Ettercap Forum Index Ettercap
Ettercap development forum
How Port Stealing Works
Kev
Wannabe developer

Joined: 24 Jan 2004
Posts: 555
Location: Cheltenham, UK

Posted: 28 Jul 2004 10:21 am    Post subject: How Port Stealing Works

See http://ettercap.sf.net/devel/bh-us-03-ornaghi-valleri.pdf for the official slides.

At the network layer, hosts are identified by IP addresses. At the Data Link layer, however, hosts are identified by MAC addresses. All packets (in Ethernet) are delivered by MAC address (ARP and RARP convert between IP and MAC addresses).

To conserve bandwidth, switches direct traffic to a specific port based on the target MAC address (as opposed to hubs, which simply broadcast all packets to all ports). This allows multiple peer-to-peer conversations to occur at the same time, as each conversation only requires two ports (whereas in a hub each conversation occupies all ports!). Hence, bandwidth management; not security.

For a switch to know which port connects to which MAC addresses, the switch creates and manages a CAM table (a simple mapping between port and MAC address(es)). Without Port Security, this table is dynamic and changes over time (to allow hosts to appear, disappear and move between ports). The switch learns the CAM table mappings by monitoring the source and destination MAC addresses in packets that it directs.

Now look at the Port Stealing slide. Send layer 2 packets with "source address equal to victim host address" and "destination address equal to its own MAC address". Taking these in reverse order, the switch will direct the packet to the port mapped to the destination address, the attacker's "own MAC address"; i.e. the packet will return to the attacker's host (so no other hosts will notice the packet). At the same time, the switch will record the source address of the packet against the port it came from in the CAM table; i.e. the victim host (MAC) address against the attacker's port. If you looked in the CAM table, you'd now find the attacker's port mapped to both the attacker's MAC address and also the victim's MAC address.

The switch will now direct the next packet targeted at the victim's MAC address to the attacker's port (based on the CAM table entry) - the port is 'stolen'.

To relay the packet to the correct port (so that the conversations can continue uninterrupted), the attacker needs to get the CAM table back to the original state, i.e. with the victim's port mapped to the victim's MAC address. This is achieved by issuing a broadcast ARP request for the victim's IP address. Broadcast means the request will go to all ports (including the victim). When the victim responds, the switch will record the new CAM table mapping (back to where it was originally). The captured packet can now be resent by the attacker and correctly directed by the switch to the victim's port.

Now (and this is the scary bit) to get and relay the _next_ packet, the attacker needs to repeat the entire process. It looks like a lot of work and is why I raised queries about whether or not packets would be dropped. NaGA says 'not necessarily' which is fair enough.

Kev
_________________
_Please_ don't play on other people's networks; you wouldn't like it if they played on yours...
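To see the CAM-table behaviour Kev describes from the switch's side, and the trace it leaves, here is an added example (not code from this thread or from the ettercap project): a toy learning switch that learns source MACs per ingress port, forwards by destination MAC, and raises an alert when one MAC keeps changing ports within a short window (MAC flapping), which is exactly what the repeated steal/ARP-restore cycle produces. The frames, MAC addresses, window and threshold are all constructed for illustration.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Constructed MACs: VICTIM normally lives on port 1, HOST_B on 2, HOST_C on 3.
VICTIM, HOST_B, HOST_C = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"

class LearningSwitch:
    """Minimal CAM-table model with a MAC-flapping check (toy, not a real switch)."""

    def __init__(self, flap_window=5.0, flap_threshold=3):
        self.cam = {}                      # mac -> port (the CAM table)
        self.moves = defaultdict(deque)    # mac -> timestamps of port changes
        self.alerts = []                   # (timestamp, mac, old_port, new_port)
        self.flap_window = flap_window     # seconds, constructed value
        self.flap_threshold = flap_threshold

    def process(self, ts, port, src, dst):
        """Handle one frame; return the egress port, or 'flood' when unknown/broadcast."""
        prev = self.cam.get(src)
        if prev is not None and prev != port:
            # The MAC changed ports: record it and forget moves outside the window.
            hist = self.moves[src]
            hist.append(ts)
            while hist and ts - hist[0] > self.flap_window:
                hist.popleft()
            if len(hist) >= self.flap_threshold:
                self.alerts.append((ts, src, prev, port))
        self.cam[src] = port               # learning step: source MAC -> ingress port
        if dst == BROADCAST or dst not in self.cam:
            return "flood"
        return self.cam[dst]               # forwarding step: destination MAC -> port

# Constructed frames: (seconds, ingress_port, src_mac, dst_mac)
FRAMES = [
    (0.0, 1, VICTIM, BROADCAST),   # victim learned on port 1
    (0.1, 3, HOST_C, BROADCAST),   # port-3 host learned
    (0.2, 2, HOST_B, VICTIM),      # normal traffic to the victim -> port 1
    (1.0, 3, VICTIM, HOST_C),      # victim's MAC claimed from port 3 (port 'stolen')
    (1.2, 1, VICTIM, BROADCAST),   # victim answers an ARP request: mapping restored
    (2.0, 3, VICTIM, HOST_C),      # claimed from port 3 again
    (2.2, 1, VICTIM, BROADCAST),   # and restored again
    (4.0, 4, HOST_B, VICTIM),      # HOST_B re-plugged once: a single move, no alert
]

def run(frames, **kw):
    """Feed frames through a fresh switch; return (switch, forwarding decisions)."""
    sw = LearningSwitch(**kw)
    return sw, [sw.process(*f) for f in frames]
```

A single port change (HOST_B) is normal and stays silent; the victim's MAC moving three times inside the window is what gets flagged, so the check keys on rate, not on any one move.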
NaGA
Ettercap Developer
Joined: 21 Mar 2001
Posts: 1815
Location: Milan, Italy

Posted: 28 Jul 2004 11:05 am

Kev explained the key concepts excellently.

EttercapNG features PortStealing as a native mitm method (0.6.x had a plugin for it).
It can handle packet queues. When we are waiting for the arp-reply that states the port has been taken back by the victim, ettercap can queue the packets we are receiving for that host (different packet queues are used for all the hosts involved in the poisoning process) and send them all together.

Forwarded packets can have the original mac address or the attacker's one, depending on whether we are doing a full duplex stealing job or not.

Since time is critical in such a job, you should configure timeouts and sleeping time in etter.conf.

Packets not intercepted are easier than packet loss or retransmission.
You have to find a good compromise between these two factors.

P.S.
Kev, feel free to fix my terrible English grammar.