**Note: The content in this article is only for educational purposes and understanding of cybersecurity concepts. It should enable people and organizations to have a better grip on threats and know how to protect themselves against them. Please use this information responsibly.**
Using Ettercap to Perform MITM Attack
Man-in-the-Middle (MITM) attacks exploit weaknesses in various network protocols, such as the Address Resolution Protocol (ARP), the Internet Protocol (IP), the Domain Name System (DNS) and the Hypertext Transfer Protocol (HTTP), to name a few.
Here we will perform MITM on the Address Resolution Protocol.
Before that, let us see how ARP works.
ARP resolves an IP address to a MAC address. This is required because, in order to communicate with another system on the local network, a device needs to know that device's hardware address (MAC address).
How does ARP work?
- (A) knows (B)'s IP address but wants its MAC address.
- (A) will first check for (B)'s MAC address in its ARP table. If it is not found, then:
- (A) will send an ARP request as a broadcast.
- All systems in the Local Area Network (LAN) receive the message, check the destination IP address and drop the packet if it does not belong to them.
- The intended device (B) then sends its MAC address as a unicast reply to the sender (A).
- (A) updates its ARP table (also called the ARP cache).
A MITM (Man-in-the-Middle) attack on the Address Resolution Protocol (ARP) is performed by ARP Spoofing or ARP Poisoning (the terms are used interchangeably). In this attack, the attacker sends out many ARP requests to both targets. This changes the contents of their ARP caches, so that the attacker's MAC address is recorded for the IP address the other user is trying to reach; the attacker thereby impersonates that IP address. As a result, the target sends its data to the attacker.
Now let us demonstrate this using Ettercap GUI.
- Log in to your Kali Linux machine and make sure your target system is logged in (we are using a Debian virtual machine in this case).
- Open the Ettercap GUI on the Kali Linux system.
- Select sniffing at startup and the appropriate primary interface (eth0 in this case), then click on the tick to accept.
- Click on menu -> Hosts -> Hosts list.
Sometimes this does not show scan results immediately. To get the scan results, click the "Search" icon.
- This will show the target IP address (in this case the Debian system that is on the same Local Area Network) and the default gateway. We add the target system to Target 1 and the default gateway to Target 2, because we want to sniff the data that the Debian system sends to the default gateway using our Kali Linux machine. Since we are using a virtualized environment (VMware) here, the default gateway for all the virtual machines is the same. The default gateway is the entry and exit point of this virtual machine subnet, so it acts as a routing device that knows how to pass traffic between different subnets and networks.
192.168.150.132 is the IP address of the Debian target VM and 192.168.150.2 is its default gateway.
- Now select the MITM menu -> ARP Poisoning.
- Select "Sniff remote connections". This sends many ARP requests to the targets.
- We open the URL http://testphp.vulnweb.com on our target machine (i.e. the Debian system), go to the signup page and enter a username and password.
- The Ettercap GUI on our attacker machine now captures all the details. It shows the website visited, the protocol used, the port number, the IP address of the server, and the entered username and password.
Note that because the website uses the HTTP protocol, the username and password are captured in plain text: HTTP applies no encryption to the data it carries. To prevent this kind of capture, most websites nowadays use the HTTPS protocol.
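As an added defensive example (not part of the original article), the following Python script shows how a passive monitor on the LAN can detect the ARP cache changes described above: it flags a reply that contradicts a pinned gateway entry, an IP address whose MAC changes mid-stream, and a single MAC claiming several IP addresses, which is exactly what poisoning both targets produces. The ARP reply stream and all MAC addresses are constructed for the example; the IP addresses are the ones from this walkthrough.

```python
from collections import defaultdict

# Constructed baseline: the IP->MAC mapping a defender recorded for the
# gateway on a known-good day (e.g. from `ip neigh`). The MAC is made up.
TRUSTED = {"192.168.150.2": "00:50:56:fa:00:02"}

# Constructed stream of ARP replies as (sender_ip, sender_mac) pairs, in the
# order a passive sniffer on the LAN would see them. The last two entries are
# the pattern ARP poisoning of both targets produces: one unknown MAC claims
# both the gateway IP and the Debian host IP.
ARP_REPLIES = [
    ("192.168.150.2",   "00:50:56:fa:00:02"),
    ("192.168.150.132", "08:00:27:11:22:33"),
    ("192.168.150.2",   "00:0c:29:aa:bb:cc"),
    ("192.168.150.132", "00:0c:29:aa:bb:cc"),
]

def detect_arp_spoofing(replies, trusted):
    """Return a list of alert strings for suspicious ARP replies.

    Checks, all cheap enough for a passive LAN monitor:
    1. An IP pinned in `trusted` is announced with a different MAC.
    2. An IP changes MAC relative to the first claim seen in this stream.
    3. One MAC ends up claiming more than one IP address.
    """
    alerts = []
    first_seen = {}                 # ip -> first MAC announced for it
    ips_by_mac = defaultdict(set)   # mac -> every IP it has claimed
    for ip, mac in replies:
        mac = mac.lower()
        if ip in trusted and mac != trusted[ip].lower():
            alerts.append(f"trusted-entry-conflict {ip}: expected {trusted[ip]} got {mac}")
        if ip in first_seen and first_seen[ip] != mac:
            alerts.append(f"mac-changed {ip}: {first_seen[ip]} -> {mac}")
        first_seen.setdefault(ip, mac)
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append(f"mac-claims-multiple-ips {mac}: {sorted(ips_by_mac[mac])}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES, TRUSTED):
        print(alert)
```

On a real network the reply stream would come from a packet capture filtered to ARP opcode 2 (replies), and a static ARP entry for the gateway on critical hosts removes the cache-overwrite path entirely.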