5

I'm TAing a particular course on system security. A specific example is transmitting the password in plain text when developing a web application (as part of a class project).

Over the years a bunch of students don't really 'care about encrypting the passwords' or avoid using SSL as a possible solution (i.e., a SHA-128/256 hash of the password is sent over the wire instead of the plain text, but still no SSL, so I can conduct a replay attack as a result).

I want to be able to 'demo the dangers' of the man-in-the-middle (MITM) and am not sure how to go about it. Students question if someone is really able to pull it off and are curious about the how. I thought it'd be good to 'show it to them'.

So here are the scenarios:

  1. Same wifi connection but no control over the wifi settings (i.e. university wifi)
  2. Same wifi where I can control whatever wifi settings I want (i.e. router etc., under my control in our lab)
  3. Arbitrary adversary over the internet

Now, I think a 'demo' of 2 and 3 should suffice, with an 'idea' of how #3 is exploited in practice (I do not intend to breed hackers, but if there is a way to demo that too it would be the icing on the cake ;)

How exactly can I demo the MITM attack and show them that I got access to their 'plain text' or 'hashed' password and gained access to the said system? Tools to use, scripts to write or a tutorial on 'how to do it' would suffice.

PhD
  • 153
  • 1
  • 4

6 Answers

2

You may be interested in checking out this link for SSLStrip. It's a tool developed by Moxie Marlinspike for MiTM on connections to http that redirect into https. The video has some demos of ways you can use this tool, but the basic idea is you target an insecure login page that redirects to a secured session, set up ARP spoofing, configure iptables, and sslstrip will log data that passes through it. We did a lab once where we set this up on a virtual network and captured passwords as they were sent. This would probably help at least with situation number 2. Hope this helps.

dudebrobro
  • 673
  • 3
  • 7
2

I'd recommend you look into something such as http://sourceforge.net/projects/easy-creds/

This will allow you to leverage a suite of tools to conduct a MitM attack, including SSL strip mentioned in another answer. It helps with the arpspoofing etc.

Peleus
  • 3,827
  • 2
  • 19
  • 20
2

I would start by showing how the MitM works, showing an example of the ARP table before and after the MitM, so they can check that the MAC has changed.

#!/bin/bash
# Relay traffic between two hosts through this machine using dsniff's arpspoof.

if (($EUID != 0)); then
   echo "Only root can run this script"
   exit 1
fi
if (($# != 2)); then
   echo "Usage: ./mitm.sh hostA hostB"
   exit 1
else
   # Forward packets so the two hosts keep their connectivity while being relayed.
   echo 1 > /proc/sys/net/ipv4/ip_forward
   # Tell hostA ($1) that hostB's ($2) IP address belongs to our MAC address.
   arpspoof -i eth0 -t "$1" "$2"
fi

Then it is time to capture traffic. First show them the packet which contains the plain text key when they log in (also you could try logging into the router; many send the password in plain text). After this, you could use sslstrip to show them that they must always pay attention to https when they are logging in.

The Illusive Man
  • 10,587
  • 16
  • 58
  • 89
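One way to make the "before and after" comparison of the ARP table systematic, added here as an example that is not from the answer above: it parses two snapshots of `arp -n` output (the sample output below is constructed, not captured) and flags the two symptoms students should look for, an IP whose MAC changed and one MAC answering for several IPs. Reading the live table assumes a Linux host with net-tools installed.

```python
import re
import subprocess

# Constructed sample output of `arp -n` (Linux net-tools) before and after an ARP spoof:
# afterwards the gateway 10.0.0.1 resolves to the MAC that 10.0.0.23 already had.
ARP_BEFORE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.0.1                 ether   00:11:22:33:44:01   C                     eth0
10.0.0.23                ether   00:11:22:33:44:23   C                     eth0
"""
ARP_AFTER = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.0.1                 ether   00:11:22:33:44:23   C                     eth0
10.0.0.23                ether   00:11:22:33:44:23   C                     eth0
"""

LINE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+ether\s+([0-9a-f:]{17})\s", re.I)

def parse_arp(text):
    """Return {ip: mac} from `arp -n` output; '(incomplete)' entries have no MAC and are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def find_anomalies(before, after):
    """Return (kind, detail) findings: 'changed' = an IP whose MAC differs between the
    snapshots (the gateway rewrite); 'duplicate' = one MAC claiming several IPs."""
    findings = []
    for ip, mac in after.items():
        old = before.get(ip)
        if old and old != mac:
            findings.append(("changed", f"{ip}: {old} -> {mac}"))
    by_mac = {}
    for ip, mac in after.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate", f"{mac} answers for {', '.join(sorted(ips))}"))
    return findings

def live_arp_table():
    """Read the real table on a Linux host (assumes net-tools `arp -n` is installed)."""
    return parse_arp(subprocess.run(["arp", "-n"], capture_output=True, text=True).stdout)

if __name__ == "__main__":
    for kind, detail in find_anomalies(parse_arp(ARP_BEFORE), parse_arp(ARP_AFTER)):
        print(f"[{kind}] {detail}")
```

Students can snapshot `live_arp_table()` before the demo and compare it with a second snapshot afterwards to see the same two findings on their own machines.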
2

Most systems are vulnerable to ARP Cache Poisoning. I think it's a great way to show how MitM attacks are done: poison the victim's ARP cache to route traffic to the MitM machine, use any "interception proxy" to look at the sent data, and manipulate it.

My tool of choice for this is ettercap; it simplifies the ARP attack and can automatically forward the traffic. In combination with burpsuite and/or sslstrip, this would give a great example. There are plenty of those demos; just search for ARP cache poison, ettercap or other known tools.

Depending on the kind of router, you could simply use iptables to reroute traffic or just run a packet dumper on the router.

As for #3, I don't know any details, but DNS Spoofing or an XSS vuln could be used to be able to reroute one's traffic and therefore dump it or manipulate the traffic.

NoMad
  • 141
  • 4
2

I've covered in depth quite a few methods that would allow you to do what you're looking for.

You can use Cain to ARP Poison a WiFi/LAN network and then use Wireshark to sniff the credentials. You can also perform a session hijacking attack which doesn't give you access to the user's credentials but their session ID instead. This means you can impersonate them on the target website once logged in.

You can also use SSLstrip which will attempt to remove the SSL protection on some websites and give you access to clear text credentials.

There are too many articles to link to on my blog but they have all been covered fairly recently: https://www.scotthelme.co.uk

Scott Helme
  • 3,198
  • 3
  • 22
  • 32
0

You can do it like we did

This is a description for a man in the middle solution in hardware