It’s 11:00 pm and the network isn’t working. You need to figure out a way to get a copy of Wireshark somewhere useful without digging through network closets for the monitor port on the master switch. But you’re too tired (or maybe too lazy) to go set up a monitor port and figure out where it’s physically located.
Luckily, there is a clever trick to see everything without having a monitor port on the router. Ettercap is a tool that allows for ARP Poison Routing (APR). APR is a useful technique to convince the network you are the gateway and, on the converse, convince the gateway that you are the network. This is done by sending carefully crafted ARP replies over the network to overwrite the ARP caches (the tables that translate between IP and MAC addresses) of every node in scope. As soon as the process is complete, all network traffic goes through the poisoning device which can be running Wireshark or any other tool that deals with local network traffic. The best part of all, when you are done, it disappears in seconds without a trace. Keep in mind, while the tool is running SSL certificates will not validate on or from the targeted devices. Make sure all end users in scope are home for the night and nothing mission critical on the network requires an https connection.
I’ve listed out an easy to follow, step-by-step guideline to get a “man-in-the-middle” of your network traffic without needing to set up a monitor port on the master switch.
Step 0 (only if needed): Install Ettercap and dependencies with
sudo apt-get install debhelper cmake bison flex libgtk2.0-dev libltdl3-dev libncurses-dev libncurses5-dev libnet1-dev libpcap-dev libpcre3-dev libssl-dev libcurl4-openssl-dev ghostscript ettercap-gtk or equivalent for your platform.
Step 1: Open Ettercap in graphical mode. This can be done with the command
ettercap -G or by selecting it from your applications list.
Step 2: Enable network sniffing and bind Ettercap to an interface. In the top menu, select Sniff → Unified sniffing…
Step 3: Choose the interface you would like to use for sniffing. For wireless sniffing (yes, it actually works!), the interface name will probably start with wlan. For ethernet sniffing, the interface name will probably start with eth.
Step 4: In the menu, select Hosts → Scan for hosts.
Step 5: Open the host list by selecting Hosts → Hosts list from the menu.
Step 6: Select every device that you would like to see the traffic from. Then press Add to Target 1 to inform Ettercap that these are the devices to be poisoned.
Step 7: Now we need to tell Ettercap what plugins we want loaded. These allow for additional features, such as making sure the devices stay poisoned after the attack is started. In the menu, select Plugins → Manage the plugins.
Step 8: Double click the plugins named autoadd and repoison_arp. These will ensure the devices in the targets list keep sending their traffic to us until we terminate the attack.
Step 9: Now to start the attack. From the menu, select Mitm → ARP poisoning…
Step 10: Enable Sniff remote connections and press OK.
Step 11: Use your newly found “monitor port” for whatever you need, such as Wireshark.
It’s a simple and easy solution to help you circumvent your need for a monitor port if you either don’t have one or don’t have access to one. Let us know what other tools, situations, and devices you have used Ettercap for.