Stuck in the Middle - This 8-Bit Life
OK kids, today I’m going to try something a bit different. This is going to be an instructional article of sorts. I’m an avid reader of a magazine called 2600, which is a magazine written, produced and distributed by hackers. It’s been an amazing source of knowledge and interesting information for me over the years. But enough with the prefacing. The last issue I read contained a very good article on Man in the Middle attacks and how to leverage them to break SSL. The article was credited to Oddacon T. Rripper, so respect to the writer, as I am borrowing heavily from his work to produce a short, concise explanation of this attack. And of course I should provide a disclaimer stating that I am in no way responsible for how you use this knowledge; I’m simply providing it to you. When I practiced this I did so on my own private network as a proof of concept, and I suggest you do the same. Now on to the basics.
So what do we mean when we say “Man in the Middle”? Well, it’s basically exactly how it sounds. When you request or send data through the internet, you have to do so through some type of gateway device which connects you to your ISP (and then the internet at large). So the concept of a MITM attack is simple: make yourself appear to be the gateway on a network and allow connections to pass through you to the actual gateway. The idea is that any requests for data must pass through you to get to the gateway and then outside, which of course makes you privy to all communications across the network. What we will be doing in this example is directed at one specific target in order to capture their information. Once we’ve established ourselves as the “gateway” we’ll take a look at what we can do with that.
First we need to find a target. I’m going to assume that you already know how to identify a device on a network and enumerate its IP address. For our example we’re just going to say that the target device has an IP address of 192.168.1.3 (TGT) and the actual gateway is 192.168.1.1 (GWY). This can of course be done from any Linux distro, but I’m using Backtrack in this example because it comes pre-built with all the hotness we need. So boot up your Backtrack 4 thumb drive/DVD and connect to the network. **links to all of the tools in this article are embedded in the ‘tools needed’ section.** Now we want to redirect all traffic from TGT to GWY through us, but first we need to be set up to pass that traffic on to the GWY, or TGT won’t be able to actually access anything, and we want that so that we can grab their tasty info. We want to set ourselves up to receive incoming port 80 data on port 8080. Open up a terminal window and type the following:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
This sets us up to catch any data destined for port 80 and redirect it to 8080, which is where we’ll have sslstrip listening later on. From here, though, we still need to allow connections to be forwarded through us, so in the terminal window type:
echo 1 > /proc/sys/net/ipv4/ip_forward
Now we are all set up to begin our attack! We’re going to use arpspoof, which is part of the dsniff toolkit. Bring up your terminal again and type:
arpspoof -i eth0 -t 192.168.1.3 192.168.1.1
Now if you’re connected over wifi you may need to specify a different interface (-i), like wlan0, etc. To break this down, -t is pretty obviously your target, and the next IP is the device (in this case the gateway) that you want to spoof yourself to look like. And that’s it! You are now GWY as far as TGT is concerned. All of TGT’s data is flowing through you. From here there are all sorts of fun things you could do, like capturing packets and sifting through them later, injecting packets into the stream, or even removing SSL from their “secure communications” to view plaintext sessions!
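Seen from the other side of the LAN, the arpspoof step above leaves a clear fingerprint: the gateway’s IP starts answering from a second MAC, and that MAC now claims two IPs. This is an added example, not code from the original post or the 2600 article; the addresses and the baseline ARP table are constructed, and the detector assumes you have a known-good snapshot of the table to compare against.

```python
"""Detect the ARP-cache poisoning that arpspoof performs.
Added example, not from the original post: watch the ARP replies seen
on the LAN and alert when the gateway IP suddenly answers from a new
MAC, or when one MAC claims several IPs. All addresses are constructed.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # the real gateway (GWY in the article)

# Constructed baseline: the clean ARP table recorded before the attack.
BASELINE = {
    "192.168.1.1": "00:11:22:33:44:01",  # gateway
    "192.168.1.3": "00:11:22:33:44:03",  # victim (TGT)
    "192.168.1.9": "00:11:22:33:44:09",  # attacker's own box
}

# Constructed stream of ARP "is-at" replies as a sniffer would log them:
# (sender IP, sender MAC). The last two are what arpspoof sends to TGT.
OBSERVED_REPLIES = [
    ("192.168.1.3", "00:11:22:33:44:03"),
    ("192.168.1.1", "00:11:22:33:44:01"),
    ("192.168.1.9", "00:11:22:33:44:09"),
    ("192.168.1.1", "00:11:22:33:44:09"),  # gateway IP now claims attacker's MAC
    ("192.168.1.1", "00:11:22:33:44:09"),
]


def detect_arp_spoof(replies, baseline, gateway_ip=GATEWAY_IP):
    """Return de-duplicated alert strings for replies that contradict the baseline."""
    alerts = []
    mac_to_ips = defaultdict(set)  # MAC -> every IP it has claimed
    for ip, mac in baseline.items():
        mac_to_ips[mac].add(ip)
    for ip, mac in replies:
        mac_to_ips[mac].add(ip)
        trusted = baseline.get(ip)
        # The baseline stays authoritative: a new MAC is never accepted silently.
        if trusted is not None and trusted != mac:
            kind = "GATEWAY" if ip == gateway_ip else "host"
            alerts.append(f"{kind} {ip} changed MAC {trusted} -> {mac}")
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"MAC {mac} claims {sorted(mac_to_ips[mac])}")
    return list(dict.fromkeys(alerts))  # keep first occurrence, drop repeats


if __name__ == "__main__":
    for alert in detect_arp_spoof(OBSERVED_REPLIES, BASELINE):
        print("ALERT:", alert)
```

The same two checks (gateway MAC change, one MAC claiming several IPs) are what tools like arpwatch alert on; on a switch, dynamic ARP inspection stops the forged replies before any host caches them.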
So, why SSL? Well, it’s used for quite a few secure logins at sites like Facebook, Gmail, PayPal, and quite a few banks. It would take some serious resources to crack SSL, so we’re just gonna do away with it instead. What sslstrip does is force a target to use http instead of https; http of course sends all data as plaintext, human readable. So by using this tool we have effectively interrupted the https request to whatever server is being accessed and told it that the target is only capable of http. Most sites will then default to an http login and allow access. And since all that data has to pass through us, we now have it. So here’s the attack. Type the following in a NEW terminal window; you need to keep the other one going so you can continue to poison TGT’s ARP cache:
sslstrip -a -l 8080
This tells sslstrip to log all SSL and HTTP traffic (-a) and to listen on port 8080 (-l), which is where we redirected everything earlier. From here you can open up sslstrip.log in a text editor, or you can run tail -f sslstrip.log to watch it all stream in and enjoy some plaintext login/password viewing. Better yet, you can run a packet sniffer and grab the whole packets as they come through! Please comment to let me know if you liked this article and if I made any glaring mistakes. That’s really about it, good luck and happy hacking.
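For the person on the receiving end, sslstrip leaves a tell-tale sign too: the server side of the connection is still https, but the victim’s browser ends up POSTing its login over plain http, because the https links in the pages it got back were rewritten. The added example below (not from the original post or the 2600 article) walks a constructed proxy log for exactly that pattern, and shows why a host that sends Strict-Transport-Security never gives sslstrip an http request to work with; the host list, field names and log lines are all constructed.

```python
"""Spot an sslstrip-style downgrade from the defender's side.
Added example, not from the original post. sslstrip keeps https to the
server but hands the victim plain-http pages with the https links
rewritten, so the sign on the wire is a credential POST over http://
to a site known to serve its login only over https. Data is constructed.
"""
from urllib.parse import urlsplit

# Constructed: hosts that serve login only over https and send
# Strict-Transport-Security, so an HSTS-aware browser never issues
# the http:// request that sslstrip relies on.
HSTS_HOSTS = {"mail.example.net", "bank.example.org"}
CREDENTIAL_FIELDS = {"passwd", "password", "pin", "pass"}

# Constructed proxy log: "METHOD URL FORM-FIELDS" ('-' when no form body).
SAMPLE_LOG = """\
GET http://news.example.com/ -
POST https://mail.example.net/login user,passwd
POST http://mail.example.net/login user,passwd
GET http://bank.example.org/ -
POST http://bank.example.org/signin account,pin
"""


def parse_log(text):
    """Turn the log into (method, url, set-of-field-names) tuples."""
    rows = []
    for line in text.splitlines():
        method, url, fields = line.split()
        rows.append((method, url, set() if fields == "-" else set(fields.split(","))))
    return rows


def find_downgrades(rows, hsts_hosts=HSTS_HOSTS):
    """URLs where credentials were POSTed over plain http to an https-only host."""
    hits = []
    for method, url, fields in rows:
        parts = urlsplit(url)
        if (method == "POST" and parts.scheme == "http"
                and parts.hostname in hsts_hosts and fields & CREDENTIAL_FIELDS):
            hits.append(url)
    return hits


def hsts_upgrade(url, hsts_hosts=HSTS_HOSTS):
    """What an HSTS-aware browser does: rewrite http:// to https:// before sending."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in hsts_hosts:
        return parts._replace(scheme="https").geturl()
    return url
```

Run find_downgrades(parse_log(SAMPLE_LOG)) to see the two plaintext logins flagged; hsts_upgrade shows the same http:// URLs being turned into https:// before they ever leave the browser.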