MITM Attack Using Windows at 2018
A year ago I wrote about my first stab at MITM attacks.
In this post I want to focus on MITM attacks using windows only tools.
So instead of:
Victim -> Router
It is altered to:
Victim -> Attacker -> Router
A. Spoofing tool - this one will make the attacker spoof the network to make the victim believe the attacker is the router thus sending all of its packets to the attacker instead of to the router, then the attacker will forward those packets to the router.
B. Dumping tool - A tool to capture all of those packets going through the attacker.
C. Parsing tool - to go over thousands of those packets dumped to the attacker's computer and search for the usernames/passwords or the sessions/cookies.
B. Start your packet sniffing tool
C. Parse the above packets.
Well, you have three main scenarios I suggest considering:
I. Dump the packets, Parse them, find FORM username and passwords which the user wrote in a login page.
II. Dump the packets, parse them, find the cookie/session for the victim's site, use a plugin for your favorite browser in order to reuse that session and enter that site as the victim logged in user (hoping that the victim didn't logout in the meantime).
III. Alter the victim's packets to redirect to your site containing your favorite phishing script, or redirect the victim to a XSS script which will steal the victim's cookies.
Another tool which looks really great but for some reason I didn't manage to work well with it is: EvilFOCA, so feel free to read about it and use it instead of C&A.
B. For the task of packet capturing I recommend using WireShark as it is a very powerful tool, from which you can use advanced filters and other super advanced functionality.
So you will want to use a filter like this one:
ip.src==IP OF THE VICTIM'S COMPUTER
If you know enough of wireshark it is enough for you to parse the requests and find the usernames/passwords or take the session cookies, if not then just use wireshark to dump those packets coming from the victim's IP and use a good parser to find all passwords inside.
There are loads of other packet dumping software, yes, even on windows, I won't mention them as wireshark beats them all, but if you want a simple substitute I would recommend Nirsoft's powerful yet simple Smart Sniff
C. For Parsing the packets for the usernames/passwords or sessions use Network Miner - This one is total magic as it does a great job of parsing so many requests and finding all of the goodies!
If you are using C&A then you might find it parses passwords on the fly so it is worth checking there if it is already open, if not and you still need a password from thousands of packets parser, I will recommend Nirsoft's simple yet powerful snifpass as a good second choice after Network Miner (Which is the best choice).
In the honorary tool section I want to mention Cookie Cadger which is a single tool which is used after spoofing the network instead of wireshark, just start cookie cadger and it will get all sessions running live in the packets (It does not capture or parse username/passwords).
On the other side I want to mention a tool you might have heard about: FireSheep - Just stay away from this one as if you want this kind of tool you should use cookie cadger which is much more robust and has more functionality, firesheep got lots of headlines as it was a firefox plugin which was very simple to use, but it is hard to find and needs a specific and very old firefox to run on, not to mention it is very flaky and can crash easily.
Disclaimer: This post is very informative and can give you a good picture of the ways to MITM and the tools of the trade, that being said, it disregards HTTPS which can be found on many sites and will be found on more and more sites as time passes, so most of the above tools won't work today as most sites use HTTPS.
(Yes, I am sorry :-), I will do some more research and find the tools which work on HTTPS and post a new article).
In this post I want to focus on MITM attacks using windows only tools.
What is MITM Attack?
A Man In The Middle attack is an attack where the attacker is connected to the same network as the victim while positioning himself between the victim and the router thus makes himself a sort of a proxy while grabbing all of the network packets on the fly with the possibility of dumping them or even altering them.So instead of:
Victim -> Router
It is altered to:
Victim -> Attacker -> Router
How does the MITM work ?
Without delving deeply to technicalities, the attacker will need three main tools:A. Spoofing tool - this one will make the attacker spoof the network to make the victim believe the attacker is the router thus sending all of its packets to the attacker instead of to the router, then the attacker will forward those packets to the router.
B. Dumping tool - A tool to capture all of those packets going through the attacker.
C. Parsing tool - to go over thousands of those packets dumped to the attacker's computer and search for the usernames/passwords or the sessions/cookies.
How can you use the MITM attack ?
A. Start your spoofing tool, positioning yourself to be able to capture the victim's packetsB. Start your packet sniffing tool
C. Parse the above packets.
Which Methods of MITM Do I Recommend ?
Using MITM you will get all of the victim's packets, what now?Well, you have three main scenarios I suggest considering:
I. Dump the packets, Parse them, find FORM username and passwords which the user wrote in a login page.
II. Dump the packets, parse them, find the cookie/session for the victim's site, use a plugin for your favorite browser in order to reuse that session and enter that site as the victim logged in user (hoping that the victim didn't logout in the meantime).
III. Alter the victim's packets to redirect to your site containing your favorite phishing script, or redirect the victim to a XSS script which will steal the victim's cookies.
Which Tools Exist for The Task ?
A. For the task of Spoofing use Cain & Abel, It is a discontinued project and might be hard to install and start on windows 10, but it is doable (See my previous article which explains all about it) and is totally worth it.Another tool which looks really great but for some reason I didn't manage to work well with it is: EvilFOCA, so feel free to read about it and use it instead of C&A.
B. For the task of packet capturing I recommend using WireShark as it is a very powerful tool, from which you can use advanced filters and other super advanced functionality.
So you will want to use a filter like this one:
ip.src==IP OF THE VICTIM'S COMPUTER
If you know enough of wireshark it is enough for you to parse the requests and find the usernames/passwords or take the session cookies, if not then just use wireshark to dump those packets coming from the victim's IP and use a good parser to find all passwords inside.
There are loads of other packet dumping software, yes, even on windows, I won't mention them as wireshark beats them all, but if you want a simple substitute I would recommend Nirsoft's powerful yet simple Smart Sniff
C. For Parsing the packets for the usernames/passwords or sessions use Network Miner - This one is total magic as it does a great job of parsing so many requests and finding all of the goodies!
If you are using C&A then you might find it parses passwords on the fly so it is worth checking there if it is already open, if not and you still need a password from thousands of packets parser, I will recommend Nirsoft's simple yet powerful snifpass as a good second choice after Network Miner (Which is the best choice).
In the honorary tool section I want to mention Cookie Cadger which is a single tool which is used after spoofing the network instead of wireshark, just start cookie cadger and it will get all sessions running live in the packets (It does not capture or parse username/passwords).
On the other side I want to mention a tool you might have heard about: FireSheep - Just stay away from this one as if you want this kind of tool you should use cookie cadger which is much more robust and has more functionality, firesheep got lots of headlines as it was a firefox plugin which was very simple to use, but it is hard to find and needs a specific and very old firefox to run on, not to mention it is very flaky and can crash easily.
Disclaimer: This post is very informative and can give you a good picture of the ways to MITM and the tools of the trade, that being said, it disregards HTTPS which can be found on many sites and will be found on more and more sites as time passes, so most of the above tools won't work today as most sites use HTTPS.
(Yes, I am sorry :-), I will do some more research and find the tools which work on HTTPS and post a new article).
Comments