In this tutorial we are going to set up Ettercap on Kali Linux and walk through two man-in-the-middle attacks with it: ARP poisoning and DNS spoofing. If you have not met Ettercap before, the documentation on the project's official website is worth reading, but the next section gives a short introduction.
What is Ettercap?
Ettercap is a free and open-source network security tool for man-in-the-middle attacks on LAN. It can be used for computer network protocol analysis and security auditing. It runs on various Unix-like operating systems including Linux, Mac OS X, BSD, and Solaris, and on Microsoft Windows. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols.
Now Let’s Start!
1 – LAUNCH ETTERCAP
Open a root terminal and enter the command ettercap -G to launch the graphical interface of ettercap.
- Once ettercap is open, select the ‘Unified Sniffing‘ option under the ‘Sniff‘ menu.
Now, select your network interface and then click ‘OK‘.
- WiFi = wlan0, Ethernet = eth0 (check with ifconfig or ip link if your interface has a different name). I am using WiFi, so I will select wlan0 and click OK.
2 – TARGET HOSTS
Now it is time to target our hosts. To begin, select the "Scan for Hosts" option under the "Hosts" menu, or just press Ctrl + S. Ettercap sends ARP requests for every address in the subnet of the selected interface and reports how many hosts answered in the logging box at the bottom. In my case, 4 hosts were added to the hosts list.
Now, open the Hosts List by selecting "Hosts List" under the "Hosts" menu, or just press H.
Next, select the default gateway and click "Add to Target 1." My default gateway is 192.168.1.1 (if you are not sure of yours, ip route or route -n shows it). After that, select the host of the victim against which you are going to perform the attack. My victim will be my Galaxy S3 (connected to my WiFi); this works for any device on your network. The IP address of my victim host is 192.168.1.14. I will select this host and then click "Add to Target 2."
Ok, now select Current Targets under the Targets menu, or just press “T” on your keyboard. It will now show you the current targets. If you followed the last step correctly, your default gateway will be on one side, and the victim host on the other.
First, I am going to show you how to ARP poison. ARP poisoning is what puts your machine between the victim and the gateway, so it is the foundation for the other MITM attacks here. Once you have your targets, simply select "Arp poisoning" from the "Mitm" menu. In the dialog, tick "Sniff remote connections" and click OK: without it Ettercap only intercepts traffic between the two targets themselves, whereas with it the victim's connections to hosts beyond the gateway (the Internet) are intercepted too.
Great, now we just need to do one more thing to start the ARP poisoning. Select “Start Sniffing” off of the “Sniff” menu, or you can just use the shortcut: CTRL + W.
Now you have ARP poisoned the victim! Traffic between the victim and the gateway passes through your machine, and Ettercap prints any credentials it recognises in the logging area as the victim logs in to sites. Example: I log in to HackForums.net on my phone and Ettercap shows the login information in the logging area; as you see in the image below, we have my username and password to HF. Note that Ettercap can only recover credentials that are sent in the clear (HTTP, FTP, POP3, IMAP, Telnet and similar protocols); a login over HTTPS appears only as encrypted traffic unless you additionally strip or intercept TLS, which this tutorial does not cover.
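The same ARP poisoning can be launched without the GUI; with the target syntax of the 0.8.x releases the command is ettercap -T -q -i wlan0 -M arp:remote /192.168.1.1// /192.168.1.14//. From the defender's side, what the attack leaves behind is an ARP cache in which the gateway's MAC has changed and one MAC now answers for several IPs. The script below is an added example (not part of the tutorial or of Ettercap) that checks for exactly those two symptoms, once over a constructed sequence of ARP replies and once over constructed ip neigh output from the poisoned victim. The gateway and victim addresses are the tutorial's; the attacker address 192.168.1.4 and every MAC are assumptions made for the example.

```python
"""Spot ARP cache poisoning of the kind the tutorial performs (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample traffic: (sender IP, sender MAC) pairs as they would be
# learned from ARP replies on the LAN. IPs follow the tutorial (gateway
# 192.168.1.1, victim 192.168.1.14); 192.168.1.4 as the attacker and all the
# MAC addresses are assumptions made for this example.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),   # genuine gateway
    ("192.168.1.14", "00:11:22:33:44:14"),  # genuine victim
    ("192.168.1.4", "00:11:22:33:44:AA"),   # attacker, its own address
    ("192.168.1.1", "00:11:22:33:44:aa"),   # attacker claiming to be the gateway
    ("192.168.1.14", "00:11:22:33:44:aa"),  # attacker claiming to be the victim
]

# Constructed output in the format of `ip neigh`, as seen on the poisoned
# victim: the gateway and the attacker now share one MAC.
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:aa REACHABLE
192.168.1.4 dev wlan0 lladdr 00:11:22:33:44:aa STALE
fe80::1 dev wlan0 lladdr 00:11:22:33:44:01 router STALE
"""

_NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-fA-F:]{17})")


def parse_ip_neigh(text):
    """Extract (IPv4, MAC) pairs from `ip neigh` output; IPv6 lines are skipped."""
    pairs = []
    for line in text.splitlines():
        m = _NEIGH_RE.match(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        try:
            ipaddress.IPv4Address(ip)
        except ipaddress.AddressValueError:
            continue
        pairs.append((ip, mac))
    return pairs


def detect_arp_poisoning(pairs):
    """Return {"mac_changes": [(ip, old_mac, new_mac)...], "shared_macs": {mac: [ips]}}.

    Two symptoms of ARP poisoning: an IP whose MAC changes over time, and one
    MAC answering for several IPs (the attacker's MAC now "is" both the gateway
    and the victim). The second symptom also occurs benignly on a host that has
    several addresses on one NIC, so treat it as a lead, not a verdict.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    changes = []
    for ip, mac in pairs:
        mac = mac.lower()
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            changes.append((ip, old, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    shared = {
        mac: sorted(ips, key=ipaddress.IPv4Address)
        for mac, ips in mac_to_ips.items()
        if len(ips) > 1
    }
    return {"mac_changes": changes, "shared_macs": shared}


if __name__ == "__main__":
    print(detect_arp_poisoning(SAMPLE_ARP_REPLIES))
    print(detect_arp_poisoning(parse_ip_neigh(SAMPLE_IP_NEIGH)))
```

On a real victim you would feed parse_ip_neigh the output of ip neigh (or the equivalent arp -a on the phone's side, with a different regex) and compare the gateway's MAC against the one printed on the router's label; a static ARP entry for the gateway is the usual quick fix on a host you control.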
The second Man in the Middle (Mitm) attack I’m going to show you is DNS SPOOFING.
Here is the definition of DNS Spoofing, taken from Wikipedia.
DNS spoofing is a computer hacking attack, whereby data is introduced into a Domain Name System name server’s cache database, causing the name server to return an incorrect IP address, diverting traffic to another computer.
Basically, DNS spoofing is like this scenario:
The attacker does a DNS spoofing attack so that http://twitter.com resolves to http://192.168.1.4 (the attacker's Twitter phisher). Having done this, when the victim visits twitter.com the browser is shown the attacker's phisher instead of the real Twitter.
Alright, so before we can DNS spoof, you need to configure a file called etter.dns. In Kali Linux this file is located at /usr/share/ettercap/etter.dns. If it is not there, no problem: you can locate the file from the terminal (for example with find / -name etter.dns 2>/dev/null).
Now we will open etter.dns in a text editor. I am just going to use nano, by entering the following command in a root terminal: nano /usr/share/ettercap/etter.dns
Now, etter.dns will be open in the nano terminal text editor.
Take note that your etter.dns should be full of text (comments plus some example entries); mine isn't because I have done this before. Next, delete all of the text in this file. Nano has no Ctrl + A (Ctrl + K cuts one line at a time), so it might be faster and easier to open this file in an editor such as Leafpad and clear it there. Clearing the file matters: the example entries shipped in the default file are live, not commented out, so leaving them in place would spoof names you did not intend to touch.
Alright, now I have etter.dns open in nano terminal text editor as seen in the image below.
Ok, so this file tells what we are going to DNS spoof.
What we will do is enter the following:
twitter.com A 192.168.1.4
This will DNS spoof twitter.com to 192.168.1.4 (which is going to be my credential harvester for Twitter).
If you wanted, you could enter multiple lines like this:
twitter.com A 192.168.1.4
facebook.com A 184.108.40.206
myspace.com A 220.127.116.11
This would DNS spoof twitter.com to 192.168.1.4, facebook.com to 184.108.40.206 and myspace.com to 220.127.116.11; the values can be any addresses you choose (in the original example these were an address of Google and an address of Twitter, so a victim typing facebook.com would land on Google). Or, you could just put an asterisk, which means it will spoof ALL names to your desired IP:
* A 192.168.1.4
I am just going to spoof Twitter for this tutorial, so in etter.dns I am going to delete everything and just enter twitter.com A 192.168.1.4. Save the file. If you’re using nano, you can save it by pressing Ctrl + X, then Y, then press enter.
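The dns_spoof plugin reads etter.dns in C inside Ettercap; the following is an added Python model of the file format, not Ettercap's own code, which lets you check a file before you load it and see how the entries above are matched. It assumes three things about the plugin's behaviour: names are compared case-insensitively, * is the only wildcard, and the first entry that matches wins (which is why a catch-all * line placed first shadows every line after it). The sample file content is constructed in the tutorial's own format; 192.168.1.4 is the tutorial's harvester address and the other value is a placeholder.

```python
"""Model of how an etter.dns file is parsed and matched (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed etter.dns content in the tutorial's format: name, record type,
# value, one entry per line. The addresses are the tutorial's placeholders.
ETTER_DNS_EXAMPLE = """\
# comment lines and blank lines are ignored
twitter.com      A   192.168.1.4
# the wildcard catches mobile.twitter.com, api.twitter.com and so on
*.twitter.com    A   192.168.1.4
facebook.com     A   184.108.40.206
"""


@dataclass
class Entry:
    pattern: str
    rtype: str
    value: str


def _compile(pattern):
    """Turn an etter.dns name pattern into a regex; '*' is the only wildcard (assumed)."""
    parts = [re.escape(p) for p in pattern.lower().split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def parse_etter_dns(text):
    """Parse etter.dns text into Entry objects, validating A and AAAA values.

    Raises ValueError on a line that does not have exactly three fields or on an
    address that is not a valid IP, so a typo is caught before the plugin runs.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"etter.dns line {lineno}: expected 'name type value', got {raw!r}")
        name, rtype, value = parts
        rtype = rtype.upper()
        if rtype == "A":
            ipaddress.IPv4Address(value)   # AddressValueError is a ValueError
        elif rtype == "AAAA":
            ipaddress.IPv6Address(value)
        entries.append(Entry(name.lower(), rtype, value))
    return entries


def lookup(entries, qname, qtype="A"):
    """Return the spoofed value for a query, or None when no entry matches.

    Assumption: first matching entry wins, modelling a linear scan over the file.
    """
    qname = qname.rstrip(".").lower()
    for e in entries:
        if e.rtype == qtype and _compile(e.pattern).match(qname):
            return e.value
    return None


if __name__ == "__main__":
    entries = parse_etter_dns(ETTER_DNS_EXAMPLE)
    for q in ("twitter.com", "mobile.twitter.com", "facebook.com", "www.google.com"):
        print(q, "->", lookup(entries, q))
```

Running it against a real /usr/share/ettercap/etter.dns is a quick way to see which names the shipped example entries would already redirect, and to confirm that only your own entries remain after you have edited the file.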
Great, now etter.dns is ready. I spoofed twitter.com to 192.168.1.4, which is going to be my credential harvester. To create a credential harvester, launch the Social-Engineer Toolkit (SET) by entering the command se-toolkit (on current Kali releases the command is setoolkit). **If you simply want to spoof the name to some other IP rather than your own phisher, skip this step.**
Now, enter 1 for Social-Engineering Attacks.
Secondly, enter 2 for Website Attack Vectors.
Finally, enter 3 for Credential Harvester Attack Method.
Alright, now enter 2 for site cloner.
Next, enter YOUR local IP (find it with ifconfig or ip addr). Mine is 192.168.1.4, so I'll enter 192.168.1.4.
Now, it wants you to enter the URL you wish to clone. I am going to make a fake twitter, so I enter http://www.twitter.com. Now we are done with that part.
NOW, it is time to conduct the DNS spoofing attack. Go back to Ettercap. The dns_spoof plugin can only answer DNS queries that actually pass through your machine, so on a switched network or WiFi the ARP poisoning from the first part must still be running; if you stopped it with "Stop Mitm Attacks" under the Mitm menu, start it again (Mitm, "Arp poisoning", with "Sniff remote connections" ticked).
Now select "Manage the Plugins" under the Plugins menu, or just press the shortcut Ctrl + P, and double-click dns_spoof in the list to activate it; an active plugin is marked with an asterisk.
Last but not least, click "Start Sniffing" under the Sniff menu, or just press Ctrl + W (if you are not already sniffing).
Now, I will go to twitter.com on the victim device, and it takes me to what looks like twitter.com, BUT this is not the real Twitter, it's the attacker's fake Twitter! If I log in, I receive the credentials in the SET window. Two things can get in the way: if the victim already has the real address of twitter.com in its DNS cache, the spoofed answer is not used until that entry expires, and the cloned page is served over plain HTTP, so a browser that has the site in its HSTS preload list (twitter.com is in it today) will refuse to load it; the technique works as described for sites reached over plain HTTP.
Also, you can use "Filters" in Ettercap (one of my favourites), which let you write custom rules that match and modify packets in transit. I will edit this post later, when I have time, to add a tutorial on filtering; for now I will just post a link to a guide:
Well, I hope this tutorial was helpful. I tried to explain everything as well as I can; don't forget to comment if you have any problem!