How to Spy on Another Person’s Browser: Man-in-the-Middle Attacks

I dusted off Ettercap the other day and started playing with it again. With Ettercap, you can very easily perform Man-in-the-Middle attacks with ARP poisoning. In layman’s terms, ARP poisoning is simply placing your machine between the target machine and the internet, so you can view all the traffic of the target.

This is done by altering the ARP cache so the target PC thinks you are the router, and the router thinks you are the target PC. Several programs offer ARP poisoning, but Ettercap offers some interesting modules and filters that you can use that do different functions.

Today, I want to look at the “Remote Browser Attack” feature of Ettercap. This basically allows you to remotely spy on a target PC and a copy of the website they are visiting will be displayed on your computer.

To do this attack there are just a couple of settings to change in the Ettercap config file.

Ettercap Instructions in Backtrack 4:

Edit the “/etc/etter.conf” file.
Under the [privs] section, change:
EC_uid = 65534
EC_gid = 65534
to:
EC_uid = 0      #65534
EC_gid = 0      #65534

And, scroll down to the [Strings] section.

If the target is using Firefox, change:
remote_browser = "Mozilla -remote openurl(http://%host%url)"
to:
remote_browser = "firefox -remote openurl(http://%host%url)"

Now start up Ettercap-GTK. 

When it starts up, pick “Sniff” and then “Unified Sniffing” and then pick your network card.

Now, just select “Hosts” and scan the network for hosts. Next, click “Hosts” and “Host list”. A list of the available host’s IP addresses will appear. 

Click on the target PC, then click on “Add to Target 1”, then click on the router, then click “Add to Target 2”.

Click on the “Plugins” menu. Select “Manage the plugins”. Scroll down the list and Double click on “Remote_browser”. An asterisk will appear in front of it when it is selected. Next click the “Mitm” menu tab and select “ARP Poisoning”.

Then just hit “Start” and “Start Sniffing”.

Finally, make sure you open the Firefox browser on your Backtrack attacker machine. The webpage for every website your target visits will show up in your Firefox browser.

That’s it, just go to the target machine and surf the web. On the attacker machine, you can see that Ettercap is capturing the target’s surfing:

As the target surfs to different webpages, the Firefox on the attacking machine will also auto-update with the page they are on:

Notice the tabs in Firefox on the attacking machine. These are a history of all the pages that the target has visited since the attack began.

For targets, I used an updated version of Windows 7 and Windows XP SP3 in this test. Ettercap is an older program and has not been updated in a while. This attack used to work very well against older versions of Windows XP. On XP Service Pack 3, normal pages show up fine, but encrypted webpages would not show up on the attacker machine. So, for example, you could go to Gmail and log in on the target machine, but only the login page would show up in the attacker’s browser.

Also, many of Ettercap’s older password sniffing functions no longer work on updated machines and websites.

Windows 7 fared the best against the Ettercap attack. Using just the ARP poisoning attack, Windows 7 would not let you open SSL encrypted sites at all. It sensed something was wrong and gave this error:

If you tried to continue, the web address would turn red and a message came up saying due to security issues the page would not be displayed.

Also, when trying to run the remote browser module attack against the Windows 7 machine, as soon as you tried to surf to any webpage, standard or encrypted, the internet connection would drop completely.

Okay, how do you defend against these types of attacks? Man-in-the-Middle attacks of this kind are possible because of ARP poisoning; if your ARP cache could not be modified, this attack would not be possible. Unfortunately, it appears that making your ARP cache static is not feasible or practical on many networks.

Some internet security programs protect the ARP cache from being changed. Also, many IDS systems will detect when a program tries to change the ARP cache. If you are a network manager and are not familiar with these types of attacks, look into it to see what the best solution is for your system. For home users, a quick solution is to not share your wireless router with your neighbors: lock it down!

Windows 7 with its more advanced security features held up better against these attacks than Windows XP SP3 did. It just may be time to consider upgrading from XP to Windows 7.


US Government Web Traffic diverted through Chinese Computers

One of the most effective attacks in the cyber security world is the “man-in-the-middle” attack. Basically this means to place your attacking computer in between the communication of two or more target machines. As the attacker, you get full access to the data traveling from point “a” to point “b”.

This is basically what happened to 15% of the world’s internet traffic last April, including traffic from the US Government. According to Fox News, a report will be released to Congress tomorrow that states:

“.gov and .mil websites were affected by the redirection, including websites for the Senate, all four military services, the office of the Secretary of Defense, the National Oceanic and Atmospheric Administration and “many others,” including websites for firms like Dell, Yahoo, IBM and Microsoft.”

According to National Defense Magazine, Dmitri Alperovitch, McAfee’s vice president of threat research, said, “This is one of the biggest – if not the biggest hijacks – we have ever seen.” And it could happen again, anywhere and anytime. It’s just the way the Internet works, he explained. “What happened to the traffic while it was in China? No one knows.”

How did it happen? Internet packets are always looking for the fastest path to travel when going from point “a” to point “b”. What happened, purposely or not, was that China Telecom Corporation told the world’s internet service providers that it had the fastest route to send data.

And for 18 minutes, a good chunk of the world’s internet traffic diverted and flowed through China. Wow, simple and effective.

But encrypted data would be safe, right? Not necessarily, says Yoris Evers, director of worldwide public relations at McAfee:

“If China Telecom intercepts that [encrypted message] and they are sitting in the middle of that, they can send you their public key with their public certificate and you will not know any better,” he said. The holder of this certificate has the capability to decrypt encrypted communication links, whether it’s web traffic, emails or instant messaging, Alperovitch said. “It is a flaw in the way the Internet operates.”

For a couple of years now, Moxie Marlinspike has shown that SSL encrypted data is not safe during a man-in-the-middle attack. During one of his presentations he showed the results of running a program called “SSLStrip” on a Tor exit node. SSLStrip was able to retrieve numerous credit card numbers and passwords that should have been encrypted, in plain text.

China’s diversion of traffic really exposed a serious weakness in the way the internet functions. Why run a denial of service attack, which in many circumstances is just a nuisance, when you can divert a large chunk of a country’s data through your systems, store it, and analyze it later for information?

Internet routers need to be changed so that when the destination and source are in the same country, the packets never leave that nation.

DNSSEC, Secure DNS for Internet on the Way

DNSSEC (DNS Security Extensions), a more secure DNS protocol, is to be implemented on May 5th. With DNS poisoning and Man-in-the-Middle attacks on the rise, the Domain Name System will be moving to a secure version of DNS next month.

The changes will add digital signatures to the DNS protocol. This will reduce the risk that users will be redirected to rogue sites masquerading as the real deal. But these changes are being implemented with caution. Normal DNS packets are under 512 bytes. According to The Register, the new secure DNS packets will be much larger than 512 bytes and some existing firewalls could reject them:

Because of this, some pieces of network gear are configured out of the box to reject any UDP packet over 512 bytes on the basis that it’s probably broken or malicious. Signed DNSSEC packets are quite a lot bigger than 512 bytes, and from 5 May all the DNS root servers will respond with signed DNSSEC answers.

The changes are being implemented at the ISP level, so home user/small business routers should not be at risk. “Should not” being the key words there. For more information on DNSSEC, see Wikipedia.
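The two things The Register’s warning turns on can be checked from a client: whether a query actually asks for DNSSEC data (an EDNS0 OPT record with the DO bit), and whether the answer that comes back is over the classic 512-byte UDP limit or was truncated. The example below is added here and is not code from this post, The Register, or any DNS software; the resolver answers it inspects are constructed stand-ins with a real header and padding in place of the signed records.

```python
import struct

CLASSIC_UDP_LIMIT = 512  # largest UDP answer plain RFC 1035 DNS allows
EDNS_UDP_SIZE = 4096     # payload size our query advertises via EDNS0
DO_BIT = 0x8000          # "DNSSEC OK" flag in the OPT record's TTL field
FLAG_TC, FLAG_AD = 0x0200, 0x0020  # header bits: truncated / authenticated data


def build_dnssec_query(name, qtype=1, txid=0x1234):
    """Query for `name` carrying an EDNS0 OPT record with the DO bit set,
    which is how a client asks a resolver to include RRSIG records."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)             # QTYPE, QCLASS=IN
    # OPT RR: empty name, TYPE=41, CLASS=UDP payload size, TTL=flags (DO), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_UDP_SIZE, DO_BIT, 0)
    return header + question + opt


def classify_response(resp):
    """What a '512-byte UDP' filter and a DNSSEC-aware client make of an answer."""
    flags = struct.unpack("!H", resp[2:4])[0]
    return {
        "size": len(resp),
        "over_classic_limit": len(resp) > CLASSIC_UDP_LIMIT,   # such gear would drop it
        "truncated": bool(flags & FLAG_TC),                    # client must retry over TCP
        "validated": bool(flags & FLAG_AD),                    # resolver verified signatures
    }


def sample_response(flags, body_len, txid=0x1234):
    """Constructed stand-in for a resolver answer: real header, padded body."""
    return struct.pack("!HHHHHH", txid, flags, 1, 2, 0, 1) + b"\x00" * body_len


# Constructed: a signed answer (QR|RD|RA|AD) whose RRSIGs push it past 512 bytes,
# and the truncated fallback (QR|RD|RA|TC) a resolver returns when it is only
# allowed 512 bytes.
SIGNED = sample_response(0x81A0, 700)
TRUNCATED = sample_response(0x8380, 200)
```

Sending the bytes from build_dnssec_query to your own resolver on UDP port 53 and running the reply through classify_response shows whether signed answers survive the path through your firewall.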

Arp Poisoning: Man-in-the-Middle Attacks

One of the most dangerous attacks against networks is the “Man-in-the-Middle” attack (MITM). In this attack, the intruder inserts his computer between your system and the rest of the network. As you communicate, the intruder eavesdrops on all your messages as they are transmitted on the web.

Network switches were supposed to stop attacks like this. Instead of blindly retransmitting every packet it gets, a switch only sends packets down the line bound for a specific machine or network, so not all traffic reaches every node on the switch. The switch in this case acts like a traffic cop, directing traffic to its destination. So, if switches only transmit data bound for the destination machines, how do people intercept this traffic?

This intelligent data flow is compromised by a weakness in the Address Resolution Protocol (ARP). Each computer keeps a map of which network address corresponds to what physical network card. So network address 1 belongs to the switch, address 2 belongs to the user Bill and address 3 belongs to our attacker Joe. Bill’s machine communicates to and from the switch.

Now Joe, our attacker, modifies or poisons the ARP tables on Bill’s machine and the switch. He tells the switch that he is Bill at address 2. He then tells Bill’s machine that he is the switch located at address 1. So, all data transmitted from Bill will now go to Joe’s machine, and all data from the switch headed for Bill will go to Joe’s machine. Joe’s machine passes all traffic back and forth, placing himself in the middle between Bill and the router. Thus the name, “Man-in-the-Middle” attack.

Joe is now able to intercept all of Bill’s traffic. He is able to view websites that Bill is on, grab passwords, login credentials and with the right tools, he can even intercept and read encrypted data from Bill.
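The defense note in the Ettercap write-up above says IDS systems detect the ARP cache being rewritten; on the wire that means watching ARP replies and alerting when an IP address suddenly answers from a new MAC, or one MAC starts answering for several IPs. The added example below is not code from this post, Ettercap, or arpwatch: it is a small arpwatch-style monitor that replays the Bill / switch / Joe scenario just described and flags the two forged replies. The MAC and IP addresses and the frames are constructed.

```python
import struct
from dataclasses import dataclass, field

ARP_REPLY = 2  # ARP opcode "reply"; these are the frames a poisoner forges

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet+ARP reply used only as sample input below."""
    eth = target_mac + sender_mac + b"\x08\x06"               # dst, src, EtherType=ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, lengths, op
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip

@dataclass
class ArpMonitor:
    """arpwatch-style monitor: remembers each IP->MAC pair and flags changes."""
    ip_to_mac: dict = field(default_factory=dict)
    mac_to_ips: dict = field(default_factory=dict)

    def observe(self, frame):
        """Feed one raw frame; return an alert string, or None if nothing is odd."""
        if len(frame) < 42 or frame[12:14] != b"\x08\x06":
            return None                                        # not an ARP frame
        if struct.unpack("!H", frame[20:22])[0] != ARP_REPLY:
            return None                                        # only replies rewrite caches
        mac = frame[22:28].hex(":")                            # sender hardware address
        ip = ".".join(str(b) for b in frame[28:32])            # sender protocol address
        alert, known = None, self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            alert = f"{ip} moved from {known} to {mac} (possible ARP poisoning)"
        elif self.mac_to_ips.get(mac, {ip}) != {ip}:
            alert = f"{mac} claims {ip} on top of {sorted(self.mac_to_ips[mac])}"
        self.ip_to_mac[ip] = mac
        self.mac_to_ips.setdefault(mac, set()).add(ip)
        return alert

# Constructed addresses for the article's Bill / switch / Joe example.
GATEWAY_MAC, GATEWAY_IP = bytes.fromhex("001122aabb01"), bytes([192, 168, 1, 1])
BILL_MAC, BILL_IP = bytes.fromhex("001122aabb02"), bytes([192, 168, 1, 2])
JOE_MAC = bytes.fromhex("001122aabb03")

def run_scenario():
    """Two legitimate replies, then the two forged ones that put Joe in the middle."""
    mon = ArpMonitor()
    frames = [
        build_arp_reply(GATEWAY_MAC, GATEWAY_IP, BILL_MAC, BILL_IP),     # normal
        build_arp_reply(BILL_MAC, BILL_IP, GATEWAY_MAC, GATEWAY_IP),     # normal
        build_arp_reply(JOE_MAC, GATEWAY_IP, BILL_MAC, BILL_IP),         # "I am the gateway"
        build_arp_reply(JOE_MAC, BILL_IP, GATEWAY_MAC, GATEWAY_IP),      # "I am Bill"
    ]
    return [a for a in map(mon.observe, frames) if a]
```

The same observe() loop fed from a raw socket or a pcap reader is the core of what a host-based ARP watcher does; the first alert it raises in practice is almost always the gateway’s IP moving to an unfamiliar MAC.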

This is just a simple explanation of the Man-in-the-Middle attack. In the near future we will cover some of the attackers’ tools and how to defend against this type of attack. For more information on MITM attacks, see Wikipedia.

D. Dieterle