MITM ATTACK WITH ARP POISONING NETWORK
I'm trying out ARP poisoning to do a MITM attack.
MITM stands for Man in the Middle. This type of attack is simply a form of active eavesdropping. The attacker makes independent connections with the victims and relays all traffic between them. From the victims' point of view, it appears as if they are talking directly to each other, with no knowledge that there is someone in the middle accessing all the traffic.
Firstly I'll set up a virtual lab, which is as below. I am using Parallels Desktop 9 on OSX.
Router: Untangle
  MAC: 00:1c:42:66:2e:26
  IP:  192.168.2.254
Victim: Windows XP
  MAC:
  IP:  192.168.2.30
Attacker: Kali Linux
  MAC: 00:1c:42:eb:c8:2b
  IP:  192.168.2.20
After a successful MITM attack:
On the Kali machine, these are the tools that I am using to do the attack:
Ettercap
Driftnet
Driftnet listens to network traffic and picks out images from the TCP streams that it is observing.
Ettercap can be best summed up by the summary on their website as below:
Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.
On Kali, if you are using Ettercap for the first time, it does need to be tweaked before use. The etter.conf file needs to be edited as below:
ec_uid = 65534
ec_gid = 65534
to:
ec_uid = 0
ec_gid = 0
and the lines below:
#---------------
# Linux
#---------------
# if you use ipchains:
#redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
#redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
need to be edited. Just remove the hash from the two iptables lines above so that they read as:
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
That will allow Ettercap to work as intended.
ec_uid = 0
ec_gid = 0
will allow Ettercap to keep root access so that it can open the link layer sockets.
NOTE: You can find an etter.conf at /etc/etter.conf, however Ettercap on Kali actually uses /etc/ettercap/etter.conf, so be sure to edit the correct file!
Let's fire up Ettercap. You can do this from the command line by entering ettercap -G, which will open the Ettercap GUI.
Click on Sniff and select Unified Sniffing.
In my case I selected eth0 as the network interface.
You should see Privileges dropped to UID 0 GID 0... in the log window, along with other details showing that Ettercap is able to open the link layer sockets.
Click on Hosts and then on Scan for hosts (or press Ctrl-S). 2 hosts added to the hosts list... shows at the end of the log; press 'H' to show the hosts list, which shows each host's IP address and MAC address.
As you can see, it found both the Windows XP victim and the Untangle system (which is the "router" in my virtual lab).
Click on Mitm in the menu and select Arp poisoning. Tick the box for "Sniff remote connections" and click OK.
Now it's all ready. Click on Start and select Start sniffing.
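What the victim sees during this attack is an ARP reply claiming the gateway's IP with the attacker's MAC, which is exactly what a network defender can watch for. The script below is an added example (my own, not part of Ettercap or the original walkthrough): it parses raw Ethernet/ARP frames and raises an alert whenever an IP address that is already bound to one MAC is claimed by a different one, the same idea arpwatch uses. The three sample frames are constructed, not captured traffic; they use the lab's gateway and attacker MACs from the table above, plus a made-up victim MAC of 00:1c:42:aa:bb:cc since the lab notes leave it blank.

```python
import struct

# Known-good binding for the lab gateway (values from the lab table above).
GATEWAY_IP = "192.168.2.254"
GATEWAY_MAC = "00:1c:42:66:2e:26"

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame):
    """Parse an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet.
    Returns a dict of the ARP fields, or None if the frame is not such an ARP packet."""
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP body
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "opcode": oper,
        "eth_src": mac_str(src),
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }


class ArpWatch:
    """Tracks IP -> MAC bindings seen in ARP traffic and alerts on changes."""

    def __init__(self, known=None):
        self.bindings = dict(known or {})    # seed with trusted bindings, e.g. the gateway
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp_frame(frame)
        if arp is None:
            return None
        # Ethernet source and ARP sender hardware address should agree.
        if arp["eth_src"] != arp["sender_mac"]:
            self.alerts.append(f"Ethernet src {arp['eth_src']} != ARP sender {arp['sender_mac']}")
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        prev = self.bindings.get(ip)
        if prev is None:
            self.bindings[ip] = mac             # first sighting: learn it
            return None
        if prev != mac:
            # Keep the original binding so every later spoofed reply still alerts.
            kind = "reply" if arp["opcode"] == ARP_REPLY else "request"
            alert = f"ARP binding change for {ip}: {prev} -> {mac} ({kind})"
            self.alerts.append(alert)
            return alert
        return None


# Constructed sample frames (hex), not captured packets.
VICTIM_MAC_HEX = "001c42aabbcc"                  # made-up victim MAC
GATEWAY_REPLY = bytes.fromhex(                   # genuine reply: gateway -> victim
    VICTIM_MAC_HEX + "001c42662e26" + "0806"
    + "0001" "0800" "06" "04" "0002"
    + "001c42662e26" + "c0a802fe"                # 192.168.2.254 is at 00:1c:42:66:2e:26
    + VICTIM_MAC_HEX + "c0a8021e"                # told to 192.168.2.30
)
SPOOFED_REPLY = bytes.fromhex(                   # poisoned reply: attacker claims the gateway IP
    VICTIM_MAC_HEX + "001c42ebc82b" + "0806"
    + "0001" "0800" "06" "04" "0002"
    + "001c42ebc82b" + "c0a802fe"                # 192.168.2.254 is at 00:1c:42:eb:c8:2b
    + VICTIM_MAC_HEX + "c0a8021e"
)
NON_ARP = bytes.fromhex("001c42662e26" + VICTIM_MAC_HEX + "0800") + bytes(28)  # IPv4 frame


def run_demo():
    """Feed the sample frames through the watcher; returns the alerts raised."""
    watch = ArpWatch({GATEWAY_IP: GATEWAY_MAC})
    for frame in (GATEWAY_REPLY, SPOOFED_REPLY, NON_ARP):
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for line in run_demo():
        print("ALERT:", line)
```

Only the second frame produces an alert, naming the old and new MAC for 192.168.2.254. On a real network you would feed this from a raw socket or pcap and seed the known bindings from your DHCP or inventory records; Ettercap's poisoning also generates a steady stream of unsolicited replies, so a spike in reply volume from one MAC is a useful secondary signal.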