I have a test environment where I try out some wireless hacking tools and approaches, and lately I have been interested in evil twin attacks. I created a fake AP using airbase-ng and set up the iptables rules manually, at which point a connected client had Internet access. Then I fired up the MITMf framework and ran it with the following command:
./mitmf.py -i at0 --spoof --hsts --arp --dns --gateway 192.168.0.1
Using this approach, I was able to get the credentials of the victim (myself, in my test lab) for FB and GMail. It was redirecting the connection to an insecure subdomain, such as account.google.com instead of the original accounts.google.com.
On the other hand, I tried to use the MANA toolkit in order to create the fake AP automatically. It also comes with tools such as SSLStrip and dns2proxy (which MITMf uses too). But once I ran the script that comes with MANA (start-nat-full.sh), it created a fake AP and the connected client had Internet access, but if the client wanted to visit a website like FB or GMail, the page wouldn't open at all.
I didn't spend time going over the source code fully, but I believe one difference between them is that MITMf also offers DNS and ARP spoofing using the Spoof tool, which I used while running the attack. If I remove them, the attack doesn't succeed, and instead the secure version of FB or GMail opens.
However, I don't know exactly whether this was the primary reason why it succeeded with one tool and not with the other. If someone has had similar experiences, I would like to hear about them. But my question is: does ARP or DNS spoofing play a role in MITM attacks (or in bypassing HSTS)?
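For a reader following up on the HSTS part of the question: the look-alike subdomain behaviour described above (account.google.com served instead of accounts.google.com) only works when the browser holds no HSTS policy that covers the substituted name, so the defender-side check is whether a site's Strict-Transport-Security policy actually reaches that host. The following is an added example, not from the original post and not code from MITMf or MANA; it parses a policy the way a browser does under RFC 6797 and reports which hostnames it covers. All hostnames and header values are constructed (example.com), and the one-year threshold is the minimum max-age the public preload list accepts.

```python
"""Evaluate a Strict-Transport-Security (HSTS) policy and decide whether it
would force HTTPS for a given hostname, as a browser applying RFC 6797 would.

Hostnames and header values used here are constructed examples (example.com),
not taken from any real deployment.
"""

from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age accepted by the preload list


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse the value of a Strict-Transport-Security header.

    Returns None when the header is absent or lacks a numeric max-age; in that
    case a browser records no policy at all for the host.
    """
    if not header:
        return None
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # malformed max-age invalidates the header
            max_age = int(value)
        elif name == "includesubdomains":  # directive names are case-insensitive
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_covers(policy: Optional[HstsPolicy], known_host: str, requested_host: str) -> bool:
    """Would a policy learned from known_host force HTTPS for requested_host?

    An exact match always counts; a child host counts only when includeSubDomains
    was set; a sibling host (account.example.com vs accounts.example.com) is never
    covered by the sibling's policy, only by the parent domain's.
    """
    if policy is None or policy.max_age == 0:  # max-age=0 deletes the entry
        return False
    known = known_host.lower().rstrip(".")
    requested = requested_host.lower().rstrip(".")
    if requested == known:
        return True
    return policy.include_subdomains and requested.endswith("." + known)


def weak_policy_findings(policy: Optional[HstsPolicy]) -> List[str]:
    """Findings a defender would raise when reviewing a site's HSTS header."""
    if policy is None:
        return ["no valid Strict-Transport-Security header"]
    findings: List[str] = []
    if policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is below one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: child hosts are unprotected")
    if not policy.preload:
        findings.append("preload missing: the very first visit is unprotected")
    return findings


if __name__ == "__main__":
    # Constructed scenario: the browser has only ever seen the login host's policy.
    login_policy = parse_hsts("max-age=31536000")
    print(hsts_covers(login_policy, "accounts.example.com", "account.example.com"))  # False
    # A policy set on the parent domain with includeSubDomains also reaches the
    # look-alike sibling host.
    parent_policy = parse_hsts("max-age=31536000; includeSubDomains; preload")
    print(hsts_covers(parent_policy, "example.com", "account.example.com"))  # True
    print(weak_policy_findings(login_policy))
```

The point the check makes is that a policy served only by accounts.example.com does nothing for account.example.com; coverage of a look-alike sibling comes from the parent domain's policy with includeSubDomains, and protection of the first visit comes from preloading.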