POST CATEGORY : Others

Why should an organization hire an Information Security professional?

Every business organization seeks safety and security of its internal information. It is essential to ensure that the data is protected from malicious attackers who easily breach into the network through use of unfair practices. Maintaining a secure information security policy and hiring the right bunch of qualified professionals is of prime importance to any organization who intend to prevent their internal servers and systems from being compromised. Such professionals ensure that the software installations are up-to-date and build in security layers which become difficult for cyber attackers to intrude into the network.

What is CISSP?

The full form of CISSP is Certified Information Systems Security Professional. This certification is conferred by the International Information Systems Security Certification Consortium (ISC)², which is a global non-profit organization specializing in IT security. (ISC)² is rendered as one of the world’s largest Information Security organization which offers a variety of security certifications like CISSP, CSSLP, and CAP.

As an Information Security aspirant, there are multiple benefits of obtaining a CISSP certification which you simply cannot ignore. Let’s discuss some of the topmost reasons to earn such a certification and discover how a CISSP is integral for any business organization and act as a key component in the selection procedure for managerial-level information security positions.

  • Global Recognition

Obtaining a CISSP certification is a good move for a flourishing IT career. Reason being, CISSP provides industry-wide recognition  and considered as the “Best Professional Certification Program” by SC Magazine. This certification is highly endorsed and recognized by well-known global MNCs like Google, IBM etc. It is ascertained that there is a projected requirement of about 56% of cyber experts in the current job market.

  • (ISC)² Membership

You are eligible to earn an (ISC)² membership once you complete the CISSP certification. This membership offers a wide array of resources and advantages which help you to improve your knowledge area and network. You just need to invest on some maintenance fees annually to retain the membership. As a member, you also stand a chance to earn discounts on industry seminars and conferences and have free access to certain online events. Your credentials are available online through digital badges. The scope of benefits of a member are immense and opens a world of possibilities for you to stay connected with the latest findings and resources.

  • Job Competency

The core content of CISSP provides a wide range of understanding of the security field to the information security professionals and creates an awareness of the latest security threats. This certification encompasses knowledge transfer of control devices and the network architecture to maintain the integrity and confidentiality of public and private networks. The course content is designed in such a way that it involves the application of security concepts and the best practices for software development, enterprise computing solutions in the production and operation environment.

  • Increased Earning Potential

Getting a CISSP certification under your belt not only assures you of advanced knowledge and skill-sets but also command higher remuneration. In 2017, there were around 1 million job openings in cybersecurity which is likely to go beyond 1.5 million by 2019. Organizations are continuously competing to hire the best security talent in the market and are ready to pay handsome salaries to the prospective candidates. On an average, a CISSP earns 25% more than the non-certified counterparts.

  • High Demand for Security Experts

On a global scale, companies are investing more on hiring CISSP certified experts. With the ever-increasing intensity of hacker activities across the world, organizations are struggling to keep at bay such security breaches which hamper their internal security fabric. For this reason, employers are recruiting certified cybersecurity experts to prevent such network intrusion by building stronger security layers thereby protecting their internal servers and systems from malicious attacks.

Takeaway

Considering all these factors that has been discussed in this article, we can safely connote that obtaining a CISSP certification can certainly propel your IT career to a great extent. CISSP is thus, a very well-performing certification and once you are through the certification, it provides you a rewarding, lucrative and satisfying career path in the long run.

Author Bio: I am Maria Thomas, Content Marketing Manager and Product Specialist at GreyCampus with eight years rich experience on professional certification courses like PMI- Project Management Professional, PMI-ACP, Prince2, ITIL (Information Technology Infrastructure Library), Big Data, Cloud and Six Sigma.

Why you should know about SSL certificates: CertDB.com Case

It’s generally believed that an SSL certificate is just a minor collection of the data files that digitally bond the cryptographic key to the businesses’ details. Everyone supposedly knows that without the SSL certificate, all of the proper secure data on the website could get intercepted and used for blackmailing, identity theft, etc. Likewise, the certificate is important as a mean of forming the trust in the website and the commercial customer attraction. All of the listed benefits could be exploited by using the service, called CertDB, or by figuring out each one of them manually. Thanks to the user friendly interface of the service, however, I think it’s a worthwhile option for those only starting to wonder if the SSL certificates have the ability to change the nature of things around us.

The CertDB is an SSL certificate search engine that could be used for the various purposes. First of all, it allows the companies who specialize in the security breaches to find the problematic certificates with the aim of weakening the possibility of the hacker attacks. The service also functions as a useful tool during the penetration tests. Not to forget to mention that with the help of the certificate analysis one may discover the subdomains and domains of the particular focus that could turn to be vulnerable. Such an information may be used not only for the security but also in a profitable way. A commercial SSL-selling company, for example, could boost its own sales by warning those suffering from the “holes” in the system. Although, there is clearly no need to think of CertDB as os some advanced mechanism that is of no use to the non-experts on the internet. On the opposite, the service could turn to be truly practical, regardless of the fact that the creators position their service primarily for the research.

Have you ever wondered how come a simple internet user may figure out the plans of the entire company? Despite the various establishments’ enormous efforts to remain free of private info breaches and the strict non-disclosure deals, which could keep secrets for as long as desired, things could get leaked pretty easily. By exploiting the direct searching software of CertDB, one can surely find the newly-released SSL certificates that could be used for gathering the info, such as the company’s used domains, subdomains, and IP addresses. Thus, such a data could help the owner to interpret it in the variety of ways. For instance, the company may have just registered the domain indicating the upcoming start of the initial coin offerings (ico.xxx.com). This small piece of evidence may be actually crucial as it can be used for the competitive analysis and other business analytics among others. Sometimes, the company of the focus may issue the certificate in an organization with the domains of the other companies, which could mean the collaboration or the purchase of one company by another. Clearly, such a data could potentially benefit the owner as it can generate profits as an insight info or even lead to the start of the investigation (if there are hints of the unfair business practices). I, personally, find this to be truly appealing as CertDB has the promising power to shape the entire industries with its innovative and useful searching engine.

CertDB is clearly an unparalleled project, and there is an obvious need to mention the people working behind the doors of it. The SSL certificate search engine is only possible due to the SPYSE team of highly-skilled security specialists and IT experts of the area that constantly work on the IT projects all across the globe. Besides, it’s fair to claim that the innovation is continuous, which is something that personally fascinates me. As I was writing this article, the SPYSE team has just released the subdomain searching tool (findsubdomains.com) that looks promising to me after doing the first-hand analysis. I will attempt to fully review the newly-released service in the short time, although there is one outstanding thing that I should already mention, being the free using cost of the service. It seems to me that the entire SPYSE team is functioning with the waves of enthusiasm in mind. Besides, there is a manifest sign of professionalism as can be seen by the capabilities of the CertDB website.

More should be said about the project’s mission and why it has come to exist with the effort of the SPYSE team mentioned above. The inventors of CertDB hold a belief that the internet is developing at an incredibly rapid speed, which only furthers the issues of data security and privacy concerns that could potentially happen in any web project of the focus. To this end and with the purpose of disclosing the hidden info to the public, CertDB keeps functioning for the needs of the average users who want to know more about the various companies and conglomerates. The fact that CertDB, an internet-wide SSL search engine, exists allows to both browse the “outdated” data as well as to obtain the newly-published one. Frankly, such things could change the way I look on the use of data, which is something I don’t say that much often.

Every time I want to stick my nose where it does not belong, I do realize that CertDB is the best option for me to use in such a situation. It’s free of charge, has the most accurate database of the SSL certificates and is easy to use for those inexperienced with the web surfing processes. Personally, I would continue to use CertDB and exploit all of the service’s benefits. Although, I hope that you have been able to reconsider your position on the importance of the SSL certificates.

DOS Attack Penetration Testing (Part 1)

Hello friends! Today we are going to describe DOS/DDos attack, here we will cover What is dos attack; How one can lunch Dos attack on any targeted network and What will its outcome and How victim can predict for Dos attack for his network.

Requirement

Attacker machine: kali Linux

Victim machine: Ubuntu

Optional: Wireshark (we have added it in our tutorial so that we can clearly confirm all incoming and outgoing packet of network)

What is DOS/DDOS Attack

Form Wikipedia

denial-of-service attack (DoS attack) is a cyber-attack where the attacker looks for to make a machine or network resource unavailable to its deliberated users by temporarily or indefinitely services of disturbing a host connected to the Internet. Denial of service is usually accomplished by flooding the targeted machine or resource with excessive requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. A DoS or DDoS attack is analogous to a group of people crowding the entry door or gate to a shop or business, and not letting legitimate parties enter into the shop or business, disrupting normal operations.

Basically attacker machine either himself sends infinite request packets on target machine without waiting for reply packet form target network, or uses bots (host machines) to send request packet on target machine. Let study more above it using given below image, here you can observe 3 Phases where Attacker machine is placed at the Top while Middle part holds Host machine which is control by attacker machine and at Bottom you can see Target machine.

From given below image you can observe that the attacker machine want to send ICMP echo request packet on target machine with help of bots so this will increase the number of attacker and number of request packet on target network and cause traffic Flood. Now at that time the targeted network get overloaded and hence lead some service down then prevent some or all legitimate requests from being fulfilled.

DOS/DDOS Categories

  • Volume Based Attack: The attack’s objective is to flood the bandwidth of the target networks by sending ICMP or UDP or TCP traffic in per bits per second.
  • Protocol Based Attack: This kind of attack focus actual target server resources by sending packets such TCP SYN flood, Ping of death or Fragmented packets attack per second to demolish the target and make it unresponsive to other legitimate requests.
  • Application Layer Attack: Rather than attempt to demolish the whole server, an attacker will focus their attack on running applications by sending request per second for example attacking on WordPress, Joomla web server by infinite request on apache to make it unresponsive to other legitimate requests.

 

How to Perform DOS Attack?

If you are aware of OSI 7 layers model then you may know that whenever we send request packet to server for accessing any particular service for example browsing Google.com then this process execute by passing through 7 layers of OSI model and at last we are able to access Google.com on browser.

Now suppose port 80 is open in target’s network (192.168.1.107) for accessing its HTTP services so that you can open their website through your browser and get the information available in those web pages. So basically attacker plan to slow down HTTP service for other user who wants to interact with target machine through port 80 as result server will not able to reply the other legitimate requests and this will consider as Protocol Dos attack.

Attacker can use any tool for DOS attack but we are using Hping3 for attacking to generate traffic flood for target’s network to slow down its HTTP service for other users.

Above command will send endless request packet per second on port 80 of target’s network.

What will Effect of Dos Attack?

As we had described that any kind of Dos attack will affect the server services to their users and clients in establishing connection with it. Here also when we had sent infinite request packet on port 80 of target’s network then it should make HTTP service unable for legitimate users.

So now if I will explore target IP on your browser for accessing their web site as a legitimate users then you can observe that the browser is unable to connect with server for HTTP services as shown in given below image.

How to Predict DOS Attack in Our Network?

Configure IDS in your network which will monitor the incoming network traffic on your network and generates the alert for suspicious traffic to system administrators. We had install Snort on system (ubuntu: 192.168.1.107) as NIDS (Network Intrusion Detection System) kindly read our previous both articles related to Snort Installation (Manually or using apt-respiratory)and its rule configuration to enable it as IDS for your network.

TCP SYN Flood

Execute given below command in ubuntu’s terminal to open snort local rule file in text editor.

sudo gedit /etc/snort/rules/local.rules

Above rule will monitor incoming TCP-SYN packets on 192.168.1.107 by generating alert for it as “SYN Flood Dos”. Now turn on IDS mode of snort by executing given below command in terminal:

Now test the above rule by sending infinite SYN packet using attacker’s machine. Open the terminal and enter msfconsole for metasploit framework and execute given below command to run the syn flood exploit.

This exploit will send countless syn packets on target’s network to demolish its services.

We have set shost for attacker’s IP only for tutorial else it was optional or you can address any random IP of your network, now can see SYN flood has been lunched on port 80 by default it is consider as Protocol Based Dos Attack as described above.

As I had declaimed above why we are involving wireshark in this tutorial so that you can clearly see the packet sends from attacker network to targets network. Hence in given below image you can notice endless SYN packet has sent on target’s network on port 80.

Come back to over your target machine where you will notice that snort is exactly in same way capturing all in coming traffic here your will observe that it is generating alerts for “SYN Flood Dos”.  Hence you can block attacker’s IP (192.168.1.105) to protect your network from discard all further coming packets toward your network.

UDP Flood 

Now again open local rule files for generating alert for UDP flood Dos attack and enter given below rule and save the file.

Above rule will monitor incoming UDP packets on 192.168.1.107 by generating alert for it as “UDP Flood Dos”. Now turn on IDS mode of snort by executing given below command in terminal:

We are using Hping3 for attacking to generate traffic flood for target’s network to slow down its UDP service for other users it is consider as Volume Based Dos Attack as described above.

Above command will send endless bits packet per second on port 80 of target’s network.

From given below image you can observe wireshark has captured UDP packets from 192.168.1.105 to 192.168.1.107

Come back to over your target machine where snort is capturing all in coming traffic here your will observe that it is generating alert for UDP Flood Dos attack. Hence you can block attacker’s IP to protect your network from further scanning.

SYN FIN Flood

By default snort capture SYN FIN Flood packets turn on IDS mode using given below command.

Again we are using Hping3 for attacking to generate traffic flood for target’s network to slow down network services for other users.

Above command will send endless bits packet per second on port 80 of target’s network.

Hence in given below image you can notice endless SYN-FIN packet has sent from 192.168.1.105 to 192.168.1.107 on port 80.

Come back to over your target machine where you will notice that snort is exactly in same way capturing all in coming traffic here your will observe that it is generating alerts for “SYN-FIN Flood Dos”.  Hence you can block attacker’s IP (192.168.1.105) to protect your network from discard all further coming packets toward your network.

PUSH ACK Flood

Now again open local rule files for generating alert for some combination of flags such as PSH-ACK packets and enter given below rule and save the file.

Above rule will monitor incoming TCP-PSH/ACK packets on 192.168.1.107 by generating alert for it as “PUSH-ACK Flood Dos”. Now turn on IDS mode of snort by executing given below command in terminal:

Again we are using Hping3 for attacking to generate traffic flood for target’s network to slow down network services for other users.

Above command will send endless bits packet per second on port 80 of target’s network.

Hence in given below image you can notice endless PSH-ACK packet has sent from 192.168.1.105 to 192.168.1.107 on port 80.

Come back to over your target machine where you will notice that snort is exactly in same way capturing all in coming traffic here your will observe that it is generating alerts for “PUSH-ACK Flood Dos”.  Hence you can block attacker’s IP (192.168.1.105) to protect your network from discard all further coming packets toward your network.

Reset Flood

Now again open local rule files for generating alert for Reset flag packets and enter given below rule and save the file.

Above rule will monitor incoming TCP-RST packets on 192.168.1.107 by generating alert for it as “Reset  Dos”. Now turn on IDS mode of snort by executing given below command in terminal:

Again we are using Hping3 for attacking to generate traffic flood for target’s network to slow down network services for other users.

Above command will send endless bits packet per second on port 80 of target’s network.

Hence in given below image you can notice endless RST (Reset) packet has sent from 192.168.1.105 to 192.168.1.107 on port 80.

Come back to over your target machine where you will notice that snort is exactly in same way capturing all in coming traffic here your will observe that it is generating alerts for “Reset Dos”.  Hence you can block attacker’s IP (192.168.1.105) to protect your network from discard all further coming packets toward your network.

FIN Flood

Now again open local rule files for generating alert for Fin flag packets and enter given below rule and save the file.

Above rule will monitor incoming TCP-RST packets on 192.168.1.107 by generating alert for it as “FIN Dos”. Now turn on IDS mode of snort by executing given below command in terminal:

Again we are using Hping3 for attacking to generate traffic flood for target’s network to slow down network services for other users.

Above command will send endless bits packet per second on port 80 of target’s network.

Hence in given below image you can notice endless FIN (Finished) packet has sent from 192.168.1.105 to 192.168.1.107 on port 80.

Come back to over your target machine where you will notice that snort is exactly in same way capturing all in coming traffic here your will observe that it is generating alerts for “FIN Dos”.  Hence you can block attacker’s IP (192.168.1.105) to protect your network from discard all further coming packets toward your network.

Smurf Attack

Smurf attack is DDOS attack in which large numbers of Internet Control Message Protocol packets are used to generate a fake Echo request (icmp type : 8) containing a spoofed source IP which is actually the target network address. This request packet is then is transmitted to all of the network hosts on the network and then each host sends an ICMP response to the spoofed source address (target IP).  The target’s computer will be flooded with traffic; this can slow down the target’s computer and make it unable for other users.

Now again open local rule files for generating alert for ICMP packets and enter given below rule and save the file.

Above rule will monitor ICMP packets on 192.168.1.103 by generating alert for it as “Smurf Dos Attack”. Now turn on IDS mode of snort by executing given below command in terminal:

 

Again we are using Hping3 for attacking to generate traffic ICMP flood for target’s network to slow down network services for other users.

Above command will generate fake ICMP echo request packet containing a spoofed source IP: 192.168.1.103 which is basically our victim’s network and this request packet is then is transmitted to host’s network on 192.168.1.255 and then this host sends an ICMP response to the spoofed source address which our victim’s machine in IDS mode.

From given below image you can observe it is showing source machine 192.168.1.103 sending  icmp echo request packet to 192.168.1.255 but as we know in actually attacker is main culprit behind this senario.

Come back to over your target machine where you will notice that snort is capturing all the traffic flowing from 192.168.1.103 to 192.168.1.255 and generating alerts for “Smurf Dos Attack” which means is our machine (victim’s machine) is pinging other host machine of that network. Therefore the network administrator should be attentive with this kind of traffic and must check the system activity and legitimate ICMP request of packet of his network.

Author: Rahul Virmani is a Certified Ethical Hacker and the researcher in the field of network Penetration Testing (CYBER SECURITY).    Contact Here

Comprehensive Guide on Sniffing

ARP Protocol

The Address Resolution Protocol (ARP) is a communication protocol. It is used for discovering the link layer address associated with a given Internet layer address, a critical function in the Internet protocol suite. ARP was defined by RFC 826 in 1982, and is Internet Standard STD 37. ARP is also the name of the program for manipulating these addresses in most operating systems.

ARP is used for mapping a network address (e.g. an IPv4 address) to a physical address like an MAC address. For more details visit here.

Requirement:

  1. Kali Linux Machine
  2. Windows Machine
  3. Local Area Network
  4. EtterCap tool
  5. VM running Metasploitable
  6. Wireshark (Protocol Analyzer)
  7. XArp tool
  8. FTP Client
  9. Putty Client

ARP Protocol Process

Address Resolution Protocol is in many ways similar to a domain name service (DNS). As DNS resolves known domain names to an unknown IP address, similarly an ARP resolves known IP addresses to unknown MAC addresses. As shown below in given image

If we observe by the above image; IP address 192.168.1.102, wants to communicate to IP address 192.168.101, but does not know its physical (MAC) address. An ARP request is broadcasted to all systems within that network, including IP X.X.X.100, X.X.X.101, and X.X.X.103. When IP address X.X.X.101 receives the message, it replies back via uni-cast with an ARP reply. This response contains the physical (MAC) address of BB-BB-BB-BB-BB-BB as shown above, this ARP reply information is then placed in the ARP cache and held there for a short duration, to reduce the amount of ARP traffic on the network, The ARP cache stores the IP, MAC, and a timer for each entry. The timer’s duration many vary depending upon the Operating system in use, i.e., Windows operating system may store the ARP cache information for 2 minutes compare to a Linux machine which may retain it for 15 minutes or so.

Let us now begin with exploiting the ARP protocol to our advantage!!!

Scenario: Let us take the below scenario, where we will use 2 windows host machines Representing Host A and Host B as Victim and Kali Linux Host C used to target the victim’s. In following image you can see attacker has lunch arp poisoning attack which has poisoned the arp table by adding attacker Mac address with both Host’s IP: A & B.

Let’s Begin the ARP Poisoning Attack

The First step is to clear the ARP Cache of both the host by typing following command in command prompt arp -d for Host A, then Ping the Host A for reply, now type command arp -a, this will show you the physical (MAC) address of the Host A Machine .

Similarly let us do the same activity on the other systems which is Host B

Start Sniffing with Ettercap

Let us now start to exploit both Host A and Host B, from Host C machine, which is our Kali Linux, start sniffing with Ettercap tool as shown in the below image on Kali.

Go to Sniff and select Unified sniffing

Select the Network interface as appropriate, in this case it is eth0, click on OK

Now go to the Hosts Tab and Select Scan for Hosts as shown below to scan the connected system in a local network.

You will get the host list of all the scan hosts as shown below, let us now select our Targets from the host list X.X.X.101 and X.X.X.102, now add both the targets one by one by clicking on the tab Add to Target 1 and 2 respectively, from the given image we can see that both the targets are now added to our list.

Now go to MitM (Man in the middle) and select ARP Poisoning. A Dialog box will appear for optional parameters.

Check the box “Sniff remote connection” and click OK

Go to start tab and click on start sniffing to target the Host A and B added.

Now let us go to our Kali machine and open the terminal, let us now type command ifconfig to determine our IP address and physical (MAC) address, in our case it is 00:0c:29:5b:8e:18 as highlighted in given image

Since we have started the arp poisoning attack on both the victim machine X.X.X.101 and 102 from our Kali machine, if we go to any host and type arp -a on the command prompt, you will clearly see that the physical (MAC) address of the victim machine has changed to the physical (MAC) address of the Kali machine, as shown above, Physical (MAC) address of both the IP X.X.X.102 and X.X.X.107 are same, which means that all the traffic from host X.X.X.102 is passing through Kali machine X.X.X.107

Demonstrate MITM with Wireshark

Let us now Open Wireshark on our Kali machine and analyze the packets, let us filter the packets by typing the following command  icmp && (eth.sec = = 00:0c:29:5b:8e:18 || eth.dst == 00:0c:29:5b:8e:18), here in the command eth.sec means (Ethernet source) and eth.dst means (Ethernet destination), the MAC address are common in both source and destination which is the physical MAC address of our Kali machine, what we see is the source IP X.X.X.102 and destination X.X.X.101 are getting captured by the Kali machine which has a Physical (MAC) address 00:0c:29:5b:8e:18, hence proving  successful sniffing of the victim machine.

Combining DNS Spoofing with sniffing

Let us now exploit both of our victim machines with DNS Spoofing attack

From your Kali machine go to the path: /root/etc/ettercap/etter.dns, open the file and remove any content if available, after then type the value * A (your Kali Linux IP address) as shown below and save the file.

Next step is to go to the ettercap tool and select plugins and click on manage the plugins as shown below:

Now select dns_spoof plug-in, once selected you will see (*) sign on the said plug-in.

Now if from the victim machine we type the command ping www.google.com, you will observe that the reply is getting received from IP X.X.X.107 which is the IP for our Kali machine, which means that the Kali machine has become the DNS server for the victim machine.

Let us now add one more plug-in the same way we added dns_spoofing plug-in, this time we will use remote browser plug-in as shown in the image below. Once this plug-in get added, you can capture all the browser activity performed by the victim on his browser including user name and passwords.

Capturing NTLM passwords

Open Kali terminal and type msfconsole, once the console starts type: search http_ntlm, now type: use auxiliary/server/capture/http_ntlm as shown in the below image:

This module attempts to quietly catch NTLM/LM Challenge hashes.

Now according to above trap set for victim this module will capture NTLM password of victim’s system when he will open any http web site on his browser which will redirect that web site on attacker’s IP.

From given below image you can notice victim is trying to browse “IMDb.com” on his web browser but it requires authentication which is requesting for his username and password. Now if he try to open something else let says google.com there also it will ask username and password for authentication, until the victim will not submit his username and password he cannot browse anything on his web browser.

As the victim enter username and password, attacker at background will capture NTLM hash on his system.

Great!! The attacker had captured NTMLv2 hash; now let count detail apart from hash value that the attacker has captured.

From given image you can see that attacker has captured two things more:

  • Username: raj
  • Machine name: WIN-1GKSSJ7D2AE

Now use john the ripper to crack the ntlmv2 hash by executing given below command

john _netntlmv2

From given below image you can confirm, we have successfully decoded the captured hashes with user name as raj and password as 123.

Combining DHCP Spoofing with sniffing

DHCP spoofing: A fake DHCP server is setup by attacker in a local network, which broadcast a large number Request message of false IP configuration to genuine Client.

Go to ettercap and click on MitM, select DHCP spoofing

Form the below image, provide the necessary information

  • IP Pool – 168.0.200-210 (put and IP range to issue IP to the system connected to the network, this will work as DHCP server)
  • Net-mask 255.255.0 (as per the IP Class)
  • DNS Server IP 168.0.1 (as per the IP Class)

Click OK and Start sniffing

Here I have turn on the “metasploitable server” given below image shows the IP 192.168.0.202 which is from the pool of IP range we provided on ettercap DHCP.

Let us now go to the client machine and try to connect the metasploitable server with FTP (File Transfer Protocol) client as shown in the below image

Provide the host name (IP), user name and password to connect to the FTP server.

From the given below image we can see that, the information such as username and password for FTP is getting captured by ettercap provided by the host machine, in our case it is User:msfadmin, PASS:msfadmin

From given below image you can perceive that now we are trying to connect with metasploitable server (192.168.0.202) through telnet via port23 using putty. it will prompt you for the user name and password, provide the necessary information .

From the above image we can clearly see that ettercap has captured the credential information been provide by the user in our case it is User:msfadmin Pass: msfadmin for telnet service.

HTTP Password Sniffing

Let us now do the same through HTTP (Hypertext Transfer Protocol)

From the below image, we can see dvwa service is running in our metasploitable server, through the client browser let us type 192.168.0.202/dvwa/login.php, it will prompt for username and password, lets provide the credentials.

We could see from the below image, ettercap has once again captured the username and password been provide by the user from browser, in our case it is username: admin and PASS: password for HTTP service.

SMTP Password Sniffing

Lastly let us now try this with SMTP (Simple Mail Transport Protocol) Sniffing.

First step is to configure SMTP Server in your environment please click Here as to how we can configure SMTP server in windows machine.

Once the Server is configured, and we have setup email clients on the target machines,

Let us open Ettercap and add both our Targets X.X.X.102 and X.X.X.104 and select ARP poisoning

Now let us send an email from Target A to Target B as shown below

Here target A: [email protected] is sender who is sending message to target B: [email protected]  and hence port 25 for SMTP service will get in action.

Given below image has confirm that Aarti has received raj’s mail successfully, while at background attacker is sniffing all the traffic passes through router.

If we now go to Ettercap console, we can clearly see that it has successfully sniffed the traffic between Target A and Target B and captured the credential of Target A (Raj) as shown in above image.

Capture Email of SMTP server with Wireshark

Go to wire shark are put the filter smtp && (eth.src == 00:0c:29:4a:47:75 || eth.dst == 00:0c:29:4a:47:75) the MAC address filter is for our kali machine, you will observe it has captured packets from both our target Machines.

It has sniff every all SMTP packets , captured the both email IDs i.e. sender and receiver  with message been sent to Target B which is Hello Friends today we are performing smtp sniffing , which shows that we have been successful on our attack on the selected targets, as shown in image below.

Throughout this article, we discussed around ways and techniques that can be used to exploit the Arp protocol successfully, let us now discuss briefly around the technique to be used to detect the arp attack.  

ARP Attack Detection                

There are various tools available to detect the arp attack, one of the most common tools is XArp tool, which we will be using for this article.

We can run this tool in any host machine in the network to detect the arp attack, above image shows the affected systems on the network highlighted in red (X), we can disconnect these host from the network and decide upon next course of action to mitigate these risk by implementing the following controls:

  1. Dynamic address inspection
  2. DHCP snooping
  3. VLAN hopping prevention

Author: Krishnan Sharma is a technology professional having passion for information security and related fields, he loves technical writing and is part of our hacking article team, he may be contacted Here