DMC ITSY 2430 - An Ettercap Primer

© SANS Institute 2004, Author retains full rights. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46. As part of GIAC practical repository. Author retains full rights.

An Ettercap Primer
Duane Norton
GIAC Security Essentials Certification Practical Assignment
Version 1.4b Option 1
April 14, 2004

Abstract

Ettercap is an open-source tool written by Alberto Ornaghi and Marco Valleri (a.k.a. ALoR and NaGA). Ettercap is described by its authors as "a multipurpose sniffer/interceptor/logger for switched LANs [1]." Since it incorporates a variety of features necessary for working in switched environments, ettercap has evolved into a powerful tool that allows the user to launch several different types of man-in-the-middle attacks. In addition, ettercap makes available many separate classic attacks and reconnaissance techniques within its interface.

The versatility of ettercap is a double-edged sword. It is easy to label this utility as a hacker tool for script kiddies, and it certainly can be used as such. However, because ettercap includes such a broad spectrum of attack and reconnaissance functions, it may also be used to teach LAN hacking techniques to students of network security. As such, the purpose of this paper is to raise awareness of the flexibility of ettercap's features, to demonstrate several of its specific capabilities, and to offer defensive strategies. While there are countermeasures that may be implemented to prevent successful ettercap attacks, many LANs remain all too vulnerable.

Introduction

Ettercap is a versatile network manipulation tool. It uses its ability to easily perform man-in-the-middle (MITM) attacks in a switched LAN environment as the launch pad for many of its other functions. Once ettercap has inserted itself in the middle of a switched connection, it can capture and examine all communication between the two victim hosts, and subsequently take advantage of these other features:

• Character injection: Insert arbitrary characters into a live connection in either direction, emulating commands sent from the client or replies sent by the server
• Packet filtering: Automatically filter the TCP or UDP payload of packets in a live connection by searching for an arbitrary ASCII or hexadecimal string, and replacing it with your own string, or simply dropping the filtered packet.
• Automatic password collection for many common network protocols: The Active Dissector component automatically recognizes and extracts pertinent information from many protocols including TELNET, FTP, POP3, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, and SNMP
• SSH1 support: Capture username, password, and the data of an SSH1 connection
• HTTPS support: Insertion into an HTTP SSL session, as long as a false certificate is accepted by the user
• PPTP suite: Perform man-in-the-middle attacks against PPTP tunnels
• Kill any connection: View and kill arbitrary active connections [1]

It also has many useful reconnaissance tools built in, to ensure that an attacker can stealthily gain awareness of the LAN topology before launching MITM attacks:

• Active OS fingerprinting: Directly probe a LAN host to identify its operating system, using the nmap database [2]
• Passive LAN scanning: By listening to and analyzing passing frames, collect information about LAN hosts such as the operating system, open ports, running services, and IP and MAC addresses
• IP and MAC-based sniffing: Listen to LAN traffic in promiscuous mode and capture passing traffic. This feature is similar to common packet capture utilities, such as tcpdump, and allows filtering by IP or MAC address.
• Search for other ARP poisoners and promiscuous mode NICs: Detect other systems that are currently sniffing on the LAN, or performing ARP cache poisoning attacks.
• Packet forge: Construct and send custom Ethernet frames and IP packets to test the responses of network devices. This function has features similar to the tool hping2 [3], and may be used to manually set header flags and spoof IP and MAC addresses [1].

Overview of Plugins

Ettercap is also extensible; the developers wrote support for plugins so that anyone can add new functionality, such as support for a new protocol dissector. The ettercap distribution includes a library of these plugins. The naming convention for these plugins (and for ettercap itself) is based on the names of monsters from the role-playing game Dungeons and Dragons.

There are two types of plugins, which can be differentiated by their names. Hooking plugins are named with the prefix Hxx_ (e.g. H09_roper). These plugins are designed to accept sniffed data from a hijacked connection directly from the ettercap sniffing engine. In this way the plugins are said to be hooked into ettercap, communicating directly with the engine through a predefined application programming interface (API). External plugins are named simply, e.g. ooze. These plugins are standalone features that do not expect data directly from the sniffing engine as input.

• H00_lurker – Search the LAN for other Ettercap poisoners.
• H01_zaratan – Broker/redirector for GRE tunnels
• H02_troll – ARP Reply spoof tool
• H0*_hydra – Suite of plugins to manipulate PPTP tunnels
• H09_roper – Blocks ISAKMP key exchange in IPSEC traffic
• H10_phantom – Sniff/Spoof DNS requests
• H1*_giant – Suite for SMB attacks
• H20_dwarf – Log all mail activity (e.g. POP, SMTP)
• H30_thief – Steal files from an HTTP stream
• arpcop – Report suspicious ARP activity
• banshee – Kill all connections between two hosts
• basilisk – Checks for successful ARP poisoning
• beholder – Find connections on a switched LAN
• confusion – Force a switch to send another host's data to your port
• golem – Denial of service attack
• hunter – Search for network interface cards that are in promiscuous mode
• imp – Collect Windows
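The ARP cache poisoning that ettercap relies on for its switched-LAN MITM, and that its own lurker and arpcop plugins look for, leaves a visible footprint: an IP address whose MAC binding changes, or one MAC that answers for several IPs. The following is an added defender-side example, not code from the paper or from ettercap; it runs the two checks over a constructed list of observed ARP replies (the timestamps, IPs and MACs are made up for illustration).

```python
from collections import defaultdict

# Constructed sample of ARP replies as (timestamp, sender_ip, sender_mac),
# in the order a passive monitor on the LAN would see them. Not real traffic.
ARP_REPLIES = [
    (1, "10.0.0.1", "00:11:22:33:44:01"),   # gateway answers normally
    (2, "10.0.0.7", "00:11:22:33:44:07"),   # workstation answers normally
    (3, "10.0.0.1", "00:11:22:33:44:01"),
    (4, "10.0.0.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by another MAC
    (5, "10.0.0.7", "de:ad:be:ef:00:99"),   # same MAC also claims the workstation IP
    (6, "10.0.0.1", "00:11:22:33:44:01"),   # real gateway answers again (flapping)
]


def analyze_arp(replies, max_ips_per_mac=1):
    """Return a list of (timestamp, reason, ip, mac) alerts.

    Two heuristics seen from the defender's side of an ARP-poisoning MITM:
    "mac-changed" when an IP's MAC binding differs from the last one seen,
    and "mac-claims-multiple-ips" when one MAC has answered for more than
    max_ips_per_mac distinct IPs (a poisoner answers for both victims with
    its own MAC). Alerts are appended in observation order.
    """
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # all IPs each MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "mac-changed", ip, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac:
            alerts.append((ts, "mac-claims-multiple-ips", ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in analyze_arp(ARP_REPLIES):
        print(alert)
```

A static gateway ARP entry on hosts, or a switch feature such as dynamic ARP inspection, is the usual mitigation; the monitor above is what tells you whether either is needed.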