Man in the Middle

Man in the middle attacks are a big issue in today's I.T. Security world.

So that's what we're going to be doing in this episode.

Now first of all let's make sure we know what a man in the middle attack is on the
Internet on any TCP/IP network.

You have some type of communication going on between two computers.

You might have a web browser accessing a web page or an Ssh client accessing an Ssh
server or a computeraccessing some shared folders on another computer.

It doesn't matter what's going on in terms of protocol and application in almost

every situation.

We have this session going on between two computers and a man in the middle attack
is simply a third party that's sneaking in between these two conversations and
doing whatever evil they're going to do.

So when we're talking about a man in the middle attack there are two big parts to
it.

Number one you have to get in the middle.

So that's going to depend on the technology and how that's going to work.

We're going to get into that.

The second issue is as OK now that you're in the stream now that you're in the
middle of that conversation what are you going to do about it.

So to help us out what I want to do is give you a kind of a set up and that's why I
got all these computers here for now.

If we take a look over here what I have are two virtual machines.

So if we take a look here you'll see this machine right here is running Windows 8
it's on 182 168 1.1 90.

And then over here is a Windows 10 machine and it's on 192 168 146.

You'll notice that it's 192 168 1 1 for a default gateway.

So what I have is this little router right here this little home router.

He has a DHCP server passing out 192 168 1 and he's going to be acting as our
gateway now in this particular episode.

What I want to do is keep things a little bit simpler so we're going to just all be
on one network.

But the fun part is is over here.

What I'm running on this laptop is a very famous Lititz distribution called Cali.

So Cali is kind of like your best friend when it comes to all kinds of fun security
things it's just a big pile of fun toys all in one big piece.
So if you take a look right here right now I don't have anything exciting running
on it other than this.

So you can see that it is also on our network.

It's 1 and 2 1 6 8 1 0 1 0 7.

And I can talk to both the router and my two virtual machines on this box so let's
go ahead and draw up what we have right there.

So what we have here is we've got our two windows machines the Windows 8 machine is
1 and 2 1 6 8 1 1 0 9.

And then we have the Windows 10 machine which is 192 168 1 146.

Also we've got a router in here too.

So the router is going to be 192 168 1.1.

He'll be passing out DHCP.

We have our attack machine which is going to be this colleague Linux box and at
least for right now he's 192 168 1 1 0 7.

They're all on the same network.

OK.

So our first job with man in the middle attacks is to get into the middle somehow.

We have to be able to as the attacker see the stream as it's going back and forth
between the two different systems.

Now the first way to do this is a wireless network and wireless is fantastic
because in a perfect unencrypted world 802 wireless is completely open for anybody
to read anything that they want to.

So I can just take a laptop like this plug in the right type of wireless network
card I can set that wireless network card in promiscuous mode and I can just grab
everybody's pack and I can just start sniff it away as they say and capture all
these packets and I can get all the information I am in essence in between the
streams in a wireless network now 802 Wireless has some protections for example if
you use WPA or WPA2.

First of all if you're using encryption that will certainly stop that that will
make that a lot harder.

But even with encryption there's ways to decrypt sometimes.

So WPA and WPA2 also have isolation.

So each computer on that wireless SSID can connect to the wireless access point but
they can't see anybody else so that's very beneficial.

WEP is still a bit of a problem with WPA and WPA2.

You've basically got end to end encryption Unfortunately with WEP you don't.
So yet one more reason to stop using wep.

It doesn't just stop with 1:52 11 though.

Bluetooth is also susceptible to man and middle attacks.

Bluetooth does have encryption built into it but Bluetooth counts on short
distances and short duration of connections to make it hard for man in the middle
of attacks.

The other problem child is NFC now with NFC communication.

What you have is a device or Apple Pay or whatever you might be using something you
like on a smartphone and it has a chip inside of there and it also counts on the
fact that it has to be extremely close to the other side of the conversation in
order to work.

So we do have these issues in all types of wireless but unencrypted 802.11 is

certainly the biggest problem of all.

Now if you're using wireless you're probably already got about half the battle
taking care of all you need to do is get some kind of card that's going to listen
for all the packets and start pulling it in.

However if you're in a wired network.

Things change dramatically.

If you're going to do a wired van in the middle attack things get a lot trickier.

In a wired network packets are sent between systems based on MAC addresses or IP
addresses or some other piece of information.

So if we're going to do man in the middle in Wired attacks well then we're going to
have to start the magical world of spoofing.

So when we talk about spoofing we're talking about making something in the
attackers address look like one of the victim's addresses.

So for example I could spoof MAC addresses I could in essence tell my switch that
oh this computer over here is actually that MAC address send the data to that one.

We could also do what we could call IP spoofing.

In that case what we're doing is we're telling the one computer on the end or
either computer that go ahead and send it to me and then I can send it on over to
the next guy so we can use that.

We can also do things like using DNS addressing to get people to go the wrong way.

So what I want to do is go ahead and play with this a little bit and to do this
we're going to use a wonderful program called EDR cap.

This is an old program it's been around for a long time.

It is a free program that is marketed as an end as a penetration testing tool but

it's actually a lot of things all in one EDR cap is going to allow me to do the
spoofing by different functions called poisonings.
And not only will it do that but will actually grab the data for me and it will
look through the data to give me the type of information I want.

So we're going to keep it a little bit simple here.

But let's go ahead and let me show you our camp at work one of the reasons that I
like Cali Linux so much is that it comes with so many handy tools and one of those
tools is EDR cap.

So let's go ahead and get that guy started up and you can see how he does such a
nice job about putting everything in a nice easy way for me to find stuff.

So here under sniffing and spoofing EDR cap is one of many many handy programs that
go ahead and get him started up.

So let's go ahead and take a minute right now and take a look at our wired setup
one more time what we're going to be doing here is we're going to be doing man in
the middle attacks between our router and one of the Windows systems.

So what I need do is get EDR cap set up in such a way that it can do that.

Cap is designed for man in the middle so it'll do stuff like say give me who I'm
attacking.

On one side give me who the target is on the other and then tell me what you want
to do and we'll see that in the interface.

So I'm going to begin what's called Unified sniffing and what it's doing at this
point is just going out onto the wired network and seeing what hosts are out there

so that usually works pretty quickly.

So what I'm going to do now is I'm going to tell him OK now you sniffed find all
the hosts on this network and if we're lucky we should be able to find all of our
hosts.

Let's see what happens.

All right.

So it found three hosts.

So let's take a look on the host list here.

And there they are.

So now keep in mind the attacking machine does not show up on here.

So here's my router.

And here are my two windows systems.

So it does a really good job of sniffing just within this tool itself.

So what we're going to do now is we have to pick targets so in this case I'm going
to say target one is going to be the router and I'm going to pick the Windows 8
machine.

Nothing special about that.

And I'm going to make that target to.

So we got the program ready to do some man in the middle attacking the first thing
I'm going to ask this guy to do is what we call Mac spoofing.

In this case what we're going to do is we're going to lie to the switch and
basically tell the switch that we are the guy in between each one of these
connections.

So let's go and get him started.

So I'm going to tell him to go ahead and get started.

I could propagate this to other switches but in this case I only have one switch
that's built in to the SOHO router.

So I'm just going to hit OK.

Now I've went ahead and started the Mac spoofing.

So right now this system is sending out all kinds of traffic out onto my network
and going through Mac spoofing port stealing the exact same word.

The problem here is that what do you do with this data.

So basically anything that's going between this router and one of my Windows
systems is being sent over to this guy right here so what do you do with it.

Well that is the big issue of man in the middle attacks the number one function of
man in the middle attacks more than anything else is to garner data is to do data
exfiltration as they say we want to grab some of that data usernames passwords
images whatever we might want to grab.

So what's going to do the grabbing.

That can be a bit of an issue.

So one of the things we could use is for example wireshark so good old Wireshark.

Now one of the things you're going to see right here is you see all of these arps
and this is all this noise that's being generated by the attacking system and it's
creating all of these what are called gratuitous ARP addresses and it's going to go
ahead and confuse the bejesus out of the system.

So the thing you do have to watch out for is all of this noise that's going out.

Any good intrusion detection system would catch this and be very very nervous.

Now the other nice thing about tools like EDR cap is that EDR caps relieve you from
the need of having to use things like wireshark because EDR cap is a man in the
middle tool.

Not only will it go ahead and do the naughtiness for us but the other thing it will
do is begin looking at that data and grabbing stuff.

So what I want to do is I'm going to turn off the port stealing and we're going to
move it up to IP spoofing.
And in this case what we're going to be doing is an art poison.

Now keep in mind every IP system on a network has a cache of IP addresses to mac
addresses.

This is called their ARP cache.

So when we're arp poisoning what we're doing is we're going to tell our cap to
start lying to the other systems it's not saying anything to the switch.

It lies to the other systems.

So the other systems will think that a particular IP address or going to has this
mac address what they'll end up doing is that particular IP address is going to be
to the attackers address.

So let's go ahead and set up our poisoning.

OK so to set up our poisoning I've got my two targets and one I'm going to do now
is I'm going to start a man in the middle attack.

And I just go to our poison right here.

And I want to sniff both of the remote connections and I can also poison one way in
this case.

We want to be able to grab both sides of the conversation.

So I'm just going to hit.

OK.

This time with an ARP poisoned Let's go ahead and actually grab some traffic.

So what I'm going to do is this little router has a web interface like most of
these routers do.

And I'm going to go to one of these windows machines and just access this router.

So let's go ahead and do that.

I'm not on the Internet so it's not going to be happy.

And I know my router's address is 190 160 1.1

it so I actually hit the router right here.

Now what I need to do is log in to do anything.

Anybody can see this page but if I want to make any changes it's going to force me
to log in.

So I'm going to type in Bips new type in the username and the password

and I log in.

Now let's go jump over here.

Let's take a look at that.

Look what's happened here.

The moment I did this.

So let me get the right.

So you can see the username and my password is being captured by EDR cap.

This is a great example what makes EDR cap particularly convenient.

So not only does it do the poisoning for me but it also does the sniffing for me.

And it's also smart enough to know to look for usernames and passwords for common
protocols like DP or telnet or something like that.

So Edgar cap is very convenient because it does everything in one package but don't
think that all packages work this way.

It's just convenient that it does the attacking and it does a sniffing and then it
goes through the data and finds the stuff that we're looking for.

Normally this would be done with separate packages.

That's why I like enter cap.

So there's just one example of using art poison you know again Art poisoning is
very noisy.

It's actually sending out packets to the different targets lying to them so that
there are caches are confused.

But that works out pretty well and it does make a big pile a mess out there
unfortunately.

So what I'm going to do here is I'm going to do is a DHC piece spoofing.

So I'm going to start up the ACP and in essence he's going to pretend to be a DHP
server and I don't want to mess with anybody's IP addresses.

But what I am going to do instead is I'm going to mess with the DNS information and
I have to type in

the net mass because that's just how the program wants me to do it.

Now here I can type in any DNS server IP address so it's not going to take the
default DHP it's going to take whatever I put right here so I'll make something up

so I can put anything in here.

I'm going to hit.

OK.

And now it's going to start DHCP spoofing but only change the DNS information.

So what I've done now is every system on my network that uses DHCP I'm not messing
with its default gateway I'm messing with it's IP address.
I'm not Miskin with messing with it subnet mask.

All I'm doing is I'm telling them all a new DNS server that they didn't have
before.

So we could do a lot of cool DNS stuff with this.

Let me give you one quick example.

Once we'd gone ahead and poison the DNS using the DHC tool we can in essence spoof
DNS servers.

So for example one of the cool things I could do here is the next time somebody
opens up their web browser and they want to go to w w w dot whatever dot com.

If that system doesn't know the IP address for that web server it's going to go out
and send a DNS request.

Now what we could do is we could have a rogue DNS server on that particular IP
address.

So all the systems will go to that server and that particular server can point them
to someplace evil.

So we could have them type in WWII Google dot com.

And because their DNS servers are evil server we could send them to someplace
naughty.

And that's just one example of evil things you can do with DNS poisoning.

Now the exam covers a few other things that are kind of man in the middle a type of
attacks.

But in my opinion they're not.

But we're just going to go ahead mention them here.

Anyway one of the things that we run into is what we call you Arel highjacking
better known as typosquatting.

Now what we're talking about here is if somebody has a Web site like Google and
then somebody goes ahead

and gets the domain g o g g e l get the idea.

So because someone does a typo they will in essence be directed to someone else's
site.

It's not really injecting yourself in the middle of a conversation it's just
deflecting somebody to another place.

But it is considered man in the middle so we're going to go ahead and bring that up
as well.

So the other issue you can run into is called Domain highjacking domain highjacking
is simply somebody doesn't keep a domain updated.

I've done this myself.

I have so many you are Elle's that I keep around and there was a domain I had for a
long time and I just forgot to re up the domain the domain ran out and somebody
grabbed it really really quick and put a whole bunch of offensive material on
there.

And they said well we'll sell it back to you.

For a lot of money and I had to pay because it was really really offensive.

Now everything we've talked about so far is simply ways to get to a stream.

As a man in the middle attack we've had some reference to some of the things we can
do.

And one of the things we do is we scrape data and we try to get information.

And we saw that with EDR cap but there's some other stuff you can do.

So let's just take a moment and talk about what can we do once we're in the stream.

So you would think the most perfect thing you could always do with man in the
middle attacks is simply grab the data and look at it.

Well that is good.

And that's something we'd like to do a lot.

But the other thing you can do is do something what's called a replay attack.

This tends to be more convenient for secure communications.

So for example I've got some type of secure communication protocol between two
systems.

I'm not interested in reading their data.

What I'm interested in is getting the username and password now I'm not going be
able to get their password.

But the client in one particular example could be sending out a username and a
hash.

And if I get the username and a hash I have all the information so that later I can
replay that over to the server and log in as that person anytime I want.

That's the big danger to replay attacks once you get that information you can keep
logging in as many times as you want to do whatever you need to do replay attacks
even get into the world of certificates as well.

You can do a lot of interesting things with that but I'm going to save all of that
type of information for other episodes that specify exactly web pages.

So hang on to that one.

The other thing we can do is what's known as a downgrade attack.

This is particularly useful for things like web pages.

We've had a lot of different types of protocols started with good old SSL and
different versions of TLS.

And each one is better than the next.

But if I can make a client talk to a web server and go look I want a secure web
page but I can only do SSL.

That makes it a lot weaker than the more advanced version.

So if we have a web server that allows that to happen we can take advantage of that
via what's known as a downgrade attack.

Now the last thing I want to talk about is called session highjacking session
highjacking basically means two people are already talking.

They're already up and running.

They're communicating.

What I'm going to do is get in the middle of that communication and I'm going to
inject information in there and I'm going to be able to do naughty things now.

Session hijacking is a incredibly difficult tool to use because what you have to do
is take advantage of a real time connection that's taking place right now.

However there is a great simplified version of that and it's been around for years
and years and it's called Fire sheep.

So here's a picture of fire sheep right here.

All fire sheep does is it uses on unencrypted wireless connections.

It performs a session hijack and literally connects into whatever is taking place.

So here's a Facebook page that's being loaded.

And since I've already logged in I've just caught in the middle of the session I've
gone ahead and hijacked it.

I could even make changes to it.

So when it comes to man in the middle attack remember there's always going to be
two parts to the equation.

Number one what are you going to do to get into the stream.

And then number two what are you going to do with that data once you've got it.

There are two separate issues and they're handled quite differently.

To start a man-in-the-middle attack one must "get in the middle"

Once an attack is successful you must use all information obtained

The type of network can make the man-in-the-middle attack easier or more difficulr