ARP spoofing using MITMf
In this section, we are going to talk about a tool called MITMf (man-in-the-middle framework). This tool allows us to run a number of MITM attacks. In this section, we are going to use a basic ARP poisoning attack, exactly like we did in the previous section. We are going to be using our Wi-Fi card to do these attacks. We can use Ethernet virtual card instead of Wi-Fi card.
If we do ifconfig just to see our interface, we'll see that we have the wlan0 card connected to the internet network at 10.0.0.11:
Now, run arp -a on the Windows machine to see our MAC address. In the following screenshot, we can see that we have the gateway at 10.0.0.1, and the MAC address ends with 49-df:
So we're going to run ARP poising attack and see whether the MAC address changes and whether we can become the MITM.
To use the MTTMf tool, we're going to put the command first. Then we're going to define the --arp --spoof (ARP poisoning), then we're going to give the gateway which is the IP of the router, then we're going to give the IP of our target, and then give it the interface. The command is as follows:
If we don't specify a target, it will default to the whole network, to the whole subnet. The interface is specifying our wireless card. So, we're just going to hit ENTER, and the tool will be running now:
Now let's go the Window machine, run arp -a, and see whether we managed to become the center of the connection. In the following screenshot, we can see that the MAC addresses have changed from 49-df to 19-32, and that is the same MAC address as the interface that we have in Kali, so it ends up with 19-32:
So, that means we're the MITM at the moment, and the tool automatically starts a sniffer for us. So instead of arpspoof, which only places us in the middle, this tool actually starts a sniffer, which captures the data that is sent by the devices in our network.
We're going to visit on a website that uses HTTP and see how to capture the username and password form that HTTP website.
So, on a Window machine, we're going to go to a website called carzone.ie, and then we are going to go to the login page to log in to an account while the MITM attack is running, and then we are going to use a username and a password. We're going to put the Email address as [email protected], and then we're going to put a Password as 12345. Now, if we go back to the MITMf console, we will see that we have successfully captured the username which is [email protected] and the password which is 12345.
So, basically, we're able to capture any username and password that is entered by the computers that we're ARP spoofing. We are also able to see all the URLs that the person has requested. So, for example, we can see that they requested sell.carzone.ie. We can also see the URLs that carzone.ie requested. These are only the URLs requested by the ads that are displayed on the website.