{"id":589,"date":"2012-07-10T12:02:48","date_gmt":"2012-07-10T04:02:48","guid":{"rendered":"http:\/\/rmohan.com\/?p=589"},"modified":"2012-07-10T12:02:48","modified_gmt":"2012-07-10T04:02:48","slug":"how-to-do-man-in-middle-attack-using-ettercap","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=589","title":{"rendered":"How To do “Man in Middle” Attack using Ettercap"},"content":{"rendered":"

How To do “Man in Middle” Attack using Ettercap<\/h3>\n

 <\/p>\n

“Man in Middle” Attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new and modified messages to one or both of them, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point, can insert himself as a man-in-the-middle<\/em>). example in form of picture is shown below.<\/p>\n

Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.<\/div>\n

Installation:<\/strong> OpenSuSe 11.1 user can use “1-click” installer to install Ettercap – Here<\/a><\/p>\n

Running Ettercap:<\/strong>You need to select a user interface (no default<\/em>) using -T for Text only, -C for the Ncurses based GUI, or -G for the nice GTK2 interface (e.g) – # ettercap -G<\/p>\n

Open Ettercap in graphical mode: # ettercap -G<\/p>\n

<\/div>\n

Select the sniff mode: Sniff ?<\/strong> Unified sniffing and Scan for host inside your subnet Hosts ?<\/strong> Scan for hosts<\/p>\n

See the\u00a0 MAC and\u00a0 IP addresses of the hosts inside your subnet: Hosts ?<\/strong> Hosts List, from this list Select the machines to poison<\/p>\n

We chose to ARP poison only the windows machine 192.168.1.2 and the router 192.168.1.1.
\nHighlight the line containing 192.168.1.1 and click on the “target 1” button.
\nHighlight the line containing 192.168.1.2 and click on the “target 2” button.<\/p>\n

<\/div>\n

Start the ARP poisoning: Mitm ?<\/strong> Arp poisoning and start the sniffer to see the activities<\/p>\n

<\/div>\n

ARP TRAFFIC before the poisoning:<\/strong>
\nAs you can see that the router and the Windows machine send an ARP broadcast to find the MAC address of the other.<\/p>\n\n\n\n
No
\n1
\n2
\n3
\n4<\/td>\n		<\/td>\nSource
\n11:22:33:44:55:66
\n11:22:33:44:11:11
\n11:22:33:44:11:11
\n11:22:33:44:55:66<\/td>\n		<\/td>\nDestination
\n11:22:33:44:11:11
\n11:22:33:44:55:66
\n11:22:33:44:55:66
\n11:22:33:44:11:11<\/td>\n		<\/td>\nProt
\nARP
\nARP
\nARP
\nARP<\/td>\n		<\/td>\nInfo
\nwho has 192.168.1.1? Tell 192.168.1.2
\n192.168.1.1 is at 11:22:33:44:11:11
\nwho has 192.168.1.2? Tell 192.168.1.1
\n192.168.1.2 is at 11:22:33:44:55:66<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

ARP TRAFFIC after the poisoning<\/strong>
\nThe router ARP broadcast request is answered by the Windows machine similarly than in the previous capture.<\/p>\n

The difference between the two steps comes from the fact that there is no request coming from Windows (192.168.1.2) to find the MAC address associated to the router (192.168.1.1) because the poisoner continuously sends ARP packets telling the Windows machine that 192.168.1.1 is associated to his own MAC address (11:22:33:44:99:99) instead of the router MAC address (11:22:33:44:11:11).<\/p>\n\n\n\n
No
\n1
\n2
\n3
\n4<\/td>\n		<\/td>\nSource
\n11:22:33:44:11:11
\n11:22:33:44:55:66
\n11:22:33:44:99:99
\n11:22:33:44:99:99<\/td>\n		<\/td>\nDestination
\n11:22:33:44:55:66
\n11:22:33:44:11:11
\n11:22:33:44:55:66
\n11:22:33:44:55:66<\/td>\n		<\/td>\nProt
\nARP
\nARP
\nARP
\nARP<\/td>\n		<\/td>\nInfo
\nwho has 192.168.1.2? Tell 192.168.1.1
\n192.168.1.2 is at 11:22:33:44:55:66
\n192.168.1.1 is at 11:22:33:44:99:99
\n192.168.1.1 is at 11:22:33:44:99:99<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

How To do “Man in Middle” Attack using Ettercap <\/p>\n

 <\/p>\n

“Man in Middle” Attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/589"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=589"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/589\/revisions"}],"predecessor-version":[{"id":590,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/589\/revisions\/590"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=589"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=589"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=589"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}