MitM (802.1x)

This article describes how to capture traffic between a client and the network using a passive “Man in the Middle” bridge. In the example below, eth0 and eth1 are the two bridged interfaces.

Configure the MitM interfaces as “link only” interfaces.

/etc/network/interfaces:

auto eth0
iface eth0 inet manual

auto eth1
iface eth1 inet manual

Bring the physical interfaces up:

  • ifconfig eth0 up
  • ifconfig eth1 up

Clear the IP addresses on the physical interfaces:

  • ip addr flush eth0
  • ip addr flush eth1

Configure the MitM interfaces as a bridge

Build the bridge:

  • brctl addbr br0
  • brctl stp br0 off (turn off spanning tree, so the bridge does not emit BPDUs of its own)
  • brctl addif br0 eth0
  • brctl addif br0 eth1

Bring the bridge up:

  • ifconfig br0 up

Clear and flush ebtables:

  • ebtables -F
  • ebtables -t nat -F

Drop all traffic originating from the bridge host itself, so the tap stays silent towards both sides:

  • ebtables -A OUTPUT -s <mac address interface eth0 bridge> -j DROP
  • ebtables -A OUTPUT -s <mac address interface eth1 bridge> -j DROP
  • ebtables -A OUTPUT -s <mac address interface br0> -j DROP

If the network uses 802.1X port-based access control, the EAPOL frames between client and switch must also cross the bridge. They are sent to the reserved group address 01:80:C2:00:00:03, which a bridge does not forward by default; setting bit 3 of group_fwd_mask (value 8) on the MitM bridge enables that:

echo 8 > /sys/class/net/br0/bridge/group_fwd_mask

Now we can start Wireshark on the MitM host and capture traffic on eth0, eth1 and/or br0.
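The steps above collected into one script, as an added example that is not part of the original article. It uses the same brctl, ifconfig and ebtables commands the article does; the variable names, the DRY_RUN/RUN_SETUP switches and the <mac-of-...> placeholder are assumptions of this example. With DRY_RUN=1 it only prints the command sequence, so it can be reviewed without root and without touching any interface.

```shell
#!/bin/sh
# Added example, not the article's own code: the bridge set-up above as one
# script, using the same brctl/ifconfig/ebtables tools the article uses.
# DRY_RUN=1 prints each command instead of executing it, so the sequence can
# be reviewed without root and without touching real interfaces.

LEFT="${LEFT:-eth0}"       # interface towards the client
RIGHT="${RIGHT:-eth1}"     # interface towards the network (switch)
BRIDGE="${BRIDGE:-br0}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# MAC address of an interface from sysfs; on a host without that interface
# (dry-run review) a labelled placeholder, not a real address, is printed.
mac_of() {
    if [ -r "/sys/class/net/$1/address" ]; then
        cat "/sys/class/net/$1/address"
    else
        echo "<mac-of-$1>"
    fi
}

# group_fwd_mask is a bitmask over the reserved link-local group addresses
# 01:80:C2:00:00:00 .. 01:80:C2:00:00:0F: bit N allows frames to ...:0N to
# cross the bridge. 802.1X EAPOL uses 01:80:C2:00:00:03, so bit 3 = 8, the
# value the article writes. The kernel refuses bits 0-2 (STP, pause, LACP).
group_fwd_mask_for() {
    echo $((1 << $1))
}

# Write the mask to sysfs (or print the write in dry-run).
set_group_fwd_mask() {
    path="/sys/class/net/$BRIDGE/bridge/group_fwd_mask"
    if [ "$DRY_RUN" = "1" ]; then
        echo "echo $1 > $path"
    else
        echo "$1" > "$path"
    fi
}

setup_bridge() {
    # 1. physical interfaces up, with no IP addresses of their own
    for ifc in "$LEFT" "$RIGHT"; do
        run ifconfig "$ifc" up
        run ip addr flush "$ifc"
    done
    # 2. the bridge; STP off so the tap never emits BPDUs of its own
    run brctl addbr "$BRIDGE"
    run brctl stp "$BRIDGE" off
    run brctl addif "$BRIDGE" "$LEFT"
    run brctl addif "$BRIDGE" "$RIGHT"
    run ifconfig "$BRIDGE" up
    # 3. ebtables: start clean, then drop every frame the bridge host itself
    #    would originate, so nothing from the tap reaches client or switch
    run ebtables -F
    run ebtables -t nat -F
    for ifc in "$LEFT" "$RIGHT" "$BRIDGE"; do
        run ebtables -A OUTPUT -s "$(mac_of "$ifc")" -j DROP
    done
    # 4. let the 802.1X EAPOL exchange pass through the bridge
    set_group_fwd_mask "$(group_fwd_mask_for 3)"
}

# Run the set-up only when asked, so the file can be sourced for its functions.
if [ "${RUN_SETUP:-0}" = "1" ]; then
    setup_bridge
fi
```

Review the sequence with `DRY_RUN=1 RUN_SETUP=1 sh mitm-bridge.sh`; run it as root with `RUN_SETUP=1` to apply it. The three OUTPUT drops plus STP off are what keep the tap passive: the bridge forwards client and switch frames but never originates any of its own.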


Note: any actions you take based on the information in this article are strictly at your own risk!