-1

For educational purposes, I want to conduct a demo for a Man In The Middle attack. The attack scenario is:

1) The client requests aaa.com
2) The MITM changes the client request to bbb.com
3) The client gets the response for bbb.com

Notes:

1) bbb.com is not owned by the attacker. It is just another website.

2) I know that a normal user can identify and detect that the new website is bbb.com if the user sees a different URL or a different interface. But this is off topic. I still need to do this scenario.

How to conduct this attack? What are the tools? Please, I do not need general statements like (MITM redirect traffic, DNS spoofing, etc.). I need a guide on how to implement it, including the required tools or SW.

user9371654
  • 469
  • 1
  • 6
  • 15
  • 3
    I don't see any relevant difference from this question to your previous one, i.e. duplicate of [How to implement an active Man-In-The-Middle attack that changes the request URL address](https://security.stackexchange.com/questions/207795/how-to-implement-an-active-man-in-the-middle-attack-that-changes-the-request-url). Please don't expect any MITM for dummies guide here. There are several guides on the internet on how to MITM, and all you need is to add some HTTP redirect as explained in the answer to your previous question. – Steffen Ullrich Apr 24 '19 at 09:06
  • We are not a tutorials site. – schroeder Aug 17 '22 at 15:16

2 Answers

0

The hard way of doing this is by implementing a proxy. You may create just a socket to which the client will connect, and then create a socket to the destination server. You analyze the HTTP header traffic, and if it requests aaa.html you change the request to bbb.html or to a different domain.

The more sophisticated way of doing that would be, for example, using libpcap. You just listen on the interfaces and pass the packets on or redirect them. The same thing you may accomplish with the firewall. All depends on the scenario you have.

But in general you want to have something like:

      --------        ----------------------------------          --------
-----| client |----> | your interface/process/something |------->| server |
      --------        ----------------------------------          --------

Please remember that you may get encrypted traffic. In that scenario, you somehow need to generate a trusted cert. In most cases, you have to somehow install your own CA on the client.

If you control the DNS server, you may also just return different records to different clients.

Does this answer your question?

oshogbo
  • 16
  • 1
0

If you have Windows, you can use "Cain & Abel". You can DNS spoof with this tool, and there is no need for any URL redirection in your scenario.

If you use GNU/Linux, you can use tools like ettercap. ettercap is one of the best tools you can find out there.

After installation, edit the dns_spoof plugin for your scenario by editing /etc/ettercap/etter.dns.

If you have a single network interface, use unified sniffing (Ctrl+U); if you have two interfaces connected to the same LAN, press Ctrl+B for bridged sniffing and get better performance. After that, select your interface (e.g. eth0).

Now you must select your targets. Press Ctrl+Shift+T or select them from the host list. If using the host list, you must first scan your network by pressing Ctrl+S. After that, you will see all alive devices in the host list by pressing Ctrl+H. Now add your targets by selecting them as target1 or target2. If you don't select any target, ettercap will ARP spoof any device to any device.

Select the dns_spoof plugin by pressing Ctrl+P.

Now use Ctrl+Shift+W to start sniffing.

You must select the MITM attack type. Find the Mitm button in the toolbar. You can use ARP spoofing in most cases; select the "sniff remote connections" check box. Spoofing and sniffing will start after that.

schroeder
  • 123,438
  • 55
  • 284
  • 319
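From the defender's side of the scenario in the answers above, the ARP-spoofing step that ettercap performs is visible on the wire: one IP (typically the gateway) suddenly answers with a different MAC, and a single MAC starts claiming several IPs. The following is an added example, not code from the question or from either answer, and not part of ettercap or Cain & Abel. It parses tcpdump-style ARP reply lines (the sample lines are constructed, not a real capture) and raises an alert on either pattern, which is the kind of check a network monitor or an `arpwatch`-like tool runs to detect this attack in a lab.

```python
"""Detect signs of ARP cache poisoning in a stream of ARP replies.

Added example for this Q&A page; assumes tcpdump-style output such as
"12:00:01.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28".
All input below is constructed sample data, not a capture from a real network.
"""
import re
from collections import defaultdict

# Constructed sample: a normal gateway/client exchange, then a second MAC
# starts claiming the gateway IP and two client IPs (what an ARP spoof looks like).
SAMPLE_TCPDUMP_LINES = [
    "12:00:00.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28",
    "12:00:00.500000 ARP, Reply 192.168.1.10 is-at aa:bb:cc:00:00:10, length 28",
    "12:00:01.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28",
    "12:00:02.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28",
    "12:00:02.100000 ARP, Reply 192.168.1.10 is-at de:ad:be:ef:00:99, length 28",
    "12:00:02.200000 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28",
    "12:00:02.300000 ARP, Request who-has 192.168.1.30 tell 192.168.1.1, length 28",
]

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"
)


def parse_arp_lines(lines):
    """Yield (timestamp, ip, mac) for each ARP reply line; other lines are ignored."""
    for line in lines:
        m = ARP_REPLY_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def find_arp_conflicts(replies, max_ips_per_mac=2):
    """Return alert strings for two poisoning indicators.

    ip_changed:      an IP was previously announced by a different MAC.
    mac_claims_many: one MAC announces more than max_ips_per_mac distinct IPs
                     (reported once per MAC).
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    flagged_macs = set()
    alerts = []
    for ts, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"ip_changed t={ts} ip={ip} {prev} -> {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append(
                f"mac_claims_many t={ts} mac={mac} ips={sorted(mac_to_ips[mac])}"
            )
    return alerts


if __name__ == "__main__":
    for alert in find_arp_conflicts(parse_arp_lines(SAMPLE_TCPDUMP_LINES)):
        print(alert)
```

On the sample data this reports the gateway IP flipping to the new MAC, the client IP flipping to the same MAC, and then that MAC claiming three IPs. In a real network the `ip_changed` check also fires on legitimate events (a replaced router, DHCP handing an address to a new host), so the usual mitigation is to seed the detector with a pinned table of known gateway IP/MAC pairs and only page on changes to those, or to enable Dynamic ARP Inspection on the switch so spoofed replies never reach the clients.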