4.3 - Web session hijacking over wireless with MITM attack
- To demonstrate this practice, let's start up the Apache server at "kali" machine to have a look at the default page:
- Writing 127.0.1.1 as URL, the Apache default page appears. It will be useful for comparing it with later web search by "roch":
- In order to launch the Web session hijacking attack, the attacker needs to send fake DNS responses that will resolve IP addresess from "roch" to "kali"s own IP. For that purpose, the command dnsspoof is available. As the victim "roch" (192.168.0.15) sends DNS requests (to DNS server 220.127.116.11 provided for the ISP), the attacker records everything at its terminal:
- Now, let's see what happens now when the victim "roch" tries to connect again to "www.ual.es". Because the session is hijacked by DNS spoofed responses, "roch" is able to see only what "kali" allows him to see. In this case, the default page of the Apache server:
- The victim "roch" sends an HTTP request for "www.ual.es", but it actually receives the "kali"s Apache server default page":
- The conclusion of this practice is that the attacker is able to modify data when relaying responses to the victim, being this one unaware of the suffered attack. The tool dnsspoof running on attacker's laptop sends DNS responses to the victim with its own IP address, faking the original one. The victim accepts this responses and sends HTTP requests to the attacker's IP address on port 80. What the responses contains is up to him, whatever the attacker wants the client to believe, maybe a masquerade web site imitating the original or legitimate one, so that the victim introduces credentials, maybe spoofed email, ... , or simply breaking options for the victim to connect to the Internet, in which last case it would be considered a Denial of Service attack.