Authors: Muvhunzwi Peacemaker, Addis Abebe Feyso, Samuel Birhanu
Supervisor: Bruno Crispo
2 Environment Setup
2.1 Ettercap
2.1.1 Installation of Ettercap graphical
2.2 MitmProxy
2.2.1 Installation of Mitmproxy
2.3 SSLSPLIT
2.3.1 Installation of sslsplit
2.4 Apache web server
2.4.1 Installation of Mysql
2.5 Websites
3 Protocol detail
3.1 Http Protocol
3.2 Https Protocol
4 Attack-1
4.1 Address Resolution Protocol (ARP)
5 Attack-2
5.1 Transport Layer Security
5.2 Secure Sockets Layer
6 References
1 Introduction
One of the most common network attacks used against individuals and large organizations is the man-in-the-middle (MITM) attack. It works by establishing connections to the user machines and relaying messages between them. Each user believes it is communicating directly with the other user or server, when in reality the communication flows through the attacker's machine. The end result is that the attacker can not only intercept sensitive data, but can also inject into and manipulate the data stream to gain further control over the victim. The purpose of this lab is to introduce you to the concept of the man-in-the-middle attack and the tools used for this kind of attack, and to give you a general idea of how this attack is performed in real-life scenarios. At the end of this lab we will give you an idea of the mitigation techniques that can be used to prevent this kind of attack. There are different forms of MITM attacks, such as ARP poisoning, eavesdropping, WiFi WEP/WPA/WPA2 hacking, DNS spoofing, and port stealing.
2 Environment Setup
In this lab you will insert yourself in the middle of a connection between a client and a server to perform a Man-in-the-Middle (MitM) attack. The attack will be done in a virtual environment using VirtualBox. Three virtual machines will be used for this lab: one of them will be the server, another will be the client, and the third machine will be the attacker. In detail we will have:
A server running Ubuntu 16.04 LTS with an IP address of 192.168.0.1 and MAC address of 08:00:27:9c:07:2b
An attacker running Ubuntu 16.04 LTS with an IP address of 192.168.0.3 and MAC address of 08:00:27:7d:ac:89
2.1 Ettercap
Ettercap provides many features for network and host analysis. It offers four
modes of operation which are
2.1.1 Installation of Ettercap graphical
To install ettercap-graphical on the attacker virtual machine:
Step 1: Update the package lists
$ sudo apt-get update
Step 2: Install ettercap-graphical
$ sudo apt-get install ettercap-graphical
2.2 MitmProxy
Mitmproxy is an open source proxy application that allows intercepting HTTP connections between any HTTP client and a web server using a typical MITM attack. It accepts connections from clients and forwards them to the destination server. The goal of mitmproxy is to let an attacker monitor, capture and alter these connections in real time.
For plain-text HTTP connections, mitmproxy accepts a connection from the HTTP client, displays the request to the attacker on the screen, and forwards the request to the destination web server as soon as the attacker confirms it, possibly after adjusting the request. mitmproxy simply acts as a middle man: to the client, it looks as if the mitmproxy server were simply relaying its connection, and to the server, it looks as if the mitmproxy server were the client.
2.2.1 Installation of Mitmproxy
The first step to install mitmproxy on the attacker virtual machine is to install pip3, python3-dev and several libraries using the following command:
$ sudo apt-get install python3-dev python3-pip libffi-dev libssl-dev
The second step is to install mitmproxy using the command below:
$ sudo pip3 install mitmproxy
2.3 SSLSPLIT
SSLsplit is a tool for man-in-the-middle attacks against encrypted HTTPS
connections. Connections are transparently intercepted through a network
address translation engine and redirected to SSLsplit. SSLsplit terminates
SSL/TLS and initiates a new SSL/TLS connection to the original destination
address, while storing all the data transmitted in log files. SSLsplit acts as
a middle man between the client and the actual server if traffic is being
redirected to the server on which SSLsplit is running by changing the default
gateway or ARP spoofing. It picks up SSL connections and pretends to be
the server the client is connecting to. To do so, it dynamically generates a
certificate and signs it with the private key of a CA certificate that the client
must trust.
2.3.1 Installation of sslsplit
The first step to install sslsplit on the attacker virtual machine is to download the SSLsplit archive and extract it as follows:
$ wget http://mirror.roe.ch/rel/sslsplit/sslsplit-0.4.7.tar.bz2
$ bunzip2 sslsplit-0.4.7.tar.bz2
$ tar xvf sslsplit-0.4.7.tar
Then install the following packages and compile the source code:
$ apt-get install libssl-dev libevent-dev
$ cd sslsplit-0.4.7
$ make
2.4 Apache web server
$ sudo apt-get install apache2
To install MySQL, we install the package mysql-server by running the
following command
$ sudo apt-get install mysql-server
To install PHP, we install packages php5 and libapache2-mod-php5 as
follows
$ sudo apt-get install php5 libapache2-mod-php5
2.5 Websites
To be able to demonstrate the MITM attack, we created a shopping website where the client has to log in and fill in some details to complete an order. This is the information that the attacker will manipulate.
We hosted an HTTP and an HTTPS website on the server virtual machine. The HTTP website is http://shop.com while https://ssl.shop.com is the HTTPS website.
We generated a self-signed X.509 certificate for the domain https://ssl.shop.com. We moved the .crt file into the folder /etc/ssl/certs and the .key file into the folder /etc/ssl/private. We also added the IP address and domain names of the websites to the hosts file (/etc/hosts) of the client and attacker virtual machines, so these domains will be resolved locally. The configuration files for the two websites mentioned above were copied to the /etc/apache2/sites-enabled directory. In the end the web application was set up in the /var/www/shop.com/public_html and /var/www/ssl.shop.com/public_html folders.
To set up a MySQL database for the websites, we installed phpMyAdmin on the server virtual machine. phpMyAdmin is MySQL database management software available for Windows and Linux based machines. To log in to phpMyAdmin use username root and password 123456.
3 Protocol detail
3.1 Http Protocol
The Hypertext Transfer Protocol (HTTP) is an application-level protocol of the TCP/IP protocol suite. It is the communication protocol used to deliver data on the World Wide Web. The default port is TCP 80, but other ports can be used as well. HTTP is a stateless protocol, since the server and client are aware of each other only during the current request. It is a request/response protocol based on the client/server model. The HTTP client sends a request to the server in the form of a request method, URI and protocol version, while the server responds with a status line including the message's protocol version and a success or error code. HTTP (and HTTPS) define several request methods, including the GET and POST methods. The GET method is used to request a representation of a specified resource and should only retrieve data that already exists on the server or return an error. The POST method is used to request that the server accept the data enclosed in the body of the request and probably store it as a new resource.
The major drawback of HTTP is that all communication is in plain text and can be read by a man in the middle who manages to insert himself into the connection between the client and the server. For secure web communication, we need to use the HTTPS protocol.
3.2 Https Protocol
When a client requests an HTTPS connection to a server, the server will send its SSL certificate to the client. This certificate contains the public key needed to begin the secure session. The client and the server then initiate the SSL handshake. The SSL handshake involves the generation of shared secrets to establish a unique secure connection between the client and the server. When a trusted SSL digital certificate is used during an HTTPS connection, clients will see a padlock icon in the browser address bar.
4 Attack-1
In this attack we will demonstrate an attack on the HTTP protocol using Ettercap, mitmproxy and the website http://shop.com. We will also introduce the idea of ARP poisoning, which is one of the basics of this attack.
Step 1: After verifying that the machines are connected, check the ARP tables of the virtual machines.
Before the attack, the two machines connected to each virtual machine on the interface enp0s3 have different IP and MAC addresses.
Step 2: Start Ettercap using the command below on the attacker virtual machine
$ sudo ettercap -G
4.1 Address Resolution Protocol (ARP)
ARP allows systems to associate an IP address with a MAC address. Systems keep an ARP look-up table where they store which IP addresses are associated with which MAC addresses. When trying to send a packet to an IP address, the system will first consult this table to see if it already knows the MAC address. ARP tables are built using either the ARP request-reply mechanism or the gratuitous ARP mechanism. In the ARP request-reply mechanism the sender broadcasts a request with the IP address of the receiver on the network and the receiver replies with its MAC address. In the gratuitous ARP mechanism, a machine broadcasts its own IP and MAC address on the network.
What is ARP poisoning?
ARP replies and gratuitous ARP do not require any additional confirmation. Thus, the attacker can send a falsified ARP broadcast over the network. This results in linking the attacker's MAC address to the IP address of another user on the network.
Step 3: Perform the ARP poisoning using Ettercap
After pressing Ok on the window you see, go to Hosts on the upper menu bar.
Click the Hosts option on the upper menu bar again.
Then you should be able to see the IP addresses of the client and the server along with their MAC addresses.
On the Ettercap window go to Mitm on the upper menu bar.
Click Ok.
Step 4
Check the ARP tables of the client and the server virtual machine by typing arp -a
After the ARP poisoning attack, we can see that the two machines connected to the victims have the same MAC address, so our attack was a success.
Are there ways to mitigate ARP poisoning?
One solution to prevent the ARP cache from being poisoned, and thereby protect against ARP spoofing, is to add static IP-MAC entries to the cache. A static ARP entry is not overwritten by ARP replies that are received, unlike a dynamic ARP cache entry.
We can set a static entry for the server in the cache of the client machine using the following command (the MAC address is the server's, from the environment setup):
$ sudo arp -s 192.168.0.1 08:00:27:9c:07:2b
ARP poisoning will not work after using a static ARP entry. Another solution is to use an Intrusion Detection System (IDS) to detect ARP poisoning attacks.
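As an added example for this lab (not part of the original lab text), the following Python script automates the check from step 4 and the IDS suggestion above: it parses the output of arp -a, flags any MAC address that is claimed by more than one IP (the symptom seen on the victims after the poisoning), and flags known hosts whose cached MAC differs from the binding the lab defines. The arp -a lines are constructed samples in Linux net-tools format; the expected server and attacker MACs are the ones listed in the environment setup, and the function names are this example's own.

```python
"""ARP-cache consistency check for the lab network (added example)."""
import re
from collections import defaultdict

# Expected IP -> MAC bindings taken from the lab's environment setup.
EXPECTED = {
    "192.168.0.1": "08:00:27:9c:07:2b",  # server
    "192.168.0.3": "08:00:27:7d:ac:89",  # attacker machine
}

# Constructed `arp -a` output on the client before the attack (step 1).
BEFORE_ATTACK = """\
ssl.shop.com (192.168.0.1) at 08:00:27:9c:07:2b [ether] on enp0s3
? (192.168.0.3) at 08:00:27:7d:ac:89 [ether] on enp0s3
"""

# Constructed `arp -a` output on the client after the poisoning (step 4):
# the server's IP now carries the attacker's MAC.
AFTER_ATTACK = """\
ssl.shop.com (192.168.0.1) at 08:00:27:7d:ac:89 [ether] on enp0s3
? (192.168.0.3) at 08:00:27:7d:ac:89 [ether] on enp0s3
"""

# net-tools prints "<name> (<ip>) at <mac> [ether] on <iface>".
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: mac} for every resolved entry in `arp -a` output."""
    table = {}
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if match:  # "<incomplete>" entries have no MAC and are skipped
            table[match.group("ip")] = match.group("mac").lower()
    return table


def find_duplicate_macs(table):
    """MACs claimed by more than one IP: {mac: [ip, ...]}."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def find_mismatches(table, expected):
    """Known hosts whose cached MAC differs: {ip: (expected_mac, seen_mac)}."""
    return {
        ip: (expected[ip], table[ip])
        for ip in expected
        if ip in table and table[ip] != expected[ip]
    }


def check_arp_table(text, expected=EXPECTED):
    """Run both checks; two empty dicts mean the cache looks consistent."""
    table = parse_arp_table(text)
    return {
        "duplicates": find_duplicate_macs(table),
        "mismatches": find_mismatches(table, expected),
    }


if __name__ == "__main__":
    for label, sample in (("before", BEFORE_ATTACK), ("after", AFTER_ATTACK)):
        print(label, check_arp_table(sample))
```

On a real client the text would come from running arp -a (for example via subprocess.check_output(["arp", "-a"], text=True)) on a schedule. The check only sees the cache, not the forged ARP frames themselves, so a network IDS watching for unsolicited replies and gratuitous ARP that contradicts known bindings is the complementary measure the text refers to.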
Step 5: Redirecting the traffic
By default mitmproxy listens on TCP port 8080. To allow interception we will redirect all incoming HTTP traffic to port 8080, where mitmproxy listens, and HTTPS traffic to port 8443, where sslsplit listens.
To activate IP forwarding use the command below
$ sudo sysctl -w net.ipv4.ip_forward=1
We remove any previous entries to prevent conflicting entries using the following command
$ sudo iptables -t nat -F
Next we redirect all incoming HTTP traffic to port 8080
$ sudo iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 80 -j REDIRECT --to-port 8080
Finally we redirect all incoming HTTPS traffic to port 8443
$ sudo iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 443 -j REDIRECT --to-port 8443
Step 7: On the client machine open the web browser and access the website http://shop.com. On the login page enter the username and password given as
Username: user
Password: 123456
In the image above we can see the information exchange between the client and the server. The attacker can get all the sensitive data of the communication and all the details of the conversation between the client and the server, such as the port number, protocol version and connection establishment procedure.
Step 9: Modifying the conversation
Mitmproxy allows you to intercept the traffic and modify the information. You will need to use .* as the intercept filter and press the Enter key. This allows you to intercept all requests and responses.
To forward these requests to the server and the responses to the client, click on them and press a.
In the client browser enter your information to confirm the purchase and the delivery.
Use the arrow keys to navigate to the values you want to edit.
After modifying a value press the Esc key and move down to the next value using the arrow keys.
Once you finish editing press q to go back and accept the request and the response.
To check if the changes were successful, check the client web browser.
This attack is possible due to the lack of security in the HTTP protocol and the lack of authentication between the server and the client. Thus, it is recommended to use the HTTPS protocol, which is a secured version of HTTP. There are three effective ways to defend against a man-in-the-middle attack even without SSL. These methods encrypt the data traffic between you and the server you are connecting to, and also include some kind of end-point authentication. The first method is using a Virtual Private Network (VPN), a secure connection that extends a private network across a public network, so that you benefit from the functionality, security and management policies of the private network. The second method is utilizing a proxy server with data encryption, which lets you encrypt the transmission between you and the proxy. The last method is the use of Secure Shell (SSH), which is a network protocol for remote administration of UNIX/Linux hosts. SSH is typically used to log into a remote machine and execute commands, but it also supports tunnelling, forwarding TCP ports and X11 connections. An SSH tunnel consists of an encrypted tunnel created through an SSH protocol connection. Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel.
5 Attack-2
We will demonstrate an attack on the HTTPS protocol using Ettercap and sslsplit. This attack will be performed on https://ssl.shop.com, which is an HTTPS-based shopping website. To change HTTP to HTTPS we can use either TLS or SSL to encrypt the information transmitted between the client and the server.
How to create and install a CA certificate
$ cd sslsplit-0.4.7
Step 3: Access the secure website https://ssl.shop.com on the client machine
As shown in the image above, the browser gives a warning since the connection is using a self-signed certificate that is not trusted by the browser. To ignore this warning, click on Advanced > Add Exception > Confirm Security Exception.
To be able to see the certificate created, on the client web browser click on the key icon > click on the arrow pointing to the right > select More Information > click on View Certificate.
Step 3: View the captured traffic in sslsplit
After completing the login details on the website, sslsplit saves the log files for each request and response in the /tmp/sslsplit/logdir directory we created:
$ cd /tmp/sslsplit/logdir
$ ls
To view the contents of the file
Then press the Tab key and a number will appear; then press the Tab key twice. Enter the next 2 or 3 digits which are unique to the file you want to see, then press the Tab key for auto-completion and press the Enter key.
How to prevent such kind of attack
Since this attack is also based on ARP poisoning, all the mitigation measures suggested before can be used. The availability of OpenSSL as open source allows attackers to create self-signed certificates easily. Thus, users should take the warnings given by the browser into account and not continue to the website, since the connection might be passing through a man in the middle. In addition, users should check the URL they are visiting: if it is secured by a trusted SSL CA, some browsers show a green padlock or a green URL. We can use HTTP Strict Transport Security (HSTS), which mitigates attacks on servers by enabling web sites to declare themselves accessible only via HTTPS. The Public Key Pinning Extension for HTTP can also be implemented; it mitigates attacks on servers by enabling web sites to declare fingerprints of allowed server and CA certificates. When transferring sensitive information, users should avoid using public WiFi hotspots, since some of them will act as a man in the middle and steal or modify the information they are routing between the user and the Internet.
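As an added example (not part of the original lab text), the following Python code shows what a browser or HTTP client does with the Strict-Transport-Security header mentioned above, following RFC 6797: it remembers the policy, upgrades later http:// requests for that host to https://, and refuses the click-through "add exception" path for a certificate error on a known host, which is exactly the warning the client clicked through in Attack-2. ssl.shop.com is the lab's own site; the header values, the clock values and the class and function names are this example's own.

```python
"""Client-side HSTS policy handling per RFC 6797 (added example)."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse an STS header value into (max_age_seconds, include_subdomains).

    Returns None when there is no valid max-age directive, in which case the
    header must be ignored (RFC 6797 section 6.1).
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Per-host HSTS policies with expiry, as a browser keeps them."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._policies = {}    # host -> (expires_at, include_subdomains)

    def remember(self, host, header_value, received_over_tls=True):
        """Record a policy. Returns True if the header was accepted."""
        if not received_over_tls:   # STS over plain HTTP is ignored (s8.1)
            return False
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:            # max-age=0 deletes the stored policy
            self._policies.pop(host, None)
        else:
            self._policies[host] = (self._now() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._policies.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:   # expired policies no longer apply
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def enforce(self, url):
        """Rewrite http:// to https:// for known hosts (port 80 becomes 443)."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_known(host):
            return url
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def allow_cert_override(self, host):
        """A certificate warning may be clicked through only for non-HSTS hosts."""
        return not self.is_known(host)


if __name__ == "__main__":
    store = HstsStore()
    store.remember("ssl.shop.com", "max-age=31536000; includeSubDomains")
    print(store.enforce("http://ssl.shop.com/login"))
    print("override allowed:", store.allow_cert_override("ssl.shop.com"))
```

The policy only helps on the second and later visits: the first response from the server has to arrive over a genuine TLS connection for the header to be stored, which is why browsers also ship a preload list. Once the policy is stored, the self-signed certificate presented by sslsplit becomes a hard error for ssl.shop.com instead of a warning with an "add exception" button.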
6 References
1. https://www.concise-courses.com/man-in-the-middle-attack/
2. https://www.devmanuals.net/install/ubuntu/ubuntu-16-04-LTS-Xenial-Xerus/how-to-install-ettercap-graphical.html
3. https://www.darknet.org.uk/2016/12/ettercap-man-in-the-middle-attack-suite/
4. http://docs.mitmproxy.org/en/stable/install.html
5. https://blog.heckel.xyz/2013/07/01/how-to-use-mitmproxy-to-read-and-modify-https-traffic-of-your-phone/
6. https://blog.heckel.xyz/2013/08/04/use-sslsplit-to-transparently-sniff-tls-ssl-connections/
7. http://howtoubuntu.org/how-to-install-lamp-on-ubuntu gq0wodUVE
8. https://code.tutsplus.com/tutorials/an-introduction-to-apachenet-25786
9. https://www.instantssl.com/https-tutorials/what-is-https.html
10. https://www.instantssl.com/ssl-certificate-products/https.html
11. http://desadware.com/articles/security/3-effective-ways-defend-man-middle-attack-mitm/
12. https://tools.ietf.org/html/rfc826