Procedure

Hardware

Conducting an attack with Kali Linux running on a laptop.

The target is a sheep running Android on an HTC Evo. The Evo info:

Android 2.3.5

Kernel 2.6.35.10

Build number 5.07.651

Browser versoin WebKit/533.1

Connect to Wireless with Phone

Obtain IP address on local network. Next step is to attack.

Surveillance

Start by doing recon. Scan the network with nmap to find the phone's IP:

$ nmap -F 192.168.0.*

-F is for fast scan, which only scans the lowest 100 ports.

This reveals a scan report for Android_A100001B90B222.domain (192.168.0.22).

Now we have our target for the MITM.

Do an aggressive nmap scan so you know what services are running on the sheep:

$ nmap -A 192.168.0.22

No open ports, no running services, and not enough information to produce a specific operating system fingerprint. Well, at least we tried.

MITM with Bettercap

On the Kali machine, run a MITM attack with Bettercap:

$ bettercap -I wlan1 -O betercap_androidmitm.log -S ARP -X --gateway 192.168.0.1 --target 192.168.0.22

then run Wireshark on the attacker machine to verify the traffic is flowing your direction. Running an active filter like !arp makes the traffic a lot easier to follow.

Results

Somewhat surprisingly, the phone held up perfectly under the attack, and the attack failed.

HTTP pages would NOT load on the phone. Apps that required an insecure network connection (e.g., news app) reported a network error. No HTTP traffic could be sniffed.

HTTPS services like Google search, large bank website, and map app worked fine and were not vulnerable to the MITM attack. They made it past the attacker unsniffed and uninterrupted.

Further Notes: MLB Scoreboard Requests

I tried the same set of attack steps against a newer Android phone, LG G4, with the same results: HTTP was blocked during the MITM attack, while HTTPS made it through the attack unscathed and unsniffed.

HOWEVER, on that phone there was an MLB sportsball app, and I saw some of the GET requests from that app going to mlb.com. That traffic could clue in an attacker to the presence of a web app that is a weak point in the security exterior.

Flags

monkey in the middle attacks in which an attacker tricks two parties into thinking they're communicating with each other, but both are communicating with the attacker. MITM Wireless Attacks: MITM/Wireless Wired Attacks: MITM/Wired Layer 1 and 2 MITM Attacks: MITM/Layer 1 and 2 Network Tap: MITM/Wired/Network Tap Evil Twin Attack: Evil Twin  · MITM/Evil Twin Layer 3 and 4 MITM Attacks: MITM/Layer 3 and 4 Traffic Sniffing: MITM/Sniffing ARP Poisoning: MITM/ARP Poisoning Traffic Injection/Modification: MITM/Traffic Injection DNS Attacks: MITM/DNS  · Bettercap/Failed DNS Spoofing Attack  · Bettercap/Failed DNS Spoofing Attack 2 DHCP Attacks: MITM/DHCP WPAD MITM Attack: MITM/WPAD Port Stealing: MITM/Port Stealing Rushing Attack: MITM/Rushing Attack Attacking HTTPS: MITM/HTTPS Layer 5 MITM Attacks: Session Hijacking: MITM/Session Hijacking Toolz: Ettercap  · Bettercap  · MITMf  · EvilFOCA Wireshark  · Aircrack Dsniff  · Arpspoof  · Dnsspoof SSLSniff  · SSLStrip  · Frankencert Driftnet  · Karma MITM Labs: {{MITMLabs}} Category:MITM  · Category:Attacks  · Category:Kali Attack Layers Template:MITMLabs  · Template:MITMFlag Flags  · Template:MITMFlag  · e