Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Inquisitor is a multithreaded, Python-based tool using libpcap to perform full-duplex ARP poisoning between two specified IPv4 hosts on a local network. Once active, it can capture and analyze FTP traffic, providing real-time insights into file transfers.

Notifications You must be signed in to change notification settings

ftTower/Inquisitor

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 
 
 

Repository files navigation

INQUISITOR

"In a Man-in-the-Middle attack, trust is the first victim."

header


Table of Contents

  1. Virtual Machine Setup
  2. VM Network Configuration
  3. Preparation for Attack Demo
  4. Setting Up the Attacker VM (Inquisitor)
  5. Man-in-the-Middle Attack

Virtual Machine Setup

This project requires three virtual machines:

  • Target VM: Runs the FTP server.
  • Source VM: Acts as the FTP client.
  • Inquisitor VM: Used as the attacker.

Recommended OS: Debian 12.11.0
Virtualization Software: Oracle VM VirtualBox

Tip: Install VirtualBox Guest Additions to enable clipboard sharing and drag-and-drop functionality.

Shared Clipboard Configuration

Enable clipboard sharing for each VM:

  1. In VirtualBox, go to Devices > Shared Clipboard > Bidirectional.

Root Access

Switch to the root user to avoid modifying the sudoers file:

su -

VM Network Configuration

Creating a NAT Network

  1. In VirtualBox, go to File > Tools > Network Manager > NAT Networks and create a new NAT network.
    Screenshot of VirtualBox NAT Network

  2. For each VM, go to Machine > Settings > Network, set "Attached to" as NAT Network, and select the network you created.
    Screenshot of VM Network Settings

Configuring DHCP for NAT Network

Ensure all VMs use DHCP for the NAT network:

sudo bash -c 'cat <<EOF > /etc/network/interfaces
# Network interfaces configuration

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet dhcp
EOF'
sudo systemctl restart networking
clear && ip a

Testing Connectivity Between VMs

  1. Get the IP addresses of each VM:

    ip a
  2. Test connectivity by pinging the other VMs:

    ping -c 1 <ip-of-source>
    ping -c 1 <ip-of-target>

Enabling Promiscuous Mode for the Attacker VM

  1. In VirtualBox, go to Machine > Settings > Network > Advanced > Promiscuous Mode.
  2. Set it to Allow All.

Promiscuous


Preparation for Attack Demo

Setting Up the FTP Server (Target VM)

Install and configure the FTP server:

sudo apt update && sudo apt install git vsftpd vim -y
sudo systemctl start vsftpd
sudo systemctl enable vsftpd
sudo systemctl status vsftpd
sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.original

Edit /etc/vsftpd.conf to improve security and enable passive mode. Ensure these lines are present:

anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=NO
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
xferlog_enable=YES
log_ftp_protocol=YES

Edit the file with:

sudo vim /etc/vsftpd.conf
sudo systemctl restart vsftpd

Create a dedicated FTP user and set up the directory:

sudo adduser ftpuser
sudo mkdir -p /home/ftpuser/ftp_files
sudo chown ftpuser:ftpuser /home/ftpuser/ftp_files
sudo chmod 755 /home/ftpuser/ftp_files
sudo systemctl restart vsftpd

Note: Remember the password you set for ftpuser—you will need it for FTP access.


Testing the FTP Client (Source VM)

On the source VM, install the FTP client and create a test file:

sudo apt install ftp -y
echo "This is a test file from the client." > ~/client_test.txt

Connect to the FTP server (replace <Target_IP> with the target VM's IP):

ftp <Target_IP>

Login credentials:

  • Username: ftpuser
  • Password: (password set earlier)

Test file upload:

cd ftp_files
put client_test.txt
ls

put


Setting Up the Attacker VM (Inquisitor)

Install required packages and clone the project repository:

sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install net-tools iputils-ping iproute2 vim git -y
sudo sysctl -w net.ipv4.ip_forward=1
git clone https://github.com/ftTower/Inquisitor.git Inquisitor
cd Inquisitor
echo "Setup complete."
source venv/bin/activate

Man-in-the-Middle Attack

illustration

Gathering Network Information

On the Source VM, get the IP and MAC addresses:

ip a
  • IPv4 Address: inet <Source_IP_Address>
  • MAC Address: link/ether <Source_MAC_Address>

On the Target VM, get the IP and MAC addresses:

ip a
  • IPv4 Address: inet <Target_IP_Address>
  • MAC Address: link/ether <Target_MAC_Address>

Running Inquisitor

Start the attack tool on the Inquisitor (Attacker) VM:

./ft_malcolm <source_ip> <source_mac_address> <target_ip> <target_mac_address>

Replace the placeholders with the actual values:

  • <source_ip>: Source VM's IP address
  • <source_mac_address>: Source VM's MAC address
  • <target_ip>: Target VM's IP address
  • <target_mac_address>: Target VM's MAC address

Flushing ARP Cache on VMs

To clear the ARP cache and force the VM to send a new one, use:

ip -s -s neigh flush all && ping -c 1 <ip_address_of_source_vm>

To view the ARP cache and compare with the other VM's MAC address:

clear && ip a && echo && ip neigh show

Normally, Inquisitor will replace both MAC addresses mapped to the other IPs with the attacker's MAC address.

arp cache


Capturing FTP Packets

Once Inquisitor has poisoned both the target and source (see above screenshot), reconnect to the FTP server from the source VM:

ftp connection

You will see traffic passing through the Inquisitor VM:

captured packets

To capture file exchanges, upload a file from the source VM to the FTP server:

captured files

That's it!

About

Inquisitor is a multithreaded, Python-based tool using libpcap to perform full-duplex ARP poisoning between two specified IPv4 hosts on a local network. Once active, it can capture and analyze FTP traffic, providing real-time insights into file transfers.

Topics

Resources

Stars

Watchers

Forks