Skip to main content

MitM: Using driftnet to View the Target's Graphics Files

Using MiTM  with driftnet to View the Target's Images
In each of our previous MiTM attacks, we have been able to place ourselves between two users and to view their traffic. This traffic can been seen by using such tools as Wireshark and other packet sniffers. As we can see below, Wireshark shows us with great detail each packet going over the wire.  We can use Wireshark to capture these packets for later detailed analysis.
When we use the Wireshark filter for "HTTP", we can see only the HTTP traffic and we know that this traffic has images in the packets. The problem is that we can't see them or reconstruct them as the images are often fragmented across multiple packets.
The problem comes when we want to see pictures, photos, jpg, png and other graphic files in this stream of traffic. By using Wireshark and other sniffing tools we can see that pictures and other graphic files are passing over the wire or air, but we can't  see what those images are.
Our Scenario
Let's assume that are task is to check to see whether someone we suspect is spying for a foreign government is sending secret images or receiving secret images from their computer. These images might include maps, plans, intellectual property, pictures of other spies, etc.. These images include top secret information that we may  need to view to protect our nation. How can we do it?
First, we need to place ourselves in the middle between the target and their router. In that way, all their traffic must come through us. After doing that, we need to use a tool called "driftnet" that is  specially designed to identify, capture and reconstruct  images. After doing so, it will store them on our computer and display them on our screen.
Step #1: Use arpspoof to place ourselves in the middle
We have used both arpspoof and Ettercap to place ourselves in the middle in the classic MiTM attack. You can use either for this purpose, but in this lesson I will be using arpspoof.  Although Ettercap may be easier to use due to its intuitive GUI, I find that arpspoof is more reliable.
To set up the arpspoof,  remember we need three terminals. In the first one type;
kali > arpspoof -i eth0 -t 192.168.1.1 192.168.1.115
Where:
                -i eth0 is the interface we want to sniff and arpspoof on
                -t target
                192.168.1.1 is the IP address of the router
                192.168.1.115 is the suspected spy's IP
It's worth noting here that if we were doing this MiTM on a wireless network, we could simply replace the "-i eth0" with " -i wlan0".
Then, arpspoof the other end of the connection by reversing the IP addresses.
kali > arpspoof -i eth0 192.168.1.115 192.168.1.1
Finally, we need to set up IP forwarding.
kali > echo 1 > /proc/sys/net/ipv4/ip_forward
Now, we have placed ourselves successfully between our suspected spy and the router. All of his traffic, both coming and going to the Internet, must go through our computer! This opens up a lot of interesting possibilities for us!
Step #2: Set up driftnet
Now, that we have placed ourselves between the spy and his router, we should be able to see all the images that he is sending or receiving over the Internet. Our next step is to activate driftnet. We do this simply by typing driftnet from any terminal in Kali (don't use the open terminals with the arpspoof running as that will terminate the arpspoof).
kali > driftnet
Notice that when we do this, a small window opens up below our terminal. In my case here, it opened to the lower left, but it may open on any free screen real estate.  Maximize this window, as this is where driftnet displays the images it finds and reconstructs.
Step #3: View the Images in Real Time
Now, whenever our spy sends or receives any Internet traffic, it will traverse our system and we can filter, reconstruct, view and save the images.
Now, we simply wait for our suspected spy to go to the Internet.
Suddenly, pictures begin to appear on our screen in the driftnet window!
Looks like our spy is a sports fan! He navigated to www.espn.com and the driftnet app captured and displayed the pictures. This doesn't mean he wasn't up to something nefarious, so we will keep driftnet open to capture more images as he continues to surf the Internet or send files.
Step #4: Find the Stored Images
Although these first images appear to be  innocuous, we still may want to save them for further analysis. In addition, if we leave our MiTM in place and driftnet running, it will continue to capture images.
If we go back to the driftnet command terminal, we will see that driftnet tells us where it is saving the images.
Note that driftnet is saving the images to the /tmp directory with a randomly chosen subdirectory. Interestingly, the subdirectory is misspelled (drifnet rather than driftnet). This can sometimes be confusing. When looking for the images, of course, you must be certain to misspell the directory as well.
Let's navigate to that directory and see what driftnet has captured and saved for us.
kali > cd /tmp/drifnet-1Ilw8b
As you can see, in just a few short seconds, driftnet has captured, reconstructed and saved numerous images. These are all jpeg and gif files, but driftnet is capable of capturing and reconstructing other image files as well, including MPEG and audio files.


from hackers-arise full article here

Popular posts from this blog

Chaos in a cup: When ransomware creeps into your smart coffee maker

When the fledgling concept of the Internet of Things (IoT) was beginning to excite the world almost a decade ago, perhaps no coffee lover at that time would've imagined including the coffee machine in the roster of internet-connected devices—even in jest. True, the simple, utilitarian coffee machine may not be as popular now as it used to back in the day, but its continued availability within office premises and private home kitchens, plus inherent risks—much like any IoT device—may be in equal footing with your smart speaker , smart doorbell , or smart light bulb . Cybersecurity issues surrounding internet-connected coffee machines are further punctuated by the latest news about how Martin Hron, a reverse engineer from Avast, tinkered his Smarter coffee maker to not only beep and spew out hot water but also deprive you of a nice, morning brew and display a short ransom note. Courtesy of Dan Goodin, Ars Technica Yes, Hron turned his coffee maker into a ransomware mach
Read more

A week in security (December 10 – 16)

Last week on Labs, we took a look at some new Mac malware , a collection of various scraped data dumps , the protection of power grids , and how bad actors are using SMB vulnerabilities .   Other cybersecurity news Millions affected by Facebook photo API bug: An issue granted third-party apps more access to photos than should normally be granted, including images uploaded but not published. (source: Facebook) Bomb threats may be a hoax: An email in circulation urging ransom payments in Bitcoin lest bombs across the US be detonated may well be a fake , according to US law enforcement. (source: The Register) Man jailed for fraud offenses: A man in the UK has been jailed for taking part in fraudulent activities. The main point of interest is surely the spectacular device he built. (source: Met Police) Another Google Plus bug: For six days, developer were able to access profile data not made public by the users. (source: Google) Windows 10 data collection: Reddit use
Read more

Skimmer acts as payment service provider via rogue iframe

Criminals continue to target online stores to steal payment details from unaware customers at a rapid pace. There are many different ways to go about it, from hacking the shopping site itself, to compromising its supply-chain. A number of online merchants externalize the payment process to a payment service provider (PSP) for various reasons, including peace of mind that transactions will be handled securely. Since some stores will not process payments on their own site, one might think that even if they were compromised, attackers wouldn't be able to steal customers' credit card data. But this isn't always true. RiskIQ previously detailed how Magecart's Group 4 was using an overlay technique that would search for the active payment form on the page and replace it with one prepped for skimming. The one we are looking at today adds a bogus iframe that asks unsuspecting customers to enter their credit card information. The irony here is that the s
Read more