Wednesday, February 15, 2012

ettercap + example: DNS spoofing

ettercap is a tool for doing LAN based MitM attacks, which based on ARP spoofing. After it succeeded to step in the traffic flow path, we can do several things with it, for example:
- data modification
- extracting passwords
All of these are accomplished by plug ins.

In order to get ARP spoofing work properly we need to turn on IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

Ettercap is already installed in the 64bit version, in the 32 bit version we need to install it:

apt-get install ettercap

We can use the tool in 3 modes: text, cursor, graphical:
ettercap -T
ettercap -C
ettercap -G

I will use the graphical.

Once started, choose the Sniff -> unified sniffing menu, and make a device discovery, which will send an ARP message to all IPs in the subnet. We can load the devices from a file.

Then add the two devices, which you want to sniff to the target list. I used the default gateway and my laptops IP here.

Then load the plugin you want to use.

With choosing MiTM -> Arp spoofingot we can perform the attack, and now we are in the traffic's path between the two machines. At the Start -> Start sniffing menu we can actually activate the attack. For the DNS spoofing we can set the fake domain - IP pairs in the following config file:


If all goes well, we can redirect the computer's traffic to a custom target:

The ettercap log:

Stopping can be done in the Mitm -> Stop mitm attack menu.


1. Basically we need to protect against ARP spoofing, which is the same what I described at the arpspoof tool.
2. Don't use DNS - this can be realistic in some cases
3. Use IDS / IPS on the LAN - this is not so common, and not too effective against such attacks like this
4. Use DNSSEC - DNS signed with a certificate, this one also not widely used

No comments: