Tuesday, December 6, 2016

Bettercap : MITM attack for sniffing traffic and passwords

Contents

  • Installation
  • Sniffing Traffic
  • Getting password
We will be installing Bettercap, doing a quick sniffing exercise, and then a more detailed section on grabbing the password. Will demonstrate the password grabbing on outlook.com, which seems to be particularly vulnerable to this attack.

Installing bettercap

Installation is simple-
apt-get update
apt-get dist-upgrade
apt-get install bettercap
The above three commands will leave you with latest versions of Kali and bettercap.

PS: I am writing this tutorial from a location with slow internet connection, and hence didn't perform the dist-upgrade step. However, bettercap seems to be running mostly fine. There may be a few difference in what you observe and what I show in this demo due to this difference in versions. For those who want to know the versions of various utilities that I'm using, take a look below. If you are unfamiliar with Linux, you're best off using the latest versions of everything, which can be obtained by running the three commands I mentioned earlier.

new@kali:~$ uname -a
Linux kali 4.7.0-kali1-amd64 #1 SMP Debian 4.7.6-1kali1 (2016-10-17) x86_64 GNU/Linux

new@kali:~$ bettercap -v
bettercap 1.5.8

new@kali:~$ ruby -v
ruby 2.3.1p112 (2016-04-26) [x86_64-linux-gnu]

Not on Kali?

The readme on github repository of bettercap is quite comprehensive, and would help you install bettercap on most linux distributions. After installation the process should be same for Kali or any other Linux distribution.


Sniffing Traffic

There's nothing special about the usual sniffing traffic functionailty of bettercap. Bettercap can easily performing sniffing on your local area network. It also lets you write the output to a pcap file and later analyze it with WireShark or some other tool of your choice. I'll just give a simple demo here. The real fun is in the capturing passwords section.

Run the command-
bettercap --sniffer
Sniffing traffic: Screenshot shows my lenovo smartphone's
requests to truecaller being sniffed

 You'll see all the websites being visited by all the devices on the network. Press ctrl+c to stop.

Take a look at the help manual for more commands, or read the wonderful documentation.


Internet stopped working

There are plenty of open issues on the github page of bettercap. The one problem I faced was that after bettercap had finished running, the internet connection on the attacker machine (Kali) would be killed. I fixed it by simply turning restarting the wlan0 interface (turn it off and on from the gui or use ifconfig commands). Some people reported that Bettercap killed internet connection for all hosts. If you face a different issue, take a look here and see if you can find a solution.



Capturing passwords

The fun part lies here. Bettercap uses sslstrip to change https webpages to simple http ones, which ensures that the passwords are transferred in clear text, and you can read them without any issues. I will be targeting my lenovo phone from my Kali machine. First, you must find the IP of your target. This can be done by simply running bettercap and waiting for all machines on your network to show up. Once they do, you can identify the one you're trying to attack, and note it's IP. Then use this IP as the target IP. Let's look at the steps first.
PS: I'm assuming you connected to the network you are attacking using the wlan0 interface. If not, specify your interface using the -I option.

  1. Run the command bettercap on the terminal
  2. Wait for bettercap to acquire targets.
  3. When bettercap discovers the target you're looking for, note down it's IP address. Let's call it TARGET_IP.
  4. Press ctrl+c to stop bettercap (if internet connectivity is lost, as was in my case, restart your wlan0 interface)
  5. Run this command - bettercap -T TARGET_IP --proxy -P POST (replace TARGET_IP with the appropriate IP)
In  my case, my target was my Lenovo smartphone. It was detected by bettercap,
and i noted down it's IP. 192.162.2.2 is what I'll use as my TARGET_IP
Now your attacker machine is ready and listening for traffic on the network. Once your victim opens any login page, bettercap will use sslstrip to remove the https from the URL, and once the target enters his/her login credentials, you will see them in cleartext.

Let's look at a demo run of the above procedure.

Capturing passwords entered on Outlook by smartphone user on same LAN/WLAN

This section is simply going to be a set of pictures with captions below them explaining stuff. It should be easy to follow I hope.

Starting bettercap using the command I specified earlier.
Then I proceed to open outlook.com on my smartphone
SSLStrip detects that I'm trying to access outlook, removes the https from the page
This is the login page that my smartphone sees. Notice the address in the URL.
This is what the address should look like, with HTTPS. The URL on the smartphone lacks
HTTPS, and has extra Ws in www. I enter the username here. Meanwhile,
bettercap detected that username was entered and shows that to me. 

Bettercap shows me the username. In the smartphone, I am at the password stage after entering username.

I now enter the password. Let's see what happens on the attacker machine
I entered the password as "wrongpass" on my smartphone, and
bettercap is able to detect it.

Limitations

From this test run, here are the limitations of the tool that I observed-
  1. The biggest problem - It does not work on all sites. Before trying outlook, I tried to see if I could carry out this MITM attack over Facebook, Gmail, Twitter, etc. Unfortunately, I wasn't able to. It only seems to work with some websites.
  2. The difference in the URL if easily visible. Anyone who knows what https is, will notice the lack of it. I, for one, would never enter my credentials on an http page.The extra Ws in the www don't help eitheir.
  3. The tool isn't perfect. There are a few bugs.
Update : Giorgio's comment on the tutorial addresses the first and the third issues. The reason why Facebook and Gmail don't give in to the attack is because they don't have an http version of their websites. Bettercap can't force Facebook to replace it's https page with an http one, simply because there is no http version of Facebook. Secondly, Yahoo looks buggy because it's CSS files (ones hostel by google) are served over https, and an attempt to get an http version would yield nothing, since http versions aren't available. Hence, the CSS files are missing, and while the parts of the page which operate over http load well, the ones which are exclusively https do not.

Facebook seems immune to the attack
Yahoo's response is buggy, but you'll notice
that sslstrip did it's job, the page is regular http now
The tutorial ends here, a few personal insights ahead, not very important.

How to be safe

This demo must scare you. I, for one, wasn't sure if this tool would work at all. However, it did work very well with outlook, and somewhat worked with yahoo as well (not shown in demo). Facebook and Gmail seem to be immune to it, but I didn't really try hard to get them, and after writing this post, I'll try to see if I can get the tool to grab Facebook and gmail logins as well. Regardless, we see how easy it can be for someone to grab your credentials if they are on the same network as you. So how can you be safe?

Here are some pointers-
  1. Never enter your credentials on a non-https page. Also, if there's some flaw with the https, your browser usually will point that out to you. 
  2. Be extra careful on public wireless networks.

By clicking on details, you can see exactly how your connection to
a website is encrypted.
Chrome provides detailed breakdown of the cipher used and the validity of certificate

Things to do

This tutorial is supposed to serve as an introduction to sniffing, MITM and bettercap. I have observed that posts with too much theory don't perform too well, so I just demonstrated the functionality of the tool. However, this was a very basic exercise, and for both me you, there are things to do-

  1. Try other functionalities offered by this tool.
  2. Try to get it to work with Facebook and Gmail. I'll have to approach facebook and Gmail in a different manner, read the comment by Giorgio below for more information.
If I am able to get it to work with Facebook/Gmail, I'll write another tutorial, showing you how you can do it too.

7 comments:

  1. Thank you for thia guide and for this blog: I hope that many people will read it and learn about the basics of IT security.
    I think what prevents this attack on Google, Facebook (not sure about twotter) and some other sites is that they only accept protected (https) connections. They simply don't have an http version, so you cannot connect to them via plain http.
    My guess about the Yahoo thing instead is that they make use of Google-hosted css/js (like Google fonts). Those files are served through https and in experience trying to access them via http will result in an error being thrown, therefore when you force yahoo to use http you prevent those files from loading.
    I don't know if this could be feasible, but depending on how Bettercap was implemented it could be possible to add a whitelist of sites which should be left with https.

    ReplyDelete
    Replies
    1. Thank you for the valuable insights.

      I was able to realize from Yahoo's appearance that it's CSS file(s) failed to loaded, and suspected something along the lines of what you said.

      However, I had no clue why Facebook and Gmail wouldn't bulge. Your answer makes perfect sense. If they don't have an http version, there's nothing that bettercap/sslstrip can do to make them serve one. A simple yet elegant solution.

      Next step for me would be to replace the Facebook login page with my phishing page. I did something along those lines in an earlier tutorial (2 years ago - http://www.kalitutorials.net/2014/05/social-engineering-toolkit-kali.html), but let me see if I can get my phishing page to open if one types in facebook.com in the URL bar (instead of the IP of my attacker machine, as was the case in the aforementioned tutorial).

      I do not yet code in Ruby, but will try to look at Bettercap's source code on Github and see if I can understand how it works, maybe even contribute to it.

      Delete
    2. Phishing is a really strong weapon, however if you redirect the victim to your fake page then there is no need to run bettercap nor sslstrip anymore as he would be sending data directly to you anyway.
      As far as Facebook.com instead of the IP address you should look into DNS spoofing, it'quite messy to make it work, but extremely effective if you manage to do it.

      Delete
    3. I'll look into DNS spoofing, that seems to be quite an interesting topic at first glance.

      However, I was thinking about using ARP spoofing/ ARP poisoning (what bettercap does). That seems to be quite straightforward and works without many issues.

      Let me elaborate on what I intent to do.

      What I (or bettercap :) ) did in this tutorial puts us in a position where the victim machine thinks that the attacker machine is the router and hence sends requests to the attacker machine for fetching web pages from the internet. The attacker then forwards the request to the router, get the response and returns the response back to the victim. In this way, we have sniffed all the traffic, by ensuring it passes through us.

      But, rather than harmless sniffing, we could modify things as well. Instead of forwarding the request to the router, we could return whatever web page we please (a local phishing page for example). I think the browser on the victim will complain about untrusted certificates, but apart from that, this seems to be doable.

      Delete
    4. sslstrip can maintain upstream HTTPS connections between attacker > real service, then relay the data onto the victim/test machine via HTTP; in this way, content only available upstream via HTTPS (be it CSS or an entire site) can still be represented as HTTP on the victim/test machine.

      The only issue you will face here is the 'On Ramp' so to speak. SSLStrip needs to see a cleartext page with a link to a HTTPS page (or a login form etc) that it can re-write to HTTP (even though SSLStrip with keep the attacker>service connection HTTPS). It may not do this out of the box, but www.facebook.com DOES provide a response, a simple redirect to HTTPS://www.facebook.com, so in theory you could have your MITM proxy simply return the 200OK + Content it's pulled from the https upstream facebook, direct to the user as HTTP, rather than the redirect.

      Delete
  2. Giorgio, I found your insight and knowledge on this matter to be most enlightening. I followed your instructions to the tee and I was very impressed by the results. I'm a simple script kiddy; but in my defense the best way to learn is to do. I also read up on some of the basics you linked in this thread, thank you again for that.

    Shashwat Chaudhary, I'd really like to learn more about phishing and other forms of social hacking. Any response would be greatly appreciated.

    ReplyDelete
    Replies
    1. My winter semester has started but I'll try to post more on social engineering soon. Also, sorry for the late response, your comment was wrongly marked as spam.

      Delete

© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.
Bitcoin: 1B5aLqJcMW7zznffTxQwta8JTZsxBDPguC