Middle Man Attack

A man-in-the-middle attack is one in which the attacker intercepts messages in a public key exchange and then retransmits them, substituting his own public key for the requested one, so that the two original parties still appear to be communicating with each other.

On your home network your router acts as a proxy server, standing between the network and the Internet by means of NAT. In the middle man attack the attacker acts as that proxy, and is able to read, insert and modify the data in the intercepted communication.

How does the attacker act as a proxy server? I'm glad you asked. First of all, you will need to be on the network in which you are trying to intercept the packets. A good place to try this out would be your local coffee shop where internet access is free. Listening in on someone's AIM or Yahoo chat is nothing new, and as far as I can tell they haven't put anything in place to stop it, since the nature of the HTTP protocol and its ASCII-based data transfer hasn't changed and probably never will.

If you are a Windows user, these are the tools you will need: Nmap, Cain and Abel, and Ethereal. Nmap is a security scanner and you will use this tool for scanning the network. The scan will give you the MAC, IP, and computer name for all the users on the wireless network. This is the chance you take when you go to Starbucks to have your coffee and decide to get online.

Most routers' IP is 192.168.1.1. In Nmap you will type 192.168.1.1-199, because you want to scan all open TCP sessions. After everybody's info pops up, you will take that person's IP address and do a port scan using Nmap to get an idea of what apps they are using. Most web servers use port 80 and email servers use port 25. Yahoo uses TCP port 5101; that can change, but it's always in the 5100-99 range.

Next you will use Cain and Abel to sniff the network one more time to find that person again. The reason we used Nmap first was so we could port scan them and see if the attack is worth it; Cain and Abel will not let you do port scans.

After Cain finds them you will start your ARP attack. This is what tells the firewall/router that you are Jack's computer, while Jack's computer thinks you are the firewall. Their OS builds a table using ARP and locates all hosts that are connected to the router. ARP uses a 3-layer address scheme and is kind of hard to understand, but we can save ARP for another blog. All you're doing with Cain and Abel is switching that info around.

Last but not least, you will use Ethereal to scan the network and pick up all the incoming traffic from that user. A lot easier done than typed... lol. Note: if you try to use Ethereal without using Cain and Abel first, Ethereal will not be able to pick up anything. Cain and Abel is what puts you between the firewall/router and the host.
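As an added defender-side example (not code from the original post), here is a small Python detector for the ARP table rewriting described above. It flags the three symptoms of a host inserting itself between the router and a victim: the known gateway IP answered by a different MAC, an IP whose MAC changes mid-session, and one MAC claiming several IPs. The gateway address, MACs and ARP replies are constructed sample values.

```python
from collections import defaultdict

# Constructed sample of ARP replies as (sender IP, sender MAC), in arrival order.
# Assumed (hypothetical) gateway: 192.168.1.1 with MAC aa:aa:aa:aa:aa:01.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:aa:aa:aa:aa:01"),   # gateway announces itself
    ("192.168.1.20", "aa:aa:aa:aa:aa:20"),  # Jack's computer
    ("192.168.1.30", "aa:aa:aa:aa:aa:30"),  # a third host on the LAN
    ("192.168.1.1", "aa:aa:aa:aa:aa:30"),   # gateway IP now claimed by .30's MAC
    ("192.168.1.20", "aa:aa:aa:aa:aa:30"),  # Jack's IP also claimed by .30's MAC
]


def detect_arp_spoofing(replies, gateway_ip=None, gateway_mac=None):
    """Return (kind, message) alerts for ARP mappings that look poisoned.

    kinds: "gateway"  - the pinned gateway IP answered by an unexpected MAC
           "changed"  - an IP already seen now answers from a different MAC
           "multi-ip" - a single MAC claims more than one IP address
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        # Static pin: the gateway IP must only ever map to the known gateway MAC.
        if gateway_ip and gateway_mac and ip == gateway_ip and mac != gateway_mac.lower():
            alerts.append(("gateway", f"{ip} claimed by {mac}, expected {gateway_mac}"))
        # Mapping flip: a previously learned IP is suddenly answered by another MAC.
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(("changed", f"{ip} moved from {prev} to {mac}"))
        ip_to_mac[ip] = mac
        # Fan-out: a host in the middle has to claim both the gateway and the victim.
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(("multi-ip", f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for kind, msg in detect_arp_spoofing(SAMPLE_ARP_REPLIES, "192.168.1.1", "aa:aa:aa:aa:aa:01"):
        print(f"[{kind}] {msg}")
```

On a live network the same function can be fed the sender IP/MAC pairs parsed from captured ARP frames; tools such as arpwatch do this monitoring continuously, and static ARP entries for the gateway remove the "changed" case entirely.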

    • Abominable Albatross
    • February 22nd, 2010

    Good description of the middle-man attack. BackTrack 4 comes preinstalled with some of the utilities mentioned in the YouTube clip. This includes Nmap and ettercap. I believe ettercap is superior to Cain because you can configure it to sniff out passwords sent through https.

      • dynamicrekeying
      • February 22nd, 2010

      Ettercap is the better choice.

        • Abominable Albatross
        • February 22nd, 2010

        Agreed. With ettercap you can also perform a DHCP MITM attack where the attacker boots the victim off the network. When the victim signs back on to the network, the attacker acts as the default gateway and assigns the victim's computer an IP address. This ensures all network activity goes through the attacker's computer. Hmmmm, I wonder what you could do with that kind of capability.
