Man in the Middle/Evil Twin with Ettercap
The Evil Twin Setup
Once you've got an Evil Twin access point set up, you'll have a setup that looks something like this:
Evil Twin AP Network Devices:

    wlan0 sheep ---> wlan1
                      at0 --------+
                                  | lucifer (bridge)
                      eth0 <------+
Recall that wlan1 is the device acting as an access point, and so the sheep is connected to wlan1.
The device at0 is created by airbase, and is a network connection for the client connected to wlan1.
We also created the lucifer bridge, which bridges the at0 network device (the client's internet connection) to eth0 (the network cable plugged into Mars, the attacker computer).
Performing MITM Attack
This attack consists of two parts: first, tricking the sheep into thinking we are the gateway, so that it sends all of its traffic through us, the same way it normally sends all of its traffic to the router. Second, we want to reroute that traffic to the default gateway, and receive traffic back from the gateway to forward to the sheep. This keeps everything cool at both ends - important to do in the heat of battle!
We'll use Ettercap to build a special bridge between devices that we can sniff.
This will allow us to do things like sniff all the clear-text HTTP traffic passing through the router, as well as set us up to run SSLStrip to bypass HTTPS encryption.
At that point we can also start using other tools:
Hamster Sidejacking Tool, for sidejacking (?) and stealing cookies for persistent sessions in people's email accounts. Also used by the Wall of Sheep team.
On to Ettercap...
The first step is to build a bridge between two network devices. The two devices are at0, the device that is our Evil Twin sheep's network connection, and eth0, which will be our sheep's connection to the internet.
Detailed step-by-step for building that bridge is here: EvilTwin#Building_the_Bridge
Run Evil Twin Attack
At this point you'll want to go through the EvilTwin attack process.
Run airbase in window 1.
Run deauth attack in window 2.
Sheep will be deauthenticated and reattach using wireless network connection.
You can monitor traffic crossing the network interface bridge you've constructed with tcpdump:

    $ tcpdump -i lucifer
Now surf the web on your sheep computer. You should see the corresponding packet traffic scroll down the screen. You may also notice a slowdown from the sheep's perspective.
You've now tapped the connection. Welcome to Watergate, son.
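From the defender's side, the sequence above leaves two observable traces on the air: a burst of deauthentication frames, followed by a second BSSID advertising the SSID the sheep was already using. The following script is an added example, not code from this wiki page, that flags both patterns in a constructed list of management-frame summaries (the tuple format, the sample MAC addresses and the threshold are all assumptions):

```python
from collections import Counter, defaultdict

# Constructed sample log: (frame_type, bssid, ssid). "beacon" frames carry the
# SSID they advertise; "deauth" frames carry the BSSID they claim to come from.
# The attacker's deauth flood spoofs the real AP's BSSID, then the twin AP
# (a different BSSID) starts beaconing the same SSID.
SAMPLE_FRAMES = [
    ("beacon", "aa:bb:cc:00:00:01", "CoffeeShop"),
    ("beacon", "aa:bb:cc:00:00:01", "CoffeeShop"),
] + [("deauth", "aa:bb:cc:00:00:01", "")] * 25 + [
    ("beacon", "de:ad:be:ef:00:02", "CoffeeShop"),  # second BSSID, same SSID
    ("beacon", "11:22:33:44:55:66", "Library"),
]

DEAUTH_THRESHOLD = 10  # deauths per BSSID per capture window (assumed tuning)


def ssid_bssids(frames):
    """Map each advertised SSID to the set of BSSIDs seen beaconing it."""
    seen = defaultdict(set)
    for ftype, bssid, ssid in frames:
        if ftype == "beacon":
            seen[ssid].add(bssid)
    return seen


def deauth_counts(frames):
    """Count deauthentication frames per claimed source BSSID."""
    return Counter(bssid for ftype, bssid, _ in frames if ftype == "deauth")


def find_alerts(frames, threshold=DEAUTH_THRESHOLD):
    """Return human-readable alerts for deauth floods and duplicate-SSID APs."""
    alerts = []
    for bssid, n in deauth_counts(frames).items():
        if n >= threshold:
            alerts.append(f"deauth flood: {n} frames from {bssid}")
    for ssid, bssids in ssid_bssids(frames).items():
        if len(bssids) > 1:
            alerts.append(f"duplicate SSID {ssid!r} from {len(bssids)} BSSIDs: "
                          + ", ".join(sorted(bssids)))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FRAMES):
        print(alert)
```

A legitimate multi-AP deployment also beacons one SSID from several BSSIDs, so the duplicate-SSID check is only meaningful against an allowlist of known BSSIDs; the deauth-flood check is the stronger signal on its own.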
Now you can use Ettercap. You can use Ettercap in two modes:
Ettercap can do unified sniffing, meaning it sniffs all packets passing through the cable via one interface.
Ettercap can also do bridged sniffing, where it uses two network interfaces and forwards traffic between them. This is a way of replicating our brctl command.
    $ ettercap
    ...
    Please select a User Interface

Yikes! We have to specify text mode (-T) or GUI mode (-G) when we run ettercap. Try that again:

    $ ettercap -G