Procedure

Hardware

Conducting an attack with Kali Linux running on a laptop.

The target is a sheep running Android on an HTC Evo. The Evo is about two years out of date.

Connect to Wireless with Phone

Obtain IP address on local network. Next step is to attack.

Surveillance

Start by doing recon. Scan the network with nmap to find the phone's IP:

$ nmap -F 192.168.0.*

-F is for fast scan, which only scans the lowest 100 ports.

This reveals a scan report for Android_A100001B90B222.domain (192.168.0.22).

Now we have our target for the MITM.

Do an aggressive nmap scan so you know what services are running on the sheep:

$ nmap -A 192.168.0.22

No open ports, no running services, and not enough information to produce a specific operating system fingerprint. Well, at least we tried.

MITM with Bettercap

On the Kali machine, run a MITM attack with Bettercap:

$ bettercap -I wlan1 -O betercap_androidmitm.log -S ARP -X --gateway 192.168.0.1 --target 192.168.0.22

then run Wireshark on the attacker machine to verify the traffic is flowing your direction. Running an active filter like !arp makes the traffic a lot easier to follow.

Results

Surprisingly, the phone managed to hold up under the attack.

HTTP pages would NOT load. Apps that required an insecure network connection (e.g., news app) reported a network error.

HTTPS services like Google search, large bank website, and map app worked fine and were not vulnerable to the MITM attack.