By Leonard Cucos •  Updated: 05/18/21 •  7 min read

In this Man-in-the-Middle [MITM] tutorial, I will show you how to conduct an ARP poisoning attack using Ettercap in Kali Linux. Furthermore, you will learn how to capture and extract the files transferred between a client and a file server during the ARP poisoning attack using Wireshark.

This is going to be fun!

DISCLAIMER: This guide is for ethical hacking, penetration testing, and security purposes only. Do not apply this guide in a production environment [company network, Internet, etc.] without permission from the system/network owner. 

And with that out of the way, let’s get started. 

Virtual Hacking Lab Setup

To practice along, you will need to install the following virtual machines using any virtualization solutions such as VirtualBox or VMware:  

  1. Windows 10
  2. Ubuntu File Server
  3. Kali Linux.

If you don’t know how to install the above VMs, follow the guide on How To Install A Virtual Hacking Lab With Virtual Box here.

NOTE: I recommend you take some time to set up your own lab, as it will be handy every time you learn and practice a new hacking tutorial on this website.

Here is the lab overview used in this hacking tutorial [Figure 1.1].

MITM Ettercap ARP Poisoning - Lab overview. Source:
Figure 1.1: MITM – Lab overview

Find the IPs and MAC addresses for the Windows 10 and Ubuntu File Server VMs. If you don’t know how to find your IP and MAC addresses follow the instructions for Windows and Linux operating systems here. It would help if you got this imprinted in your memory as soon as possible.

Learning Outcome

In this MITM tutorial you will learn the following:

MITM Ettercap ARP Poisoning IP & MAC - Lab overview. Source:
Figure 1.2: MITM – Lab overview.

Ettercap ARP Poisoning Set Up

On Kali Linux, navigate to Applications → Sniffing & Spoofing → Ettercap, as seen in Figure 1.3 below. Alternatively, you can launch Ettercap by typing in the terminal the following command:

sudo ettercap -G
MITM Ettercap ARP Poisoning - Launching Ettercap in Kali Linux. Source:
Figure 1.3: Launching Ettercap in Kali Linux

The Ettercap graphical interface will open. Disable Sniffing at startup and click the Accept icon on the top right to accept the settings [Figure 1.4].

MITM Ettercap ARP Poisoning - Ettercap Accept settings. Source:
Figure 1.4: Accept settings.

Click on the Scan for hosts icon on the top left to instruct Ettercap to start scanning the network for hosts [Figure 1.5]. The search process depends on how many hosts are alive in your network but is usually pretty fast. 

MITM Ettercap ARP Poisoning - Ettercap search for hosts. Source:
Figure 1.5: Search for hosts.

Next, click on the Hosts List icon to see the list of hosts discovered by Ettercap in your network. As you can see in Figure 1.6, Ettercap discovered the IP and MAC addresses for the Client and File Server in our network. 

MITM Ettercap ARP Poisoning - Ettercap Discovered Hosts List. Source:
Figure 1.6: Discovered Hosts List.

NOTE: Ettercap will not include the host used to run the search [in this case Kali Linux] as a discovered host in the Host List. 

Select to highlight the first host [IP], then click on the Add to Target 1 button. Do the same for the second host and click Add to Target 2 [Figure 1.7].

MITM Ettercap ARP Poisoning - Ettercap Assign Hosts to Target. Source:
Figure 1.7: Assign Hosts to Target.

Click on MITM Menu, and select ARP poisoning from the drop down menu [Figure 1.8].

MITM Ettercap ARP Poisoning. Source:
Figure 1.8: Arp poisoning.

On the MITM Attack dialogue window, leave the default settings and click OK [Figure 1.9]

MITM Ettercap ARP Poisoning Settings. Source:
Figure 1.9: Arp poisoning.

Alright. Ettercap is now ready to perform the MitM ARP poisoning attack on the specified targets in the network. 

Please don’t start the attack yet. We want to start capturing the traffic between the Client and Server first to extract the files transferred. 

Start Wireshark by navigating to Applications → Sniffing & Spoofing → Wireshark as seen in Figure 1.10 below:

MITM Ettercap ARP Poisoning - Launch Wireshark in Kali Linux. Source:
Figure 1.10: Launch Wireshark in Kali Linux.

On the Wireshark, scroll down to the Capture section, select eth0 from the list of network devices, then click on the Start capturing packets icon [Figure 1.11]. 

MITM Ettercap ARP Poisoning -  Wireshark Start capturing packets on eth0. Source:
Figure 1.11: Wireshark – Start capturing packets on eth0.

Before we perform the ARP poisoning attack, let’s look at the ARP information on the client machine [Windows 10]. To list the recently resolved MAC addresses for the IP hosts in the network [ARP], open a Command Prompt window and type:

arp -a

Take note of the File Server’s MAC address – in my case, 00-0c-29-f5-49-14 [Figure 1.12]. We will recheck the File Server MAC address after we launch the ARP poisoning attack in a moment. 

MITM Ettercap ARP Poisoning - Check Client [Windows 10] ARP. Source:
Figure 1.12: Check Client [Windows 10] ARP.

Launching The Ettercap ARP Poisoning Attack

Move back to Kali Linux virtual machine and launch the attack by clicking on the Start Sniffing in Ettercap [Figure 1.13]. 

MITM Ettercap ARP Poisoning - Launch Ettercap ARP poisoning attack. Source:
Figure 1.13: Launch the ARP poisoning attack.

All that is left is to upload a file from the Client machine [Windows 10] to the File Server and hope to capture it using Wireshark.

Open a File Explorer window on the Client machine, click on Network, and select the File Server from the list [Figure 1.14].

If you don’t see your File Server share here, review the SAMBA configuration on your File Server and Windows 10 VMs per the instructions provided in the virtual hacking lab set up here

MITM Ettercap ARP Poisoning - Access the File Server. Source:
Figure 1.14: Access the File Server.

Drag-and-drop any file [a picture, text file, etc.] on the File Server window. For example, I will create a notepad file, write something in it [Figure 1.15] and upload it on the File Server [Figure 1.16].

MITM Ettercap ARP Poisoning - Example of a notepad file. Source:
Figure 1.15: Example of a notepad file.
MITM Ettercap ARP Poisoning - Upload a file to the File Server. Source:
Figure 1.16: Upload a file to the File Server.

Before we turn off Ettercap and Wireshark, let’s look again at the ARP information on the Client machine by typing the following command in the Command Prompt window.

arp -a

Let’s compare side by side the ARP information before and during the ARP poisoning attack.

 As you can see in Figure 1.17 below, the MAC address of the File Server before and during the ARP poisoning attack changed. The Client machine thinks it is still talking with the File Server when a MitM attack compromises the connection. 

MITM Ettercap ARP Poisoning - File Server MAC address before and during the attack. Source:
Figure 1.17: File Server MAC address before and during the attack.

Extracting The Captured Files

On Kali Linux, turn off the Ettercap ARP poisoning attack by clicking the Stop Sniffing button on the top right of the interface [Figure 1.18]. 

MITM Ettercap ARP Poisoning - Stop Ettercap. Source:
Figure 1.18: Stop Ettercap.

Turn off the capture process in Wireshark by clicking on the Stop capturing packets button on the top right of the interface [Figure 1.19]. 

MITM Ettercap ARP Poisoning - Stop Wireshark capture. Source:
Figure 1.19: Stop Wireshark capture.

Extract the transferred file between Client and File Server by navigating to File → Export Objects → SMB in Wireshark.

NOTE: If you configured your File Server with something other than Samba protocol [IMF, TFTP, etc.], make sure you select that protocol in the Wireshark Export Objects menu in this step.   

You can see the file we uploaded on the File Server during the ARP poisoning attack. 

You can save the captured file by highlighting the capture field and clicking the Save button [Figure 1.20]. Give the file a name when prompted and click OK.  

If you captured multiple files, you can save all files in one go by clicking the Save All button. 

MITM Ettercap ARP Poisoning - Save the capture file(s) from Wireshark. Source:
Figure 1.20: Save the capture file(s) from Wireshark.

Let’s check the fruit of our attack by checking the file we captured [Figure 1.21]

MITM Ettercap ARP Poisoning - Checking the results. Source:
Figure 1.21: Checking the results.

Voila. You just conducted an ARP Poisoning attack on a Windows 10 client and File Server as well as you captured the file transferred in between. Well done!

Next, continue with ARP Poisoning – PART 2 tutorial and learn how to capture login credentials [username and password] when users authenticate on a web application. That’s a really cool hack!

Before You Go

One important thing to keep in mind: Ettercap is attacking ARP at TCP/IP Layer 2; therefore, this attack will only work in the same LAN.

The Layer 2 encapsulation is stripped out by routers when using multiple network segments and gets recreated in the next network segment. Therefore the ARP poisoning attack on multiple network segments is not possible.

I hope you found this ethical hacking tutorial helpful. If so, do me a favor and share it with your friends and colleagues. 

See you in the next tutorial.    

Leonard Cucos

Leonard Cucos is an engineer with over 20 years of IT/Telco experience managing large UNIX/Linux-based server infrastructures, IP and Optics core networks, Information Security [red/blue], Data Science, and FinTech.