Introduction
As I've been getting deeper into Cybersecurity and after the Wazuh lab I did a MITM lab using ettercap for ARP Poisoning and Wireshark to capture the traffic and analyse it.
Full write up on GitHub repo.
Demo video: youtu.be/jZ10v4bCBzY
About the lab
I am enrolled in a college course for Cybersecurity and now the course is currently teaching us Penetration Testing. And this exact lab was taught to us in Network Security, a few days ago.
That one was very similar to this one but the network architecture was very different. We were told to connect our laptops to our mobile hotspot (so that we are hacking in a network we own, completely legal) and put one Kali VM in bridged adapter mode.
Now both the host and the Kali VM behave like real network devices talking to the real router (phone). We were told to consider the host as the victim and Kali as the attacker.
And the ettercap command was run in Kali to make the host think Kali is the router and to make the router think Kali is the host, then we were told to generate some traffic on the host, and open that same vulnerable website mentioned in the write up and capture it in wireshark and login. Then after that we were supposed to do the same analysis and sniff out the credentials.
In theory it sounds like it works and it did work for a lot of people using Windows on their host machine but for me, since I use Linux btw, the traffic from the host was just not being seen from Kali even after disabling Cloudflare WARP. I called my teacher and showed him and he said it could be because of some inbuilt security features in Linux.
So I introduced the lab architecture I usually use when working with multiple Virtual Machines because this one is just cleaner and more isolated. And I cloned a Windows VM from my list of base images into the LAN part of the pfSense router and then I did the same thing on Kali with the Windows hosts IP and it worked, the traffic capture and analysis and credential sniffing.
So I thought it will never work with Linux but if you read the write up, I never used Windows anywhere and replaced the Windows VM with Debian Desktop VMs for victims. And it still worked.
Turns out, it will only not work when the Linux host is being ARP poisoned by a bridged VM. When Linux is not the host and a VM on the same network as the attacker, ARP poisoning will work just fine.
Things I learnt from this lab
I learnt about
- ARP poisoning
- precisely how attackers sniff out passwords over plain HTTP connections
- and why exactly ARP snooping is required in enterprises, something I learned while studying for CCNA.
Conclusion
I also documented the remediation steps for individuals, network administrators and website owners to protect themselves from this type of attack. It is in the write up, link above, go read it.
Top comments (0)