Ettercap Tutorial: DNS Spoofing & ARP Poisoning Examples

Ettercap stands for Ethernet Capture.
Ettercap is a comprehensive suite for man in the middle attacks.
It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.

Download and Install
Download the install the Ettercap package fromย Ettercap.
You can also install from the mirror as follows:
# apt-get install ettercap-gtk ettercap-common
This article explains how to perform DNS spoofing and ARP poisoning using Ettercap tool in Local Area Network ( LAN ).
Warning: Do not execute this on a network or system that you do not own. Execute this only on your own network or system for learning purpose only. Also, do not execute this on any production network or system. Setup a small network/system for testing purpose and play around with this utility on it for learning purpose only.
Ettercap Basics
First letโ€™s learn some basics about Ettercap. Ettercap has the following 4 types of user interface
ยงย  Text Only โ€“ โ€˜-Tโ€™ option
ยงย  Curses โ€“ โ€˜-Cโ€™ option
ยงย  GTK โ€“ โ€˜-Gโ€™ option
ยงย  Daemon โ€“ โ€˜-Dโ€™ option
In this article, we will mainly focus on the โ€œGraphical GTK User Interfaceโ€, since it will be very easy to learn.
Launching an ARP Poisoning Attack
We have already explained about why we need ARP and the conceptual explanation of ARP cache poisoning inย ARP-Cache-Poisoning. So please have a look into it, and this article will cover how to perform it practically.

The following diagram explains the network architecture. All the attacks explained here will be performed on the following network diagram only. Using Ettercap in a production environment is not advisable.

Launch Ettercap using the following command in the 122 machine.
# ettercap -G
Click โ€œSniff->Unified Sniffingโ€. It will list the available network interface as shown below. Choose the one which you want to use for ARP Poisoning.
Once you have chosen the interface the following window will open:
The next step is to add the target list for performing the ARP poisoning. Here we will add and as the target as follows.
Click โ€œHosts->Scan for Hostโ€.
It will start to scan the hosts present in the network.
Once it is completed, click โ€œHosts->Host Listโ€. It will list the available hosts in the LAN as follows:

Now among the list, select โ€œ192.168.1.51โ€ and click โ€œAdd to Target 1โ€ณ and select โ€œ192.168.1.10โ€ and click โ€œAdd to Target 2โ€ณ.
Now select โ€œMitm->Arp Poisoningโ€ as follows:

The following dialog box will open. Select โ€œSniff Remote Connectionโ€ and click โ€œokโ€:

Then click โ€œStart->Start Sniffing as follows:

Now Arp is poisoned, i.e, 122 machine starts to send ARP packets saying โ€œIโ€™m 1.10โ€ณ. In-order to verify it, From โ€œpingโ€ณ. Open โ€œWiresharkโ€ application in machine, and put a filter for ICMP. You will get the ICMP packets from to in as follows:
Launching DNS Spoofing Attack in LAN
The concept of DNS is as follows.
ยงย  Machine A said โ€˜ping google.comโ€™
ยงย  Now it has to find that IP address of
ยงย  So it queries the DNS server with regard to the IP address for the domain
ยงย  The DNS server will have its own hierarchy, and it will find the IP address of and return it to Machine A
Here we will see how we can spoof the DNS.
There are many plugins which comes by default with EtterCap. Once such plugin is called as DNSSpoof. We are going to use that plugin to test the DNS spoofing.
Open the /usr/share/ettercap/etter.dns in the 122 machine and add the following,
* A
Here, acts as the DNS server. In-order to perform DNS spoofing, first we need to do the ARP poisoning as explained above. Once ARP is done, follow the below steps
Click โ€œPlugins->Manage Pluginsโ€ as follows:

Select the โ€œdns_spoofโ€ plugin and double click to activate it as follows:

Now from ping
$ ping

PING ( 56(84) bytes of data.
64 bytes from ( icmp_seq=1 ttl=64 time=3.56 ms
64 bytes from ( icmp_seq=2 ttl=64 time=0.843 ms
64 bytes from ( icmp_seq=3 ttl=64 time=0.646 ms
You can see that it returns a local machineโ€™s IP address which we have given in the configuration.
Hope this articles provides some insight into ARP Poisoning and DNS Spoofing. Once everything is done, remember to stop MITM attack as follows:

Finally, it doesnโ€™t hurt to repeat the warning again. Do not execute this on a network or system that you do not own. Setup a small network/system for testing purpose and play around with this utility on it for learning purpose only.