Tuesday, 11 December 2012

ARP POISONING USING ETTERCAP



In this first tutorial, we will place our Ettercap machine as "man in the middle" after an ARP spoofing attack.

The network scenario diagram is available in the Ettercap introduction page.

The first thing to do is to set an IP address on your Ettercap machine in the same IP subnet as the machine you want to poison. For our tutorial the 192.168.1.100 IP address is used.
See the networking tutorial for detailed explanations about how to set an IP address on your Linux box.

As a reminder, Ettercap needs root access to be launched; once started, it drops its privileges and runs as the 'nobody' user.


 1. ARP SPOOFING

 Open Ettercap in graphical mode

#ettercap -G

 Select the sniff mode

Sniff -> Unified sniffing

 Scan for hosts inside your subnet

Hosts -> Scan for hosts
The network range scanned will be determined by the IP settings of the interface you have just chosen in the previous step.


 See the MAC & IP addresses of the hosts inside your subnet.


 Select the machines to poison

We chose to ARP poison only the Windows machine 192.168.1.2 and the router 192.168.1.1.
Highlight the line containing 192.168.1.1 and click on the "target 1" button.
Highlight the line containing 192.168.1.2 and click on the "target 2" button.
If you do not select any machine as a target, all the machines inside the subnet will be ARP poisoned.

 Check your targets

 Start the ARP poisoning

Mitm -> Arp poisoning

 Start the sniffer

Finally, start the sniffer to collect statistics.

Start -> Start sniffing

 ARP TRAFFIC:

On the Windows machine, with the help of Wireshark, we can compare the ARP traffic before and after the poisoning:

As a reminder (see the network diagram):

IP address      Role     MAC address
192.168.1.1     Router   11:22:33:44:11:11
192.168.1.2     Windows  11:22:33:44:55:66
192.168.1.100   Pirate   11:22:33:44:99:99
 Before the poisoning
Before they can communicate, the router and the Windows machine each send an ARP broadcast to find the MAC address of the other.

No  Source             Destination        Prot  Info
1   11:22:33:44:55:66  11:22:33:44:11:11  ARP   who has 192.168.1.1? Tell 192.168.1.2
2   11:22:33:44:11:11  11:22:33:44:55:66  ARP   192.168.1.1 is at 11:22:33:44:11:11
3   11:22:33:44:11:11  11:22:33:44:55:66  ARP   who has 192.168.1.2? Tell 192.168.1.1
4   11:22:33:44:55:66  11:22:33:44:11:11  ARP   192.168.1.2 is at 11:22:33:44:55:66


 After the poisoning
The router's ARP broadcast request is answered by the Windows machine just as in the previous capture.
The difference between the two captures is that there is no request from Windows (192.168.1.2) to find the MAC address associated with the router (192.168.1.1): the poisoner continuously sends ARP packets telling the Windows machine that 192.168.1.1 is associated with its own MAC address (11:22:33:44:99:99) instead of the router's MAC address (11:22:33:44:11:11), so the Windows ARP cache never expires that entry.

No  Source             Destination        Prot  Info
1   11:22:33:44:11:11  11:22:33:44:55:66  ARP   who has 192.168.1.2? Tell 192.168.1.1
2   11:22:33:44:55:66  11:22:33:44:11:11  ARP   192.168.1.2 is at 11:22:33:44:55:66
3   11:22:33:44:99:99  11:22:33:44:55:66  ARP   192.168.1.1 is at 11:22:33:44:99:99
4   11:22:33:44:99:99  11:22:33:44:55:66  ARP   192.168.1.1 is at 11:22:33:44:99:99


 ARP TABLES:

If we look at the ARP tables of the router and of the Windows machine, we see that the Ettercap Linux machine poisoned them and replaced the router's or the Windows machine's MAC address with its own MAC address.
This means that the packets between the Windows machine and the router will transit through the Ettercap machine.
Let's check whether we successfully poisoned the router and Windows machine ARP tables:

--------------------Windows machine 192.168.1.2--------------------
Launch a command line interface window as follow:
Start -> Run -> cmd

C:\Documents and Settings\administrator>arp -a

Before the poisoning:

Interface: 192.168.1.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           11-22-33-44-11-11     dynamic
  192.168.1.100         11-22-33-44-99-99     dynamic

After the poisoning:

Interface: 192.168.1.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           11-22-33-44-99-99     dynamic
  192.168.1.100         11-22-33-44-99-99     dynamic

--------------------Linux machine 192.168.1.100--------------------
#arp -a
? (192.168.1.1) at 11:22:33:44:11:11 [ether] on eth0
? (192.168.1.2) at 11:22:33:44:55:66 [ether] on eth0

--------------------Cisco router 192.168.1.1--------------------
>show arp

Before the poisoning:

Protocol  Address        Age (min)  Hardware Addr   Type  Interface
Internet  192.168.1.2          194  1122.3344.5566  ARPA  FastEthernet0/0
Internet  192.168.1.100        128  1122.3344.9999  ARPA  FastEthernet0/0

After the poisoning:

Protocol  Address        Age (min)  Hardware Addr   Type  Interface
Internet  192.168.1.2          194  1122.3344.9999  ARPA  FastEthernet0/0
Internet  192.168.1.100        128  1122.3344.9999  ARPA  FastEthernet0/0

If you have a Netscreen (Juniper) device, use the following command to display the ARP table:

>get arp
On a Vyatta router:

>show arp
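
A defender-side check, added here as an example and not part of the original tutorial, that looks for the two symptoms shown in the capture tables above and in the poisoned 'arp -a' output: an ARP reply that contradicts a known-good binding or answers no request, and one MAC address claiming several IPs in a host's ARP cache. The trusted-binding table and the sample lines are constructed from the tutorial's own addresses.

```python
import re
from collections import defaultdict

# Constructed sample: the 'Info' column of the after-poisoning capture above.
CAPTURE_AFTER = """\
who has 192.168.1.2? Tell 192.168.1.1
192.168.1.2 is at 11:22:33:44:55:66
192.168.1.1 is at 11:22:33:44:99:99
192.168.1.1 is at 11:22:33:44:99:99
"""
# Constructed sample: the poisoned 'arp -a' output of the Windows machine above.
ARP_A_AFTER = """\
  Internet Address      Physical Address      Type
  192.168.1.1           11-22-33-44-99-99     dynamic
  192.168.1.100         11-22-33-44-99-99     dynamic
"""
# Assumption: the defender keeps known-good bindings for critical hosts (here the router).
TRUSTED = {"192.168.1.1": "11:22:33:44:11:11"}
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
REQUEST_RE = re.compile(rf"^who has {IP}\? Tell {IP}$", re.I)
REPLY_RE = re.compile(rf"^{IP} is at ([0-9a-f:]{{17}})$", re.I)
CACHE_RE = re.compile(rf"^\s*{IP}\s+([0-9a-f-]{{17}})\s+(dynamic|static)", re.I)

def norm(mac):  # Windows 'aa-bb-..' and Linux 'aa:bb:..' notations to one form
    return mac.lower().replace("-", ":")

def capture_alerts(text, trusted=TRUSTED):
    """Flag replies contradicting a trusted binding and replies nobody asked for."""
    alerts, pending = [], set()
    for line in text.splitlines():
        if m := REQUEST_RE.match(line):
            pending.add(m.group(1))  # a request was seen for this IP
        elif m := REPLY_RE.match(line):
            ip, mac = m.group(1), norm(m.group(2))
            if ip in trusted and trusted[ip] != mac:
                alerts.append(("mac_mismatch", ip, mac))
            if ip not in pending:  # the poisoner's 'is at' packets answer no request
                alerts.append(("unsolicited_reply", ip, mac))
            pending.discard(ip)
    return alerts

def cache_alerts(text):
    """Flag one MAC claiming several IPs in a host's ARP cache."""
    by_mac = defaultdict(list)
    for line in text.splitlines():
        if m := CACHE_RE.match(line):
            by_mac[norm(m.group(2))].append(m.group(1))
    return [(mac, ips) for mac, ips in by_mac.items() if len(ips) > 1]
```

Run against the before-poisoning capture and cache, both functions return empty lists; on the after-poisoning data they report the router's IP answered with 11:22:33:44:99:99 without any request, and that MAC holding two cache entries.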


 STOPPING THE ARP SPOOFING:

Ettercap is pretty effective. When the attack is stopped, it "re-arps" the victims; in other words, the victims' ARP caches will again contain correct entries.

If a cache still contains poisoned IP-to-MAC mappings, you can either wait a few minutes, the time needed for the ARP cache entries to expire and refresh, or, better, clear the ARP cache.

On a Microsoft machine:

C:\Documents and Settings\admin>arp -d *
On an Ubuntu or Debian Linux:

#arp -d ip_address
On a Cisco router:

#clear arp-cache


 CONCLUSION

After this tutorial, the ARP tables of the router and of the Windows machine are poisoned: the Linux machine is now "in the middle".
