TLS-MITM-attack

A Man-in-the-Middle (MITM) attack is one in which an attacker, without being noticed by the two communicating parties, listens to their communication and may alter the information in the packets exchanged between them, while both parties believe the information is authentic and real.

TLS (Transport Layer Security) is the successor to SSL (Secure Sockets Layer). It is a cryptographic protocol whose main aim is to provide secure communication over a network, thereby providing data integrity and privacy.

SSLStrip was introduced in 2009 as a way to perform MITM. In this attack, the attacker prevents the victim's browser from upgrading to SSL, so the connection is established over HTTP rather than HTTPS; the data sent over the network can then be eavesdropped on and also modified.

In this lab, the TLS MITM attack is performed against the XP machine, which opens the website http://fakebook.vlab.local. This site initially runs over a secure HTTPS connection. To perform the MITM attack, we use the Kali machine as the attacker: it runs the gratuitous ARP script, uses SSL stripping, and captures the username and password typed by the victim on the XP machine.

Initially there is a direct connection between the XP machine and the router. After the attack, the Kali machine acts as a mediator, so that all requests sent by XP are received by Kali first. This is done by ARP spoofing: the attacker sends gratuitous ARP reply packets that bind the attacker's MAC address to the victim's IP address (sent to the router) and bind the attacker's MAC address to the router's IP address (sent to the victim's machine). This is termed ARP cache poisoning, because the ARP cache tables of the router and of the victim are updated with the false entries at regular intervals. Now all the data meant for the XP machine is sent to Kali (the attacker), which captures all the information transferred between XP and the router. The attacker then changes the website's HTTPS links to HTTP so that all data is transferred in plain text, and the username and password are captured in the SSLstrip.log file.
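As an added example from the defender's side (not code from this lab repository), the following Python script flags the ARP cache poisoning pattern just described: an IP whose MAC changes from its known-good binding, the same rebinding repeated as a gratuitous ARP script would do, and one MAC answering for both the router and the victim. The addresses, MACs and ARP records are constructed sample data.

```python
# Added detection example (not from the lab repository): flag the ARP cache
# poisoning the lab describes, where one MAC is bound both to the router's IP
# (towards the victim) and to the victim's IP (towards the router).
# All addresses and ARP records below are constructed sample data.
from collections import defaultdict

# Known-good IP -> MAC bindings, e.g. from a baseline capture or the DHCP server.
BASELINE = {
    "10.0.0.1": "aa:aa:aa:aa:aa:01",   # router (default gateway)
    "10.0.0.10": "aa:aa:aa:aa:aa:10",  # victim workstation
}

def detect_poisoning(replies, baseline, gateway_ip, min_repeats=3):
    """Return (kind, detail) alerts: 'rebind' (an IP's MAC differs from baseline),
    'burst' (that rebind repeats at least min_repeats times, as a spoofing
    script does) and 'multi_ip' (one MAC answers for several IPs, one of them
    the gateway). Each reply is a (sender_ip, sender_mac) tuple."""
    alerts = []
    ips_by_mac = defaultdict(set)   # which IPs each MAC has claimed
    rebinds = defaultdict(int)      # how often each (ip, foreign mac) was seen
    for ip, mac in replies:
        ips_by_mac[mac].add(ip)
        good = baseline.get(ip)
        if good and good != mac:
            rebinds[(ip, mac)] += 1
            if rebinds[(ip, mac)] == 1:  # report each rebinding once
                alerts.append(("rebind", f"{ip}: {good} -> {mac}"))
    for (ip, mac), n in rebinds.items():
        if n >= min_repeats:
            alerts.append(("burst", f"{ip} -> {mac} seen {n} times"))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1 and gateway_ip in ips:
            alerts.append(("multi_ip", f"{mac} claims {sorted(ips)}"))
    return alerts

# Constructed capture: cc:cc:... repeatedly claims both the router and the victim.
SAMPLE = [("10.0.0.1", "aa:aa:aa:aa:aa:01")] + [
    (ip, "cc:cc:cc:cc:cc:cc") for _ in range(3) for ip in ("10.0.0.1", "10.0.0.10")
]

if __name__ == "__main__":
    for kind, detail in detect_poisoning(SAMPLE, BASELINE, "10.0.0.1"):
        print(kind, detail)
```

Fed with records from a real capture (one (ip, mac) tuple per ARP reply), the same function works unchanged; a sudden rebind of the gateway's IP is the signal to look for.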

How does SSLstrip work?

SSL Strip is a technique used by the attacker to downgrade the website used by the victim from HTTPS to HTTP. Websites using HTTPS transmit data through a secure tunnel from source to destination, i.e., from the server to the client's computer, and this secure tunnel makes use of SSL. In order to perform SSL Strip, the attacker has to perform a Man-in-the-Middle attack, since he needs to reroute the traffic from the client's (victim's) machine to the server and from the server back to the victim's machine.

In this assignment, when the XP machine tries to open the fakebook website, it sends a request to the server (External Router) to get access. This request is intercepted by the attacker (the Kali machine, the MITM), who forwards it to the server. The transmission of data between the attacker and the server is secured through the secure tunnel. When the server responds to the request, it returns the response with the HTTPS link to the attacker. The attacker then modifies this link, converting it from HTTPS to HTTP, and sends it on to the victim (the XP machine). Thus, when the victim logs in to his fakebook account, all of his details and credentials are transmitted to the attacker (Kali) in plain text rather than in encrypted form, and are stored in the sslstrip.log file.

The victim has no idea whether he is browsing an HTTP or an HTTPS website, since there are no certificate errors from the server side: from the server's point of view it received an HTTPS request and returned an HTTPS response. But since the victim is connecting through the MITM, all the credentials are captured and stored by the attacker, who can use them for any purpose, and the victim will not know about it.
