The National Law Institute University, Bhopal: "Operational Working of Ettercap Tool"

The document discusses the operational working of the Ettercap tool for network and telecommunication security. It begins with an introduction to Ettercap's functionality and features for man-in-the-middle attacks on a LAN. It then describes ARP poisoning and how Ettercap uses it to perform a man-in-the-middle attack by spoofing ARP entries. Finally, it explains what Address Resolution Protocol (ARP) is and its role in network communication between devices on a LAN.


The National Law Institute University, Bhopal

Master of Cyber Law and Information Security

Project on “Operational Working of Ettercap Tool”

Subject: Networks and Telecommunication Security

Submitted to: Mr. Ankur Arora
Submitted by: Chetan Sharma (2018-MCLIS-59)
1|Page
Table of Contents
Abstract .......... 3
1. Introduction .......... 4
1.1. Functionality of Ettercap .......... 4
1.2. Features of Ettercap .......... 4
2. Types of attacks .......... 5
3. What is Address Resolution Protocol (ARP)? .......... 6
4. Practical working of ARP poisoning using Man-in-the-middle attack .......... 7
Conclusion .......... 10
References .......... 11

Abstract
Nowadays most networks are Ethernet or wireless networks that use TCP/IP for communication. A system connected to a LAN or Wi-Fi has two addresses: a MAC address and an IP address. The purpose of this project is to demonstrate ARP poisoning as a man-in-the-middle attack with the help of the Ettercap tool. The idea behind a man-in-the-middle attack is to intrude into an existing connection between two hosts on a LAN and intercept the information exchanged.

Keywords: ARP poisoning, Man-in-the-middle attack, Ettercap tool, Host, LAN.

1. Introduction
Ettercap is a comprehensive suite for man-in-the-middle attacks on a LAN. It sniffs live packets, filters content and captures passwords. It supports passive and active dissection of many protocols and includes many features for network protocol analysis and security auditing. It runs on Linux and Windows. It was initially released on 25 January 2001.

1.1. Functionality of Ettercap

Ettercap works by putting the network interface into promiscuous mode [1] and by ARP-poisoning the victim machines. It then acts as the man in the middle and can launch different attacks on the victims.

[1] Promiscuous mode is a network-adapter operating mode in which the adapter passes every frame it sees on the segment up to the host, not only the frames addressed to its own MAC address.

1.2. Features of Ettercap

- It supports active and passive dissection of protocols and provides many features for network and host analysis. Ettercap offers four modes of operation:
  - IP-based: packets are filtered on the basis of source and destination IP address.
  - MAC-based: packets are filtered on the basis of MAC address; useful for sniffing connections through a gateway.
  - ARP-based: uses ARP poisoning to sniff on a switched LAN between two hosts (full-duplex).
  - Public ARP-based: uses ARP poisoning to sniff on a switched LAN from a victim host to all the other hosts (half-duplex).
- The software also includes the following features:
  - Injection of characters into the server (emulating commands) or into a client (emulating replies) while maintaining a live connection; this is known as character injection into an established connection.
  - It sniffs the username and password, or the data, of an SSH1 connection. It is the first software that sniffs an SSH connection in full-duplex.
  - It sniffs HTTP SSL-secured data even when the connection is made through a proxy.
  - It sniffs remote traffic through a GRE tunnel from a remote Cisco router and performs a man-in-the-middle attack on it.
  - Creation of custom plug-ins through the Ettercap API.
  - It collects passwords from TELNET, FTP, SSH1 and HTTP.
  - It searches for a particular string in a TCP or UDP payload and replaces it with a custom string of choice, or drops the entire packet.
  - It determines the operating system of the victim host and its network adapter.
  - It kills a connection of choice from the connections list.
  - It determines information about hosts on the LAN: their open ports, the version numbers of available services, the type of host (gateway, router or PC) and the distance in number of hops.
  - It hijacks DNS requests.
  - It can also actively and passively find other poisoners on the LAN.

2. Types of attacks

Active attacks: Active attacks are those in which the attacker tries to alter the information and produce a wrong message. Preventing these attacks is quite difficult because of the wide range of physical, network and software vulnerabilities, but the user can detect the attack and recover from it. Performing an active attack is also difficult, because when a hacker attempts it the victim may become aware of it. Forms of active attack:

- Masquerade attack: also known as interruption, in which an unauthorized attacker tries to pose as another entity.
- Modification: it can be done in two ways. In a replay attack, data units are captured and then resent by the attacker. In an alteration attack, the hacker changes some data of the original message.
- Fabrication: it causes denial of service (DoS), in which the attacker gains access to the network and then locks authorized users out of it.

Figure 1 [2]

Passive attacks: In a passive attack the attacker engages in unauthorized eavesdropping; it includes only monitoring the information and does not involve changing the data. Passive attacks are hard to detect precisely because the data is not changed. One way to protect against a passive attack is for the sender to send the packets in encrypted form, so that the receiver converts them back into plain text on arrival. Passive attacks exploit open ports that are not protected by firewalls: the attacker searches for vulnerabilities and, if one is found, exploits it to gain network access.

The passive attacks are further classified into two types:

[2] Available at <https://techdifferences.com/difference-between-active-and-passive-attacks.html> accessed on 23/11/18.
- Release of message content: the sender wants to send a confidential message to the receiver and does not want any interceptor to read it.
- Traffic analysis: through encryption the sender can mask the content of the message, but the attacker can still analyze the traffic by observing its pattern to retrieve information; this is known as traffic analysis.

Figure 2 [3]

3. What is Address Resolution Protocol (ARP)?

Address Resolution Protocol (ARP) is a stateless protocol used for discovering the link-layer address (such as a MAC address) linked with an internet-layer address (such as an IPv4 address). Working of ARP:

- When one device needs to communicate with another, it first searches its ARP table.
- If the MAC address is not found in its own table, it sends an ARP request over the network.
- All devices in the network compare the requested IP with their own IP address.
- If one of the devices in the network owns this IP, it responds to the ARP request with its IP and MAC address.
- The requesting device stores the address pair in its ARP table and then establishes the communication.

What is ARP spoofing?

ARP spoofing is a type of attack in which a malicious user sends fake ARP messages over the LAN; this results in the MAC address of the malicious user being linked with the IP address of a legitimate user on the network. The malicious user floods the target computer with fake ARP cache entries; this is known as spoofing. ARP spoofing is also known as ARP poisoning. ARP poisoning is what places the attacker as a man in the middle on the network.
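The following Python script is an added example, not code from the report or from the Ettercap project, and it looks at both halves of this section from the defender's side. It parses Ethernet/IPv4 ARP frames with the fields the resolution steps above describe, then replays a constructed sequence of frames through a learning IP-to-MAC cache and raises an alert when a known IP starts answering from a different MAC or one MAC answers for several IPs, which are the symptoms ARP poisoning leaves on the wire. All frames, addresses and function names are constructed for the example.

```python
"""Parse Ethernet/ARP frames and flag the cache-poisoning indicators an arpwatch-style
monitor looks for. Added example; every frame below is constructed for illustration."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Return the ARP body of an Ethernet frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 14 + 28:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    # Fixed header: hardware type, protocol type, hw addr len, proto addr len, opcode.
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]  # sender MAC, sender IP, target MAC, target IP
    return ArpPacket(oper, _mac(body[0:6]), _ip(body[6:10]), _mac(body[10:16]), _ip(body[16:20]))


def audit_frames(frames) -> Tuple[dict, List[Tuple[str, str]]]:
    """Replay frames through a learning IP->MAC cache; return the cache and (indicator, detail) alerts."""
    ip_to_mac: dict = {}
    alerts: List[Tuple[str, str]] = []
    for raw in frames:
        pkt = parse_arp_frame(raw)
        if pkt is None:
            continue
        # On an honest host the Ethernet source and the ARP sender MAC agree.
        eth_src = _mac(raw[6:12])
        if eth_src != pkt.sender_mac:
            alerts.append(("eth-arp-mismatch", f"frame from {eth_src} carries ARP sender {pkt.sender_mac}"))
        # A known IP suddenly answering from a new MAC is the classic poisoning symptom.
        known = ip_to_mac.get(pkt.sender_ip)
        if known is not None and known != pkt.sender_mac:
            alerts.append(("mapping-changed", f"{pkt.sender_ip}: {known} -> {pkt.sender_mac}"))
        ip_to_mac[pkt.sender_ip] = pkt.sender_mac  # learn from requests and replies alike
        # One MAC claiming several IPs (its own and the gateway's, say) is the other symptom.
        owners = sorted(ip for ip, mac in ip_to_mac.items() if mac == pkt.sender_mac)
        if len(owners) > 1:
            alerts.append(("mac-claims-multiple-ips", f"{pkt.sender_mac} claims {owners}"))
    return ip_to_mac, alerts


# Constructed frames (hex): Ethernet dst, src, type 0806, then the 28-byte ARP body.
# Hosts: victim 00:11:22:33:44:55 = .112, gateway aa:bb:cc:00:00:01 = .1,
# a second station 66:77:88:99:aa:bb = .200, another host 00:aa:bb:cc:dd:50 = .50.
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    # .200 broadcasts a normal request for the gateway
    "ffffffffffff 66778899aabb 0806 0001 0800 06 04 0001 66778899aabb c0a889c8 000000000000 c0a88901",
    # genuine gateway reply to the victim
    "001122334455 aabbcc000001 0806 0001 0800 06 04 0002 aabbcc000001 c0a88901 001122334455 c0a88970",
    # the .200 station now answers for the gateway's IP: the poisoned reply
    "001122334455 66778899aabb 0806 0001 0800 06 04 0002 66778899aabb c0a88901 001122334455 c0a88970",
    # unrelated request from .50, nothing to flag
    "ffffffffffff 00aabbccdd50 0806 0001 0800 06 04 0001 00aabbccdd50 c0a88932 000000000000 c0a88901",
    # an IPv4 frame (type 0800) with a zeroed payload, skipped by the parser
    "001122334455 aabbcc000001 0800" + " 00" * 28,
)]

if __name__ == "__main__":
    cache, found = audit_frames(SAMPLE_FRAMES)
    for kind, detail in found:
        print(f"[{kind}] {detail}")
```

In practice the frame list would be fed from a live capture or a pcap rather than constructed bytes, which is what arpwatch does with the same two rules. Treat the alerts as indicators, not proof: a DHCP lease moving to another machine, or a redundant gateway failing over, also changes an IP-to-MAC mapping legitimately.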

[3] Available at <https://techdifferences.com/difference-between-active-and-passive-attacks.html> accessed on 23/11/18.
What is a man-in-the-middle attack?

A man-in-the-middle attack is an active attack in which the hacker impersonates a user by inserting himself into the connection between the target and the sender of the information. The target believes it is communicating with the sender, while in fact the hacker controls the communication. SSL prevents this type of attack.

Figure 3 [4]

4. Practical working of ARP poisoning using Man-in-the-middle attack

I have used Ettercap version 0.8.2-Ferri (release date 14 March 2015) to perform ARP poisoning on a LAN.

Step 1 - First I ensure that I am connected to a LAN and then check my own IP address using the ifconfig command in the command prompt.

Step 2 - Open the Ettercap tool, then click on the “Sniff” tab in the menu bar and select “Unified sniffing”; click OK to select the interface and use “wlan0”, which is the wireless interface.

[4] Available at <https://security.stackexchange.com/questions/183723/i-started-to-learn-about-mitm-eattacks-and-i-cant-figure-out-few-things> accessed on 24/11/18.
Step 3 - Now click on the “Hosts” tab and then click on “Scan for hosts” to see the available hosts in the network.

Step 4 - Click on the “Hosts” tab and select “Hosts list” to see the live hosts in the network. The list also includes the default gateway address.

Step 5 - Now we have to choose the targets from the available hosts. I added the victim as “Target 1”.

Step 6 - In this case, our target is “192.168.137.112”.

Step 7 - Click on “Mitm” (man-in-the-middle attack), then click on “ARP poisoning”, tick “Sniff remote connections” and click OK.

Step 8 - Then click “Start” and “Start sniffing”.

Step 9 - If the victim logs into any website that uses the HTTP protocol, I can see the “username” and “password” in the Ettercap output pane.
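A host-side check that complements the procedure above, added here as an example and not taken from the report: after an ARP-poisoning attack of the kind performed in steps 5 to 8, the victim's own neighbour cache typically shows the gateway's IP address and the attacker's real IP address resolving to the same MAC. The script parses `ip neigh show` output (a constructed sample, not the report's lab network) and reports any MAC that answers for more than one IP of the same address family; `parse_neigh`, `shared_macs` and `gateway_is_shared` are names chosen for this example.

```python
"""Inspect a host's ARP/neighbour cache for one MAC answering for several IPs.
Added example; the sample output and all addresses in it are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of `ip neigh show` output. The FAILED entry has no lladdr
# and must be tolerated; the fe80:: entry shows why grouping is per address family.
SAMPLE_NEIGH = """\
192.168.137.1 dev wlan0 lladdr 66:77:88:99:aa:bb REACHABLE
192.168.137.50 dev wlan0 lladdr 00:aa:bb:cc:dd:50 STALE
192.168.137.77 dev wlan0  FAILED
192.168.137.200 dev wlan0 lladdr 66:77:88:99:aa:bb REACHABLE
192.168.137.112 dev wlan0 lladdr 00:11:22:33:44:55 PERMANENT
fe80::6477:88ff:fe99:aabb dev wlan0 lladdr 66:77:88:99:aa:bb router REACHABLE
"""

# One neighbour entry: address, interface, link-layer address; state flags follow.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)


def parse_neigh(text: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs; entries without an lladdr (FAILED/INCOMPLETE) are skipped."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append((m["ip"], m["mac"].lower()))
    return entries


def shared_macs(entries) -> Dict[Tuple[int, str], List[str]]:
    """Group IPs by (address family, MAC) and keep the MACs that own more than one IP.
    Grouping per family matters: one adapter legitimately has an IPv4 and an IPv6 address."""
    by_mac: Dict[Tuple[int, str], List[str]] = defaultdict(list)
    for ip, mac in entries:
        family = 6 if ":" in ip else 4
        by_mac[(family, mac)].append(ip)
    return {key: ips for key, ips in by_mac.items() if len(ips) > 1}


def gateway_is_shared(entries, gateway_ip: str) -> bool:
    """True when the MAC cached for the gateway also answers for another IP of the same
    family, the footprint an ARP-poisoning man in the middle leaves on the victim."""
    gw_mac = dict(entries).get(gateway_ip)
    if gw_mac is None:
        return False
    family = 6 if ":" in gateway_ip else 4
    return (family, gw_mac) in shared_macs(entries)


if __name__ == "__main__":
    found = parse_neigh(SAMPLE_NEIGH)
    for (family, mac), ips in shared_macs(found).items():
        print(f"IPv{family}: {mac} answers for {', '.join(ips)}")
    print("gateway MAC shared:", gateway_is_shared(found, "192.168.137.1"))
```

A shared MAC is an indicator to investigate, not a verdict: a router carrying several addresses on one interface, an HSRP/VRRP virtual gateway or a proxy-ARP configuration produces the same picture legitimately. The check also only reads the cache after the fact; a static ARP entry for the gateway on the victim, or Dynamic ARP Inspection on the switch, is what prevents the poisoning in the first place.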

Conclusion

A man-in-the-middle attack is an attack in which the attacker intercepts the communication between two parties while neither of them is aware that someone is obtaining their information. The man-in-the-middle attack is a threat to online security because it allows the attacker to capture data in real time. It is a type of eavesdropping in which the attacker controls the entire communication. Users can protect themselves from man-in-the-middle attacks by not using public or free Wi-Fi, by using HTTPS or other secure protocols, and by providing their credentials only to safe and secure websites.

References
- https://securitylab.disi.unitn.it/lib/exe/fetch.php?media=teaching:netsec:2016:g4_-_mitm.pdf
- https://techdifferences.com/difference-between-active-and-passive-attacks.html
- https://security.stackexchange.com/questions/183723/i-started-to-learn-about-mitm-eattacks-and-i-cant-figure-out-few-things
- http://www.ijcea.com/wp-content/uploads/2016/09/160314087.pdf
- https://www.youtube.com/watch?v=3UD738uE7Tg
- https://pentestmag.com/ettercap-tutorial-for-windows/?doing_wp_cron=1543264897.6598329544067382812500
