Why Man In The Middle (MITM) is not working with my Huawei router?

Man-in-the-Middle is not working with my router (Huawei) on my Windows machine/any device.

But it works with another router on my same Windows machine/any device.

When I do MITM with the Huawei router:

Linux MAC: a0:af:bd:c5:21:87   Router's MAC: 7c-11-cb-1f-ad-85 

My Windows ARP table before doing MITM on it:

    c:\Users\acer>arp -a

    Interface: 192.168.1.113 --- 0x4
      Internet Address        Physical Address      Type
      192.168.1.1             7c-11-cb-1f-ad-85     dynamic
      192.168.1.255           ff-ff-ff-ff-ff-ff     static
      224.0.0.022             01-00-5e-00-00-16     static

arpspoof script to do MITM:

1st terminal:

arpspoof -i wlan0 -t 192.168.1.113 192.168.1.1 

2nd terminal:

arpspoof -i wlan0 -t 192.168.1.1 192.168.1.113 

Then the Windows machine's ARP table is:

    c:\Users\acer>arp -a

    Interface: 192.168.1.113 --- 0x4
      Internet Address        Physical Address      Type
      192.168.1.1             7c-11-cb-1f-ad-85     dynamic
      192.168.1.112           a0:af:bd:c5:21:87     dynamic
      192.168.1.255           ff-ff-ff-ff-ff-ff     static
      224.0.0.022             01-00-5e-00-00-16     static

I tried with bettercap, ettercap and my own Python script, and I have done ‘echo 1 > /proc/sys/net/ipv4/ip_forward’ in Linux. It is still not working! Not capturing anything.

The expected ARP table on Windows:

    Interface: 192.168.1.113 --- 0x4
      Internet Address        Physical Address      Type
      192.168.1.1             a0:af:bd:c5:21:87     dynamic
      192.168.1.255           ff-ff-ff-ff-ff-ff     static
      224.0.0.022             01-00-5e-00-00-16     static
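From the defender's side, the three tables above are exactly what an ARP-cache monitor inspects. The following added example (not from the post) parses Windows `arp -a` output and flags the two conditions a successful ARP spoof produces: the gateway's MAC differing from a recorded baseline, and one MAC being bound to several IPs. The samples are constructed from the poster's tables; the gateway IP and baseline MAC are assumed from the post.

```python
"""Flag ARP-cache anomalies in Windows `arp -a` output (added example)."""
import re
from collections import defaultdict

# One table row: IP, MAC (Windows prints '-' but pasted tables mix ':'), type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(dynamic|static)",
    re.MULTILINE,
)

def norm_mac(mac: str) -> str:
    """Normalise separators so 7c-11-cb-... and 7c:11:cb:... compare equal."""
    return mac.lower().replace("-", ":")

def parse_arp(text: str) -> dict:
    """Return {ip: mac} for dynamic rows; static rows are broadcast/multicast
    placeholders that no ARP reply can change."""
    return {ip: norm_mac(mac) for ip, mac, kind in ENTRY.findall(text) if kind == "dynamic"}

def arp_alerts(text: str, gateway_ip: str, gateway_mac: str) -> list:
    """Compare a fresh table against the baseline gateway binding."""
    table, alerts = parse_arp(text), []
    seen = table.get(gateway_ip)
    if seen is not None and seen != norm_mac(gateway_mac):
        alerts.append(f"gateway {gateway_ip} now resolves to {seen}, baseline {norm_mac(gateway_mac)}")
    by_mac = defaultdict(list)          # a spoofing host answers for IPs it does not own
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts

# Constructed samples: the poster's clean table, and a poisoned table in which the
# attacker's MAC is bound both to the gateway IP and to its own address.
CLEAN = """Interface: 192.168.1.113 --- 0x4
  Internet Address        Physical Address      Type
  192.168.1.1             7c-11-cb-1f-ad-85     dynamic
  192.168.1.255           ff-ff-ff-ff-ff-ff     static
"""
POISONED = """Interface: 192.168.1.113 --- 0x4
  192.168.1.1             a0:af:bd:c5:21:87     dynamic
  192.168.1.112           a0:af:bd:c5:21:87     dynamic
  192.168.1.255           ff-ff-ff-ff-ff-ff     static
"""

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("poisoned", POISONED)):
        print(name, arp_alerts(sample, "192.168.1.1", "7c-11-cb-1f-ad-85") or ["no anomalies"])
```

Run against the poster's second table, the checker reports nothing, because the gateway row still carries the router's MAC; only the "expected" table trips the gateway check.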

Burp Proxy vs MITM

I have recently started using Burp as a proxy for hunting bugs on websites and I see many submissions where people have intercepted and modified requests/responses to exploit certain logic flaws in web applications. However, this is possible only because we have installed Burp’s certificate in our browser that allows it to decrypt the traffic to and from the web application. However, in a realistic scenario, the attacker would have to conduct a MITM attack to intercept/modify traffic. This makes me wonder what the point is of traffic interceptions using Burp.

Is it possible to craft a certificate signing chain that thwarts MITM corporate VPNs?

Some companies install corporate VPNs which also come with a root certificate installed on all employees’ machines. This allows for encrypted traffic to be decrypted by technology installed on the VPN. Some companies even have to do this to meet certain auditing and compliance requirements.

Is it possible for a website to set up a certificate signing chain in such a way that, if the root cert that signed it is replaced by the corporate VPN's root cert, it would either fail to load the website, or prevent it from being overwritten by the root cert entirely in the first place?

Or, if there's a root cert installed on a machine, is it impossible to prevent TLS interception by a MITM party?

DNS spoofing via ssl (https) by mitm with own wlan server

Problem: I have a local machine (IoT, let's call it MCC) which connects via SSL to a website (mcc.com) to get some JSON data. I would like to send modified JSON from my own server.

Idea: Set up a local device (let's call it rasp) which opens a wifi hotspot. The MCC should then connect to the rasp. The rasp answers with a certificate from the public server mcc.com, but sends the modified JSON data.

I am not familiar with DNS, but I expect this to be difficult as we do not own the public key of mcc.com. Does someone know some solution here? The MCC does not use some kind of DNS over https.

MITM Attack on Gmail’s SSL in 2011

I have read these posts: https://www.cnet.com/news/fraudulent-google-certificate-points-to-internet-attack/

https://support.google.com/mail/forum/AAAAK7un8RU3J3r2JqFNTw/?hl=en&gpf=d/category-topic/gmail/share-and-discuss-with-others/3J3r2JqFNTw

As far as I know, a certificate should be installed on a server.

So I don't quite understand how issuing a fraudulent certificate for *.google.com (the spelling of the common name is correct, it is not phishing) could trigger these browser warnings without installing it on a server.

I understand that a private key is in their hands but how did they manage to throw this certificate from the official Google website to users?

Did they install it on a Gmail server?

Could you explain, please?

Screenshot of certificate error in Chrome

weird things in traffic with wireshark (mitm ?)

I'm searching for malware on my laptop but I'm not sure if it's within or outside (I mean on the router). Anyway, I started to capture the traffic from my PC with Wireshark and I found really a lot of weird packets. They're coloured black and are:

  • [TCP Retransmission] <— a lot
  • [TCP Out-Of-Order]
  • [TCP Dup ACK]
  • [TCP Spurious Retransmission]
  • [TCP ACKed unseen segment]

Could those errors be signs of some kind of MITM attack?

Intercepting TCP traffic through MITM attack

I’m trying to capture TCP requests through Burp Suite with this hacky method.

Basically it listens for user selected protocol requests (TCP/UDP) and then forwards them to Burp Suite (or any other tool, if you want to) just like they’re HTTP requests. All this by setting a proxy, and Burp Suite will listen to that proxy IP/Port.

However, what I need to do is listen to a website which sends TCP packets, so I should see HTTP/HTTPS requests too. This is what I tried:

sudo python mitm_relay.py -l 0.0.0.0 -p 127.0.0.1:8081 -r tcp:80:example.com:80 

where 0.0.0.0 listens on any local interface, the proxy listener has been set to 127.0.0.1:8081, and the example.com hostname will be converted to the IP address I will send TCP packets to (port set to 80). However, I've set my default Firefox proxy to 127.0.0.1:8081 and when I navigate to example.com I can't see any packet being sniffed in my terminal.

Also, this is not an HTTP request, so I've generated my server.pem and server.key exactly as described here:

    ~/mitm_relay/ $ ls | grep -iE 'ca|ser'
    cacert.cer
    cacert.pem
    cacert.srl
    cakey.cer
    cakey.pem
    server.csr
    server.key
    server.pem

(those are all files generated through those commands).

  1. How can I intercept TCP requests to example.com on port 80?
  2. How can I intercept any domain TCP request on port 80?
  3. What’s an example command of intercepting SSL data (like HTTPS) through that script with those generated certificate files?
  4. Is setting Burp to listen on the 127.0.0.1:8081 proxy enough for the 3 previous questions?

Does HSTS prevent MITM using a valid certificate?

Let’s consider this scenario:

An attacker got a valid certificate for an HSTS-protected domain https://example.com. Can he still perform a man-in-the-middle attack even if the website is already loaded in the browser's HSTS list?

I remember using Burp Suite once and getting a strict-transport-security-related error for a valid certificate, so I would suppose the HSTS list also contains the certificate fingerprint, although I could not find anything about it in the RFC.