This article is for educational purposes only.
- Virtualization Software (VirtualBox, VMWare, or alternative)
- Mac OS X El Capitan
- Windows Virtual Machine or Physical Machine
- Kali Linux Virtual Machine or Physical Machine
In order to successfully perform a Man-in-the-Middle attack (MITM from here on out), we need to stand up a server. For simplicity, we’re going to use the built-in Mac FTP server, then we will try to access that FTP server from our Windows virtual machine while we listen to this activity on a Kali Linux machine. To start the FTP server on your Mac, first open up your Terminal.
Once your terminal is open, type the following command:
$ sudo -s launchctl load -w /System/Library/LaunchDaemons/ftp.plist
This will launch your FTP server, and it will be available to anyone who tries to access it (as long as they know the username and password for login purposes). What we will attempt to do is gain knowledge of the username and password so we can compromise files on the Macintosh by listening to what the Windows user types to log in.
In order to make sure our FTP server is up and running, let’s type another simple command to ping our localhost to make sure we’re able to get activity. In your terminal, type:
If you are receiving activity from your localhost, that means your server is indeed up and running. Press Ctrl+C in order to stop the ping command. If you are not getting activity, check the first command to make sure you didn’t make any typos.
To connect to the FTP server from your Windows machine, you’ll need to know the IP address of your Mac. To find it, open Terminal and run the following command:
Now, this may seem like information overload to you, and that’s okay. The only part of this that we’re particularly interested in for this project is the inet portion of your en1 interface. It should have the structure of 111.111.1.111 (with different numbers than just ones, of course).
In order to be sure that this is where our FTP server is located, on our Windows machine we will open up a web browser, and in the navigation bar type ftp://111.111.1.111 (replacing this address with your actual IP address). If all goes correctly, we should be asked for authentication, or login information. We will not worry about logging in right now; we only navigated to this page to be sure we knew the location of our FTP server.
In order to know which machine’s packet data we want to listen to, let’s get the IP address of our Windows computer. Note that this can be done using Ettercap in Kali Linux, but to be safe, it is best to get the IP from your computer or virtual machine beforehand, so that you aren’t accidentally attacking someone else’s computer.
Press “Start”, and type “CMD” on your Windows machine. Your command prompt will appear. Now, type:
This will show your IP address for your Windows machine. For this documentation’s purposes, I will be dealing specifically with the “Wireless LAN adapter Wi-Fi” interface, and the number you want to look for is located in the “IPv4 Address” section. It should also be structured as something like 333.333.3.333 (replacing threes with actual numbers, of course).
To successfully perform a MITM, you first need to make sure your machine can forward IP traffic from one host to another. For example, if you arpspoof your Windows machine to route its packet data to you, when you attempt to log on to your FTP server, you won’t get a response, because the Macintosh computer will never receive the request. So, we need to set up IP forwarding.
To do this, boot up your Kali Linux machine (virtual or physical; in this documentation I am using a physical machine, but virtualized Kali machines work exactly the same). Open up your terminal and type:
# echo 1 > /proc/sys/net/ipv4/ip_forward
We write “1” in this case because it is, essentially, a binary value for “True”. The setting lasts until the next reboot. Your Kali Linux machine is now ready to forward IP packets, arpspoof, dsniff, and perform a MITM attack properly!
Now that the setup is complete, the fun begins. We can now perform a MITM attack. First, we need to redirect all of the traffic going from our Windows machine to our Macintosh’s FTP server. Similarly, we need to redirect all of the traffic going from our Macintosh’s FTP server back to our Windows machine. This allows us to see all traffic, inward and outward bound.
To do this, remembering that our Mac FTP server is located at 111.111.1.111, and our Windows system’s IP address is 333.333.3.333, open up two terminals on your Kali Linux machine.
In one terminal, type:
# arpspoof -t 111.111.1.111 333.333.3.333
In the other terminal, type:
# arpspoof -t 333.333.3.333 111.111.1.111
This will redirect all traffic going outward from your Windows machine, and all traffic coming inward from your FTP server.
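Seen from the defender's side, the redirection described above leaves a visible trace in the ARP tables of both lab machines: the FTP server's IP now resolves to the Kali machine's MAC address. The following is an added example, not part of the original article, that parses `arp -a` output (Windows or macOS/Linux style) and flags that condition; the addresses and the sample table are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: `arp -a` on the Windows client while both arpspoof
# commands are running. 192.0.2.10 = FTP server, 192.0.2.66 = Kali machine.
SAMPLE_ARP_TABLE = """\
Interface: 192.0.2.20 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.1             00-11-22-33-44-01     dynamic
  192.0.2.10            00-0c-29-aa-bb-cc     dynamic
  192.0.2.66            00-0c-29-aa-bb-cc     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})\b")

def normalize_mac(mac):
    """Lower-case, colon-separated, zero-padded (macOS prints 0:c:29:...)."""
    return ":".join(part.zfill(2) for part in re.split(r"[:-]", mac.lower()))

def parse_arp_table(text):
    """Return {ip: mac} for the unicast entries found in `arp -a` output."""
    entries = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if not (ip and mac):
            continue  # header lines and "(incomplete)" entries
        mac_norm = normalize_mac(mac.group(1))
        if int(mac_norm[:2], 16) & 1:
            continue  # broadcast/multicast MACs are legitimately shared
        entries[ip.group(1)] = mac_norm
    return entries

def shared_macs(entries):
    """MACs that answer for more than one IP address."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def changed_bindings(baseline, current):
    """IPs whose MAC differs from a known-good table recorded earlier."""
    return {ip: (baseline[ip], mac) for ip, mac in current.items()
            if ip in baseline and baseline[ip] != mac}
```

`shared_macs` only fires when the intercepting machine's own IP is also in the table; `changed_bindings` against a baseline taken before the test catches the case where it is not.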
Now that we are redirecting traffic to and from our targeted machines, we should retrieve some data from them. Let’s pretend for a moment that we are an attacker who wants to get the username and password information of a user on an FTP server. We know for a fact that on this Windows machine, there is a user who logs in to the FTP server which we have the IP for. We’ve arpspoofed the connection, but that alone doesn’t give us their username and password information. We know this user has a very difficult password to figure out. How do we get this information? It’s actually quite simple. In your Kali Linux machine, open up another terminal and simply type
Now this is the part where, if we were actually an attacker, we would just be waiting for the user to log in again. But, since we are playing both the hacker and the user, let’s get back on our Windows machine. For the purposes of this documentation, on the FTP server I am running, I have created a user with the name “Green Plastic Can”, and a password of “xxi9090**5%%”. This is a pretty tricky password to guess, so it seems like a secure choice.
On your Windows machine, go to ftp://111.111.1.111 (replacing with your actual FTP server IP), and type the username and password that is set on the FTP server. Once you’re logged in, take a look at your Kali Linux machine and take note of the new information your Kali machine has given you.
As you can likely see, dsniff has given you the username and password of this particular user on your FTP server in plaintext. For me, it is displaying
USER Green Plastic Can
You have successfully completed your first MITM attack.
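The password strength made no difference because plain FTP sends USER and PASS as readable text on the control channel; the protocol-level fix is to upgrade the channel with AUTH TLS (FTPS) before logging in, or to use SFTP. The following added example, not part of the original article, audits control-channel transcripts for logins that were exposed this way, including the case where the server refuses AUTH and the client falls back to cleartext. The transcripts and the `audit_ftp_login` helper are constructed for illustration.

```python
# Constructed FTP control-channel transcripts ("C:" client, "S:" server).
PLAIN_SESSION = [
    "S: 220 FTP server ready",
    "C: USER Green Plastic Can",
    "S: 331 Password required",
    "C: PASS <constructed-secret>",
    "S: 230 User logged in",
]
FTPS_SESSION = [
    "S: 220 FTP server ready",
    "C: AUTH TLS",
    "S: 234 Proceed with negotiation",  # TLS records follow, unreadable on the wire
]
DOWNGRADED_SESSION = [  # server refuses AUTH, client falls back to cleartext
    "S: 220 FTP server ready",
    "C: AUTH TLS",
    "S: 500 AUTH not understood",
    "C: user backup",
    "S: 331 Password required",
    "C: pass <constructed-secret>",
    "S: 230 User logged in",
]

def audit_ftp_login(lines):
    """Report what an on-path observer learns from one FTP control channel.

    The password value is never returned, only the fact that it was exposed.
    """
    result = {"tls": False, "tls_refused": False,
              "user_exposed": None, "password_exposed": False}
    auth_pending = False
    for raw in lines:
        side, _, text = raw.partition(": ")
        verb, _, arg = text.strip().partition(" ")
        if side == "C":
            verb = verb.upper()  # FTP commands are case-insensitive
            if verb == "AUTH":
                auth_pending = True
            elif verb == "USER":
                result["user_exposed"] = arg
            elif verb == "PASS":
                result["password_exposed"] = True
        elif side == "S" and auth_pending:
            auth_pending = False
            if verb == "234":  # AUTH accepted: channel is encrypted from here
                result["tls"] = True
                break
            result["tls_refused"] = True
    return result
```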