Ettercap is a tool written by Alberto Ornaghi (ALoR) and Marco Valleri (NaGA). It is essentially a suite for man-in-the-middle attacks on a LAN. For those who do not like the Command Line Interface (CLI), it also provides an easy graphical interface.

Ettercap can attack the ARP protocol to position itself as "man in the middle" and, once in that position, it is able to:
- inject, replace or delete data inside a connection
- capture passwords for protocols such as FTP, HTTP, POP, SSH1, etc.
- present fake SSL certificates to the victims in HTTPS sessions
- etc.
Plugins are also available for attacks such as DNS spoofing.

What is a "man in the middle" attack?

This is an attack where the attacker places its machine, logically, on the path between two machines that are talking to each other, as shown in the picture below. Once in this position, the attacker can launch many different and very dangerous attacks, because every packet exchanged between the two normal machines passes through it.

There are several ways to become "man in the middle"; in this tutorial we will look at attacks based on the ARP protocol.

ARP (Address Resolution Protocol) translates IP addresses (ex: 192.168.1.1) into physical network card addresses, or MAC addresses (ex: 0fe1.2ab6.2398). It is carried directly in Ethernet frames rather than inside IP, so it works at the link layer, between OSI layers 2 and 3. When a device wants to reach a host on the local network, it first broadcasts a request asking which MAC address owns the IP it wants to reach, and the owner answers with its MAC address. The caller keeps the IP - MAC association in its cache, the ARP cache, to speed up new connections to the same IP address.

The attack exploits the fact that ARP has no authentication: a host accepts an ARP reply without any way to check that it really came from the owner of that IP address, and most stacks also accept replies they never asked for. The attacker sends forged replies to the victim claiming that the IP address it wants (typically the gateway's) is associated with the attacker's own MAC address, and keeps repeating them so that they override the real IP - MAC answer coming from the legitimate host. This attack is referred to as ARP poisoning or ARP spoofing, and it is possible only if the attacker and the victims are in the same broadcast domain, i.e. the same layer-2 segment and IP subnet, which on the host is defined by an IP address and a subnet mask, for example: 192.168.1.1 255.255.255.0.

In our tutorial, we use the case study below: a machine with IP 192.168.1.2 reaches Internet resources from a local network through its gateway. After the ARP poisoning attack, the Ettercap machine with IP 192.168.1.100 is set as "man in the middle" between them.
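The ARP exchange described above, modelled on the wire as an added example (this is not code from the original tutorial or from Ettercap). It builds the raw Ethernet/ARP frames of the case study, parses them the way a host would, and shows a simplified victim ARP cache being overwritten by a forged reply from the Ettercap machine. The victim (192.168.1.2) and attacker (192.168.1.100) addresses are the tutorial's; the gateway address 192.168.1.1 and all MAC addresses are assumptions constructed for the example.

```python
"""ARP resolution and ARP cache poisoning on the wire (added example)."""
import socket
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed addresses for the case study (the MACs are made up).
VICTIM_IP, VICTIM_MAC = "192.168.1.2", "00:11:22:33:44:02"
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"   # assumed gateway
ATTACKER_IP, ATTACKER_MAC = "192.168.1.100", "00:11:22:33:44:64"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None) -> bytes:
    """Ethernet II header (14 bytes) + ARP body (28 bytes) for IPv4 over Ethernet."""
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac or target_mac), mac_bytes(sender_mac), ETH_TYPE_ARP)
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1,              # hardware type: Ethernet
        0x0800,         # protocol type: IPv4
        6, 4,           # hardware / protocol address lengths
        op,
        mac_bytes(sender_mac), socket.inet_aton(sender_ip),
        mac_bytes(target_mac), socket.inet_aton(target_ip),
    )
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Parse an Ethernet/ARP frame; raises ValueError for anything else."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa),
            "eth_src": mac_str(src), "eth_dst": mac_str(dst)}


class ArpCache:
    """A host's ARP cache, simplified to the behaviour that makes poisoning work:
    a reply is accepted whether or not we asked for it, it is not checked against
    anything, and it silently replaces whatever was cached.  `changes` records
    overwrites where the MAC changed, which is exactly what an arpwatch-style
    detector alerts on."""

    def __init__(self):
        self.table = {}
        self.changes = []

    def process(self, frame: bytes) -> None:
        p = parse_arp(frame)
        if p["op"] != ARP_REPLY:      # requests are ignored in this simplified cache
            return
        old = self.table.get(p["sender_ip"])
        if old is not None and old != p["sender_mac"]:
            self.changes.append((p["sender_ip"], old, p["sender_mac"]))
        self.table[p["sender_ip"]] = p["sender_mac"]

    def lookup(self, ip: str):
        return self.table.get(ip)


def run_case_study() -> ArpCache:
    """1. victim asks for the gateway, 2. gateway answers, 3. attacker sends a forged reply."""
    victim = ArpCache()
    request = build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP,
                        dst_mac=BROADCAST_MAC)
    victim.process(request)
    real_reply = build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    victim.process(real_reply)
    # The poisoned reply: attacker's MAC as sender hardware address, gateway's IP as sender IP.
    forged_reply = build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    victim.process(forged_reply)
    return victim


if __name__ == "__main__":
    cache = run_case_study()
    print("victim's entry for the gateway:", cache.lookup(GATEWAY_IP))
    print("MAC changes seen:", cache.changes)
```

After the forged reply, the victim resolves the gateway's IP to the attacker's MAC, so every frame it sends towards the Internet goes to the Ettercap machine, which forwards it on. In practice Ettercap does the same in the other direction (poisoning the gateway's entry for the victim) and re-sends the forged replies periodically, because the real host's answers and cache expiry would otherwise repair the entry. The `changes` list is the defender's side of the same fact: an IP whose MAC suddenly changes on the segment is the classic sign of ARP poisoning.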