Ethical Hacking v2 NETLAB+ 12 - ARP Spoofing and MITM Attacks w/ Ettercap

Captions
Hello and welcome. This is Barrett at the C4 Cyber Club here at Cypress College, and in this lab today we're going to cover the ethical hacking lab series for ARP spoofing and man-in-the-middle attacks. This is a really nice lab because a lot of times when you learn about these types of attacks it's really hard to put them into context until you actually see them happening. So in this lab we're going to do ARP spoofing with the Ettercap tool, and we'll see how we can capture usernames and passwords using that once we have poisoned the ARP cache, and then we're also going to look at manipulating HTTP and JavaScript once we have that man-in-the-middle status.

Essentially, what happens and why we need to spoof or poison these ARP caches: on a local area network, if you've taken Cisco networking for example, you're probably familiar with ARP. It stands for Address Resolution Protocol, and essentially local networks have ARP tables that map a host's IP address to its MAC address. This is how a network identifies all the different systems. Now what we're going to be doing with Ettercap is sending malicious ARP requests that will basically say, you know, this IP and this IP both have the MAC address of X, where X is the actual MAC address of the attacker machine, the Kali machine. So what's going to happen, if there are no defenses in place, is that the gateway will just automatically assume, oh, you're sending to 192.168.0.30, well, I've been told that that is this MAC address, so it's going to go here. That's essentially what is happening there, but like I said, it's better understood as we do it, so hopefully that will start to make sense as we move along in the lab.

I've already logged in to both the Kali and the openSUSE machine; we'll be using both of those in this lab, so I recommend that you just go ahead and get those logged in. Log in for Kali as root, password is toor, and for openSUSE (excuse me, openSUSE, not open source) it's osboxes.org for the password. All right, so we have to do a quick configuration change on the network adapter on the Kali machine before we begin. You'll click in the top right corner here; we're going to disconnect the eth0 network and then connect eth1. This is going to be necessary for us to do this kind of ARP spoofing and man-in-the-middle activity. Then you can double-check: okay, we have a wired connection to eth1, and we can confirm that that's been changed also on the command line.

So if you have your terminal open, it's important to note there are two ways that you can get your IP address and MAC address information on Linux. The old way is ifconfig, and you'll still see people using this; it's getting sunset or deprecated, so in fact I think newer versions of Kali may not have it installed by default anymore, but ifconfig is one. When we type that in, we notice it pulls up all of our network adapters, and it shows our local loopback. We also see Docker information for our Docker containers. Now, we were originally using eth0, but remember we disconnected that, so now we're using eth1, and we see, okay, this is our IP address, 192.168.0.2, and it also shows our MAC address under "ether". This is essentially what we will be telling the other IP addresses to send back to. We're going to do some ARP cache poisoning; we're going to say, hey, this IP and this IP both have this MAC address. That's why we're going to take over as a man in the middle, because all of that data and information is going to come back to us.

Now I mentioned there are two ways to get IP and MAC address information. We used ifconfig, and the other one is the command ip, and then you could type out fully "address"; you'll notice in the lab it abbreviates to addr. Now the output is slightly different but very similar information, so we have our different network adapters, we have our eth1, we have our IP address, and you'll also notice it includes the CIDR notation that's telling you what the subnet mask is, and we have our MAC address up here. So slightly different, but ip is the more current version of this tool, so that's what you'll definitely see in all future distro updates, whether it's Kali, whether it's Ubuntu, Debian, and all the other various distributions. And you could even type ip a as well if you really want to get very streamlined and type as little as possible.

Okay, so moving on. We understand our network adapter, we've changed to eth1, now let's go ahead and launch Ettercap, and to do that we'll type ettercap -G. That opens up pretty quickly. You notice in the lab it recommends that we full-screen this; it will make sense in a moment. Essentially we just need to set our interface to eth1 and then press the check box up here, and we notice a little terminal opens down here: "started unified sniffing". So now we are actively going to attempt to sniff the network. You can raise this up for a little bit more viewing space. Next up we want to click "scan for hosts", the little magnifying glass in the top left, so it's scanning our subnet. Remember we're on a /24, so our subnet mask is 255.255.255.0, which leaves us with 255 hosts. So it scanned all of those; we found two hosts, and those were added to the host list. The host list is right up here next to the magnifying glass, so click on that. This is a good example of what an ARP table looks like: it is just IP addresses matched to the MAC address. You notice that both of these MAC addresses are different, and these coincide with this machine here and also this pfSense firewall, or you can kind of think of this as the default gateway or router, essentially. Next step, we need to add both of these to target 1 and target 2.

So we want to make sure this first IP, the .30, is highlighted. Simple as this: add to target 1, host has been added. Click on the next one, add to target 2, host has been added. So now we're able to sniff traffic, but we haven't technically poisoned ARP yet; we haven't sent out those malformed ARP packets. But we want to go ahead and click the man-in-the-middle menu and then choose ARP poisoning here. You could leave this on the default settings; we're going to press OK, and you can see it happening down here: ARP poisoning victims. It's as simple as that. Like I said, I know I keep saying it, it's as simple as that; this tool makes it very easy to send these requests.

Moving on to the next part. Now that we are acting as a man in the middle, let's see this in action. We're going to go to the openSUSE machine and launch Firefox. Essentially all we're doing here, let's pretend we're remotely wanting to administer our pfSense firewall, so we are connecting to that through the network to its IP, and we're going to log in. Now keep in mind we're using HTTP on port 80 right now (oh, it auto-fills the password), and remember port 80 HTTP is clear text, it's unencrypted, so that's going to be a problem because we have somebody sitting here sniffing the traffic as a man in the middle. So we see that request happen, okay, user signed in. Now if we scroll over we see the username field, admin, and the password is pfsense. This is a good example of why you want to use HTTPS, which runs on port 443, because it is encrypted. We could have still sniffed that traffic, but we wouldn't have been able to read it; we wouldn't have been able to look at it here and say, oh yeah, here's the username, here's the password, because it would have been encrypted. So that's a layer of protection that's going to give you confidentiality, right? If you're thinking about the CIA triad, it's going to add confidentiality.

All right, so let's move on to actually manipulating HTTP images. Remember we're still man in the middle, we're capturing everything as requests are made. Let's go back to the openSUSE machine, and we will visit a website that resides on the OWASP BWA machine. So we're connecting to this down here, we're just viewing the web page, and it looks normal. Okay, but what we can do is launch a web server on our Kali machine to essentially manipulate that on the fly as requests are being made to various websites, so we could alter that information. Let's take a look at where these filters are; they're called filters, and we can load them into Ettercap. If we go to our file manager, they are located in this root folder here; we have a filters folder, and the first one we're going to take a look at is the logo filter. Essentially this is just code that is going to look for: okay, if the protocol is TCP and the destination is port 80, so it's on HTTP, it's going to get rid of the Accept-Encoding message, and then what it's going to do is replace (this is kind of like HTML for image source) whatever image the website originally had programmed in with an image that's located on the Kali server, logo.jpg. So this is a way to completely, well, this isn't manipulating technically on the server side, it's more on the client side, whoever's making the requests, and because we're in the middle we're able to edit it on the fly. And then this message here, "images have been replaced", is referring to output displayed in the Ettercap terminal.

Okay, so now that we've looked at that, the first thing we need to do is start our web server on our Kali machine, or else we would have nowhere to direct this filter to. Remember, it's replacing what was originally there on (whoops, sorry, not that one) this website, so it's going to replace these images, and it needs a web server to be launched so this is accessible. That's why we need to launch a web server on the Kali machine, and for Linux one of the most popular web servers is Apache. So I'm going to launch a terminal, and the command for this is just service apache2 start, and if you want to double-check and verify that it is indeed running you can say service apache2 status, and we can see it is active and running. You can press q to exit out of there. All right, so we looked at the filter, and we can close this terminal here now that that's running. We looked at the filter, but now we need to load it into Ettercap, so we'll click on the three dots up here, go to Filters, Load a filter, and remember this was in root, filters, and we're working with logo on this one, so it's going to be logo.ef. We'll double-click on, or, I'm sorry, not double-click, it doesn't allow a double-click, you actually have to press OK up here. Okay, content filters loaded. If we come back to the openSUSE machine, reopen Firefox if you had that closed, and we just visit the OWASP BWA IP address again, now we notice that all of these images have changed. This right here, this URL, this logo.jpg, resides on the Kali web server. We are intercepting the requests that the openSUSE machine is making; the openSUSE machine is requesting the website from here, but we are intercepting that information and manipulating it to display this image. Obviously you can think this could get much worse, right? This is a pretty harmless way to manipulate, but obviously we could add all kinds of malicious code in here that gets executed immediately, and that kind of takes us to the next portion, where we're going to manipulate JavaScript. We're going to take it a little bit further. So back on the Kali machine, let's go ahead and take a look at the filter related to that. I'm going to go back to the file manager, we're going to go to filters, and we will look at the hacked alert filter. Very similar to before: we're looking for TCP protocol, destination is port 80, we're going to trash this Accept-Encoding message, and then down here we're going to be looking for the end of the HTML header. In HTML there's usually a header section at the top; it's denoted between <head> and then </head>, denoting that it's the end of that. So it's going to look for the end of the header, and then it's going to inject this JavaScript. This is very, very simple, there's nothing malicious about this, but it's often used by testers to see if a website is vulnerable to JavaScript or SQL injection, things like that. All we're doing is causing an alert to pop up, and that alert is going to say "you got hacked". Because it's right after the header, it's going to be the first thing that happens, so likely you're just going to see a pop-up, you're probably going to have to press OK, and then you'll see the rest of the website load as normal. And then the message here, you notice, will display this output to the Ettercap terminal.

Okay, so we looked at the filter, let me close that. Now remember we need to load the filter into Ettercap, so we'll go Filters, Load a filter, we need to go to home, filters, and we need to use hackedalert.ef. Okay, content filters loaded. Then we'll come back to the openSUSE machine. I'm just going to go ahead and open up a new tab, and let's revisit the OWASP BWA machine, and you notice here is our JavaScript alert, "you got hacked". I press OK and then the rest of the site loads.

One thing I wanted to mention: if you have trouble where you're loading the filter while you're doing this lab, and you notice if you hit refresh or retype the URL and it doesn't update as you expect from the lab, just close your browser and open it back up. I've noticed some weird things with the cache that prevent some of these things from happening as they should, so a quick stop and start of your browser should fix that. But yeah, so that is the end of the lab as well. Once again, we talked about ARP cache poisoning: we essentially poisoned an ARP table into thinking that the IP addresses of things like the openSUSE machine and the gateway here corresponded with the MAC address of our Kali machine. Once that happened we were the man in the middle, and any of the network traffic that happened through here we were able to see. We sniffed a password when we tried to log into the pfSense firewall, and then also we were able to manipulate information on the fly: we manipulated HTTP images, we launched that web server over here to act as a repository for swapping out a logo, for example, and then finally in the last section we injected JavaScript into a legitimate web request from the openSUSE machine over to the OWASP machine, and we injected that alert pop-up. So that covers this lab, ARP spoofing and man-in-the-middle attacks. Thank you for watching, and I will see you in the next one.
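The lab's poisoning step leaves a visible footprint on every host in the /24: the gateway and the victim both resolve to the Kali machine's MAC, and the gateway's entry no longer matches what it was before. The following Python script is an added example (not part of the lab or of Ettercap) showing how a defender can spot that footprint by parsing `ip neigh show` output. The sample neighbour table and the baseline MAC for the gateway are constructed for this example; the detection idea generalises to any host-side ARP cache. On managed switches the equivalent control is Dynamic ARP Inspection, which drops ARP replies that contradict the DHCP snooping binding table.

```python
"""ARP cache monitor: flags the symptoms of ARP spoofing on a local network.

Added example, not from the lab or from Ettercap. It reads `ip neigh show`
style text and reports (a) one MAC claimed by several IPs, which is what an
Ettercap-style poisoning of gateway + victim produces, and (b) baseline hosts
(e.g. the default gateway) whose MAC has changed since a clean snapshot.
"""
import re
from collections import defaultdict

# Constructed sample of `ip neigh show` output, modelled on the lab's /24.
# 192.168.0.2 is the Kali machine in the lab; the MAC values are made up.
# The FAILED entry carries no lladdr and must be skipped by the parser.
SAMPLE_IP_NEIGH = """\
192.168.0.1 dev eth0 lladdr 02:00:00:00:aa:02 REACHABLE
192.168.0.30 dev eth0 lladdr 02:00:00:00:aa:02 REACHABLE
192.168.0.2 dev eth0 lladdr 02:00:00:00:aa:02 STALE
192.168.0.50 dev eth0 lladdr 02:00:00:00:bb:50 DELAY
192.168.0.77 dev eth0 FAILED
"""

# Hypothetical baseline recorded on a clean network (assumption for this example).
# In practice, snapshot the gateway's MAC once and keep it outside the monitored host.
BASELINE = {"192.168.0.1": "02:00:00:00:01:01"}

# One `ip neigh` line: <ip> dev <iface> lladdr <mac> <state>
LINE_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9a-f:]{17})\s+(?P<state>\S+)",
    re.IGNORECASE,
)


def parse_ip_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address.

    Entries in FAILED/INCOMPLETE state have no lladdr and are ignored.
    """
    table = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            table[match["ip"]] = match["mac"].lower()
    return table


def find_shared_macs(table):
    """Return {mac: [ips]} for every MAC that more than one IP resolves to.

    Caveat: IP aliases, VRRP/HSRP virtual routers and some VM bridges share a
    MAC legitimately, so treat hits as leads to confirm, not as proof.
    """
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def find_baseline_changes(table, baseline):
    """Return {ip: (expected_mac, seen_mac)} for baseline hosts whose MAC moved."""
    changes = {}
    for ip, expected in baseline.items():
        seen = table.get(ip)
        if seen is not None and seen != expected.lower():
            changes[ip] = (expected.lower(), seen)
    return changes


def analyse(text, baseline):
    """Run both checks over one neighbour-table dump."""
    table = parse_ip_neigh(text)
    return {
        "shared": find_shared_macs(table),
        "changed": find_baseline_changes(table, baseline),
    }


if __name__ == "__main__":
    # On a live host replace SAMPLE_IP_NEIGH with the output of `ip neigh show`.
    report = analyse(SAMPLE_IP_NEIGH, BASELINE)
    for mac, ips in report["shared"].items():
        print(f"ALERT: {mac} is claimed by {len(ips)} IPs: {', '.join(ips)}")
    for ip, (expected, seen) in report["changed"].items():
        print(f"ALERT: {ip} moved from {expected} to {seen} (possible gateway spoof)")
    if not report["shared"] and not report["changed"]:
        print("ARP cache looks consistent")
```

Run it periodically (or from a cron job that pipes `ip neigh show` into it) on a host whose traffic matters; the `shared` check catches the lab's exact pattern, where the victim and the gateway both point at the attacker, while the `changed` check also catches the one-sided variant in which only the gateway entry is rewritten. Neither check replaces the transport-layer fix the lab itself points to: credentials sent over HTTPS stay unreadable to a man in the middle even when the ARP cache has been poisoned.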
Info
Channel: Cypress College Cyber Club C4
Views: 468
Rating: 4.5294118 out of 5
Keywords: ethical hacking, kali linux, ettercap, mitm attack, arp spoofing, ethical hacking lab, hacking lab, kali lab, cypress college, c4cyberclub, CEH, pentest+
Id: CyIJs4rldIQ
Length: 22min 50sec (1370 seconds)
Published: Tue Mar 02 2021