How do I change the default networking interface for ETTERCAP

[baronobeefdip]

The machine that I am using to run some penetration tests on a network has two networking interfaces, one of them is onboard but I am unable to remove it so I added another interface in one of the expansion slots and everything started working fine. But when it came to using ettercap to run some man in the middle tests, nothing worked. This test wasn't successful since ettercap seems to only work with the default networking interface for man in the middle attacks and I am not using the default (the on board NIC) interface because the one I added is much quicker. This penetration test is useless without a successful man in the middle attack and since ettercap only does successful man in the middle attacks with the default interface it looks like it won't get done.

I really appreciate all of the help

[rastamouse]

Can't you just specify the interface you want using the -i option in ettercap?

[baronobeefdip]

Yes but since it's not the default interface the man in the middle attacks won't work, this is what the -i option said in the man page

Code:

-i, --iface <IFACE>
              Use  this  <IFACE> instead of the default one. The interface can
              be unconfigured (requires libnet >= 1.1.2), but in this case you
              cannot use MITM attacks and you should set the unoffensive flag

the entry says that when you tell it to use the interface that isn't the "Default One" then the man in the middle attacks won't work. How do I remedy this problem?

Due to my failed attempts at getting ettercap to work I started to seek alternatives, I found the dsniff suite and started playing around with arpspoof, and dnssniff. I first enabled forwarding on the interface

Code:

echo "1" > /proc/sys/net/ipv4/ip_forward

then I selected my targets (the gateway and a windows machine I have setup somewhere) and I did these commands.

Code:

arpspoof -i eth1 -t 192.168.1.81 192.168.1.1
arpspoof -i eth1 -t 192.168.1.1 192.168.1.81

The I fired up wireshark and surfed the internet for a few minutes on the target machine and I was able to capture stiff as they surfed. Arpspoof may not be as intelligent as ettercap but it gets the job done (I mean intelligent as in ettercap starts spoofing when it senses traffic on the network between the targets it was told to spoof for, while arpspoof just keeps sending arp requests without any knowing of what happens on the network, this is easier to detect on an ids than the one with ettercap)

The man in the middle attack worked like a charm now I am able to experiment with IPTables and SNORT to setup some customized rules for these types of attacks (for educational purposes). Now I started experimenting with dnsspoof. I made a hosts file and put something like this in it.

Code:

# located in /root/spoofed-addresses.conf
192.168.1.78        *.google.com

This setup would try to spoof the DNS requests to the 192.168.1.78 address before it gets to the DNS server that the client was assigned to by the DHCP server. Heres the command I used.

Code:

dnsspoof -i eth1 -f /root/spoofed-addresses.conf

Now for the moment of truth I did an nslookup for google on the windows machine and the request came back as the authentic DNS server response instead of the spoofed address I entered in the hosts file for dnsspoof, Dnsspoof is the only problem I have left here. Is there a more effective command for dnsspoof that I need to run in my scenario.