Wednesday, 13 November 2013

Ettercap: ARP poisoning

 

Objectives:

  • Intercept with Ettercap
  • View TCP streams with Wireshark 

Ettercap


I'm going to use Ettercap to perform a MITM attack using ARP poisoning. I will log in to a website that does not use HTTPS from a remote workstation and, from my desktop, intercept the username and password used to log in.

To get started, I click Sniff -> Unified Sniffing. Ettercap asks which interface to use; in my case I use eth0.

  • Click Start -> Start sniffing
  • Click Hosts -> Scan for hosts

When Ettercap finds hosts on your network, it displays the results underneath.

Go to Hosts -> Host list. This will show you all the IP and MAC addresses that have been found.

http://imgur.com/0EZwtCp

My target is 192.168.1.248, so I click Add to Target 1.


Now to perform the ARP poisoning:
  • Click Mitm -> Arp poisoning
  • Then click Sniff remote connections -> OK

Ettercap will confirm this in the box below.
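
What this poisoning looks like from the defender's side, as an added example that is not part of the original post: ARP poisoning works by sending forged ARP replies, so a monitor that watches sender IP/MAC pairs sees an IP move to a new MAC and one MAC claim several IPs. The MAC addresses, the gateway 192.168.1.1 and the sniffing host 192.168.1.50 are constructed sample values (only 192.168.1.248 comes from the post), and treating the first binding seen as the baseline is an assumption.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP payload, 28 bytes

def parse_arp(payload: bytes):
    """Return (opcode, sender_mac, sender_ip) from a raw ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    return oper, sha.hex(":"), socket.inet_ntoa(spa)

def detect_poisoning(payloads):
    """Flag IPs whose MAC changes and MACs that claim more than one IP."""
    first_seen, claimed, alerts = {}, {}, []
    for raw in payloads:
        _oper, mac, ip = parse_arp(raw)
        baseline = first_seen.setdefault(ip, mac)  # assumption: first binding is genuine
        if baseline != mac and ("rebind", ip, baseline, mac) not in alerts:
            alerts.append(("rebind", ip, baseline, mac))
        claimed.setdefault(mac, set()).add(ip)
    for mac, ips in claimed.items():
        if len(ips) > 1:  # one NIC answering for several hosts
            alerts.append(("multi-ip", mac, tuple(sorted(ips))))
    return alerts

def build_arp(oper, sha, spa, tha, tpa):
    """Pack a constructed ARP payload for the sample below (nothing is sent)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha),
                       socket.inet_aton(spa), mac(tha), socket.inet_aton(tpa))

# Constructed sample: three genuine replies, then two forged ones.
GW, TARGET, SNIFFER = "02:00:00:00:00:01", "02:00:00:00:00:f8", "02:00:00:00:00:aa"
SAMPLE = [
    build_arp(2, GW, "192.168.1.1", TARGET, "192.168.1.248"),
    build_arp(2, TARGET, "192.168.1.248", GW, "192.168.1.1"),
    build_arp(2, SNIFFER, "192.168.1.50", GW, "192.168.1.1"),
    build_arp(2, SNIFFER, "192.168.1.1", TARGET, "192.168.1.248"),   # forged
    build_arp(2, SNIFFER, "192.168.1.248", GW, "192.168.1.1"),       # forged
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE):
        print(alert)
```

The same two signals are what static ARP entries for the gateway or switch-level dynamic ARP inspection are meant to prevent.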

When I open an HTTP connection to a website and log in, Ettercap intercepts the traffic and shows the username and password that were used.

It will display something like the following:

HTTP:x.x.x.x:80 -> USER: XXXX PASS: XXXX INFO: XX.com

Wireshark


You can view all of this information and more with Wireshark:

http://imgur.com/lP3hbkL

If we right-click the HTTP traffic and select Follow TCP Stream, we will be able to find the username and password.

Click Find and enter user:

http://imgur.com/ovMAadU
