CrypticSploit

Pentester / Redteamer

Are VPNs necessary? Should you connect to any Wi-Fi?

In the modern world we are constantly connected through IoT devices on a network, whether at home, at the office or at a public Starbucks. This article looks at how an attacker can ARP spoof the router everyone is connected to, sniff your traffic and potentially steal credentials. The test focused on an iPhone 15, to look at the app and Safari traffic I could monitor or manipulate for credentials, and it was done on my trusty Parrot OS, as it has an amazing plethora of tools pre-installed.

Next, on Parrot we will use a tool called airgeddon; think of it as the airmon-ng suite all in one.

After airgeddon starts, it prompts the user to select the chipset, or whatever interface you are using to get an internet connection.

In this example we will use the Evil Twin attack menu, but the main purpose is to deauthenticate the user and wait for the reconnect; there won't be any cloning of networks.

We are doing this specific attack because it requires monitor mode to be on. Realistically a threat actor won't have any Wi-Fi connection to nearby routers when trying to pentest one, so enabling monitor mode is the attack vector any threat actor would default to, and you need it enabled regardless to sniff the beacons and Wi-Fi access points to see which one to attack.

After enabling monitor mode, a threat actor would go through option 9 (monitor mode is off by default); the main goal is to deauth a target and capture a four-way handshake.

After that selection, it prompts the user to press Ctrl + C to stop capturing network IDs.

Once that is running, a console appears in the top right corner and scans for every Wi-Fi router it can see. Press Ctrl + C to stop the scan and display all the networks it has found.

After pressing the two keys, a large list appears of all the networks found, categorized by BSSID, channel, ESSID, etc. For privacy reasons I'll be blurring out some network names to prevent being doxxed.

After looking through the list, a target is selected to continue the attack.

After selecting the network, the user is prompted with 3 options, but the point of this attack vector is a deauth, so

Then two consoles appear, top right and bottom left: one is trying to deauthenticate the client and the other is capturing the four-way handshake.

After waiting for some time it deauthed a user, and as that user reconnected, the top right console shows it captured a handshake. With that handshake we will be able to recover the password.

After saving the handshake locally, head back to the airgeddon menu and proceed to option 6, Offline WPA/WPA2 decrypt, to brute force the password.

Proceeding, the crunch attack is a viable option as it brute forces passwords offline by generating combinations of letters, digits and special characters, and there is no lockout.

After waiting a while, if the password isn't complex, the crunch attack can crack it very quickly. And BOOM, just like that the threat actor has the Wi-Fi password and access to the network.
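The deauth-and-reconnect pattern described above is visible to a defender watching management frames. As an added detection example (not airgeddon's or the author's code), this script flags a burst of deauth frames followed by the client's EAPOL reconnect, from a constructed frame log; the log format, the MAC addresses and the thresholds are assumptions.

```python
# Added example: detect the deauth burst that precedes a forced handshake
# capture. Frame lines use a constructed summary format (assumed, not a real
# tool's output): "<epoch_seconds> <bssid> <client_mac> <subtype>".
from collections import defaultdict

# Constructed sample: one client is flooded with deauths and reconnects
# (assoc + EAPOL); a second client sees a single deauth (normal roaming).
SAMPLE_LOG = """\
1700000000 aa:bb:cc:dd:ee:01 11:22:33:44:55:66 data
1700000002 aa:bb:cc:dd:ee:01 11:22:33:44:55:66 deauth
1700000002 aa:bb:cc:dd:ee:01 11:22:33:44:55:66 deauth
1700000003 aa:bb:cc:dd:ee:01 11:22:33:44:55:66 deauth
1700000003 aa:bb:cc:dd:ee:01 11:22:33:44:55:66 deauth
1700000004 aa:bb:cc:dd:ee:01 11:22:33:44:55:66 deauth
1700000005 aa:bb:cc:dd:ee:01 11:22:33:44:55:66 assoc_req
1700000006 aa:bb:cc:dd:ee:01 11:22:33:44:55:66 eapol
1700000030 aa:bb:cc:dd:ee:01 aa:aa:aa:aa:aa:02 deauth
1700000031 aa:bb:cc:dd:ee:01 aa:aa:aa:aa:aa:02 assoc_req
"""

def parse_frames(text):
    """Parse summary lines into (ts, bssid, client, subtype) tuples."""
    frames = []
    for line in text.splitlines():
        if line.strip():
            ts, bssid, client, subtype = line.split()
            frames.append((int(ts), bssid, client, subtype))
    return frames

def find_deauth_floods(frames, window=10, threshold=5):
    """Return {(bssid, client): count} for pairs that received at least
    `threshold` deauth frames inside one `window`-second bucket."""
    counts = defaultdict(int)
    for ts, bssid, client, subtype in frames:
        if subtype == "deauth":
            counts[(bssid, client, ts // window)] += 1
    floods = {}
    for (bssid, client, _), n in counts.items():
        if n >= threshold:
            floods[(bssid, client)] = max(n, floods.get((bssid, client), 0))
    return floods

def handshake_after_flood(frames, floods):
    """True per flooded pair if EAPOL (4-way handshake) frames follow the
    first deauth: the reconnect an attacker waits for to capture it."""
    out = {}
    for pair in floods:
        first = min(t for t, b, c, s in frames if (b, c) == pair and s == "deauth")
        out[pair] = any(t > first and (b, c) == pair and s == "eapol" for t, b, c, s in frames)
    return out
```

On the mitigation side, 802.11w Protected Management Frames (mandatory in WPA3) authenticate deauth frames so a forged one is dropped, and a long random passphrase keeps a captured handshake uncrackable by a crunch-style brute force.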

After getting access to any network, whether through this method or through social engineering to get on the Wi-Fi, a threat actor would start nmapping the environment, and others would immediately attempt MITM attacks on devices on the same network. That is just what we will demonstrate with a tool called Bettercap, so we will go ahead and start it.

Once bettercap is running, set net.probe on so it starts scanning for other devices on the router as possible attack targets, and run net.show to see the table of devices.

After pulling up the table I pointed to 2 IPs on it: one was my desktop, the bottom one was my iPhone. I decided to conduct the rest of this POC on my iPhone because this device is one of the MOST used in the world, so showing this example on any Wi-Fi network should be applicable to about anyone.

This section demonstrates a threat actor who only wants to sniff traffic to see what their target is doing, whether it's a spouse spying on the network traffic or anyone else. After adding the iPhone's internal IP to the targets list, enable arp.spoof on as well as net.sniff on, and now the traffic of any app or website they visit is captured. In the image we see the device went to X (Twitter) to browse for a minute and then Bumble? Nah, that's sus, they cheating.

After even more waiting, if they go to Safari or any web browser, no matter the website, it will show it as well as its details... if ya know what I mean.
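The arp.spoof step above leaves a clear fingerprint on the LAN: the gateway's IP suddenly answers from a second MAC, and that MAC also answers for the victim. As an added defender-side example (not bettercap's or the author's code), this script raises both alerts from a constructed list of ARP replies; the record format, the gateway address and the MACs are assumptions.

```python
# Added example: spot ARP cache poisoning of the kind bettercap's arp.spoof
# performs by watching which MAC claims each IP. Record format is constructed:
# "<epoch_seconds> <sender_ip> <sender_mac>" for every ARP reply seen.
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # assumed LAN layout for the sample below

# Constructed sample: the real router answers first; later a third host
# starts answering for both the gateway and the victim (.20), so traffic in
# both directions flows through it.
SAMPLE_ARP = """\
1700000000 192.168.1.1 a0:a0:a0:00:00:01
1700000001 192.168.1.20 b0:b0:b0:00:00:20
1700000002 192.168.1.30 c0:c0:c0:00:00:30
1700000010 192.168.1.1 c0:c0:c0:00:00:30
1700000011 192.168.1.20 c0:c0:c0:00:00:30
1700000012 192.168.1.1 c0:c0:c0:00:00:30
"""

def parse_arp(text):
    """Parse the reply records into (ts, ip, mac) tuples."""
    return [(int(t), ip, mac.lower()) for t, ip, mac in
            (line.split() for line in text.splitlines() if line.strip())]

def detect_arp_spoof(replies, gateway_ip=GATEWAY_IP):
    """Return alert strings for two signals:
    1. an IP whose MAC differs from the first MAC seen for it (a flip);
    2. one MAC answering for more than one IP (posing as gateway and victim).
    Each poisoned reply after the flip is reported, so a sustained spoof
    keeps generating alerts for as long as the attacker re-poisons."""
    first_mac = {}
    ips_per_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        ips_per_mac[mac].add(ip)
        if ip not in first_mac:
            first_mac[ip] = mac
        elif first_mac[ip] != mac:
            tag = "GATEWAY" if ip == gateway_ip else "host"
            alerts.append(f"{ts} {tag} {ip} flipped {first_mac[ip]} -> {mac}")
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} IPs: {sorted(ips)}")
    return alerts
```

Static ARP entries for the gateway on the client, or Dynamic ARP Inspection on a managed switch, stop the poisoning outright; where that is not available, HTTPS with HSTS limits what a sniffer in this position can read.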

NOW, after all of that, we can see that capturing traffic and seeing activity is possible, BUT I wanted to take it a step further and think of ways to capture credentials. That brings us to another tool called Zphisher, a tool mainly used to create advanced phishing templates; it uses Cloudflare proxies to temporarily stand up an HTTPS phishing page that stays up only for so long. With this attack method we can inject JavaScript to force-redirect the browser to the phishing page.

For now we select the Instagram option, as for an iPhone user that is an app/login a lot of people are used to seeing, and being redirected to it many won't think much of it. That one was selected although there are many choices to choose from.

While it offers different types of login pages, we proceed with the normal one.

It then shows 3 options; we proceed with "cloudflared" as it creates the HTTPS phishing link we will be using for the redirect.

Once the link is created, we write a short JavaScript script in VS Code that will be injected through bettercap for the URL redirect.

In VS Code, threat actors can create a script like the one below that can be used for an attack.

Heading back to bettercap, in the red lines we tell it to inject the JavaScript and give it the file path of the script we worked on.

These MITM redirects usually only work on HTTP:// websites, so the site/link we are sending, like the image below, is a plain HTTP site, but no one will click it, right?

So what happens now? A threat actor would most likely use a URL shortener that hides the HTTP:// site and automatically redirects to the phishing site.

The following was tested on my iPhone 15 on the LATEST iOS: after clicking the SHORTENED URL it auto-redirected to "que-pqrtnerships-impressive-clicking.trycloudflare.com", the phishing link that was generated, which then appears as an Instagram login page.

For the purpose of testing I went ahead and UNHID the credentials and the email I typed before clicking the login button. Disclaimer: The credentials and email were made up and random. I don't know or have any association with the email or aliases mentioned.

After submitting the request, it appears to redirect back to the real Instagram login page.

Looking back at Zphisher, it has logged and recorded the username and password for the account, and the threat actor can now log in.

NOW, what was the point of all of this? What was shown is very possible on every network, public or private. Using a VPN will protect you from these attacks by encrypting your traffic even when the attacker is on the same network, which protects against MITM attacks. This is also to show the dangers of public Wi-Fi networks and make you think twice before connecting without a VPN.

Article By CrypticSploit

Feel free to message me on Twitter for more info or questions.