Describe the ettercap tool, and show two of its denial of service capabilities.
- [Voiceover] Ettercap is a well-known tool which can sniff live connections, operate as a man-in-the-middle, filter content on the fly, and carry out a denial of service, to name just three of its functions. It supports active and passive protocol manipulation and includes many features for network and host analysis. The particular feature set we'll look at is its ability to create a denial of service. An Ettercap attack takes place from a host on the local network, either one that's attached itself maliciously or a host which has been compromised.
Ettercap is provided in Kali as a command line tool and also via a graphical interface, which is listed in the Sniffing and Spoofing set of applications. For the purposes of demonstrating Ettercap's denial of service capability, I'll use the command line. Let's open a terminal window. I'll enter ettercap -h to see the help information. One of the useful commands is ettercap -P with a list option, which lists all the plug-ins.
These are preset scripts which will carry out a specific function. We can see the plug-in modules, and in particular we can see various denial of service modules. The first is dos_attack, a denial of service attack which works by scanning the target to find open ports and then starts flooding them with SYN packets, using an unused IP address in the subnet as the source IP. Then it uses fake ARP replies to intercept packets to this unused IP address and complete the connection, flooding the target with active connections.
The fraggle attack can be used to send large amounts of UDP echo and chargen traffic to all hosts on the subnet using the target as the source address, and all replies then go back to the target. This is a standard UDP flood. The isolate attack will isolate a host from the network by poisoning the victim's ARP cache with its own MAC address. Ettercap provides a smurf attack plug-in which sends huge numbers of ICMP packets with the target as the source address to a set of hosts.
This causes all the hosts to reply to the ICMP request, causing significant traffic at the target. We'll learn a couple of these. First of all, let's run a DoS attack. In my Windows system, I have a browser open. Let's search for ABC. Okay, we have internet connectivity. I'll start the attack by entering ettercap -TQP dos_attack.
The T option specifies we're using the text only interface, and the Q option is to run super quietly. Okay, the attack started, and it will take a minute or so to build up traffic for the denial of service to take effect. Okay, now let's try refreshing the page. The browser is now having difficulty and service is being disrupted.
I'll quit this attack now. Let's now try another attack, the isolate attack, which will poison the target's ARP cache. This requires some activity from the target, as Ettercap identifies the ARP entries to poison by intercepting traffic to the related IP addresses and uses that to send poisoned ARP packets. I can start this attack by simply entering ettercap -TzqP isolate /10.0.2.10/. The z option suppresses the initial ARP scan of the subnet, as this is not required.
The q option suppresses display of the packets generated during the attack. So back in the Windows 7 system, we can see that the cache has been poisoned and connectivity has been lost. That's it for ARP poisoning, so let's clean up now. I can remove the poisoned cache by restarting or by opening a command window in administrator mode and entering arp -d.
Okay, we have internet connectivity back.
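The isolate attack described above works because the victim accepts ARP replies that rebind a neighbour's IP address to the attacker's MAC address. The following is an added, defender-side example (not part of the course or of Ettercap itself) showing how a host or sensor can spot that kind of poisoning by parsing raw Ethernet/ARP frames and alerting when an IP-to-MAC binding changes, or when a single MAC starts claiming several IP addresses. The frames are constructed in the script as sample data; nothing is sent on the wire, and the MAC and IP values are made up for the demonstration.

```python
"""Detect ARP-cache poisoning from a stream of Ethernet/ARP frames.

Added illustration for the transcript above: bindings are learned from ARP
replies, and an alert is raised when an IP address is suddenly claimed by a
different MAC, or when one MAC claims more IPs than a configurable limit.
All frames below are constructed sample data, not a real capture.
"""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2        # ARP opcode for a reply


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet II frame carrying an ARP reply (sample data only)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, opcode=reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip) or None for non-ARP frames."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP payload
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    target_ip = ".".join(str(b) for b in frame[38:42])
    return op, sender_mac, sender_ip, target_ip


class ArpWatcher:
    """Tracks which MAC last claimed each IP and flags suspicious rebindings."""

    def __init__(self, max_ips_per_mac=2):
        self.bindings = {}               # ip -> MAC that last claimed it
        self.claims = defaultdict(set)   # MAC -> set of IPs it has claimed
        self.max_ips_per_mac = max_ips_per_mac

    def observe(self, frame):
        """Feed one frame; return a list of alert strings (empty if nothing odd)."""
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        op, mac, ip, _target_ip = parsed
        if op != ARP_REPLY:   # requests are not used to learn bindings here
            return []
        alerts = []
        prev = self.bindings.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"binding change: {ip} was {prev}, now claimed by {mac}")
        self.bindings[ip] = mac
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > self.max_ips_per_mac:
            alerts.append(f"one MAC claims many IPs: {mac} -> {sorted(self.claims[mac])}")
        return alerts


def sample_frames():
    """Constructed traffic: two legitimate replies, then a poisoner rebinding both."""
    victim = ("aa:bb:cc:00:00:10", "10.0.2.10")
    gateway = ("aa:bb:cc:00:00:01", "10.0.2.1")
    peer = ("aa:bb:cc:00:00:05", "10.0.2.5")
    rogue = ("de:ad:be:ef:00:66", "10.0.2.66")
    ipv4_noise = bytes(12) + struct.pack("!H", 0x0800) + bytes(28)  # non-ARP, ignored
    return [
        build_arp_reply(gateway[0], gateway[1], victim[0], victim[1]),
        build_arp_reply(peer[0], peer[1], victim[0], victim[1]),
        ipv4_noise,
        build_arp_reply(rogue[0], rogue[1], victim[0], victim[1]),
        build_arp_reply(rogue[0], gateway[1], victim[0], victim[1]),  # poison gateway
        build_arp_reply(rogue[0], peer[1], victim[0], victim[1]),     # poison peer
    ]


def detect_poisoning(frames, max_ips_per_mac=2):
    """Run the watcher over a frame list and collect all alerts in order."""
    watcher = ArpWatcher(max_ips_per_mac)
    return [alert for frame in frames for alert in watcher.observe(frame)]


if __name__ == "__main__":
    for line in detect_poisoning(sample_frames()):
        print(line)
```

On a real host the same logic would be fed from a packet capture socket rather than the constructed list; the threshold on IPs-per-MAC should be tuned, since routers and virtualisation hosts legitimately answer for more than one address, whereas a workstation suddenly answering for the gateway is the signature of the isolate behaviour described above.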
Note: Our Ethical Hacking series will map to the 18 parts of the EC-Council's certification exam. This course maps to the 09 Denial of Service domain.
- What is denial of service?
- SYN flooding
- Smurf and URL flooding
- Deauthenticating a wireless host
- Flooding HTTP
- Using BlackEnergy
- Flooding SIP
- Detecting DoS with PeerShark
- Defeating DoS attacks