HTTP downgrade attacks with BetterCAP ARP/DNS spoofing
For this scenario, we'll fall back on our handy ARP poisoning attack. A fun assignment to sharpen your skills is to pull off this same attack with the malicious access point described in the previous chapter.
First, make sure Kali is established on the LAN with your target. Use your standard enumeration method to find the target – better yet, let BetterCAP sniff it out for you.
When you have your target IP, fire off this command. We'll use 192.168.108.92 as our target.
# bettercap --proxy -T 192.168.108.92 -P POST
That's it. BetterCAP starts poisoning ARP tables for your target and the gateway, which it has automatically established, and it conducts a full duplex attack automatically. As the target browses, you'll see BetterCAP lighting up your Terminal window with juicy information:
Let's take a look at this command:
- --proxy creates an HTTP proxy and seamlessly directs captured HTTP traffic to it.
- -T defines our target. BetterCAP already figures out the gateway and takes care of the ARP attack for us.
- -P is the parser to parse out packets containing some targeted data; in this case, we're going with POST to find logins. Some other juicy options to consider, depending on the context of your attack, include RLOGIN, SQL, RADIUS, and so on.
Let's attack a Federal Credit Union website and see what the victim's browser looks like, then we'll take a peek at BetterCAP parsing out the login attempt.
As you can see, the URL has extra w's, and Chrome is advising that it's plain HTTP. Different browsers will show this differently. For this to work, we rely on the user's complacency:
On the attacker's end, we see all the fields laid out nicely for us, including PasswordField (the username field is off the screen):