Setting up a spoofing attack with Ettercap

Address Resolution Protocol (ARP) spoofing is perhaps the most common MITM attack. It relies on the fact that ARP, the protocol that maps IP addresses to MAC addresses, does not verify the authenticity of the responses a system receives. When Alice's computer asks all devices on the network, "what is the MAC address of the machine with IP xxx.xxx.xxx.xxx?", it will believe the answer it gets from any device, whether or not that device is the one it wanted. ARP spoofing (also called ARP poisoning) exploits this by sending a stream of ARP responses to both ends of the communication, telling each one that the attacker's MAC address corresponds to the IP address of its counterpart.
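The pattern just described (a third MAC answering, unasked, for the addresses of both endpoints) is also what a defender looks for on the wire. The following detector is an example added to this page, not code from the book or from Ettercap: it parses raw Ethernet/ARP frames, keeps a table of IP-to-MAC bindings and outstanding requests, and raises an alert for unsolicited replies, for a binding that changes, and for one MAC that starts claiming several IPs. The sample frames are constructed inline and only borrow the recipe's lab addresses (192.168.56.101 and .102); the MAC addresses are made up. On a real segment the frames would come from a raw socket or a pcap file instead.

```python
"""ARP-spoof detector (added example, not from the book or from Ettercap).
Flags the reply pattern that ARP poisoning produces: unsolicited replies,
an IP whose MAC binding changes, and one MAC answering for several IPs."""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def _mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def _ip_bytes(s):
    return bytes(int(x) for x in s.split("."))

def parse_arp(frame):
    """Parse an Ethernet II frame carrying ARP-over-IPv4; return a dict, or None."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"op": op, "eth_src": _mac(src), "sha": _mac(sha), "spa": _ip(spa),
            "tha": _mac(tha), "tpa": _ip(tpa)}

def build_arp(op, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Build a raw ARP frame. Used here only to construct offline sample traffic."""
    eth = struct.pack("!6s6sH", _mac_bytes(eth_dst), _mac_bytes(sha), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, _mac_bytes(sha),
                      _ip_bytes(spa), _mac_bytes(tha), _ip_bytes(tpa))
    return eth + arp

class ArpSpoofDetector:
    """Tracks IP<->MAC bindings and outstanding requests seen on one segment."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.pending = set()  # (asking IP, asked-for IP) of requests awaiting a reply

    def _learn(self, ip, mac):
        alerts = []
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(f"binding change: {ip} moved from {old} to {mac}")
        self.ip_to_mac[ip] = mac
        if ip not in self.mac_to_ips[mac]:
            self.mac_to_ips[mac].add(ip)
            if len(self.mac_to_ips[mac]) > 1:  # one MAC answering for several IPs
                alerts.append(f"{mac} now claims {sorted(self.mac_to_ips[mac])}")
        return alerts

    def observe(self, frame):
        """Feed one frame; returns a (possibly empty) list of alert strings."""
        arp = parse_arp(frame)
        if arp is None:
            return []
        if arp["op"] == ARP_REQUEST:
            self.pending.add((arp["spa"], arp["tpa"]))
            return self._learn(arp["spa"], arp["sha"])
        if arp["op"] != ARP_REPLY:
            return []
        alerts = []
        if arp["eth_src"] != arp["sha"]:
            alerts.append(f"sender MAC {arp['sha']} differs from frame source {arp['eth_src']}")
        asked = (arp["tpa"], arp["spa"])  # the request this reply should be answering
        if asked in self.pending:
            self.pending.discard(asked)
        else:
            alerts.append(f"unsolicited reply: {arp['spa']} is-at {arp['sha']} to {arp['tpa']}")
        return alerts + self._learn(arp["spa"], arp["sha"])

def run_sample():
    """Replay constructed frames modelled on the recipe's lab (MACs are made up)."""
    client_ip, client_mac = "192.168.56.101", "08:00:27:00:00:01"
    server_ip, server_mac = "192.168.56.102", "08:00:27:00:00:02"
    attacker_mac = "0a:00:27:00:00:ff"  # constructed, not a real host
    frames = [
        # normal resolution: the client asks for the server, the server answers
        build_arp(ARP_REQUEST, client_mac, client_ip, "00:00:00:00:00:00", server_ip),
        build_arp(ARP_REPLY, server_mac, server_ip, client_mac, client_ip, eth_dst=client_mac),
        # poisoning: a third MAC tells each endpoint that the other's IP lives at it
        build_arp(ARP_REPLY, attacker_mac, server_ip, client_mac, client_ip, eth_dst=client_mac),
        build_arp(ARP_REPLY, attacker_mac, client_ip, server_mac, server_ip, eth_dst=server_mac),
    ]
    det = ArpSpoofDetector()
    return [det.observe(f) for f in frames]

if __name__ == "__main__":
    for i, alerts in enumerate(run_sample()):
        print(f"frame {i}: {alerts or 'ok'}")
```

The two legitimate frames produce no alerts; each poisoned reply produces an "unsolicited reply" and a "binding change" alert, and the second one additionally shows the same MAC claiming both lab addresses. Expect false positives from DHCP renumbering, gratuitous ARP at boot or failover, and hosts that legitimately hold several addresses, so such alerts are best correlated with the switch's own protections (for example dynamic ARP inspection) rather than acted on alone.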

In this recipe, we will use Ettercap to perform an ARP spoofing attack and set ourselves between a client and a web server.

Getting ready

For this recipe, we will use the client virtual machine we configured in Chapter 1, Setting Up Kali Linux and vulnerable_vm. The client will have the IP address 192.168.56.101 and vulnerable_vm 192.168.56.102.

How to do it...

  1. With both virtual machines running, our Kali Linux host (192.168.56.1) will be the attacking machine. Open a root terminal and run the following command:
    ettercap -G

    From Ettercap's main menu, select Sniff | Unified Sniffing.

  2. In the pop-up dialog, select the network interface you want to use; in this case we will use vboxnet0.
  3. Now that we are sniffing the network, the next step is to identify which hosts are communicating. To do that, go to Hosts on the main menu, then Scan for hosts.
  4. From the hosts found, we will select our targets. To do this, from the Hosts menu select Hosts list.
  5. From the list, select 192.168.56.101 and click on Add to Target 1.
  6. Then, select 192.168.56.102 and click on Add to Target 2.
  7. Now we will check the targets: on the Targets menu, select Current targets.
  8. We are now ready to start the spoofing attack and position ourselves between the server and the client. From the Mitm menu, select ARP poisoning…
  9. In the pop-up window, check the box Sniff remote connections and click on OK.

And that's it, we can now see all traffic between the client and the server.

How it works...

In the first command we issued, we told Ettercap to run with its GTK interface.

Tip

Other interface options are -T for the text-only interface, -C for curses (frames drawn in ASCII text), and -D to run it as a daemon with no user interface.

Then, we started the Ettercap sniffer function. Unified mode means that we will receive and send information through a single network interface. We select bridged mode when our targets are reachable through different network interfaces, for example, if we have two network cards and connect to the client through one and to the server through the other.

After the sniffing is started, we select our targets.

Tip

Select your targets beforehand

It is important to include only the strictly necessary hosts as targets for a single attack, since poisoning attacks generate a lot of network traffic and cause performance problems for all hosts. Before starting an MITM attack, identify clearly which two systems are going to be the targets and spoof only those systems.

Once our targets are set, we start the ARP poisoning attack. Sniff remote connections means that Ettercap will capture and read all the packets sent between the two endpoints; Only poison one way is useful when we want to poison only the client and do not need the responses from the server or gateway (or when that side has some protection against ARP poisoning).
