Hack Like a Pro: How to Conduct a Simple Man-in-the-Middle Attack

Welcome back, my hacker novitiates!

Many of you have probably heard of a man-in-the-middle attack and wondered how difficult an attack like that would be. For those of you who've never heard of one, it's simply where we, the hacker, place ourselves between the victim and the server and send and receive all the communication between the two.

It should be totally transparent to both the client and the server with neither suspecting they're connected to anything or anyone but who they expect. This allows us to see and read all of the communication (passwords, confidential information, etc.), as well as alter it, if need be.

In this "Hack Like a Pro" tutorial, I'll show you a very simple way to conduct a MitM attack and capture unencrypted traffic.

The Art of Sniffing

Before we embark on a MitM attack, we need to address a few concepts. First, sniffing is the act of grabbing all of the traffic that passes you over the wired or wireless communication. There are a number of tools that will enable you to do this. Most famously, Wireshark, but also tcpdump, dsniff, and a handful of others.

Enter Promiscuous Mode

In order to see and grab traffic other than your own, you need to first put your NIC or wireless adapter into promiscuous mode (on a wireless adapter, the comparable setting is monitor mode), meaning that it will pick up ALL traffic, not just the traffic addressed to your MAC/IP address. On wireless networks, and on wired networks with hubs, this can be accomplished relatively easily. In a switched environment, we need to be a bit more creative.

Switches & Spoofing

Switches are designed to reduce network traffic and congestion by isolating traffic and only sending packets to the particular IP address or MAC address that is the destination, unlike hubs, which send all traffic to all NICs. This means that my NIC only sees traffic intended for it, if the switch is doing its job. This makes it harder, but not impossible, to sniff and thereby conduct a MitM attack.

To defeat the switch's task of isolating network traffic, a number of strategies have been attempted. On older switches, you could flood them with ARPs until the switch was overwhelmed and failed open. This means that it would begin to act like a hub, sending all the traffic to all the NICs, enabling the hacker to sniff other people's traffic.

This strategy no longer works on modern switches, and even on the older ones, a vigilant network admin is going to notice the change in network traffic and volume.

In order for switches to "know" where to send traffic, they maintain a CAM table that essentially maps IP addresses to MAC addresses. This table says that when traffic is intended for IP address 192.168.1.101, for instance, send that traffic to MAC address 11:22:33:44:EE:FF (example MAC address).

If we can change the entries in that table, we can successfully get someone else's traffic. This is called ARP spoofing, because the entries in the CAM table come from ARPs that are sent out by the switch to gather this information from the NIC. (In practice, the entries that arpspoof poisons live in the ARP caches of the client and the server themselves, which is the "ARP table" referred to in Step 1 below.)

ARP Spoofing for a MitM Attack

What we will be doing here, is using ARP spoofing to place ourselves between two machines making the client believe we are the server and the server believe we are the client. With this, we can then send all the traffic through our computer and sniff every packet that goes in either direction.

Hope all that makes sense! Let's get started with our MitM attack by opening up BackTrack!

Step 1: Open Three Terminals

To conduct this MitM attack, we're going to need three (3) terminals, so go ahead and open those now. Our goal here is to get a client on our network to believe we are the server and the server to believe we are the client.

arpspoof can do this for us by replacing the MAC address of the client and the server with our MAC address in the ARP table.

Step 2: Arpspoof Client to Server

Let's start with the client. We want to replace the MAC address of the server with our MAC address.

  • arpspoof 192.168.1.101 192.168.1.105

Where:

  • 192.168.1.101 is the IP of the client
  • 192.168.1.105 is the IP of the server

In this step, we're telling the client that we are the server.

Step 3: Arpspoof Server to Client

Now we want to replace the MAC address of the client with our address, so we simply reverse the order of the IP addresses in the previous command.

  • arpspoof 192.168.1.105 192.168.1.101

Here, we are telling the server that we are the client.

Now execute both of these commands. When we do this, the client will think we are the server and the server will think we are the client!

Step 4: Pass Packets with ip_forward

Now that we are impersonating both the client and server, we need to be able to pass or forward the packets to the other machine. In other words, we want the packets coming from the server to be forwarded to the client and those coming from the client forwarded to the server.

We do this in Linux by using ip_forward. Linux has built-in functionality to forward packets it receives. By default, it's turned off, but we can turn it on by changing its value to 1 (on).

We simply echo a 1 and redirect (>) it to /proc/sys/net/ipv4/ip_forward, thereby turning on IP forwarding. (The setting does not survive a reboot.)

  • echo 1 > /proc/sys/net/ipv4/ip_forward

Now our system, in the middle, is forwarding the traffic it receives to both ends of this connection, client and server.

Step 5: Sniff the Traffic with Dsniff

Now that we have all the traffic coming from the client to the server and the server to the client going through our computer, we can sniff and see all the traffic!

To do this, we could use a number of different sniffing tools, including Wireshark or tcpdump, but in this case we'll use Dug Song's dsniff. Song designed dsniff to sniff out authentication information that appears on the wire in clear text (unencrypted). So, protocols such as FTP, Telnet, HTTP, SNMP, POP, LDAP, etc. can be sniffed off the wire.

To activate dsniff, we simply type:

  • dsniff

As we can see, dsniff responds that it is listening on eth0.

Step 6: Grab the FTP Credentials

Now, let's wait until the client logs into the FTP server. When they do so, dsniff will grab their credentials and display them to us.

As you see in the screenshot above, dsniff has grabbed the FTP credentials of the administrator, whose password is "password"! How easy was that!

It's important to note that users and administrators often use the same username and password on all services and systems. Now that we have the admin's FTP password, the next step is to try to log in with it.
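The two arpspoof commands in Steps 2 and 3 leave a footprint a defender can watch for: the server's IP suddenly answers from a new MAC, and a single MAC answers for both the client's and the server's IPs. The Python below is an added example (not code from the original article or from dsniff); it checks a constructed ARP-reply log for both symptoms, and runs the same check over constructed `ip neigh show` output with a pinned known-good MAC. The sample data, `parse_ip_neigh` and `detect_arp_spoof` are all assumptions of this example.

```python
"""Spot the two ARP symptoms the arpspoof commands above produce: an IP whose
MAC changes, and one MAC that answers for more than one IP."""
import re
from collections import defaultdict

# Constructed ARP reply log as (time, sender IP, sender MAC); not a real capture.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.1.101", "aa:bb:cc:00:00:01"),  # client, legitimate
    ("10:00:02", "192.168.1.105", "aa:bb:cc:00:00:05"),  # FTP server, legitimate
    ("10:00:03", "192.168.1.1",   "aa:bb:cc:00:00:99"),  # gateway
    ("10:05:10", "192.168.1.105", "DE:AD:BE:EF:00:66"),  # Step 2: "I am the server"
    ("10:05:11", "192.168.1.101", "de:ad:be:ef:00:66"),  # Step 3: "I am the client"
    ("10:05:13", "192.168.1.105", "de:ad:be:ef:00:66"),  # arpspoof keeps repeating
]

# Constructed `ip neigh show` output, to run the same check on a live Linux host.
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:99 REACHABLE
192.168.1.105 dev eth0 lladdr de:ad:be:ef:00:66 STALE
192.168.1.101 dev eth0 lladdr de:ad:be:ef:00:66 REACHABLE
192.168.1.200 dev eth0  FAILED
"""

_NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-fA-F:]{17})")

def parse_ip_neigh(text):
    """Turn `ip neigh show` lines into (time, ip, mac) tuples; entries without a
    link-layer address (FAILED/INCOMPLETE) are skipped."""
    return [("snapshot", m.group(1), m.group(2))
            for m in map(_NEIGH_RE.match, text.splitlines()) if m]

def detect_arp_spoof(observations, pinned=None):
    """observations: iterable of (time, ip, mac). pinned: optional dict ip->mac of
    known-good mappings (gateway, servers) that every sighting is checked against;
    unpinned IPs are trusted on first sight. Returns IPs seen with conflicting MACs
    and MACs that answered for more than one IP."""
    expected = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    claims = defaultdict(set)     # mac -> IPs it has answered for
    conflicts = defaultdict(set)  # ip  -> every MAC seen for it
    for _ts, ip, mac in observations:
        mac = mac.lower()
        claims[mac].add(ip)
        known = expected.setdefault(ip, mac)
        if known != mac:
            conflicts[ip].update({known, mac})
    return {
        "ip_conflicts": {ip: sorted(m) for ip, m in conflicts.items()},
        "multi_ip_macs": {m: sorted(ips) for m, ips in claims.items() if len(ips) > 1},
    }

if __name__ == "__main__":
    print(detect_arp_spoof(SAMPLE_ARP_REPLIES))
    # A single snapshot shows no change, but pinning the server's real MAC catches it.
    print(detect_arp_spoof(parse_ip_neigh(SAMPLE_IP_NEIGH),
                           pinned={"192.168.1.105": "aa:bb:cc:00:00:05"}))
```

Polling `ip neigh show` on a monitored host and feeding each snapshot through the same function turns the one-shot check into a simple ongoing monitor; pin the gateway and any servers so a poisoned entry is flagged even when it was present from the first snapshot.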

In my next MitM tutorial, I'll show you how to sniff encrypted credentials off the wire, so keep coming back!

63 Comments

Does kali have the ability to forward the packets?
because i tried: echo 1 > /proc/sys/net/ipv4/ipforward
and it told me:
bash: /proc/sys/net/ipv4/ipforward: No such file or directory
and i then did:
locate ipforward
and nothing came up, so I'm assuming ipforward does not exist on Kali.

EDIT: never mind, I found it. For those of you who might have the same problem as me, it's a simple fix. In Kali, the file is just named something else. Instead of echo 1 > /proc/sys/net/ipv4/ipforward, use echo 1 > /proc/sys/net/ipv4/ip-forward ( < that dash is supposed to be an underscore, but whenever I use an underscore it italicizes my words). Notice how all I did was add an underscore between 'ip' and 'forward'.

It is ip_forward in BT, as well.

next tutorial I would like to see::: Do the same thing in windows 8!! :D

Quite right. You just need the tools of the trade.

George:

This technique is independent of the operating system. It will work with Linux, UNIX, Windows XP, Windows 7, Windows 8, etc.

OTW

In Client I have to write the victim's IP, and
in Server I have to write BackTrack's internal IP, or?

Giorgi:

This is a man in the middle attack. You are trying to get the server and the victim to send their packets to you, so you need their IP addresses, not yours.

OTW

And how do I find those IP addresses? For example, if I wanna steal a Facebook account, do I have to find their IP? By pinging it from CMD? Or... I didn't understand at all?

Giorgi:

Yes, you need their IP address. Check out my tutorials on reconnaissance.

OTW

can you help me how to find out my friend's IP address?

Greenlemon:

Welcome to Null Byte!

Before you begin more complex tutorials like this one, I recommend that you read and do my earlier tutorials, specifically reconnaissance. You can find a list of those under my article "Hacking for Newbies".

OTW

Thanks. Actually, before I joined the WonderHowTo site, I had already read a lot of your articles and how-tos. It's just that until now, I can't apply or do the steps on my computer.

What is it you want to do?

Great article, as always, but there are a few things I need to point out. First, you said arpsppof instead of arpspoof in the first instance of code. Secondly, arpspoof has been upgraded since your writing (or it is because of you using BackTrack and me using Kali), but the code you put out doesn't work with arpspoof v2.4. You must do it like this: arpspoof -i wlan0 -t 192.168.10.1 -r 192.168.10.100 where wlan0 is the interface and 192.168.10.1 is the server and 192.168.10.100 is the client or vice versa. If you use Kali, use that code. Just trying to clear things up. Thanks for the great article!

Okay, is this why mine isn't working? Also, do I have to do the same command again except switch the -r and the -t?

Thanks for that info Andrew!

You are welcome! I have a question though. Is there any way to detect a man in the middle attack in progress and are there any downsides to it?

Andrew:

Yes, some switches have a number of security measures, including detecting unusual ARP requests from unusual IP addresses.

OTW

Two more questions: will this work externally and is the server always the router? I tried this hack in my home network and used the router as the server, but is this always the case?

Thanks again for your great help and articles!
Andrew

Andrew:

Yes, this will work externally on any two communicating systems.

OTW

Can you perform this when the firewall is turned on in the victim's PC?

In a word, usually.

A firewall blocks ports and IP addresses. As long as the port is open (presumably it is or that wouldn't be online) and your IP is not blocked, then it will work with a firewall in place.

There's a typo
<< Let's start with the client. We want to replace the MAC address of the server with our MAC address.

arpsppof 192.168.1.101 192.168.1.105 >>
Change "arpsppof" to "arpspoof"

Very great tutorial! Thank you, but I want to know something.

If I want to sniff on an external IP, in this case the IP of the victim (client) will be the same IP as the router (server), so how will it be going?

Can I use the internal IP of the victim as the "client IP"? Will this work? And if yes, then how do I obtain the victim's internal IP?

Thanks

I don't understand your question.

Sorry for that. I mean, when applying this tutorial on an IP that's not in my local network, how can I do that? For example, if I got someone's IP, let's say for example it's xxx.xx.147.52, will the server IP be xxx.xx.147.52 and also the client IP be xxx.xx.147.52, the same as the server IP? That would not make any sense, right? Because in this case the server and client have the same IP.

I hope you got what I mean, and sorry for my bad English!

When working on a public IP, you place yourself between the server or router and the public IP. All will have public IPs.

Great tut! Is there any way you can place yourself between multiple IPs?

How to find the IP address and client address??

Hi OTW,
running arpspoof -i mon0 -c mymacaddress -t host default gateway
I get the error segmentation fault...

Reading the documentation by Dug Song, I think that line up there should place me between all hosts on the network and the default gateway, if I understood right...

Can you please help me with the error I am getting?
Thanks...
You noticed Dug Song changed the syntax, or am I seeing wrong again?

Hi, OTW. I'm having a problem with this. Every time I execute the attack, my target computer can't connect to any websites. It just keeps loading and loading. Does this attack require a purchased wireless adapter? Also I have tried arpspoofing with ettercap and many other programs but none of them seem to work. When I use driftnet with this attack or urlsnarf I only get info from my host machine and not my vm. Any thoughts?

Cameron:

It's hard to answer your question without knowing your configuration. Want to share that with me and everyone else on here?

My first thought here is that you did not execute IP forwarding correctly.

OTW

I'd be glad to share my configuration. All I did was echo 1 > /proc/sys/net/ipv4/ip_forward and that works. I don't have a wireless card but I just listen on eth0. Is that the problem? If so, how can I fix it?

Sorry, how do I put my wireless adapter in promiscuous mode? I know I can do the aircrack start thing with wlan0 but do I still pick up things like driftnet -i wlan0 or is it mon0? I'm a bit confused and I'm not sure the easiest way to put my wireless adapter in promiscuous mode. PS it is an ALFA.

OK for that. I would like to ask if you can help me because I want to set up a man-in-the-middle attack between two phones and be able to capture and modify/change the message sent from one of the phones and forward it to the other phone.

thanks

This only works if you're at the same network. What about routers?

You are right, this only works if you are on the same network. What do you mean by "what about routers"? Are you looking to do a MitM between routers? What would that gain you?

Hello OTW, I am new here and would like to know if MITM attacks can work over WAN, and whether it is possible to sniff between SSL on a server if perhaps an SSL is vulnerable in any way on the target server.

Hello, I am very new here... and I think I have the most stupid question that there is... but hey, we are here to help each other, and in the future I can help newbies as well.

Okay, my question is how can you find out what the server is. Is this the server of your router? And how do you know what this address is?

Thank you very much in advance for helping me out , i would appreciate your answer very much.

Greetings Dear Sir

I am a newbie hacker, and I found out about Linux about a week ago.
My question is embarrassing, but I want to know how we can get the IP of the client and the server.

I want to try on my pc, how do i get the ip of my server and client pc ?

your blogs are Godsend btw, i have never been so motivated in life :)

Hey Elroy,

While I recommend following OTW's courses in order and starting with the Linux basics tutorials, work through it like this: we are lucky to have someone of OTW's calibre, and he's structured a lot of this work as a course.

That said, you can use ifconfig on your Kali machine and ipconfig on the Windows client to get the IP addresses.

Thank you for your input TYR,
I also want to know what MAC address is written under?
is it the BSSID ? or the STATION ?

Thank you in advance

I also don't know where to find the "hacker for newbies" series

Okay so I get this: root@Vageta:~# arpspoof 192.168.0.10 192.168.0.1
Version: 2.4
Usage: arpspoof -i interface -c own|host|both -t target -r host
and this:
arpspoof 192.168.0.1 192.168.0.10
Version: 2.4
Usage: arpspoof -i interface -c own|host|both -t target -r host

When I look at your terminal in the article I see you use the -t switch; when I use that option I get: root@Vageta:~# arpspoof -t 192.168.0.10 192.168.0.1

arpspoof: couldn't arp for host 192.168.0.10

Is it because I am using Kali Linux?

Those php tags did not work, sorry, please ignore those.

arpspoof syntax has changed

VirtualBox creates a virtual network card for my system to receive the traffic from the guest OS. In host-only mode, with the virtual network card in promiscuous mode, can dsniff run in the host and capture all traffic from the guest? Does your article only work in the scenario where the server and the victim communicate with each other in the internal network?

The new version of arpspoof uses: arpspoof -i wlan0 -t Router/ServerIP -r Client/VictimIP. Now do I need to execute a second command where I switch places (victim-router)? Thanks

Hello OTW,

Thanks for the article. I tried this technique in my home network. Dsniff was successfully sniffing the FTP username/passwords. But when I tried Facebook or Gmail, dsniff did not capture anything. Do these websites have some more security measures?

My setup is: running kali 2.0 inside a VirtualBox on my Mac using a bridged network. Thus my VBox eth0 has its own ip (192.168.178.37) next to the ones on the network (.31 my mac and .22 my iphone e.g.). eth0 is operating in promiscuous mode (as I can see in the syslog). Mac and iPhone are connected via wifi with my router FritzBox).

Starting wireshark in Kali I can see all the traffic from my Mac going somewhere, i. e. if I enter a url in Safari I can see it.

However if I enter a URL on my iPhone I don't see anything popping up in wireshark.
What I do see sometimes is a MDNS standard query from iphone to 224.0.0.251, but no other traffic.
I thought I should be able to see all traffic on this network, no?

Or doesn't it work because the router acts like a switch (I'm guessing 'cos it's frequently sending out ARP packages like Who has 192.....)?

Will this work with an android phone as a victim?

Unfortunately I am having the same issues that Cameron was having earlier. I have everything set up the way it should be, but my victim machine cannot connect to any websites; it seems that the requests are not being forwarded. I have double-checked that ip_forward is set to 1. Is there something else I should be looking at?

Did you put the wireless adapter in promiscuous mode (is that how it's spelled?)?

In one of his amazing tutorials, OTW teaches how to. (Look for airmon-ng)

Yes, I do have my adapter in promiscuous mode. Thank you for your reply

OTW,
can you please update this with the new arpspoof syntax
because now we get this :
Usage: arpspoof -i interface -c own|host|both -t target -r host

Promiscuous mode is not the same as monitor mode.

Okay, so the client IP is my target's IP?
And the server IP is what?

The local server your client is accessing.

Can you replace the server IP with the default gateway?

Can I use external IPs?

Hi @occupytheweb, why do we need arpspoof if Wireshark can intercept credentials?

Or is there any condition in which case arpspoof is good to use and in which case Wireshark is good to use?

Or is there any other function that arpspoof can do but Wireshark can't, other than intercepting credentials?

Thanks in advance.

To conduct this attack, I just need to know their IP address, and not necessarily need to have access to anything of theirs (like Wi-Fi, computer), right?
