
The Creation and Execution of a MITM Attack

Man-in-the-middle (MITM) attacks have been around since the early 1980s. They generally use fake networks, also commonly referred to as clone networks, to collect or manipulate traffic intended for the original network. The real kick is that the information isn't stolen outright: the Instagram login you just sent over the Starbucks public Wi-Fi, for example, can be extracted with a MITM attack fairly easily without you being any the wiser.


Now onto the juicy stuff: how could YOU set up a fake access point and get right to sniffing packets? Before we move on to the MITM attack itself, we need to cover a few base concepts. First, sniffing. Sniffing is the act of grabbing all of the traffic that passes you on a wired or wireless link. Second, you'll need an additional wireless adapter. A wireless adapter is a hardware device attached to a computer or laptop that allows it to connect to a wireless network. Finally, you'll need a machine with the most up-to-date version of Kali Linux installed. There are a number of tools that will let you sniff packets effectively: most famously Wireshark, but also tcpdump, dsniff, and a handful of others. In order to see and grab the web traffic you've now been given access to, you first need to put your NIC or wireless adapter into promiscuous mode (called monitor mode on wireless interfaces), meaning that it will pick up ALL traffic, not just the frames addressed to your MAC/IP address.


To conduct this MITM attack, you're going to need three separate terminals, so go ahead and open those now. Our goal is to get a client on our network to believe we are the server and the server to believe we are the client. The tool arpspoof can do this for us: it sends forged ARP replies so that the client's ARP table maps the server's IP address to our MAC address, and the server's ARP table maps the client's IP address to our MAC address. Let's start with the client. We want the client to associate the server's IP address with our MAC address.


arpspoof -t 192.168.1.101 192.168.1.105

Where:

-t 192.168.1.101 is the target we send the forged replies to, the IP of the client

192.168.1.105 is the IP of the server, the host we claim to be


In this step, we're telling the client that we are the server. Now we want the server to associate the client's IP address with our MAC address, so we swap the two IP addresses in the previous command.


arpspoof -t 192.168.1.105 192.168.1.101

Here, we are telling the server that we are the client.


Now execute both of these commands, one in each terminal, and leave them running. When we do this, the client will think we are the server and the server will think we are the client! Now that we are impersonating both the client and the server, we need to forward the packets we receive on to the other machine, otherwise the connection between them simply breaks. We do this in Linux with the ip_forward setting. Linux has built-in functionality to forward packets it receives. By default it's turned off, but we can turn it on by changing its value to 1. We simply echo a 1 and redirect (>) it to /proc/sys/net/ipv4/ip_forward (as root), thereby turning on IP forwarding.


echo 1 > /proc/sys/net/ipv4/ip_forward

Now our system, in the middle, is forwarding the traffic it receives to both ends of this connection, client and server.


Now that we have all the traffic coming from the client to the server and the server to the client going through our computer, we can sniff and see all the traffic! To do this, we could use a number of different sniffing tools, including Wireshark or tcpdump, but in this case we'll use Dug Song's dsniff.

To activate dsniff, we simply type:


dsniff

dsniff responds that it is listening on eth0.


Now we wait until the client logs into the FTP server. When they do so, dsniff will grab their credentials and display them to us.


dsniff should now have grabbed the FTP credentials, or whatever else you were sniffing for. It's important to note that users and administrators often reuse the same username and password across all services and systems. (And yes, that's really all you have to do.)
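The ARP poisoning described above leaves a recognisable footprint on the victims' segment: the server's IP suddenly resolves to a new MAC address, and one MAC address ends up answering for several IPs. The detector below is an added example, not code from the original post; it assumes ARP replies have already been captured as (sender IP, sender MAC) pairs (for instance from tcpdump or arpwatch output) and runs on constructed sample data that uses the page's example IPs with made-up MACs.

```python
from collections import defaultdict

# Constructed sample: ARP replies as seen on the victims' segment, as
# (sender IP, sender MAC). IPs are the page's example addresses; the MACs
# are made up. The last two entries are the footprint of arpspoof poisoning
# both ends: a third MAC claims the server's IP and then the client's IP.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.101", "aa:aa:aa:aa:aa:01"),  # client, legitimate
    ("192.168.1.105", "aa:aa:aa:aa:aa:05"),  # server, legitimate
    ("192.168.1.101", "aa:aa:aa:aa:aa:01"),  # repeat, no change
    ("192.168.1.105", "cc:cc:cc:cc:cc:ff"),  # server IP now mapped to a new MAC
    ("192.168.1.101", "cc:cc:cc:cc:cc:ff"),  # client IP mapped to the same MAC
]


def detect_arp_spoofing(replies, baseline=None):
    """Return a list of alert tuples for suspicious ARP replies.

    Two checks are applied:
      * "mac-changed": an IP's sender MAC differs from the one first seen
        (or from a supplied baseline of known-good IP -> MAC mappings);
      * "mac-claims-multiple-ips": one MAC has now been seen answering for
        more than one IP, which is what a host poisoning both client and
        server looks like.
    Caveat: a router with several addresses or a DHCP lease moving to a new
    host triggers the same signals, so a trusted baseline cuts false positives.
    """
    ip_to_mac = dict(baseline or {})
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac  # learn the first-seen mapping
        elif known != mac:
            alerts.append(("mac-changed", ip, known, mac))
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(("mac-claims-multiple-ips", mac,
                               tuple(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(*alert)
```

On a real segment, seed the baseline from a known-good ARP table so the first forged reply for the gateway or server is flagged immediately rather than learned as legitimate.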


