Wednesday, September 2, 2015

Ettercap Tutorial | ARP Poisoning Example.

Ettercap stands for Ethernet capture.

It is a comprehensive suite for performing MITM (Man-In-The-Middle) attacks.

It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.

 Download & Install

Download and install the ettercap package.

On Ubuntu or any other Linux system that uses apt-get, you can also install it with a simple command in the terminal.

    # open a root shell
    sudo bash
    # install the GTK front end and the common files
    apt-get install ettercap-gtk ettercap-common

Ettercap is now installed and ready to use on your system.

Warning: Do not execute this on a network or system that you do not have permission to test. Execute this only on your own network or system, for learning purposes only, or on systems for which you have permission.
  
This article explains how to perform DNS Spoofing & ARP Poisoning using Ettercap in a LAN (Local Area Network).

 Ettercap Basics

Some basics of ettercap: it has 4 types of user interface, i.e.

1. Text only: '-T' option
2. Curses: '-C' option
3. GTK: '-G' option
4. Daemon: '-D' option

In this article we'll mainly focus on the graphical user interface of ettercap, i.e. GTK.

Launching an ARP Poisoning attack

If you don't know what an ARP poisoning attack actually is, then visit here.

Now fire up your Kali machine.
1. To start the ettercap GTK interface, just type this command in the terminal.

    ettercap -G 

2. Click “Sniff->Unified Sniffing”. It will list the available network interfaces.
    Choose the one which you want to use for ARP Poisoning.
    Once you choose a network interface, a new window will open.

3. The next step is to add the target list for performing the ARP poisoning.
    Here we will add 192.168.1.51 and 192.168.1.10 as the targets, as an example.

4. Click “Hosts->Scan for Host”.
    It will start to scan the hosts present in the network.
    
5. Once it is completed, click “Hosts->Host List”. It will list the available hosts in the LAN.

6. Now, from the list, select “192.168.1.51” and click “Add to Target 1”, then select “192.168.1.10” and click “Add to Target 2”.

7. Now select “Mitm->Arp Poisoning”.

8. A dialog box will open. Select “Sniff Remote Connection” and click “OK”.

9. Then click “Start->Start Sniffing”.



Now ARP is poisoned, i.e. the 192.168.1.122 machine (the one running ettercap) starts to send ARP packets saying “I’m 1.10”.
To verify it, run “ping 192.168.1.10” from 192.168.1.51.
Open the “Wireshark” application on the 192.168.1.122 machine and set a filter for ICMP.
You will see the ICMP packets from 192.168.1.51 to 192.168.1.10 arriving on 192.168.1.122.





















 
 
