How to sniff network traffic and perform ARP poisoning using Ettercap in Kali Linux

In this recipe, we will examine the process of sniffing network traffic. Sniffing network traffic involves intercepting network packets, analyzing them, and then decoding the traffic (if necessary) to display the information contained within each packet. Sniffing traffic is particularly useful in gathering information from a target because, depending on the websites visited, you will be able to see the URLs visited, usernames, passwords, and other details that you can use against them.
We will use Ettercap for this recipe, but you could also use Wireshark. For demonstration purposes, Ettercap makes it a lot easier to understand and apply sniffing principles. Once an understanding of the sniffing process is established, Wireshark can be utilized to provide more detailed analysis.
A wireless card configured for packet injection is required to complete this recipe, although you can perform the same steps over a wired network. In the case of a wireless card, packet injection involves sending a packet, or injecting it, onto an already established connection between two parties.

How to do it…

Let’s begin the process of sniffing network traffic by launching Ettercap.
1. Open a terminal window and start Ettercap. Using the -G option, launch the GUI:
ettercap -G
2. We begin the process by turning on Unified sniffing. You can press Shift + U or use the menu and navigate to Sniff | Unified sniffing.
3. Select the network interface. For a MITM attack, we should select our wireless interface.
4. Next, we turn on Scan for hosts. This can be accomplished by pressing Ctrl + S or by using the menu and navigating to Hosts | Scan for hosts.
5. Next, we bring up the Host List. You can either press H or use the menu and navigate to Hosts | Host List.

6. We next need to select and set our targets. In our case, we will select 192.168.10.111 as our Target 1 by highlighting its IP address and pressing the Add To Target 1 button.
7. Now we can let Ettercap begin sniffing. You can either press Ctrl + W or use the menu and navigate to Start | Start sniffing.

8. Finally, we begin the ARP poisoning process. From the menu, navigate to Mitm | Arp poisoning….
9. In the window that appears, check the optional parameter for Sniff remote connections.
10. Depending on the network traffic, we will begin to see information.
11. Once we have found what we are looking for (usernames and passwords), we will turn off Ettercap. You can do this by either pressing Ctrl + E or by using the menu and navigating to Start | Stop sniffing.
12. We need to turn off ARP poisoning and return the network to normal.

How it works…

This recipe included an MITM attack that works by using ARP packet poisoning to eavesdrop on wireless communications transmitted by a user. We began the recipe by launching Ettercap and scanning for our hosts. We then began the process of ARP poisoning the network. ARP poisoning is a technique that allows you to send spoofed ARP messages to a victim on the local network.
We concluded the recipe by starting the packet sniffer and demonstrating a way to stop ARP poisoning and return the network to normal. This step is key in the detection process, as it ensures you do not leave the network down once you have stopped poisoning it.
This process is useful for gathering information as it’s being transmitted across the wireless network. Depending on the traffic, you will be able to gather usernames, passwords, bank account details, and other information your targets send across the network. This information can also be used as a springboard for larger attacks.
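The spoofed ARP messages described above leave a recognizable trace on the LAN: an IP address suddenly maps to a different MAC, and a single MAC starts answering for several IPs. The following is an added example, not part of the original recipe, that runs this detection logic over a constructed list of ARP replies; every address except 192.168.10.111, the function names and the pinned-binding option are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender_ip, sender_mac) from ARP replies seen
# on the LAN. All addresses except 192.168.10.111 are assumptions.
SAMPLE_REPLIES = [
    (0.0, "192.168.10.1", "00:11:22:33:44:01"),    # gateway, legitimate
    (1.0, "192.168.10.111", "00:11:22:33:44:6f"),  # workstation, legitimate
    (5.0, "192.168.10.1", "de:ad:be:ef:00:99"),    # gateway IP, new MAC
    (5.1, "192.168.10.111", "de:ad:be:ef:00:99"),  # workstation IP, same MAC
    (6.0, "192.168.10.1", "00:11:22:33:44:01"),    # real gateway answers again
    (7.0, "192.168.10.1", "de:ad:be:ef:00:99"),    # spoofed reply repeats
]


def detect_arp_poisoning(replies, static_bindings=None):
    """Return (time, kind, ip, mac) alerts for a sequence of ARP replies.

    static-mismatch: reply contradicts a pinned IP->MAC binding
    binding-changed: an unpinned IP moved to a different MAC than last seen
    mac-multi-ip:    one MAC now claims more than one IP
    """
    static_bindings = static_bindings or {}
    last_mac = {}                  # ip -> most recently seen MAC
    ips_by_mac = defaultdict(set)  # mac -> IPs it has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        pinned = static_bindings.get(ip)
        if pinned:
            if pinned.lower() != mac:
                alerts.append((ts, "static-mismatch", ip, mac))
        elif ip in last_mac and last_mac[ip] != mac:
            alerts.append((ts, "binding-changed", ip, mac))
        last_mac[ip] = mac
        if ip not in ips_by_mac[mac]:      # alert once per newly claimed IP
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append((ts, "mac-multi-ip", ip, mac))
    return alerts


def suspect_macs(alerts):
    """MACs that claimed several IPs: the likely poisoning host."""
    return sorted({mac for _, kind, _, mac in alerts if kind == "mac-multi-ip"})


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES):
        print(alert)
```

Pinning the gateway's known MAC through static_bindings turns the flapping into a direct mismatch alert and stops the legitimate gateway reply from being reported as a change.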