
Thread: Ettercap With ARP Poisoning


  1. #1
    Senior Member micole's Avatar
    Join Date
    Jan 2010
    Location
    Charleston, SC
    Posts
    121

    Ettercap With ARP Poisoning

    Hey guys. I'm in a new ethical hacking class for my college and am coming up with exercises for the class, and decided to post them on here whenever I come up with new ones. Some of the wording might be awkward because I'm just copying it over from my papers, so I might refer to you as a student or "us" or "we". I also try to explain to the best of my knowledge what is going on. (I'm sure other people could add to what I already have.) If I ever post anything that's wrong, let me know so I can edit it.

    Assuming you have a clean install of BT4 with no edits:

    Ettercap:

    Ettercap is a tool for network protocol analysis and security auditing. It has the ability to intercept traffic on a network, capture passwords, and conduct active eavesdropping against common protocols.

    For this exercise I will be using ARP Poisoning to sniff the LAN for passwords that use SSL (Hotmail, Gmail, Etc.)

    ARP:

    “Address Resolution Protocol”: As defined by Wikipedia: ARP is a computer networking protocol for determining a network host's link layer or hardware address when only its Internet Layer (IP) or Network Layer address is known. This function is critical in local area networking as well as for routing internetworking traffic across gateways (routers) based on IP addresses when the next-hop router must be determined.

    So in normal terms ARP is the way that we get a MAC address of a Host or Node from the IP address.


    ARP Spoofing:

    This is the technique we will use to attack a wired or a wireless network. ARP Spoofing allows the attacker to sniff data frames from the LAN, then gives you the ability to modify the traffic (good for redirecting to your own computer to download an exploit to the victim), or stop the traffic from entering the network or a specific computer (good for local DoS attacks on a Local Area Network).

    The idea behind the attack is to send a fake (AKA “Spoofed”) ARP message to the LAN. Any traffic on the network meant for that IP address that you attacked (whole network if you want) will be sent to the attacker. The attacker (you) can choose to forward the traffic to the actual gateway (Passive Sniffing) or modify the data before forwarding it (Man in the Middle).

    How we will do it for this exercise:

    Edit a file:

    We first have to edit one file (Don’t worry, we just have to delete two # signs to “uncomment” them).

    The file we will be editing is called etter.conf and it can be found under the etc folder. (Full Path = /etc/etter.conf)

    We need to change the part under the “redir_command_on/off” section. It is under the Linux sub heading.

    MAKE SURE YOU ONLY UNCOMMENT THE TWO LINES UNDER “if you use iptables” NOTICE: IPTABLES, Not Chains.

    The Linux subsection will look like this when done:

    Code:
    #---------------
    #     Linux 
    #---------------
    
    # if you use ipchains:
       #redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
       #redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
    
    # if you use iptables:
       redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
       redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

    Notice how there are no Pound (#) signs in front of the last two lines.

    Run Ettercap:

    Now we can start Ettercap-GTK (This is a pretty version of the shell program, it gives us a nice GUI to play with). Ettercap-GTK can be found under: Menu -> Backtrack -> Privilege Escalation -> Spoofing -> Ettercap-GTK

    Setting up Sniffing:

    Sniff -> Unified Sniffing

    Eth0 -> OK (this runs sniffing on your first Ethernet card)

    Hosts -> Scan for hosts (scans the network for targets)

    Hosts -> Hosts List (opens your hosts list)

    Now you have all the computers on the network on the host list. If you want to only scan one computer (it's better and quicker for us to just do the one) then click on the default gateway first, and click the "Target 1" button.

    After you do the default gateway, then click your computer you are attacking and make it “Target 2” by selecting it and clicking the “target 2” button.

    After setting up the sniffing:

    Mitm -> ARP poisoning -> Select “Sniff remote connections” Hit OK

    Start -> Start Sniffing

    You're done! Now you are sniffing the computer for passwords onto certain websites that use SSL for their security. When you are done go to: Start -> Stop Sniffing, and then go to Mitm -> Stop mitm attack(s)


    Problems:

    When you run this, the SSL certificates on some websites will not be valid, so the user has to constantly hit yes for the attack to run successfully. For most users this won’t be a problem seeing as how they “Trust” the site usually and will hit yes.


    Protect yourself:

    Don’t hit yes for all of the SSL certificates when you know the website should be up to date, because you know you're being attacked.

    Link to a good Detection and Prevention paper from San Jose State University: http://www.cs.sjsu.edu/faculty/stamp...lky_report.pdf
    Last edited by micole; 03-10-2010 at 06:37 AM. Reason: "protect yourself" changes

  2. #2
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    3

    Re: Ettercap With ARP Poisoning

    Hi micole,

    Nice work.. Keep up the knowledge sharing.. continue posting..

    Thanks
    Mi2

  3. #3
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Re: Ettercap With ARP Poisoning

    I would make one suggestion for you. Don't use Wikipedia if you can help it. That is not one of the best sources for accurate information.

  4. #4
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    1

    Re: Ettercap With ARP Poisoning

    Good post, thanks for the share. As for the suggestion about Wikipedia, I thought most classes didn't allow you to put that as a source ;-)

  5. #5
    Senior Member micole's Avatar
    Join Date
    Jan 2010
    Location
    Charleston, SC
    Posts
    121

    Re: Ettercap With ARP Poisoning

    Thanks Archangel. I'll try to stay away from Wikipedia. (I only wrote this in a timespan of 2 hours, and I wanted to just give a brief idea of what ARP was and such for people who didn't know.)

    Moh, I'm going to keep posting information as long as people want me to.

    If anyone has anything they want me to try and write about just let me know and I'll add it to my Ethical Hacking paper. Who knows, eventually I might upload the whole document on here when it's done. (For free of course. I might sell it to a book publisher, but I know that the internet is where my bread is buttered.)
    Common Knowledge: Username, "root". Password, "toor". "startx" gives you a GUI, and "fix-vesa" will fix BT if you have no GUI. Start networking with "/etc/init.d/networking start" and check your IP settings with "ifconfig -a". "dhclient" will automatically use DHCP for your IP. Google is your friend.

  6. #6
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    1

    Re: Ettercap With ARP Poisoning

    Great work. Very good explanation.
    I will be waiting for your next thread.

  7. #7
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    1

    Re: Ettercap With ARP Poisoning

    Nice tutorial, well done !

  8. #8
    Just burned his ISO R3104d's Avatar
    Join Date
    Jan 2010
    Location
    Texas
    Posts
    8

    Re: Ettercap With ARP Poisoning

    Great job man! I wish my school would take y'all as an example and let us focus more on security. Keep up the good work up there.

  9. #9
    Just burned his ISO
    Join Date
    Mar 2010
    Posts
    1

    Hi there, I have just successfully installed ettercap in VMware Linux. When I select unified sniffing > eth0 > scan host > host list,
    it lists just 2 IPs. One I am sure is the default gateway inside VMware; the other address is UNKNOWN (which I found isn't in ifconfig and ipconfig in VMware and my Vista PC). I am using NAT for VMware, is that a problem? Please help. It is my final year project research. Thanks for reading.

    Hello there,
    I am using VMware Linux with ettercap installed. I want to perform ARP poisoning. I am using NAT for the VMware network setting.
    VMware network setup (ifconfig): NAT. IP: 192.168.106.129, broadcast IP: 192.168.106.255, netmask 255.255.255.0

    PC (ipconfig): Wireless LAN adapter connection: IP 10.73/35.250, default gateway: 10.73.39.254, netmask 255.255.248.0
    I am connected to the campus network.

    In Linux VMware, I choose unified sniffing > eth0 > scan for host > host list.
    The host list is: 192.168.106.2 and 192.168.106.254. I don't know which target IP I should enter for target 1 and 2. And so I directly ran the ARP poisoning for all hosts in the list, with the optional parameter "sniff remote connection".

    It says start sniffing, but what shall I do next? I don't know how to sniff a Gmail or Hotmail password since I don't know who 192.168.1.2 is. Shall I do it in my own LAN?
    It is my FYP research. I hope to get help from you here. Thanks for reading. After this I would like to try DNS spoofing too.
    Thanks again.
    Last edited by lupin; 03-19-2010 at 09:44 AM. Reason: Merging... get rid of quote of original post

  10. #10
    Junior Member
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    79

    Re: Ettercap With ARP Poisoning

    here is a website with the EXACT same info but with pictures! Com.org - Only the best links ...
