Hacking Tony

Cyber security tutorials

man_in_the_middle

Differences

This shows you the differences between two versions of the page.

man_in_the_middle [2017/09/13 15:23] – [How to prevent this kind of attack] Santiman_in_the_middle [2019/01/04 13:06] (current) – external edit 127.0.0.1
Line 1: Line 1:
-===== Man in the middle attack =====+===== Man in the middle attack (ARP spoofing) =====
  
 Man in the middle attack (also known as MITM) is a kind of attack in a way that attacker pretend the computer victim establishing a connection between victim and the AP. Then, the attacker forward any package from router to victim and viceversa so that anyone realizes that someone is just in the middle listening (and maybe sniffing) all the traffic between both sides. Man in the middle attack (also known as MITM) is a kind of attack in a way that attacker pretend the computer victim establishing a connection between victim and the AP. Then, the attacker forward any package from router to victim and viceversa so that anyone realizes that someone is just in the middle listening (and maybe sniffing) all the traffic between both sides.
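Review bot: the retitled heading now scopes the page to ARP spoofing, but the unchanged intro paragraph directly under it never mentions ARP and still describes the attacker as "establishing a connection between victim and the AP", so the title and the first paragraph no longer match. Suggest adding one sentence to the intro that says the interception is achieved through ARP spoofing. While that paragraph is being touched, "so that anyone realizes" reads as the opposite of what is meant ("so that no one realizes"), and "package" should be "packet".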
Line 14: Line 14:
 santi@kalibook:$ arpspoof -i wlan0 -t 192.168.1.254 192.168.1.12 santi@kalibook:$ arpspoof -i wlan0 -t 192.168.1.254 192.168.1.12
 </code> </code>
 +
 +In this moment you have to enable //IP forwarding// so that the victim keeps browsing without pay attention that someone is sniffing all the traffic between him and the gateway (the router or the AP):
  
 <code bash> <code bash>
 santi@kalibook:$ echo '1' > /proc/sys/net/ipv4/ip_forward santi@kalibook:$ echo '1' > /proc/sys/net/ipv4/ip_forward
 </code> </code>
 +
 +Now, we are ready to listen the traffic of the victim computer. We have three utilities to do it. Notice that all of them are not capable to sniff traffic when computer victim browser a secure website (HTTPS).
 +  * **dsniff**: It allows to get credentials from non-secure sites if the victim computer log in
 +  * **driftnet**: It allows to get images from the websites that the victim computer browse
 +  * **urlsnarf**: It allows to get some information about the URLs that the victim computer browse
 +
 +Anyway, it deals about sniffing traffic to know where is browsing the victim computer (information about URLs, images and credentials).
 +
 +=== dsniff ===
 +
 +At first, Let's see how //dsniff works//. To do that, we have to execute the command indicating wich interface we want to sniff. In our case, we are connected to a WiFi AP so we use //wlan0//.
  
 <code bash> <code bash>
-santi@kalibook:$ dsniff+santi@kalibook:$ dsniff -i wlan0 -m 
 +dsniff: listening on wlan0
 </code> </code>
 +
 +From now, //dsniff// will be waiting for sniffing any authentication mechanism and, if found, they will ouput in the same terminal we execute the command
 +
 +{{ wiki:dsniff.png }}
 +
 +=== driftnet ===
  
 <code bash> <code bash>
 santi@kalibook:$ driftnet -i wlan0 santi@kalibook:$ driftnet -i wlan0
 </code> </code>
 +
 +In the moment we execute this command, a new blank (and black) windows will appear. From now, this windows show every image that the victim computer load while it is surfing the web. In the next picture you can see how our victim computer (a virtualbox machine) is browsing a website (right side of the screenshot) and we can see all the pictures in the windows that //driftnet// launched (left side of the screenshot).
 +
 +Notice that right side of the picture could be a remote machine, the victim computer (in this case we are testing with a virtual machine), and the left side if our computer, the attacker computer. 
 +
 +{{ wiki:driftnet.png }}
 +
 +=== urlsnarf ===
  
 <code bash> <code bash>
 santi@kalibook:$ urlsnarf -i wlan0 santi@kalibook:$ urlsnarf -i wlan0
 +urlsnarf: listening on wlan0 [tcp port 80 or port 8080 or port 3128]
 </code> </code>
 +
 +Fron now, //urlsnarf// will be waiting for traffic and it will show every URL with some information every time the victim visit a website. We can see an example of the output with a virtual machine (Windows 7) browsing this site and google. Our computer is the man in the middle and we have execute the previous command.
 +
 +{{ wiki:urlsnarf.png }}
  
 ===== MITM using sslstrip (HTTPS connections) ===== ===== MITM using sslstrip (HTTPS connections) =====
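Review bot: the added sentence "Notice that all of them are not capable to sniff traffic when computer victim browser a secure website (HTTPS)", in the paragraph that introduces the three tools, is ambiguous: it can be read as "not all of them", while the intent appears to be that none of them can read HTTPS traffic. Suggest "Note that none of them can capture this information when the victim browses a secure (HTTPS) website", which also sets up the sslstrip section that follows. In the same hunk, the italics in "how //dsniff works//" should close after the tool name; "wich", "ouput" and "Fron" are typos; the driftnet text uses "windows" for a single window; and the new subsections use "===" directly under "=====" sections, which skips a heading level. The driftnet and urlsnarf subsections also put the command before its explanation, while the dsniff subsection explains first, so one order should be picked for all three.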
Line 48: Line 81:
 santi@kalibook:$ arpspoof -i wlan0 -t 192.168.1.12 192.168.1.254 santi@kalibook:$ arpspoof -i wlan0 -t 192.168.1.12 192.168.1.254
 </code> </code>
- 
- 
  
 ===== How to prevent this kind of attack ===== ===== How to prevent this kind of attack =====
man_in_the_middle.1505316235.txt.gz · Last modified: 2019/01/04 13:06 (external edit)