Ettercap

#apt-cache policy ettercap-gtk
ettercap-gtk:
  Installed: (none)
  Candidate: 1:0.7.3-1.2ubuntu2
  Version table:
 *** 1:0.7.3-1.2ubuntu2 0
        500 http://ch.archive.ubuntu.com feisty/universe Packages
        100 /var/lib/dpkg/status


To download and install Ettercap with its graphical interface:

apt-get install ettercap-gtk

To see the Ettercap dependencies:

#apt-cache depends ettercap-gtk

ettercap-gtk
Depends: libatk1.0-0
Depends: libc6
Depends: libcairo2
Depends: libfontconfig1
Depends: libfreetype6
Depends: libglib2.0-0
Depends: libgtk2.0-0
Depends: libltdl3
Depends: libncurses5
Depends: libnet1
Depends: libpango1.0-0
Depends: libpcap0.8
Depends: libpcre3
Depends: libpng12-0
Depends: libssl0.9.8
Depends: libx11-6
Depends: libxcursor1
Depends: libxext6
Depends: libxfixes3
Depends: libxi6
Depends: libxinerama1
Depends: libxrandr2
Depends: libxrender1
Depends: zlib1g
Depends: ettercap-common
Suggests: gksu
Conflicts: ettercap
Replaces: ettercap

In this first tutorial, we will place our Ettercap machine as the “man in the middle” by means of an ARP spoofing attack.

The network scenario diagram is available in the Ettercap introduction page.

The first thing to do is to set an IP address on your Ettercap machine in the same IP subnet as the machines you want to poison. For our tutorial the 192.168.1.100 IP address is used.
See the networking tutorial for detailed explanations about how to set an IP address on your Linux box.

As a reminder, Ettercap needs root privileges to start; once running, it drops its privileges and continues as the ‘nobody’ user.


1. ARP SPOOFING 2. ARP TRAFFIC 3. ARP TABLES 4. STOPPING THE ARP SPOOFING

1. ARP SPOOFING

Open Ettercap in graphical mode

#ettercap -G

Select the sniff mode

Sniff -> Unified sniffing

Scan for hosts inside your subnet

Hosts -> Scan for hosts

The network range scanned will be determined by the IP settings of the interface you have just chosen in the previous step.


See the MAC & IP addresses of the hosts inside your subnet.


Select the machines to poison

We chose to ARP poison only the Windows machine 192.168.1.2 and the router 192.168.1.1.
Highlight the line containing 192.168.1.1 and click on the “target 1” button.
Highlight the line containing 192.168.1.2 and click on the “target 2” button.
If you do not select any machine as a target, all the machines inside the subnet will be ARP poisoned.


Check your targets


Start the ARP poisoning

Mitm -> Arp poisoning

Start the sniffer

Finally, start the sniffer to collect statistics.

Start -> Start sniffing



2. ARP TRAFFIC

On the Windows machine, with the help of Wireshark, we can compare the ARP traffic before and after the poisoning:

As a reminder: (See the network diagram)

IP address     Host       MAC address
192.168.1.1    (Router)   11:22:33:44:11:11
192.168.1.2    (Windows)  11:22:33:44:55:66
192.168.1.100  (Pirate)   11:22:33:44:99:99

Before the poisoning
Before they can communicate, the router and the Windows machine each send an ARP broadcast request to learn the other's MAC address.

No  Source             Destination        Prot  Info
1   11:22:33:44:55:66  11:22:33:44:11:11  ARP   who has 192.168.1.1? Tell 192.168.1.2
2   11:22:33:44:11:11  11:22:33:44:55:66  ARP   192.168.1.1 is at 11:22:33:44:11:11
3   11:22:33:44:11:11  11:22:33:44:55:66  ARP   who has 192.168.1.2? Tell 192.168.1.1
4   11:22:33:44:55:66  11:22:33:44:11:11  ARP   192.168.1.2 is at 11:22:33:44:55:66


After the poisoning
The router's ARP broadcast request is answered by the Windows machine exactly as in the previous capture.
The difference is that there is no longer any request from Windows (192.168.1.2) to find the MAC address of the router (192.168.1.1), because the poisoner continuously sends ARP replies telling the Windows machine that 192.168.1.1 is at its own MAC address (11:22:33:44:99:99) instead of the router's MAC address (11:22:33:44:11:11).

No  Source             Destination        Prot  Info
1   11:22:33:44:11:11  11:22:33:44:55:66  ARP   who has 192.168.1.2? Tell 192.168.1.1
2   11:22:33:44:55:66  11:22:33:44:11:11  ARP   192.168.1.2 is at 11:22:33:44:55:66
3   11:22:33:44:99:99  11:22:33:44:55:66  ARP   192.168.1.1 is at 11:22:33:44:99:99
4   11:22:33:44:99:99  11:22:33:44:55:66  ARP   192.168.1.1 is at 11:22:33:44:99:99
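The two captures above are exactly the signals a network sensor can alert on. The following script is an added example written for this page, not Ettercap's code or anything from the original tutorial: it replays the four ARP frames of each capture (constructed here from the two tables) and flags a reply that answers no outstanding request, and an IP address that is suddenly claimed by a different MAC than the one seen or baselined before. KNOWN_HOSTS is a hypothetical inventory built from the network diagram.

```python
import re
from collections import defaultdict

# Constructed sample data: the two Wireshark captures from the tutorial, as
# (frame number, source MAC, destination MAC, Info column) tuples.
CAPTURE_BEFORE = [
    (1, "11:22:33:44:55:66", "11:22:33:44:11:11", "who has 192.168.1.1? Tell 192.168.1.2"),
    (2, "11:22:33:44:11:11", "11:22:33:44:55:66", "192.168.1.1 is at 11:22:33:44:11:11"),
    (3, "11:22:33:44:11:11", "11:22:33:44:55:66", "who has 192.168.1.2? Tell 192.168.1.1"),
    (4, "11:22:33:44:55:66", "11:22:33:44:11:11", "192.168.1.2 is at 11:22:33:44:55:66"),
]
CAPTURE_AFTER = [
    (1, "11:22:33:44:11:11", "11:22:33:44:55:66", "who has 192.168.1.2? Tell 192.168.1.1"),
    (2, "11:22:33:44:55:66", "11:22:33:44:11:11", "192.168.1.2 is at 11:22:33:44:55:66"),
    (3, "11:22:33:44:99:99", "11:22:33:44:55:66", "192.168.1.1 is at 11:22:33:44:99:99"),
    (4, "11:22:33:44:99:99", "11:22:33:44:55:66", "192.168.1.1 is at 11:22:33:44:99:99"),
]

# Hypothetical trusted IP -> MAC baseline (e.g. from DHCP leases or an
# inventory); values taken from the tutorial's network diagram.
KNOWN_HOSTS = {
    "192.168.1.1": "11:22:33:44:11:11",
    "192.168.1.2": "11:22:33:44:55:66",
}

REQUEST_RE = re.compile(r"who has (\S+?)\? tell (\S+)", re.I)
REPLY_RE = re.compile(r"(\S+) is at ([0-9a-f:]{17})", re.I)


def analyze_arp(frames, known=None):
    """Return a list of alert strings for the given ARP frames.

    Two checks are applied, both visible in the tutorial's 'after' capture:
      * an ARP reply that answers no outstanding request (unsolicited reply);
      * an IP address claimed by a MAC different from the one seen
        (or baselined) earlier for that IP.
    """
    pending = set()             # IPs asked for by a request, not yet answered
    claims = defaultdict(set)   # ip -> MACs that have claimed it so far
    for ip, mac in (known or {}).items():
        claims[ip].add(mac.lower())
    alerts = []
    for no, src, _dst, info in frames:
        req = REQUEST_RE.match(info)
        if req:
            pending.add(req.group(1))
            continue
        rep = REPLY_RE.match(info)
        if not rep:
            continue            # not an ARP request/reply we understand
        ip, mac = rep.group(1), rep.group(2).lower()
        if ip in pending:
            pending.discard(ip)
        else:
            alerts.append(f"frame {no}: unsolicited ARP reply '{ip} is at {mac}' from {src}")
        if claims[ip] and mac not in claims[ip]:
            alerts.append(f"frame {no}: {ip} was {sorted(claims[ip])}, now claimed by {mac}")
        claims[ip].add(mac)
    return alerts


if __name__ == "__main__":
    for name, frames in (("before", CAPTURE_BEFORE), ("after", CAPTURE_AFTER)):
        print(f"--- {name} the poisoning ---")
        for alert in analyze_arp(frames, KNOWN_HOSTS) or ["no anomalies"]:
            print(alert)
```

A legitimate gratuitous ARP (a host announcing a new address, or a failover) also shows up as an unsolicited reply, so the second check, a MAC conflict for an IP, is the one worth paging on. Running this over a live capture needs a pcap reader (scapy or pyshark, for instance) in place of the constructed list.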



3. ARP TABLES

If we look at the ARP tables of the router and of the Windows machine, we see that the Ettercap Linux machine poisoned them and replaced the router's or the Windows machine's MAC address with its own MAC address.
This means that the packets between the Windows machine and the router now transit through the Ettercap machine.
Let’s check whether we successfully poisoned the router and Windows machine ARP tables:

——————– Windows machine 192.168.1.2 ——————–

Launch a command line interface window as follows:
Start -> Run -> cmd

Before the poisoning:

C:\Documents and Settings\administrator>arp -a

Interface: 192.168.1.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           11-22-33-44-11-11     dynamic
  192.168.1.100         11-22-33-44-99-99     dynamic

After the poisoning:

Interface: 192.168.1.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           11-22-33-44-99-99     dynamic
  192.168.1.100         11-22-33-44-99-99     dynamic

——————– Linux machine 192.168.1.100 ——————–

#arp -a
? (192.168.1.1) at 11:22:33:44:11:11 [ether] on eth0
? (192.168.1.2) at 11:22:33:44:55:66 [ether] on eth0

——————– Cisco router (openmaniak) 192.168.1.1 ——————–

Before the poisoning:

>show arp
Protocol  Address        Age (min)  Hardware Addr   Type  Interface
Internet  192.168.1.2    194        1122.3344.5566  ARPA  FastEthernet0/0
Internet  192.168.1.100  128        1122.3344.9999  ARPA  FastEthernet0/0

After the poisoning:

>show arp
Protocol  Address        Age (min)  Hardware Addr   Type  Interface
Internet  192.168.1.2    194        1122.3344.9999  ARPA  FastEthernet0/0
Internet  192.168.1.100  128        1122.3344.9999  ARPA  FastEthernet0/0

If you have a Netscreen (Juniper) device, use the following command to display the ARP table:

>get arp

On a Vyatta router:

>show arp
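The condition shown in the tables above (the same MAC answering for two IP addresses, or a gateway entry that no longer matches what the network should look like) is easy to check from the host side. The following Python is an added example for this page, not part of the tutorial or of any vendor tool: it parses the arp -a output of Windows and Linux and the show arp output of Cisco IOS into one normalized IP-to-MAC map, then reports MACs shared by several IPs and drift from a hypothetical trusted baseline. The sample tables are constructed from the values on this page.

```python
import re
from collections import defaultdict

# Constructed samples reproducing the ARP tables shown in the tutorial.
WINDOWS_AFTER = r"""
C:\Documents and Settings\administrator>arp -a

Interface: 192.168.1.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           11-22-33-44-99-99     dynamic
  192.168.1.100         11-22-33-44-99-99     dynamic
"""

LINUX_TABLE = """
? (192.168.1.1) at 11:22:33:44:11:11 [ether] on eth0
? (192.168.1.2) at 11:22:33:44:55:66 [ether] on eth0
"""

CISCO_AFTER = """
Protocol  Address        Age (min)  Hardware Addr   Type  Interface
Internet  192.168.1.2    194        1122.3344.9999  ARPA  FastEthernet0/0
Internet  192.168.1.100  128        1122.3344.9999  ARPA  FastEthernet0/0
"""

# Hypothetical trusted IP -> MAC baseline (values from the tutorial's diagram).
BASELINE = {
    "192.168.1.1": "11:22:33:44:11:11",
    "192.168.1.2": "11:22:33:44:55:66",
    "192.168.1.100": "11:22:33:44:99:99",
}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Windows (11-22-..), Linux (11:22:..) and Cisco (1122.3344.5566) MAC notations
MAC_RE = re.compile(r"(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}", re.I)


def normalize_mac(mac):
    """Canonical lower-case colon form, whatever notation the OS printed."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp_table(text):
    """Return {ip: mac} from 'arp -a' (Windows/Linux) or 'show arp' (Cisco) output.

    A line counts as an entry only if it carries both an IP and a MAC, which
    skips column headers and the Windows 'Interface:' line.
    """
    table = {}
    for line in text.splitlines():
        ip_m, mac_m = IP_RE.search(line), MAC_RE.search(line)
        if ip_m and mac_m:
            table[ip_m.group(1)] = normalize_mac(mac_m.group(0))
    return table


def shared_macs(table, gateway_ip=None):
    """Return [(severity, mac, [ips])] for MACs that answer for several IPs.

    One MAC owning the gateway *and* another host is the signature seen on
    the Windows machine above, hence rated HIGH.
    """
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    findings = []
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            severity = "HIGH" if gateway_ip in ips else "MEDIUM"
            findings.append((severity, mac, sorted(ips)))
    return findings


def diff_against_baseline(table, baseline):
    """Return [(ip, expected_mac, observed_mac)] for entries that drifted."""
    return [(ip, baseline[ip], mac) for ip, mac in sorted(table.items())
            if ip in baseline and baseline[ip] != mac]


if __name__ == "__main__":
    for name, text in (("Windows", WINDOWS_AFTER), ("Linux", LINUX_TABLE), ("Cisco", CISCO_AFTER)):
        table = parse_arp_table(text)
        print(name, table)
        print("  shared MACs:    ", shared_macs(table, gateway_ip="192.168.1.1"))
        print("  baseline drift: ", diff_against_baseline(table, BASELINE))
```

A MAC shared by several IPs is not always malicious (a router holding several addresses, or a virtual IP), so treat MEDIUM findings as triage hints and a gateway entry that drifts from the baseline as the strong signal. Longer term, a static ARP entry for the gateway (arp -s on Windows and Linux) or Dynamic ARP Inspection on managed switches closes the window in which this kind of poisoning works.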



4. STOPPING THE ARP SPOOFING


Ettercap is pretty effective. After the attack, it will “re-ARP” the victims: in other words, the victims’ ARP caches will again contain the correct entries.

If a cache still contains poisoned IP-to-MAC mappings, you can either wait a few minutes, which is the time needed for the ARP cache entries to expire and refresh, or, better, clear the ARP cache.

On a Microsoft machine:

C:\Documents and Settings\admin>arp -d *

On an Ubuntu or Debian Linux:

#arp -d ip_address

On a Cisco router:

#clear arp-cache

CONCLUSION

After this tutorial, the ARP tables of the router and of the Windows machine are poisoned: the Linux machine is now “in the middle”.
To go further, continue with the Ettercap filter tutorial.

ABOUT AUTHOR
Rodel Sales is a freelance I.T. professional. Started blogging in May 2013 to share my technical skills with other I.T. professionals, and to collect imperative guides from the internet world.