Note that Ettercap is in interactive mode here. You can press the H key to get a menu
with several useful key commands for controlling the session. It is very
important that you quit Ettercap by pressing the Q key. On a clean exit Ettercap
re-ARPs the victims, that is, it sends them correct ARP replies again so that their
ARP caches point back at the real gateway and host. If Ettercap is killed without
getting that chance (for example with kill -9), the poisoned entries stay in place
until they time out; in the meantime both hosts keep sending their traffic to your
machine, which is no longer forwarding it, and they lose connectivity.
Let's go over the arguments. We pass -T on the command line for interactive text
mode, and -i wlan0 means we want to use the Wi-Fi interface for sniffing; use
-i eth0 to sniff on a wired connection. The -M arp:remote option selects an ARP
poisoning man-in-the-middle attack, and the remote part tells Ettercap that one of
the targets is the gateway and that traffic between the other target and hosts
beyond the gateway (the Internet) should be sniffed too, not only traffic between
two hosts on the LAN. The -V ascii option dictates how Ettercap displays packet
payloads to us (hex and text are alternatives), and -d asks Ettercap to resolve IP
addresses to host names with reverse DNS lookups, which is easier to read but
generates DNS traffic of its own. Last comes the target specification, which has
the form MAC address/IP addresses/port numbers, the fields separated by slashes.
For example, /192.168.1.1/80 will sniff traffic to and from 192.168.1.1 on port 80
only. Leaving a field empty is the same as saying all of them, so /192.168.1.1/
covers every port on that host and // covers everything. You may also specify
ranges and comma-separated lists: /192.168.1.10-20/ will sniff the eleven addresses
from 192.168.1.10 to 192.168.1.20 inclusive. Ettercap takes up to two target
specifications, and for ARP poisoning you will normally give both, for example the
router as the first target and one computer as the second, so that only the traffic
between those two hosts is intercepted. Be careful about leaving them out: with no
targets at all, Ettercap poisons every host it has found on the LAN.
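To make the target grammar concrete, here is a small POSIX shell helper, added for this page and not part of Ettercap, that expands a three-field MAC/IPs/PORTs specification into the (mac, ip, port) combinations it covers. It follows the rules described above (empty field means any, last-octet IP ranges, port ranges) and additionally accepts comma-separated lists, which Ettercap also understands; IPv6 fields and CIDR notation, which newer Ettercap versions accept, are deliberately not handled. The function and variable names are this example's own.

```shell
#!/bin/sh
# Expand an Ettercap-style target spec (MAC/IPs/PORTs, three fields as used on
# this page) into the concrete "mac ip port" triples it covers.
# Illustrative helper only: Ettercap parses the spec itself and also accepts
# IPv6 fields and CIDR ranges, which are not handled here.

# Expand one field: comma-separated items, each a single value or a range.
# An IP range is written on the last octet (192.168.1.10-20); a port range is
# plain (80-90). An empty field means "any", exactly as it does for Ettercap.
expand_field() {
    list=$1
    if [ -z "$list" ]; then
        echo any
        return 0
    fi
    while [ -n "$list" ]; do
        item=${list%%,*}                       # first comma-separated item
        case $list in
            *,*) list=${list#*,} ;;
            *)   list= ;;
        esac
        case $item in
            *.*-*)                             # dotted address, last-octet range
                prefix=${item%.*}              # 192.168.1
                span=${item##*.}               # 10-20
                i=${span%-*}
                hi=${span#*-}
                while [ "$i" -le "$hi" ]; do
                    echo "$prefix.$i"
                    i=$((i + 1))
                done ;;
            *-*)                               # plain numeric range (ports)
                i=${item%-*}
                hi=${item#*-}
                while [ "$i" -le "$hi" ]; do
                    echo "$i"
                    i=$((i + 1))
                done ;;
            *)
                echo "$item" ;;
        esac
    done
}

# Print one "mac ip port" line per combination covered by the spec.
expand_target() {
    spec=$1
    case $spec in
        */*/*) ;;
        *) echo "expand_target: expected MAC/IPs/PORTs, got '$spec'" >&2; return 1 ;;
    esac
    mac=${spec%%/*}          # text before the first '/'
    rest=${spec#*/}
    ips=${rest%%/*}          # between the first and the second '/'
    ports=${rest#*/}         # after the second '/'
    [ -z "$mac" ] && mac=any
    for ip in $(expand_field "$ips"); do
        for port in $(expand_field "$ports"); do
            echo "$mac $ip $port"
        done
    done
}

# Number of lines a spec expands to; handy for sanity-checking a range
# before pointing an ARP poisoning run at it.
count_targets() {
    expand_target "$1" | wc -l | tr -d ' '
}

# The two specs from the text:
expand_target '/192.168.1.1/80'      # any 192.168.1.1 80
count_targets '/192.168.1.10-20/'    # 11, because the range is inclusive
```

Running the script prints the expansion of the two specifications discussed in the text; pass any other spec to expand_target to see what Ettercap would treat as in scope before you start poisoning.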
How encryption changes the game
Before we move on to the next example, we need to talk about encryption. As long as
the network packets are sent in plaintext (unencrypted, in the clear), Ettercap is able
to dissect and analyze most packets. It will even catch and report the usernames and
passwords used to log in to common network services; it has password dissectors for
protocols such as HTTP, FTP, POP3, IMAP and Telnet. For example, if a web browser
is used to log in to your router's administration interface over regular unencrypted
HTTP, Ettercap will print the login credentials that were used immediately.
This all changes with encrypted services such as SSH and the HTTPS protocol in
your web browser. Ettercap still sees and can log the encrypted packets, but it can't
read their contents. Ettercap does have an SSL man-in-the-middle feature that
terminates the victim's HTTPS connection itself and presents a certificate it
generated, which no browser trusts: the user gets a big red warning from the
browser saying that something is wrong, and for sites that use HSTS the browser
won't even offer a way to click through. That is the lesson to take from it: clicking
past a certificate warning on a network you don't control hands your session to
whoever is in the middle. If you still want to experiment with these techniques,
the victim's HTTPS connections have to be redirected to Ettercap's own listening
port, which on Linux is done with iptables. In the Ettercap configuration file
(etter.conf), uncomment the redir_command_on and redir_command_off directives
under the "if you use iptables" comment, and set ec_uid and ec_gid in the [privs]
section to 0, because Ettercap drops its privileges after startup and those iptables
commands need root.
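The configuration change described above, as a scripted edit added for this page (it is not an Ettercap tool). It works on a file path you pass in; the sample etter.conf it writes is constructed for the demonstration, modelled on the shipped file's [privs] section and Linux redirect block, and the function names are this example's own. The sed expressions uncomment only the iptables pair, leaving the ipchains pair above it commented, and set ec_uid/ec_gid to 0.

```shell
#!/bin/sh
# Enable Ettercap's SSL man-in-the-middle redirection in an etter.conf.
# Added illustration, not Ettercap's own tooling. It uncomments the two
# iptables redir_command_* directives and sets ec_uid/ec_gid to 0, since
# Ettercap drops privileges after start-up and the iptables commands need
# root. Operates on whatever path it is given; test on a copy first.

# Write a cut-down, constructed etter.conf with the relevant sections in
# their shipped (commented-out) state. The real file has many more entries.
make_sample_conf() {
    cat > "$1" <<'EOF'
[privs]
ec_uid = 65534                # nobody is the default
ec_gid = 65534

[mitm]
arp_storm_delay = 10
arp_poison_warm_up = 1

#---------------
#     Linux
#---------------

# if you use ipchains:
   #redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
   #redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"

# if you use iptables:
   #redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
   #redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
EOF
}

# Uncomment only the iptables pair (the ipchains pair stays commented) and
# set the privilege-drop IDs to root. Writes via a temp file so a failed
# sed leaves the original untouched.
enable_ssl_redirect() {
    conf=$1
    sed -e 's/^\([[:space:]]*\)#\(redir_command_o[nf]* *= *"iptables\)/\1\2/' \
        -e 's/^\(ec_[ug]id *= *\)[0-9][0-9]*/\10/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Return 0 when both iptables directives are active and Ettercap keeps root.
ssl_redirect_enabled() {
    conf=$1
    grep -q '^[[:space:]]*redir_command_on *= *"iptables' "$conf" &&
    grep -q '^[[:space:]]*redir_command_off *= *"iptables' "$conf" &&
    grep -Eq '^ec_uid *= *0([^0-9]|$)' "$conf" &&
    grep -Eq '^ec_gid *= *0([^0-9]|$)' "$conf"
}

# Demo on a constructed copy. Run enable_ssl_redirect against
# /etc/ettercap/etter.conf (as root) only when you mean it.
demo=$(mktemp)
make_sample_conf "$demo"
enable_ssl_redirect "$demo"
if ssl_redirect_enabled "$demo"; then echo "SSL redirect enabled in $demo"; fi
rm -f "$demo"
```

Keeping ec_uid at 0 means Ettercap runs as root for the whole session, which is exactly the privilege it needs to insert the PREROUTING rule and exactly why the default drops to nobody; revert both settings when you are done experimenting.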
After experimenting with Ettercap and understanding the implications of
unencrypted communications, you might reach the conclusion that we need to
encrypt everything and you'd be absolutely right—welcome to the club and tell
your friends! Fortunately, several large web service companies such as Google
and Facebook have started to switch over to encrypted HTTPS traffic by default.