
MITM with bettercap


1.Introduction to MITM


1.1.What is MITM


MITM, short for Man-In-The-Middle, is a network attack performed on a local network in which the attacker can intercept, eavesdrop on or even modify network packets flowing between two hosts. The attacker does so by placing themselves between the two devices so that the traffic between them passes through the attacker's computer.




1.2.HOW IS MITM PERFORMED?


MITM is performed with the help of another local network attack called ARP Poisoning. ARP stands for Address Resolution Protocol.


1.2.1.ARP


ARP is the protocol that lets devices on a network map an IP address to the hardware (MAC) address that frames on the LAN are actually delivered to. When a sender knows the receiver's IP address but not its MAC address, it broadcasts an ARP request to every host on the segment. The host that owns that IP address replies with a unicast ARP response to the device the broadcast came from. In this way the sender learns the MAC address of the receiver.


An ARP request contains the sender's IP address, the sender's MAC address, the receiver's IP address and the receiver's MAC address; since the latter is not yet known, the request is sent to the broadcast MAC address ff:ff:ff:ff:ff:ff.


1.2.2.ARP poisoning/Spoofing


ARP Poisoning is a type of cyberattack carried out over a Local Area Network (LAN) that involves sending maliciously crafted ARP packets to the default gateway (the router) in order to alter the IP-to-MAC pairings in its ARP table, thus poisoning its ARP cache.

The attacker sends specially crafted ARP packets to both the gateway and the target.

This allows the attacker to place themselves in between the victim and the gateway. The attacker can now eavesdrop, manipulate packets, drop packets, capture clear-text passwords and hijack sessions among other things.
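A defender-side check for the poisoning just described, added here as an example that is not part of the original post: it scans a constructed list of observed ARP replies and flags the indicators a poisoned LAN shows (one IP answered by two MACs, one MAC answering for both the gateway and a host, and the gateway IP answered by a MAC other than a trusted baseline). The gateway IP and baseline MAC are assumed values.

```python
from collections import defaultdict

# Assumed values for the example: the gateway's IP and its MAC from a trusted baseline
# (e.g. recorded while the network was known to be clean).
GATEWAY_IP = "192.168.1.1"
KNOWN_GATEWAY_MAC = "aa:bb:cc:00:00:01"

# Constructed sample of ARP replies as a passive sniffer on the LAN would see them:
# (sender IP, sender MAC). The last two entries are what full-duplex poisoning looks like.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # legitimate gateway reply
    ("192.168.1.20", "aa:bb:cc:00:00:20"),  # victim's own reply
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by another MAC
    ("192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC also claims the victim's IP
]


def analyse_arp_replies(replies, gateway_ip, known_gateway_mac=None):
    """Return a list of alert strings describing ARP spoofing indicators.

    Indicators checked:
      * an IP answered by more than one MAC (the victims' caches would flip)
      * one MAC answering for several IPs including the gateway (full-duplex poisoning)
      * the gateway IP answered by a MAC that differs from the trusted baseline
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for ip, mac in replies:
        ip_to_macs[ip].add(mac.lower())
        mac_to_ips[mac.lower()].add(ip)

    alerts = []
    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            alerts.append(f"IP {ip} claimed by multiple MACs: {sorted(macs)}")
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1 and gateway_ip in ips:
            others = sorted(ips - {gateway_ip})
            alerts.append(f"MAC {mac} claims the gateway {gateway_ip} and {others}")
    if known_gateway_mac:
        for mac in ip_to_macs.get(gateway_ip, ()):
            if mac != known_gateway_mac.lower():
                alerts.append(f"gateway {gateway_ip} answered by unexpected MAC {mac}")
    return alerts


if __name__ == "__main__":
    for alert in analyse_arp_replies(SAMPLE_ARP_REPLIES, GATEWAY_IP, KNOWN_GATEWAY_MAC):
        print("ALERT:", alert)
```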



1.3.Using Bettercap to perform MITM


As we have seen, MITM can only be performed once the attacker has executed an ARP spoofing attack and placed themselves in the middle. So, the first step is to perform an ARP Spoofing attack.


There are various utilities such as arpspoof and driftnet that can help us perform ARP Spoofing. However, I will be using a well-known utility called Bettercap, often described as the Swiss Army Knife for WiFi, Bluetooth Low Energy, wireless HID hijacking and MITM attacks.


The Bettercap modules I am interested in for an MITM attack are:

  1. net.probe
  2. arp.spoof
  3. http.proxy
  4. net.sniff
  5. dns.spoof


I will not go into detail about what each of these modules does; that can easily be found by typing the following in Bettercap.


  • help <module_name>


1.3.1.STEP 1 : Launching the Bettercap-cli


  • sudo bettercap -i <interface_name>


1.3.2.STEP 2 : Listing all the devices connected to the network 


  • net.probe on
  • net.show


The first command probes every IP on the network and reports the active ones.

The second command lists the discovered devices in a tabular format.



1.3.3.STEP 3 : Launching the  ARP Spoofing  attack 


  • set arp.spoof.fullduplex true
  • set arp.spoof.targets  <victim IP>
  • arp.spoof on


The first command enables full-duplex mode, which spoofs both the gateway and the victim(s) simultaneously.

The second command sets the victim's device as the target, so only the victim's device is affected by the ARP Spoofing attack and other devices on the network are left alone. If no target is set, Bettercap will attempt to attack the entire network.

The third command launches the attack.



1.3.4.STEP 4 : Sniffing the packets


  • net.sniff on

Now all of the victim's network activity is visible in my terminal, which means the attack has succeeded. If the victim logs in to a website that doesn't use HTTPS, I can capture their credentials in plain text.

But MITM is not limited to capturing plain-text credentials. One can even compromise the entire system with this attack.



2.MITM DONE - WHAT'S NEXT?


Once the attacker has successfully performed an MITM attack, they can perform a variety of other attacks such as:

  1. DNS Spoofing
  2. JavaScript Injection
  3. HTTPS Downgrading or SSL Stripping
  4. Stealing Cookies
  5. Sniffing Passwords
  6. Denial of Service (DoS)
  7. Malware Injection



2.1.DNS SPOOFING


DNS stands for Domain Name System. DNS resolves a domain name to its corresponding IP address. This conversion is essential because browsers can only connect to IP addresses. When we enter a FQDN (Fully Qualified Domain Name) in the browser's address bar, the browser sends a request to a DNS server asking for the IP address of that domain. The DNS server checks its records and replies with the IP address. The browser then connects to that IP address and loads the website.


When the browser receives the IP address of the FQDN, it stores it in its DNS cache. When the same FQDN is entered again, the browser retrieves the IP address from its DNS cache instead of querying a DNS server. This decreases the time taken to load a website.


DNS spoofing or DNS poisoning refers to an attack in which the attacker poisons the DNS cache and alters the domain-to-IP mapping. This enables the attacker to redirect the victim to any website of the attacker's choice.





2.2.JavaScript Injection


JavaScript injection in the context of a Man-in-the-Middle (MITM) attack refers to the unauthorized insertion of malicious JavaScript code into web pages that are being transmitted between a user and a website. In an MITM attack, an attacker intercepts and manipulates the communication between a user and a website, allowing them to modify the content of web pages before they reach the user's browser. This attack can allow attackers to steal cookies or redirect users to phishing websites.




2.3.HTTPS Downgrading or SSL Stripping


HTTPS Downgrading or SSL Stripping involves manipulating the communication between a user and a web server by rerouting the traffic that would flow through a TLS (Transport Layer Security) tunnel via an attacker-controlled proxy. The goal is to intercept and capture the transmitted data in plain-text form. This attack enables the attacker to read the content even though the communication between the user and the web server is meant to be carried over an encrypted TLS channel. By downgrading the connection to an unencrypted state, the attacker can effectively eavesdrop on sensitive information exchanged between the user and the server.
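HSTS (HTTP Strict Transport Security) is the standard browser-side defence against this downgrade. The following is an added example, not code from the original post: it parses a Strict-Transport-Security header and decides whether a browser that has cached it would refuse the plaintext http:// request a stripping proxy needs. Host names and header values are constructed; note that a policy only helps after the first genuine HTTPS visit unless the domain is preloaded.

```python
def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value.

    Returns {"max_age": int, "include_subdomains": bool, "preload": bool},
    or None when the header is absent or carries no usable max-age, in which
    case it gives the browser no policy to enforce.
    """
    if not header_value:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # malformed max-age: treat as no policy
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def downgrade_is_blocked(header_value, policy_host, visited_host):
    """True if a browser that previously received `header_value` over HTTPS from
    `policy_host` would upgrade a plain http:// request to `visited_host` itself,
    leaving an SSL-stripping proxy nothing in plaintext to rewrite."""
    policy = parse_hsts(header_value)
    if policy is None or policy["max_age"] == 0:
        return False  # no policy, or max-age=0 which deletes any cached policy
    if visited_host == policy_host:
        return True
    return policy["include_subdomains"] and visited_host.endswith("." + policy_host)


if __name__ == "__main__":
    # Constructed header as a site might send it over HTTPS.
    hdr = "max-age=31536000; includeSubDomains"
    print("www subdomain protected:", downgrade_is_blocked(hdr, "example.com", "www.example.com"))
    print("no HSTS seen yet:", downgrade_is_blocked(None, "example.com", "example.com"))
```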






2.4.Stealing passwords in plain-text


The attacker can also steal user credentials using an MITM attack. An attacker eavesdropping on the conversation between the user and the server can capture credentials, i.e. usernames and passwords, in plain text when the victim logs in to a website, essentially compromising the victim's account. Even if TLS is in place, the attacker can employ an SSL Stripping attack to downgrade the HTTPS traffic to plain text and capture the credentials.



2.5.DENIAL OF SERVICE (DoS)


A Denial of Service (DoS) attack involves an attacker attempting to overwhelm a system by flooding it with a high volume of data packets, rendering it temporarily or permanently unavailable. The primary objective of a DoS attack is to disrupt the normal functioning of a targeted system or network.


In the context of a Man-in-the-Middle (MITM) attack, a DoS attack can be directed at the gateway. The gateway, being the central point for data transfer within a network, plays a crucial role in mediating communication between devices. By inundating the gateway with an excessive amount of traffic, an attacker aims to saturate its capacity and halt the transfer of data within the network.


Taking down the gateway in a MITM scenario essentially cripples the entire network, as all devices are connected through it. This can lead to a loss of connectivity, disruption of services, and potentially impact the functionality of devices within the network. It's important for network administrators to implement security measures to mitigate the risks associated with DoS attacks, such as traffic filtering, rate limiting, and intrusion detection systems.



2.6.Malware Injection


Malware injection in the context of a Man-in-the-Middle (MITM) attack involves introducing malicious code or software into the communication between a user and a server. The attacker positions themselves between the user and the server, intercepting the data traffic passing between them.

The attacker identifies a specific target within the intercepted communication, such as a file download, a software update, or a webpage the user is accessing. The attacker analyzes the intercepted traffic to understand the structure and content of the communication. This may involve looking for vulnerabilities or weak points in the targeted data. Based on the identified vulnerabilities, the attacker creates a malicious payload. This could be malware-laden files, scripts, or code designed to exploit weaknesses in the target system.

The attacker injects the malicious payload into the intercepted communication. This injection can happen in various ways, such as modifying the content of a file being downloaded, altering a software update package, or injecting malicious scripts into web pages. The manipulated communication, now containing the injected malware, is delivered to the user. The user unknowingly interacts with or downloads the compromised content.

Once the user interacts with the injected content, the malicious payload is executed on their device. This can lead to various malicious activities, such as unauthorized access, data theft, or the installation of additional malware.




Shubh, 7 December 2024