Using MiTM with driftnet to View the Target's Images
In each of our previous MiTM attacks, we have been able to place ourselves between two users and to view their traffic. This traffic can been seen by using such tools as Wireshark and other packet sniffers. As we can see below, Wireshark shows us with great detail each packet going over the wire. We can use Wireshark to capture these packets for later detailed analysis.
When we use the Wireshark filter for "HTTP", we can see only the HTTP traffic and we know that this traffic has images in the packets. The problem is that we can't see them or reconstruct them as the images are often fragmented across multiple packets.
The problem comes when we want to see pictures, photos, jpg, png and other graphic files in this stream of traffic. By using Wireshark and other sniffing tools we can see that pictures and other graphic files are passing over the wire or air, but we can't see what those images are.
Let's assume that are task is to check to see whether someone we suspect is spying for a foreign government is sending secret images or receiving secret images from their computer. These images might include maps, plans, intellectual property, pictures of other spies, etc.. These images include top secret information that we may need to view to protect our nation. How can we do it?
First, we need to place ourselves in the middle between the target and their router. In that way, all their traffic must come through us. After doing that, we need to use a tool called "driftnet" that is specially designed to identify, capture and reconstruct images. After doing so, it will store them on our computer and display them on our screen.
Step #1: Use arpspoof to place ourselves in the middle
We have used both arpspoof and Ettercap to place ourselves in the middle in the classic MiTM attack. You can use either for this purpose, but in this lesson I will be using arpspoof. Although Ettercap may be easier to use due to its intuitive GUI, I find that arpspoof is more reliable.
To set up the arpspoof, remember we need three terminals. In the first one type;
kali > arpspoof -i eth0 -t 192.168.1.1 192.168.1.115
-i eth0 is the interface we want to sniff and arpspoof on
192.168.1.1 is the IP address of the router
192.168.1.115 is the suspected spy's IP
It's worth noting here that if we were doing this MiTM on a wireless network, we could simply replace the "-i eth0" with " -i wlan0".
Then, arpspoof the other end of the connection by reversing the IP addresses.
kali > arpspoof -i eth0 192.168.1.115 192.168.1.1
Finally, we need to set up IP forwarding.
kali > echo 1 > /proc/sys/net/ipv4/ip_forward
Now, we have placed ourselves successfully between our suspected spy and the router. All of his traffic, both coming and going to the Internet, must go through our computer! This opens up a lot of interesting possibilities for us!
Step #2: Set up driftnet
Now, that we have placed ourselves between the spy and his router, we should be able to see all the images that he is sending or receiving over the Internet. Our next step is to activate driftnet. We do this simply by typing driftnet from any terminal in Kali (don't use the open terminals with the arpspoof running as that will terminate the arpspoof).
kali > driftnet
Notice that when we do this, a small window opens up below our terminal. In my case here, it opened to the lower left, but it may open on any free screen real estate. Maximize this window, as this is where driftnet displays the images it finds and reconstructs.
Step #3: View the Images in Real Time
Now, whenever our spy sends or receives any Internet traffic, it will traverse our system and we can filter, reconstruct, view and save the images.
Now, we simply wait for our suspected spy to go to the Internet.
Suddenly, pictures begin to appear on our screen in the driftnet window!
Looks like our spy is a sports fan! He navigated to www.espn.com and the driftnet app captured and displayed the pictures. This doesn't mean he wasn't up to something nefarious, so we will keep driftnet open to capture more images as he continues to surf the Internet or send files.
Step #4: Find the Stored Images
Although these first images appear to be innocuous, we still may want to save them for further analysis. In addition, if we leave our MiTM in place and driftnet running, it will continue to capture images.
If we go back to the driftnet command terminal, we will see that driftnet tells us where it is saving the images.
Note that driftnet is saving the images to the /tmp directory with a randomly chosen subdirectory. Interestingly, the subdirectory is misspelled (drifnet rather than driftnet). This can sometimes be confusing. When looking for the images, of course, you must be certain to misspell the directory as well.
Let's navigate to that directory and see what driftnet has captured and saved for us.
kali > cd /tmp/drifnet-1Ilw8b
As you can see, in just a few short seconds, driftnet has captured, reconstructed and saved numerous images. These are all jpeg and gif files, but driftnet is capable of capturing and reconstructing other image files as well, including MPEG and audio files.