ARP spoofing is an attack on an Ethernet or Wi-Fi network in which the attacker gets between the router and the target user. In an ARP spoofing attack, messages meant for the target are sent to the attacker instead, allowing the attacker to spy on, deny service to, or man-in-the-middle a target. One of the most popular tools for carrying out this attack is Ettercap, which is pre-installed on Kali Linux.
On a normal network, messages are routed over Ethernet or Wi-Fi by linking the MAC address of a connected device to the IP address the router uses to identify it. This is usually done via an Address Resolution Protocol (ARP) message that states which device's MAC address belongs to which IP address. It tells the rest of the network where to send the traffic, but it can easily be faked to change the way traffic is routed.
In an ARP spoofing attack, a program like Ettercap sends fake messages that attempt to get devices to associate the hacker's MAC address with the IP address of the target. If the messages are accepted, the false mappings are temporarily stored in the ARP cache of other network devices. Once the rest of the network starts delivering packets for the target to the attacker instead, the attacker effectively controls the data connection of the target.
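A defensive view of the mechanism above, as an added example that is not part of the original article: a passive monitor that parses ARP frames and alerts when an IP address moves to a different MAC or when one MAC claims several IP addresses. The function and class names, the MAC addresses and the 192.168.1.x addresses are constructed for illustration; in practice the frames would come from a packet capture on a monitoring port.

```python
import struct
from collections import defaultdict

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":     # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):    # Ethernet + IPv4 only
        return None
    sha, spa = frame[22:28], frame[28:32]                  # sender MAC, sender IP
    return oper, sha.hex(":"), ".".join(map(str, spa))

class ArpWatch:
    def __init__(self):
        self.ip_to_mac, self.mac_to_ips = {}, defaultdict(set)

    def observe(self, frame):
        """Record the sender binding in one frame; return a list of alert strings."""
        parsed = parse_arp(frame)
        if parsed is None or parsed[2] == "0.0.0.0":       # skip non-ARP and ARP probes
            return []
        _, mac, ip = parsed
        alerts, known = [], self.ip_to_mac.get(ip)
        if known and known != mac:                         # a cache entry would be overwritten
            alerts.append(f"REBIND {ip}: {known} -> {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:                  # may be benign (multi-address router)
            alerts.append(f"MULTI-IP {mac}: {sorted(self.mac_to_ips[mac])}")
        return alerts

def build_arp(oper, sha, spa, tha, tpa):                   # constructed test frame, never sent
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    dst = mac(tha) if oper == 2 else b"\xff" * 6
    return (dst + mac(sha) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

GW, HOST, ODD = "02:00:00:00:00:01", "02:00:00:00:00:50", "02:00:00:00:00:66"  # constructed MACs
def demo():
    frames = [build_arp(1, GW, "192.168.1.1", "00:00:00:00:00:00", "192.168.1.50"),  # who-has .50
              build_arp(2, HOST, "192.168.1.50", GW, "192.168.1.1"),   # genuine reply
              build_arp(2, ODD, "192.168.1.1", HOST, "192.168.1.50"),  # forged: claims gateway IP
              build_arp(2, ODD, "192.168.1.50", GW, "192.168.1.1")]    # forged: claims host IP
    watch = ArpWatch()
    return [alert for frame in frames for alert in watch.observe(frame)]

if __name__ == "__main__":
    print("\n".join(demo()))
```

A REBIND alert on the gateway's IP address is the strongest signal here; MULTI-IP alone also fires for routers that legitimately hold several addresses, so treat it as supporting evidence.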
There can be three primary results after an attacker initially achieves success in poisoning the ARP cache of other hosts on the network:
- The attacker can spy on traffic. They can lurk in the shadows and see everything the target user does on the network. This one is self-explanatory.
- The attacker can intercept and modify the packets in a man-in-the-middle attack. They can intercept passwords typed into an HTTP website, view DNS requests, and resolve the IP addresses the target is navigating to in order to see which sites the target is visiting. In a man-in-the-middle attack, the attacker can not only see what is happening on the network but also manipulate it. For example, they might try to downgrade the encryption the connection uses by deliberately requesting insecure versions of web pages, making it easier to sniff passwords. A hacker can also just be a nuisance. For example, they can replace words in the text of a website, flip or replace images, or modify other types of data flowing to and from the target.
- The attacker can drop the packets meant for the target to create a denial-of-service attack. This is perhaps the most frustrating outcome for a target. While a Wi-Fi deauthentication attack is by far the most common cause of an attack on a Wi-Fi network, ARP spoofing can be much more challenging to figure out. If the attacker chooses not to forward the packets that are now being sent to them instead of the target, the target will never receive them. The Wi-Fi network can be jammed from the inside by getting between the target and the router and then dropping the packets flowing between them.
One of the most intriguing programs installed by default in Kali Linux is Ettercap. Unlike many programs that are command-line only, Ettercap has a graphical interface that is very beginner-friendly. Although the results can sometimes vary, Ettercap is an excellent tool for newcomers to get the hang of network attacks such as ARP spoofing. If you don't have it yet (for example, if you downloaded a light version of Kali), you can get it by typing the following in a terminal window.
    ~# apt install ettercap-graphical
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    ettercap-graphical is already the newest version (1:0.8.2-10+b2).
Ettercap is not the only tool for this, nor is it the most modern. Other tools, such as Bettercap, claim to do what Ettercap does, but more effectively. Ettercap, however, is useful enough for our demonstration. The general workflow of an Ettercap ARP spoofing attack is to join a network that you want to attack, find hosts on the network, assign targets to a "targets" file, and then perform the attack on the targets.
Once we have done all of that, we can figuratively watch over the shoulder of the target while they browse the Internet, and we can even kill connections to websites we want to steer them away from. We can also run various payloads, such as isolating a host from the rest of the network, denying service by dropping all packets sent to them, or running scripts to try to downgrade the security of the connection.
Step 1: Connect to the network
The first step of ARP spoofing is to connect to the network that you want to attack. If you are attacking an encrypted WEP, WPA or WPA2 network, you must know the password. This is because we are attacking the network from the inside, so we need to be able to see some information about the other hosts on the network and the data passing through it.
You can connect to a network for ARP spoofing in two ways. The first is to connect via Ethernet, which is very effective, but not always practical and rarely subtle. Instead, many people prefer to use a wireless network adapter and perform the ARP spoofing over Wi-Fi.
Step 2: Start Ettercap
In Kali, click "Applications," then "Sniffing & Spoofing," followed by "ettercap-graphical." You can also click the "Show Applications" option in the dock and then search for and select "Ettercap."
Once it starts, you should find yourself on the Ettercap main screen. You'll see the ghostly Ettercap logo and a few drop-down menus from which to start the attack. In the next step we'll explore the "Sniff" menu.
At this point, make sure that you have an active connection to the network before continuing.
Click on the "Sniff" menu item and then select "Unified sniffing." A new window will open asking you which network interface you want to sniff on. You must select the network interface that is currently connected to the network you are attacking.
Now you will see text confirming that sniffing has started, and you will have access to more advanced menu options such as Targets, Hosts, Mitm, Plugins, etc. Before we start using any of them, we must identify our target on the network.
To find the device that we want to attack on the network, Ettercap has a few tricks in store. First, we can perform a simple scan for hosts by clicking "Hosts," then "Scan for hosts." A scan is performed, and after it completes, you can see the hosts that Ettercap has identified on the network by clicking "Hosts," then "Hosts list."
We can now see a list of targets that we have discovered on the network. Do you want to see what they are doing or narrow down the targets? Click "View," then "Connections" to start browsing through connections.
Once in the Connections view, you can filter the connections by IP address, connection type, and whether the connection is open, closed, active or killed. This gives you a lot of snooping power, which can be expanded by clicking "View," then "Resolve IP addresses." This means that Ettercap will attempt to resolve the IP addresses that other devices on the network connect to.
If you want to identify a target on a network and you know what they are browsing, look over their shoulder to see which website they are on and match the website to an IP address with an active connection to the same website. Otherwise, you can usually tell by the MAC address, because you can look it up online to see the manufacturer.
Step 5: Select hosts to target with ARP Spoofing
Now that we have identified our target's IP address, it's time to add it to a target list. As soon as we do this, we tell Ettercap that we want to designate that IP address as one we want to pretend to be, so that we receive messages from the router that were meant to be sent to the target. Return to the "Hosts" screen and select the IP address of the target that you want to target. Click the IP address to highlight it, and then click "Targets" followed by "Target List" to see a list of devices that have been targeted for ARP spoofing.