Follow these instructions to get started:

1. To see a Man-in-the-Middle attack in action, first create a soft access point called mitm on the hacker laptop using airbase-ng. We run the following command:

   airbase-ng --essid mitm -c 11 mon0

   The output of the command is as follows:

   [Figure: output of the airbase-ng command]

2. airbase-ng, when run, creates an interface at0 (a tap interface). Think of this as the wired-side interface of our software-based access point mitm.

3. Now create a bridge on the hacker laptop consisting of the wired interface (eth0) and the wireless interface (at0). The succession of commands used for this is as follows:

   brctl addbr mitm-bridge
   brctl addif mitm-bridge eth0
   brctl addif mitm-bridge at0
   ifconfig eth0 0.0.0.0 up
   ifconfig at0 0.0.0.0 up
   ifconfig mitm-bridge 192.168.0.199 up

   We can then try pinging the gateway 192.168.0.1 to ensure that we are connected to the rest of the network.

4. Turn on IP forwarding in the kernel:

   echo 1 > /proc/sys/net/ipv4/ip_forward

   The output of the command is as follows:

   [Figure: output of the preceding commands]

5. Now connect a wireless client to our access point mitm. It will automatically get an IP address over DHCP (the server running on the wired-side gateway). The client machine in this case receives the IP address 192.168.0.197. We can ping the wired-side gateway 192.168.0.1 to verify connectivity:

   [Figure: ping from the client to the gateway]

6. We can also verify that the client is connected by looking at the airbase-ng terminal on the hacker's machine:

   [Figure: airbase-ng terminal showing the client association]

7. Start Wireshark on the hacker's machine and sniff on the at0 interface:

   [Figure: Wireshark capturing on at0]

8. Now ping 192.168.0.1 from the client machine. We can see the packets in Wireshark (apply a display filter for ICMP), even though the packets are not destined for us. This is the power of man-in-the-middle attacks:

   [Figure: ICMP packets from the client visible in Wireshark]

We successfully created the setup for a wireless Man-in-the-Middle attack. We did this by creating a fake access point and bridging it with our Ethernet interface. This ensured that any wireless client connecting to the fake access point perceives that it is connected to the Internet via the wired LAN.
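The soft access point created above is exactly what a wireless intrusion detection system looks for. The following added example (not from the book, and not a feature of airbase-ng or Wireshark) parses raw 802.11 beacon frames, without a radiotap header, and flags any ESSID advertised by a BSSID that is not in an authorized inventory, reporting both an unlisted network such as mitm on channel 11 and an evil twin that reuses an authorized ESSID. The inventory, the MAC addresses and the sample frames are constructed for the example.

```python
# Constructed inventory of authorized networks: ESSID -> authorized BSSIDs (hypothetical values).
AUTHORIZED = {"Corp-Lab": {"00:11:22:33:44:55"}}

def parse_beacon(frame: bytes):
    """Parse a raw 802.11 beacon (no radiotap header) into a dict; None for other frames."""
    if len(frame) < 36 or (frame[0] & 0xFC) != 0x80:  # type 0 (mgmt), subtype 8 (beacon)
        return None
    bssid = ":".join(f"{x:02x}" for x in frame[16:22])  # addr3 of the management header
    ssid, channel, pos = "", None, 36   # IEs start after the 24-byte header + 12 fixed bytes
    while pos + 2 <= len(frame):        # walk the tagged information elements
        tag, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + length]
        if len(data) < length:          # truncated IE: stop rather than mis-parse
            break
        if tag == 0:                    # SSID element
            ssid = data.decode("utf-8", errors="replace")
        elif tag == 3 and length == 1:  # DS parameter set: current channel
            channel = data[0]
        pos += 2 + length
    return {"bssid": bssid, "ssid": ssid, "channel": channel}

def classify(beacon: dict) -> str:
    """'authorized', 'evil-twin' (known ESSID from an unlisted BSSID) or 'unknown-ap'."""
    allowed = AUTHORIZED.get(beacon["ssid"])
    if allowed is None:
        return "unknown-ap"
    return "authorized" if beacon["bssid"] in allowed else "evil-twin"

def scan(frames):
    """Return (verdict, ssid, bssid, channel) for every beacon that is not authorized."""
    alerts = []
    for frame in frames:
        b = parse_beacon(frame)
        if b is not None and (verdict := classify(b)) != "authorized":
            alerts.append((verdict, b["ssid"], b["bssid"], b["channel"]))
    return alerts

def build_beacon(bssid: str, ssid: str, channel: int) -> bytes:
    """Construct a minimal beacon (zeroed fixed parameters); used only to make sample input."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    return header + bytes(12) + bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])

# Constructed sample capture (made-up MACs): the legitimate AP, a soft AP advertising "mitm"
# on channel 11, and an evil twin reusing the corporate ESSID from that same soft AP.
SAMPLE_FRAMES = [
    build_beacon("00:11:22:33:44:55", "Corp-Lab", 6),
    build_beacon("02:00:00:aa:bb:cc", "mitm", 11),
    build_beacon("02:00:00:aa:bb:cc", "Corp-Lab", 11),
]
```

In a real deployment the frames would come from a monitor-mode capture on a sensor card, with the radiotap header stripped before parsing.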
In the previous exercise, we bridged the wireless interface with a wired one. As we noted earlier, this is one of the possible connection architectures for an MITM. There are other combinations possible as well. An interesting one would be to have two wireless interfaces, one that creates the fake access point and the other that is connected to the authorized access point. Both these interfaces are bridged. So, when a wireless client connects to our fake access point, it gets connected to the authorized access point through the attacker's machine.
Please note that this configuration would require the use of two wireless cards on the attacker's laptop.
Check whether you can conduct this attack using the in-built card on your laptop along with the external one; bear in mind that the in-built card may not have the injection drivers required for this activity. This should be a good challenge!