Download link : http://idws.us/babfhbe

1. ARP SPOOFING

Open Ettercap in graphical mode

#ettercap -G
openmaniak ettercap

Select the sniff mode

Sniff -> Unified sniffing
openmaniak ettercap man in the middle attack sniff united sniffing arrow blue
openmaniak ettercap

Scan for host inside your subnet

Hosts -> Scan for hosts

The network range scanned will be determined by the IP settings of the interface you have just chosen in the previous step.

openmaniak ettercap man in the middle attack arrow blue
openmaniak ettercap  man in the middle attack sniff united sniffing

See the MAC & IP addresses of the hosts inside your subnet.

openmaniak ettercap man in the middle attack

Select the machines to poison

We chose to ARP poison only the windows machine 192.168.1.2 and the router 192.168.1.1.
Highlight the line containing 192.168.1.1 and click on the “target 1” button.
Highlight the line containing 192.168.1.2 and click on the “target 2” button.
If you do not select any machines as target, all the machine inside the subnet will be ARP poisoned.

openmaniak ettercap man in the middle attack

Check your targets

openmaniak ettercap man in the middle attack

 

man in the middle attack openmaniak ettercap

Start the ARP poisoning

Mitm -> Arp poisoning
man in the middle attack openmaniak ettercap arrow blue
man in the middle attack openmaniak ettercap

Start the sniffer

Finally, start the sniffer to collect statistics.

Start -> Start sniffing
man in the middle attack openmaniak ettercap

Top of the page


ARP TRAFFIC:

On the Windows machine, with the help of Wireshark, we can compare the ARP traffic before and after the poisoning:

As a reminder: (See the network diagram)

192.168.1.1
192.168.1.2
192.168.1.100
(Router)
(Windows)
(Pirate)
11:22:33:44:11:11
11:22:33:44:55:66
11:22:33:44:99:99

Before the poisoning
Before being able to communicate together, the router and the Windows machine send an ARP broadcast to find the MAC address of the other.

No
1
2
3
4
Source
11:22:33:44:55:66
11:22:33:44:11:11
11:22:33:44:11:11
11:22:33:44:55:66
Destination
11:22:33:44:11:11
11:22:33:44:55:66
11:22:33:44:55:66
11:22:33:44:11:11
Prot
ARP
ARP
ARP
ARP
Info
who has 192.168.1.1? Tell 192.168.1.2
192.168.1.1 is at 11:22:33:44:11:11
who has 192.168.1.2? Tell 192.168.1.1
192.168.1.2 is at 11:22:33:44:55:66

arrow blue

After the poisoning
The router ARP broadcast request is answered by the Windows machine similarly than in the previous capture.
The difference between the two steps comes from the fact that there is no request coming from Windows (192.168.1.2) to find the MAC address associated to the router (192.168.1.1) because the poisoner continuously sends ARP packets telling the Windows machine that 192.168.1.1 is associated to his own MAC address (11:22:33:44:99:99) instead of the router MAC address (11:22:33:44:11:11).

No
1
2
3
4
Source
11:22:33:44:11:11
11:22:33:44:55:66
11:22:33:44:99:99
11:22:33:44:99:99
Destination
11:22:33:44:55:66
11:22:33:44:11:11
11:22:33:44:55:66
11:22:33:44:55:66
Prot
ARP
ARP
ARP
ARP
Info
who has 192.168.1.2? Tell 192.168.1.1
192.168.1.2 is at 11:22:33:44:55:66
192.168.1.1 is at 11:22:33:44:99:99
192.168.1.1 is at 11:22:33:44:99:99

ARP TABLES:

If we look at the router and Windows machine ARP table, we see that the Ettercap Linux machine poisoned their ARP table and replaced the router or Windows machine MAC addresses by its own MAC address.
This means that the packets between the Windows machine and the router will transit through the Ettercap machine.
Let’s see if we successfully poisoned the router and windows machine ARP table:

——————– Windows machine 192.168.1.2 ——————–

Launch a command line interface window as follow:
Start -> Run -> cmd

C:\Documents and Settings\administrator>arp -a

Interface�: 192.168.1.2 — 0x2

Internet Address
192.168.1.1
192.168.1.100
Physical Address
11-22-33-44-11-11
11-22-33-44-99-99
Type
dynamic
dynamic

arrow blue

Interface�: 192.168.1.2 — 0x2

Internet Address
192.168.1.1
192.168.1.100
Physical Address
11-22-33-44-99-99
11-22-33-44-99-99
Type
dynamic
dynamic

 

——————– Linux machine 192.168.1.100 ——————–
#arp -a
?
?
(192.168.1.1)
(192.168.1.2)
at
at
11:22:33:44:11:11
11:22:33:44:55:66
[ether]
[ether]
on
on
eth0
eth0
——————– router openmaniak cisco Router 192.168.1.1 ——————–
>show arp
Protocol
Internet
Internet
Address
192.168.1.2
192.168.1.100
Age (min)
194
128
Hardware Addr
1122.3344.5566
1122.3344.9999
Type
ARPA
ARPA
interface
FastEthernet0/0
FastEthernet0/0

arrow blue

Protocol
Internet
Internet
Address
192.168.1.2
192.168.1.100
Age (min)
194
128
Hardware Addr
1122.3344.9999
1122.3344.9999
Type
ARPA
ARPA
interface
FastEthernet0/0
FastEthernet0/0

If you have a Netscreen (Juniper) device, use the following command to display the ARP table:

>get arp

On a Vyatta router:

>show arp

STOPPING THE ARP SPOOFING:

openmaniak ettercap

Ettercap is pretty effective. After the attack, it will “re-arp” the victims. In other words the victims ARP cache will again contain correct entries .

If the cache still contains poisoned IP – MAC address correspondences, you can either wait some minutes, which is the time needed for the entry ARP cache to refresh itself, or, better, clear the ARP cache.

On a Microsoft machine:

C:\Documents and Settings\admin>arp -d *

On an Ubuntu or Debian Linux:

#arp -d ip_address

On a Cisco router:

#clear arp-cache

 

http://openmaniak.com/ettercap_arp.php