I HOPE YOU ALL LIKED MY PREVIOUS TUTORIAL ON "HOW TO HACK FACEBOOK USING COOKIE STEALING"
The goal of our tutorial is to provide warning about the danger of "man in the middle" attacks by ARP spoofing. In the ARP poisoning tutorial, we will explain how to configure the Ettercap machine as "man in the middle", then, in the filtering tutorial, we will show you some attacks. Finally, some countermeasures are given to fight against these damned ARP poisoning attacks.
Ettercap is a tool made by Alberto Ornaghi (ALoR) and Marco Valleri (NaGA) and is basically a suite for man in the middle attacks on a LAN. For those who do not like the Command Line Interface (CLI), it is provided with an easy graphical interface.
Ettercap is able to perform attacks against the ARP protocol by positioning itself as "man in the middle" and, once positioned as this, it is able to:
- infect, replace, delete data in a connection
- discover passwords for protocols such as FTP, HTTP, POP, SSH1, etc ...
- provide fake SSL certificates in HTTPS sessions to the victims.
- etc ...
Plugins are also available for attacks such as DNS spoofing.
What is a "man in the middle" attack?
This is an attack where an attacker puts their machine logically between two machines that are talking to each other, as shown in the picture below.
Once in this position, the attacker can launch many different and very dangerous attacks, because every packet exchanged between the two normal machines passes through the attacker's machine.
There are several ways to become "man in the middle"; in this tutorial we will look at attacks based on the ARP protocol.
The ARP protocol is a layer 3 protocol used to translate IP addresses (e.g. 192.168.1.1) to physical network card addresses, or MAC addresses (e.g. 0fe1.2ab6.2398).
When a device tries to access a network resource, it first sends a request to the other devices asking for the MAC address associated with the IP address it wants to reach. The caller keeps the IP - MAC association in its cache, the ARP cache, to speed up new connections to the same IP address.
The attack comes when a machine asks the others for the MAC address associated with an IP address. The attacker answers the caller with fake packets saying that the IP address is associated with the attacker's own MAC address, and in this way "short-cuts" the real IP - MAC answer coming from the legitimate host. This attack is referred to as ARP poisoning or ARP spoofing, and it is only possible if the attacker and the victims are inside the same broadcast domain, which is defined on the host by an IP address and a subnet mask, for example: 192.168.1.1 255.255.255.0
In our tutorial, we will use the case study below, where a machine with IP 192.168.1.2 reaches Internet resources from a local network. After the ARP poisoning attack, the Ettercap machine with IP 192.168.1.100 is set as "man in the middle".
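As an added defender-side example (not part of the original tutorial, nor Ettercap's own code): a small Python detector that parses raw Ethernet/ARP reply frames, remembers the first MAC address it sees for each IP, and flags any later reply that claims a different MAC for the same IP, which is exactly the inconsistency that ARP poisoning creates on the wire. The frames, and the MAC addresses of the gateway (192.168.1.1), the victim (192.168.1.2) and the Ettercap host (192.168.1.100), are constructed sample data.

```python
import struct
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(x) for x in s.split("."))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed Ethernet II + ARP reply frame (sample input only)."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4, reply
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip

def detect_arp_poisoning(frames):
    """Remember the first MAC seen per IP; alert when a reply claims another MAC."""
    table, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue  # ignore non-ARP frames and ARP requests
        _, mac, ip = parsed
        if ip in table and table[ip] != mac:
            alerts.append((ip, table[ip], mac))  # (ip, known_mac, claimed_mac)
        table.setdefault(ip, mac)
    return alerts

# Constructed sample traffic; all MAC addresses are invented for this example.
GW, VICTIM, ATTACKER = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:64"
SAMPLE_FRAMES = [
    build_arp_reply(GW, "192.168.1.1", VICTIM, "192.168.1.2"),        # genuine gateway reply
    build_arp_reply(VICTIM, "192.168.1.2", GW, "192.168.1.1"),        # genuine victim reply
    build_arp_reply(ATTACKER, "192.168.1.1", VICTIM, "192.168.1.2"),  # poisons the victim
    build_arp_reply(ATTACKER, "192.168.1.2", GW, "192.168.1.1"),      # poisons the gateway
]

if __name__ == "__main__":
    for ip, known, claimed in detect_arp_poisoning(SAMPLE_FRAMES):
        print(f"ALERT: {ip} was at {known}, now claimed by {claimed}")
```

On a real network the same logic runs over frames captured from the interface; a static ARP entry for the gateway, or a switch feature such as dynamic ARP inspection, removes the condition the detector is looking for.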
Please note the following things about the Ettercap machine behaviour:
- Every time Ettercap starts, it disables IP forwarding in the kernel and begins to forward packets itself. This can slow down network performance between the two hosts, because each packet takes time to be processed by the Ettercap machine.
- Ettercap needs root privileges to open the link-layer sockets. After the initialization phase, root privileges are no longer needed, so Ettercap drops them to UID 65535 (nobody).
- Since Ettercap has to write (create) log files, it must be executed in a directory with the right permissions.
An interview with the Ettercap authors can be found on the newsforge website. It is slightly out of date (2004) but remains interesting.
ETTERCAP INSTALLATION
To see the Ettercap version available:
# apt-cache policy ettercap-gtk
Installed : (none)
Candidate : 1:0.7.3-1.2ubuntu2
Version table :
*** 1:0.7.3-1.2ubuntu2 0
500 http://ch.archive.ubuntu.com feisty/universe Packages
100 /var/lib/dpkg/status
To download and install Ettercap with its graphical interface:
# apt-get install ettercap-gtk
To see the Ettercap dependencies:
# apt-cache depends ettercap-gtk
Depends: libatk1.0-0
Depends: libc6
Depends: libcairo2
Depends: libfontconfig1
Depends: libfreetype6
Depends: libglib2.0-0
Depends: libgtk2.0-0
Depends: libltdl3
Depends: libncurses5
Depends: libnet1
Depends: libpango1.0-0
Depends: libpcap0.8
Depends: libpcre3
Depends: libpng12-0
Depends: libssl0.9.8
Depends: libx11-6
Depends: libxcursor1
Depends: libxext6
Depends: libxfixes3
Depends: libxi6
Depends: libxinerama1
Depends: libxrandr2
Depends: libxrender1
Depends: zlib1g
Depends: ettercap-common
Suggests: gksu
Conflicts: ettercap
Replaces: ettercap