Ettercap Automates the Malicious Middleman

By Paul Rubens | Jan 30, 2008
http://www.enterprisenetworkingplanet.com/netos/article.php/3724916/Ettercap-Automates-the-Malicious-Middleman.htm

Man in the middle (MITM) attacks can be devastatingly effective, providing hackers with all kinds of confidential information and, just as seriously, giving them the opportunity to feed false information to victims.

These attacks involve a hacker diverting packets which are meant to flow between a victim's computer and another machine (usually an Internet gateway) so that they flow through the attacker's computer, where they can be inspected and changed before being passed on.

The easiest and most effective way to achieve a MITM attack is through an Address Resolution Protocol (ARP) spoofing attack. Recall that on an Ethernet network local IP addresses are associated with hosts' network adapter MAC addresses, and that hosts send out ARP requests to find out the MAC address that any arbitrary local IP address has been assigned to. These requests take the form "who-has 192.168.1.150, tell 192.168.1.1". ARP responses, in the form "192.168.1.150 is 00:11:22:33:44:55", do not get authenticated and will be acted on even if there has not previously been an ARP request. It is therefore possible to send a spoof ARP response telling the victim's machine that the gateway IP address 192.168.1.1 is associated with the MAC address of the attacker's machine, and to send one to the gateway effectively informing it that all traffic for the victim's IP address should be sent to the adapter with the attacker's MAC address, not the victim's.

All that's then needed is for the attacker to forward the packets on to their intended destinations, and the victim will be none the wiser – any delay due to this diversion is usually far too small to be detectable.

Let's think about the implications of a MITM attack. Any packets sent from the victim's machine to the gateway go through the attacker's machine, where they can be inspected. The sorts of packets the attacker may be after include POP, SMTP and FTP logins and passwords, or any other type of data that is not encrypted.

It's possible to carry out an ARP poisoning MITM attack manually using Wireshark (Ethereal) to intercept and edit ARP requests, but actually it's very easy for anyone who can get on to your network (using Aircrack-ng to get on wirelessly, for example) to carry out such an attack using automated open source tools. The best known one of these is called Ettercap.

Taking Ettercap for a Spin

Let’s take a look at how Ettercap works. You can install the GTK GUI version of Ettercap from Synaptic in Ubuntu, and you'll also find it pre-installed in BackTrack 2 and 3 beta. To start Ettercap open a console window and, as root, type:

    ettercap -G

(You can do this in Ubuntu using the sudo command.)

The rather empty Ettercap GUI will start, ready for you to begin. The first step is to click the "Sniff" menu, choose "Unified sniffing", and select the network interface you want from the dropdown box – probably eth0 for a wired connection, or something like wifi0, wlan0 or ath0 for a wireless one.

Next it's time to see what other hosts are on the network, by clicking the "Hosts" menu, and choosing "Scan for hosts". You may want to do this twice, to ensure that no hosts are missed, before displaying Ettercap's findings by clicking the "Hosts" menu again and choosing "Hosts list". (Figure 1)

To choose a victim machine, click on its IP address, and click on "Add to Target 1." Then select the Internet gateway, and click "Add to Target 2." Any packets flowing between Target 1 and Target 2 will now travel via Ettercap, once the attack is launched by choosing the "MITM" menu and choosing "Arp poisoning," selecting "Sniff remote connections," and finally clicking "Start sniffing" from the "Start" menu.

To see the power of an attack like this, simply check e-mail from the victim machine. In the bottom half of Ettercap, you'll immediately see the user name and password that's been used on the victim machine, along with the IP address of the server. Everything you need, in fact, to snoop on the victim's e-mail. Connect to an FTP site and the same thing happens. (This is not the case when you check using a secure connection, however.)

Things get more insidious when, instead of just snooping on passing traffic, we change the packets that are requested by the victim. One way to do this is through DNS spoofing. Using this attack, we can intercept DNS requests, and change the IP addresses returned for certain domains. A victim's browser sending a DNS request to resolve the domain "bigbank.com" could be given the IP address of a phishing site that looks identical to the bank's real site, and since the victim has actually typed "www.bigbank.com" in to his browser, he or she is unlikely to suspect that anything is amiss.

Ettercap has a ready-made module for DNS spoofing, accessed from the "Plugins" menu. But the first step is to open the etter.dns file located in /usr/share/ettercap and edit it to point the domains you want to divert to the IP addresses you want to divert them to. You can open the file by typing, as root:

    nano /usr/share/ettercap/etter.dns

Make the changes you want, e.g.:

    bigbank.com         A       198.111.222.333
    *.bigbank.com       A       198.111.222.333
    www.bigbank.com     PTR     198.111.222.333

and save the file again. (Note you'll have to be root or use sudo to do this.) Now click the "Plugins" menu, choose "Manage plugins," and double-click on "dns_spoof."

Scarily, that's it! Try to go to anywhere on the domain you spoofed (bbc.co.uk in the illustration) and your browser will take you to the IP address you specified in etter.dns. Note that the address that appears in the browser's address bar is the bbc address, even though the page displayed is a completely different one, www.enterprisenetworkingplanet.com. (If the change doesn't work immediately then wait a few minutes and try again – sometimes the address will already have been cached and you'll need to wait till it expires.)

Bundled With Badness

There are plenty of other harmful Ettercap plugins bundled with the software which do everything from launching a denial of service attack against a particular IP address to reporting on the URLs visited by the victim's browser. Ettercap can also filter packets and change individual words – you can set up filters to scan every web page requested by the victim, replacing a particular telephone number with the hacker's own, for example.

By now it should be pretty clear that, thanks to tools like Ettercap, anyone accessing your network can wreak havoc with your users, stealing passwords and altering the information they receive over the Internet. So how do you defend against MITM attacks launched with Ettercap?

The answer is that it is very difficult – preventing unauthorized network access is easier than preventing a hacker with network access from carrying out such attacks. But the good news is that Ettercap offers some lines of defence against itself.

One useful Ettercap plugin bundled with the application is arp_cop, which is designed to report suspicious ARP activity by passively monitoring ARP requests and replies. It can report ARP poisoning attempts, or simple IP-conflicts or IP-changes. Changes in IP – MAC address associations may be an indication that ARP spoofing is going on. There are also other open source tools (for example arpwatch) which monitor ARP requests and e-mail administrators when anything fishy is going on.
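A small passive monitor for the two signals described above (ARP replies that nobody asked for, and changes in an IP-to-MAC association), written as an added example; it is not code from Ettercap's arp_cop or from arpwatch. The names `parse_arp`, `ArpMonitor` and `make_frame`, the sample frames and all MAC addresses except the article's 00:11:22:33:44:55 are constructed for illustration.

```python
import socket
import struct
REQUEST, REPLY = 1, 2

def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":  # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

class ArpMonitor:
    def __init__(self):
        self.table = {}       # IP -> MAC last seen claiming it
        self.pending = set()  # IPs asked for in a request and not yet answered

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        oper, mac, ip, target_ip = parsed
        alerts = []
        if oper == REQUEST:
            self.pending.add(target_ip)
        elif oper == REPLY:
            if ip not in self.pending:
                alerts.append(f"unsolicited reply: {ip} is {mac}")
            self.pending.discard(ip)
        if self.table.get(ip) not in (None, mac):
            alerts.append(f"mapping changed: {ip} {self.table[ip]} -> {mac}")
        self.table[ip] = mac
        return alerts

def make_frame(oper, sha, spa, tha, tpa):  # builds constructed sample frames
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    dst = b"\xff" * 6 if oper == REQUEST else raw(tha)
    return (dst + raw(sha) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + raw(sha) + socket.inet_aton(spa) + raw(tha) + socket.inet_aton(tpa))

def sample_run():  # constructed traffic, not a capture
    gw, host, other = "00:aa:bb:cc:dd:01", "00:11:22:33:44:55", "02:00:00:00:00:99"
    mon = ArpMonitor()
    return [mon.observe(f) for f in (
        make_frame(REQUEST, gw, "192.168.1.1", "00:00:00:00:00:00", "192.168.1.150"),
        make_frame(REPLY, host, "192.168.1.150", gw, "192.168.1.1"),
        make_frame(REPLY, other, "192.168.1.1", host, "192.168.1.150"))]  # nobody asked
```

Legitimate gratuitous ARP (address changes, failover) raises the same alerts, so they are a prompt to investigate rather than proof of poisoning.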

Another useful Ettercap plugin is find_ettercap. This plugin tries to identify Ettercap packets traversing the LAN, and so can be used to detect if an intruder is using Ettercap. However, since it only looks for certain packets, it cannot always detect when Ettercap is being used. The search_promisc plugin can also be useful to try – it attempts to discover if any host on the network is sniffing the network in promiscuous mode, which normal users would not normally need to do.

Another possible way of defending against ARP spoofing is to configure your hosts with static ARP tables, which can’t be changed by spoofed ARP replies. In Windows, from a command prompt, you can do this by typing something like:

    arp -s 192.168.0.1 11-22-33-44-55-66

or in Linux using

    arp -s 192.168.0.1 11:22:33:44:11:11

changing the IP and MAC addresses as appropriate. The command for your router will depend on your router manufacturer. Unfortunately, static ARP tables are not very convenient for an administrator to set up, and cause problems with laptops which are moved from one network to another.
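A check that a pinned entry is actually in place, as an added example that is not from the original article: it audits text in the Linux `/proc/net/arp` layout against an expected IP-to-MAC list and reports wrong, missing or merely dynamic entries. The function name, the sample tables and the MAC address 02:00:00:00:00:99 are constructed; the pinned pair is the one from the Linux command above.

```python
ATF_COM, ATF_PERM = 0x02, 0x04  # flag bits: entry complete, entry permanent (static)

def audit_arp_table(text, pinned):
    """Compare /proc/net/arp-style text with pinned {ip: mac}; return a list of findings."""
    findings, seen, owners = [], {}, {}
    for line in text.strip().splitlines()[1:]:       # skip the header row
        ip, _hw, flags, mac, _mask, _dev = line.split()
        flags = int(flags, 16)
        if not flags & ATF_COM:
            continue                                   # incomplete entry, no MAC yet
        seen[ip] = (mac.lower(), flags)
        owners.setdefault(mac.lower(), []).append(ip)
    for ip, want in pinned.items():
        if ip not in seen:
            findings.append(f"{ip}: no entry")
            continue
        mac, flags = seen[ip]
        if mac != want.lower():
            findings.append(f"{ip}: expected {want.lower()}, table has {mac}")
        elif not flags & ATF_PERM:
            findings.append(f"{ip}: correct MAC but entry is dynamic, not static")
    for mac, ips in owners.items():
        if len(ips) > 1:                               # a hint, not proof (proxy ARP exists)
            findings.append(f"{mac} answers for several IPs: {', '.join(sorted(ips))}")
    return findings

PINNED = {"192.168.0.1": "11:22:33:44:11:11"}

# Constructed sample tables in the /proc/net/arp layout.
SAMPLE_STATIC = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x6         11:22:33:44:11:11     *        eth0
192.168.0.20     0x1         0x2         00:11:22:33:44:55     *        eth0
"""
SAMPLE_POISONED = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         02:00:00:00:00:99     *        eth0
192.168.0.77     0x1         0x2         02:00:00:00:00:99     *        eth0
"""
```

On a live Linux host the first argument would be the contents of `/proc/net/arp`.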

What Ettercap demonstrates quite clearly is that there are open source tools out there which can be used as formidable weapons to attack your network. But by becoming familiar with them you can use them defensively to prevent hackers causing havoc on your network. Hopefully this article has demonstrated how easily an ARP spoofing attack can be carried out by anyone who gains access to your network and how devastating it can be. Preventing unauthorized access to your network is the best form of defense, but knowing how to detect an ARP spoofing attack could end up saving the company.