- Intercept with Ettercap
- View TCP streams with Wireshark
I'm going to use Ettercap to perform a MITM with ARP poisoning. I will log onto a website without HTTPS from a remote workstation and, from my desktop, intercept the username and password used to log onto the site.
To get started I'm going to click Sniff -> Unified Sniffing. It will ask you to select an interface; in my case I'm going to use eth0.
- Click Start -> Start sniffing
- Click Hosts -> Scan for hosts
When it finds hosts on your network, it will display the results underneath.
Go to Hosts -> Host list. This will show you all the IP and MAC addresses that have been found.
My target is 192.168.1.248, so I select it and click Add to Target 1.
Now to perform the ARP poisoning:
- Click Mitm -> Arp poisoning
- Then click Sniff remote connections -> OK
Ettercap will confirm this in the box below.
When I open an HTTP connection to a website and log in, the credentials cross the wire in cleartext because the site is not using HTTPS, so Ettercap will intercept the traffic and show the username and password that were used.
It will display something like the following:
HTTP:x.x.x.x:80 -> USER: XXXX PASS: XXXX INFO: XX.com
You can view all of this information and more with Wireshark.
If we right-click the HTTP traffic and select Follow TCP Stream, we will be able to find the username and password in the reassembled request.
Click Find and search for "user" to jump to the login fields.
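From the defender's side, the ARP poisoning performed above is visible on the wire: an IP that was already mapped to one MAC gets re-announced from a different MAC, and one MAC ends up claiming both the gateway and the victim. The following added example (not code from the original post or from Ettercap) applies those two checks to a constructed list of ARP replies; all MAC and IP values in it are illustrative.

```python
"""Detect ARP cache poisoning from a sequence of ARP replies.

Added example, not part of the original post. The sample replies below are
constructed: 192.168.1.1 plays the gateway, 192.168.1.248 the victim from the
walkthrough, and bb:bb:bb:bb:bb:99 a host that re-announces both addresses.
"""
from collections import defaultdict

# Constructed ARP replies as (sender_ip, sender_mac), in arrival order.
SAMPLE_REPLIES = [
    ("192.168.1.1",   "aa:aa:aa:aa:aa:01"),  # gateway, legitimate
    ("192.168.1.248", "aa:aa:aa:aa:aa:48"),  # victim, legitimate
    ("192.168.1.1",   "bb:bb:bb:bb:bb:99"),  # gateway IP rebound to another MAC
    ("192.168.1.248", "bb:bb:bb:bb:bb:99"),  # victim IP rebound to the same MAC
]


def detect_arp_poisoning(replies):
    """Return alert strings for suspicious replies, in the order they occur.

    Check 1 (flip): an IP previously seen with one MAC is now announced
    from a different MAC.
    Check 2 (multi-ip): one MAC announces more than one IP address, which
    is what a host sitting between gateway and victim has to do.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append(f"flip: {ip} moved from {known} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"multi-ip: {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES):
        print(alert)
```

A host that legitimately owns several addresses (a router with aliases) trips the second check, so in practice seed `ip_to_mac` with known-good mappings and alert only on deviations from them.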