Ettercap and Ethereal -Manu Garg manugarg at gmail dot com
Problem Statement- To gain access to main switch of our compan using a machine in the same !A"# Tools used- Ettercap$ Ethereal Techniques Used- Arp spoofing and Sniffing
How can we achieve our goal? Most of the network administrators use telnet to login to a cisco machine# Telnet is a clear-te%t protocol & so$ if ou can sniff the packets ou can get to know what is other person talking to the machine# Easy then, I will just sniff the packets from the wire and get into my switch. Hey, I dont see any traffic on the wire. What could be the reason? 'ou are in switched network and switches don(t do an fa)or to the hackers# The transmit data onl *etween the talking machines# ut this is not fair. !hey said I am on ethernet. "re they not supposed to use #$%"&#' then? Ethernet has grown up *udd# +t(s ,switched ethernet( now#
Hey wait! Dont get disappointed too soon. We hackers are not supposed to get defeated by a switch. Right? Right# -ur elite masters who designed T./0+/ protocols didn(t forget us# The left an otherwise in)isi*le path which can *e seen * onl their enlightened students# $o what is that path? +t(s the path of arp spoofing# 1 using this techni2ue ou can fool our target machines to send data through our attacking machine and then ou can sniff it on our attacking machine#
ARP SPOOF!"## How does it wor$? Target 3 +/4 356#378#3#3 Hw4 99499499499499493 Target 6 +/4 356#378#3#399 Hw4 99499499499499496 AM :Attacking Machine; +/4 356#378#3#363 Hw4 9949949949949949< Switch Switch forwarding traffic *ased on MA. address %e&ore Attac$''((
9949949949949943= 356#378#3#36< 99499499499499496 356#378#3#399 T3:356#378#3#3;4 T6:356#378#3#399;4 9949949949949943= 356#378#3#36< 99499499499499493 356#378#3#3 1efore attack$ T3 and T6 are talking to each other onl# 1elow is the arp ta*le of the machines# The switch understands onl MA. addresses and forwards the packets to the right machines *ased on this MA. address# What if we manipulate the arp ta*les :this is called arp poisoning; on T3 and T6 so that the target MA. address in all the packets *eing e%changed *etween them$ *ecomes the MA. address of our attacking machine# 'ou got it right# Then switch will forward the packet to the attacking machine# So after attack arp ta*le should look like something *elow4 9949949949949943= 356#378#3#36< 9949949949949949< 356#378#3#399 T34 9949949949949943= 356#378#3#36< 9949949949949949< 356#378#3#3 T64 Where 9949949949949949< is the MA. address of attacking machine#
ARP SPOOF!"## How does it wor$? Target 3 +/4 356#378#3#3 Hw4 99499499499499493 Target 6 +/4 356#378#3#399 Hw4 99499499499499496 AM :Attacking Machine; +/4 356#378#3#363 Hw4 9949949949949949< Switch Switch forwarding traffic *ased on MA. address A&ter Attac$''(( "ote4 >on(t forget to ena*le ip?forwarding on our attacking machine otherwise ou(ll *reak down traffic *etween 6 machines#
O)( guess* now +ou $now what ARP s,oo&ing is( !ow the bigger question - How do we ,oison ARP table on T- and T.? E%planation starts from another 2uestion# How do the hosts *uild this arp ta*le@ This ta*le is *uilt using arp protocol# AR/ protocol has 6 kinds of packets & AR/ re2uest and AR/ repl# When a machine :sa$ A; wants to know MA. address of another machine :sa$ 1;$ it sends an AR/ re2uest asking Awho has +/ address 1B# This is a *roadcast$ i#e# sent to CC4CC4CC4CC4CC4CC# +t is picked up * all the machines in the !A" and onl the machine possessing +/ address 1 sends an AR/ repl# +t is sent to machine A onl# Machine A stores this MA. address in it(s AR/ ta*le# "ow ou must *e getting some clue# 'es$ we are going to poison AR/ ta*le of T3 and T6 * sending them AR/ replies# Most of the machines are generous enough and respect the AR/ repl packet e)en when there was no re2uest for particular +/ address# There are some machines$ for e%ample Sun-S$ which make an AR/ entr onl if there is a re2uest for the one or if that ip is alread in the AR/ ta*le# We can make them re2uest for particular +/ address * sending them an +.M/ Echo packet from that +/ address#
(k. $o you want me to create these ")* replies myself and manage all this. "o dude# We ha)e *lessings of our fellow hackers# Al*erto -rnaghi :a#k#a# A!oR; and Marco Dalleri :a#k#a# "aGA; from Milan ha)e created a nice tool called /tterca, *ased on e2uall cool li*rar ,libnet( from Mike# Ettercap is prett )ersatile and tool of choice for M+TM attacks including AR/ spoofing# Ettercap also has sniffing capa*ilities$ *ut + prefer to use it onl for spoofing# Cor sniffing$ + prefer using /thereal# Main reason for this is the use of pcap format for storing packets * ethereal# /cap is a prett old format and there are man tools a)aila*le to analEe pcap files# So$ use ettercap for arp spoofing# Ena*le ip forwarding in kernel to maintain the connection *etween )ictim machines# And start sniffing using tethereal :te%t interface to ethereal;# That(s all ou need to do#
Reci,e +ets try to do e,erything said till now. +ets look at our problem once again We want to get into the main switch of our compan# This will allow us to configure the switch ports the wa we want# Cirst task$ find out ip address of the switch# +n m case it is 356#378#3#399# 'ou can use "map(s -S detection feature to guess it# "ow find out how network admin communicates with the switch# +n m case network admin sits offsite# So$ he connects to the switch through WA" and the re2uests come through the gatewa# + use another machine in the same su*set to o*ser)e the traffic for sometime and find out that all incoming traffic to the su*net comes through the router 356#378#3#6 and all outgoing traffic goes through the router 356#378#3#3# So$ when network gu from 356#378#393#<= logs into cisco console$ packets are routed through the routers 356#378#3#3 and 356#378#3#6#
Routers 0R1 356#378#3#3 Hw Addr# 99499499499499493 Attac$ed Switch 0S1 .isco .atalst F999 series 356#378#3#399 Hw# Addr# 99499499499499496 Attac$ing 2achine 021 RHE! AS =#9 356#378#3#363 Hw Addr 4 9949949949949949< Same su*net Rest of the network Routers 0R1 356#378#3#6 Hw Addr# 9949949949949949=
As ou can guess$ + need to put attacking machine in the path *etween 356#378#3#3 - 356#378#3#399 to tap outgoing packets and 356#378#3#6 & 356#378#3#399 to tap incoming packets# So$ + need to tell the router 356#378#3#6 that 356#378#3#399 is at 9949949949949949< which is the MA. address of attacking machine# At the same time also tell switch i#e# 356#378#3#399 that 356#378#3#3 is at 9949949949949949<# 1efore in)iting packets to our machine$ make sure ou ha)e path for them to reach their destination i#e# don(t forget to ena*le ip forwarding# +n linu% ou can ena*le ip forwarding using following command4 echo - 34,roc4s+s4net4i,v54i,6&orward Reci,e '
To start arp spoofing using ettercap4 etterca, -o -T -P re,oison6ar, -2 ar,7remote 4-8.(-9:(-(-;;4 4-8.(-9:(-(--.4 -o 4 onl spoofing no sniffing# -T 4 te%t mode -/ repoison?arp !ells it to load plugin repoison-arp. !his plugin re.poisons arp table at some inter,als -M arp4remote 0356#378#3#3990 0356#378#3#3-60 !ells it to start %I!% attack with /01./23././44 in first target group and /01./23././, /01./23./.1 in second target group. +(ll suggest ou to run ettercap in screen terminal$ so that ou can detach from screen and forget a*out it for some time# + used Aettercap "G-9#G#6B# 'ou can download it from http400ettercap#sourceforge#com# Start s,oo&ing'(
Start Sni&&ing ' "ow ou are all set to start sniffing# Use following command to start sniffing and write packets to a file4 < tethereal -a&ilesi=e7-;;;;; -w 4tm,4cisco(,ca, -& >host -8.(-9:(-(-;; and not ar, and not icm,? -afilesiEe4399999 limits the file siEe to 399M1# -w 0tmp0cisco#pcap writes packets to 0tmp0cisco#pcap -f Ahost 356#378#3#399 and not arp and not icmp? is the filter string# +t tells to collect the packets either coming from or going to 356#378#3#399 and not to collect an arp or icmp packets#
Use some social engineering# Cind out when network team is going to work on the switch or an other host which ou want to *reak into# !ea)e our tools running while the do it# !ater on ou can analEe the capture file * opening it in ethereal and ou can Hust follow the telnet stream to find out the password# That(s all it takes# A person is smart# *eople are dum*$ panick$ dangerous animals and ou know it# --Ed Solomon