Man in the Middle Attacks and Ettercap

Tushar Singh, published in ACM VIT, Jul 28, 2018

What is a Man in the Middle Attack?

When an attacker captures the data packets in transit between a host and a server, the attacker can monitor the activity on the end user's device; for example, the attacker can mirror the end user's screen and breach their privacy. This can happen in any form of online communication, such as email, social media, web surfing, etc. Not only can they eavesdrop on your private conversations, they can also target all the information inside your devices.

Figure: A simple representation of MitM

How does Man in the Middle Attack function?

Let’s say you received an email that appeared to be from your bank, asking you to log in to your account to confirm your contact information. You click on a link in the email and are taken to what appears to be your bank’s website, where you log in and perform the requested task.

In such a scenario, the man in the middle (MITM) sent you the email, making it appear to be legitimate. (This attack also involves phishing, getting you to click on the email appearing to come from your bank.) The attacker also created a website that looks just like your bank’s website, so you wouldn’t hesitate to enter your login credentials after clicking the link in the email. But when you do that, you’re not logging into your bank account, you’re handing over your credentials to the attacker.

There are basically seven types of MITM attacks: IP spoofing, DNS spoofing, email hijacking, HTTPS spoofing, SSL hijacking, Wi-Fi eavesdropping, and stealing browser cookies.

What is Ettercap?

Ettercap is a multipurpose sniffer/content filter for man in the middle attacks. A target in Ettercap is specified in the form MAC/IPs/PORTs, or MAC/IPs/IPv6/PORTs if IPv6 support is enabled.

Ettercap was born as a sniffer for switched LANs (including hubbed LANs), but over time it evolved into a flexible tool for man-in-the-middle attacks. It supports active and passive dissection of many protocols (even encrypted ones) and includes many features for network and host analysis (such as OS fingerprinting).

How does Ettercap work?

Ettercap has two main sniffing options:

1. Unified:-

This method sniffs all the packets that pass on the cable. Packets not directed to the host running Ettercap are forwarded on automatically using layer 3 routing.

2. Bridged:-

This method uses two network interfaces and forwards the traffic from one to the other while performing sniffing.

Some of the most relevant features of Ettercap are SSH1 support, SSL support, character injection into an established connection, packet filtering/dropping, remote traffic sniffing, plug-in support, a password collector, and passive OS fingerprinting.

Prevention of MITM Attacks:-

Detecting a MITM attack while it is in progress is very difficult, so we need to be prepared to prevent such attacks at all times.

To avoid internal man in the middle attacks you can set up an intrusion detection system (IDS). The IDS monitors your network and, if someone tries to hijack the traffic flow, raises an immediate alert. The downside of an IDS is that it may raise false alerts in various situations, which leads users to disable it. Tools that watch the address resolution protocol for anomalies (like XArp or ArpON) and measures like implementing dynamic host configuration protocol (DHCP) snooping on switches can limit or prevent ARP spoofing. This, in turn, helps you prevent man in the middle attacks.
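The ARP-watching tools mentioned above work by noticing when the IP-to-MAC mapping on the LAN changes in a way that a healthy network rarely produces. The following detector, added here as an example and not taken from the original post or from XArp/ArpON, illustrates the two classic symptoms over constructed `ip neigh`-style snapshots: an IP (especially the gateway) whose MAC changes between snapshots, and a single MAC that claims several IP addresses at once. The snapshot lines, addresses and MACs are all made up for the example.

```python
"""ARP spoofing detector over constructed ARP-table snapshots.

Added example (not code from the original post or from XArp/ArpON).
Flags two classic symptoms of ARP spoofing on a switched LAN:
  1. an IP address (especially the gateway) whose MAC changes between
     two snapshots, and
  2. a single MAC address claiming several IP addresses at once.
The snapshot lines below are constructed in the style of `ip neigh`
output; they were not captured from a real network.
"""
import re
from collections import defaultdict

# Constructed sample: two consecutive `ip neigh`-style snapshots.
# In the second snapshot the gateway 192.168.1.1 suddenly resolves to the
# MAC that 192.168.1.50 already uses, so one MAC now claims two IPs.
SNAPSHOTS = [
    [
        "192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE",
        "192.168.1.20 dev eth0 lladdr aa:bb:cc:00:00:20 STALE",
        "192.168.1.50 dev eth0 lladdr de:ad:be:ef:00:50 REACHABLE",
    ],
    [
        "192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:50 REACHABLE",
        "192.168.1.20 dev eth0 lladdr aa:bb:cc:00:00:20 STALE",
        "192.168.1.50 dev eth0 lladdr de:ad:be:ef:00:50 REACHABLE",
    ],
]

# One `ip neigh` line: "<ip> dev <iface> lladdr <mac> <state>"
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dev (?P<dev>\S+) "
    r"lladdr (?P<mac>[0-9A-Fa-f:]{17}) (?P<state>\S+)$"
)


def parse_snapshot(lines):
    """Return {ip: mac} for one snapshot; entries without an lladdr (e.g. FAILED) are skipped."""
    table = {}
    for line in lines:
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_mac_changes(previous, current):
    """Alert when an IP we already knew now resolves to a different MAC."""
    return [
        {"type": "mac_change", "ip": ip, "old": previous[ip], "new": mac}
        for ip, mac in current.items()
        if ip in previous and previous[ip] != mac
    ]


def find_duplicate_macs(table):
    """Alert when one MAC claims more than one IP in the same snapshot."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return [
        {"type": "duplicate_mac", "mac": mac, "ips": sorted(ips)}
        for mac, ips in by_mac.items()
        if len(ips) > 1
    ]


def analyse(snapshots, gateway=None):
    """Walk successive snapshots and collect alerts; a change to the gateway's MAC is rated 'high'."""
    alerts = []
    previous = {}
    for raw in snapshots:
        table = parse_snapshot(raw)
        for alert in find_mac_changes(previous, table):
            alert["severity"] = "high" if alert["ip"] == gateway else "medium"
            alerts.append(alert)
        for alert in find_duplicate_macs(table):
            alert["severity"] = "medium"
            alerts.append(alert)
        previous = table
    return alerts


if __name__ == "__main__":
    for alert in analyse(SNAPSHOTS, gateway="192.168.1.1"):
        print(alert)
```

On the constructed snapshots this raises a high-severity `mac_change` alert for the gateway and a `duplicate_mac` alert for `de:ad:be:ef:00:50`. Both checks can also fire on legitimate events (a replaced router, a DHCP lease moving to another host, a MAC that genuinely serves several IPs for virtual-IP failover), which is exactly the false-positive problem the paragraph above describes; in practice the gateway's expected MAC is pinned from a known-good baseline and only deviations from it are escalated.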

Another solution for preventing man in the middle attacks is to use the virtual private network (VPN). The use of such encrypted tunnels creates additional secure layers when you access your networks over links like Wi-Fi. Additionally, companies should have proper process auditing and monitoring in place so that they are aware of their staff activities.
