A man-in-the-middle attack allows the attacker to eavesdrop between clients, servers, and people. This attack may target HTTPS connections, SSL/TLS connections, and more. In this tutorial, I am going to use Ettercap to perform ARP poisoning as the man-in-the-middle attack, with the help of Wireshark. I am going to intercept e-mail communication between two devices and retrieve the file attached to it.
First, let's go over some basic theoretical concepts.
What is a Man-in-the-middle attack?
A man-in-the-middle (MITM) attack involves three parties: the victim, the person with whom the victim is attempting to interact, and the "man in the middle" who is intercepting the victim's communications. In these scenarios, the victim has no idea about the man in the middle.
A MITM attack occurs when someone listens in on two computers and intercepts, relays, and sometimes even alters the communication between the two machines.
What is ARP Poisoning?
ARP (Address Resolution Protocol) ties a device's physical address (its MAC, or media access control, address) to its IP address on a local area network.
ARP spoofing allows an intruder to inject false ARP information into a local area network so that connections are redirected to the attacker's computer.
What is Ettercap?
Ettercap is an all-in-one open-source suite for man-in-the-middle attacks. It supports live connection sniffing, on-the-fly content filtering, and several other interesting features.
It has many features for network and host analysis, and it can dissect various protocols both actively and passively.
What is Wireshark?
Wireshark is a network protocol analyzer: an application that captures packets from a network it is connected to, such as the connection between your device and your home office or the internet. On a standard Ethernet network, a packet is the basic unit of data.
Wireshark is the most widely used packet sniffer in the world. Like any other packet sniffer, Wireshark does three things:
Packet capture: Wireshark listens in real time on a network link and captures entire streams of traffic, potentially tens of thousands of packets at a time.
Filtering: With filters, Wireshark can slice and dice this flood of live data so that you see exactly the details you need.
Visualization: Like any good packet sniffer, Wireshark lets you jump straight into the middle of a network packet, and it shows whole conversations and network streams on a single screen.
First, start the graphical Ettercap. It is preinstalled in Kali Linux. As soon as Ettercap starts, it sniffs the network and collects the IP addresses of the hosts present on it.
You can find the list of hosts under the host list option. For this tutorial, I am going to perform ARP poisoning; Ettercap offers a few other attack options as well.
Once you have the list of hosts you want to target, add them as Target 1 and Target 2 respectively. Select ARP poisoning from the menu and check the sniff-on-the-network checkbox.
Start Wireshark once the ARP poisoning is running. Select the interface you are working on; here I am working on eth0.
Switch over to the other two virtual machines. Here I am using Ubuntu and Windows 8.1, but you can choose any operating system. Send an email from one target to the other.
Keep in mind that the target machines must be on the same network as the attacker.
Once the email is sent, check that it has been received by the other target. Jump back to Wireshark once the email is received and try filtering on SMTP. If you don't get any packets, that's okay.
Try POP in the filter and you should be able to see packets. Analyze the packets and you'll find the contents of the email you sent, along with any attachments.
Using this technique you can eavesdrop on conversations on the network. You can also modify the communications, and the victim will have no clue that he is interacting with the attacker.
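As an added example that is not part of the original tutorial, here is a passive detector for the ARP poisoning performed above, in the spirit of arpwatch: it watches ARP replies and raises an alert when an IP's advertised MAC changes or when one MAC claims several IPs, which is exactly what poisoning two targets produces. The replies and MAC addresses are constructed sample data, and the attacker MAC is hypothetical.

```python
from collections import defaultdict

# Constructed sample ARP replies as (sender IP, sender MAC), in arrival order.
# 08:00:27:ee:ee:ee is a hypothetical attacker MAC claiming both targets' IPs.
SAMPLE_ARP_REPLIES = [
    ("192.168.56.1", "08:00:27:aa:aa:aa"),   # gateway announces itself
    ("192.168.56.10", "08:00:27:bb:bb:bb"),  # Ubuntu target (target 1)
    ("192.168.56.20", "08:00:27:cc:cc:cc"),  # Windows target (target 2)
    ("192.168.56.10", "08:00:27:bb:bb:bb"),  # benign repeat, nothing changes
    ("192.168.56.10", "08:00:27:EE:EE:EE"),  # target 1 is poisoned
    ("192.168.56.20", "08:00:27:ee:ee:ee"),  # target 2 is poisoned
]

class ArpMonitor:
    """Tracks IP-to-MAC bindings seen in ARP replies and reports anomalies."""

    def __init__(self):
        self.ip_to_mac = {}                 # last MAC advertised for each IP
        self.mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
        self.alerts = []

    def observe(self, ip, mac):
        """Process one ARP reply and return the alerts it triggered."""
        mac = mac.lower()  # normalise case so AA:BB and aa:bb compare equal
        new_alerts = []
        prev = self.ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            # Symptom 1: a known IP suddenly answers from a different MAC.
            new_alerts.append(f"MAC change for {ip}: {prev} -> {mac}")
        self.ip_to_mac[ip] = mac
        if ip not in self.mac_to_ips[mac]:
            self.mac_to_ips[mac].add(ip)
            if len(self.mac_to_ips[mac]) > 1:
                # Symptom 2: one MAC claims several IPs, as a poisoner must.
                ips = ", ".join(sorted(self.mac_to_ips[mac]))
                new_alerts.append(f"MAC {mac} claims several IPs: {ips}")
        self.alerts.extend(new_alerts)
        return new_alerts

def scan_replies(replies):
    """Feed (ip, mac) replies to a fresh monitor and return every alert raised."""
    monitor = ArpMonitor()
    for ip, mac in replies:
        monitor.observe(ip, mac)
    return monitor.alerts

if __name__ == "__main__":
    for alert in scan_replies(SAMPLE_ARP_REPLIES):
        print("ALERT:", alert)
```

In practice the replies would come from a live capture, for example the ARP reply packets (Wireshark filter `arp.opcode == 2`) exported from the same eth0 interface the tutorial sniffs on, rather than from a fixed list.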
How to Protect against MITM attacks
Thankfully, there are a few ways to protect yourself from MITM attacks. A few of them are:
Always make sure the URL bar of the websites you visit still says "HTTPS" (with the S).
Beware of emails asking you to change or update your password or any other type of credentials.
Never click on a provided link; always type the address into the browser manually.
Never use public/free Wi-Fi directly. Always use a VPN when on free Wi-Fi.
Since MITM attacks are mostly executed with the help of malware, make sure to install an antivirus solution such as Quick Heal, Kaspersky, McAfee, or any other of your choice, and always keep it updated.
Keep your home network safe by changing all default passwords to unique and complex ones.
MITM attacks can be used to obtain sensitive information shared over the network. In this swiftly changing world, one should be aware of the types of attack one can face, especially now, during this pandemic, when everyone is working from home and attackers are more active than ever. One must be aware of the threats that can be used.
Finally, I hope you learned something new from this tutorial.