Wednesday, 13 November 2013

Ettercap: ARP poisoning



  • Intercept with Ettercap
  • View TCP streams with Wireshark 


I'm going to use Ettercap to perform a MITM with ARP poisoning. I will log onto a website without HTTPS on a remote workstation and intercept the username and password required to log onto the site from my desktop.

To get started, I'm going to click Sniff -> Unified Sniffing. It will ask me to select an interface; in my case I'm going to use eth0.

  • Click Start -> Start sniffing
  • Click Hosts -> Scan for hosts

When it finds hosts on your network, it will display the results underneath.

Go to Hosts -> Host list. This will show you all the IP and MAC addresses that have been found.

My target is, so I click Add to Target 1;

Now to perform the ARP poisoning;
  • Click Mitm -> ARP poisoning
  • Then click Sniff remote connections -> OK

Ettercap will confirm this in the box below.

When I open an HTTP connection to a website and login, Ettercap will intercept the traffic and show the username and password that was used.

It will display something like the following;



You can view all of this information and more with Wireshark;

If we right-click the HTTP traffic and select Follow TCP Stream, we will be able to find the username and password;

Click Find and enter user;
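What the ARP poisoning step above looks like from the monitoring side, as an added example that is not part of the original post: a small parser for ARP payloads that flags an IP address moving to a new MAC and a single MAC claiming several IPs. The addresses, `make_arp` and the sample packets are constructed assumptions.

```python
import socket
import struct

def parse_arp(payload: bytes):
    """Parse an Ethernet/IPv4 ARP payload into (opcode, sender_mac, sender_ip)."""
    if len(payload) < 28:
        raise ValueError("ARP payload shorter than 28 bytes")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return oper, payload[8:14].hex(":"), socket.inet_ntoa(payload[14:18])

def detect_poisoning(payloads):
    """Alert when an IP moves to a new MAC or one MAC claims several IPs."""
    ip_to_mac, mac_to_ips, alerts = {}, {}, []
    for raw in payloads:
        _oper, mac, ip = parse_arp(raw)
        if ip == "0.0.0.0":  # ARP probe: sender asserts no binding
            continue
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            alerts.append(("rebind", ip, known, mac))
            ip_to_mac[ip] = mac
        ips = mac_to_ips.setdefault(mac, set())
        ips.add(ip)
        if len(ips) > 1:
            alerts.append(("multi-ip", mac, tuple(sorted(ips))))
    return alerts

def make_arp(oper, smac, sip, tmac, tip):
    """Build a constructed ARP payload for the sample data below."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + bytes.fromhex(smac.replace(":", "")) + socket.inet_aton(sip)
            + bytes.fromhex(tmac.replace(":", "")) + socket.inet_aton(tip))

# Constructed sample: gateway, workstation and a third host (all assumptions).
GW, WS, X = "00:11:22:33:44:01", "00:11:22:33:44:10", "00:11:22:33:44:66"
SAMPLE = [
    make_arp(2, GW, "192.168.1.1", WS, "192.168.1.10"),   # normal reply
    make_arp(2, WS, "192.168.1.10", GW, "192.168.1.1"),   # normal reply
    make_arp(2, X, "192.168.1.66", GW, "192.168.1.1"),    # normal reply
    make_arp(2, X, "192.168.1.1", WS, "192.168.1.10"),    # gateway IP, wrong MAC
    make_arp(2, X, "192.168.1.10", GW, "192.168.1.1"),    # workstation IP, wrong MAC
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE):
        print(alert)
```

The multi-ip rule also fires for legitimate multi-homed hosts and proxy ARP, so treat it as a lead to check against known gateway and server MACs rather than as proof.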
