ETTERCAP - The Easy Tutorial - Man in the middle attacks

Ettercap Mitm attacks
Last Update: Jan 30 2008




After the ARP poisoning tutorial, the victim's ARP cache has been changed to force the connections from the Windows machine to go through the Ettercap machine to reach the desired destination.

The network scenario diagram is available in the Ettercap introduction page.

As the trap is set, we are now ready to perform "man in the middle" attacks, in other words to modify or filter the packets coming from or going to the victim.

To launch attacks, you can either use an Ettercap plugin or load a filter you wrote yourself.


1. PLUGINS
2. FILTERS


PLUGINS

We will use here the Ettercap plugin called dns_spoof to test a very famous attack, DNS spoofing, where the pirate answers DNS requests in place of the DNS server.
When you access your favourite web site with your browser, your machine (it has the IP address 192.168.1.2 in our case study) first asks the DNS server for the IP address matching your URL, and then the browser displays the web page.
With DNS spoofing, when the DNS request is sent, the spoofer answers in place of the DNS server and provides another IP address.
The consequence is that you believe you have reached the desired web site, but because of the different IP address it is in fact the pirate's web site.

The attack can be very dangerous when the pirate spoofs important web sites such as your bank's web site. His/her fake web server will have exactly the same interface as the real bank web site. So, the pirate will wait for you to enter your credentials on his web site and capture them.

Let's proceed with the DNS spoofing attack.
The first thing to do is to set the configuration file called etter.dns in the /usr/share/ettercap/ directory.

#vim /usr/share/ettercap/etter.dns
In the file you can find an explanation about its configuration.
Here is the content of our etter.dns file.

linux1.org      A     198.182.196.56
*.linux.com     A     198.182.196.56
www.linux.org   PTR   198.182.196.56
It means that when you open www.linux1.org in your web browser, you will see the content of the www.linux.org website.

To start the DNS spoofing, you need to activate the dns_spoof plugin in the Ettercap graphical interface. Remember that you need to follow the ARP poisoning tutorial before doing the steps below.

Plugins -> Manage the plugins

Click on the dns_spoof line to activate the plugin. This will tag the line with a star.


Then enter www.linux1.org in a web browser.
You can see that the content of the page opened is the one that matches the IP address you added in the etter.dns file and not the real IP address matching the www.linux1.org address.


To stop the DNS spoofing:

Start -> Stop sniffing
Although we stopped the attack, you can see that the www.linux1.org address in your web browser still displays the content of the www.linux.org web site. This is because of the DNS cache on our client machine 192.168.1.2. By default, Windows keeps a DNS entry for 300 seconds or 5 minutes in its cache. So either you wait quietly for 5 minutes or, better, you flush or clear the DNS cache with the following command:

Launch a command line interface window as follows:
Start -> Run -> cmd

C:\Documents and Settings\administrator>ipconfig /flushdns
On an Ubuntu machine use the following command: "/etc/init.d/dns-clean start"
To see your DNS cache:

C:\Documents and Settings\administrator>ipconfig /displaydns
If you want to change the default DNS cache time, you have to modify an entry in the Windows registry.
Be careful when playing with the registry, an incorrect configuration can damage your system and prevent it from rebooting.

Start -> Run -> then browse to the key below in the registry tree:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\

Click on "NegativeCacheTime" in the right panel:


Click on the "Decimal" button and finally enter your new value for the DNS cache time.
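From the defender's side, as an added example that is not part of the original tutorial: a small Python detector that parses DNS responses and flags a query that received two answers with the same transaction ID and name but different A records, which is what the client sees when dns_spoof and the real DNS server both reply. The packets, transaction IDs and the "genuine" address 203.0.113.10 are constructed for the example; only 198.182.196.56 comes from the etter.dns file above.

```python
import struct
from collections import defaultdict

def encode_name(name):  # hostname -> DNS wire format (length-prefixed labels)
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(data, off):  # wire name -> (hostname, next offset); no pointers
    labels = []
    while data[off]:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1

def build_response(txid, name, ip):  # minimal response: one question, one A record
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    return header + question + encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata

def parse_response(pkt):
    """Return (txid, qname, list of A-record IPs) from a DNS response."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off, qname, ips = 12, "", []
    for _ in range(qd):
        qname, off = decode_name(pkt, off)
        off += 4  # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = decode_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return txid, qname, ips

def find_conflicts(packets):
    """Group responses by (txid, qname); report those whose A records differ."""
    seen = defaultdict(set)
    for pkt in packets:
        txid, qname, ips = parse_response(pkt)
        seen[(txid, qname)].add(frozenset(ips))
    return {k: v for k, v in seen.items() if len(v) > 1}

SAMPLE = [  # constructed sample traffic: the spoofed answer arrives before the genuine one
    build_response(0x1A2B, "www.linux1.org", "198.182.196.56"),  # spoofed (etter.dns value)
    build_response(0x1A2B, "www.linux1.org", "203.0.113.10"),    # genuine (documentation IP)
    build_response(0x3C4D, "www.example.com", "198.51.100.7"),   # single answer, no conflict
]
```

Calling find_conflicts(SAMPLE) returns only the www.linux1.org query with its two differing answer sets; on a real network you would feed it the DNS responses captured on the client side.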




FILTERS

The filters allow you to change the content of packets.
To create a filter, you must first write a filter source file. You can find some examples in the /usr/share/ettercap/etter.filter.examples file.

We chose in our simple example to change the prompt of an FTP connection. Below is our filter file, called test_filter, in the /usr/share/ettercap directory.

# replace the FTP prompt
# match server-to-client traffic (source port 21) that carries the ProFTPD banner
if (tcp.src == 21 && search(DATA.data, "ProFTPD")) {
   replace("ProFTPD", "TeddyBear FTPD");
}


Then you need to compile the file with etterfilter because Ettercap can only load compiled files.

#etterfilter etter_filter -o etter_filter_compil
This will create a compiled file called etter_filter_compil.

Load the filter in Ettercap:

Filters -> Load a filter...

Now, it's time to test an FTP connection from our client machine 192.168.1.2. The test is performed first without and then with the Ettercap filter loaded.
"xyz" is a placeholder for the web site name and "1.2.3.4" for its IP address.

(Of course, you must be set up as "man in the middle". If this is not already the case, follow the ARP poisoning tutorial.)

C:\Documents and Settings\Administrator>ftp www.xyz.com
Connected to xyz.com.
220 "ProFTPD 1.3.0a Server ("ProFTPD) [1.2.3.4]
User (xyz.com:(none)):


C:\Documents and Settings\Administrator>ftp www.xyz.com
Connected to xyz.com.
220 "TeddyBear FTPD 1.3.0a Server ("TeddyBear FTPD) [1.2.3.4]
User (xyz.com:(none)):


