Man-in-the-Middle Attack

by Oddacon T. Ripper

It's been so long since I first started using Linux: Slackware, Red Hat.

It was completely different than my Windows 98 "plug n' play," so installing it the first few times was a nightmare for me.  Getting on the Internet for the first time was like a miracle from God.

I had no idea what TCP/IP meant, or what a gateway was.  I was skeptical at first but, after I figured out my modem device, baud rate, flow control, and a few other things, I was online and in my old, grungy IRC channel.

I try to keep up with Internet security, but it's too hard.

Luckily, 2600 helps me out most of the time and, hopefully, I can help you out by showing you how to perform this "man-in-the-middle" attack using the BackTrack operating system.

I've seen a thousand different ways to do this so, the usual disclaimer: Don't do this, don't do that, educational purposes only, strictly for tightening the belt of our network!

What is a man-in-the-middle attack?  A man-in-the-middle attack is essentially placing your computer in between a host (the victim) and its destination.  So you're acting as a "man-in-the-middle," redirecting information from the victim to the destination.  What does this do?

Performing this "test" allows you to interfere with SSL connections and strip the SSL from the destination, so that you can view the data from the victim, such as inputs and other settings.

We will be using BackTrack to perform this task, as I have said.  BackTrack can be found at: remote-exploit.org/backtrack.html.  The operating system can be booted from virtual machines, CD-ROMs, USB devices, and more.

I currently use a virtual machine and a USB device.  The USB way is the simplest, so here's how to get BackTrack installed on your computer using a USB device (assuming you're running Windows).

First, you will need a USB device.  It should be at least a gigabyte, because BackTrack's ISO image is about 800 megabytes and, if you download BackTrack 4 pre-final (the one with all the tools), it's over a gigabyte.  After you have a USB drive, you need to download BackTrack's ISO image.

Visit BackTrack's download page at: remote-exploit.org/backtrack_download.html.  I suggest getting BackTrack 4 pre-final because it comes with all the tools we will be using.  You can download it from the official download page or do a torrent search for BackTrack 4 pre-final (bt4-pre-final.iso).

Now, while you're downloading the ISO image, you will need to pick up a tool to burn the image to the USB device.  You can use a tool like ISO Buster, or UNetbootin.  I use UNetbootin, so I would recommend downloading that.  You can find it at: unetbootin.github.io

Once you have UNetbootin and the BackTrack ISO image, plug your USB drive into the computer and open up UNetbootin.  Select the option "Diskimage" and browse for the ISO image file you just downloaded.

UNetbootin should have recognized your USB drive and have it selected in the drop-down list box, down at the bottom.  After you have selected the ISO image file and have the USB drive ready to go, hit the O.K. button and BackTrack will be installed on your USB drive.

To perform this man-in-the-middle attack, we will also be using the tool SSLStrip, which can be found at: thoughtcrime.org/software/sslstrip

(If you are using BackTrack 4 pre-final, it is pre-installed).

What SSLStrip does is listen on a numbered port and then strip the SSL connection, before passing it back to the victim.  Before we get to SSLStrip, though, we first need to redirect the traffic using the tool arpspoof, which can be found at: monkey.org/~dugsong/dsniff

arpspoof will pick out HTTP and HTTPS traffic from the network and redirect the data to a numbered port.  Finally, after redirecting the traffic, you can extract the needed data using SSLStrip.

Now that you have BackTrack installed on the USB drive, reboot your computer and select from the boot menu the USB drive which you have installed BackTrack on.

Boot up and type in your username and password.

By default:

Login: root 
Password: toor

If you're new to BackTrack, and I imagine you are, go ahead and start up a GUI using the startx command, and wait for BackTrack to load up.

Now assuming you already have an Internet account, wireless- or Ethernet-based, you can start networking by opening a shell and typing either:

# /etc/init.d/networking start

  or

# dhclient

This will configure your networking interface.

You can then view the appropriate connection by typing in ifconfig for Ethernet cards or iwconfig for wireless cards.

For example, I type ifconfig eth0 up, which configures BackTrack to use my Ethernet connection.  There are other ways to configure your network and gain Internet access.

For more information, check out the BackTrack Forums at: forums.remote-exploit.org

Alrighty, now that you have set up BackTrack, you need to set up your machine to act as a router so that it can accept connections and forward traffic from the victim to the destination.

First you need to set a port to receive any data coming in on port 80.  Let's use port 8080.

The file we will be changing is /etc/etter.conf or /etc/ettercap/etter.conf.

To set the port to 8080, open a shell and type:

# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

You can also type vi /etc/etter.conf, which will open the program Vim and the file etter.conf.

Scroll down to where it says:

#####################################
#       redir_command_on/off
#####################################
# you must provide a valid script for your operating system in order to have
# the SSL dissection available
# note that the cleanup script is executed without enough privileges (because
# they are dropped on startup). so you have to either: provide a setuid program
# or set the ec_uid to 0, in order to be sure the cleanup script will be
# executed properly
# NOTE: the script must fit into one line with a maximum of 255 characters

#---------------
#     Linux
#---------------

#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp -d %destination --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp -d %destination --dport %port -j REDIRECT --to-port %rport"

Below the Linux heading, you can also edit the redirect port in those two lines to 8080, or whatever port you may choose.

Now we have established that any traffic coming in on port 80 will be redirected to 8080, which is important in later steps because SSLStrip will be listening on that particular port (8080).

Now we want to allow connections to be forwarded through our computer.  So to forward the traffic through the system, in the shell type:

# echo "1" > /proc/sys/net/ipv4/ip_forward

which will allow connections to be received and then forwarded on.
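The two settings just described (a NAT PREROUTING rule that REDIRECTs port 80 to a local port, plus ip_forward set to 1) are exactly what an administrator would look for when checking whether a host on the network has been turned into a transparent interceptor.  The following audit script is an added example, not code from the article or from any of the tools it mentions; it parses the text that iptables-save and cat /proc/sys/net/ipv4/ip_forward print, and the inputs embedded here are constructed samples so it runs offline.  The function names (find_redirects, audit_host) and the sample rule set are assumptions of this example.

```python
"""Host audit for the redirect-plus-forwarding setup described above.
Added example, not from the article or from any of the tools it mentions.

A machine that has both IP forwarding on and a NAT PREROUTING rule that
REDIRECTs port 80 (or 443) to a local port is configured as a transparent
interceptor. The inputs below are constructed samples; a real audit would
collect them from each host with `iptables-save` and
`cat /proc/sys/net/ipv4/ip_forward` (or via configuration management).
"""
import re

# Constructed sample output of `iptables-save` on a host set up as in the article.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
# Constructed sample of `cat /proc/sys/net/ipv4/ip_forward` on the same host.
SAMPLE_IP_FORWARD = "1\n"

# iptables-save writes REDIRECT rules as "--to-ports N"; accept "--to-port" too.
REDIRECT_RULE = re.compile(
    r"^-A PREROUTING\b.*--dport (\d+)\b.*-j REDIRECT --to-ports? (\d+)")


def find_redirects(iptables_save_text):
    """Return [(original port, local port)] for REDIRECT rules in the nat table."""
    redirects = []
    table = None
    for line in iptables_save_text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()       # table header, e.g. "*nat"
            continue
        if table != "nat":
            continue
        m = REDIRECT_RULE.match(line)
        if m:
            redirects.append((int(m.group(1)), int(m.group(2))))
    return redirects


def audit_host(iptables_save_text, ip_forward_text, web_ports=(80, 443)):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    forwarding = ip_forward_text.strip() == "1"
    redirects = [(p, r) for p, r in find_redirects(iptables_save_text)
                 if p in web_ports]
    for port, local in redirects:
        findings.append(f"NAT PREROUTING redirects tcp/{port} to local port {local}")
    if forwarding and redirects:
        findings.append("ip_forward=1 together with a web-port REDIRECT: "
                        "host is set up as a transparent interceptor")
    elif forwarding:
        findings.append("ip_forward=1: host forwards packets (expected only on routers)")
    return findings


if __name__ == "__main__":
    for finding in audit_host(SAMPLE_IPTABLES_SAVE, SAMPLE_IP_FORWARD):
        print("FINDING:", finding)
```

On a fleet, the same two commands can be collected by whatever configuration-management tool is in use and fed through audit_host; any workstation that reports the combined finding deserves a closer look, since only routers and deliberate proxies should forward packets.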

Finally we start the man-in-the-middle attack!

We will use arpspoof here, which will keep us hidden from the victim, allowing us to become any IP address on the local network.  Now I have not selected a victim yet, so I will use a random IP address for show.

So in the shell type:

# arpspoof -i eth0 -t 192.168.1.17 192.168.1.1

-i means interface, and eth0 is the interface that I am using; yours may be different.  wlan0 is another common one.

-t means the target IP address, 192.168.1.17, and 192.168.1.1 is the gateway that we want to disguise ourselves as.  If this works, you will see in the shell the gateway 192.168.1.1 being advertised with our computer's MAC address.

Essentially, we have now done the attack!
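What arpspoof sends is a stream of forged ARP replies that map the gateway's IP to a different MAC address, and that is also what gives it away on the wire.  The detector below is an added example, not code from the article or from dsniff: it watches a sequence of (sender IP, sender MAC) pairs taken from ARP replies and raises an alert when the gateway's MAC changes or when one MAC starts answering for several IP addresses.  The reply list, the gateway address 192.168.1.1 (reused from the article) and the spoofer's MAC de:ad:be:ef:00:01 are constructed sample data; the function name detect_arp_spoofing is an assumption of this example.

```python
"""ARP-spoof detector: added example, not part of the article or of dsniff.

Two LAN-side symptoms of the poisoning described above: the gateway IP
suddenly resolving to a different MAC, and a single MAC claiming several
IPs at once. A real monitor would feed in replies from a packet capture;
the list below is a constructed sample.
"""
from collections import defaultdict

# Constructed sample of (sender IP, sender MAC) pairs seen in ARP replies.
# The first three are legitimate; the last two come from a spoofing host
# (hypothetical MAC de:ad:be:ef:00:01) claiming both the gateway and a client.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:55"),
    ("192.168.1.17", "aa:bb:cc:dd:ee:17"),
    ("192.168.1.1", "00:11:22:33:44:55"),
    ("192.168.1.1", "de:ad:be:ef:00:01"),
    ("192.168.1.17", "de:ad:be:ef:00:01"),
]

GATEWAY_IP = "192.168.1.1"


def detect_arp_spoofing(replies, gateway_ip, known_gateway_mac=None):
    """Return a list of alert strings for the given ARP reply stream.

    known_gateway_mac: a trusted MAC for the gateway recorded out of band
    (router label, static ARP entry). If None, the first MAC seen for the
    gateway becomes the baseline, which only works if monitoring started
    before the poisoning did.
    """
    alerts = []
    ips_by_mac = defaultdict(set)
    baseline = known_gateway_mac.lower() if known_gateway_mac else None

    for ip, mac in replies:
        mac = mac.lower()

        # Check 1: has the gateway's MAC changed from the baseline?
        if ip == gateway_ip:
            if baseline is None:
                baseline = mac
            elif mac != baseline:
                alerts.append(f"gateway {ip} moved from {baseline} to {mac}")

        # Check 2: is one MAC now claiming more than one IP address?
        newly_seen = ip not in ips_by_mac[mac]
        ips_by_mac[mac].add(ip)
        if newly_seen and len(ips_by_mac[mac]) > 1:
            claimed = ", ".join(sorted(ips_by_mac[mac]))
            alerts.append(f"{mac} claims multiple IPs: {claimed}")

    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, GATEWAY_IP):
        print("ALERT:", alert)
```

Passing a trusted known_gateway_mac is the stronger configuration, because a trust-on-first-use baseline is only as good as the first reply the monitor happened to see.  The same two checks are what switch-side Dynamic ARP Inspection and static ARP entries for the gateway enforce without needing a monitor at all.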

SSLStrip will redirect the traffic from the victim and send the data which was supposed to be encrypted to the destination and to us.  Now it's just a matter of waiting for the right data, like HTTPS, which is used for inputs like webmail and signing in and out of accounts, to come in.
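The reason this works at all is that the victim's browser sends its first request over plain HTTP and the proxy rewrites every https:// link it relays to http://.  The server-side countermeasure is HTTP Strict Transport Security (RFC 6797): once a browser has received the header over HTTPS, it refuses plain HTTP for that host for max-age seconds, so the downgrade never reaches the server.  The checker below is an added example, not code from the article or from the SSLStrip project: it parses a Strict-Transport-Security header and grades whether a returning browser would resist the downgrade, going slightly beyond the basic case by also scoring includeSubDomains and preload.  The header sets are constructed samples, and the function names parse_hsts and hsts_assessment are assumptions of this example.

```python
"""HSTS check: added example, not part of the article or of SSLStrip.

Given the response headers a site sends over HTTPS, decide whether a browser
that has visited it once will refuse the plain-HTTP downgrade that SSL
stripping depends on. The header dicts at the bottom are constructed
samples; a real check would take them from a live HTTPS response.
"""

ONE_YEAR = 31536000  # minimum max-age (seconds) the browser preload list requires


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict, or return
    None when browsers would ignore it (no numeric max-age directive)."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def hsts_assessment(headers):
    """Return (protected, reason) for a dict of response headers.

    protected is True when a returning browser would refuse the HTTP
    downgrade; the reason says what is still missing, if anything."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "no Strict-Transport-Security header; every visit can be stripped"
    policy = parse_hsts(value)
    if policy is None:
        return False, "malformed HSTS header (no numeric max-age); browsers ignore it"
    if policy["max_age"] == 0:
        return False, "max-age=0 tells browsers to forget the policy"
    if policy["max_age"] < ONE_YEAR:
        return True, f"max-age {policy['max_age']}s is short; policy lapses between visits"
    if not policy["include_subdomains"]:
        return True, "host covered, but subdomains can still be stripped"
    if not policy["preload"]:
        return True, "host and subdomains covered; first-ever visit still exposed without preload"
    return True, "host and subdomains covered and eligible for preload"


# Constructed samples: a bare site, a weak policy and a hardened one.
NO_HSTS = {"Content-Type": "text/html"}
WEAK_HSTS = {"Strict-Transport-Security": "max-age=300"}
STRONG_HSTS = {"strict-transport-security":
               "max-age=63072000; includeSubDomains; preload"}

if __name__ == "__main__":
    for name, hdrs in [("bare", NO_HSTS), ("weak", WEAK_HSTS), ("strong", STRONG_HSTS)]:
        print(name, hsts_assessment(hdrs))
```

The caveat the assessment spells out matters for the attack described in this article: HSTS only helps a browser that has already seen the site over HTTPS, so a first visit is still exposed unless the domain is in the browsers' built-in preload list.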

Once the victim has checked his or her e-mail (Gmail, Facebook, PayPal, etc.), SSLStrip will log the data and we can view it in another shell, because you want to continue to "poison" the IP address in the first window.

So open a new shell and type:

# sslstrip -a -l 8080

-a means it will log all data.

-l means it will log all HTTP and HTTPS data on the port we have specified, 8080.

To view, simply open a new shell and type cat sslstrip.log, which is the default log file SSLStrip makes.

Or you can just go to your SSLStrip directory and open sslstrip.log.

Look for text like: sign-in, username, password, passwd, value

Nonetheless, you should still have data in your log file.

You don't have to use SSLStrip.  You can also use Ettercap to view the data.

Open a new shell and type:

# ettercap -T -i eth0  # or your corresponding interface

-T means text only and -i means the interface.

This should bring the data right into the shell window, if done properly.
