In this Man-in-the-Middle [MITM] tutorial, I will show you how to conduct an ARP poisoning attack using Ettercap in Kali Linux. Furthermore, you will learn how to capture and extract the files transferred between a client and a file server during the ARP poisoning attack using Wireshark.
This is going to be fun!
DISCLAIMER: This guide is for ethical hacking, penetration testing, and security purposes only. Do not apply this guide in a production environment [company network, Internet, etc.] without permission from the system/network owner.
And with that out of the way, let’s get started.
Virtual Hacking Lab Setup
To practice along, you will need to install the following virtual machines using any virtualization solutions such as VirtualBox or VMware:
- Windows 10
- Ubuntu File Server
- Kali Linux
If you don’t know how to install the above VMs, follow the guide on How To Install A Virtual Hacking Lab With Virtual Box here.
NOTE: I recommend you take some time to set up your own lab, as it will be handy every time you learn and practice a new hacking tutorial on this website.
Here is the lab overview used in this hacking tutorial [Figure 1.1].
Find the IPs and MAC addresses for the Windows 10 and Ubuntu File Server VMs. If you don’t know how to find your IP and MAC addresses, follow the instructions for Windows and Linux operating systems here. It would help if you got these imprinted in your memory as soon as possible, since you will refer to them throughout the tutorial.
In this MITM tutorial you will learn the following:
- Use Ettercap in Kali Linux to conduct an ARP poisoning attack on specific targets in a network.
- Capture files transferred between a client and file server using Wireshark in Kali Linux.
Ettercap ARP Poisoning Set Up
On Kali Linux, navigate to Applications → Sniffing & Spoofing → Ettercap, as seen in Figure 1.3 below. Alternatively, you can launch Ettercap by typing in the terminal the following command:
sudo ettercap -G
The Ettercap graphical interface will open. Disable Sniffing at startup and click the Accept icon on the top right to accept the settings [Figure 1.4].
Click on the Scan for hosts icon on the top left to instruct Ettercap to start scanning the network for hosts [Figure 1.5]. The search process depends on how many hosts are alive in your network but is usually pretty fast.
Next, click on the Hosts List icon to see the list of hosts discovered by Ettercap in your network. As you can see in Figure 1.6, Ettercap discovered the IP and MAC addresses for the Client and File Server in our network.
NOTE: Ettercap will not include the host used to run the search [in this case Kali Linux] as a discovered host in the Host List.
Select the first host [IP] to highlight it, then click on the Add to Target 1 button. Do the same for the second host and click Add to Target 2 [Figure 1.7].
Click on the MITM menu and select ARP poisoning from the drop-down menu [Figure 1.8].
On the MITM Attack dialogue window, leave the default settings and click OK [Figure 1.9].
Alright. Ettercap is now ready to perform the MitM ARP poisoning attack on the specified targets in the network.
Please don’t start the attack yet. We want to start capturing the traffic between the Client and Server first to extract the files transferred.
Start Wireshark by navigating to Applications → Sniffing & Spoofing → Wireshark as seen in Figure 1.10 below:
In Wireshark, scroll down to the Capture section, select eth0 from the list of network interfaces, then click on the Start capturing packets icon [Figure 1.11].
Before we perform the ARP poisoning attack, let’s look at the ARP information on the client machine [Windows 10]. To list the recently resolved MAC addresses for the IP hosts in the network [ARP], open a Command Prompt window and type:
Take note of the File Server’s MAC address – in my case, 00-0c-29-f5-49-14 [Figure 1.12]. We will recheck the File Server MAC address after we launch the ARP poisoning attack in a moment.
Launching The Ettercap ARP Poisoning Attack
Move back to the Kali Linux virtual machine and launch the attack by clicking Start Sniffing in Ettercap [Figure 1.13].
All that is left is to upload a file from the Client machine [Windows 10] to the File Server and hope to capture it using Wireshark.
Open a File Explorer window on the Client machine, click on Network, and select the File Server from the list [Figure 1.14].
If you don’t see your File Server share here, review the SAMBA configuration on your File Server and Windows 10 VMs per the instructions provided in the virtual hacking lab set up here.
Drag-and-drop any file [a picture, text file, etc.] onto the File Server window. For example, I will create a Notepad file, write something in it [Figure 1.15] and upload it to the File Server [Figure 1.16].
Before we turn off Ettercap and Wireshark, let’s look again at the ARP information on the Client machine by typing the following command in the Command Prompt window.
Let’s compare side by side the ARP information before and during the ARP poisoning attack.
As you can see in Figure 1.17 below, the File Server’s MAC address changed between the snapshot taken before the attack and the one taken during it. The Client machine still believes it is talking directly to the File Server, while the MitM attack has in fact compromised the connection.
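The before-and-during comparison in Figure 1.17 is exactly the check a defender can automate: diff two ARP cache snapshots and flag any IP whose MAC changed, plus any single MAC that now answers for several IPs. The script below is an added example, not part of the original tutorial. It assumes the text layout of Windows `arp -a` output, and the two snapshots are constructed sample data: the File Server MAC 00-0c-29-f5-49-14 is the value quoted above, while the interface, gateway, Kali host and client addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed ARP cache snapshots in the layout of Windows "arp -a" output
# (assumed format). Only 00-0c-29-f5-49-14 comes from the tutorial; every
# other address is a placeholder. 192.168.56.30 stands for the Kali host,
# which the client learned about during Ettercap's host scan.
ARP_BEFORE = """\
Interface: 192.168.56.10 --- 0x5
  Internet Address      Physical Address      Type
  192.168.56.1          0a-00-27-00-00-01     dynamic
  192.168.56.20         00-0c-29-f5-49-14     dynamic
  192.168.56.30         08-00-27-aa-bb-cc     dynamic
  192.168.56.255        ff-ff-ff-ff-ff-ff     static
"""

# Same table while the File Server entry has been poisoned: the server's IP
# now resolves to the Kali host's MAC, so one MAC answers for two IPs.
ARP_DURING = """\
Interface: 192.168.56.10 --- 0x5
  Internet Address      Physical Address      Type
  192.168.56.1          0a-00-27-00-00-01     dynamic
  192.168.56.20         08-00-27-aa-bb-cc     dynamic
  192.168.56.30         08-00-27-aa-bb-cc     dynamic
  192.168.56.255        ff-ff-ff-ff-ff-ff     static
"""

# One cache line: IPv4 address, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def parse_arp_table(text):
    """Return {ip: mac} for dynamic entries; static broadcast/multicast rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        ip, mac, kind = m.group(1), m.group(2).lower(), m.group(3).lower()
        if kind == "dynamic":
            table[ip] = mac
    return table


def changed_entries(before, after):
    """IPs present in both snapshots whose MAC differs: {ip: (old_mac, new_mac)}."""
    return {
        ip: (before[ip], after[ip])
        for ip in before
        if ip in after and before[ip] != after[ip]
    }


def shared_macs(table):
    """MACs that more than one IP resolves to: {mac: sorted list of ips}."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def audit(before_text, after_text):
    """Run both checks and return the findings as a dict."""
    before, after = parse_arp_table(before_text), parse_arp_table(after_text)
    return {"changed": changed_entries(before, after), "shared": shared_macs(after)}


if __name__ == "__main__":
    findings = audit(ARP_BEFORE, ARP_DURING)
    for ip, (old, new) in findings["changed"].items():
        print(f"MAC for {ip} changed: {old} -> {new}")
    for mac, ips in findings["shared"].items():
        print(f"{mac} now answers for several IPs: {', '.join(ips)}")
```

Either finding on its own is suspicious, but the combination (a known host's MAC changes, and the new MAC already belongs to another IP in the same cache) is the classic signature of a poisoned cache and is what tools such as arpwatch alert on. The script reads text rather than querying the OS, so it works on output saved from any host and can be run from a monitoring box.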
Extracting The Captured Files
On Kali Linux, turn off the Ettercap ARP poisoning attack by clicking the Stop Sniffing button on the top right of the interface [Figure 1.18].
Turn off the capture process in Wireshark by clicking on the Stop capturing packets button on the top right of the interface [Figure 1.19].
Extract the transferred file between Client and File Server by navigating to File → Export Objects → SMB in Wireshark.
NOTE: If you configured your File Server with something other than Samba protocol [IMF, TFTP, etc.], make sure you select that protocol in the Wireshark Export Objects menu in this step.
You can see the file we uploaded on the File Server during the ARP poisoning attack.
You can save the captured file by highlighting the capture field and clicking the Save button [Figure 1.20]. Give the file a name when prompted and click OK.
If you captured multiple files, you can save all files in one go by clicking the Save All button.
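Besides the SMB objects, the capture you just saved also holds the ARP frames that rewrote the client's cache, and Wireshark's ARP dissector marks them with a duplicate IP address warning whenever one sender IP shows up with two different sender MACs. The following script is an added example, not part of the original tutorial or of Wireshark: it parses raw Ethernet/ARP frames and applies that same check. The frames are constructed in memory for the example; the server MAC 00:0c:29:f5:49:14 is the value quoted above, while the client, rogue host and IP addresses are placeholders.

```python
import struct
from collections import defaultdict

ETH_ARP = 0x0806  # EtherType for ARP


def mac_to_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Pack an Ethernet II + IPv4 ARP frame in memory (constructed sample data only)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    dst = bytes.fromhex((eth_dst or target_mac).replace(":", ""))
    eth = dst + smac + struct.pack("!H", ETH_ARP)
    arp = (
        struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, hlen 6, plen 4, opcode
        + smac + bytes(map(int, sender_ip.split(".")))
        + tmac + bytes(map(int, target_ip.split(".")))
    )
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if this is not a well-formed IPv4 ARP frame."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_to_str(frame[22:28]), ip_to_str(frame[28:32]), ip_to_str(frame[38:42])


def find_ip_conflicts(frames):
    """Sender IPs claimed by more than one MAC across the frames: {ip: sorted list of macs}."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, smac, sip, _ = parsed
        if sip == "0.0.0.0":  # ARP probe: sender IP not asserted, so not a claim
            continue
        claims[sip].add(smac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


# Constructed sample traffic. Only SERVER_MAC comes from the tutorial.
SERVER_MAC = "00:0c:29:f5:49:14"
CLIENT_MAC = "08:00:27:11:22:33"  # placeholder
ROGUE_MAC = "08:00:27:aa:bb:cc"   # placeholder for the host doing the poisoning
SERVER_IP, CLIENT_IP = "192.168.56.20", "192.168.56.10"  # placeholders

SAMPLE_FRAMES = [
    # client asks who has the server's IP (broadcast request, target MAC unknown)
    build_arp_frame(1, CLIENT_MAC, CLIENT_IP, "00:00:00:00:00:00", SERVER_IP,
                    eth_dst="ff:ff:ff:ff:ff:ff"),
    # genuine reply from the server
    build_arp_frame(2, SERVER_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP),
    # unsolicited reply claiming the server's IP from another MAC
    build_arp_frame(2, ROGUE_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP),
    b"\x00" * 20,  # truncated junk, ignored by the parser
]

if __name__ == "__main__":
    for ip, macs in find_ip_conflicts(SAMPLE_FRAMES).items():
        print(f"duplicate use of {ip}: claimed by {' and '.join(macs)}")
```

On a real capture the frames would come from a pcap reader rather than the constructed list, but the check is the same: collect every sender IP to sender MAC claim and report IPs with more than one claimant. A single conflict can also be a legitimate NIC replacement or DHCP reuse, so correlate the alert with the time window and with the cache-diff picture from Figure 1.17 before treating it as an attack.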
Let’s check the fruit of our attack by looking at the file we captured [Figure 1.21].
Voila. You just conducted an ARP poisoning attack on a Windows 10 client and a File Server and captured the file transferred between them. Well done!
Next, continue with ARP Poisoning – PART 2 tutorial and learn how to capture login credentials [username and password] when users authenticate on a web application. That’s a really cool hack!
Before You Go
One important thing to keep in mind: Ettercap attacks ARP at Layer 2 of the TCP/IP stack; therefore, this attack only works within the same LAN [the same broadcast domain].
Routers strip the Layer 2 encapsulation when traffic crosses between network segments and recreate it on the next segment, so ARP messages never leave the segment they were sent on. Therefore, an ARP poisoning attack across multiple network segments is not possible.
I hope you found this ethical hacking tutorial helpful. If so, do me a favor and share it with your friends and colleagues.
See you in the next tutorial.