Charlie Harvey

Ettercap remote_browser Plugin Fun

Screenshot of ettercap remote browser

I’ve just spent some serious time getting Ettercap's remote_browser plugin to work as expected on my home network. The plugin allows you to view the pages that another user on your network is browsing. What actually made the difference in the end was changing the argument ordering. For once dogged persistence on my part ended up being productive!

Here's what worked on my Debian Squeeze laptop with a brief intro to Ettercap.

Intro to Ettercap

Ettercap is a "man in the middle attack tool". It could be used maliciously, of course, but it is also massively useful as a debugging tool and for checking that my networks are secured. My most common use case is to let me sniff traffic at work and home in combination with Wireshark from my laptop. To do this I simply run:

# ettercap -Q -T -i wlan0 -M arp /10.0.0.1/ /10.0.0.9/

That tells ettercap:

-Q
Be super quiet. Ettercap can print all the packets, plus users and passwords that it captures. But I’ll use wireshark for displaying the packets.
-T
Use the text-only interface. You can also use a curses interface -C or the GTK interface -G .
-i wlan0
Use my wireless interface (wlan0)
-M arp
Do ARP cache poisoning.
/10.0.0.1/ /10.0.0.9/
Group 1 and 2 for packet capture. Ettercap uses two groups rather than a src and dest. I usually specify my gateway first and the machine in which I am interested second. Not sure if that is correct but it is what I do.

I can then run wireshark, start capturing from wlan0 and see all the traffic between 10.0.0.1 and 10.0.0.9.

Let’s have some fun!

Ettercap's remote_browser plugin lets you watch what another user is looking at in your own browser. In my case that is iceweasel rather than mozilla, so I made a change in my /etc/etter.conf where the remote_browser variable now reads thus:

remote_browser = "iceweasel -remote openurl(http://%host%url)"

I spent an aeon trying to watch my eeepc from my main laptop before finally discovering that changing the argument order fixed things. Of course it is entirely possible that I am misattributing the fix, but the ordering below is now working reliably for me.

# iceweasel &
# ettercap -i wlan0 -P remote_browser -T -q -M arp:remote /192.168.0.1/ /192.168.0.14/

Let's break that down again.

iceweasel &
We'll need an iceweasel browser running as root. I tried fiddling with the uid and gid in /etc/etter.conf, but to no avail. The & puts iceweasel into the background if you’ve not seen that before.
-i wlan0
Use the wireless interface
-P remote_browser
Use the remote_browser plugin.
-T
Use the text-only interface.
-q
Be quiet, don't print packets to STDOUT.
-M arp:remote
Do an ARP cache poisoning man in the middle attack. The :remote is required if you want to see the remote traffic.
/192.168.0.1/ /192.168.0.14/
Our gateway and 'target' machine.

Now, I can watch myself browsing on another machine to my heart's content, which is actually a little troubling if you think about it. Best to use HTTPS everywhere and ideally a secure VPN, Tor or an SSH SOCKS proxy. Network administrators, you should check out the section on defenses in the SANS Ettercap primer if you want to mitigate ARP attacks on your users.
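As an added example for the defensive side (not part of the original post or of Ettercap), here is a small Python script that compares successive `arp -an` snapshots and flags the two symptoms of the arp:remote poisoning described above: an IP whose MAC changes, and one MAC that claims both the gateway and the target. The snapshots, addresses and MACs below are constructed, not captured from the author's network.

```python
"""Spot ARP cache poisoning symptoms from successive `arp -an` snapshots."""
import re
from collections import defaultdict

# Matches one Linux `arp -an` line, e.g.
# "? (192.168.0.1) at aa:bb:cc:00:00:01 [ether] on wlan0"
# Entries shown as "at <incomplete>" have no MAC and do not match.
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17})")


def parse_arp_table(text):
    """Return {ip: mac} (MACs lower-cased) from the text of `arp -an`."""
    return {m["ip"]: m["mac"].lower() for m in ARP_LINE.finditer(text)}


def arp_changes(snapshots):
    """Given ARP table snapshots taken over time, return two dicts:
    changed: ip -> every MAC seen for it, for IPs claimed by more than one MAC
    shared:  mac -> every IP it claimed, for MACs claiming more than one IP
    A MAC that claims both gateway and host is the two-group poisoning pattern."""
    seen = defaultdict(set)
    for snap in snapshots:
        for ip, mac in parse_arp_table(snap).items():
            seen[ip].add(mac)
    changed = {ip: macs for ip, macs in seen.items() if len(macs) > 1}
    mac_to_ips = defaultdict(set)
    for ip, macs in seen.items():
        for mac in macs:
            mac_to_ips[mac].add(ip)
    shared = {mac: ips for mac, ips in mac_to_ips.items() if len(ips) > 1}
    return changed, shared


# Constructed snapshots: before and during a poisoning of the gateway (.1)
# and the target (.14) by a third machine whose MAC is de:ad:be:ef:00:99.
BEFORE = """? (192.168.0.1) at aa:bb:cc:00:00:01 [ether] on wlan0
? (192.168.0.14) at aa:bb:cc:00:00:14 [ether] on wlan0
? (192.168.0.20) at <incomplete> on wlan0"""
DURING = """? (192.168.0.1) at de:ad:be:ef:00:99 [ether] on wlan0
? (192.168.0.14) at de:ad:be:ef:00:99 [ether] on wlan0
? (192.168.0.20) at <incomplete> on wlan0"""

if __name__ == "__main__":
    changed, shared = arp_changes([BEFORE, DURING])
    for ip, macs in sorted(changed.items()):
        print(f"WARNING: {ip} answered from several MACs: {sorted(macs)}")
    for mac, ips in sorted(shared.items()):
        print(f"WARNING: {mac} claims several IPs: {sorted(ips)}")
```

On a real host, feed it the output of `arp -an` captured a few seconds apart; static ARP entries for the gateway are the mitigation the SANS primer describes, and this script only tells you when they would have helped.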
