MITM Attack or How to get Access to Your Neighbour's Gmail

I will try to explain the two main methods of getting the victim's access to sites he visits (even those protected by HTTPS).

The methods I will talk about are based on MITM (Man in the middle) attack.
Both methods require you to connect to the victim's wifi beforehand (prerequisite).

1. Listen to all traffic from the devices on your network to the router.
2. Cheat the router and the victim to pass all of their traffic through you (as a proxy, thus gaining access to all traffic).

Listen

The first method (listening mode) is more non-detectable as you don't actually disturb the victim or the router, you just listen to the packets of traffic as they go through the air.
This method can be done using two main modes:
I. Promiscuous mode - Which is a mode you can use even on windows OS, and can be enabled on many network devices.
This mode is not recommended ever using as it has lots of limitations, the most prominent one is that it can listen to traffic only on non-encrypted networks or WEP encrypted networks (even some of the WPA ones), but can't listen to most WPA networks nor any more advances encryption (WPA2 etc).

II. Monitor Mode - This mode works only on Linux machines and only on a small set of network cards.

Monitor mode is actually a good way of harvesting access to the victim's sites, you just need to be prepared in advance which means to use a linux machine and buy a specific network adapter.

Proxy

The second method (ARP Spoofing) is placing the attacker as a proxy between the victim and the router thus it is a slightly more risky and detectable way, but it enables the attacker to do more things as the attacker can modify the traffic packets on the fly, thus he can modify them to send the victim to a page of his choosing etc.

Please note that for ARP Spoofing you will generally target a specific target and be its proxy so it is not a fire and forget solution but it is more of a sniping solution which needs a little more setup.


I will sum things up till now

  • Prerequisite: Connect to the victim's wifi network before attack.
  • MITM can be done by listening (Monitor mode) or by Proxying (ARP Spoofing)
  • Listening mode using promiscuous mode works on windows but is quite useless.
  • Listening mode using Monitor mode requires a special network card and works only on linux
  • ARP spoofing works on any OS with any card, but is more detectable
  • ARP spoofing can alter the packets
  • As a general guideline, use Monitor mode for long and general network captures (On the CAFE, on your own network etc, where you don't know which IP to capture) and use ARP spoofing on any other sniping attack.

Scenarios

A. You want to monitor your home/office/honeypot network - what will you use?
ARP spoofing is taken out of the equation here as it is not the right tool for general capture-all, it is more a sniping tool as if you spoof the whole network it will slow it down and errors will occur on some of the sites people will visit.
Monitor mode is a good option if you have a computer to spare and have the right network card.
Best option will be installing an open sourced router firmware (Tomato, DD-WRT or OpenWRT), then configure it to dump all traffic to a log file (as a .pcap file) using rolling log, to an external drive - this method is the best as it is totally undetectable, most lightweight, non intrusive, fire and forget, costs the least.

B. You decide on the spot that you want to monitor a specific device what should you use?
If you have a working Kali linux and the right network card (which has monitoring mode), then you are rightly served by using monitoring mode (Not likely doable on a 15 minutes notice).

ARP sniping will be the best answer here probably as it is more accessible and is best used to snipe the target, can even be used under windows (Use Cain, EvilFOCA or Bettercap).

C. Monitor a CAFE/Home for all devices for the coming hour or so 
This case will best be served by using monitor mode as you don't want all of the devices on the CAFE to have surfing problems nor network slowdown and most important of all you really don't want to be detected.

The above being said, you might find Bettercap v2 to be a good ARP Spoofing tool which doesn't do so much harm as they claim they worked a lot on performance etc. - so this might also be not such a bad option.

Comments

Popular posts from this blog

Profiling Java @ 2019

Ant Explorer graphical Ant build tool

Start Working with AutoIT