Sunday, 30 September 2012

MITM with Ettercap

Hello readers, we are back with our tutorials on Matriux, due to some unwanted circumstances we weren’t able to be a part of last month’s issue. However we promise to provide our continued support and help to the users. This month we are going to cover a basic tutorial of Man-In-The-Middle (MITM) attack using Ettercap by ARP spoofing technique.

Ettercap is a great tool especially for Man-In-The-Middle Attacks. Very simple and easy to use tool intercept data over LAN and systems connected over switched routers and execute MITM attacks.
“Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.” – quoted from Ettercap Website.


MITM with Ettercap by ARP poisoning

Requirement: Target system to be in the same network as our attacker – Matriux (can be used over systems communicating over routers too). But let’s make it easy ;)

Ettercap can be found in Matriux under Arsenal > Scanning >Ettercap. I prefer we use the console mode for better understanding of the attack procedure.

Attack Setup
----------------------------------------------------------------------------------------- 1.Enable IP Forwarding by typing the following in terminal.

2.Edit the file /etc/etter.conf (may be present at different location in different version try “locate etter.conf “). Uncomment the following lines by removing “#” they are present
3.Open another terminal and type “driftnet –i<<interface>>” use the interface by which you are able to
communicate with the target system. (In my case it was eth1). You will be able to see a black window coming up.

Initiating the Attack

Open the terminal as root and start the attack by typing: 
~#ettercap –Tq –M arp:remote /<<IP of target>>/

IP of target can be a group of IP addresses.

Now you can see the data, passwords and everything being browsed or passed over internet from the target in the window and also the images the target is browsing in the driftnet window we opened up earlier

Now you have successfully performed a MITM attack using Ettercap by ARP spoofing. You can also try changing the data the target system is communicating with the internet.

EtherApe –Graphical Network Monitoring

Hello readers, we are back again with a new release, Matriux Krypton at nullcontritiya,Goa 2012. Thank you for your support throughout these years that we are able to bring in the bigger and better security solutions. This version includes some great features with 300 powerful penetration testing and forensic tools. The UI is made more elegant and faster. Based on Debian Squeeze with a custom compiled kernel 2.3.39-krypton Matriux is the fastest distribution of its kind and runs easily on a p-IV with as low as 256MB RAM and just 6GB HDD. Included new tools like reaver-wps, androguard, apkinspector, ssh server and many more. Installer (MID) is made more easy this time.

Doesn’t it look cool? Go, ahead give a try and let us know what you think of the new version.
Now coming to this months’ article on EtherApe, which is an open source graphical network monitor for Unix systems. It displays the network activity graphically with host and link sizes shrink and grow accordance with the traffic activity. Protocols are color coded. Some features of EtherApe include:-
  •  Network view can be modified by applying filters
  •  Can read traffic from file along with the network
  •  A variety of protocols, packet types and frames are supported.
  •  Clicking on any link or node will provide additional information regarding the protocols and traffic information
  • Handles traffic on Ethernet, WLAN, VLAN plus several other media and encapsulation types
  • Output can be exported into a XML file supported from version 0.9.11
EtherApe can be found in Matriux Arsenal under Arsenal --> Reconnaissance -->EtherApe (root)

Or simply fire up EtherApe by typing EtherApe in terminal.
Note: Remember that EtherApe requires root permission to run, else you will get an error “No suitable Device found”.
To start monitoring the network select the network interface from the Menu Capture --> Interfaces.

This will start reading the network data from the interface selected and displays the network in graphical representation.

When you start EtherApe, you may or may not see traffic depending on whether there is traffic actively passing through your network. (Here I pinged Google and opened Matriux Forums in a browser to generate some network activity).
Also the data regarding this network activity can be viewed from Menu -->View --> Nodes/Protocol.

Showing the activity at the nodes.
 Showing the activity with respect to protocols, this data is useful in many ways to trouble shoot network or check for unwanted traffic etc.
Also clicking on any link/node in the network map will display the activity at that node/link.

 You can also configure EtherApe from the preferences in the menu.

EtherApe can also read a tcpdump file that will allow us to capture network traffic to a file and analyze that traffic later or in offline mode. Reason being, using EtherApe as root is not recommended to remotely monitor the network as you run a risk of transmitting the root information over the network. EtherApe is a great tool that can monitor the network and can be used for monitoring the network activity and their protocols. Go ahead and run EtherApe to see the visual beauty of the network ;)
Happy Hacking :)