Penetration Test – Ettercap – ARP Poisoning ( Part 2 ) – All things in moderation

In the previous post you learned the basics of ARP Poisoning and what can be done with Cain & Abel. Today I will show you my favourite tool in this field: Ettercap. You can download it from here. Here is a quick look at the tool.


This tool works by ARP cache poisoning (the one thing I did not cover in the previous post). The attack is easy to understand. For example:

  • In the first place:
    HOST 1: MAC Address: 01:01:01:01:01:01, IP Address: 192.168.0.1
    ATTACKER HOST: MAC Address: 03:03:03:03:03:03, IP Address: 192.168.0.3
    HOST 2: MAC Address: 02:02:02:02:02:02, IP Address: 192.168.0.2

  • After that, we will send ARP REPLY packets to:
    HOST 1 telling that 192.168.0.2 is on 03:03:03:03:03:03
    HOST 2 telling that 192.168.0.1 is on 03:03:03:03:03:03
    Now they are poisoned, they will send their packets to us.

  • Then, when we receive packets from:
    HOST 1, we forward them to 02:02:02:02:02:02
    HOST 2, we forward them to 01:01:01:01:01:01
    Both hosts keep talking to each other as before, but every packet now passes through us.
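The three steps above as they appear on the wire, as an added example that is not part of the original post. It builds the two forged ARP reply frames (Ethernet II + RFC 826 ARP) with the MAC and IP addresses from the example, feeds them to a simplified model of a host whose ARP cache accepts any reply without having asked for it (an assumption about the victim; real stacks differ in detail), and shows where each host then sends its traffic and how the attacker forwards it so nothing breaks.

```python
"""ARP cache poisoning from the example above, as bytes on the wire.

Added example, not code from the original post. Hosts, MACs and IPs are the
ones in the text; the Host class is a deliberately naive model that stores
whatever an ARP reply claims (no static entries, no validation)."""
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying an ARP reply that says 'sender_ip is at sender_mac'.

    Sent unsolicited to target_mac/target_ip this is exactly the packet a
    poisoning tool emits: the victim never asked, but a naive stack stores it."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hardware type 1 (Ethernet), protocol 0x0800 (IPv4), hlen 6, plen 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + arp  # 14 + 28 = 42 bytes


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return op, mac_str(sha), str(IPv4Address(spa)), mac_str(tha), str(IPv4Address(tpa))


class Host:
    """A host with a naive ARP cache: any reply naming an IP overwrites that entry."""

    def __init__(self, mac: str, ip: str):
        self.mac, self.ip, self.cache = mac, ip, {}

    def receive(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REPLY:
            _, sender_mac, sender_ip, _, _ = parsed
            self.cache[sender_ip] = sender_mac

    def next_hop(self, dst_ip: str) -> str:
        """MAC address this host will put on frames destined for dst_ip."""
        return self.cache[dst_ip]


def attacker_forward(real_macs: dict, dst_ip: str) -> str:
    """Step 3: the attacker rewrites the destination MAC to the real owner of dst_ip."""
    return real_macs[dst_ip]


def poison_and_forward() -> dict:
    host1 = Host("01:01:01:01:01:01", "192.168.0.1")
    host2 = Host("02:02:02:02:02:02", "192.168.0.2")
    attacker_mac = "03:03:03:03:03:03"
    # Step 1: the real mappings, as after a normal ARP request/reply exchange.
    host1.cache[host2.ip] = host2.mac
    host2.cache[host1.ip] = host1.mac
    # Step 2: the attacker sends the two forged replies.
    host1.receive(build_arp_reply(attacker_mac, host2.ip, host1.mac, host1.ip))
    host2.receive(build_arp_reply(attacker_mac, host1.ip, host2.mac, host2.ip))
    # Step 3: the attacker keeps the real table so it can relay both directions.
    real = {host1.ip: host1.mac, host2.ip: host2.mac}
    return {
        "host1_sends_to": host1.next_hop(host2.ip),
        "host2_sends_to": host2.next_hop(host1.ip),
        "attacker_forwards_host1_traffic_to": attacker_forward(real, host2.ip),
        "attacker_forwards_host2_traffic_to": attacker_forward(real, host1.ip),
    }


if __name__ == "__main__":
    for k, v in poison_and_forward().items():
        print(f"{k}: {v}")
```

Both victims now resolve each other's IP to 03:03:03:03:03:03 while the attacker still knows the real addresses, which is the whole trick: the poisoned hosts see no error, only a silent extra hop. A real tool re-sends these replies every few seconds, because a normal ARP exchange between the victims would otherwise repair the cache.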

Now, we will play with this tool. 😀

1 . To start the tool with its graphical interface, run:

ettercap -G


2 . Choose "Sniff -> Unified sniffing". It shows the list of available network interfaces; choose the interface you want to capture on and click OK.


3 . Now we need to find out which hosts are on our network. Choose "Hosts -> Scan for hosts". Ettercap sends an ARP request for every address in the subnet and lists the hosts that answer.


And here is the result: we have 11 hosts on our network.

4 . Before doing anything else, we should take a quick look at the host we want to target. I usually use Nmap for this. Taking 192.168.10.118 as the example (-A turns on OS and service detection, -Pn skips the ping check and scans the host anyway):

nmap -A -Pn 192.168.10.118

The output shows which ports are open on this computer and which operating system it is probably running.

5 . To start sniffing, follow these steps:
– Open the host list (Ctrl + H), right-click to add your gateway (192.168.10.1) as Target 1 and your victim (192.168.10.129) as Target 2. Ettercap poisons the caches of both targets so that traffic between them passes through our machine.


  • Mitm -> ARP poisoning -> tick "Sniff remote connections" -> OK. The "remote" option makes Ettercap also sniff the victim's connections that go through the gateway to the outside, not only traffic between the two targets.

  • Plugins -> Manage the plugins. The list shows the many things Ettercap can do; double-click dns_spoof to activate it. dns_spoof answers DNS queries with the addresses listed in Ettercap's etter.dns file, so it only does something once you add entries there; it is not needed just to capture credentials.


  • Then choose Start -> Start sniffing.

6 . For this example I use a web site with a login form. When the victim logs in, we can read the credentials in Wireshark. This works because the form is submitted over plain HTTP; with HTTPS the same position on the network yields only encrypted traffic.

7 . There are also countermeasures against this ARP poisoning technique.

  • On small networks, static ARP entries can be used: the mapping never changes, so any attempt to alter it fails. This works for small networks but not for big ones, because every new device added to the network must be mapped manually, which quickly becomes a pain.

  • On large networks, the port security features of network switches can be turned on. Port security limits each physical port to one (or a few) MAC addresses, which stops MAC flooding and stops a machine from spoofing other source MAC addresses. Note, however, that the ARP poisoning shown here uses the attacker's own MAC address, so port security alone does not stop it. The switch feature that does is Dynamic ARP Inspection (DAI): the switch checks every ARP reply against the DHCP snooping binding table (or static bindings) and drops replies whose IP/MAC pair does not match, so the forged replies never reach the victims.

  • In general, the local network administrator can deploy a monitoring tool such as ARPwatch to get alerts when suspicious ARP activity takes place on the network, for example an IP address suddenly mapping to a different MAC address.
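The two host-side defences above in working form, as an added example that is neither the original post's code nor ARPwatch's: an ARPwatch-style monitor that raises an alert when an IP changes MAC address or when one MAC starts claiming several IPs (the signature of a man in the middle that poisons both the gateway and a client), run over a constructed sequence of ARP replies using the gateway and victim addresses from step 5, plus a cache with static entries that ignores the forged replies. The reply sequence and the attacker MAC are constructed for the example.

```python
"""ARPwatch-style monitoring of ARP replies, plus the static-entry defence.

Added example, not from the original post and not ARPwatch's code. The ARP
replies below are constructed: a gateway and a client announce themselves,
then an attacker's MAC claims both of their addresses, as in the scenario above."""
from collections import defaultdict

# (seq, sender_mac, sender_ip) as a passive sniffer on the LAN would see them.
OBSERVED_REPLIES = [
    (1, "00:aa:00:00:00:01", "192.168.10.1"),    # gateway announces itself
    (2, "00:bb:00:00:00:29", "192.168.10.129"),  # client announces itself
    (3, "03:03:03:03:03:03", "192.168.10.1"),    # attacker: "the gateway is at my MAC"
    (4, "03:03:03:03:03:03", "192.168.10.129"),  # attacker: "the client is at my MAC"
    (5, "03:03:03:03:03:03", "192.168.10.1"),    # attacker re-poisons every few seconds
]


class ArpMonitor:
    """Tracks IP -> MAC and MAC -> {IPs}; returns ARPwatch-like alert lines."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)

    def observe(self, seq, mac, ip):
        alerts = []
        known = self.ip_to_mac.get(ip)
        if known is None:
            alerts.append(f"#{seq} new station {ip} at {mac}")
        elif known != mac:
            # ARPwatch reports this as "changed ethernet address" (a "flip flop"
            # when it keeps alternating); on a stable LAN it is rare and worth a look.
            alerts.append(f"#{seq} changed ethernet address {ip}: {known} -> {mac}")
        self.ip_to_mac[ip] = mac
        before = len(self.mac_to_ips[mac])
        self.mac_to_ips[mac].add(ip)
        after = len(self.mac_to_ips[mac])
        if after > before and after > 1:
            # One MAC answering for several IPs is how a MITM between gateway
            # and client looks from the outside.
            alerts.append(f"#{seq} {mac} claims {after} addresses: {sorted(self.mac_to_ips[mac])}")
        return alerts

    def run(self, replies):
        out = []
        for seq, mac, ip in replies:
            out.extend(self.observe(seq, mac, ip))
        return out


class StaticArpCache:
    """Host-side defence: entries configured as static never change on incoming replies.

    Models what `arp -s <ip> <mac>` (or `ip neigh ... nud permanent` on Linux) does."""

    def __init__(self, static: dict):
        self.static = dict(static)
        self.dynamic = {}

    def receive(self, mac: str, ip: str) -> bool:
        """Apply a reply; returns False when it was ignored because the entry is static."""
        if ip in self.static:
            return False
        self.dynamic[ip] = mac
        return True

    def lookup(self, ip: str):
        return self.static.get(ip) or self.dynamic.get(ip)


if __name__ == "__main__":
    for line in ArpMonitor().run(OBSERVED_REPLIES):
        print(line)
    cache = StaticArpCache({"192.168.10.1": "00:aa:00:00:00:01"})
    cache.receive("03:03:03:03:03:03", "192.168.10.1")
    print("client still resolves the gateway to", cache.lookup("192.168.10.1"))
```

Replies 1 and 2 only produce "new station" lines; reply 3 produces the "changed ethernet address" alert for the gateway, and reply 4 produces a second one for the client plus the "claims 2 addresses" alert for the attacker's MAC. A legitimate NIC replacement produces the same one-time "changed" alert, so in practice these alerts are reviewed rather than acted on automatically. The static cache shows the other side: with the gateway pinned, the client keeps resolving 192.168.10.1 to the real MAC no matter what the attacker sends, which is exactly why the manual maintenance the text mentions is the price of this defence.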

Now you can understand how dangerous ARP poisoning is in your local network. Try it today on your own network, but for learning purposes only. 😀
