The interception and man-in-the-middle manipulation of communications between two parties in ignorance is technically referred to as a Man-in-the-Middle attack. One such tool that is hugely in use due to its capability of intercepting traffic on a network is Ettercap. General overview of how to perform a MITM attack using Ettercap follows.
In this chapter, we’ll look at how to use Ettercap to capture credentials, specifically usernames and passwords, from a target via HTTP and FTP.
If the target is using two unencrypted protocols, such as HTTP and FTP, this is possible. We have a Linux and a Windows 10 system in the setup, and we’re going to use Ettercap to put ourselves in the middle of the default gateway, which is the Windows host machine.
To obtain the default gateway address, enter “ip route” into a terminal. In my case, the default gateway is 192.168.100.1, but whatever address you have, this is the main information that Ettercap requires.
If you want, you can put yourself between everyone on a subnet and the default gateway or individual target. In this scenario, we will stand between everyone and the default gateway.
Go to “Applications” in Kali Linux, then scroll down and select “Sniffing and Spoofing,” then select “Ettercap-g.” Ettercap’s graphical user interface (GUI). Once the GUI is open, select “sniff,” then “unified sniffing,” which will open the next window.
In the new window that has opened, titled “ettercap Input,” you will be asked which network interface you want to sniff on. On our Kali machines, there is only one NIC, or network interface card, which is what unifies sniffing.
As a result, whatever interface is displayed should be used, so click “ok.” Next, we must configure the target before inserting ourselves into the middle with Ettercap. To do so, go to “hosts” and then “scan for hosts.”
This will perform a scan of the subnet in which your target is located. Only “arp poisoning,” which is what we’ll use, allows you to put yourself in the middle of a given subnet.
When the scan is finished, go back and select “hosts,” then “hosts list,” and in the new window, you should see the IP addresses found in the previous scan. You should also be able to find your default gateway’s IP address here, which in my case is 192.168.100.1.
You must now create targets, so click on the IP address 192.168.100.1 or the IP address of your default gateway, then select “Add to Target 1.”
Next, if you have more IP Addresses listed and want to target them as well, highlight them by clicking on them again, and then click on “Add to Target 2.
Once you’ve decided on your targets, go to the top window and select “Mitm,” which stands for “man in the middle.” From there, you can choose “arp poisoning.” Once you’ve selected these, a new window will appear, in which you should check the box next to “Sniff remote connections” and click “OK.”
If you’re in the middle, or if the Kali Linux machine is in the middle between the Windows 10 machine and the default gateway, the MAC address for IP address 192.168.100.1 should be the Kali Linux machine’s MAC address. To confirm this, open the command prompt on your Windows 10 machine and type “arp- a”
Arp stands for Address Resolution Protocol, and it translates Mac addresses to IP addresses. When you run that command on Windows, you should see a list of IP addresses with their associated MAC addresses.
By the way, to avoid confusion, Windows refers to IP addresses as “Internet Addresses” and MAC addresses as “Physical Addresses.”
As you can see, “Physical Addresses” is technically incorrect because you simply changed the Mac Address of your default gateway using Ettercap, but to be certain, you can also verify the Kali Linux mac address.
To do so, return to the Kali Linux terminal and type “ifconfig.”
In the output of this command, look for the term “ether,” which refers to the MAC or “physical address” of your Kali Linux Ethernet address.
Once you’ve verified that the Kali ether address matches the Windows default gateway, you’ll know you’re in the middle with Ettercap. The good thing about Ettercap is that when you’re in the middle, all you have to do is run it.
If it sees any credentials passed in clear-text within your Ettercap window, it will capture them to that window.
The username will be displayed next to “USER” and the password will be displayed next to “PASS” in the Ettercap window.
It will appear on the left side automatically, so you won’t have to do much. For example, unlike Wireshark, you don’t have to sit there and examine all of the traffic because both the username and password are displayed.
Ettercap captures any username and password if unencrypted protocols are used, so instead of HTTP, use HTTPS, and instead of FTP, use SFTP or SCP to transfer files.
Because there are no warning banners that appear to the user while you are in the middle, the end user will not notice if you perform a layer 2 man-in-the-middle attack with Ettercap.
- The Qatar Olympic Committee Data Breach: A Wake-Up Call for Sports Cybersecurity
- Data Breaches in Academia: The NSRIT Case Exposes Risks and Lessons for Universities
- Tata AIG Insurance Data Leak: 1.2 Million Records Exposed on Telegram
- Verizon PTT Service Allegedly Breached: 328GB of Sensitive Data Exposed
- Massive Data Breach: 3.95 Million Israeli Citizens’ Data Leaked on Dark Web by Qursan12 Group