https://sicurezza.net/tool/come-eseguire-un-attacco-man-in-the-middle-attraverso-larp-poisoning ARP Poisoning, also known as ARP Spoofing, is a technique by which an attacker sends fake ARP (Address Resolution Protocol) messages over a local network. The spoofing ARP can allow an attacker to sniff data frames on a network, change or stop the flow of traffic. Basically the purpose of ARP Poisoning is to exploit the lack of authentication in the ARP protocol by sending counterfeit ARP messages over the network. Furthermore, ARP Poisoning attacks can be performed very easily by a compromised machine connected to the network or directly by the attacker's machine if it was able to connect directly to the destination network. ARP packages can be falsified to send data to the attacker's machine. ARP spoofing creates a large number of counterfeit ARP requests and response packets to overload the switch. The switch is set in forwarding mode and after the ARP table has been invaded by counterfeit ARP replies, attackers can smell all network packets. Attackers invade an ARP cache of the target computer with fake entries, also known as poisoning. ARP poisoning uses Man-in-the-Middle access to poison the network. What is a Man-In-The-Middle? A man-in-the-middle attack (MITM) is an attack in which the attacker forwards secretly and probably alters communications between two parties who believe they communicate directly with each other. In this case, the victims think of communicating with each other, but in reality the attacker controls the communication. A MITM attack can only succeed when the attacker embodies each endpoint well enough to meet his expectations. ARP spoofing attack Before proceeding further and to perform this simulation of the ARP poisoning attack you will need the following tools: Kali Linux / Parrot / BlackBuntu or any other Linux operating system Let's move on to practice if you still have problems understanding the principle, putting into practice an ARP poisoning attack will help you better understand how it works and its possibilities. Identify IP address First of all, you will need to find out what the IP address of your machine is on the network. The easiest way to find out is to open the terminal and use the following commands. ifconfig Or alternatively ip a Install Ettercap If Ettercap is not yet installed on your system, you can install it immediately using the following commands. Ettercap is available in different versions and formats. Recent versions of the sources and binary packages are described on the page of the software download page. Based on Debian sudo apt install ettercap Ettercap configuration Now that Ettercap is already installed on your computer, we'll modify the Ettercap configuration file a bit to optimize the results provided by the tool. sudo nano /etc/ettercap/etter.conf The ec_uid and ec_gid lines must be set to 0 for the program service to work on behalf of the SuperUser: [privs] ec_uid = 0 # nobody is the default ec_gid = 0 # nobody is the default Subsequently it is necessary to find and uncomment these two lines: redir_command_on = “iptables -t nat -A PREROUTING -i% iface -p tcp –dport% port -j REDIRECT –to-port% rport” redir_command_off = “iptables -t nat -D PREROUTING -i% iface -p tcp –dport % port -j REDIRECT –to-port% rport ” They are used to redirect SSL connections to normal HTTP, if possible. Then save the changes and the program is ready to work. Fireup Ettercap The program can work in different ways: with a graphical interface, without and as a service. We will consider the work in the graphical interface. To run a program with a GTK interface, use the -G option: Use the -E option for sudo to save all of our users' environment variables. ARP Poisoning Attacks using Ettercap This attack anatomy allows us to force the target computer to send us packets instead of sending it to the router. Let's get to the point and perform the Ettercap ARP poisoning attack In Ettercap, click on Sniff> Unified Sniffing and in the new popup select your network interface referenced by the following screenshot of wlp2s0. Now it's time to scan the network and list the currently connected devices. To do this, simply click on host> search host. The entire network will be scanned for live hosts. When the scan is complete, click the host> host list again to see the list of hosts available on the network. Important: this list also includes the default gateway address, so we need to be careful when selecting destinations. We will select targets from our list of hosts. In a MITM attack, the attacker intercepts the network and sniffs the packets. In our man-in-the-middle scenario, our target machine is 192.168.1.104 and our router is 192.168.1.1. In Ettercap, click on target 1 and select add to target 1. Repeat the same with target 2 and select add to target 2. Now the interesting part begins. Click on Mitm> ARP Poisoning and click OK. Next, select the Remote sniff connections option and click OK again. Click on start> start the sniffing. This will start ARP Poisoning in the network, which means we have enabled our network card in promiscuous mode and now local traffic can be subject to sniffing. The program is now sending packets to the network, with a request for 192.168.1.104 to update the ARP cache and replace the router's MAC address with yours. The attack is started and executed correctly. You can open the menu View -> Connections and see the active connections for the target device. If a packet is sent over the network without an encryption method, you can view the information transmitted by clicking on the connection line. The information sent is displayed on the left side and the information received is displayed on the right side. Any sensitive information, such as data passed through an access form, a registration form, a contact form, etc ... as long as it is not encrypted, can be analyzed by the attacker who examines the contents of each line and its values.