MITM Using ettercap in backtrack 5 by Anil016


The man-in-the-middle attack (also known as a bucket-brigade attack and abbreviated
MITM) is a form of active eavesdropping in which the attacker makes independent
connections with the victims and relays messages between them, making them believe
that they are talking directly to each other over a private connection when in fact the
entire conversation is controlled by the attacker.

1.1. Ettercap
Ettercap is a suite for man-in-the-middle attacks on a LAN (local area network). It features
sniffing of live connections, content filtering on the fly and many other interesting
tricks. It supports active and passive dissection of many protocols (even ciphered ones)
and includes many features for network and host analysis. In this tutorial I will explain
how to sniff usernames and passwords on a LAN using Ettercap.

1.1.1. Configuring Ettercap for the Attack
We will be using Ettercap to perform the MITM attack, but to do so we first have to set
up Ettercap to use iptables to redirect traffic. Open a terminal session and type the
following (everything after the #):

root@bt:~ # echo 1 > /proc/sys/net/ipv4/ip_forward

This enables IP forwarding. Then, type the following:

root@bt:~ # kedit /usr/local/etc/etter.conf

This will open a new window containing the text file that holds all the configuration
settings for Ettercap. Look for the following lines in the file and uncomment them by
removing the hashes (except for the one next to "if"), then save the file and close it.
Change this:

# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

to this:

# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

We are now ready to proceed to the attack stage.
There are several kinds of man-in-the-middle attacks that we can perform, but in this
tutorial we will look at attacks based on the ARP protocol.

1.1.2. ARP Poisoning
Address Resolution Protocol (ARP) spoofing, also known as ARP flooding, ARP
poisoning or ARP Poison Routing (APR), is a technique used to attack an Ethernet
wired or wireless network. ARP spoofing may allow an attacker to sniff data frames on
a local area network (LAN).

1.2. Man in the Middle Attack using Ettercap
1. First start Ettercap. It is located in Backtrack > Privilege Escalation > Sniffers
   > Network Sniffers > ettercap-gtk

2. After it opens, select Sniff > Unified sniffing and select your network interface
   as shown

3. Now scan for hosts in your subnet by going to Hosts > Scan for hosts

4. Now open the host list from the Hosts tab and select the IP address of the victim as
   Target 1 and the IP address of the router as Target 2

5. You can see the targets we have selected by going to Targets > Current targets;
   you will see a screen like this.

6. Now start ARP poisoning by going to Mitm > ARP poisoning

7. Finally start the sniffer by going to Start > Start sniffing. Now if the victim logs
   into Gmail, Facebook, Yahoo Mail, etc., we will get the username and password

8. You will see the username and password in the bottom window as shown

9. You can cross-check the ARP cache by typing "arp -a" in the terminal/command
   prompt to confirm whether the ARP cache has been modified or not.
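Section 1.1.2 and step 9 together describe what ARP poisoning leaves behind on a host: the gateway's ARP entry now points at a different MAC address, and two IP addresses (the router's and the attacker's own) resolve to the same MAC. The following script, added here as an example and not part of the original tutorial or of Ettercap, turns that "arp -a" cross-check into an automated detector. It parses the Linux/BSD and Windows forms of "arp -a" output, compares the gateway's entry against a known-good baseline, and reports any MAC that is claimed by more than one IP. The sample output and the baseline MAC are constructed for the example.

```python
"""Detect the ARP-cache anomalies that ARP poisoning leaves on a host.

Input is the text printed by `arp -a`, in either the Linux/BSD form
    gateway (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
or the Windows form
    192.168.1.1           00-11-22-33-44-55     dynamic
Two checks are applied:
  * baseline-mismatch: an IP we have a known-good MAC for (e.g. the gateway,
    from the router label or the DHCP server config) now maps to another MAC.
  * duplicate-mac: several IPs resolve to one MAC, which is what a single
    poisoning NIC answering for the router looks like from the victim's side.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample of `arp -a` output on a poisoned Linux host: the gateway
# entry has been overwritten with the same MAC as host .20.
SAMPLE_ARP_OUTPUT = """\
gateway (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on eth0
? (192.168.1.20) at aa:bb:cc:dd:ee:ff [ether] on eth0
? (192.168.1.77) at 66:77:88:99:aa:bb [ether] on eth0
"""

# Constructed baseline: the MAC the gateway is known to have.
KNOWN_MACS = {"192.168.1.1": "00:11:22:33:44:55"}

_LINUX_RE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\)\s+at\s+(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)
_WINDOWS_RE = re.compile(
    r"^\s*(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>[0-9a-f]{2}(?:-[0-9a-f]{2}){5})", re.I)


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` text; MACs normalised to lowercase colon form.
    Incomplete entries (no MAC) are skipped."""
    table = {}
    for line in text.splitlines():
        m = _LINUX_RE.search(line) or _WINDOWS_RE.match(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower().replace("-", ":")
    return table


def find_anomalies(table, known_macs):
    """Return a list of (kind, detail) findings; empty list means nothing suspicious."""
    findings = []
    # Check 1: known hosts whose MAC changed from the baseline.
    for ip, expected in known_macs.items():
        actual = table.get(ip)
        if actual is not None and actual != expected.lower():
            findings.append(("baseline-mismatch",
                             f"{ip} now at {actual}, expected {expected.lower()}"))
    # Check 2: one MAC answering for several IPs.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate-mac", f"{mac} claimed by {sorted(ips)}"))
    return findings


def check_live_arp_cache(known_macs):
    """Run `arp -a` on this host and return its findings (assumes `arp` is installed)."""
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=False).stdout
    return find_anomalies(parse_arp_table(out), known_macs)


if __name__ == "__main__":
    # Stand-alone run against the constructed sample rather than the live cache.
    for kind, detail in find_anomalies(parse_arp_table(SAMPLE_ARP_OUTPUT), KNOWN_MACS):
        print(f"{kind}: {detail}")
```

The duplicate-MAC check needs no baseline at all, so it is the one to run periodically on hosts you cannot pre-provision; the baseline check is stronger but only covers the entries you record in advance. Note that a legitimate router failover or a NIC replacement also trips the baseline check, so treat a finding as a prompt to verify the gateway's MAC out of band, not as proof of an attack by itself.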
