How a Man-in-the-Middle ARP Attack Works // MiTM with Ettercap // Ethical Hacking

Captions
Man-in-the-middle. ARP poisoning. Hijacking connections. How does all of that actually work? Now, especially if we're studying ethical hacking or learning about cyber security, these are going to be terms that we absolutely hear. I'm going to show you how to do ARP poisoning with a man-in-the-middle attack, but we're going to capture it with Wireshark so that you can learn how the protocols actually work. Instead of just pushing buttons on a tool, we're going to learn how these protocols actually do what they do. So let's get to it.

All right, so ARP poisoning with a man-in-the-middle attack. To do that, we're going to use a tool called Ettercap. Now, if you've never used Ettercap before, go ahead and go download it. You can install it on your machine, or if you have Kali Linux, it's already right there for you. Now, here I have my two VMs: on the right here I have my Kali Linux box, and on the left you can see I've just got a Windows 10 machine. So what I'm going to do: the Windows 10 machine is going to be my target machine. What I'm going to do is I'm going to intercept traffic coming and going to this machine, and I'm going to be able to do so by staging an ARP poisoning attack, a man in the middle, from the Kali Linux machine. Now, both of these are guest VMs on my local system; however, if these were machines on a real connected, cabled network, we could also do a very similar attack.

Okay, so to start off, to look at how this is going to work, first let's take a look at my Kali Linux machine. I'm going to do something up, arp -a, and what I'd like you guys to do is take a close look at the MAC addresses that we see here. So here my system, it can see three other machines. It can see 3.15 and .1; well, .1 as our default gateway. So what I want you to do is just pay close attention to those last four values that we see here: thirty-five, zero-zero. Okay, just trying to burn that in the back of your mind. Also, with .15 you can see there 27:cd; that's the virtual MAC address for the Windows system over here. Okay, so just to be sure, though, let's go ahead and do an ifconfig. So by doing an ifconfig here, I can see what my local address is on this machine, on the Kali Linux machine: so 2.4.

All right, so now that we have a bit of a lay of the land here on the Kali machine, let's go ahead and go over to the Windows box. So I'm going to go ahead and just open up a command prompt, and what I'm going to do is come here; I'm just going to do ipconfig. Okay, so here I can see that this is the machine that's 2.15, and if I do an arp -a here, I can see the systems that this machine knows about at layer 2. These are the other MAC addresses that it's aware of. So let's go and take a look at that first one, 2.1: there we've got 35:00. Sounds familiar; it was the same one that the Kali Linux machine knew about. And if I come to .4, there I can see 53:72. Okay, so this is a simple network: only a couple machines and a default gateway.

So now, how does a man-in-the-middle ARP poisoning attack really work? Well, let's go ahead and take a look. So here I've got my Windows 10 machine. Okay, so Windows 10, and he is aware of the router, right? He's already ARPed for that router, this is .1, and that router's responded, so he's aware of what his MAC address is. In order for Windows 10 to communicate out into the internet and off this network, it's very important that he know the MAC address of that interface, so we saw that in the ARP table. Now, when he sends a message out and a message comes back in, this gateway needs to be aware of the MAC address for the Windows 10 machine. So that's already happened: they've already ARPed, they're aware of each other's MAC addresses. So now those MAC addresses can be used as the source and destination MAC addresses in the Ethernet frame, and we're going to see that in a little bit in Wireshark.

So here's the issue. If I'm on a switch, if I'm just on a network switch here, so if I want to come in here like a hacker, or hopefully an ethical hacker, and I want to intercept that traffic, this is where I do my man in the middle from. But here's the thing about a network switch. You see, when the Windows 10 box sends a message over to the gateway, the switch is only going to forward it out to this outbound interface. The switch already knows where that gateway is, because it's already heard its MAC address and updated its CAM table. Well, the same is true in the opposite direction: when the gateway responds, when it sends a message or a message comes from another network back to this Windows 10 box, that gateway then sends it over and the switch will only send it out that outbound interface. So if I'm sitting here like an attacker, if I want to be that man in the middle, if I'm sitting here, I don't hear anything. I'm only going to hear broadcast, multicast, and traffic to and from myself. So I can't just plug into the switch and just hope that I can capture the traffic to and from this Windows 10 box.

So in order to do so, really to break the rules of switching, if you will, what I'm going to do is I'm going to tell the Windows 10 box that I am in fact the gateway, and I'm going to do that with ARP. I'm going to go ahead and tell the Windows 10 box that I'm .1, and over here on the other side, I'm also going to send an ARP packet over here to the router, and I'm going to say, hey, I'm actually .15. So now both of these devices think that I'm the other one: the Windows 10 box thinks that I'm the router, the router thinks that I'm the Windows 10 box.

Okay, so let's actually do this man-in-the-middle attack now. Let's actually see how we can use the Ettercap tool to do that ARP poisoning. So on Kali Linux, before we bring up Ettercap, first I also want to make sure that you have a setting in your system, and it's an important one. You see this system control, net.ipv4.ip_forward = 1: this is a command that we have to enter into our system in order for our system to actually forward traffic on. Otherwise, if the Windows 10 box thinks that I'm the gateway, I'm not going to forward that traffic on to the real gateway. This is what allows that forwarding to happen, so this is an important thing we have to do before we kick off Ettercap.

Okay, so now that that's set, I'm going to go ahead and close this. I'm going to come up to my, uh, drop-down menu, and I'm going to type in Ettercap, and I'm going to use the graphical Ettercap for now. And while I'm doing this with Ettercap, something else I'm going to do in the background is do that thing that we all came here to see, and that's the Wireshark stuff. So let's go ahead and open up Wireshark as well. Okay, so what I'm going to do in the background, before I actually start to inject those ARPs, is I'm first going to capture them, because I want to make sure that you understand at the packet level how Ettercap is doing that ARP poison. So I'm going to come up here to ethernet 0; that's going to be the interface that I capture with. I'm just going to double-click it, and now I have Wireshark running in the background. All right, so let's go ahead and just put this off to the side.

All right, so now with Ettercap: I go ahead and bring up Ettercap, and my primary interface, ethernet 0, that's the one I'm going to select. And for right now I'm not going to do bridged sniffing. I only have one interface coming into this VM; I don't have two interfaces, packets coming in one and going out the other. It's all coming in and going out of the same interface, so I don't have to use bridged sniffing here. All right, so let's go ahead and check this.

All right, so the first thing that I have to do with Ettercap is I need to tell it who the two targets are, the Windows 10 box and also the gateway, so that it knows how to build that ARP poison. Now, to make this simple, I'm first just going to come up and hit the search key button, that search thing, and what that does is it actually sends out a bunch of ARP traffic, scanning through the local subnet and then looking at what systems respond. So here I've got four hosts that were added to the host list. Now, here's something to think about: if you're trying to be really stealth, and if you're doing an actual pen test, that's something that you're not going to want to do. You're not going to just throw out the fact that you're ARPing the entire subnet; that could trigger some alarm. So just be very careful if you use that search. Here in my little lab I don't care about that; however, if I was on a pen test, that's something that I would want to think about.

Okay, so let's go ahead and come up now to my hosts. Here I can see what systems I have active. Now, this is where I can configure my man in the middle. First I'm going to take a look at 2.15; remember, that was the Windows box that we have over here, that was 2.15, and I'm going to come and make him target number one. After that, I'm going to come up here to 2.1, and I'm going to come over here to target number two. All right, so now I have my two targets configured.

So now let's go ahead and set up that ARP poison. Before I do that, I'm going to come back out here to my Wireshark capture. I'm just going to reset this, just to make sure that I can see; I don't have to see all of those ARPs. Go and continue without saving, come back to Ettercap. Now let's go ahead and come up here, and this gives us our man-in-the-middle menu. Uh, just for this video, we're just going to look at ARP poisoning, so let's come here, go to ARP poisoning, and this is going to ask a couple questions. So it's going to say, okay, "sniff remote connections", "only poison one way". We can just leave this at the default, sniff remote connections, and hit OK.

So you see here, over here in Wireshark, we're actually able to capture these ARP poison attacks. So what we want to do: let's go and see if it worked. I'm going to come back over here to my Windows box. Now remember, before, I thought that 2.1 was at 35:00; that was the MAC address of my gateway. But let's just take a look now. Let's go to arp -a, and now let's take a look. You see, now 2.1 has changed: now 53:72, or the Ettercap box, Windows thinks that that's the gateway.

All right, so how did that happen? Well, if I come here, here I can see, let's go ahead and take a look at this first packet here. Let's actually take a look at the packets; that's going to be fun. Okay, now I'm just going to come down here; I'm going to select that first ARP that I see. This is the first packet that went out when I actually did the attack. Okay, so Ethernet II: let's go ahead and take a look at these MAC addresses. So the source is coming from the man-in-the-middle box, and I'm sending it to 27:cd, which is the Windows 10 device. All right, so that's the unicast from the man-in-the-middle box to Windows 10.

This is an ARP; let's go ahead and expand this and see what this looks like. Now here's the key. If I take a look at this down here, this is an opcode reply, or a two, so this is what we call an unsolicited ARP reply. I'm giving the Windows 10 box an ARP response that it never asked for. It didn't ARP for the gateway; I'm just telling it, this is the gateway's address. All right, so let's just see how that works. Here's my sender's MAC address: this is 53:72, so that's the man in the middle, and I'm telling him, hey, I'm 2.1, right? So I know that your gateway is 2.1; that's who I am, I'm impersonating him. Now the target, this is Windows 10 device and Windows 10.

Well, right after that, check out what I do in the opposite direction. Now, if I come down to the next packet down, this is where I can see I'm coming from the man in the middle and I'm going to 35:00, so this is to the gateway. But check out what I'm saying to him: this is a reply, so again, this is not an opcode one, that would be an ARP request; instead, this is just a reply. Who's sending it? Man in the middle. This time I'm acting like I'm 2.15, so now I'm the Windows 10 device; I'm acting as if I was him. So the man in the middle, that's how it does the ARP poison: it sends these unsolicited ARP replies in each direction, to the gateway and to the Windows 10 device. What that does is that breaks their ARP table, thinking that I'm actually the gateway, and the opposite in the other direction.

So let's go ahead and see if that worked. So I'm going to come down here. Remember, before we weren't able to capture those ping packets, right? So I'm going to scroll all the way down, and I'm going to take a look at ping dot google.com, and over here now I can actually see those ping replies coming. I'm capturing and forwarding those pings through the man in the middle.

Now let's see what else we can do. If I just open up Microsoft Edge over here, let's open up a browser and let's do a little browsing. You can see over here on the right a bunch of traffic going by; I'm capturing packets. A lot of black lines and red letters; we're going to talk about that stuff on my channel, don't worry. And if I come up here, let's just go ahead and hit our favorite site, wireshark.org. Now here I am, capturing the traffic passively. This is how I'm able to execute a man-in-the-middle poison attack: I'm making Windows 10 think that I'm the gateway, and I'm making the gateway think that I'm the Windows 10 box. So here my page loaded; I was able to capture that traffic. And just for now, what I'm going to do is run back to Ettercap, and I'm going to go ahead and stop my man-in-the-middle attack.

Now, just because we were able to do that right now with ARPs doesn't mean that we're able to decrypt everything that we just saw, everything that went by us, especially those TLS sessions that we saw; those are still encrypted. But for the purposes of this video, what I wanted to do was show you how an ARP poison actually works. Remember that you're sending unsolicited ARP replies in each direction, and that makes each endpoint think that you're the other party.

So if you like this video on a man-in-the-middle attack and how an ARP poison actually works at the packet level, let me know. Go ahead and comment down below, please like, subscribe if you haven't, and we'll make sure to do more content like this in the very near future. Take care, Packet People!
Info
Channel: Chris Greer
Views: 3,346
Keywords: MiTM attack, MiTM kali linux, ettercap arp poisoning, arp poisoning attack, Wireshark arp analysis, Wireshark tutorial, wireshark tutorial kali linux, man in the middle attack, man in the middle attack kali linux, 2022 wireshark tutorial, wireshark capture, ethical hacking, ettercap, wireshark
Id: cVTUeEoJgEg
Length: 13min 29sec (809 seconds)
Published: Thu Dec 09 2021