# IoT SSL/TLS MITM Attack
The following figure depicts the experimental setup.
![](https://i.imgur.com/7qwEB8c.png)
## Ettercap
Install the latest version of Ettercap from its [GitHub repository](https://github.com/Ettercap/ettercap).
Installation details are described in the README and INSTALL files in the repository.
Edit the Ettercap configuration file so that:
- Ettercap keeps root privileges while it is running.
- SSL/TLS packets are forwarded to the Ettercap SSL dissection component.
```
sudo vim /etc/ettercap/etter.conf
```
![](https://i.imgur.com/m2QQm8c.png)
![](https://i.imgur.com/Ey4yTd1.png)
Run Ettercap with superuser privileges.
- `-L`: log all packets sniffed by Ettercap, together with all the passive information (e.g. host information, usernames, and passwords) it can collect.
- `-G`: run in GUI mode.
```
sudo /path/to/ettercap -L ettercap -G
```
Note: by default, Ettercap forges SSL certificates in order to intercept HTTPS traffic. This feature can be disabled by specifying the `-S` option.
**Start sniffing**
- Choose the network interface to be sniffed.
- Click the "Accept" button to start sniffing.
![](https://i.imgur.com/yiQVPSX.png)
**Scan hosts in the LAN**
- Click the "Scan for hosts" button.
- Click the "Hosts list" button to see the hosts found by Ettercap.
![](https://i.imgur.com/4OvRKLH.png)
**Select targets to be spoofed**
- In the "Host List" tab:
  - Select the row that corresponds to the Wi-Fi router, and click the "Add to Target 1" button.
  - Select the row that corresponds to the IoT device, and click the "Add to Target 2" button.
![](https://i.imgur.com/WDOq1hk.png)
- Select "Options" -> "Targets" -> "Current targets" to examine the selected targets.
Note: there is no concept of SOURCE or DESTINATION. The two targets are used to filter traffic going from one to the other and vice versa (since the connection is bidirectional).
![](https://i.imgur.com/RUljpXU.png)
**Perform ARP spoofing**
- Select "MITM menu" -> "ARP poisoning..."
![](https://i.imgur.com/kjbwMTx.png)
- Tick the "Sniff remote connections" checkbox, and click the "OK" button.
![](https://i.imgur.com/FgKSIWR.png)
**Stop MITM attack**
- Click the "Stop MITM" button to stop the attack.
![](https://i.imgur.com/2mlpYEV.png)
Examine the log files created by Ettercap.
```
etterlog ettercap.ecp
etterlog ettercap.eci
```
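The ARP poisoning step above changes the IP-to-MAC mapping that the router and the IoT device hold for each other, and that change is visible in a poisoned host's neighbour table. The following is an added example, not part of the original page or of Ettercap, that compares two `ip neigh show` snapshots to flag it; the addresses and MACs are constructed sample values, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed `ip neigh show` snapshots (documentation IPs, made-up MACs),
# as seen from a host standing in for the IoT device. 192.0.2.1 is the router.
BASELINE = """\
192.0.2.1 dev wlan0 lladdr 02:00:00:aa:00:01 REACHABLE
192.0.2.66 dev wlan0 lladdr 02:00:00:aa:00:42 STALE
"""
DURING = """\
192.0.2.1 dev wlan0 lladdr 02:00:00:AA:00:42 REACHABLE
192.0.2.66 dev wlan0 lladdr 02:00:00:aa:00:42 STALE
192.0.2.99 dev wlan0 FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)

def parse_neigh(text):
    """Map IP -> lower-cased MAC; entries without lladdr (FAILED, INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table

def find_arp_anomalies(baseline, current):
    """Return sorted (kind, subject, detail) tuples (hypothetical helper)."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
        old = baseline.get(ip)
        if old and old != mac:  # a known IP now answers from a different MAC
            findings.append(("mac_changed", ip, f"{old} -> {mac}"))
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # one MAC claims several IPs (also true for multi-homed hosts)
            findings.append(("shared_mac", mac, ",".join(sorted(ips))))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_arp_anomalies(parse_neigh(BASELINE), parse_neigh(DURING)):
        print(*finding)
```

Only a host whose cache is being poisoned shows these entries. A replaced network card or a host with several IP addresses produces the same findings, so treat them as leads to verify.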
## Wireshark
On the attacker machine, use Wireshark to capture packets exchanged between the IoT device and the IoT server.
```
sudo wireshark
```
It can be observed that Ettercap has replaced the authentic server certificate with a forged one and sent the forged certificate to the IoT device.
![](https://i.imgur.com/UNFunLp.png)