This is a guide on performing MITM attacks with Ettercap for insecure passwords only! This does not cover the use of sslstrip to sniff SSL encrypted passwords, although this will be covered in another guide. This is still very useful, however, when dealing with normal HTTP login pages. Have fun!
First, open up your Ettercap config file. It can be found at /etc/etter.conf. We’re going to need to make a very quick change in here, so scroll down to the part about iptables under the Linux section, and uncomment the two commented-out lines. After you’re done, it should read something like this:
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
Next, fire up the Ettercap GUI (it’s the easiest to work with) and click on the “Options” button, then select the Netmask option. You should be left with a window like this – only empty. Enter 255.255.255.0 as your netmask.
Next, click “Sniff” and then “unified sniffing”. Ettercap will ask you for your Network Interface. If you’re on an Ethernet connection, enter eth0. If you’re on a Wireless connection, it’s probably wlan0.
Then, you’re going to click the “Hosts” dropdown, then “scan for hosts”. This will scan your network for active machines.
Hit the “Hosts” button again, and click on “Hosts list”. The results from the scan we just did will be sitting in your window right now. One of these IP addresses will be your router (you should know which one it is). What we are going to do is perform a man-in-the-middle attack, so all the traffic is routed to our computer before it is sent along to the router.
Add the victim’s IP address to Target 1, and the router to Target 2. Then, click the “Mitm” button at the top, check the box which says “Sniff remote connections” and hit OK.
Now, you can press the Start button and begin sniffing for passwords! As soon as someone logs into a website using insecure HTTP, you will be notified. For example, I logged into Warez-bb and this is what happened;