Ettercap is a tool written by Alberto Ornaghi (ALoR) and Marco Valleri (NaGA) that provides a suite for man-in-the-middle attacks on a LAN. It comes with both a Command Line Interface (CLI) and a Graphical User Interface (GUI). It attacks the ARP protocol in order to position itself as the "man in the middle". A man-in-the-middle attack is one in which an attacker places their machine in the logical path between two machines talking to each other and then captures the complete information flow of the communication. Because the attacker sits in the path between the two machines, they can also launch many other, very dangerous attacks.
What is a man in the middle attack?
The ARP protocol, provided with the network layer, is a layer 3 protocol used to translate IP addresses (ex: 192.168.1.1) to physical network card addresses, or MAC addresses (ex: 0fe1.2ab6.239). When a device tries to reach a network resource, it first sends a request to the other devices asking for the MAC address associated with the IP address it wants to reach. The caller keeps the IP - MAC association in its ARP cache to speed up later connections to the same IP address. The man-in-the-middle attack takes place when a machine asks the others for the MAC address associated with an IP address: the attacker answers the caller with fake packets claiming that the IP address is associated with the attacker's own MAC address, and in this way "short-cuts" the real IP - MAC answer coming from the legitimate host. Such an attack is referred to as ARP poisoning or ARP spoofing. It is possible only if the attacker and the victims are inside the same broadcast domain, which is defined on the host by an IP address and a subnet mask.
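The poisoning described above leaves a visible trace on the wire: ARP replies that nobody asked for, and replies that bind an IP address to a different MAC than the one already learned for it. The following detector is an added example, not part of the original article and not Ettercap code. It assumes raw Ethernet II frames carrying ARP (EtherType 0x0806), as a capture tool would deliver them; the sample traffic (the gateway, host and attacker addresses and their roles) is constructed for the demonstration.

```python
"""Detect ARP-poisoning symptoms in raw Ethernet/ARP frames (added example).

Assumption: frames are Ethernet II + ARP over IPv4. The sample frames at the
bottom are constructed for this demonstration, not captured traffic.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"eth_src": mac_str(eth_src), "op": op, "sha": mac_str(sha),
            "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpMonitor:
    """Track IP -> MAC bindings and flag replies that look like poisoning."""

    def __init__(self):
        self.table = {}       # ip -> MAC learned from the first reply seen
        self.pending = set()  # (requester ip, requested ip) of outstanding requests

    def feed(self, frame):
        """Process one frame; return a list of alert strings (empty if nothing suspicious)."""
        pkt = parse_arp(frame)
        if pkt is None:
            return []
        alerts = []
        if pkt["op"] == ARP_REQUEST:
            self.pending.add((pkt["spa"], pkt["tpa"]))
            return alerts
        if pkt["op"] != ARP_REPLY:
            return alerts
        # The MAC inside the ARP payload should match the Ethernet source that sent it.
        if pkt["sha"] != pkt["eth_src"]:
            alerts.append(f"ARP sender MAC {pkt['sha']} differs from frame source {pkt['eth_src']}")
        # A reply should answer a request we saw: (target asked, sender answering).
        key = (pkt["tpa"], pkt["spa"])
        if key in self.pending:
            self.pending.discard(key)
        else:
            alerts.append(f"unsolicited ARP reply for {pkt['spa']} from {pkt['sha']}")
        # An IP that suddenly moves to another MAC is the classic poisoning symptom.
        known = self.table.get(pkt["spa"])
        if known is None:
            self.table[pkt["spa"]] = pkt["sha"]
        elif known != pkt["sha"]:
            alerts.append(f"{pkt['spa']} changed from {known} to {pkt['sha']}")
        return alerts


def build_arp(op, sha, spa, tha, tpa):
    """Construct an Ethernet+ARP frame; used only to produce the sample traffic below."""
    sha_b, tha_b = mac_bytes(sha), mac_bytes(tha)
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else tha_b
    return (ETH_HDR.pack(eth_dst, sha_b, ETHERTYPE_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, op, sha_b, ip_bytes(spa), tha_b, ip_bytes(tpa)))


def run_sample():
    """Constructed scenario: a legitimate resolution of the gateway, then a spoofed reply."""
    gateway, gw_mac = "192.168.1.1", "00:11:22:33:44:01"      # constructed addresses
    host, host_mac = "192.168.1.10", "00:11:22:33:44:0a"
    rogue_mac = "00:11:22:33:44:ee"
    frames = [
        build_arp(ARP_REQUEST, host_mac, host, "00:00:00:00:00:00", gateway),  # who has the gateway?
        build_arp(ARP_REPLY, gw_mac, gateway, host_mac, host),                 # real gateway answers
        build_arp(ARP_REPLY, rogue_mac, gateway, host_mac, host),              # unsolicited, new MAC
    ]
    monitor = ArpMonitor()
    return [monitor.feed(f) for f in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(run_sample(), 1):
        print(f"frame {i}: {alerts or 'ok'}")
```

The monitor trusts the first binding it learns, so it must be started on a network believed to be clean (or seeded from a known inventory) to be meaningful; the same limitation applies to the arpwatch-style tools this mirrors. Unsolicited replies also occur legitimately (gratuitous ARP after a DHCP lease or a failover), so they are a lower-severity signal than an IP changing MAC. On the mitigation side, static ARP entries for critical hosts such as the gateway, and dynamic ARP inspection on managed switches, remove the attacker's ability to win the race described above.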
How does Ettercap work?
Every time Ettercap starts, it disables IP forwarding in the kernel and begins to forward packets itself. This can slow down network performance between the two hosts, because every packet now spends time being processed by the Ettercap machine. Ettercap needs root privileges to open the link layer sockets. After the initialization phase the root privileges are no longer needed, so Ettercap drops them to UID 65535 (nobody). Since Ettercap has to create and write log files, it must be executed in a directory with the right permissions.
The first thing to do is to set an IP address on your Ettercap machine in the same IP subnet as the machine you want to poison, then follow the steps below.
1. Open Ettercap in GUI mode
2. Select the sniff mode
3. Scan the subnet for hosts
4. See the hosts in your subnet
5. Select your victims
6. Start the ARP poisoning
7. Start the sniffer
8. Analyze the result
9. Stop the sniffer
After analyzing the results you can examine any connection. Stop any connection you consider unsafe, where a man in the middle attack could occur.