Welcome back, my rookie cyber warriors!
Man-in-the-Middle attacks can be among the most productive and nefarious attacks. If the attacker/hacker can place themselves between two systems (usually client and server) they can control the flow of traffic between the two systems. In this way they can eavesdrop on the traffic, delete the traffic, inject malware and even alter the traffic (imagine altering email!). In previous tutorials, I showed you how to arpspoof and dnsspoof to execute a MiTM attack, but in this tutorial we will use a GUI MitM tool known as Ettercap.
Ettercap is probably the most widely used MiTM attack tool (followed closely behind by Cain and Abel, which we will look at in the later tutorial).
Ettercap was developed by Albert Ornaghi and Marco Valleri. It basically a suite of tools to simplify MiTM attacks. It can be used either from the command line (CLI) or the graphical user interface (GUI). In this lesson, we will use the GUI.
Ettercap enables us to place ourselves in the middle between two machines and then;
infect the traffic with malware
delete traffic
sniff passwords
provide fake certificates for HTTPS
DNS spoof
The principles and techniques of a MiTM attack remain the same as with arpspoof with the small exception of the ip_forward. Unlike arpspoof, ettercap does not use ip forwarding in the Linux kernel, but instead uses it own module to forward IP packets.
It important to note that ettercap requires root privileges to open its Layer 2 (datalink) sockets. In addition, as you might expect, it can slow down communication between the two target systems as it does its own processing.
Ettercap is GUI based tool built into Kali so need to download and install anything, so let's get started doing a MiTM attack with Ettercap.
Step #1: Start ettercap
Let's view the help file for ettercap by typing;
kali > ettercap -h
As you can see, ettercap has a significant help file for running it from a command line, but the only thing we need from here is the switch to run it in graphical mode. In the bottom line of the screenshot (not the bottom line of the actual help file as I have truncated it in the interest of space), you can see the -G switch. This after the command ettercap will launch the ettercap GUI.
kali > ettercap -G
When we do, the ettercap GUI will start as seen below.
The first step in launching our MiTM attach is to start sniffing. Go to pulldown menu that says "Sniff" and click on "Unified Sniffing".
When we do that, it opens a new window asking us what interface we want to use and defaults to eth0.
When we click "OK", ettercap launches it sniffing and loads its plugins.
Our next step to find the hosts on the network. Click on the "Hosts" tab and you will see a menu that includes "Scan for Hosts". Click on it and ettercap will begin scanning the network for hosts.
Now, using that same "Hosts" tab, click on "Hosts List". This will display all the hosts that ettercap has discovered on your network as seen in the screenshot below.
Now, select one of the hosts that will be the target of this attack in the window by clicking on it and then click on "Add to Target 1" at the bottom of the window. When you do so, ettercap will add that host as the first target in our MiTM attack as seen in the screenshot below.
Next, select the second host in this attack and then click "Add to Target 2".
Finally, go to the menu above and click on MITM tab and the drop down menu will have a selection called "ARP Poisoning" as seen in the screenshot below.
Select it and it will open a pop window like below. Select "Sniff remote connections".
When we press OK, ettercap will begin ARP poisoning and you will see ettercap respond in its main windows with the message below.
Now, we have successfully placed ourselves between the two targets systems and all their traffic must flow through us. This is where the fun begins as we can now delete, manipulate, impersonate and view all their traffic.
Altering the Traffic
As I mentioned above, the real risk in a MiTM attack is that the attacker can eavesdrop on the Internet traffic as well as alter it, if they want. In this section, now that we are between the two systems we will demonstrate the risks of MiTM attack. We will use the MiTM attack to edit/alter the Internet traffic as seen by the target. In this way, the attacker can actually alter the content of websites, alter the content of an email, change the pictures seen by the target in their Internet traffic, delete specific Internet traffic packets, etc. The message should be clear, when we have placed ourselves in the middle, the target is at our mercy!
Step #2: Alter the Traffic
In this next section, we will be altering the traffic from an internal corporate Intranet site. This site is used by all the employees for corporate announcements, scheduling, etc. Although this scenario is within a corporate Intranet within a LAN, the technique and effect would be the same over the wider Internet. In our scenario, the manager has posted a new starting time for the following day because of a very heavy work load. As a result, he wants everyone to begin work at 6 am and he posts this to the corporate intranet site for all the employees to see. Our attacker has malicious intentions toward the target and wants to alter the message to the target so that they instead come to work late, at 11 am. This is likely to have negative repercussions for the target from the manager, exactly what the attacker wants.
Step #3, Create the Intranet Site
The corporate Intranet announcement page looks like the screenshot below. Everyone in the department will see it and although they are disappointed in the earlier start time, they adjust their schedule to help with the additional workload. Our attacker doesn't want the target to see this message, but rather an altered message to mislead him as to the new starting time.
Step #4: Using Ettercap Filters
One of the many beauties of using Ettercap for MiTM attacks is the ease with which you can alter and edit the target's Internet traffic.
From the Ettercap GUI, you will see above the top menu bar a pull down menu item labeled "Filters". Click on it and then Click on "Load a Filter".
When you do so, a window like that below will appear. We can see to the right of the window, numerous filter files.
Let's take look at the contents of that directory (/usr/share/ettercap) from a terminal in Kali. Open a terminal and type;
kali > cd /usr/share/ettercap
kali > ls -l
As you can see in the screenshot above, there are numerous Ettercap filter files. Note the one named etter.filter.examples. Let's open it with Leafpad and see what it contains.
kali > leafpad etter.filter.examples
This file contains numerous Ettercap filter examples of various types. We can use these as templates for creating our own filters. Notice the various types;
display a message on port 22
log all telnet traffic
log all traffic except http
do some operation on the payload of the packet (in this case change numeric values)
drop any packet containing a particular word or string
log SSH decrypted packets matching a regular expression
and many more
In our case, we want to replace words from a website with other words to alter the meaning of the message. That is, we want to replace "Heavy" with "Light" and "6" with "11" so that the message read by the target would be changed to:
Due to the Light Workload, Everyone is Expected to Come to Work at 11am
Ettercap has a pre-built filter file for doing precisely that! It's the etter.filter file. Let's open it with Leafpad and take a look around.
kali > leafpad etter.filter
Notice, starting with Line 21 after the comments, we have some simple code that searches for TCP traffic (if (ip.proto == TCP)) and it contains data that matches the word "ethercap" (search (DATA.data, "ethercap")) then log and replace it with ettercap (replace("etthercap", "ettercap") ) and create message of what happened (msg("Correctly substituted and logged. \n")) We can use this same code, but replace the words it is looking for and replacing it with the words we want to replace, namely "Heavy" and "6".
Next, we have to edit this Ettercap filter file. First, copy and paste all the uncommented code so that you now have two stanzas. Then replace the word "ethercap" with "Heavy" in the first stanza and in the second stanza, replace the word "ethercap" with "6" as seen the screenshot below.
Make all the changes circled in the screenshot above and save the file.
Step #5: Compile the Filter
Now, before can use the filter, we must compile it. Open a terminal and type;
kali >etterfilter etter.filter -o etter.filter.heavy
Where:
etterfilter is the command to compile the filter file
etter.filter is the input file
-o etter.filter.heavy directs the compiled output to a new file
Step #6: Add the Filter to Ettercap
Now that filter file has been recompiled and ready to use, we can go back to the Ettercap GUI and select "Filters" and now, click on our compiled new filter that we created. When it appears in the "Selection" window, go ahead and click OK. This should now activate an automatic process whereby, in real time, whenever the word " Heavy" is seen in the Internet traffic it, is replaced with "Light" and whenever the number "6" appears, it replaces it with "11". It's important to note that this replacement with take place on ALL internet traffic coming to the target.
Now, when the target goes to the Intranet site announcing the new starting time, they will see the following web page as seen below. Everyone else will see the actual Intranet site, but the target will have those two words changed.
This tutorial demonstrates how easy a MitM attack is using ettercap and the power of being able to alter the traffic to the target system seamlessly and transparently. The end-user has no indication that their traffic has been altered!