Home
Ettercap is a comprehensive, open-source network security tool for analysing, monitoring and manipulating traffic on a local network. Originally developed for Unix-like operating systems, it has also been ported to Windows. Ettercap is primarily a man-in-the-middle (MITM) tool: it lets penetration testers and security researchers intercept, inspect and modify data as it passes between hosts on the same LAN segment, which is the scope of the ARP-based attacks shown on this page.
Here we select the interface on which Ettercap should sniff and then start sniffing on it; every attack below runs on top of that sniffing session.
ARP spoofing (ARP poisoning) links the attacker's MAC address with the IP address of a legitimate host on the LAN, typically the victim or the default gateway, by sending forged ARP replies. Traffic the victim addresses to that IP is then delivered to the attacker's MAC instead. If the attacker poisons both the victim and the gateway and forwards the packets between them, it sits in the middle of the conversation without breaking the victim's connectivity.
The root cause is that the Address Resolution Protocol (ARP) has no authentication: a host accepts any ARP reply, including unsolicited ones it never asked for, and updates its ARP cache accordingly. ARP maps IP addresses (the layer-3 addresses used for routing) to MAC addresses (the layer-2 addresses used to deliver frames on the local segment).
ARP spoofing can be detected with an IDS or a dedicated ARP-spoof monitor (arpwatch-style tools) that alerts when the MAC associated with an IP address changes, and it can be prevented with static ARP entries for the gateway on sensitive hosts or with Dynamic ARP Inspection on managed switches.
First we discover all the hosts on the network and choose the target on which we want to perform the ARP spoofing attack.
We also need to find the victim's gateway.
Here the target is 192.168.21.128 and its gateway is 192.168.21.2; the victim is added as Target 1 and the gateway as Target 2.
Then we start the ARP poisoning attack (MITM > ARP poisoning).
Now the victim's traffic passes through our machine and we can see it, so the attack is successful.
When we analyse the Splunk reports we can see that the victim's HTTP requests succeeded, but there is no sign of the ARP spoofing. This is expected: ARP never leaves the LAN segment, and the web server logs still show the victim's own IP address, which ARP poisoning does not change. Catching the attack needs a sensor on the LAN itself.
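The check that such a LAN sensor would run, as an added example (not code from the original page or from Ettercap). It replays a constructed sequence of ARP replies modelled on the lab above (victim 192.168.21.128, gateway 192.168.21.2; the MAC addresses, including the attacker's, are assumed) and raises the two alerts an arpwatch-style tool looks for: the MAC claimed for an IP changing, and one MAC claiming several IPs at once. `parse_ip_neigh` is included so the same check can be run on the victim's own ARP cache (`ip neigh show`) before and after the attack.

```python
"""ARP-spoof detection over a stream of ARP replies.

Added example, not part of the original page or of Ettercap. Addresses are
constructed sample data; only the victim and gateway IPs come from the page,
every MAC address is assumed.
"""
from collections import defaultdict

# Constructed ARP replies as (sender IP, sender MAC), in arrival order.
# The first three are the legitimate baseline; the last two are what a
# full-duplex ARP poison looks like: one MAC answering for both the
# gateway and the victim.
SAMPLE_ARP_REPLIES = [
    ("192.168.21.2",   "00:50:56:ee:ee:02"),   # real gateway (assumed MAC)
    ("192.168.21.128", "00:0c:29:aa:bb:cc"),   # real victim (assumed MAC)
    ("192.168.21.2",   "00:50:56:ee:ee:02"),
    ("192.168.21.2",   "08:00:27:de:ad:01"),   # attacker claims to be the gateway
    ("192.168.21.128", "08:00:27:de:ad:01"),   # attacker claims to be the victim
]


def parse_ip_neigh(text):
    """Turn `ip neigh show` output into (ip, mac) pairs.

    Entries without an lladdr field (e.g. FAILED) carry no MAC and are skipped.
    """
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            pairs.append((fields[0], fields[fields.index("lladdr") + 1]))
    return pairs


def detect_arp_spoof(replies):
    """Return alert strings; an empty list means nothing suspicious.

    Two signals: (1) the MAC claimed for an IP differs from the one first
    learned for it, (2) one MAC claims more than one IP, which is what an
    attacker does when poisoning both ends of a conversation.
    """
    first_mac = {}                  # IP -> MAC first learned for it
    ips_by_mac = defaultdict(set)   # MAC -> every IP it has claimed so far
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = first_mac.setdefault(ip, mac)
        if known != mac:
            alerts.append(f"MAC change for {ip}: {known} -> {mac}")
        if ips_by_mac[mac] and ip not in ips_by_mac[mac]:
            alerts.append(f"{mac} now claims {sorted(ips_by_mac[mac] | {ip})}")
        ips_by_mac[mac].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_ARP_REPLIES):
        print("ALERT:", alert)
```

The first-learned MAC is used as the baseline, so the sensor must be started before the attack (or seeded from a known-good `ip neigh` snapshot); a monitor that starts while the cache is already poisoned sees nothing wrong until the real gateway answers again.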
The dos_attack plugin in Ettercap overloads a target host with traffic so that it can no longer operate normally, denying service to its legitimate users. It does this by flooding the victim with a large volume of network traffic. Because the flood is made of ordinary-looking packets, it is not necessarily distinguishable from genuine traffic at first glance.
As in the previous steps:
Scan for hosts
Add the victim as a target (only the victim's IP, not the gateway IP)
Start ARP poisoning the victim.
Now run the dos_attack plugin.
On the victim machine:
The victim becomes sluggish as soon as the plugin is enabled, because it is flooded with packets from our machine; its web pages simply never finish loading.
When the dns_spoof plugin is active, Ettercap watches the victim's DNS queries, which it can see because of the ARP poisoning, and for every name listed in etter.dns it answers first with a forged DNS response carrying an IP address of the attacker's choosing, typically the attacker's own machine or any other host they want the victim to visit. The victim's resolver accepts the first matching answer, so the genuine reply that arrives later is discarded. Queries for names not listed in etter.dns pass through untouched.
First edit /etc/ettercap/etter.conf (for example with mousepad) and set ec_uid = 0 and ec_gid = 0 so that Ettercap keeps root privileges instead of dropping them.
In the same file, under the Linux section, remove the # in front of the iptables redir_command_on/redir_command_off lines.
Then edit /etc/ettercap/etter.dns and add an A record that maps the domain we want to spoof to the IP of the attacker system.
After configuring both files we need to start our own Apache server. Before that, cd /var/www/html and modify index.html so the victim lands on our page.
Then start Apache with service apache2 start and launch ettercap -G.
Ettercap starts sniffing as soon as the interface is chosen; after a few seconds press the stop button at the bottom left.
After that scan for hosts; the host list shows the connected devices.
Then open the host list and add the hosts as Target 1 and Target 2.
Go to Plugins > Manage plugins and double-click dns_spoof; the log shows that the plugin is activated.
Then choose MITM > ARP poisoning and click OK.
Finally go to the victim machine and check whether the attack succeeded: resolving the spoofed domain (for example with nslookup) should now return the attacker's IP, and browsing to it should show our index.html.
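How the rules written in etter.dns decide which queries get a forged answer, as an added example (not code from the original page or from Ettercap's dns_spoof plugin). The file content is constructed; the attacker's Apache address 192.168.21.130 is assumed, since the page does not give it. Wildcard matching is approximated with `fnmatch`, and only the `name type value` form of A and MX rules is handled; Ettercap's own matcher supports more record types (PTR, CNAME, SRV, WINS) and options than this subset. The validity check at the end catches the most common reason the attack silently fails: a mistyped address in the A record.

```python
"""etter.dns rule parsing and matching.

Added example, not part of the original page or of Ettercap. The rules below
are constructed; the attacker IP 192.168.21.130 is assumed.
"""
import fnmatch
import ipaddress

# Constructed etter.dns content: one rule per line, `name type value`.
SAMPLE_ETTER_DNS = """\
# Redirect the spoofed domain and all its subdomains to the attacker's Apache
example.com        A    192.168.21.130
*.example.com      A    192.168.21.130
mail.example.com   MX   192.168.21.130
# A typo of the kind that silently breaks the attack: letter O, not zero
bad.example.com    A    192.168.21.13O
"""


def parse_etter_dns(text):
    """Return [(name_pattern, record_type, value)]; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((parts[0].lower().rstrip("."), parts[1].upper(), parts[2]))
    return rules


def invalid_a_rules(rules):
    """Names of A rules whose value is not an IPv4 address.

    Such a rule gives the victim no usable answer, so the attack just looks
    like a DNS failure; check this before starting the plugin.
    """
    bad = []
    for name, rtype, value in rules:
        if rtype != "A":
            continue
        try:
            ipaddress.IPv4Address(value)
        except ipaddress.AddressValueError:
            bad.append(name)
    return bad


def spoofed_answer(rules, qname, qtype="A"):
    """The forged value the plugin would send for this query, or None when no
    rule matches (the real resolver's answer then reaches the victim)."""
    qname = qname.lower().rstrip(".")
    for name, rtype, value in rules:
        # fnmatch-style '*' matches across labels, so *.example.com also
        # covers a.b.example.com; the bare name needs its own rule.
        if rtype == qtype and fnmatch.fnmatchcase(qname, name):
            return value
    return None


if __name__ == "__main__":
    rules = parse_etter_dns(SAMPLE_ETTER_DNS)
    print("invalid A rules:", invalid_a_rules(rules))
    for q in ("example.com", "www.example.com", "example.org"):
        print(q, "->", spoofed_answer(rules, q))
```

Note that a rule for `*.example.com` does not cover the bare `example.com`, which is why both lines are present: a victim typing the apex domain would otherwise get the real answer.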
IDENTIFY THE SOURCE OF THE ATTACK JUST BY USING SPLUNK LOGS
Now open Ettercap, start host scanning, then add the victim's IP to Target 1 and the default gateway to Target 2.
After adding the respective hosts as targets, start ARP poisoning, and at the same time run Wireshark in the background.
Choose MITM > ICMP redirect and enter the MAC address and IP address of the default gateway. Ettercap uses them to send the victim ICMP redirect messages that appear to come from the gateway and tell the victim to use our machine as a better next hop.
The redirect messages can be seen in Wireshark as ICMP type 5 packets whose source address is the gateway's.
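The Wireshark view above shows the redirects; the check below is an added example (not code from the original page or from Ettercap) of how a sensor would decide which of them are hostile. A redirect that claims to come from the gateway's IP but arrives from a different MAC, or that names a next hop the network does not have, is the fingerprint of this attack. The packet summaries are constructed; the gateway IP 192.168.21.2 is from the page, while its MAC, the attacker's MAC and the attacker's IP 192.168.21.130 are assumed.

```python
"""ICMP-redirect detection over constructed packet summaries.

Added example, not part of the original page or of Ettercap. Only the
gateway IP comes from the page; all MACs and the attacker IP are assumed.
"""

GATEWAY_IP = "192.168.21.2"
GATEWAY_MAC = "00:50:56:ee:ee:02"      # assumed; take the real one from `ip neigh` on the victim
ALLOWED_ROUTERS = {GATEWAY_IP}         # the only next hops the victim should ever be told to use

ICMP_REDIRECT = 5                      # ICMP type; code 1 = redirect for host

# Constructed packet summaries: (src_ip, src_mac, icmp_type, icmp_code, new_gateway)
SAMPLE_PACKETS = [
    ("192.168.21.2", "00:50:56:ee:ee:02", 0, 0, None),              # echo reply, benign
    ("192.168.21.2", "08:00:27:de:ad:01", 5, 1, "192.168.21.130"),  # spoofed source, attacker as next hop
    ("192.168.21.2", "00:50:56:ee:ee:02", 5, 1, "192.168.21.2"),    # from the real gateway, to itself: harmless
    ("192.168.21.2", "00:50:56:ee:ee:02", 5, 1, "192.168.21.1"),    # real gateway MAC but an unknown router
]


def check_icmp_redirects(packets, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC,
                         allowed_routers=ALLOWED_ROUTERS):
    """Return one alert string per suspicious redirect; empty list if none."""
    alerts = []
    for src_ip, src_mac, itype, icode, new_gw in packets:
        if itype != ICMP_REDIRECT:
            continue
        reasons = []
        # The layer-2 source must match the gateway the packet claims to be from.
        if src_ip == gateway_ip and src_mac.lower() != gateway_mac.lower():
            reasons.append(f"claims to be {gateway_ip} but sent from {src_mac}")
        # A legitimate redirect only ever names a router we know about.
        if new_gw not in allowed_routers:
            reasons.append(f"points at unknown router {new_gw}")
        if reasons:
            alerts.append(f"ICMP redirect code {icode}: " + "; ".join(reasons))
    return alerts


if __name__ == "__main__":
    for alert in check_icmp_redirects(SAMPLE_PACKETS):
        print("ALERT:", alert)
```

On a host that should never change its routes from the network, the simplest defence is to ignore redirects altogether with `sysctl -w net.ipv4.conf.all.accept_redirects=0`; the detection above is still useful on the victim because it reveals that someone on the LAN is trying.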