MITM & Sniffing Tools

How To Sniff Data Using ARPspoof & Ettercap? [MITM Series: 1]

Hello world! In this article we’ll learn about ARP spoofing using two tools: arpspoof, a command-line utility, and Ettercap, which also offers a graphical interface.

What is ARP?

ARP stands for Address Resolution Protocol. It queries the hosts on a LAN for the MAC address (the physical address) that belongs to a given IP address.
Basically, a host broadcasts an ARP request carrying the IP address it wants to reach and asks for the matching MAC address. When the host that owns that IP returns its MAC address, the requester stores the MAC address together with the IP address of that host in its ARP cache.

Attack Scenario:

What we are doing is poisoning the ARP exchange with fake responses. ARP replies are not authenticated, so while the hosts keep broadcasting requests we answer them claiming that the requested IP address belongs to our MAC address, even though we are not its legitimate owner. The result is illegitimate access to other computers’ connections: we can see the DNS requests, HTTP and all other network traffic of the other users, that is, of our victim.

We are using arpspoof, a command-line tool. You can get it with this command.

sudo apt-get install dsniff   # arpspoof is shipped as part of the dsniff package

After installing you can use this tool. There are two ways to carry out the attack:
one-way poisoning and two-way poisoning.
In one-way poisoning we spoof only the replies to the requests made by the victim host to the router.
Two-way poisoning covers both directions, from victim to router and from router to victim.
We’ll discuss both attacks.

To see the network traffic you need a network packet analyzer. There are many applications;
you can use any of them, but I prefer Wireshark.
You can go through this tutorial on getting Wireshark onto your Linux or Windows machine.

Getting Started:

First you should enable IP forwarding, so that the traffic passing through your machine is relayed on to its real destination instead of being dropped. Then open two terminals for performing the two-way poisoning.
Run this command first (as root) to enable forwarding.

echo 1 > /proc/sys/net/ipv4/ip_forward   # note the space before '>' and the underscore in ip_forward

After this command you can start poisoning by running arpspoof in both terminals.
At Terminal 1

arpspoof -t <victim_ip> <gateway_ip>

This will poison all the queries going from the victim to the router host.
At Terminal 2

arpspoof -t <gateway_ip> <victim_ip>

This will poison all the queries going from the router host to the victim.
You are now free to open Wireshark, capture packets and filter them, for example by HTTP.
We have articles on Wireshark that you can refer to in order to learn how to make use of it.
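As an added, defender-side example that is not part of the original article: a small passive detector that flags the symptoms the two-way poisoning above leaves in a LAN's ARP traffic, namely the gateway's IP suddenly mapping to a new MAC, and a single MAC answering for both the gateway and the victim. The ARP reply log here is a constructed sample; in practice you would feed it from an ARP monitor such as arpwatch or a Wireshark export.

```python
"""Passive ARP-poisoning detector (added example, not from the article).

Input is a list of (timestamp, sender_ip, sender_mac) tuples as a passive
ARP monitor would log them. Nothing here sends any packets."""
from collections import defaultdict

# Constructed sample: 10.0.0.1 is the gateway, 10.0.0.42 the victim, and
# aa:aa:aa:aa:aa:aa is a third host that starts answering for both of them
# at t=30, which is exactly what two-way poisoning with arpspoof produces.
SAMPLE_REPLIES = [
    (1.0, "10.0.0.1", "00:11:22:33:44:01"),
    (1.5, "10.0.0.42", "00:11:22:33:44:42"),
    (2.0, "10.0.0.7", "00:11:22:33:44:07"),
    (30.0, "10.0.0.1", "aa:aa:aa:aa:aa:aa"),
    (30.1, "10.0.0.42", "aa:aa:aa:aa:aa:aa"),
    (32.0, "10.0.0.1", "aa:aa:aa:aa:aa:aa"),
]


def detect_arp_poisoning(replies, gateway_ip):
    """Return alert strings for (a) an IP whose MAC changes and (b) a MAC
    that claims more than one IP. A change of the gateway's MAC is rated
    CRITICAL because it redirects every off-LAN flow of every host."""
    ip_to_mac = {}                 # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has ever claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            sev = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{sev} t={ts}: {ip} changed {prev} -> {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"WARNING t={ts}: {mac} now claims "
                              f"{sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES, "10.0.0.1"):
        print(alert)
```

A legitimate router failover (VRRP/HSRP) or a host with several IP aliases trips the same rules, so treat the alerts as a prompt to compare against a known-good inventory of gateway MACs rather than as proof of an attack.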


Ettercap has a graphical user interface from which many LAN and MITM attacks can be launched easily. You can install it on Linux just by

sudo apt-get install ettercap-graphical   # the GUI build; ettercap-text-only provides the curses/CLI version

Run it from terminal using

ettercap -G

In the top bar you can find the MITM tab, which contains the ARP poisoning option.

First you need to start Unified sniffing, then go to Hosts and scan for hosts.

Add the victim’s IP address to Target 1 and the gateway IP address to Target 2.
Then go to the MITM tab and select ARP poisoning; you can enable two-way poisoning just by ticking the check-box.

Then start capturing packets on the network using Wireshark.

I hope this article was helpful in understanding the two methods of ARP spoofing. We’ll continue this MITM series in the next article, where we’ll discuss the DNS spoofing attack.

Anuj Mishra

Admin, Founder & Chief Editor at HackeRoyale
Engineer. Blogger. Ethical hacker. Penetration Tester. Deep Webbie. Bug hunter. Security Analyst. Web Developer. Techie. Programmer. Foodie. Music Lover. Traveller. Enthusiast.