MITM Labs/Bettercap Over Wifi
From charlesreid1
Lab Scenario/Overview
This lab covers the use of Bettercap to carry out a Man in the Middle attack on a wifi network. This also covers the case of SSL encryption and how it may be defeated using other tools like SSLStrip.
Check out the Ettercap and Bettercap pages for more notes.
Setting Up
Let's walk through the setup required for this type of attack. This does not require any kind of tricky setup. It's a fast and easy attack to carry out, and an attack that virtually all networking equipment is susceptible to.
Wifi Network
This lab will utilize a standard home wifi router, which incorporates an ethernet switch and a wireless router all on board a single device and on a single LAN. The router is the gateway, 192.168.0.1, and both the sheep and the attacker are laptops connected to the router via wifi.
Sheep
The sheep is a normal laptop connected to the wifi. Given the failures with HTTP traffic with Dsniff, this lab will aim low and focus on intercepting HTTP and HTTPS traffic only. We'll work on SSH, email, and SQL some other time. The sheep is at 192.168.0.7.
Attacker
The attacker is the same model of laptop, same operating system, connected to the wifi. The attacker is at 192.168.0.8.
Execution
Once the components are in place, we proceed with the execution of the attack. Of course, we start the execution with passive listening and information gathering.
Plan
The attack steps are as follows:
- Perform recon and gather information about gateway, sheep, network, hardware
- Prepare for ARP poisoning attack (packet forwarding, network interface setup, etc.)
- Run ARP poisoning attack to broadcast packets to poison ARP tables of sheep and router
- Run dsniff and/or urlsnarf to capture goodies from HTTP traffic (good example site: nytimes)
- Start with HTTP traffic goodies
- Add SSLStrip and aim for HTTPS traffic goodies
Step 1: Recon/Info Gathering
The ARP poisoning attack requires us to be on the same subnet as our victim. If this is a foreign network, there are a couple of things we might want to know about it:
- How many other clients are there on the network?
- What is the volume of traffic on this network?
- Is this network administered? What is the potential the network is monitored?
- What kind of network router/other hardware is present?
If we're on a network like 192.168.0.* we can get a very quick picture of what other computers are on the network by doing a fast scan, or by scanning a particular port:
$ nmap -F 192.168.0.*
If you want more detailed information about the types of devices that are running, what operating systems, etc, you can run with the -A flag:
$ nmap -A 192.168.0.*
With this type of Nmap scan, it is possible to discover the following information:
- Router manufacturer from MAC address lookup
- Service information and operating system
- Open ports on router/sheep
- Other potential attack vectors
Step 2: Prepare for ARP Poisoning
First, keep in mind the disclaimer section on the Man in the Middle/ARP Poisoning page. This will generate lots of network traffic, lots of network collisions, slow down network service by a significant amount, and be very loud packet-wise.
Gather required information
You'll want to pick out your sheep target and the gateway router, and record the MAC address and IP of each. Here's the configuration for my laboratory:
Role      IP           Example MAC
Gateway   192.168.0.1  11:11:11
Sheep     192.168.0.7  22:22:22
Attacker  192.168.0.8  AA:AA:AA
Set up packet forwarding
NOTE: Ettercap will take care of this automatically.
When we carry out the ARP attack, we're confusing nodes on the network about which physical computer corresponds to which IP address. It's important that we keep traffic moving, however, or else the entire network will come to a grinding halt. We can do this by forwarding packets. That means that when the gateway sends a packet intended for the sheep, and it gets to the attacker instead, the attacker's network card will simply forward the packet along.
echo 1 > /proc/sys/net/ipv4/ip_forward
Remember: not necessary with Ettercap.
Change your MAC
Important: change the MAC address of the wireless interface you're using to connect to the wireless:
$ ifconfig wlan1 down
$ macchanger -r wlan1
$ ifconfig wlan1 up
Step 3: ARP Poisoning
Now you are ready to carry out the ARP poisoning attack with Bettercap. It's important to note that Bettercap has significantly better performance with MITM attacks - there was absolutely no sign of lag or fishy behavior running a MITM with Bettercap, whereas it was painfully obvious something funny was going on when using Ettercap to conduct a MITM.
This command will spoof a single sheep, according to the scenario we outlined above:
$ bettercap -I wlan0 -O bettercap.log -S ARP --gateway 192.168.0.1 --target 192.168.0.7
This command will ARP spoof an entire network, running everyone's traffic through you. Unlike Ettercap, which struggled with traffic from one client, this command actually works, and you can plausibly spoof an entire network without users noticing anything:
$ bettercap -I wlan0 -O bettercap.log -S ARP -X
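From the defender's side, the run above leaves a recognisable trace in every client's ARP cache: the gateway IP suddenly resolves to a different MAC, and one MAC ends up answering for several IPs at once. The following checker is an added example (not part of the original lab or of Bettercap) that models the sheep's cache from the Step 2 table and replays a constructed sequence of ARP replies, so you can see exactly which entries a monitor should flag. The MACs are the lab's placeholders padded to six octets, and the de:ad:be:ef:00:01 address stands in for whatever macchanger -r assigned; none of it is captured traffic.

```python
"""ARP-cache consistency checker (added example, not from the original lab).

Replays constructed ARP replies against a baseline cache and reports
(a) any IP whose MAC changes and (b) any MAC that claims more than one IP,
which is what an ARP poisoning run against gateway + sheep looks like.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Baseline from the lab's configuration table (placeholder MACs, padded).
BASELINE = {
    "192.168.0.1": "11:11:11:11:11:11",  # gateway
    "192.168.0.7": "22:22:22:22:22:22",  # sheep
    "192.168.0.8": "aa:aa:aa:aa:aa:aa",  # attacker, before macchanger
}

# Constructed ARP replies (sender IP, sender MAC) as the sheep would see them:
# normal traffic first, then the poisoning run. The attacker randomised its MAC
# with macchanger -r, so the poisoned entries carry a MAC that is not in BASELINE;
# detection therefore relies on conflicts, not on knowing the attacker's MAC.
REPLIES = [
    ("192.168.0.1", "11:11:11:11:11:11"),
    ("192.168.0.7", "22:22:22:22:22:22"),
    ("192.168.0.8", "de:ad:be:ef:00:01"),  # attacker after macchanger -r
    ("192.168.0.1", "de:ad:be:ef:00:01"),  # "the gateway is at my MAC"
    ("192.168.0.7", "de:ad:be:ef:00:01"),  # "the sheep is at my MAC"
]


@dataclass
class ArpMonitor:
    cache: dict = field(default_factory=dict)   # ip -> mac, current view
    alerts: list = field(default_factory=list)  # human-readable change log

    def observe(self, ip: str, mac: str) -> None:
        """Update the cache from one ARP reply, logging any IP->MAC change."""
        mac = mac.lower()
        old = self.cache.get(ip)
        if old and old != mac:
            self.alerts.append(f"{ip} changed {old} -> {mac}")
        self.cache[ip] = mac

    def shared_macs(self) -> dict:
        """Return {mac: [ips]} for every MAC that currently claims >1 IP."""
        by_mac = defaultdict(set)
        for ip, mac in self.cache.items():
            by_mac[mac].add(ip)
        return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}

    def gateway_conflict(self, gateway_ip: str) -> bool:
        """True when the gateway's IP shares its MAC with another host."""
        mac = self.cache.get(gateway_ip)
        return gateway_ip in self.shared_macs().get(mac, [])


def check(baseline: dict, replies: list) -> ArpMonitor:
    """Feed a reply sequence into a monitor seeded with the baseline cache."""
    mon = ArpMonitor(dict(baseline))
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon


if __name__ == "__main__":
    mon = check(BASELINE, REPLIES)
    for line in mon.alerts:
        print("ALERT:", line)
    for mac, ips in mon.shared_macs().items():
        print(f"MAC {mac} claims {', '.join(ips)}")
    print("gateway hijacked:", mon.gateway_conflict("192.168.0.1"))
```

Note that the attacker's own MAC change (from the macchanger step) is also reported, because the checker only knows that 192.168.0.8 used to answer from a different address; on a real network a legitimate NIC swap produces the same single alert, whereas the poisoning run produces the gateway change plus one MAC holding three IPs, which is the combination worth paging on.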
Step 5: Parsing the Output
The output takes a little bit of understanding, and I'm still trying to figure out what's passed in plaintext and where I can test this out.