Ettercap Automates the Malicious Middleman
Man in the middle (MITM) attacks can be devastatingly effective, providing hackers with all kinds of confidential information and, just as seriously, giving them the opportunity to feed false information to victims.
These attacks involve a hacker diverting packets which are meant to flow between a victim's computer and another machine (usually an Internet gateway) so that they flow through the attacker's computer, where they can be inspected and changed before being passed on.
The easiest and most effective way to achieve a MITM attack on a local network is through an Address Resolution Protocol (ARP) spoofing attack. Recall that on an Ethernet network local IP addresses are associated with hosts' network adapter MAC addresses, and that a host broadcasts an ARP request to find out which MAC address an arbitrary local IP address has been assigned to. These requests take the form "who-has 192.168.1.150, tell 192.168.1.1". ARP replies, in the form "192.168.1.150 is-at 00:11:22:33:44:55", carry no authentication, and a typical host will update its ARP cache on receiving one even if it never sent a matching request. It is therefore possible to send a spoofed ARP reply telling the victim's machine that the gateway IP address 192.168.1.1 is associated with the MAC address of the attacker's machine, and to send another to the gateway telling it that the victim's IP address is associated with the attacker's MAC address rather than the victim's. Because ARP caches expire, the attacker has to keep resending these replies for as long as the interception is to last.
All that's then needed is for the attacker to forward the packets on to their intended destinations, and the victim will be none the wiser; any delay due to this diversion is usually far too small to be noticeable. If the attacker forgets to forward, the victim simply loses connectivity, which is the one way a careless ARP poisoning attack does draw attention to itself.
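The exchange described above, as an added example that is not code from the original article or from Ettercap: it builds the two unsolicited "is-at" replies at the byte level (Ethernet II framing plus the RFC 826 ARP payload), feeds them to a model of a host that updates its ARP cache without ever having asked, and runs the one check a defender can make on the wire, flagging a reply that moves an IP address it already knows to a different MAC. The MAC and IP addresses are made-up sample values; packet forwarding by the attacker is not modelled.

```python
"""ARP poisoning exchange and an arpwatch-style mapping-change check.
Added example, not Ettercap's code. All addresses are constructed sample data."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II header + ARP for IPv4 over Ethernet (htype=1, ptype=0x0800).
    A request is broadcast; a reply is unicast to the target's MAC."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp  # 14 + 28 = 42 bytes


def parse_arp_frame(frame: bytes) -> dict:
    """Decode the fields of an Ethernet/ARP frame; reject anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class NaiveArpCache:
    """Models the classic host behaviour that makes poisoning work: a reply
    addressed to us, or from an IP we already hold, overwrites the table with
    no check that we ever sent a request for it."""

    def __init__(self, my_ip: str):
        self.my_ip = my_ip
        self.table: dict[str, str] = {}

    def handle(self, frame: bytes) -> dict:
        p = parse_arp_frame(frame)
        if p["target_ip"] == self.my_ip or p["sender_ip"] in self.table:
            self.table[p["sender_ip"]] = p["sender_mac"]
        return p


def poison_pair(attacker_mac, victim_ip, victim_mac, gateway_ip, gateway_mac):
    """The two unsolicited replies an ARP-poisoning tool keeps resending:
    to the victim, "gateway_ip is-at attacker_mac";
    to the gateway, "victim_ip is-at attacker_mac"."""
    to_victim = build_arp_frame(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip)
    to_gateway = build_arp_frame(ARP_REPLY, attacker_mac, victim_ip, gateway_mac, gateway_ip)
    return to_victim, to_gateway


def detect_mapping_change(table: dict, frame: bytes):
    """Defender's check (what arpwatch does): an ARP reply that moves a known
    IP to a different MAC is the signature of poisoning. Returns an alert
    string or None. Run it before the table is updated."""
    p = parse_arp_frame(frame)
    old = table.get(p["sender_ip"])
    if old is not None and old != p["sender_mac"]:
        return f"ALERT {p['sender_ip']} moved from {old} to {p['sender_mac']}"
    return None


def demo():
    """Victim 192.168.1.150 and gateway 192.168.1.1 have already resolved each
    other; one spoofed pair is enough to redirect both directions."""
    attacker, victim_mac, gateway_mac = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:ff"
    victim, gateway = NaiveArpCache("192.168.1.150"), NaiveArpCache("192.168.1.1")
    victim.table["192.168.1.1"] = gateway_mac
    gateway.table["192.168.1.150"] = victim_mac
    to_victim, to_gateway = poison_pair(attacker, "192.168.1.150", victim_mac, "192.168.1.1", gateway_mac)
    alerts = [detect_mapping_change(victim.table, to_victim),
              detect_mapping_change(gateway.table, to_gateway)]
    victim.handle(to_victim)
    gateway.handle(to_gateway)
    return victim.table, gateway.table, alerts


if __name__ == "__main__":
    for item in demo():
        print(item)
```

After `demo()` both caches point the other party's IP at the attacker's MAC, and both alerts fire, which is the signal a static ARP entry or an arpwatch-style monitor relies on; a host that enforces static entries for its gateway would ignore the reply instead of applying it.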
Let's think about the implications of a MITM attack. Because both ends have been poisoned, packets in either direction between the victim's machine and the gateway go through the attacker's machine, where they can be inspected. The sorts of packets the attacker may be after include POP, SMTP and FTP logins and passwords, or any other type of data that is sent without encryption.
It's possible to carry out an ARP poisoning MITM attack manually by crafting the ARP replies yourself with a packet-crafting tool and watching the result in Wireshark (formerly Ethereal), which shows you the ARP traffic but cannot itself inject or alter packets. In practice, though, it's very easy for anyone who can get on to your network (using Aircrack-ng to recover a wireless key, for example) to carry out such an attack using automated open source tools. The best known of these is called Ettercap.