How to Spy on Another Person’s Browser: Man-in-the-Middle Attacks

I dusted off Ettercap the other day and started playing with it again. With Ettercap, you can very easily perform Man-in-the-Middle attacks with ARP poisoning. In layman’s terms, ARP poisoning is simply placing your machine between the target machine and the internet, so you can view all the traffic of the target.

This is done by altering the ARP cache so the target PC thinks you are the router, and the router thinks you are the target PC. Several programs offer ARP poisoning, but Ettercap offers some interesting modules and filters that you can use that do different functions.

Today, I want to look at the “Remote Browser Attack” feature of Ettercap. This basically allows you to remotely spy on a target PC: a copy of the website they are visiting is displayed on your computer.

To do this attack there are just a couple of settings to change in the Ettercap config file.

Ettercap Instructions in Backtrack 4:

Edit the “/etc/etter.conf” file.
Under the [privs] section, change:

EC_uid = 65534
EC_gid = 65534

to:

EC_uid = 0      # 65534
EC_gid = 0      # 65534

And, scroll down to the [Strings] section.

If the target is using Firefox, change:

remote_browser = "Mozilla -remote openurl(http://%host%url)"

to:

remote_browser = "firefox -remote openurl(http://%host%url)"

Now start up Ettercap-GTK. 

When it starts up, pick “Sniff” and then “Unified Sniffing” and then pick your network card.

Now, just select “Hosts” and scan the network for hosts. Next, click “Hosts” and “Host list”. A list of the available hosts’ IP addresses will appear.

Click on the target PC, then click on “Add to Target 1”, then click on the router, then click “Add to Target 2”.

Click on the “Plugins” menu. Select “Manage the plugins”. Scroll down the list and double-click on “Remote_browser”. An asterisk will appear in front of it when it is selected. Next, click the “Mitm” menu tab and select “ARP Poisoning”.

Then just hit “Start” and “Start Sniffing”.

Finally, make sure you open the Firefox browser on your Backtrack attacker machine. The webpage for every website your target visits will show up in your Firefox browser.

That’s it. Just go to the target machine and surf the web. On the attacker machine, you can see that Ettercap is capturing the target’s surfing:

As the target surfs to different webpages, the Firefox on the attacking machine will also auto-update with the page they are on:

Notice the tabs in Firefox on the attacking machine. These are a history of all the pages that the target has visited since the attack began.

For targets, I used an updated version of Windows 7 and Windows XP SP3 in this test. Ettercap is an older program, and has not been updated in a while. This attack used to work very well against older versions of Windows XP. On XP Service Pack 3, normal pages show up fine, but encrypted webpages would not show up on the attacker machine. So, for example, you could go to Gmail and log in on the target machine, but only the login page would show up on the attacker browser.

Also, many of Ettercap’s older password sniffing functions no longer work on updated machines and websites.

Windows 7 fared the best against the Ettercap attack. Using just the ARP poisoning attack, Windows 7 would not allow you to open SSL-encrypted sites at all. It sensed something was wrong and gave this error:

If you tried to continue, the web address would turn red and a message would come up saying that, due to security issues, the page would not be displayed.

Also, when trying to run the remote browser module attack against the Windows 7 machine, as soon as you tried to surf to any webpage, standard or encrypted, the internet connection would drop completely.

Okay, how to defend against these types of attacks. Man-in-the-Middle attacks of this kind are possible because of ARP poisoning: if your ARP cache could not be modified, this attack would not be possible. Unfortunately, it appears that making your ARP cache static is not feasible or practical on many networks.

Some internet security programs protect the ARP cache from being changed. Also, many IDS systems will detect when a program tries to change the ARP cache. If you are a network manager and are not familiar with these types of attacks, look into it to see what the best solution is for your system. For home users, a quick step is to not share your wireless router with your neighbors: lock it down!
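Since static ARP entries are rarely practical, the realistic defence is detection. The following is an added example, not code from the original post and not part of Ettercap, showing the two checks an ARP-watching IDS performs: it learns the first MAC that answers for each IP and alerts when a different MAC later claims that IP, and it alerts when one MAC claims to be several hosts at once, which is what poisoning both the victim and the router (Target 1 and Target 2 above) looks like on the wire. It also parses Windows-style "arp -a" output so a home user can run the same duplicate-MAC check against the local ARP cache by hand. All IP and MAC addresses in it are constructed sample values, and the ARP replies are a constructed list standing in for a live packet capture.

```python
"""ARP-poisoning symptom detector (added example; not from the original post).

Two checks, modelled on what ARP-monitoring IDS tools do:
  1. MAC_CHANGED / GATEWAY_MAC_CHANGED: an IP that was first answered for by
     one MAC is later claimed by a different MAC.
  2. ONE_MAC_MANY_IPS: a single MAC claims to own more than one IP address.
All addresses below are constructed sample values.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ArpReply:
    ts: float        # seconds since capture start (constructed)
    sender_ip: str   # IP address the sender claims to own
    sender_mac: str  # hardware address making the claim


@dataclass
class ArpMonitor:
    gateway_ip: str
    ip_to_mac: dict = field(default_factory=dict)                      # learned baseline
    mac_to_ips: dict = field(default_factory=lambda: defaultdict(set))  # who claims what

    def observe(self, reply):
        """Record one ARP reply and return a list of (alert_kind, details) tuples."""
        alerts = []
        ip = reply.sender_ip
        mac = reply.sender_mac.lower().replace("-", ":")   # normalise aa-bb-.. and AA:BB:..
        known = self.ip_to_mac.get(ip)
        if known is None:
            self.ip_to_mac[ip] = mac   # first answer becomes the baseline binding
        elif known != mac:
            kind = "GATEWAY_MAC_CHANGED" if ip == self.gateway_ip else "MAC_CHANGED"
            alerts.append((kind, f"{ip} was {known}, now claimed by {mac} at t={reply.ts}"))
            # The baseline is deliberately kept: the first answer is normally the real host.
        if ip not in self.mac_to_ips[mac]:
            self.mac_to_ips[mac].add(ip)
            if len(self.mac_to_ips[mac]) > 1:
                alerts.append(("ONE_MAC_MANY_IPS", f"{mac} claims {sorted(self.mac_to_ips[mac])}"))
        return alerts


def run_monitor(replies, gateway_ip):
    """Feed replies to a fresh monitor in time order; return every alert raised."""
    mon = ArpMonitor(gateway_ip)
    out = []
    for reply in sorted(replies, key=lambda r: r.ts):
        out.extend(mon.observe(reply))
    return out


# Matches one entry line of Windows "arp -a" (dash-separated MAC) or a colon-separated MAC.
ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+\w+")


def duplicate_macs_in_arp_table(text):
    """Return {mac: [ips]} for every MAC bound to more than one IP in an 'arp -a' dump.

    Broadcast (ff:ff:ff:ff:ff:ff) and IPv4 multicast (01:00:5e:..) entries are
    legitimately shared and are skipped.
    """
    mac_to_ips = defaultdict(set)
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower().replace("-", ":")
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue
        mac_to_ips[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1}


# Constructed sample capture: the third host starts answering for both the router and the victim.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),    # router answers first
    ArpReply(1.0, "192.168.1.10", "aa:aa:aa:aa:aa:10"),   # victim
    ArpReply(2.0, "192.168.1.20", "aa:aa:aa:aa:aa:20"),   # third host on the LAN
    ArpReply(30.0, "192.168.1.1", "aa:aa:aa:aa:aa:20"),   # third host now claims to be the router
    ArpReply(30.1, "192.168.1.10", "aa:aa:aa:aa:aa:20"),  # ...and also the victim
]

# Constructed "arp -a" output as the victim would see it after poisoning.
ARP_TABLE_SAMPLE = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-aa-aa-aa-aa-20     dynamic
  192.168.1.20          aa-aa-aa-aa-aa-20     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

if __name__ == "__main__":
    for kind, details in run_monitor(SAMPLE_REPLIES, "192.168.1.1"):
        print(f"ALERT {kind}: {details}")
    print("Shared MACs in ARP table:", duplicate_macs_in_arp_table(ARP_TABLE_SAMPLE))
```

On the sample capture the monitor raises four alerts in order: GATEWAY_MAC_CHANGED, ONE_MAC_MANY_IPS, MAC_CHANGED, ONE_MAC_MANY_IPS; the first three replies alone raise none. The table parser reports the single MAC that is bound to both the router's and the third host's IP. Both checks produce false positives in legitimate situations (a router that owns several addresses, a replaced network card, DHCP lease churn), so treat a hit as something to investigate rather than proof of an attack, and bear in mind that an IDS watching the ARP cache does nothing to protect a network it cannot see traffic on, which is why locking down the wireless router matters for home users.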

Windows 7 with its more advanced security features held up better against these attacks than Windows XP SP3 did. It just may be time to consider upgrading from XP to Windows 7.
