Man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two devices who believe that they are directly communicating with each other. In order to perform man in the middle attack, we need to be in the same network as our victim because we have to fool these two devices. Now lets initiate the attack by running our tools which is bettercap. To run bettercap we can simply open up terminal and type bettercap -iface [your network interface which connected to the network]. To know which network interface is used we can simply type ifconfig and here is what it shows us.
In my case it is wlan0, so im just gonna type bettercap -iface wlan0 and press enter.
As you can see now we already inside the tool, but it’s just a blank space without any information. In order to make our work easier we can type help and then press enter here is what it shows us.
Now we have some information about this tool, but our concern here is the module. For more information we can type help followed by module’s name for example help net.probe.
So, this module consist of several parameter, but for now let just keep it default and turn on the module by typing net.probe on.
Now the module is already running, what actually happen is the module scanning all the devices connected to the same network as our pc, including it’s ip address, mac address and vendor’s name. To make things clearer we can type net.show for further information.
So, Raspberry Pi is my device used to perform this attack and my ip address is 192.168.1.4. The router ip address is 192.168.1.1 knew it by Name column that is shows gateway and the rest is client connected to this network. Now we can choose which one to be our victim, for example im gonna choose 192.168.1.3 which is my own laptop running windows 10. Now lets see the module named arp.spoof.
Just like previous module it’s consist of several parameter. First lets take a look at arp.spoof.fullduplex parameter. In order to be the man in the middle we need to fool both the victim and the router by telling the router that victim’s mac address is our mac address and telling victim that router’s mac address is our mac address. So we need to set this parameter to true by typing set arp.spoof.fullduplex true. Secondly we need to set arp.spoof.targets parameter by simply giving it ip address of our victim. So in my case it will be set arp.spoof.targets 192.168.1.3.
After setting these 2 parameter we are ready to fire up this module by typing arp.spoof on. But wait a second lets go to windows 10 and type arp -a.
Like we already know when we type net.show command that my router ip’s is 192.168.1.1 and its mac is e4:**:**:**:**:e4 which is the real one. So weird thing have not happened. Lets go back to raspberry pi and fire up arp.spoof by typing arp.spoof on.
Now we already in the middle of our victim which is my windows 10 and my router. To make sure lets open up cmd on windows 10 and type arp -a, here is what it shows us.
As we can see that the mac address of our router changed to b8:**:**:**:**:08 which is my raspberry pi mac addresses, in other word we successfully fools windows 10 by telling it that ‘i am the router’ so that every request windows 10 make will go through raspberry pi. Now we can do packet sniffing using net.sniff module, so lets turn it on by typing net.sniff on.
Press enter and then im gonna move to windows 10 and open vulnweb.com.
Nothing is weird on the browser everything is just fine. Now if we move to raspberry pi here is what we will see.
Yeah! we know that our victim is accessing vulnweb.com as i just did on my windows 10.
Long story short we are just the third person in a harmonic relationship :(
Don’t forget to enjoy your life :)
Previously published at https://medium.com/@luthfir96/man-in-the-middle-attack-with-bettercap-24ac2d412769