Ettercap — A Comprehensive tool for MITM attacks

Sanju Mathew
4 min read · May 19, 2021


Ettercap is a tool made by Alberto Ornaghi (ALoR) and Marco Valleri (NaGA) and is basically a suite for man in the middle attacks on a LAN. It supports active and passive dissection of many protocols and includes many features for network and host analysis. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols. Ettercap stands for Ethernet Capture.

Ettercap supports four sniffing modes:

· IP: Packets are filtered based on their source and destination IP addresses.

· MAC: Packet filtering based on MAC address.

· ARP: ARP poisoning is used to sniff/hijack switched LAN connections (full-duplex).

· Public ARP: ARP poisoning is used to allow sniffing of traffic from one host to any other host.

It is a free and open source tool that can launch Man-in-the-Middle attacks. You can use this tool for network analysis and security auditing, and it can be run on various operating systems, like Linux, BSD, Mac OS X and Windows. Ettercap can sniff network traffic, capture passwords, etc. Some of the available plugins in Ettercap are listed below:

· autoadd — it will automatically add new victims to the ARP poisoning MITM attack when they come up.

· chk_poison — it performs a check to see if the ARP poisoning module of ettercap was successful.

· dos_attack — this plugin runs a DoS attack against a victim’s IP address.

· find_conn — searches for connections on a switched LAN.

· find_ip — find the first unused IP address in the range specified by the user in the target list.

· finger — uses the passive fingerprint capabilities to fingerprint a remote host.

· gw_discover — this plugin tries to discover the gateway of the LAN by sending TCP SYN packets to a remote host.

· isolate — the isolate plugin will isolate a host from the LAN.

· pptp_clear — forces no compression/encryption for PPTP tunnels during negotiation.

· pptp_reneg — forces tunnel renegotiation.

· rand_flood — floods the LAN with random MAC addresses.

· remote_browser — it sends to the browser the URLs sniffed through HTTP sessions.

· search_promisc — it tries to find out if anyone is sniffing in promiscuous mode.

· scan_poisoner — checks if someone is poisoning between some hosts in the list and us.

· find_ettercap — try to identify ettercap packets sent on the LAN.
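The ARP mode described above and the chk_poison/scan_poisoner plugins both rest on one observable: after poisoning, an IP address on the segment is claimed by a second MAC address. The following is an added defensive example written for this post, not code from the post or from the ettercap project; it parses standard Ethernet/IPv4 ARP frames and flags that contradiction. The MAC and IP values in SAMPLE_FRAMES are constructed for illustration.

```python
# Added example (not from the post or from ettercap): a small ARP-spoof
# detector that raises an alert when one IP is claimed by two different MACs.
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    # ARP header: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return oper, sender_mac, sender_ip

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a constructed ARP reply frame; used only to produce sample input here."""
    smac, tmac = (bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac))
    sip, tip = (bytes(int(o) for o in ip.split(".")) for ip in (sender_ip, target_ip))
    eth = tmac + smac + struct.pack("!H", ETHERTYPE_ARP)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + smac + sip + tmac + tip

def detect_poisoning(frames):
    """Return (ip, first_mac, new_mac) for every ARP reply that contradicts an earlier one."""
    seen = {}       # ip -> first MAC that claimed it
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue        # ignore non-ARP frames and ARP requests
        _, mac, ip = parsed
        if ip in seen and seen[ip] != mac:
            alerts.append((ip, seen[ip], mac))
        seen.setdefault(ip, mac)
    return alerts

# Constructed sample: the gateway answers twice from its real MAC, then a third
# reply claims the same IP from a different MAC, the signature of ARP poisoning.
SAMPLE_FRAMES = [
    build_arp_reply("aa:bb:cc:00:00:01", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10"),
    build_arp_reply("aa:bb:cc:00:00:01", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10"),
    build_arp_reply("de:ad:be:ef:00:99", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10"),
]

if __name__ == "__main__":
    for ip, old, new in detect_poisoning(SAMPLE_FRAMES):
        print(f"ALERT: {ip} was {old}, now also claimed by {new}")
```

On a real segment the frames would come from a raw socket or a pcap; a static gateway ARP entry or dynamic ARP inspection on the switch is the mitigation once such an alert fires.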

Ettercap has the following 4 types of user interface:

· Text Only — ‘-T’ option

· Curses — ‘-C’ option

· GTK — ‘-G’ option

· Daemon — ‘-D’ option

The versatility of ettercap is a double-edged sword. Because it bundles such a broad spectrum of attack and reconnaissance functions, it is easy to dismiss the utility as a hacker tool for script kiddies, yet that same breadth makes it useful for teaching LAN hacking techniques.

Once ettercap has inserted itself in the middle of a switched connection, it can capture and examine all communication between the two victim hosts, and subsequently take advantage of these other features:

· Character injection: Insert arbitrary characters into a live connection in either direction, emulating commands sent from the client or replies sent by the server.

· Packet filtering: Automatically filter the TCP or UDP payload of packets in a live connection by searching for an arbitrary ASCII or hexadecimal string, and replacing it with your own string, or simply dropping the filtered packet.

· Automatic password collection for many common network protocols: The Active Dissector component automatically recognizes and extracts pertinent information from many protocols including TELNET, FTP, POP3, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, and SNMP.

· SSH1 support: Capture username, password, and the data of an SSH1 connection.

· HTTPS support: Insertion into an HTTP SSL session, as long as a false certificate is accepted by the user.

· PPTP suite: Perform man-in-the-middle attacks against PPTP tunnels.

· Kill any connection: View and kill arbitrary active connections.

Ettercap has developed into a tool that encompasses a wide range of available LAN attacks. Since it combines many separate attacks into one convenient interface, ettercap is also a great way for new security practitioners to learn the technical basis for many LAN attacks; discovering how a hacker would use these tools is valuable training. As it becomes more popular to extend the LAN through wireless access points in coffee shops and restaurants, it becomes clear that the security community needs to promote change. The development of secure replacements for older protocols such as ARP would go a long way towards eliminating some of the more common attack strategies.
