Executing A Man-In-The-Middle Attack
coengoedegebure.com
Coen Goedegebure
23-29 minutes
1 of 55 6/4/21 5:12
Executing a man-in-the-middle attack about:reader?url=https://www.coengoedegebur...
to prevent this.
During this attack I'm able to see a victim's network traffic and browsing behavior. Weaponizing this possibility I then steal the victim's cookies, take over his web session and change his profile picture on the website he's visiting to demonstrate the privileges I gained.
The reason I like this demonstration so much is that it really helps convey the importance of security awareness on the audience's personal level. Moreover, the MiTM attack is a great container for introducing several interesting techniques, concepts and tools, and executing the attack brings these all together.
This is why I decided to put this knowledge in the article you are reading now.
ARP protocol
Let's briefly go over the 3 steps in the animation:
ARP Spoofing
ARP spoofing
The image above depicts the same scenario as before. However, a hacker has now joined Machine A and B on the network. The hacker has done his work in the reconnaissance and scanning phases, knows Machine A and B exist in the network and what IP addresses they have.
In this example, the hacker himself has IP-address H and MAC-address mac-H. He sends his malicious ARP response directed at Machine A with the message "mac-H is the MAC-address of IP-address B". Machine A updates its ARP table and IP-
HTTPS.
Before I explain how this can be done, let's take a look at how an HTTPS-session is set up when you browse to www.google.com (for example):
SSLStrip
Setup
Lab setup
Attack setup
reconnaissance first.
Reconnaissance
ifconfig
Here we see that our own IP-address is 192.168.1.134 and our MAC-address is 00:0c:29:a0:08:88.
Then we should find out the IP-address of the gateway by running the route -n command:
route -n
We can see the gateway's IP-address is 192.168.1.2. Now we'll attempt to discover who's on the network in our 192.168.1.xxx subnet, by running the command netdiscover -r 192.168.1.0/24. This will attempt to discover all nodes in the range 192.168.1.0 to 192.168.1.255:
netdiscover -r 192.168.1.0/24
Besides the gateway, we found another node: the victim on 192.168.1.130. Notice the line above
SSLStrip setup
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
Running SSLStrip
Since sslstrip is included in Kali Linux, running this program is as
Victim's side
ARP table
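The ARP spoofing described earlier shows up in the victim's ARP table as the gateway's IP-address mapped to the attacker's MAC-address. The following is an added example, not code from the original article: a Python check over `arp -a` output that flags a gateway MAC that differs from a pinned value and unicast MACs that answer for several IPs. The function names, the pinned gateway MAC and the 192.168.1.254 and 192.168.1.77 entries are assumptions made for the example.

```python
import re
from collections import defaultdict

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")

# Constructed sample in Linux `arp -a` format. 192.168.1.2 (gateway),
# 192.168.1.134 and 00:0c:29:a0:08:88 are the article's lab values; the
# other entries and PINNED_GATEWAY_MAC are made up for the example.
SAMPLE_ARP_OUTPUT = """\
? (192.168.1.2) at 00:0c:29:a0:08:88 [ether] on eth0
? (192.168.1.134) at 00:0c:29:a0:08:88 [ether] on eth0
? (192.168.1.254) at 00:50:56:aa:bb:cc [ether] on eth0
? (192.168.1.77) at <incomplete> on eth0
"""
PINNED_GATEWAY_MAC = "00:50:56:00:00:02"  # recorded while the network was trusted

def parse_arp_table(text):
    """Return {ip: mac} from arp output; accepts ':' or '-' separated MACs."""
    table = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:  # skips headers and <incomplete> entries
            table[ip.group()] = mac.group().lower().replace("-", ":")
    return table

def shared_macs(table):
    """Return {mac: [ips]} for unicast MACs that answer for more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if int(mac[:2], 16) & 1:  # broadcast/multicast entries are shared by design
            continue
        by_mac[mac].append(ip)
    octets = lambda ip: tuple(map(int, ip.split(".")))
    return {m: sorted(ips, key=octets) for m, ips in by_mac.items() if len(ips) > 1}

def check_arp_table(text, gateway_ip, pinned_mac):
    """List findings that are consistent with ARP cache poisoning."""
    table, findings = parse_arp_table(text), []
    seen = table.get(gateway_ip)
    if seen and seen != pinned_mac.lower():
        findings.append(f"gateway {gateway_ip} is at {seen}, pinned {pinned_mac}")
    for mac, ips in shared_macs(table).items():
        # Can be legitimate (proxy ARP, several IPs on one NIC): investigate first.
        findings.append(f"{mac} answers for {', '.join(ips)}")
    return findings

if __name__ == "__main__":
    for finding in check_arp_table(SAMPLE_ARP_OUTPUT, "192.168.1.2", PINNED_GATEWAY_MAC):
        print("WARN:", finding)
```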
Just browsing
Cookie stealing
When I give a live demonstration of ARP spoofing, I always take it a little further after the attack succeeded. Using the information from the Wireshark network capture I can
Network / infrastructure
Website
Use HTTPS
The user