BetterCap and the First REAL DoubleDirect ICMP Redirect Attack

2016-01-10

bettercap, double direct, doubledirect, icmp, icmp redirect, icmp spoofing, routing, routing table, spoofer, spoofing, zimperium

The next release of bettercap will include a new spoofer module as an alternative to the default ARP spoofer.
The new module performs a fully automated and full duplex ICMP Redirect MITM attack, what my collegues at Zimperium discovered and called a DoubleDirect attack.

BetterCap will be the very first MITM framework to have this feature 100% working without any additional spoofers.

If you’re thinking about ettercap ICMP spoofer which was released (I think) years ago, let me remind you what its documentation says about it:

Obviously you have to be able to sniff all the traffic. If you are on a switch you have
to use a different mitm attack such as arp poisoning.

So yeah, unless you’re already able to sniff network traffic ( in which case, why would you even need to do a MITM attack?!?!?! ), ettercap’s ICMP module is completely useless.

lulz

On the other hand, MITMf is not that much better, if you look closely at its code, you will find that the ICMP spoofer only does this:

def build_icmp(self):
   pkt = IP(src=self.gateway, dst=self.target)/ICMP(type=5,code=1, gw=self.ip_address) /\
              IP(src=self.target, dst=self.gateway)/UDP()

   return pkt

Which basically will only reroute traffic to the gateway.

derp

In order to have a real and full duplex MITM using ICMP Redirect packets, you have to reroute the gateway and every other address that the target/victim is requesting, which is why I used
a DNS watcher thread just like described on Zimperium’s blog post.

imsexy

So stay tuned guys, the next release is close!

Become a Patron!