MAN IN THE MIDDLE ATTACK

In a man-in-the-middle (MITM) attack, the attacker manages to position themselves in the middle of a connection and intercept the communication between two users. The attacker can then steal confidential information by impersonating each legitimate party to the other, so that both believe they are talking directly to the legitimate party.

[Figure: man-in-the-middle (MITM) diagram]

The attack can be active or passive. In an active attack the attacker intercepts and modifies the data being transmitted; in a passive attack the attacker intercepts the communication without altering the data. A MITM position can be obtained using a variety of methods:

  • ARP poisoning is a technique used to corrupt a host's ARP table, allowing the attacker to redirect traffic to the attacking machine.

[Figure: The ARP poisoning process]

  • ICMP redirects: the attacker uses ICMP redirect messages to force the victim's packets through his computer.

[Figure: ICMP redirection]

  • DNS poisoning: the attacker manipulates the DNS server so that it redirects the victim to the attacker's server.

[Figure: DNS spoofing]
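From the defender's side, ARP poisoning leaves two visible symptoms on the segment: an IP address that suddenly answers with a different MAC, and a single MAC that claims several IP addresses. The following is an added example, not code from the original article: an arpwatch-style monitor that replays a constructed stream of ARP replies (the attacker IP 192.168.1.200 and all MAC addresses are made up here) and reports both symptoms.

```python
# Added example (not from the original article): an arpwatch-style monitor that
# replays a constructed stream of ARP replies and reports the two symptoms of
# ARP poisoning: an IP whose MAC suddenly changes, and one MAC claiming several IPs.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    seen_at: int  # seconds since capture start (constructed timestamps)


class ArpMonitor:
    """Keeps the IP -> MAC mapping seen on the segment and raises alerts on anomalies."""

    def __init__(self) -> None:
        self.ip_to_mac: dict[str, str] = {}
        self.mac_to_ips: dict[str, set[str]] = defaultdict(set)
        self.alerts: list[str] = []
        self._reported: set[tuple[str, frozenset[str]]] = set()

    def observe(self, reply: ArpReply) -> list[str]:
        """Update the tables with one ARP reply and return the alerts it triggered."""
        new_alerts: list[str] = []
        ip, mac = reply.sender_ip, reply.sender_mac.lower()

        # Symptom 1: a host we already know answers with a different MAC.
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            new_alerts.append(f"t={reply.seen_at}: {ip} changed {previous} -> {mac}")
            self.mac_to_ips[previous].discard(ip)

        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)

        # Symptom 2: one MAC now claims more than one IP (reported once per distinct set).
        claimed = frozenset(self.mac_to_ips[mac])
        if len(claimed) > 1 and (mac, claimed) not in self._reported:
            self._reported.add((mac, claimed))
            new_alerts.append(f"t={reply.seen_at}: {mac} claims {sorted(claimed)}")

        self.alerts.extend(new_alerts)
        return new_alerts


def run_demo() -> list[str]:
    """Replay a constructed capture: a clean baseline, then two-way poisoning of
    the client (192.168.1.101) and server (192.168.1.105) from the walkthrough.
    The attacker IP and all MACs are made up for this example."""
    client, server, attacker = "192.168.1.101", "192.168.1.105", "192.168.1.200"
    mac_client, mac_server, mac_attacker = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:05", "cc:cc:cc:cc:cc:c8"
    capture = [
        ArpReply(client, mac_client, 0),
        ArpReply(server, mac_server, 1),
        ArpReply(attacker, mac_attacker, 2),
        ArpReply(server, mac_attacker, 10),  # client is told "the server is at the attacker's MAC"
        ArpReply(client, mac_attacker, 10),  # server is told "the client is at the attacker's MAC"
        ArpReply(server, mac_attacker, 12),  # poisoning replies repeat; no new alert
    ]
    monitor = ArpMonitor()
    for reply in capture:
        monitor.observe(reply)
    return monitor.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On a real network the `ArpReply` records would come from a capture on a mirror port; the "claims" alert is deduplicated per MAC and IP set so that the periodic re-poisoning replies do not flood the log, while a genuine change (a replaced NIC, DHCP reassignment) still shows up once as a "changed" alert for an analyst to confirm.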

Man-in-the-Middle Attack 

Arpspoof Client to Server

Let's start with the client. In the client's ARP cache, we want to replace the MAC address of the server with our MAC address.

arpspoof 192.168.1.101 192.168.1.105

Where:

  • 192.168.1.101 is the IP of the client
  • 192.168.1.105 is the IP of the server

In this step, we’re telling the client that we are the server.

Arpspoof Server to Client

Now we want to replace the MAC address of the client with our address, so we simply reverse the order of the IP addresses in the previous command.

  •  arpspoof 192.168.1.105 192.168.1.101

Pass Packets with ipforward

We do this in Linux by using ip_forward. Linux has built-in functionality to forward the packets it receives. By default it is turned off, but we can turn it on by changing its value to 1 (on).

We simply echo a 1 and redirect it (>) to /proc/sys/net/ipv4/ip_forward, thereby turning on IP forwarding.

  • echo 1 > /proc/sys/net/ipv4/ip_forward
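The steps above leave traces on both ends: the victim's ARP cache now maps the server's IP to the attacking interface, and the forwarding host has ip_forward set to 1. The following host self-audit is an added example, not code from the original article. It reads nothing live: callers pass in the text of `ip -4 neigh show` and the content of /proc/sys/net/ipv4/ip_forward as strings, and the cache samples and MAC values below are constructed for the example.

```python
# Added example (not from the original article): a host self-audit that checks
# for the traces the above steps leave on a victim or on the forwarding host.
# It reads nothing live: callers pass in the text of `ip -4 neigh show` and the
# content of /proc/sys/net/ipv4/ip_forward, so the constructed samples below run offline.
import re

# One `ip -4 neigh show` line with a hardware address, e.g.
#   192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
NEIGH_LINE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+(?P<state>\S+)$"
)


def parse_neigh(text: str) -> dict[str, str]:
    """Return IP -> lower-case MAC for neighbour entries that have an lladdr
    (INCOMPLETE/FAILED entries carry none and are skipped)."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        match = NEIGH_LINE.match(line.strip())
        if match:
            table[match["ip"]] = match["mac"].lower()
    return table


def audit_host(neigh_text: str, ip_forward_text: str,
               pinned: dict[str, str], forwards_traffic: bool = False) -> list[str]:
    """Return findings. `pinned` maps IPs of hosts that should never move
    (gateway, file and auth servers) to the MAC recorded at baseline time."""
    findings: list[str] = []
    cache = parse_neigh(neigh_text)

    # A pinned host answering from a different MAC is the victim-side view of
    # the arpspoof step: the cache now points at the attacker's interface.
    for ip, expected in pinned.items():
        seen = cache.get(ip)
        if seen is not None and seen != expected.lower():
            findings.append(f"{ip} resolves to {seen}, pinned MAC is {expected.lower()}")

    # Only routers and intentional gateways forward packets; on any other host a
    # value of 1 in ip_forward is exactly the setting the walkthrough enables.
    if not forwards_traffic and ip_forward_text.strip() == "1":
        findings.append("net.ipv4.ip_forward is 1 on a host that should not route")

    return findings


# Constructed samples: a healthy cache, and the same host after the server's
# entry has been overwritten (MAC values are made up for this example).
NEIGH_CLEAN = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.105 dev eth0 lladdr bb:bb:bb:bb:bb:05 STALE
192.168.1.50 dev eth0  FAILED
"""
NEIGH_POISONED = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.105 dev eth0 lladdr cc:cc:cc:cc:cc:c8 REACHABLE
192.168.1.200 dev eth0 lladdr cc:cc:cc:cc:cc:c8 STALE
"""
PINNED = {"192.168.1.1": "00:11:22:33:44:01", "192.168.1.105": "bb:bb:bb:bb:bb:05"}


if __name__ == "__main__":
    print("clean:", audit_host(NEIGH_CLEAN, "0\n", PINNED))
    print("poisoned:", audit_host(NEIGH_POISONED, "1\n", PINNED))
```

The pinned table is the important design choice: a baseline of gateway and server MACs recorded while the network is known-good turns an otherwise ambiguous cache change into a concrete finding, and the `forwards_traffic` flag keeps the ip_forward check from firing on hosts that legitimately route.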

Sniff the Traffic with Dsniff

Now that we have all the traffic coming from the client to the server and the server to the client going through our computer, we can sniff and see all the traffic!

To do this, we could use a number of different sniffing tools, including Wireshark or tcpdump, but in this case we'll use Dug Song's dsniff. Song designed dsniff to sniff out authentication information that appears on the wire in clear text (unencrypted). So, protocols such as FTP, Telnet, HTTP, SNMP, POP, LDAP, etc. can be sniffed off the wire.

To activate dsniff, we simply type:

  • dsniff

Both red teams and blue teams use this technique, and it can be used to find out whether your network has been compromised.