Ettercap, what can be done after ARP poisoning?

January 24th, 2008, by mysurface. Posted in arp, arping, ettercap, etterlog, Network

To protect yourself from security threats, you have to at least know which threats exist and how they could harm you: in which network environments you are exposed to attackers, spoofers and phishers. You have to understand what attacks they can perform and what tools they use, and try out the same tools and techniques that would be used against you.

ARP (Address Resolution Protocol)
ARP is the network protocol used to query the MAC address that belongs to an IP address, so that data packets can be sent across the network at the data link layer.

We usually identify a host by its IP address, which belongs to the network layer of the OSI model, but the actual communication between hardware devices (in this case, network adapters) is by MAC address. An IP address is liable to change, while a MAC address is usually unique (in practice this is not always the case, since plenty of unlicensed network cards are sold everywhere).

Therefore, in order to communicate with a host when only its IP is known, we broadcast an ARP request to the network, and the host with that IP responds. Let's say:

Host A wants to talk to Host B. It broadcasts an ARP request containing Host A's MAC address, Host A's IP address and Host B's IP address. When Host B receives the ARP request, it responds to Host A with its own MAC address.

On receiving the ARP response, Host A maps Host B's IP and MAC address into its ARP cache table. Let's try a few commands to experience the ARP process.

To request the MAC address of a host by its IP we can use arping; to read a MAC address back from the ARP cache we use arp.

I am 192.168.1.101; I want to know your MAC address if you are 192.168.1.1.

arping -Ieth0 -s 192.168.1.101 192.168.1.1

What if I spoof my IP and give another host's IP, 192.168.1.100, instead of my own 192.168.1.101?

arping -Ieth0 -s 192.168.1.100 192.168.1.1
bind: Cannot assign requested address

Yeah! arping is a decent tool: it does not allow spoofing. But what if we could spoof like that? It would cause something like an ARP storm at the host with IP 192.168.1.100.

So now, if I want to check my ARP cache for 192.168.1.1's MAC address:

arp -a 192.168.1.1

ARP Poisoning
ARP poisoning, also known as ARP spoofing, is a way of cheating by sending fake ARP messages onto an Ethernet LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another node (such as the default gateway).

Let's say Host A is the attacker and Host G is the default gateway of the LAN. Host A keeps broadcasting ARP messages to convince the other hosts that it is the default gateway; those fake ARP messages eventually overwrite the ARP cache of every victim host, and all their packets go to the attacker's machine instead of to the default gateway.

With that, the attacker can manipulate the data before forwarding it on to the real destination: the attacker is now a man in the middle (MITM). Attackers can sniff your username and password, your emails, etc. Furthermore, attackers can redirect the web page you ask for. Imagine you are accessing your e-bank account and the connection is intercepted by an MITM attacker who redirects you to a spoofed e-bank page: when you try to log in to the bank, you are actually revealing your username and password to them! OUCH!!!!
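To make the ARP exchange described earlier and the poisoning described here concrete, the following is an added example (my code, not from the original post or from the ettercap project). It encodes and parses the two-message ARP exchange between Host A and the gateway, then feeds a small watcher, modelled on a host's ARP cache, a constructed trace in which one fake reply claims the gateway's IP with a different MAC. This is the check a defender would run against captured ARP traffic: the two symptoms it reports are a binding that flips and one MAC answering for several IPs. All addresses, host names and the trace are made-up sample values.

```python
import struct

# Constructed sample addresses for this example (not from the original post).
HOST_A_IP, HOST_A_MAC = "192.168.1.101", "02:00:00:00:00:aa"
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "02:00:00:00:00:01"
ATTACKER_IP, ATTACKER_MAC = "192.168.1.105", "02:00:00:00:00:ee"

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
ETHERTYPE_ARP = b"\x08\x06"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an Ethernet/IPv4 ARP packet (RFC 826).
    A request is broadcast (only the target IP is known); a reply is unicast."""
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    ethernet = mac_bytes(eth_dst) + mac_bytes(sender_mac) + ETHERTYPE_ARP
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return ethernet + arp

def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }

def arp_exchange():
    """The legitimate exchange: Host A asks who has the gateway's IP,
    and the gateway answers with its MAC."""
    request = build_arp(ARP_REQUEST, HOST_A_MAC, HOST_A_IP, ZERO_MAC, GATEWAY_IP)
    reply = build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_A_MAC, HOST_A_IP)
    return [request, reply]

class ArpWatch:
    """Learns IP -> MAC bindings from ARP traffic, as a host's ARP cache does,
    and records what a poisoned cache looks like: a binding for an IP that
    flips to a different MAC, and one MAC that claims several IPs."""

    def __init__(self, gateway_ip=None):
        self.table = {}        # ip -> MAC currently believed
        self.alerts = []       # findings, in the order they were seen
        self.gateway_ip = gateway_ip

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return             # not ARP, nothing to learn
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        old = self.table.get(ip)
        if old is not None and old != mac:
            severity = "HIGH" if ip == self.gateway_ip else "MEDIUM"
            self.alerts.append(f"{severity}: {ip} moved from {old} to {mac}")
        self.table[ip] = mac

    def duplicates(self):
        """MACs that currently answer for more than one IP."""
        owners = {}
        for ip, mac in self.table.items():
            owners.setdefault(mac, []).append(ip)
        return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}

def demo():
    """Constructed trace: the legitimate exchange, the attacker host's own ARP
    request, then one fake reply claiming the gateway's IP with the attacker's MAC."""
    watch = ArpWatch(gateway_ip=GATEWAY_IP)
    for frame in arp_exchange():
        watch.observe(frame)
    watch.observe(build_arp(ARP_REQUEST, ATTACKER_MAC, ATTACKER_IP, ZERO_MAC, HOST_A_IP))
    fake = build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, HOST_A_MAC, HOST_A_IP)
    watch.observe(fake)
    return watch

if __name__ == "__main__":
    w = demo()
    print("\n".join(w.alerts), w.duplicates())
```

The watcher learns from both requests and replies, since a host cache does the same, and rates a flip of the gateway's binding as HIGH because that is the binding the post's attack targets. On a real network the same two checks are what a tool like arpwatch reports, and the usual mitigation on a host is a static ARP entry for the gateway (arp -s) so that fake replies cannot overwrite it.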

The dark side of the Force is a pathway to many abilities some consider to be unnatural.
Supreme Chancellor (The Emperor) to Anakin Skywalker in Star Wars: Episode III – Revenge of the Sith

What tools can be used to perform ARP poisoning?
ettercap, dsniff.

Ettercap supports various MITM attacks, and it supports filters so you can sniff packets and manipulate them. Here, let me show you a simple one: how to sniff the packets of a neighbouring host and reveal them in plain text.

DON'T TRY THIS ON PUBLIC OR OTHER PEOPLE'S NETWORKS; YOU MIGHT GET CAUGHT, BECAUSE A LOT OF INTRUSION DETECTION SYSTEMS CAN DETECT THESE MITM ATTACKS.

We want to see everything in plain text. Show us, ettercap:

ettercap -T -ieth0

It's too fast! Record it and I will look at it later!

ettercap -Tq -ieth0 -Lmylog

Ettercap creates two files: mylog.ecp holds all the packet flows and their contents in plain text, and mylog.eci lists all the remote hosts it discovered.

etterlog mylog.eci | less
etterlog mylog.ecp | less

Okay, until now we haven't done any ARP poisoning. Now I want to be BAD and poison the 192.168.1.x network:

ettercap -Tq -ieth1 -L mylog -M arp:remote /192.168.1.1-254/

There are so many "unnatural" options you can ask ettercap to perform for you; check out its man page, but before you go further I would recommend you read this first.

One Response to “Ettercap, what can be done after ARP poisoning?”

  1. When I originally commented I clicked the “Notify me when new comments are added” checkbox and now each time a comment is added I get four e-mails with the same comment. Is there any way you can remove people from that service? Appreciate it!
