PASSWORD SNIFFING FROM NETWORK USING ETTERCAP

INTRODUCTION TO ETTERCAP

Ettercap is a free and open source network security tool for man-in-the-middle attacks on a LAN. It can be used for computer network protocol analysis and security auditing. It runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols.

Ettercap was born as a sniffer for switched LANs (and obviously even "hubbed" ones), but during the development process it has gained more and more features that have changed it into a powerful and flexible tool for man-in-the-middle attacks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis (such as OS fingerprinting).

It has two main sniffing options:

UNIFIED: this method sniffs all the packets that pass on the cable. You can choose whether or not to put the interface in promiscuous mode (-p option). Packets not directed to the host running ettercap are forwarded automatically using layer 3 routing, so you can use a mitm attack launched from a different tool and let ettercap modify the packets and forward them for you.
The kernel ip_forwarding is always disabled by ettercap. This is done to prevent a packet from being forwarded twice (once by ettercap and once by the kernel). This is invasive behaviour on gateways, so we recommend using ettercap on gateways ONLY with the UNOFFENSIVE MODE ENABLED. Since ettercap listens on only one network interface, launching it on the gateway in offensive mode will not allow packets to be rerouted back from the second interface.

BRIDGED: this method uses two network interfaces and forwards the traffic from one to the other while performing sniffing and content filtering. This sniffing method is totally stealthy since there is no way to find that someone is in the middle on the cable. You can look at this method as a mitm attack at layer 1. You will be in the middle of the cable between two entities. Don't use it on gateways or it will transform your gateway into a bridge. HINT: you can use the content filtering engine to drop packets that should not pass. This way ettercap will work as an inline IPS ;)

You can also perform man-in-the-middle attacks while using unified sniffing. You can choose the mitm attack that you prefer. The mitm attack module is independent from the sniffing and filtering process, so you can launch several attacks at the same time or use your own tool for the attack. The crucial point is that the packets have to arrive at ettercap with the correct MAC address and a different IP address (only these packets will be forwarded).

INSTALLATION OF ETTERCAP

-»»ON LINUX SYSTEM

Open a terminal and run the following commands:

sudo apt-get install ettercap
sudo apt-get install ettercap-graphical
sudo ettercap -G

-»»ON WINDOWS SYSTEM

Click the link given below and install:

http://sourceforge.net/projects/ettercap/files/unofficial%20binaries/windows/ettercap-NG-0.7.3-win32.exe/download

Kali Linux

The best way to work with Ettercap is by installing Kali Linux. It's the most advanced and versatile penetration testing distribution ever created. It already has Ettercap in its applications.

Here are some steps that will show you how to sniff passwords (they are written assuming you are using Kali Linux):

  1. Go to Applications at the top left corner.
  2. Go to Kali Linux.
  3. Go to Sniffing/Spoofing and then on Network Sniffers.
  4. Click on Ettercap Graphical.
  5. Click on Sniff and then on Unified sniffing (shortcut Shift+U).
  6. Click on dropdown list symbol and select the network interface you are using.
  7. Click on Hosts and then on Scan for hosts (shortcut Ctrl+S).
  8. Go to Mitm and then on Arp poisoning.
  9. A dialog box will appear.
  10. Select Sniff remote connections and then click OK.
  11. Go to Hosts and then on Host List (shortcut H).
  12. Select the IP address of the computer you want to attack and then click on Add to Target (1 or 2).
  13. Go to Start and then on Start Sniffing (shortcut Ctrl+W).
  14. Wait for the person to type their ID and password on a site, and you will see the ID and password in clear text.

Here, the website the person logs on to uses HTTP and not HTTPS, which is secure and very difficult to break into.
Here is a little video which demonstrates the above steps. To go there, click on this link:
https://www.youtube.com/watch?v=4FEXUuWyVqI
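
From the defender's side, the ARP poisoning step above leaves a visible trace: the gateway's IP address suddenly answers from a different MAC, and one MAC starts answering for several IPs. The Python example below is added here and is not part of the original tutorial or of Ettercap; the function names and the sample frames (192.168.1.x addresses, 02:00:... MACs) are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":    # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet + IPv4 only
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])      # sender hardware address
    ip = ".".join(str(b) for b in frame[28:32])           # sender protocol address
    return oper, mac, ip

def detect_poisoning(frames):
    """Return alerts for IP-to-MAC bindings that change and MACs claiming several IPs."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[2] == "0.0.0.0":      # skip non-ARP and ARP probes
            continue
        _, mac, ip = parsed
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("ip-moved", ip, previous, mac))
        ip_to_mac[ip] = mac                               # track the latest binding
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(("mac-claims-many", mac, sorted(mac_to_ips[mac])))
    return alerts

# Constructed sample capture (not real traffic): dst, src, EtherType, ARP header
# (reply), sender MAC, sender IP, target MAC, target IP.
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    # gateway 192.168.1.1 answers from its real MAC
    "02000000000a 020000000001 0806 0001080006040002 020000000001 c0a80101 02000000000a c0a8010a",
    # host 192.168.1.10 answers from its real MAC
    "020000000001 02000000000a 0806 0001080006040002 02000000000a c0a8010a 020000000001 c0a80101",
    # a third MAC now claims the gateway's IP ...
    "02000000000a 020000000066 0806 0001080006040002 020000000066 c0a80101 02000000000a c0a8010a",
    # ... and the host's IP as well
    "020000000001 020000000066 0806 0001080006040002 020000000066 c0a8010a 020000000001 c0a80101",
)]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE_FRAMES):
        print(alert)
```

A legitimate address change (DHCP reassignment, a replaced network card) also raises ip-moved, so the binding worth watching most closely is the gateway's. Static ARP entries for the gateway or dynamic ARP inspection on the switch stop the poisoning itself.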

Submitted By:
Vatsal Singhal & Vikas Godara

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License