MITM Labs/Bettercap to Replace Images
Replacing Images in Web Traffic
We have a sheep connected to wifi. The sheep is going to be man in the middle attacked by the attacker, who will pretend to be the gateway to the sheep, and pretend to be the sheep to the gateway. Then the attacker will use this control of the traffic to modify HTTP content returned to the sheep, and replace all images with this one:
Get the custom Ruby proxy module that replaces images with a custom image:

    $ wget https://raw.githubusercontent.com/evilsocket/bettercap-proxy-modules/master/http/replace_images.rb
(see Man in the Middle/Traffic Injection for more info).
Now you have replace_images.rb in a working directory alongside your other materials, logs and scripts.
Make a directory that will contain the image you're going to serve up in place of the old images. This will be called img/ and will contain an image called hack.jpg.
Now we can run bettercap from this directory, specifying the custom Ruby proxy module with the --proxy-module replace_images argument. You will also need to set the --httpd and --httpd-path options to run an HTTP server from the directory that contains your hack.jpg image, so that the image can be served up to the sheep.
The whole thing looks like this:

    bettercap -I wlan2 -O bettercap_proxy.log -S ARP -X \
        --proxy --proxy-module replace_images \
        --httpd --httpd-path img \
        --gateway 192.168.0.1 --target 192.168.0.7

(--gateway 192.168.0.1 is not strictly necessary.)
The first line specifies my network device, output file, type of attack, and turns on a sniffer.
The second line turns on the http proxy server, which is what gives me access to the traffic to modify it.
The third line runs a web server on the local machine to host my O HAI image - when we inject it in the sheep's traffic, it will be served up by us.
The last line specifies the internet gateway and the sheep, via their IP addresses.
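From the sheep's side, the -S ARP part of this setup leaves a visible trace: the gateway's ARP entry suddenly carries the MAC address of another host on the LAN. The following is an added detection example, not part of the original lab, that compares two constructed `ip neigh` snapshots (a Linux sheep is assumed; the addresses and MACs are made up):

```python
"""Spot the ARP-level symptom of the lab: the gateway's MAC changing to that of another LAN host."""
import re

# Constructed `ip neigh` snapshots (not captured output): before and during the attack.
BEFORE = """\
192.168.0.1 dev wlan0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.0.5 dev wlan0 lladdr 00:11:22:33:44:05 STALE
192.168.0.9 dev wlan0 lladdr 00:11:22:33:44:09 REACHABLE
"""
DURING = """\
192.168.0.1 dev wlan0 lladdr 00:11:22:33:44:05 REACHABLE
192.168.0.5 dev wlan0 lladdr 00:11:22:33:44:05 REACHABLE
192.168.0.9 dev wlan0 lladdr 00:11:22:33:44:09 STALE
"""

# One `ip neigh` line: <ip> dev <iface> lladdr <mac> <state>
NEIGH = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17}) (\S+)$", re.IGNORECASE)


def parse_neigh(text):
    """Return {ip: mac} for every parseable neighbour line."""
    table = {}
    for line in text.splitlines():
        m = NEIGH.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def check_gateway(before, during, gateway):
    """Return a list of alert strings; empty means nothing suspicious."""
    old, new = parse_neigh(before), parse_neigh(during)
    alerts = []
    # Symptom 1: the gateway IP now resolves to a different MAC than it did before.
    if gateway in old and gateway in new and old[gateway] != new[gateway]:
        alerts.append(f"gateway {gateway} MAC changed {old[gateway]} -> {new[gateway]}")
    # Symptom 2: two IPs claim the same MAC, the classic ARP-spoofing signature.
    by_mac = {}
    for ip, mac in new.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claimed by {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in check_gateway(BEFORE, DURING, "192.168.0.1"):
        print(alert)
```

On a real host, feed it the output of `ip neigh` taken periodically; a static ARP entry for the gateway is the simplest mitigation for a fixed network.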
This worked like a charm. I ran the script on the attacker, closed the browser on the sheep, gave it about 15 seconds, and then opened the browser. It slows down the loading time by a substantial amount - but as you can see, it's worth it:
To see more info on how the http proxy works, and how else the traffic can be modified, see the Bettercap page.
Other observations I made: I could see the tool trying to use the HSTS attack, redirecting requests to wwww.charlesreid1.com. These would fail initially, but when I refreshed, they worked fine - totally transparent. Except for the failure.
HTTPS content was showing up as insecure - for example, an embedded Vimeo player would show up as a minipage with a "Your connection is not secure" error.
However, for the most part, on the HTTP sites that I tried, the images were replaced and the entire attack worked flawlessly. It is actually quite scary how easy it is to carry out this attack, once you've got it down pat, and how hard it would be for a sheep to detect. This is an excellent, excellent reason to assume that every bit of traffic on an untrusted network is being monitored.
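Two of the observations above are visible in the sheep's own HTTP requests: hostnames mangled by the HSTS bypass (the wwww. prefix) and image requests that suddenly go to a LAN address rather than the page's origin. The following is an added detection example, not part of the original lab, run over constructed request-log lines (the attacker address 192.168.0.5 and port 8081 are made up):

```python
"""Flag client-side symptoms of the image-replacement lab in constructed HTTP request logs."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample log (not real traffic): "<client> <method> <url> <referer>"
SAMPLE_LOG = """\
192.168.0.7 GET http://charlesreid1.com/ -
192.168.0.7 GET http://192.168.0.5:8081/hack.jpg http://charlesreid1.com/
192.168.0.7 GET http://wwww.charlesreid1.com/wiki/Main_Page http://charlesreid1.com/
192.168.0.7 GET http://charlesreid1.com/static/logo.png http://charlesreid1.com/
192.168.0.7 GET https://player.vimeo.com/video/1 http://charlesreid1.com/
"""

# The HSTS bypass seen in the lab rewrites www. to a run of four or more w's.
MANGLED_HOST = re.compile(r"^w{4,}\.", re.IGNORECASE)
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".webp")


def is_private_ip(host):
    """True if host is a literal RFC 1918 / link-local style private address."""
    try:
        return ipaddress.ip_address(host or "").is_private
    except ValueError:
        return False


def flag_request(line):
    """Return the list of symptom names that apply to one log line."""
    client, method, url, referer = line.split()
    u = urlparse(url)
    host = u.hostname or ""
    findings = []
    if MANGLED_HOST.match(host):
        findings.append("mangled-hostname")
    # An image fetched from a LAN host while the page itself came from elsewhere
    # matches what the --httpd server in this lab does.
    if u.path.lower().endswith(IMAGE_EXT) and is_private_ip(host) and referer != "-":
        if urlparse(referer).hostname != host:
            findings.append("image-from-lan-host")
    return findings


def scan(log):
    """Map each suspicious log line to its findings."""
    hits = {}
    for line in log.splitlines():
        findings = flag_request(line)
        if findings:
            hits[line] = findings
    return hits
```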
VPNs - once again, running a VPN on the sheep (OpenVPN) led to all the traffic being tunneled through the VPN, and it was impervious to the attack.
Layers of protection:
- HTTP - absolutely zero protection. You're just walking around naked.
- HTTPS - encrypted traffic. It's gonna take a more dedicated attacker to crack this, but it isn't secure. Make sure you've got a modern browser.
- VPN - yet another layer of encryption. Yet another layer that's possible to crack, given a dedicated enough attacker.
- Encrypted tunnels - like HTTPS, these types of connections are still vulnerable to dedicated attackers (Bettercap can run SSH traffic through its TCP proxy and force the connection to happen using SSH version 1, which has known weaknesses, instead of version 2, opening up the communication channel to sniffing and more attacks.)
What kind of trouble you can get up to:
- Imagine you force an SSH connection down to version 1, you crack the encryption, and you man in the middle the session. Now, you run a regexp, and every time the user runs the "vim" command, you replace it with the "rm -rf" command.
Caveats:
- Sheep have to be visiting HTTP sites
- Need to disable HTTPS proxying
- Slows down loading times for the sheep
- The more targeted, the better - definitely.