What is The Man In The Middle Attack

Berkay Şen
7 min read · Nov 25, 2021

MITM (Man in the Middle), or the “Man in the Middle Attack”, is a type of attack frequently used in the cyber world. It gives the attacker many options, such as listening to, modifying, stopping or redirecting the internet traffic of the chosen victim or its communication with other devices. In the attack, the traffic between two devices communicating on the local network can be manipulated, and the traffic flow can be read or blocked. The attack works by intercepting and analyzing the packets exchanged between the two devices.

The attacker redirects the network traffic to himself, so that the requests and responses of the devices pass through the attacker. In this way the attacker gains many possibilities, such as reading the packets passing through. By analyzing the packets flowing over the attacker’s machine, or by using some ready-made tools, the attacker can collect our important passwords, the cookies kept in the browser, and a great deal of other information about us.

The main purpose of the attack is to deceive the devices. This is done with the ARP protocol. Before going into the details of the attack, let’s talk about what the ARP protocol is and what it does.

WHAT IS THE ARP PROTOCOL AND WHAT DOES IT DO?

The ARP protocol is the Address Resolution Protocol. Devices recognize each other on the network by their MAC addresses, but in order to communicate on a network each device must also have a local IP address. These IP addresses are assigned to the devices either manually or by DHCP.

A MAC address corresponds to each IP address. If a device wants to send a packet to another device, it first looks at its ARP table. On Windows operating systems, the “arp -a” command is entered in the command prompt, CMD, to view the ARP table. Example of the ARP table:

Arp Table

As you can see, there is a physical address opposite each IP address. The protocol that provides this mapping is the ARP protocol.

Attack Strategy

In a network, a device replies to an incoming ARP request to identify itself to other devices. It sends the packet as “This is my MAC address and this is my IP address”. The manipulation also starts here: if the ARP table of a device is poisoned with continuous replies before that device even sends a request, the attacker has intervened.

To explain it more clearly, let’s imagine a small network.

Network traffic between an ordinary device and a modem

As can be seen in the image, the modem and the target device communicate with each other by exchanging requests and responses. Now let’s assume that an attacker joins our network.

The attacker is included in the network and constantly introduces himself to the modem with a different IP address

The attacker sends unsolicited ARP replies to the modem, without the modem ever having asked who it is, and crafts these packets: it puts the target’s IP address as the sender IP address and its own MAC address as the sender MAC address. In this way, the MAC address of the target device 192.168.1.6 in the modem’s ARP table is replaced with the MAC address of the attacker, and when the modem wants to send a packet to this IP, the packet goes to the attacker’s device, not to the real target. However, this is not enough. The attacker simultaneously attacks the target device as well.

Attacker simultaneously attacks both devices

Since the attacker goes to the target device and claims that its IP address is 192.168.1.1, that is, the IP address of the modem, with its own MAC address as the MAC address, the target device also thinks that the attacker is the modem.

To summarize: the modem thinks the attacker is the target device and sends the traffic for that IP to the attacker, while the target device thinks the attacker is the modem and sends its requests (GET/POST) to the attacker. In this way, the attacker sits between the internet flow of the two devices and passes the incoming and outgoing packets over himself.
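The poisoned state just described, one MAC address answering for both the gateway and the target, is visible in the very ARP table the article inspected with arp -a. The following is an added example, not code from the original article: it parses a constructed arp -a listing and flags a MAC shared by several IPs as well as a gateway entry that differs from a recorded baseline; the attacker’s real address 192.168.1.9 and the baseline gateway MAC aa-bb-cc-dd-ee-01 are assumed values.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Windows "arp -a", seen from the victim
# 192.168.1.6 after poisoning: the gateway 192.168.1.1 now carries the same MAC
# as the attacker's real address (192.168.1.9 here, an assumed value).
SAMPLE_ARP_TABLE = """\
Interface: 192.168.1.6 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-09     dynamic
  192.168.1.4           aa-bb-cc-dd-ee-04     dynamic
  192.168.1.9           aa-bb-cc-dd-ee-09     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ENTRY_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                      r"([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+\w+", re.I)

def parse_arp_table(text):
    """Return {ip: mac} for unicast entries, skipping broadcast and multicast."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower().replace(":", "-")
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        entries[ip] = mac
    return entries

def find_shared_macs(entries):
    """One MAC answering for several IPs is the footprint of ARP spoofing."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_changed(entries, gateway_ip, known_mac):
    """True if the gateway entry no longer matches the recorded baseline MAC."""
    current = entries.get(gateway_ip)
    return current is not None and current != known_mac.lower().replace(":", "-")

if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_TABLE)
    for mac, ips in find_shared_macs(table).items():
        print(f"ALERT: {mac} answers for {', '.join(ips)}")
    if gateway_changed(table, "192.168.1.1", "aa-bb-cc-dd-ee-01"):
        print("ALERT: gateway MAC differs from the recorded baseline")
```

Run periodically against the real arp -a output, the same two checks catch the full-duplex poisoning described above from either end of the connection.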

How to Do a MITM Attack

There is more than one tool for this attack, and you can also write your own tool in a programming language. I will explain the MITM attack with the “bettercap” tool.

bettercap -iface eth0

We open the tool by running the bettercap -iface eth0 command in our terminal. The -iface parameter specifies the network interface we are using: eth0 is for the wired connection, wlan0 for the wireless connection.

Network scanning / finding devices on the network with Bettercap

Bettercap has an easy command for seeing the devices on our network. When we type net.probe on, our network starts being scanned and the IP and MAC address information of the devices on our network starts being written to the screen.

The command we use to scan for devices on our network is net.probe on.

The command we use to turn on network scanning

net.probe on

The command we use to turn off network scanning

net.probe off

As you can see, one device was found on our network. If there is more than one device, you can use the net.show command to see the devices in a neater table.

net.show

We use the following command to specify the IP address of the device we will attack, in the form set arp.spoof.targets <IP>; for example:

set arp.spoof.targets 192.168.43.250

We determine the device to attack

If the attack is to sit between the gateway and the target, we need to run the following command. It automatically performs the same attack on both the gateway and the target we specified.

set arp.spoof.fullduplex true


To start the attack and listen to incoming and outgoing packets over bettercap, we must run the following commands.

arp.spoof on is the command that starts the attack; we must use arp.spoof off to stop it.

arp.spoof on

net.sniff on makes bettercap parse the incoming and outgoing packets and dump them to the terminal.

net.sniff on

Since we ran the net.sniff on command, the incoming and outgoing requests started to be written to our terminal.

We can also examine these packets in Wireshark, which is a more comprehensive tool for network analysis. After opening Wireshark, we select our interface, type http in the filter bar and press Enter. This lets us see only HTTP requests. Otherwise, since we are also sending a constant stream of ARP packets to the other devices, we would have to search through a heap of packets, which makes things very difficult.

If we double-click on an incoming packet, we get more detailed information.

In a GET request packet we open, we can see our request under the Hypertext Transfer Protocol tab. If the user had filled in a form, we would be able to see the form data as well. Let’s try it right away.

During the attack on my own site, I log in to the login screen from the victim device.

At the same time, I am inspecting the packets in Wireshark.

We see a packet with the HTTP POST method in Wireshark; let’s open its content.

As you can see here, the username and password are in the hands of the attacker…
