Ettercap's ARP + DNS Spoofing

Source: Internet
Author: User
Tags: domain name server dns spoofing

1. Network attack topology and environment




2. Explanation of the principles

ARP Spoofing

Summary: ARP (Address Resolution Protocol) is a protocol for resolving IP addresses into physical addresses. There are two ways to map IP addresses to physical addresses: table-based and non-table-based. Specifically, ARP resolves a network-layer address (OSI layer 3) to a data-link-layer physical address (OSI layer 2). (Note: the physical address here does not necessarily refer to a MAC address.)

Principle: When Host A wants to send a message to Host B, it looks up B's IP address in its local ARP cache table to find the corresponding MAC address and then transmits the data. If no entry is found, A broadcasts an ARP request (carrying Host A's IP address IA and physical address PA), asking the host whose IP address is IB to reply with its physical address PB. All hosts on the network, including B, receive the ARP request, but only Host B recognizes its own IP address and sends an ARP reply back to Host A. The reply contains B's MAC address; when A receives it, A updates its local ARP cache and then uses that MAC address to send the data (the MAC address is attached by the network card). The local ARP cache is therefore the basis for traffic on the local network, and the cache is dynamic.

ARP spoofing is one of the attacks commonly used by hackers. There are two kinds of ARP spoofing: one spoofs the router's ARP table, the other is gateway spoofing aimed at intranet PCs.

Method: first, arpspoof flooding, which overflows the ARP table in order to deceive the victim;

ARP commands:

arp -a: view ARP cache information

arp -d: delete ARP cache information

arp -s: add a static ARP entry
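Because a spoofed cache ends up holding the same MAC address for the gateway and for another host, the output of arp -a can be checked for it directly. The following is an added example, not part of the original page; the addresses in the sample are constructed, and the parser accepts both the Linux and the Windows layout of arp -a.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -a` output (Linux layout); not from the page.
SAMPLE_ARP_A = """\
? (192.168.1.1) at 00:0c:29:aa:bb:cc [ether] on eth0
? (192.168.1.20) at 00:0c:29:11:22:33 [ether] on eth0
? (192.168.1.66) at 00:0c:29:aa:bb:cc [ether] on eth0
? (192.168.1.77) at <incomplete> on eth0
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")
IGNORED = {"ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"}  # broadcast / empty


def normalise(mac):
    """Lower-case, colon-separated form so Linux and Windows output compare."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` output (Linux or Windows layout)."""
    table = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:  # skips headers and <incomplete> entries
            table[ip.group(1)] = normalise(mac.group(1))
    return table


def shared_macs(table):
    """MACs claimed by more than one IP: the usual trace of ARP spoofing."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if mac not in IGNORED:
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(table, gateway_ip, known_mac):
    """True if the gateway entry differs from the MAC recorded earlier."""
    current = table.get(gateway_ip)
    return current is not None and current != normalise(known_mac)


if __name__ == "__main__":
    cache = parse_arp_table(SAMPLE_ARP_A)
    print(shared_macs(cache))
    print(gateway_changed(cache, "192.168.1.1", "00-0C-29-DE-AD-01"))
```

A static entry for the gateway, added with arp -s, keeps that mapping from being overwritten by forged replies.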

DNS Spoofing

Summary: DNS spoofing is a form of deception in which an attacker impersonates a domain name server.

Principle: If an attacker can impersonate a domain name server and answer the victim's domain name queries with the attacker's IP address, then a user browsing to that domain name reaches the attacker's page rather than the homepage of the site the user wanted. This is the basic principle of DNS spoofing. DNS spoofing does not actually "hack" the other party's website; it is impersonation, a bluff.
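When the impersonating host sits on the same LAN as the victim, the forged answers point external names at a LAN address, which can be checked in resolver logs. The following is an added example, not part of the original page; the names, addresses, subnet and internal suffixes are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed (queried name, A-record answer) pairs, e.g. taken from a
# resolver log; the names and addresses are illustrative, not from the page.
SAMPLE_ANSWERS = [
    ("www.example.com", "192.168.1.66"),
    ("mail.example.org", "192.168.1.66"),
    ("nas.home.lan", "192.168.1.20"),
    ("www.example.net", "203.0.113.10"),
]


def flag_lan_answers(answers, lan_cidr, internal_suffixes=(".lan", ".local")):
    """Group external names by the LAN address they were resolved to.

    Assumption: only names under internal_suffixes legitimately resolve to
    hosts inside lan_cidr; any other name answered with a LAN address is
    reported, keyed by that address.
    """
    lan = ipaddress.ip_network(lan_cidr)
    suffixes = tuple(s.lower() for s in internal_suffixes)
    flagged = defaultdict(list)
    for name, addr in answers:
        host = name.lower().rstrip(".")
        if host.endswith(suffixes):
            continue  # expected to live on the LAN
        if ipaddress.ip_address(addr) in lan:
            flagged[addr].append(host)
    return {addr: sorted(names) for addr, names in flagged.items()}


if __name__ == "__main__":
    hits = flag_lan_answers(SAMPLE_ANSWERS, "192.168.1.0/24")
    for addr, names in hits.items():
        print(f"{addr} answered for external names: {', '.join(names)}")
```

Several unrelated external names resolving to one LAN host is the pattern to investigate, together with that host's entry in the ARP cache.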

Hosts file:

Windows: C:\WINDOWS\SYSTEM32\DRIVERS\ETC (varies by system)


3. The Ettercap tool explained

Introduction: Ettercap was originally designed as a sniffer for switched networks, but as it developed it gained more and more functions and became an effective and flexible man-in-the-middle attack tool. It supports active and passive protocol dissection and includes many features for network and host analysis (such as OS fingerprinting).

Installation: There are many versions; you can download and install one yourself.

Operating modes:

IPBASED: IP-address-based sniffing (source IP and destination IP);

MACBASED: MAC-address-based sniffing (captures packets passing through the gateway; commonly used);

ARPBASED: using ARP spoofing, Ettercap listens to the communication between two hosts on a switched LAN (full duplex);

SMARTARP: in SMARTARP mode, Ettercap uses ARP spoofing to listen to the communication (full duplex) between one host on the switched network and all other known hosts (hosts present in the host table);

PUBLICARP: in PUBLICARP mode, Ettercap uses ARP spoofing to listen to the communication between one host and all other hosts on the switched network (half duplex). This mode sends the ARP replies as broadcasts, but if Ettercap already has the full host address table (or the hosts on the LAN were scanned at Ettercap startup), Ettercap automatically chooses the SMARTARP method, and the ARP replies are sent to all hosts other than the monitored host to avoid IP address conflicts on Win2K;

Parameter description:

-A or --arpsniff: ARP-based sniffing (required if you want to use the man-in-the-middle technique);

-S or --sniff: IP-based sniffing (for hub environments);

-M or --macsniff: MAC-based sniffing, suitable for listening to remote communication;

-T or --readpcapfile: offline sniffing; Ettercap reads network packets stored in a pcap-compatible file;

4. ARP Spoofing

Before the attack:

Victim machine at the start:

Attacking machine at the start:

Enable IP forwarding on the attacking machine: echo 1 > /proc/sys/net/ipv4/ip_forward

Start attacking

Start Ettercap for spoofing


In the top left corner, click Start

After the attack

Sniffed password

You can also imagine capturing other kinds of packets, such as SSH; this needs SSLstrip. You can have a look at my other blog post; here is also a recommendation: 91ri, "SSLstrip get ssh password"

5. DNS Spoofing

Ettercap's DNS file needs to be edited before spoofing


This is intended to allow the client to access the attacker's Web service when accessing

Start DNS spoofing

The preceding steps are the same as for ARP spoofing; you only need to add a plug-in before starting the spoofing;

Start spoofing

After the attack (note the IP)
