Well, I thought I'd write a tutorial for how to do a MiTM (Man in the Middle) attack using BackTrack (ARP Poisoning style). This is done on BackTrack 3 Beta. You will need to download and burn the ISO. I won't explain how to do that, just use Google. But MiTM depends on a few things, so here is a bit of basic knowledge behind it. This is all written by me, but I wrote it for a magazine, just in case any of you see it on the shelves anywhere. ARP - What is it? ARP stands for the “Address Resolution Protocol”, and is used to find the networks hosts Physical Addresses (MAC addresses) when only the network layer address is available. The network layer is the third layer in the OSI model, and responds to transport layer requests (4th layer) and hands out service requests to the data link layer (2nd layer). Network layers are responsible for the transfer of packets from the source up to the destination, and provide quality of service along the way. Network layers are said to be both connection-oriented and connectionless, as there are situations of both scenarios, when the end user has to accept the connection in a connection-oriented situation, or the connection is simply made in a connectionless situation. Within the network layer, there are many different protocols, such as IPv4/IPv6, which includes things like ICMP (Internet Control Message Protocol) and DVMRP (Distance Vector Multicast Routing Protocol), as well as things like IPSec (Internet Protocol Security), and IPX (Internetwork Packet Exchange). ARP is not limited to resolving the hardware address from IP addresses only, but can be (and is) used with any protocol from the network layer. However, because of the popularity and density of IP based Ethernet connections, ARP is usually used to resolve an IP address to the Hardware (MAC) address, however, it is not restricted to IP over Ethernet, and is used in things like Token Rings and Wireless Networks. ARP is used generally in four different situations, being: 1.Two PC’s on the same network 2.Two PC’s on different networks using a router to connect 3.When a router sends a packet through another router to a host 4.When a router send a packet on the same network to a host The first situation is used simply for LAN, and the last three generally for WAN (Internet mainly). ARP has two main formats; request and reply. A request is used for example when a host, such as 10.1.1.2 with a MAC of 00:11:22:33:44:55, needs to send a packet on to a newly connected client 10.1.1.3, the MAC of which is as yet unknown. 10.1.1.2 will then send an ARP request to find out this information. A reply would then be issued to 10.1.1.2 containing 10.1.1.3’s MAC address. The request containing 10.1.1.2’s IP and MAC is available for all on the network to view, and therefore cache the information; however, the reply is only available to the ‘requestee’. There are also ARP probes, which are used when a client joins a network. Once joined, it must broadcast an ARP probe to determine if it’s IP address is already in use or not. ARP is used because computers on an Ethernet network can only communicate with each other once they know the MAC address of the client they are trying to communicate with. ARP is cached in a table which maps the connections between an IP address and their related MAC address. A simple program which can be used to view this (on Windows) is PacketCreator 2.1, under the ARP tab. Linux has a more advanced program for this – Arpwatch (ftp://ftp.ee.lbl.gov/arpwatch.tar.gz). This program generates and records logs of each IP and it’s make and the time it was assigned, in order to detect ARP Poisoning, and will send an email upon detection of ARP poisoning. ARP Poisoning? ARP poisoning is also known as ARP spoofing, and is used to become what is known as the “Man in the Middle”. This means that an attacker can use this on a network (Ethernet or wireless) to redirect all traffic through them passively, which will allow clients normal internet service, with the exception of passing all data through the attacker first and thereby divulging all such secrets to that attacker unwittingly. The attacker also has the opportunity to either modify the packets as they pass through in order the change the information, or simply stop any traffic, which is known as a DoS (Denial of Service). The basic aim of ARP poisoning is to create fake ARP messages which will map the other IP’s to the attackers MAC address in the cache’s of the client. For example, lets assume the gateway 10.1.1.1 has a MAC address of 0E:33:FB:G3:G2:11, 10.1.1.2 has a MAC of 00:02:FE:G1:1B:CC, and 10.1.1.3 has a MAC of 00:11:22:33:44:55. If 10.1.1.2 was performing the attack, it would send out ARP messages indicating that 10.1.1.1 and 10.1.1.3 was on MAC 00:02:FE:G1:1B:CC, and therefore all traffic destined for either IP address would be sent to that physical MAC address as that traffic is transported over the network layer. At this stage, it is up to the attacker on 10.1.1.2 whether he forwards 10.1.1.3’s traffic on to 10.1.1.1, or whether he prevents it from getting there, or alters it on the way. A Denial of Service could also be performed by sending an ARP message informing the clients of new (but non-existent) MAC address has been assigned to the default gateway. Setup Of Attack For this tutorial, we will be using “BackTrack”, a Linux live-CD with a security focus (a customised version of which is located on the Hakin9 CD as Hakin9.live), which includes the tools that will be using: Ettercap, Driftnet and Wireshark. Basically, head over to http://remote-exploit.org/ and grab yourself a copy of BackTrack. I'm going to assume you are all familiar with the process, so grab your favourite burner, burn the ISO, and boot from the CD, selecting the default option from the CD's Boot Menu. Ettercap Configuration Once your desktop KDE session is loaded, we will be using Ettercap to perform the MiTM attack, but to do so, we will have to set up Ettercap to use IPTables to forward traffic. To do so, open up a terminal session and type the following (everything after the #) bt ~ # echo 1 > /proc/sys/net/ipv4/ip_forward This enables IP forwarding. Then, type the following: bt ~ # kedit /usr/local/etc/etter.conf This will open up a new window within which is a text file that holds all the configuration settings for Ettercap. Look for the following lines in the file, and uncomment them by removing the hashes (except for the one next to “if”, then save it and close it: Code: Code: # if you use iptables: #redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport" #redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport" to this: Code: # if you use iptables: redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport" redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport" We are now ready to proceed to the attack stage. Becoming the MiTM Now that Ettercap is set up, becoming the MiTM is a relatively simple process for the most basic attack. This attack will simply make us the MiTM, and allow us to view passwords that are transferred through the network to such protocols HTTP, SSH plaintext, FTP, TELNET, POP3, etc. Open up another terminal session, and type the following: bt ~ # sudo ettercap -Tq -M arp:remote /$IP/ -P autoadd And replace $IP with an IP Address range of your network which includes the default gateway and a few clients. Such as, for example, a network which includes a router to the internet which is the default gateway (10.1.1.1), and four clients including yourself (10.1.1.2-5). The easiest way would be simply to put the IP range as 10.1.1.1-5, and Ettercap will add in any additional clients that join the network. The “-p autoadd” switch is optional, and probably isn't advised on larger networks for risk of DoS'ing (Denial of Service) the clients, as it automatically adds in any extra clients by detecting the ARP requests that are sent back and forth, and determining which clients exists and which don't, and adding any that do exist. At this point, Ettercap will scan through the IP Addresses that you have specified, figure out which MAC address they are on, and then send out the fake ARP packets as described earlier, pinpointing each IP address to the single MAC address of you PC, passing absolutely all traffic through it. This enables us to watch everything that happens, as well as modify any packets that come through, but we will cover that in a little while. First, you will notice in that same window that nothing much is happening – that is because no plain text passwords are being passed through the network. In order to determine if your attack has worked, go to another PC on the same network, and try to login to something like a forum, or your hotmail account, or similar. Anything that does not have an https should work. You will notice that whenever you try to login to a website when a MiTM attack is being performed, it will ask you whether you want to accept a certificate. The attack works on the basis that most people will simply accept the certificate, thinking nothing more of it, and most people will. So when you are testing if your attack worked, simply accept the certificate and watch your magic go to work. If you are ever using another PC on a public network, and you see such a prompt, be very cautious as to whether you accept it or not. Examine it and see who it was signed by, etc., in order to determine if the certificate is legitimate or not. At this point, you could simply sit back and watch the passwords be collected, or start up driftnet to view all the pictures being viewed over the network: bt ~ # cd /usr/local/driftnet-0.1.6/ && driftnet -i eth0 When quitting Ettercap, make sure to press the letter “q” instead of the typical “Ctrl+C”, because that will Re-ARP all the clients. If you simply press Ctrl+C, then there will be a massive DoS, and no clients will have the internet or network access until they refresh their network position. You can also press “p” whilst Ettercap is sniffing, and you activate further built-in plugins. Now we can move onto some more interesting propositions: manipulating the packets. Manipulating the Packets The possibilities of packet manipulation are endless, bound only by your creativity, and the time you are willing to spend exploring the different protocols and how they work and there relations with inbound traffic and outbound traffic on the network. Ettercap comes with its own built in filter creator, as well as a few of it's own pre-made packets. Building your own filter requires a basic knowledge of how programming languages work, or the ability to analyse and determine how the Ettercap filters work, which is relatively simple if you are used to analysing data/packet streams with programs such as Wireshark. Open a new console, and type: bt ~ # kedit filter.pic Then copy and paste the following into the window that comes up: Code: if (ip.proto == TCP && tcp.dst == 80) { if (search(DATA.data, "Accept-Encoding")) { replace("Accept-Encoding", "Accept-Rubbish!"); msg("Modified Accept-Encoding!\n"); } } if (ip.proto == TCP && tcp.src == 80) { replace("img src=", "img src=\"http://img405.imageshack.us/img405/328/hacked28hi.png\" "); replace("IMG SRC=", "img src=\"http://img405.imageshack.us/img405/328/hacked28hi.png\" "); msg("Replaced the picture.\n"); } if (ip.proto == UDP && udp.src == 80) { replace("img src=", "img src=\"http://img405.imageshack.us/img405/328/hacked28hi.png\" "); replace("IMG SRC=", "img src=\"http://img405.imageshack.us/img405/328/hacked28hi.png\" "); msg("Replaced the picture.\n"); } ave this, and then close Kedit. In that same console session, run the following command to turn the code into a filter that is readable by Ettercap: bt ~ # etterfilter filter.pic -o filter.ef You will see a few things happen, and then the filter will be created. Basically, the code is fairly simple. The “if (ip.proto == TCP && tcp.dst/src == 80)” basically tells Ettercap to only pay attention to the TCP protocol packets on either the destination to port 80, or the source from port 80 (which is all web related traffic), and then to follow the instructions that come after that – being to search that packet for a string, then replace it with what you would like that string to read. You will also notice that in replacing the strings, we must keep the length of the two strings the same – be careful to make sure you do this, or it won't work. Now to make this filter run during your MiTM attack, we must use a slightly altered Ettercap command. The command to use is (assuming you saved the filter in the /root folder): bt ~ # sudo ettercap -T -q -F filter.ef -M arp:remote /$IP/ -P autoadd Now move to another computer, and navigate to a website, and see a lot of pictures being replaced with the image you specified! This can be quite funny. Alternatively, you can see the images being replaced by watching the output of your console session. The filter we created won't work with absolutely every website because of the many various ways of including images, but it will work with many of them. Applying this same principal, you can for example figure out the port of a Messenger program, and modify the outgoing packets to include words of your own – for example replacing something like “How are you” with something like “I hate you!” (notice still the same amount of characters – this is essential in general packet manipulation, however, is not necessary in our image filter, as we are adding to what is already there [via the use of the slashes], not modifying). Explore, and have fun with this. Information Gathering This section demonstrates how relatively easy it is to read and gather information by using the MiTM attack. Imagine if your neighbour read exactly what you sent through your MSN logs, who to, and when. If you gave them long enough, they could figure out roughly how you speak, and then even log in as you and impersonate you to get more information. Assuming you are still the MiTM as in previous steps, open up Wireshark, and start capturing. This is done by going to KDE Menu > BackTrack > Privelege Escalation > Wireshark, then click Capture > Interfaces, and click “Start” on the interface you want to capture the traffic on (in our case – ath0), and then wait around for a while as it captures information. If you are testing this in your own lab, go to your other PC and open up MSN, sign in, and start talking to someone (all whilst Wireshark is capturing data). Once you've chatted to a few people for a while, enter in the filter section (near the top of the Wireshark window) “msnms” making sure it's in lower case, then click “Apply”. You will notice a number of packets, most of which are useless, but if we look closely, we can eliminate a few of these. The ones you would want to take notice of are the ones with the “MSG” in front of them in the “Info” section. If it helps, you can click on one of the MSG packets, and then click Analyze > Follow TCP Streams, where you can then scroll through all the conversations and read what you need to, or print it out and highlight the actual conversation. Another somewhat easier to use, but still buggy (and Beta) program that can be used is one called “Imsniff”, available on sourceforge. To use this program, simply download and extract the .tgz file, then in the terminal, cd into the “linux” directory, and run “build” by using ./build in the terminal. This will build Imsniff according to your network devices. Then run: bt ~ # imsniff -cd /root/chatlogs eth0 The reason we run Imsniff on eth0 is because it is designed for eth0 by default, but the README in the /docs/ folder describes how to modify it for wireless connections. You can also use the imsniff.conf.sample file to make your own auto configuration folder for this. The only bug I have encountered so far is that sometimes it won't create the folders for each MSN account you are sniffing, and as such – no logs are recorded. To combat this, simply create a folder within your specified folder for that MSN contact, and then logs will be created within there. Another handy trick that you can do with Wireshark is capture any SIP phone calls that pass through that network. Again, start a capture process, then wait for a SIP call to be made and completed, then stop the capturing. Now, simply go to Statistics > VoIP Calls, and from here it will list all calls made, duration, starting time, etc., and you can then play and listen to these calls from here. Imagine what your neighbour might hear if they were using your wireless. Further Possibilities: Evidently, being a MiTM, there can be endless possibilities as to the things you can do. If you can read all packets and manipulate all packets – then what's to stop you controlling the network? There are a few more basics that we haven't covered in this article, and that would be better left for you to explore yourself. One of these possibilities is sniffing SSL (Secure Socket Layer) traffic, such as secure logins for sites like Hotmail (Secure Version), Banks, Online Stores, etc. It is beyond the scope of this article, but the basics behind it include issuing your own SSL Certificate instead of having the company's SSL certificate issued, all the while spoofing the DNS requests, and capturing all packets with wireshark. These are then decrypted with SSLDump into a human reable form, where any passwords can be read by you. Obviously, this can have hugely devastating effects to your average user who doesn't examine certificates. Another possibility is re-directing all traffic to a certain website. This can obviously be used for fun – but what if someone used this to exploit your PC? If they scanned your computer with Nmap, and figured out what services and versions you were running, they could then figure out if you had anything exploitable and create a webpage (that is locally hosted) through Metasploit, and then get Ettercap to redirect all traffic to the page – whereupon they will be exploited and you will have Root control of their system. You can image how detrimental this can be. One other further possibility is that of further access into the network. Imagine this – a client computer is authenticated with the server based on it's network address or fingerprint. This network address is then stolen by you with your MiTM attack, thus making you appear like that client to the server. The server would then give you the priveleges of that client where you normally would not have priveleges – another large security threat for administrators. These are just a few further ideas for possibilities that can be achieved through Ettercap – you are only limited by your imagination, so have a play around and figure some things out. ettercap is kind of advanced so if you dont know what your doing then do research on it first
