One of the active eavesdropping attacks used today against individuals and organisations is MAN-IN-THE-MIDDLE, often known as the MITM attack. It basically exploits ARP (Address Resolution Protocol). This attack is categorized as a Layer 2 attack, i.e. it works on layer 2 (MAC sublayer) of the TCP/IP model, as most of you will know.
MITM attacks include: ARP poisoning, DNS spoofing, HTTP session hijacking
ARP
This protocol is made to translate between layer-2 (MAC) and layer-3 (IP) addresses. ARP is based on two packets, ARP_REQUEST and ARP_RESPONSE.
The aim of these two packets is to locate the hardware address associated with a given IP address.
An ARP_REQUEST in effect says: my IP is AA.AA.AA.AA and my MAC address is AA:AA:AA:AA:AA:AA; I want to send some data to the destination whose IP is BB.BB.BB.BB, but I don't know its hardware address, please tell me (depicted in the picture given). Similarly, an ARP_RESPONSE packet is generated answering the question asked. Once this exchange is over, the transmitting device updates its ARP_CACHE_TABLE, and then the communication starts.
ARP POISONING
ARP is an insecure protocol: devices using ARP can accept an update at any time. This means that any host in the network can send an ARP_REPLY and force another host to update its ARP_CACHE with a new, poisoned value.
This feature of ARP can be used maliciously so that a user thinks it is communicating with the intended host when in fact it is communicating with the attacker.
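To make the request/reply exchange above and the poisoning symptoms concrete from the defender's side, here is an added example (not part of this post, and not ettercap's code): a small Python ARP frame parser plus a passive monitor that keeps the IP-to-MAC table a host would build and flags the three signs of poisoning: a reply nobody asked for, a binding that silently changes, and one MAC answering for several IPs. The frame builder exists only to construct the sample traffic inline; the hosts, MAC addresses and 192.168.1.x addresses are made up for the demo.

```python
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II frame carrying one IPv4-over-Ethernet ARP packet.
    Used here only to construct sample traffic for the demo below."""
    # A request is broadcast; a reply is unicast to the target's MAC.
    dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a raw frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {
        "op": op,
        "sender_mac": ":".join(f"{b:02x}" for b in body[0:6]),
        "sender_ip": ".".join(str(b) for b in body[6:10]),
        "target_mac": ":".join(f"{b:02x}" for b in body[10:16]),
        "target_ip": ".".join(str(b) for b in body[16:20]),
    }


class ArpMonitor:
    """Passive observer: keeps the IP->MAC table a host would learn and
    raises alerts on the symptoms of ARP cache poisoning."""

    def __init__(self):
        self.cache = {}        # ip -> mac, as learned from the wire
        self.pending = set()   # ips for which a request has been seen
        self.alerts = []

    def process(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return []
        new_alerts = []
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        if pkt["op"] == ARP_REQUEST:
            self.pending.add(pkt["target_ip"])
        elif pkt["op"] == ARP_REPLY:
            # A reply nobody asked for is the hallmark of a poisoning tool.
            if ip in self.pending:
                self.pending.discard(ip)
            else:
                new_alerts.append(f"unsolicited reply: {ip} claims to be at {mac}")
        # A binding that changes without a new request means it is being overridden.
        if ip in self.cache and self.cache[ip] != mac:
            new_alerts.append(f"binding changed: {ip} was {self.cache[ip]}, now {mac}")
        # One MAC answering for several IPs is the two-sided poisoning pattern
        # (the same station impersonates both the victim and the gateway).
        claimed = {i for i, m in self.cache.items() if m == mac and i != ip}
        if claimed:
            new_alerts.append(f"{mac} claims multiple IPs: {sorted(claimed | {ip})}")
        self.cache[ip] = mac
        self.alerts.extend(new_alerts)
        return new_alerts


def demo():
    """Replay constructed sample traffic and return the alert list."""
    victim, gateway, attacker = "aa:aa:aa:aa:aa:aa", "11:11:11:11:11:11", "cc:cc:cc:cc:cc:cc"
    frames = [
        # 1. victim asks who has the gateway IP (normal)
        build_arp_frame(ARP_REQUEST, victim, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
        # 2. gateway answers (normal)
        build_arp_frame(ARP_REPLY, gateway, "192.168.1.1", victim, "192.168.1.10"),
        # 3. unsolicited reply telling the victim that the gateway IP is at another MAC
        build_arp_frame(ARP_REPLY, attacker, "192.168.1.1", victim, "192.168.1.10"),
        # 4. unsolicited reply telling the gateway that the victim IP is at that same MAC
        build_arp_frame(ARP_REPLY, attacker, "192.168.1.10", gateway, "192.168.1.1"),
    ]
    mon = ArpMonitor()
    for frame in frames:
        mon.process(frame)
    return mon.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

demo() replays four constructed frames: the first two are the normal request/reply exchange described above, the last two are the unsolicited replies sent to both sides of a connection, and together they produce five alerts. On a real network, feed the monitor raw frames from a packet capture instead, and allow-list hosts that legitimately hold several addresses (a router, for instance), otherwise the "multiple IPs" rule will fire on them. arpwatch is a ready-made tool built on the same idea.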
Now I'm going to show you a demonstration of ARP_POISONING. To recreate the demonstration you need
1) a Unix OS
2) the ettercap utility
There are many plugins provided by ettercap, which you can find using
$man ettercap
Use the command given below to start ARP poisoning and listening to private data; before that, be sure you are in superuser mode.
#ettercap -T -q -M arp:remote -i eth0 -P repoison_arp // //
The above command will scan all the hosts in your subnet and poison their
arp_cache.
-T -- this option runs ettercap in text mode
-q -- this option shows only useful information, not the entire packet
-M -- this option starts the MITM attack
-i -- this option selects the network interface on which the MITM will work;
it can be eth0 or wlan0 or whatever interface you are interested in
-P -- this option uses a plugin provided by the utility
// // -- this selects the target range within the subnet; the default is the whole
subnet
After executing this command you'll get the private data of users within the subnet.
The above tutorial was intended entirely for the purpose of understanding. Please don't use it for malicious purposes.
That's all for now.
For more info go to:
http://securityresearch.in/
The next post will be about
DNS_SPOOFING; till then, tadaa..