This is for educational purposes only! I set up this lab in a controlled environment using a Windows file server, a Windows XP desktop, and my laptop running the Knoppix live CD. In this lab I use Ettercap only for ARP poisoning and spoofing, and I use Ethereal for the sniffing. First of all, I made sure my laptop would forward IP packets, so I ran #echo 1 > /proc/sys/net/ipv4/ip_forward to accomplish this (the path goes through net/, the post originally left that component out). Next, I opened a root shell and fired up Ettercap with the ARP poison plugin. Instead of spoofing the traffic between two nodes, I flooded every host with poisoned ARP packets, even the gateway. The reason behind this is that if an attacker has a target and wants to find the login information for the gateway, but doesn’t know which node in the subnet the admin/user will use to log in to the gateway, the attacker could find out by running the commands I do, which will also cause a denial of service. So, while spoofing the traffic, I also start Ethereal to sniff the traffic and see which node logs into the gateway, along with any other pertinent info found in the packets.
Basically, the following two commands, combined with the ip_forward command above, run from the Knoppix live CD will create a MITM attack.
In one root console start Ettercap
#ettercap -o -T -P repoison_arp -M arp:remote //
In another root console start the text version of Ethereal
#tethereal -w /tmp/mitm_log.pcap -f "not arp and not icmp"
or, if you have time and want to watch the traffic in real time, you can start the Ethereal GUI instead. Either way, you can load the pcap file written by the tethereal command into the Ethereal GUI afterwards.
Screenshots of both Ettercap and Ethereal’s text version running simultaneously to cause a DoS and MITM attack can be found at http://www.networksecuritytech.com/viewtopic.php?p=28767#28767
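From the defender's side, the poisoned replies this lab generates are easy to spot in the same kind of capture: the following is an added example (not from the original post) that tracks IP-to-MAC bindings from ARP replies and raises an alert when a binding changes or when one MAC answers for many IPs in a short window. The sample replies, the addresses and the tshark invocation in the docstring are assumptions, not taken from the lab.

```python
"""ARP spoofing detector (added, defender-side example; not from the post).

Records are (seconds, sender_ip, sender_mac) from ARP replies, e.g. fed by
this assumed tshark (successor of tethereal) invocation:
  tshark -Y "arp.opcode == 2" -T fields -e frame.time_relative \
         -e arp.src.proto_ipv4 -e arp.src.hw_mac
Flags an IP whose MAC binding changes, and one MAC answering for many IPs
in a short window (the subnet-wide flood that also caused the DoS above).
"""
from collections import defaultdict

# Constructed sample: three legitimate bindings, then every host "moves"
# to the laptop's MAC (00:aa:bb:cc:dd:ee is made up, as are the IPs).
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),   # gateway
    (0.5, "192.168.1.10", "00:11:22:33:44:10"),  # file server
    (1.0, "192.168.1.20", "00:11:22:33:44:20"),  # XP desktop
    (5.0, "192.168.1.1", "00:aa:bb:cc:dd:ee"),   # poisoned replies start
    (5.1, "192.168.1.10", "00:aa:bb:cc:dd:ee"),
    (5.2, "192.168.1.20", "00:aa:bb:cc:dd:ee"),
]


def parse_tshark_line(line):
    """Turn one tab-separated 'time<TAB>ip<TAB>mac' line into a record."""
    t, ip, mac = line.rstrip("\n").split("\t")
    return float(t), ip, mac.lower()


def detect_arp_spoofing(replies, flood_threshold=3, window=2.0):
    """Return alert strings in the order the evidence appears."""
    known = {}                    # ip -> MAC it was first seen with
    claims = defaultdict(list)    # mac -> [(time, ip)] replies it sent
    flagged_floods = set()
    alerts = []
    for t, ip, mac in replies:
        prev = known.setdefault(ip, mac)
        if prev != mac:           # binding change: classic poisoning sign
            alerts.append(f"{t:.1f}s: {ip} moved from {prev} to {mac}")
        claims[mac].append((t, ip))
        recent = {i for ts, i in claims[mac] if t - ts <= window}
        if len(recent) >= flood_threshold and mac not in flagged_floods:
            flagged_floods.add(mac)
            alerts.append(f"{t:.1f}s: {mac} answered for {len(recent)} "
                          f"IPs within {window:g}s (flood)")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES):
        print(alert)
```

A binding change alone is also what a DHCP lease move or a replaced NIC looks like, so on a real network the flood rule and a list of known static hosts (gateway, servers) are what keep the false positives down.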