What is man in the middle attack

Man-in-the-middle attack （Man-in-the-Middle Attack, MITM） Is a long-standing means of network intrusion , And today there is still a wide range of development space , Such as SMB Session hijacking 、DNS Attacks such as deception are typical MITM attack . In short , So-called MITM The attack is to intercept normal network communication data , And data tampering and sniffing , And the two sides of the communication have no idea .

arp Agreement and arp The limitations of the attack

Address resolution protocol , namely ARP（Address Resolution Protocol）, It's based on IP Address gets a physical address TCP/IP agreement . When the host sends the information, it will include the target IP Address of the ARP Request broadcast to all hosts on the LAN , And receive the return message , To determine the physical address of the target ; After receiving the return message, it will be IP The address and physical address are stored in the machine ARP Cache and keep it for a certain time , The next time you ask for it, look it up directly ARP Cache to save resources . The address resolution protocol is based on the mutual trust of each host in the network , The host on the local area network can send ARP Reply message , Other hosts will not detect the authenticity of the response message when they receive it, and will record it in the local machine ARP cache .
arp The limitations of the attack ： Exists in the same LAN

Tools used

Bettercap
beef-xss
driftnet

preparation

Bettercap install

Bettercap Is a very powerful 、 Easy to expand and portable framework , use Go To write , Designed for safety researchers 、 Red team members and reverse engineers provide an easy-to-use integrated solution , This includes performing reconnaissance and attack WiFi The Internet 、 All the functions required by Bluetooth low-power devices , wireless HID Equipment and IPv4/IPv6 The Internet .
The main features

• WiFi Network scanning , Remove the authentication attack , No client PMKID Correlation attack and automatic WPA / WPA2 Client handshake capture .
• Bluetooth low power device scanning , Feature enumeration , Reading and writing .
• 2.4Ghz Wireless device scanning and MouseJacking Attack via wireless HID Frame injection （ Support DuckyScript）.
• Passive and active IP Network host detection and reconnaissance .
• For based on IP Of the Internet MITM The attack ARP,DNS and DHCPv6 Spoofing programs .
• Packet level ,TCP Level and HTTP / HTTPS Application level agents are fully scriptable , Easy to implement javascript plug-in unit .
• Powerful network sniffer for credential collection , It can also be used as a network protocol fuzzer .
• Easy to use web The user interface .
• wait .
  Enter... On the command line

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo apt-get install bettercap

Use the following command to open bettercap

┌──(root㉿kali)-[/home/kali/Desktop]
└─# bettercap

After opening, enter the command net.recon on To list the surviving hosts

Input net.show The surviving hosts will be listed in the form of a list

At this time Bettercap It's already installed .

BeEF-XSS install

BeEF-XSS brief introduction

BeEF-XSS It's a very powerful web Framework attack platform , It integrates a lot of payload, Many functions can be realized ！

setup script

BeEF-XSS Can be in kali But now kali There is no pre installed BeEF-XSS So we need to install it ourselves

apt-get update
apt-get install beef-xss

Then type on the command line beef-xss You can start it

stay url Input in ip:3000/ui/panel You can access the console , Enter the default account beef And the password you set yourself can go in

The attack process

start-up arp cheating

stay Bettercap Input in help arp.spoof You can see arp.spoof Help documentation for this module

According to the document, we need to use arp.spoof.targets To designate an attacked ip That is to say set arp.spoof.targets ip

Then input arp.spoof on You can start the attack
It can be seen that the gateway physical address of the target before being attacked is

The physical address after being attacked will become

ping Baidu

Normal access , like this arp Cheating is even successful

adopt driftnet Capture the image of the target target's access page

Start... First driftnet This tool

driftnet -i eth0

Then simulate the victim to visit the web page on the target target

to glance at kali Return picture in

Successfully hijacked ！

Bettercap And beef-xss linkage

Ideas

Use bettercap Conduct arp Cheat and inject beef Of hook js

bettercap operation

Modules used :

arp.spoof
http.proxy
net.probe

set http.proxy.script /home/crack/eval.js
http.proxy on
net.probe on
arp.spoof on

At this time, as long as the target aircraft accesses http Web site open for F12 You can see the inserted js Script

Then you can see in beef It's on the line

ps：eval.js It's from master Lin Jinhuan article

notes ： We can use three tools at the same time to monitor at any time , At the same time, you can also go through wireshark And other monitoring tools to monitor the traffic of the target host to obtain sensitive information such as accounts and passwords .