Man in the middle attacks are a big issue in today's IT security world, so that's what we're going to be doing in this episode. First of all, let's make sure we know what a man in the middle attack is. On the internet, on any TCP/IP network, you have some type of communication going on between two computers: you might have a web browser accessing a web page, an SSH client accessing an SSH server, or a computer accessing shared folders on another computer. It doesn't matter what protocol or application is involved. In almost every situation, we have a session going on between two computers.
And a man in the middle attack is simply a third party sneaking in between those two parties and doing whatever evil they're going to do. So when we're talking about a man in the middle attack, there are two big parts to it. Number one, you have to get into the middle, and how you do that depends on the technology in use; we're going to get into that. The second issue is, okay, now that you're in the stream, now that you're in the middle of that conversation, what are you going to do with it?
So, to help us out, what I want to do is give you a kind of a setup, and that's what I've got all these computers here for. If we take a look over here, what I have are two virtual machines. This machine right here is running Windows 8, and it's on 192.168.1.190. Over here is a Windows 10 machine, and it's on 192.168.1.146. You'll notice that both of them have 192.168.1.1 as their default gateway.
So what I have is this little home router right here. It's a DHCP server handing out 192.168.1.x addresses, and it's going to be acting as our gateway. Now, in this particular episode, I want to keep things a little bit simpler, so we're all going to be on one network. The fun part is over here: on this laptop I'm running a very famous Linux distribution called Kali. Kali is kind of like your best friend when it comes to all kinds of fun security things; it's a big pile of fun toys all in one package.
If you take a look right here, right now I don't have anything exciting running on it other than this. You can see that it is also on our network; it's 192.168.1.107, and I can talk to both the router and my two virtual machines from this box. So let's go ahead and draw up what we have. We've got our two Windows machines: the Windows 8 machine is 192.168.1.109.
And then we have the Windows 10 machine, which is 192.168.1.146. We've also got a router in here: the router is 192.168.1.1, and it's handing out DHCP. And we have our attack machine, which is this Kali Linux box, and at least for right now it's 192.168.1.107. They're all on the same network. Okay, so our first job with man in the middle attacks is to get into the middle somehow. As the attacker, we have to be able to see the stream as it goes back and forth between the two systems.
Now, the first way to do this is on a wireless network, and wireless is fantastic for the attacker, because on an unencrypted 802.11 network the air is completely open for anybody to read anything they want. So I could take a laptop like this, plug in the right type of wireless network card, put that card into monitor mode (what people loosely call promiscuous mode), and just grab everybody's packets. I can start sniffing, as they say, capturing all of these packets, and I get all the information; I am in essence in between the streams on that wireless network. Now, 802.11 does have some protection. If you use WPA or WPA2, first of all, the encryption itself will certainly make that a lot harder. Even with encryption there are sometimes ways to decrypt, but WPA and WPA2 also give you isolation.
So each computer on that wireless SSID connects to the access point, but its traffic is encrypted with its own pairwise key, so the other clients can't read it. That's very beneficial. (The caveat is that with a pre-shared key, anyone who knows the passphrase and captures a client's handshake can derive that client's key, which is exactly what Wireshark's WPA decryption relies on.) WEP is still a problem here: with WPA and WPA2 you get a separate key per client, but with WEP everybody shares one key, so anyone on the network can decrypt everybody else's traffic. Yet one more reason to stop using WEP. It doesn't stop with 802.11 though. Bluetooth is also susceptible to man in the middle attacks.
Bluetooth does have encryption built in, but it also counts on short range and short-lived connections to make man in the middle attacks hard. The other problem child is NFC. With NFC communication, what you have is a device, something like Apple Pay on a smartphone, with a chip inside, and it also counts on the fact that it has to be extremely close to the other side of the conversation in order to work. So we do have these issues with all types of wireless, but unencrypted 802.11 is certainly the biggest problem of all.
Now, if you're using wireless, you've probably already got about half the battle taken care of: all you need is a card that listens for all the packets and starts pulling them in. However, on a wired network, things change dramatically; a wired man in the middle attack gets a lot trickier. On a wired network, the switch forwards frames based on MAC addresses, and the hosts decide where to send based on IP addresses and on what their ARP cache and DNS tell them. So if we're going to do man in the middle on a wired network, we're going to have to enter the magical world of spoofing.
So when we talk about spoofing, we're talking about making the attacker's address look like one of the victims' addresses. For example, I could spoof MAC addresses: in essence, tell the switch that this computer over here actually has that MAC address, so send the data to me. We can also do what the speaker calls IP spoofing and what is more precisely ARP spoofing: we tell one of the end computers, or both of them, go ahead and send it to me, and then I pass it on to the next guy. We can also use DNS to send people to the wrong place. So what I want to do is go ahead and play with this a little bit.
And to do this, we're going to use a wonderful program called ettercap. This is an old program; it's been around for a long time, and it's free. It is marketed as a penetration testing tool, but it's actually a lot of things in one. ettercap is going to do the spoofing for me with different functions it calls poisonings, and not only that, it will also grab the data for me.
And it will look through the data to pull out the type of information I want. So we're going to keep it a little bit simple here, but let me show you ettercap at work. One of the reasons I like Kali Linux so much is that it comes with so many handy tools, and one of those tools is ettercap. So let's go ahead and get it started up. You can see how Kali does such a nice job of putting everything where it's easy to find.
So here, under Sniffing & Spoofing, ettercap is one of many, many handy programs. Let's go ahead and get it started. Now let's take a minute and look at our whole setup one more time. What we're going to be doing here is man in the middle attacks between our router and one of the Windows systems. So I need to get ettercap set up in such a way that it can do that, and ettercap is designed for man in the middle.
So it'll say, give me who I'm attacking on one side, give me the target on the other, and then tell me what you want to do, and we'll see that in the interface. I'm going to begin what's called unified sniffing, which at this point just puts ettercap on the wired network looking at what hosts are out there. That usually works pretty quickly. So what I'm going to do now is tell it, okay, now scan for hosts.
Find all the hosts on this network, and if we're lucky, we should find all of ours. Let's see what happens. Alright, it found three hosts, so let's take a look at the host list. There they are. Keep in mind, the attacking machine does not show up here.
So here's my router, and here are my two Windows systems. It does a really good job of discovery just within the tool itself. Now we have to pick targets. In this case, I'm going to make the router Target 1, and I'm going to pick the Windows 8 machine, nothing special about that choice, and make it Target 2.
So the program is ready to do some man in the middle attacking. The first thing I'm going to ask it to do is what we'd call MAC spoofing; ettercap calls it port stealing. In this case, we're going to lie to the switch and basically tell it that we are the guy in between each of these connections. So let's get it started. I could have it propagate this to other switches, but in this case I only have the one switch, the one built into the SOHO router.
So I'm just going to hit OK. I've started the MAC spoofing, so right now this system is sending out all kinds of traffic onto my network; MAC spoofing and port stealing are the exact same thing here. The problem is, what do you do with this data? Basically, anything going between this router and one of my Windows systems is now being sent over to this guy right here. So what do you do with it? Well, that is the big issue of man in the middle attacks.
The number one function of man in the middle attacks, more than anything else, is to garner data, to do data exfiltration as they say: we want to grab some of that data, usernames, passwords, images, whatever we might want. So what's going to do the grabbing? Well, that could be a bit of an issue. One of the things we could use is, for example, Wireshark. So, good old Wireshark. One of the things you're going to see right here is all of these ARPs, and this is all noise being generated by the attacking system: it's creating all of these what are called gratuitous ARP replies.
And it's going to confuse the bejesus out of the switch. So the thing you do have to watch out for is all of this noise going out: any good intrusion detection system would catch this and be very, very nervous. Now, the other nice thing about tools like ettercap is that ettercap relieves you of the need to use things like Wireshark, because ettercap is a man in the middle tool: not only will it do the naughtiness for us, but it also starts looking at that data and grabbing stuff. So what I want to do is turn off the port stealing and move up to what the menu calls IP spoofing, and in this case what we're actually going to be doing is an ARP poison. Now, keep in mind, every IP system on a network has a cache of IP address to MAC address mappings.
This is called the ARP cache. So when we're ARP poisoning, we're telling ettercap to start lying to the other systems; it's not saying anything to the switch, it lies to the hosts so that they think a particular IP address has the attacker's MAC address. So let's set up our poisoning. Okay, I've got my two targets, and I'm going to start a man in the middle attack; I just go to ARP poisoning right here. I want "Sniff remote connections" checked, and I do not want "Only poison one-way", because in this case we want to grab both sides of the conversation.
So I'm just going to hit OK. This time, with the ARP poison, let's go ahead and actually grab some traffic. This little router has a web interface like most of these routers do, and I'm going to go to one of the Windows machines and just access this router. So let's do that. I'm not on the internet, so it's not gonna be happy.
And I know my router's address is 192.168.1.1. Alright, so I've actually hit the router right here. Now, I need to log in to do anything; anybody can see this page, but if I want to make any changes, it's going to force me to log in. So I'm going to type in, whoops, type in the username and the password. And I'm logged in. Now let's jump over here and take a look at ettercap.
Look what happened the moment I did this. Let me get to the right spot. You can see the username and my password being captured by ettercap. This is a great example of what makes ettercap particularly convenient: not only does it do the poisoning for me, it also does the sniffing for me, and it's smart enough to look for usernames and passwords in common cleartext protocols like HTTP, FTP, or telnet. It can only do that because this router's login goes over plain HTTP; a properly configured HTTPS login would hand ettercap nothing readable.
So ettercap is very convenient, because it does everything in one package. But don't think all packages work this way; it's just convenient that it does the attacking, does the sniffing, and then goes through the data and finds the stuff we're looking for, where normally this would be done with separate tools. That's why I like ettercap. So that's one example of using ARP poisoning. Again, ARP poisoning is very noisy: it's actively sending packets to the targets, lying to them so their ARP caches are confused, but it works out pretty well.
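To make the ARP poison concrete, here is an added example that is not from the episode or from ettercap. It builds the same kind of forged ARP reply ettercap sends ("192.168.1.1 is at the attacker's MAC"), parses it back out of the frame, and then runs an arpwatch-style check of the sort an IDS uses: remember the first MAC seen for each IP and alert when a later reply claims that IP with a different MAC. The IPs are the lab addresses from the episode; the MAC addresses are made up.

```python
import struct

# Lab addresses from the episode; the MAC addresses are assumed for this example.
ROUTER_IP, ROUTER_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.190", "aa:bb:cc:00:00:02"   # the Windows 8 VM
ATTACKER_MAC = "de:ad:be:ef:01:07"                             # the Kali box

ARP_REPLY = 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_ip, sender_mac, target_ip, target_mac):
    """Ethernet frame carrying an ARP reply that says 'sender_ip is at sender_mac'.
    A poisoned reply names the victim's real peer IP but the attacker's MAC."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"   # dst, src, EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)            # Ethernet, IPv4, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {"opcode": opcode,
            "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
            "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20])}


class ArpWatch:
    """arpwatch-style detector: remember the first MAC seen for each IP and
    alert when a later reply claims the same IP with a different MAC."""

    def __init__(self):
        self.bindings = {}
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["opcode"] != ARP_REPLY:
            return
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.bindings.setdefault(ip, mac)
        if known != mac:
            self.alerts.append((ip, known, mac))


def run_demo():
    """Legitimate replies first, then the two poison replies a two-way ARP
    poison sends. Returns the alerts the watcher raised."""
    legit = [build_arp_reply(ROUTER_IP, ROUTER_MAC, VICTIM_IP, VICTIM_MAC),
             build_arp_reply(VICTIM_IP, VICTIM_MAC, ROUTER_IP, ROUTER_MAC)]
    poison = [build_arp_reply(ROUTER_IP, ATTACKER_MAC, VICTIM_IP, VICTIM_MAC),  # victim: "router is at attacker"
              build_arp_reply(VICTIM_IP, ATTACKER_MAC, ROUTER_IP, ROUTER_MAC)]  # router: "victim is at attacker"
    watch = ArpWatch()
    for frame in legit + poison:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for ip, old, new in run_demo():
        print(f"ALERT: {ip} moved from {old} to {new}")
```

Note the detector's blind spot: it trusts whatever binding it sees first, so a poison that starts before the watcher has learned the real mapping goes unnoticed. Real deployments seed the table from a known-good inventory or from DHCP snooping for that reason.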
And it does make a big pile of mess out there, unfortunately. So what I'm going to do now is DHCP spoofing. I'm going to start up ettercap's DHCP spoofing, and in essence it's going to pretend to be a DHCP server. I don't want to mess with anybody's IP addresses, but what I am going to do instead is mess with the DNS information.
I have to type in the netmask, because that's just how the program wants it. Now here I can type in any DNS server IP address, so clients aren't going to take the DNS server the real DHCP server hands out, they're going to take whatever I put right here, so I'll make something up. I hit OK, and now it's DHCP spoofing but only changing the DNS information. So what I've done now is, for every system on my network that uses DHCP, I'm not messing with its default gateway, its IP address, or its subnet mask. All I'm doing is telling them all about a new DNS server they didn't have before. Keep in mind this only works when the rogue offer beats the real server's, and clients that already have a lease won't see it until they renew.
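Here is an added example, not from the episode or from ettercap, of what that rogue offer looks like and how a DHCP-snooping style monitor spots it. It assembles a minimal DHCPOFFER (BOOTP header plus the options ettercap's dialog asks for: netmask, router, DNS), parses the option area back out, and checks the server identifier and DNS option against the trusted values. The legitimate offer uses the episode's router; the rogue one assumes the attacker's Kali address as both server identifier and DNS server, which is an assumption, since the episode only says the DNS value was made up.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_NETMASK, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
DHCP_OFFER = 2


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_dhcp_offer(client_ip, server_id, router, dns_servers,
                     netmask="255.255.255.0", xid=0x1337):
    """Minimal DHCPOFFER: 236-byte BOOTP header, magic cookie, then TLV options."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # BOOTREPLY, Ethernet, hlen, hops, xid, secs, flags
    header += ip_bytes("0.0.0.0") + ip_bytes(client_ip)        # ciaddr, yiaddr
    header += ip_bytes(server_id) + ip_bytes("0.0.0.0")        # siaddr, giaddr
    header += bytes(16) + bytes(64) + bytes(128)               # chaddr, sname, file
    options = MAGIC_COOKIE
    options += bytes([OPT_MSG_TYPE, 1, DHCP_OFFER])
    options += bytes([OPT_SERVER_ID, 4]) + ip_bytes(server_id)
    options += bytes([OPT_NETMASK, 4]) + ip_bytes(netmask)
    options += bytes([OPT_ROUTER, 4]) + ip_bytes(router)
    dns_raw = b"".join(ip_bytes(d) for d in dns_servers)
    options += bytes([OPT_DNS, len(dns_raw)]) + dns_raw
    options += bytes([OPT_END])
    return header + options


def dhcp_options(packet):
    """Parse the option area into {code: raw_value}; pads are skipped, END stops parsing."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options


def audit_offer(packet, trusted_servers, trusted_dns):
    """Findings a DHCP-snooping style monitor would raise for one OFFER."""
    opts = dhcp_options(packet)
    findings = []
    server = ip_str(opts.get(OPT_SERVER_ID, b""))
    if server not in trusted_servers:
        findings.append(f"offer from untrusted DHCP server {server or 'unknown'}")
    dns_raw = opts.get(OPT_DNS, b"")
    for j in range(0, len(dns_raw), 4):
        dns = ip_str(dns_raw[j:j + 4])
        if dns not in trusted_dns:
            findings.append(f"offer hands out rogue DNS server {dns}")
    return findings


TRUSTED = {"192.168.1.1"}   # the episode's router is the only legitimate DHCP and DNS server


def run_demo():
    legit = build_dhcp_offer("192.168.1.146", "192.168.1.1", "192.168.1.1", ["192.168.1.1"])
    # Assumed shape of ettercap's spoofed offer: same address plan, DNS pointed at the attacker.
    rogue = build_dhcp_offer("192.168.1.146", "192.168.1.107", "192.168.1.1", ["192.168.1.107"])
    return audit_offer(legit, TRUSTED, TRUSTED), audit_offer(rogue, TRUSTED, TRUSTED)


if __name__ == "__main__":
    for label, findings in zip(("legit", "rogue"), run_demo()):
        print(label, findings or ["clean"])
```

The same option parser is what a switch's DHCP snooping feature effectively runs on untrusted ports: offers arriving anywhere but the trusted uplink are dropped, which is the standard wired defence against exactly this trick.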
So we could do a lot of cool DNS stuff with this. Let me give you one quick example. Once we've poisoned the DNS setting through DHCP, we can in essence spoof the DNS server. For example, the next time somebody opens up their web browser and wants to go to www.whatever.com, if that system doesn't know the IP address for that web server, it's going to send out a DNS request. Now what we could do is have a rogue DNS server at that particular IP address.
So all the systems will go to that server, and that server can point them somewhere evil: they type in www.google.com, and because their DNS server is our evil server, we send them someplace naughty. And that's just one example of the evil things you can do with DNS poisoning. Now, the exam covers a few other things that are kind of man in the middle type attacks, though in my opinion they're not, but we're going to go ahead and mention them here anyway. One of the things we run into is what we call URL hijacking, better known as typosquatting.
What we're talking about here is, if somebody has a website like Google, somebody else goes and registers a domain that's one typo away (goog g L, you get the idea). So when someone makes a typo, they will in essence be directed to someone else's site. It's not really injecting yourself in the middle of a conversation, it's just deflecting somebody to another place, but the exam considers it man in the middle, so we're going to bring it up as well. The other issue you can run into is called domain hijacking.
Domain hijacking is simply when somebody doesn't keep a domain updated. I've done this myself. I have so many URLs that I keep around, and there was a domain I had for a long time, and I just forgot to renew it. The domain ran out, somebody grabbed it really, really quickly and put a whole bunch of offensive material on there, and they said, well, we'll sell it back to you for a lot of money. And I had to pay, because it was really, really offensive.
Now, everything we've talked about so far is simply ways to get into a stream for a man in the middle attack. We've had some reference to the things we can do once we're there: one of them is scraping data, trying to get information, and we saw that with ettercap. But there's other stuff you can do, so let's take a moment and talk about what we can do once we're in the stream. You would think the most perfect thing you could do with a man in the middle attack is simply grab the data and look at it. Well, that is good.
And that's something we'd like to do a lot. But the other thing you can do is what's called a replay attack, and this tends to be more useful against secure communications. For example, say I've got some type of secure authentication protocol between two systems. I'm not interested in reading their data; what I'm interested in is the username and password. Now, I'm not going to be able to get the password itself. But the client, in one particular example, could be sending out a username and a hash, and if I get the username and the hash, I have all the information I need to replay that to the server later and log in as that person any time I want. That's the big danger of replay attacks.
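Here is an added example, not from the episode, of the replay described above and of the usual fix. The first scheme sends a hash of the password as the proof, so the sniffed message logs in as many times as the attacker likes; the second binds the proof to a fresh, single-use server nonce, so the captured message is useless once that nonce is gone. The user name, password and protocol shapes are all made up for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side credential store: the server keeps H(password), never the password.
PASSWORD_DB = {"admin": hashlib.sha256(b"correct horse battery").digest()}


# --- Replayable scheme: the client sends the hash itself as its proof ---------------
def naive_client_login(user, password):
    return {"user": user, "proof": hashlib.sha256(password.encode()).hexdigest()}


def naive_server_verify(msg):
    stored = PASSWORD_DB.get(msg["user"])
    return stored is not None and hmac.compare_digest(stored.hex(), msg["proof"])


# --- Challenge-response: the proof is an HMAC over a fresh server nonce -------------
class ChallengeServer:
    def __init__(self):
        self.outstanding = {}          # user -> nonce issued and not yet consumed

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self.outstanding.pop(user, None)   # every nonce is single-use
        secret = PASSWORD_DB.get(user)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def challenge_client_respond(password, nonce):
    secret = hashlib.sha256(password.encode()).digest()
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def replay_against_naive():
    """Attacker captures one login message and sends it again later."""
    captured = naive_client_login("admin", "correct horse battery")
    first = naive_server_verify(captured)
    replayed = naive_server_verify(dict(captured))   # the sniffed copy, unchanged
    return first, replayed


def replay_against_challenge():
    """Same capture against challenge-response: the stale proof no longer matches."""
    server = ChallengeServer()
    nonce = server.challenge("admin")
    captured = challenge_client_respond("correct horse battery", nonce)
    first = server.verify("admin", captured)
    server.challenge("admin")                    # server hands out a new nonce for the next attempt
    replayed = server.verify("admin", captured)  # old proof, wrong nonce
    return first, replayed


if __name__ == "__main__":
    print("hash-as-proof:      first login %s, replay %s" % replay_against_naive())
    print("challenge-response: first login %s, replay %s" % replay_against_challenge())
```

The nonce closes the replay hole on the wire, but notice the server still stores a hash that is itself the client's secret: steal the database and you can answer challenges without ever knowing the password. That is the pass-the-hash problem, a separate issue from replay.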
Once you've got that information, you can keep logging in as many times as you want and do whatever you need to do. Replay attacks even get into the world of certificates as well; you can do a lot of interesting things there, but I'm going to save all of that for other episodes that cover it specifically, so hang on to that one. The other thing we can do is what's known as a downgrade attack. This is particularly useful against things like web pages. We've had a lot of different versions of the protocol underneath HTTPS, starting with good old SSL and going through the different versions of TLS.
And each newer one is better than the last. But if I can make a client say to a web server, look, I want a secure connection, but I can only do SSL, that's a lot weaker than the more advanced TLS versions. So if we have a web server that still allows that to happen, we can take advantage of it via what's known as a downgrade attack. The fix is on the server side: refuse the old versions outright, so there is nothing to downgrade to. Now, the last thing I want to talk about is called session hijacking. Session hijacking basically means two people are already talking, they're already up and running, they're communicating.
What I'm going to do is get in the middle of that communication, inject information into it, and do naughty things. Now, session hijacking is an incredibly difficult technique to pull off, because you have to take advantage of a real-time connection that's taking place right now. However, there is a greatly simplified version of it, and it's been around for years and years: it's called Firesheep. So here's a picture of Firesheep right here.
All Firesheep does is sit on an unencrypted wireless network, grab the session cookie a logged-in user's browser is sending in the clear, and reuse it; that's the session hijack, and it literally connects into whatever's taking place. So here's a Facebook page that's been loaded. Since that user had already logged in, I've just caught the session in the middle, hijacked it, and I could even make changes to it. So when it comes to man in the middle attacks, remember, there are always two parts to the equation: number one, what are you going to do to get into the stream? And number two, what are you going to do with that data once you've got it? Those are two separate issues, and they're handled quite differently.
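To show what Firesheep is doing with that captured session, here is an added example that is not Firesheep's code and not from the episode. It takes a constructed plaintext HTTP request of the kind a browser on open Wi-Fi sends, picks the session cookies out of it, and builds a request of the attacker's own that presents those cookies; it also includes the defender's check, whether a Set-Cookie header marks the cookie Secure so it never travels over plain HTTP. The host name is Facebook only because that is the episode's screenshot; the cookie names and values are invented.

```python
# Constructed capture: what a browser on open Wi-Fi sends to a site that keeps
# using plain HTTP after login. Cookie names and values are made up.
SNIFFED_REQUEST = (
    b"GET /home.php HTTP/1.1\r\n"
    b"Host: www.facebook.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: locale=en_US; c_user=100001; xs=0123456789abcdef\r\n"
    b"\r\n"
)

# Assumed names of the cookies that identify a logged-in session on this site.
SESSION_COOKIES = ("c_user", "xs")


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into request line and a lower-cased header map."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def parse_cookies(header):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}"""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def steal_session(raw_request, session_names):
    """Firesheep's first half: pick the session cookies out of a sniffed request."""
    request = parse_http_request(raw_request)
    cookies = parse_cookies(request["headers"].get("cookie", ""))
    stolen = {n: cookies[n] for n in session_names if n in cookies}
    return request["headers"].get("host"), stolen


def hijacked_request(host, stolen, path="/home.php"):
    """Firesheep's second half: our own request presenting the victim's cookies."""
    if not stolen:
        return None
    cookie_header = "; ".join(f"{n}={v}" for n, v in stolen.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_header}\r\n\r\n").encode()


def cookie_exposed_to_sniffing(set_cookie_header):
    """Defender's check: without the Secure attribute the browser will send this
    cookie over plain HTTP, which is exactly what Firesheep feeds on."""
    attributes = {a.strip().lower().split("=")[0] for a in set_cookie_header.split(";")[1:]}
    return "secure" not in attributes


def run_demo():
    host, stolen = steal_session(SNIFFED_REQUEST, SESSION_COOKIES)
    return hijacked_request(host, stolen)


if __name__ == "__main__":
    print(run_demo().decode())
```

Nothing here breaks encryption; the cookie was simply sent in the clear. That is why the lasting answer to Firesheep was sites moving to HTTPS for the whole session and setting the Secure attribute on session cookies, not anything on the Wi-Fi side.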