to do in the heat of battle!

Software

We'll use Ettercap to build a special bridge between devices that we can sniff.

This will allow us to do things like sniff all the clear-text HTTP traffic passing through the router, as well as set us up to run SSLStrip to bypass HTTPS encryption.

At that point we can also start using other tools:

Nmap and Metasploit, which is possible now since the target is now connected to our fake AP, and that means we can also connect to the target.

Ettercap and Dsniff, used at the Defon Wall of Sheep.

Hamster Sidejacking Tool, for sidejacking (?) and stealing cookies for persistent sessions in people's email accounts. Also used by the Wall of Sheep team.

On to Ettercap...

Build Bridge

The first step is to build a bridge between two network devices. The two devices are at0, the device that is our Evil Twin sheep's network connection, and eth0, which will be our sheep's connection to the internet.

Detailed step-by-step for building that bridge is here: EvilTwin#Building_the_Bridge

Run Evil Twin Attack

At this point you'll want to go through the EvilTwin attack process.

Run airbase in window 1.

Run deauth attack in window 2.

Sheep will be deauthenticated and reattach using wireless network connection.

Monitor Bridge

You can monitor traffic crossing the network interface bridge you've constructed with tcpdump: 

$ tcpdump -i lucifer

Now surf the web on your sheep computer. You should see the corresponding packet traffic scroll down the screen. You may also notice a slowdown from the sheep's perspective.

You've now tapped the connection. Welcome to Watergate, son.

Ettercap

Now you can use Ettercap. You can use Ettercap in two modes:

Ettercap can do unified sniffing, meeaning it sniffs all packets passing through the cable via one interface.

Ettercap can also do bridged sniffing, where it uses two network interfaces and fowards traffic between them. This is a way of replicating our brctl command.

Run ettercap: 

$ ettercap

...

Please select a User Interface

Yikes! We have to specify text mode -T or gui mode -G when we run ettercap. Try that again: 

$ ettercap -G


Defcon.png
monkey in the middle attacks
in which an attacker tricks two parties into thinking they're communicating with each other, but both are communicating with the attacker.

MITM

Wireless Attacks: MITM/Wireless

Wired Attacks: MITM/Wired


Layer 1 and 2 MITM Attacks:

MITM/Layer 1 and 2

Network Tap: MITM/Wired/Network Tap

Evil Twin Attack: Evil Twin  · MITM/Evil Twin


Layer 3 and 4 MITM Attacks:

MITM/Layer 3 and 4

Traffic Sniffing: MITM/Sniffing

ARP Poisoning: MITM/ARP Poisoning

Traffic Injection/Modification: MITM/Traffic Injection

DNS Attacks: MITM/DNS  · Bettercap/Failed DNS Spoofing Attack  · Bettercap/Failed DNS Spoofing Attack 2

DHCP Attacks: MITM/DHCP

WPAD MITM Attack: MITM/WPAD

Port Stealing: MITM/Port Stealing

Rushing Attack: MITM/Rushing Attack

Attacking HTTPS: MITM/HTTPS


Layer 5 MITM Attacks:

Session Hijacking: MITM/Session Hijacking


Toolz:

Ettercap  · Bettercap  · MITMf  · EvilFOCA

Wireshark  · Aircrack

Dsniff  · Arpspoof  · Dnsspoof

SSLSniff  · SSLStrip  · Frankencert

Driftnet  · Karma


MITM Labs: {{MITMLabs}}


Category:MITM  · Category:Attacks  · Category:Kali Attack Layers

Template:MITMLabs  · Template:MITMFlag

Flags  · Template:MITMFlag  · e




Retrieved from "https://charlesreid1.com/w/index.php?title=MITM/Evil_Twin_with_Ettercap&oldid=29099"