Ettercap has been around for ages. It's currently on version 0.7.4.1, is available at: http://ettercap.sourceforge.net, and is included in Backtrack. For those of you who have no idea what Ettercap is, or what a packet sniffing program is, just think wiretapping. There's a lot more to it than just putting a tape recorder inside an analog phone, but the general idea is close.
In their own words:
Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.
There are a ton of websites out there which purport to give tutorials on how to use Ettercap. Go ahead and find them, and read them. Or better yet, run:
because basically, most of the sites I could find are just a regurgitation of Ettercap's own manual.
Be very careful when learning about, and using Ettercap. Even if you do it right, you can screw up the performance on a large network. If you do it wrong, you can DOS the whole subnet, and even adjacent subnets on other switches.
Ettercap is capable of operating in bridged mode, which is almost invisible. The monitoring is physically in between A and B, and all traffic passes through the bridge freely, meaning no ARP poisoning or other active attack is required.
The command to run Ettercap in bridged mode is quite simple:
# ettercap -Tq -i eth0 -B eth1
However, when running this, I was getting an error 99, cannot assign address, about IP addresses not being assigned. I came across an article with the answer to this problem. In addition, it also suggested making your own bridge, and then running Ettercap on the bridge you just made instead of relying on Ettercap's bridge mode code.
# brctl addbr mitm-bridge
# brctl addif mitm-bridge eth0
# brctl addif mitm-bridge eth1
# ifconfig eth0 0.0.0.0 up
# ifconfig eth1 0.0.0.0 up
# ifconfig mitm-bridge <GATEWAYIP> up
Turn on IP forwarding:
# echo 1 > /proc/sys/net/ipv4/ip_forward
Start sniffing:
# ettercap -Tq -i mitm-bridge
Now unplug the nic of the Target, and move the cable to eth0 of the Monitor machine. Then connect eth1 of the Monitor to the nic of the Target. The Target machine should have no idea what just happened, apart from a brief network disconnection. The Monitor machine should now be able to pick up all traffic to and from the Target machine.
1 comments:
so bridge mode is only recommended if you have physical access to the network's wiring, am I get it right? thanks for the article btw
Post a Comment