Adversary-in-the-middle using Network Sniffing

What is this article about?

What are the key skills/tools used?

  1. Changing the routing table of a host using route
  2. Capturing traffic using tcpdump
  3. Modifying kernel-level parameters using sysctl
  4. Setting up Network Address Translation (NAT) using iptables

How do we go about this?

Step 1 — Create the Victim and Sniffer hosts

> multipass launch -n victim && multipass launch -n sniffer
Launched: victim
Launched: sniffer
> multipass ls
Name     State    IPv4            Image
sniffer  Running  192.168.64.15   Ubuntu 20.04 LTS
victim   Running  192.168.64.14   Ubuntu 20.04 LTS
#- To get the current driver: 
> sudo multipass get local.driver
#- To set the current driver to hyperkit.
> sudo multipass set local.driver=hyperkit

Step 2 — Sniffer — Enable IP Forwarding

#- Get a root shell into the sniffer
> multipass exec sniffer -- sudo -i
#- Edit /etc/sysctl.conf to add the following lines. This will ensure changes persist across reboots.
#- Enable IPv4 forwarding
net.ipv4.ip_forward=1
#- [Optional] Disable IPv6. This is not essential, but packets can take unexpected paths over IPv6 and you might want to keep things simple.
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
#- Load the config for the current session
sysctl -p

Step 3 — Victim — Configure default route through Sniffer

#- Get a root shell into the Victim
> multipass exec victim -- sudo -i
#- List the routes. There are three routes defined.
root@victim:~# ip route
default via 192.168.64.1 dev enp0s2 proto dhcp src 192.168.64.14 metric 100
192.168.64.0/24 dev enp0s2 proto kernel scope link src 192.168.64.14
192.168.64.1 dev enp0s2 proto dhcp scope link src 192.168.64.14 metric 100
#- Add a default route through the Sniffer host
ip route add default via 192.168.64.15 dev enp0s2
#- Delete the original three entries in the route table
ip route delete default via 192.168.64.1
ip route delete 192.168.64.0/24
ip route delete 192.168.64.1

Step 4 — Testing — Try to ping google.com from Victim

Image 3.1: Victim is able to ping google.com through the sniffer
Image 3.2: Sniffer redirected Victim directly to the Gateway!

Step 5 — Sniffer — Disable ICMP Redirects

#- View ICMP redirect settings on the sniffer
> multipass exec sniffer -- sudo sysctl -a | grep -i send_redirect
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.enp0s2.send_redirects = 1
net.ipv4.conf.lo.send_redirects = 1
#- Get a root shell into the sniffer
> multipass exec sniffer -- sudo -i
#- Edit /etc/sysctl.conf to add the following lines. This will ensure changes persist across reboots.
#- Disable ICMP redirects on the sniffer.
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.enp0s2.send_redirects=0
#- Load the config for the current session
sysctl -p

Step 6 — Testing (again) — Try to ping google.com from Victim

Image 5.1 — Sniffer host does not show ICMP echo responses!

Step 7 — Sniffer — Configure SNAT

  1. Handling Outbound traffic from the Victim — The source IP of the packets coming from the Victim is modified to that of the Sniffer. This ensures that the return traffic is always sent back to the Sniffer. This is the SNAT operation.
  2. Handling Return traffic for the Victim — Since we have rewritten the source IP, the return traffic will always come back to the Sniffer. This traffic ultimately must be sent back to the Victim, so an un-SNAT is needed, i.e. replacing the destination IP with the IP of the Victim. Netfilter's connection tracking does this automatically for replies belonging to a SNATed connection, so a single SNAT rule is sufficient.
#- Rewrite the source IP of every packet from the Victim leaving enp0s2 to the Sniffer's IP
sudo iptables -t nat -A POSTROUTING -s 192.168.64.14 -o enp0s2 -j SNAT --to-source 192.168.64.15
#- Refined variant: leave the Victim's traffic to the local /24 untouched and only SNAT what leaves the subnet
iptables -t nat -A POSTROUTING -s 192.168.64.14 ! -d 192.168.64.0/24 -o enp0s2 -j SNAT --to-source 192.168.64.15
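As an added illustration (not part of the original post), the following Python model shows what the POSTROUTING rule above does to the Victim's packets and how connection tracking reverses the mapping for replies, which is why no separate un-SNAT rule is needed. The `! -d 192.168.64.0/24` match is modelled by the `exclude_local` flag; the `Packet` and `Nat` classes and the constructed sample flows are assumptions of this example, not netfilter code.

```python
import ipaddress
from dataclasses import dataclass, field

# Addresses from the lab above (constructed to match the post's multipass VMs).
VICTIM = "192.168.64.14"
SNIFFER = "192.168.64.15"
LOCAL_NET = ipaddress.ip_network("192.168.64.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"


@dataclass
class Nat:
    """Minimal model of one SNAT rule in nat/POSTROUTING plus the conntrack
    table netfilter uses to translate replies back (simplified: real conntrack
    keys on the full 5-tuple, this model keys on remote address and protocol)."""
    exclude_local: bool = True  # True models the '! -d 192.168.64.0/24' match
    conntrack: dict = field(default_factory=dict)  # (remote, proto) -> original src

    def matches(self, pkt: Packet) -> bool:
        """Does the rule's '-s VICTIM [! -d LOCAL_NET] -o enp0s2' match?"""
        if pkt.src != VICTIM:
            return False
        if self.exclude_local and ipaddress.ip_address(pkt.dst) in LOCAL_NET:
            return False
        return True

    def forward(self, pkt: Packet) -> Packet:
        """Packet forwarded by the sniffer and leaving enp0s2: apply SNAT."""
        if not self.matches(pkt):
            return pkt  # rule does not match, packet leaves unchanged
        self.conntrack[(pkt.dst, pkt.proto)] = pkt.src
        return Packet(SNIFFER, pkt.dst, pkt.proto)

    def reply(self, pkt: Packet) -> Packet:
        """Reply arriving at the sniffer: conntrack undoes the translation."""
        original_src = self.conntrack.get((pkt.src, pkt.proto))
        if pkt.dst == SNIFFER and original_src is not None:
            return Packet(pkt.src, original_src, pkt.proto)
        return pkt  # not a tracked SNAT flow (e.g. the sniffer's own traffic)


if __name__ == "__main__":
    nat = Nat()
    out = nat.forward(Packet(VICTIM, "8.8.8.8"))  # echo request to the Internet
    print("outbound after SNAT:", out)                  # src becomes the sniffer
    print("reply after un-SNAT:", nat.reply(Packet("8.8.8.8", SNIFFER)))
    print("local traffic:", nat.forward(Packet(VICTIM, "192.168.64.1")))
```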

Step 8 — Testing (yet again) — Try to ping google.com from Victim

  1. The ping from the Victim host is successful.
  2. We are able to capture both the ICMP request and response packets in the Sniffer.
Image 7.1 — Ping from Victim is successful
Image 7.2 — Sniffer is able to see both request and response packets

Step 9 — Cleaning up

multipass delete sniffer victim && multipass purge

In Retrospect

diyinfosec
