Before talking about Ettercap, its installation, and its workflow, let’s talk about the category it falls into. Have you ever heard of MITM? If not, let me give you a brief introduction. As a penetration tester or security personnel, one should know about MITM, or Man-In-The-Middle, attacks. But let’s assume that we are not one of them.
We will start with the basics.
Man-In-The-Middle Attack: It is a form of active attack where the attacker places himself in the connection between the sender and receiver. This is done so smoothly that both the sender and receiver are unaware of it and think that they are talking to each other directly. The attacker establishes his own connection in place of the direct connection between the sender and receiver.
He can sniff packets and alter them as well. He can also monitor the traffic between the users. Protocols like SSL can prevent MITM. A hacker may use the software listed below:
- Cain and Abel
- Air Jack
Let’s introduce you all to a popular tool called Ettercap. It is a free and open-source tool that can launch Man-In-The-Middle attacks. You can use this tool for network analysis and security auditing, and it can run on various operating systems, like Linux, Windows, and Mac OS X.
Ettercap can work in these four modes:
- IP-based: Filter packets by IP address.
- MAC-based: Filter packets by MAC address.
- ARP-based: It sniffs packets between two hosts on a switched network.
- PublicARP-based: It sniffs packets from a user to all hosts.
Some important features of Ettercap are:
- HTTPS support
- OS fingerprinting
- Passive scanning
- Hijacking DNS
Installing Ettercap On Linux
To install Ettercap on Ubuntu, use the commands below:
sudo apt update
sudo apt install ettercap-common
Working Of Ettercap
STEP 1: First, connect to the network we are targeting. We can connect via Ethernet, which is a pretty tough job, or via a wireless network adapter.
STEP 2: Start Ettercap. Search for and select the Ettercap application.
STEP 3: Click on the Sniff menu item and then select Unified sniffing. A new dialog box will pop up asking you to select the network interface you want to sniff. Select the network interface currently connected to the network you’re attacking.
After this, you’ll see more advanced menu options such as Targets, Hosts, Mitm, Plugins, etc. Before using any of these options, we need to identify our target on the network.
STEP 4: To find the device we want to attack on the network, click on Hosts, then Scan for hosts. A scan will run and Ettercap will build a hosts list. To see the list, click on Hosts, then Hosts list.
STEP 5: Now we want to sniff someone’s packets. We’ll be telling Ettercap that we want to designate that IP address as the one we want to pretend to be. By doing that, we’ll receive the messages which are sent to the receiver by the sender. Go to the Hosts screen and select the IP address of the target. Click on the IP address to highlight it, then click on Target followed by Target list to see the list of devices. Now go to the Mitm menu to start our attack on that target.
STEP 6: Click the Mitm menu and select ARP poisoning. A popup will open; select Sniff remote connections to begin sniffing. This will work only on websites that are using the HTTP protocol. To try another attack, click on Plugins, then Load plugins, and select the type of attack you want to perform.
Caution: The above information is for knowledge purposes only. Do not misuse it; otherwise, you will face consequences under Sections 43 and 66 of the IT Act.