Saturday, 9 May 2015

Man-In-The-Middle Attack using Arpspoof in Kali Linux

Consider the following scenario:

There is a LAN which is connected to the Internet through a router, 'Gateway'. There is a machine 'Victim' on the LAN, which reaches the Internet through the 'Gateway'. There is a machine 'Attacker' on the LAN, which will launch a 'man-in-the-middle' attack against 'Victim' and 'Gateway'. All communication between 'Victim' and 'Gateway' will pass through the 'Attacker'.


How will the Attacker do this?

'Attacker' will send 'Victim' false ARP replies claiming that it is 'Gateway'. And
'Attacker' will send 'Gateway' false ARP replies claiming that it is 'Victim'.

'Victim' will make a wrong entry in its ARP cache, associating 'Gateway's IP address' with 'Attacker's MAC address'.
Similarly,
'Gateway' will make a wrong entry in its ARP cache, associating 'Victim's IP address' with 'Attacker's MAC address'.

So, when 'Victim' sends data to 'Gateway's IP address', the data is delivered to 'Attacker's MAC address'. The 'Attacker' examines the data and then forwards it to 'Gateway'.
Similarly,
When 'Gateway' sends data to 'Victim's IP address', the data is delivered to 'Attacker's MAC address'. The 'Attacker' examines the data and then forwards it to 'Victim'.

Because the attack works by planting false entries in the ARP caches, it is also called 'ARP Spoofing' or 'ARP Cache Poisoning'.

When the Victim sends data to the Gateway, the data goes to the Attacker first. The Attacker examines the data for any usernames or passwords sent in plain text, and then forwards the packet to the 'Gateway' to be sent on to the Internet. Similarly, the replies from the Internet, sent by the 'Gateway' to the 'Victim', pass through the 'Attacker'.
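The mechanism described above leaves two traces that can be seen on the wire: a known IP address (the Gateway's) suddenly resolving to a different MAC, and a single MAC answering for more than one IP (the Attacker posing as both Gateway and Victim). The following Python script is an added example, not code from the original post: it parses raw Ethernet II / ARP frames in the RFC 826 layout and raises an alert on either symptom. The IP addresses, MACs and frames in it are constructed for the demo, and nothing is transmitted.

```python
"""Detect ARP cache poisoning from a stream of captured ARP frames.

Added example, not code from the original post. It parses raw Ethernet II /
ARP frames (RFC 826 layout) and flags the two symptoms of the attack described
above: an IP address whose MAC suddenly changes (the Victim's view of the
Gateway) and one MAC that claims several IP addresses (the Attacker posing as
both Gateway and Victim). All addresses and frames below are constructed for
the demo; nothing is sent on the wire.
"""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or
    None if the frame is not an Ethernet II ARP frame for IPv4."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP payload
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return (oper, mac_str(body[0:6]), ip_str(body[6:10]),
            mac_str(body[10:16]), ip_str(body[16:20]))


def demo_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed test fixture: an in-memory ARP reply frame (never sent)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


class ArpMonitor:
    """Tracks sender IP -> MAC bindings from ARP replies. Bindings can be
    pinned up front (typically the gateway); others are learned on first
    sight and never overwritten, so every later conflict is reported."""

    def __init__(self, pinned=None):
        self.bindings = dict(pinned or {})    # ip -> mac
        self.ips_per_mac = defaultdict(set)   # mac -> {ip, ...}
        for ip, mac in self.bindings.items():
            self.ips_per_mac[mac].add(ip)
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        parsed = parse_arp_frame(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return
        _, sha, spa, _, _ = parsed
        known = self.bindings.get(spa)
        if known is None:
            self.bindings[spa] = sha
        elif known != sha:
            self.alerts.append(f"MAC change for {spa}: {known} -> {sha}")
        self.ips_per_mac[sha].add(spa)
        if len(self.ips_per_mac[sha]) > 1:
            ips = ", ".join(sorted(self.ips_per_mac[sha]))
            self.alerts.append(f"{sha} claims multiple IPs: {ips}")


# Constructed demo addresses (not from the original post).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00:11:22:33:44:10"
ATTACKER_MAC = "00:11:22:33:44:99"


def run_demo():
    """Replay the scenario from the post against the monitor and return
    the alerts it raised."""
    mon = ArpMonitor(pinned={GATEWAY_IP: GATEWAY_MAC})
    frames = [
        demo_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # genuine reply
        demo_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # "I am Gateway" to Victim
        demo_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP), # "I am Victim" to Gateway
    ]
    for frame in frames:
        mon.observe(frame)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT:", alert)
```

The monitor deliberately keeps the first (or pinned) binding instead of following the newest reply, which is the opposite of what an ARP cache does; that is what makes every subsequent spoofed reply visible rather than silently accepted. On a real segment the same logic would be fed frames from a capture file or a raw socket.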


Perform the following steps on the 'Attacker' machine:

1) Tell the 'victim' that we are 'gateway'. Open a terminal window and type the below command:
    arpspoof -i eth0 -t victimIP gatewayIP

2) Tell the 'gateway' that we are 'victim'. Open a terminal window and type the below command:
    arpspoof -i eth0 -t gatewayIP victimIP

3) Enable IP forwarding in the kernel. Open a terminal window and type the below command:
    sysctl -w net.ipv4.ip_forward=1

4) Ensure that forwarded packets are allowed through by the firewall.

5) Capture HTTP, FTP and Telnet plain-text usernames and passwords using 'Wireshark'.
In this tutorial, we will use 'Wireshark' to capture the username and password when a user logs in to a website over HTTP.


5.1)  Start Wireshark
Click Applications -> Kali Linux -> Top 10 Security Tools -> Wireshark

5.2) Select the interface and start the capture
Click Capture -> Interfaces. Select eth0 and press the Start button.

Wireshark has now started capturing packets.

5.3) Tell Wireshark to show only HTTP data.
In the Filter: box, write http

5.4) The screenshot below shows the captured data: username 'shabbir' and password 'admin'.
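Steps 1 to 4 leave the Victim's ARP cache holding the Attacker's MAC address for the Gateway's IP address, and the spoofed replies keep refreshing that entry. The following Python script is an added example, not part of the original post: it parses the output of the Linux `ip -4 neigh show` command, compares the gateway entry with a MAC address pinned by the administrator, and, where the entry is correct but still dynamic, prints the `ip neigh replace ... nud permanent` command that makes it static. The sample table output, IP addresses and MACs are constructed for the demo.

```python
"""Check a host's ARP cache for a poisoned gateway entry.

Added example, not code from the original post. It parses the output format
of `ip -4 neigh show` (Linux iproute2) and compares the gateway's entry with a
MAC address pinned beforehand. The sample output, addresses and MACs are
constructed for the demo; on a real host feed it the output of
subprocess.run(["ip", "-4", "neigh", "show"], capture_output=True, text=True).
"""
import re

# One line per neighbour: "<ip> dev <dev> [lladdr <mac>] <STATE>"
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)"
    r"(?: lladdr (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}))?"
    r" (?P<state>[A-Z]+)$"
)


def parse_neigh_table(output: str) -> list:
    """Parse `ip -4 neigh show` output; lines that do not match are skipped."""
    entries = []
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def check_gateway(output: str, gateway_ip: str, pinned_mac: str):
    """Return (ok, message). ok is False when the gateway entry is missing,
    unresolved, or carries a MAC other than the pinned one."""
    for e in parse_neigh_table(output):
        if e["ip"] != gateway_ip:
            continue
        if e["mac"] is None:  # FAILED / INCOMPLETE entries carry no lladdr
            return False, f"gateway {gateway_ip} unresolved (state {e['state']})"
        if e["mac"].lower() != pinned_mac.lower():
            return False, (f"gateway {gateway_ip} resolves to {e['mac']}, "
                           f"expected {pinned_mac}: possible ARP cache poisoning")
        if e["state"] != "PERMANENT":
            return True, (f"gateway MAC matches but the entry is {e['state']} and "
                          f"can still be overwritten; pin it with: ip neigh replace "
                          f"{gateway_ip} lladdr {pinned_mac} nud permanent dev {e['dev']}")
        return True, "gateway entry is pinned and correct"
    return False, f"no cache entry for gateway {gateway_ip}"


# Constructed sample outputs (not real captures).
CLEAN_TABLE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.50 dev eth0 FAILED
"""
POISONED_TABLE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:99 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
"""

if __name__ == "__main__":
    for name, table in (("clean", CLEAN_TABLE), ("poisoned", POISONED_TABLE)):
        ok, msg = check_gateway(table, "192.168.1.1", "00:11:22:33:44:01")
        print(f"{name}: {'OK' if ok else 'ALERT'} - {msg}")
```

A static (PERMANENT) entry is the host-side countermeasure to the replies sent in steps 1 and 2: the kernel stops updating it from unsolicited ARP traffic, so the Gateway's IP keeps resolving to the real Gateway MAC. The check only covers one host; the wire-level monitor above the step list covers the segment.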



