MITM/Wired/ARP Poisoning with Ettercap
From charlesreid1
Setup
Network Configuration
Caveman ASCII art of my network configuration:
--------------------          --------------
|      Router      |---------|   kronos   |
|                  |         | 10.0.0.19  |
|                  |         --------------
|                  |
|                  |         --------------
|     10.0.0.1     |---------|  jupiter   |
|                  |         | 10.0.0.75  |
--------------------          --------------
Attacker/Sheep
In this scenario, the attacker, Kronos (10.0.0.19), will be attacking the sheep, Jupiter (10.0.0.75).
Both are running Kali Linux.
The Attack Overview
As described on the ARP Poisoning attack page, this attack targets the ARP cache: the lookup table, kept by the router and by every other host on the LAN, that maps IP addresses to MAC addresses. If an attacker can modify entries in that table, they can receive all traffic intended for another party, make their own connection to that party, and forward the traffic along, reading or tampering with the sheep's information on the way.
The attack will use Ettercap to automate the process of sending the right ARP packets. The forged replies trick the router (and the sheep) into updating their ARP caches with the attacker's MAC, so traffic meant for the other party is sent to the attacker's MAC instead; Ettercap then forwards it on so the connection keeps working.
Implementation
Install Tools
The attacker will use a couple of different tools to perform the man in the middle attack.
The attacker will absolutely need Ettercap and Wireshark to get the attack up and running.
The attacker may want to use Driftnet to analyze traffic during the attack.
Install these using your method of choice - package manager or source.
Ettercap: ARP Poisoning
The next step is to actually perform the ARP poisoning with Ettercap. Start the Ettercap GUI with the command
$ ettercap -G
Sniffing Type
Now we'll specify the type of sniffing we want to do.
Ettercap can either sniff in Bridged mode or Unified mode. These names refer to the configuration of the network devices on the attacking computer. Bridged mode means the attacker has multiple networking devices, and is sniffing as traffic crosses a bridge from one device to another. Unified is good for a single network device, where the sniffing and forwarding all happens on the same network port.
We'll be doing unified sniffing. Select Sniff > Unified Sniffing from the menu.
Finding Hosts
We can run a quick scan of different hosts acting as parties in network traffic. Click Hosts > Scan for Hosts to run a quick scan and get a list of host targets. You should see Ettercap populate a list of host IP and MAC addresses.
Select Poison Target
Now that you have a list of hosts, find your target in the list and click on it. (Or, if you want to attack every computer on the network, don't select any list item.)
Click Mitm > Arp Poisoning to start the ARP poisoning attack against the selected target.
Wireshark for Traffic Analysis
Now fire up Wireshark so that we can do a packet capture of our man-in-the-middle session. Start a capture on the eth0 network interface (which is a network cable connected to the router, the same router that the sheep is connected to).
Once the packet capture has started, find a website that requires login credentials but that uses
Driftnet for Image Traffic Analysis
One of the neat tools you can use in a man in the middle attack is Driftnet, which will automatically search the stream of web traffic and pick out images and stills from video, and show them to you. This is a quick way to get a visual sense of what a target is up to during a man-in-the-middle attack.
Notes
Warnings
When using this method of man-in-the-middle in a naive way, the user is apt to notice. Each time they visit an HTTPS site, they will see a warning notifying them that the site's certificate couldn't be verified. This would be reasonable to expect to see perhaps once, but if it shows up repeatedly (and many websites use HTTPS versions), the MITM attack would be painfully obvious.
To beat this problem, you can use SSLStrip in your MITM attack, which produces only ONE warning notifying the user that the site certificate could not be verified. Once they accept and store that exception, even once, then you are home free, and any secure connection they make after that point can be seen by the attacker.