Revision as of 19:37, 21 August 2016

Note: also see Bettercap

What Ettercap Is

Ettercap is a tool for executing Man in the Middle attacks.

Ettercap can be used in unified mode, or in bridge mode.

Unified mode means Ettercap uses a single network interface for sending/receiving to the client as well as to the server, and sniffs all relevant traffic at the single interface.

Bridge mode means Ettercap is using two bridged network interfaces, one connecting to the client and one connecting to the server, and is sniffing traffic crossing that bridge.

What Ettercap Actually Does

Ettercap is basically a tool for automating different steps in a man-in-the-middle attack. While you could perform the attack yourself, it would require a lot of windows, switching between scripts, and some really deep technical knowledge of the ARP protocol, packet-forging tools, and how to craft and send ARP packets in the right proportions.

Ettercap saves you from having to manually mount the man-in-the-middle attack. Be aware of the tradeoffs that Ettercap presents - while it gives you a simple interface for conducting man in the middle attacks, it may also do things you don't understand or want, things that can draw the attention of network administrators onto you.

Installing/Building

To install Ettercap from source you'll need a few things first:

$ apt-get install cmake libncurses5 libncurses-dev libidn11 libidn11-dev librtmp-dev bison flex

Now download Ettercap from Github (v 0.8.2): https://github.com/Ettercap/ettercap

Make it with Cmake:

$ unzip ettercap*.zip
$ cd ettercap*
$ mkdir build/
$ cd build/
$ cmake ../
$ make clean-all
$ cmake /path/to/ettercap

Unified Sniffing in Ettercap Text

You can check the man page for the many options available with ettercap:

$ man ettercap

Ettercap has two independent functions: one is a traffic sniffer and filter, and the other is a man in the middle attack tool. These two purposes are independent, so several attacks can be launched simultaneously.

The key flag for running in text mode is -T, with the -q flag helping to keep things quiet.

Sniffing vs Man in the Middle

It's important to distinguish between Ettercap's sniffing functionality, and its man in the middle attack functionality. These two functionalities are independent.

The sniffing functionality is Ettercap's default behavior. Sniffing assumes packets are getting to Ettercap, somehow, someway, the sniffing process does not care how, it only cares about sniffing the packets.

The man in the middle attack functionality is additional Ettercap functionality intended to hijack streams of packets intended for non-attacker destinations and redirect them to Ettercap.

Short version: The man in the middle grabs packets. The sniffer reads them.

Basic Sniffing Attack

To run a basic sniffing attack in text only mode, you just need to specify the internet device to sniff:

$ ettercap -Tq -i eth0

Remember that unless you're on a network hub, you won't see traffic intended for other parties - you'll only see traffic intended for you. To see all the traffic, you'll need to perform a man in the middle attack.

Man in the Middle

A basic man-in-the-middle attack using its text-based interface is specified using the -M flag and looks like this:

$ ettercap -Tq -i eth0 -M arp /10.0.0.1/ /10.0.0.75/

Here we specify the type of MITM attack as ARP poisoning. Other MITM attacks available include icmp and dhcp, for replacing gateway; port, for port stealing; ndp, for ndp hijacking.

Note that the target is of the form MAC/IPs/PORTs, in this case the leading/trailing blanks mean any MAC and any port.

Also see Kali/Layer 4 Attacks and Man in the Middle.

Unified Sniffing in Ettercap GUI

If you are trying to perform a MITM attack by sniffing/sending traffic from a single network device, you can use the unified sniffing mode in Ettercap to perform your man-in-the-middle attack.

The physical arrangement required for this type of attack is that you are on the same subnet as the target - typically connected to the same router.

Ettercap ARP Poisoning

Now we'll actually perform the ARP poisoning with Ettercap. Start the Ettercap GUI with the command

$ ettercap -G

Sniffing Type in Ettercap

Now we'll specify the type of sniffing we want Ettercap to do. As mentioned above, we'll use Unified mode.

Ettercap can either sniff in Bridged mode or Unified mode. Bridged mode means the attacker has multiple networking devices, and is sniffing as traffic crosses a bridge from one device to another. Unified uses a single network device, where the sniffing and forwarding all happens on the same network port.

Select Sniff > Unified Sniffing from the menu.

Finding Hosts in Ettercap

Once we've picked our sniffing method, we need to pick a target and then start our attack.

We can run a quick scan of different hosts acting as parties in network traffic. Click Hosts > Scan for Hosts to run a quick scan and get a list of host targets. You should see Ettercap populate a list of host IP and MAC addresses.

If you don't see the list of hosts, click View > Connections.

Select Ettercap Poison Target

Now that you have a list of hosts, find your target in the list and click on it. (Or, if you want to attack every computer on the network, don't select any list item.)

Remaining Questions

Several questions remain about this process. Here are a few:

Where do the sniffed goodies get printed and logged to? Are they saved by default? Where?
Does or can ettercap create pcap files?

Start MITM Attack

Click Mitm > Arp Poisoning to select the Arp Poisoning attack.

This will print a message letting you know that the ARP Poisoning attack is beginning. As interesting/juicy information shows up on the wire, Ettercap will extract it and display it, just in case you don't capture it or find it with Wireshark.

Make sure and check "sniff remote connections" before you start the attack.

Your man in the middle attack is now running on the local network. By monitoring traffic on your device eth0, you can see all of the traffic passing through the device and on to the sheep.

Watching in Wireshark

If you watch in Wireshark, you'll notice, among other things, a bunch of black packets. This is because your computer is duplicating every packet that reaches it, by forwarding it:

This is something that is symptomatic of every Man in the Middle attack that involves ARP spoofing, and is the reason why a physical network tap (a Layer 1 bridge) is much preferred to ARP spoofing (a Layer 2/Layer 3 bridge).

Bridge Sniffing in Ettercap GUI

A bridge is a way of hooking up two network interfaces such that all packets sent to one are forwarded to another.

Before you can sniff a bridge, you have to build it. In this example, I'll build a bridge between two wifi cards. One wifi card will spoof the sheep, the other will spoof the gateway.

Role        IP              Example MAC
Gateway     192.168.0.1     11:11:11
Sheep       192.168.0.7     22:22:22
Attacker    192.168.0.8     AA:AA:AA

Ettercap Sniffing and MITM

Change MACs

$ ifconfig wlan1 down
$ macchanger -r wlan1 
$ ifconfig wlan1 up

$ ifconfig wlan2 down
$ macchanger -r wlan2 
$ ifconfig wlan2 up

Start Ettercap GUI

$ ettercap -G

Sniffing Type

Select bridged mode for sniffing type. This will utilize two network interfaces and create a bridge between them. The bridge device can then be sniffed.

Select Sniff > Bridged sniffing from the menu.

Finding Hosts

Once you pick your sniffing method, pick your targets to start your attack.

...?

Flags

@@ Line 124: / Line 124: @@
 Now that you have a list of hosts, find your target in the list and click on it. (Or, if you want to attack every computer on the network, don't select any list item.)
+=Remaining Questions=
+Several questions remain about this process. Here are a few:
+* Where do the sniffed goodies get printed and logged to? Are they saved by default? Where?
+* Does or can ettercap create pcap files?
 ===Start MITM Attack===

Ettercap: Difference between revisions

From charlesreid1