MITM ARP POISONING ATTACK WITH ETTERCAP – Part 2

In this Man-in-the-Middle [MITM] tutorial, you will learn how to use Ettercap in Kali Linux to conduct an ARP poisoning attack. Furthermore, you will learn how to capture login credentials [username and password] when users authenticate on a website. 

In the MITM ARP Poisoning Attack With Ettercap – Part 1, we used Wireshark to capture files transferred between a Windows 10 and a File Server. This time, we will capture the HTTP traffic between a client and a web server while performing an ARP Poisoning attack.

This is super fun – I am sure you’ll enjoy it!

DISCLAIMER: This guide is for ethical hacking, penetration testing, and security purposes only. Do not apply this guide in a real environment [company network, Internet, etc.] without permission.

And with that out of the way, let’s get started.

Virtual Hacking Lab Setup

To practice along, you will need to start the following VirtualBox VMs in your virtual hacking lab setup:

  • Windows 10
  • Metasploitable2
  • Kali Linux

NOTE: If you don’t have a virtual hacking lab set up yet, I strongly recommend you do so by following the virtual hacking lab tutorial in the link provided above.

All the hacking tools used in this tutorial are already available on the above VMs.

The following diagram [Figure 1.1] shows the lab setup for this MITM Ettercap tutorial:

Figure 1.1: Ettercap Arp poisoning attack – virtual hacking lab setup. Source: nudesystems.com

Assuming you have already started the VMs required in this lab, take note of the IP and MAC address of Windows 10 and Metasploitable2.

If you don’t know how to do that, here is a quick guide on how to find your IP and MAC address on various operating systems.

NOTE: your VMs’ IPs and MAC addresses will most likely differ from mine. I suggest using a piece of paper to draw a diagram similar to the one below [Figure 1.2]. 

Figure 1.2: Ettercap Arp poisoning attack – VMs IPs and MAC addresses.

Learning Outcome

Upon lab completion you will know how to:

  • Use Ettercap to conduct a MITM ARP poisoning attack on specific targets in a network.
  • Use Wireshark to capture usernames and passwords when users authenticate on a web application.
  • Analyze the ARP cache before and during an ARP poisoning attack.

Step 1: Set Up Ettercap for ARP Poisoning Attack

On Kali Linux VM, navigate to Applications → Sniffing & Spoofing → Ettercap, as seen in Figure 1.3 below.

Figure 1.3: Launch Ettercap in Kali Linux.

Alternatively, you can launch Ettercap by typing in the terminal the following command:

sudo ettercap -G

Once Ettercap shows up, disable the Sniffing at startup option and click the Accept icon in the top right to accept the settings [Figure 1.4].

Figure 1.4: Ettercap – disable Sniffing at startup.

Next, let’s instruct Ettercap to discover the live hosts in our network by clicking on Scan for hosts in the top left of the window [Figure 1.5].

Figure 1.5: Ettercap – Search for hosts.

Once the scan is complete, click on the Hosts List icon to check the list of host IPs and MAC addresses discovered by Ettercap [Figure 1.6].

If the network you scan consists of many hosts, you will see a larger list of discovered IPs in Ettercap. You can remove the hosts you don’t intend to run an ARP poisoning attack on by selecting the IP/MAC and clicking on the Delete Host button.

NOTE: The IP and MAC address used by the host running Ettercap [in this case, Kali Linux] will not be listed in the Host List. 

Figure 1.6: Ettercap – Discovered hosts.

NOTE: You can run an ARP poisoning attack in Ettercap against two target machines only. 

Select the first IP/MAC in the list to highlight it and click on the Add to Target 1 button. Do the same for the second IP/MAC and click Add to Target 2 [Figure 1.7].

Figure 1.7: Ettercap – Add to Target.

Next, click on the MITM menu and select ARP poisoning from the drop-down menu [Figure 1.8].

Figure 1.8: Ettercap – MITM ARP poisoning.

On the MITM Attack dialogue window, make sure the Sniff remote connections checkbox is selected, then click OK [Figure 1.9].

Figure 1.9: Ettercap – Sniff remote connections.

Ettercap is now set up to perform a MITM ARP poisoning attack on the specified targets in our network.

Please don’t start the attack yet. 

Step 2: Set Up Wireshark for Network Packet Capture

To capture user login credentials between Windows 10 and the Web Server, we need to start and set up Wireshark first.

Start Wireshark by navigating to Applications → Sniffing & Spoofing → Wireshark, as seen in Figure 1.10 below:

Figure 1.10: Start Wireshark in Kali Linux.

Once Wireshark opens, scroll down to the Capture section.

Select eth0 on the list of network devices, then click on the Start capturing packets icon [Figure 1.11].

NOTE: you can select a different interface, such as the WiFi adapter, if you want to capture packets sent over WiFi instead.

Figure 1.11: Wireshark – select capture network interface.

Alright. Ettercap and Wireshark are now prepared for the attack. Continue to the next section.

Step 3: Check ARP Cache For Windows 10

Before we start the ARP poisoning attack, let’s look at the ARP information on the Windows 10 machine.

Open a Command Prompt in Windows 10, and execute the following command:

arp -a

Find the IP and MAC address of the Metasploitable2 VM in the command output [Figure 1.12]. Pay special attention to the MAC address. You will see why in a moment.

NOTE: if you don’t see the Metasploitable2 IP/MAC address in the list, ping the host by typing the following command in Command Prompt to force Windows 10 to update its ARP cache.

ping <the IP address of Metasploitable2 VM>

Figure 1.12: Windows 10 ARP cache.

Step 4: Create An Account On Mutillidae Web Page

Mutillidae: Born to be hacked is a free and open-source web application designed specifically for penetration testing practice and security enthusiasts.

Mutillidae is available on all operating systems via the WAMP/MAMP/LAMP stack. 

Metasploitable2 comes with Mutillidae pre-installed, so if you set up your virtual hacking lab per my instructions, you already have it running on the Metasploitable2 VM.

On the Windows 10 VM, open a browser and type the IP address of your Metasploitable2 VM.

Once you’ve accessed the Metasploitable webpage, click on the Mutillidae link, as seen in Figure 1.13 below.

Figure 1.13: Metasploitable 2 – Mutillidae.

On the Mutillidae webpage, click on the Please register here link to create a new account [Figure 1.14]. 

Figure 1.14: Mutillidae – create a new account.

Create a new account like you would do on any other website on the Internet. Make sure you remember the username and password [Figure 1.15].  

Figure 1.15: Mutillidae – Register for an Account.

NOTE: if you receive a database error when creating your Mutillidae account, you can find the fix here. 

Don’t log in to the Mutillidae webpage yet. We need to start the attack in Ettercap first.

Step 5: Launch The ARP Poisoning Attack

Head over to the Kali Linux VM. Launch the ARP poisoning attack by clicking on the Start Sniffing icon in Ettercap [Figure 1.13].

Figure 1.13: Launch the attack in Ettercap.

At this point, the Ettercap ARP poisoning attack is running against the given targets and Wireshark is capturing the traffic on the network [Figure 1.14].

Figure 1.14: Ettercap and Wireshark in Kali Linux.

Step 6: Login On Mutillidae Web Page

Alright. It’s time to log in to the Mutillidae web page. Head over to the Windows 10 VM and log in using the username and password you created earlier [Figure 1.15].

Figure 1.15: Login on the Mutillidae web page.

If you log in successfully, you should see a web page like the one in Figure 1.16 below.

Figure 1.16: Mutillidae web page.

Step 7: Compare ARP Cache In Windows 10

Before we stop the ARP poisoning attack on the target machines and stop the network packet capture, let’s verify that the ARP attack actually happened.

The easiest way to check is to compare the arp -a command output before and during the ARP poisoning attack. 

On the Windows 10 Command Prompt type again:

arp -a

In Figure 1.17 below, I compare the MAC addresses in the Windows 10 VM’s ARP cache before and during the attack.

As you can see, the MAC addresses stored in the Windows 10 ARP cache differ between the two snapshots. That is enough proof that the ARP poisoning attack is taking place.

NOTE: you can check the ARP cache in Windows 10 again once we have stopped the MITM attack. The Metasploitable2 MAC address should revert to its initial value.

Figure 1.17: Windows 10 ARP cache before and during the MITM attack.
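The before/during comparison above is exactly what a defender can automate: snapshot arp -a on a host, diff it against the last snapshot, and flag any IP whose MAC changed or any MAC that is suddenly claimed by several IPs (the classic ARP poisoning signature). The example below is added here and is not part of the original tutorial; the two arp -a snapshots and the 192.168.56.x addresses are constructed, with .102 standing in for Metasploitable2 and .103 for the Kali host.

```python
import re
from typing import Dict, List

# One 'arp -a' entry on Windows: IP, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)",
    re.IGNORECASE,
)

def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> MAC from 'arp -a' output, skipping broadcast and multicast entries."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        table[ip] = mac
    return table

def find_spoof_indicators(before: Dict[str, str], during: Dict[str, str]) -> List[str]:
    """Flag IPs whose MAC changed between snapshots and MACs now claimed by several IPs."""
    findings: List[str] = []
    for ip, old_mac in before.items():
        new_mac = during.get(ip)
        if new_mac and new_mac != old_mac:
            findings.append(f"MAC changed for {ip}: {old_mac} -> {new_mac}")
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in during.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claimed by multiple IPs: {', '.join(sorted(ips))}")
    return findings

# Constructed snapshots (addresses are made up): .102 stands in for Metasploitable2,
# .103 for the Kali host. In the second snapshot .102 resolves to the .103 MAC.
ARP_BEFORE = """Interface: 192.168.56.101 --- 0x5
  Internet Address      Physical Address      Type
  192.168.56.1          0a-00-27-00-00-05     dynamic
  192.168.56.102        08-00-27-3b-2c-1d     dynamic
  192.168.56.103        08-00-27-9e-7a-44     dynamic
  192.168.56.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
ARP_DURING = ARP_BEFORE.replace("08-00-27-3b-2c-1d", "08-00-27-9e-7a-44")
```

Run find_spoof_indicators on the parsed snapshots and the poisoned entry shows up twice: once as a MAC change for .102 and once as one MAC answering for both .102 and .103.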

Step 8: Stop Ettercap and Wireshark 

On Kali Linux, turn off the attack by clicking the Stop Sniffing button in the top right of the Ettercap interface [Figure 1.18].

Figure 1.18: Stop the attack in Ettercap.

Stop the packet capture in Wireshark by clicking on the Stop capturing packets button in the top right of the interface [Figure 1.19].

Figure 1.19: Stop network packet capture in Wireshark.

Step 9: Find The Username and Password

In Wireshark, navigate to File → Export Objects → HTTP.

Look for the application/x-www-form-urlencoded entry [index.php]. Highlight it and save it on your Desktop [Figure 1.20].

Figure 1.20: Identify and download the www-form on Wireshark.

Open the index.php file by double-clicking on it. 

Here you go. You can see the plaintext values of the POST variables the user submitted to the Web Server over HTTP.

Bingo! My Mutillidae username is testuser and password is testuser1234 [Figure 1.21].  

Figure 1.21: Mutillidae username and password.

That’s it. You just conducted an ARP Poisoning attack with Ettercap and captured the user login information on a web application. 

Conclusion

There are, however, some limitations to this hacking method.

Ettercap attacks ARP at Layer 2 (the link layer); therefore, this attack only works within the same network. In other words, if the client and the server are not in the same network segment, the ARP poisoning attack won’t work.

Network devices such as routers strip the Layer 2 encapsulation every time a packet crosses from one network segment to another. This is one reason why network segmentation is an important security measure for protecting systems from attacks like this one.

Passwords containing special characters such as $ or & cannot be sent literally in URL-encoded form data. Therefore, special characters in a password are URL-encoded, meaning they are escaped with the % symbol followed by their hexadecimal code.

This method works for complex passwords, too, as long as you are patient enough to decode the special characters in the password.

Before You Go

I hope you found this MITM ARP poisoning tutorial useful. If so, do me a favour and share it with your friends and colleagues – it really makes a difference.

Stay safe.