A man in the middle (MITM) attack is a general term for when a machine positions itself in between a connection between a client/user and the server/internet — either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is underway. This is nicely depicted in the diagram below.
The MiTM attacker will be able to place himself/herself between the user and the internet server to see what is happening. We will be using an ARP spoofing attack to achieve this. Before starting let’s know what is ARP protocol and how we are going to exploit it to become the man-in-the-middle.
ARP stands for Address Resolution Protocol. It links the IP addresses to the device MAC addresses. Each computer in a network will have a table storing IP addresses of the device in a network with their MAC addresses. So whenever data is sent in a network, it will be sent to the device having the MAC address associated with the destination IP of the packet. We can see this ARP table by running the following command.
$ arp -a
For me, this is the output:
ARP Spoofing can be achieved by telling the router that the user’s IP corresponds to our MAC address. We will also tell the user that the router’s IP address corresponds to my MAC address. And guess what !!! all the traffic between the user and router will now flow through our machine.
The reason that this exploit is possible is because the ARP protocol is not secure, the client machines will accept responses even if they didn’t send requests and the client machines won’t even verify before updating their ARP table. You can look at the image below for a graphical representation of what we will be achieving.
webp
As mentioned, we will be using an ARP spoofing attack to be the Man-In-The-Middle. ARP Spoofing will redirect the flow of packets. So instead of packets flowing directly between the client and access point, it would redirect through our system. This means that we will be able to see all the websites, usernames, passwords, images that the user is browsing.
Let’s practically see how this would work. I am using Ubuntu 20.04 for executing all the below commands. The commands will remain the same for any Debian-based Linux Machine. Kali Linux
is preferred since it will have most of the tools pre-installed. The tool I will be using is bettercap
. It’s an open-source tool. Let’s download it and install it by running the following commands in your terminal :
$ wget "https://github.com`curl -s https://github.com/bettercap/bettercap/releases | grep -E -o '/bettercap/bettercap/releases/download/v[0-9.]+/bettercap_linux_amd64_(|v)[0-9.]+zip' | head -n 1`"
$ unzip bettercap_linux_amd64_*zip
$ sudo mv bettercap /usr/local/bin/
$ rm bettercap_linux_amd64_*
Run bettercap -h
to see that the installation is proper
$ bettercap -h
Note : There’s an optional step. If you want you can change your MAC address. This is a way to hide your identity on the network. To do this, you can follow the steps here: How to change MAC Address?
As you can see I have 2 interfaces, wlan0
and wlxb0a7b9b32df2
. I will choose wlxb0a7b9b32df2
interface and use it in further commands. You can choose any of them.
bettercap
tool by running the following command.interface-name
is the name we fetched in the above step.
$ bettercap -iface <interface-name>
Hereafter we will write all the commands inside this shell.
ProTip : You can type
help
inside this shell to get a list of all the cool stuff you can do using bettercap
We require a list of devices connected to the router so that we can select a target device on which we will perform the attack.
To do this we will start the net.probe
module. This module will keep probing for new hosts on the network by sending dummy UDP packets to every possible IP on the subnet. To turn net.probe
on, execute the below command
bettercap-shell> net.probe on
Turning it on will also trigger the net.recon
module on which will read the ARP cache in order to monitor for new hosts on the network and create a nice list out of it.
To view this list run the following command
bettercap-shell> net.show
The output should look something like this:
Note down the IP of the target device on which we want to perform ARP spoofing. For my case, it is the device with the name infinee.local
and target IP is 192.168.29.65
.
Now we will run the ARP spoofing attack on the target device. This will place us in between the user and the router. So we can intercept the data and see all the URLs and the websites the target device is visiting, and anything the user posts. We will use the arp.spoof
module provided by berttercap
.
If you wish you can run help arp.spoof
to see the list of options provided by this module. We will need to set the arp.spoof.fullduplex
option to true. Doing this will spoof both the target device and the router and we will be in the middle of the connection. We will do this by running the following command.
bettercap-shell> set arp.spoof.fullduplex true
Next, we should set the target using the below command. target_ip
for me here is 192.168.29.65
. And turn it on by typing arp.spoof on
bettercap-shell> set arp.spoof.targets <target_ip>
bettercap-shell> arp.spoof on
arp.spoof
on will do 3 things:
target_ip
target_ip
that I am the routerKudos!!! We are now Man-in-The-Middle. We can now capture packets using a program of our own or use Wireshark. For this blog, we will use a tool provided by bettercap
. Once you are man-in-the-middle, there will be a small lag on the page load time on the target machine.
We have to tell bettercap
to capture all the data that flows through this computer and analyze it for me. To do this we will use the net.sniff
module provided by bettercap
. Simply run the following command to start sniffing.
bettercap-shell> net.sniff on
As you can see, we are able to see the API requests and the request bodies transferred between the client machine and the internet.
We had to write so many bettercap
commands for ARP-spoofing. We can write all these commands in a *.cap
file where * is any file name and execute them through bettercap
. For this, I will create a file called arp-spoof.cap
with the following contents
net.probe on
set arp.spoof.fullduplex true
set arp.spoof.targets <target_ip>
arp.spoof on
net.sniff on
We call this a caplet. To execute it, run the following command in the terminal:
$ bettercap -iface <interface_name> -caplet arp-spoof.cap
Alternatively, we can use a sniffing tool called Wireshark
to sniff these packets. We will still need to do arp spoofing using bettercap
. Wireshark
is just a replacement of the net.sniff
module of bettercap
.
Run the following commands to install wireshark
:
$ sudo add-apt-repository ppa:wireshark-dev/stable
$ sudo apt-get update
$ sudo apt-get install wireshark
To start wireshark
:
$ sudo wireshark
From the UI of wireshark
, we select the network interface that we got in step 1. And our sniffer will start as shown in the pictures below.
The network packets viewed by both the methods — bettercap
and Wireshark
are the same, just that wireshark
is the UI way of net.sniff
inbettercap with slightly more information.
This method won’t work for packets sent over the HTTPS
protocol. We will only be able to read packets that are sent over the HTTP protocol.
However, there are caplets available on the internet that can be executed via bettercap
that will help you to partially bypass the HTTPS
and the HSTS
protocols. You can find one such caplet here: ByPass HTTPS
And that’s a wrap! Hi, I am Gourav Dhar, a software developer and I also write blogs on Backend Development and System Design. Subscribe to my Newsletter “The Geeky Minds” and learn something new every week - https://thegeekyminds.com/subscribe
Other Articles
What is an SSL/TLS Certificate and How do they Secure Your Website?
What are WebSockets? Everything you need to know about WebSockets!
How to create the perfect Pull Request?