Every now and then, you will have to prove that someone on your network is doing something that he isn't supposed to do. And so today I had to somehow gather some proof of certain behavior.
I wanted to prove that someone was visiting certain websites and was reading a certain POP3 mailbox (yes, that protocol is still in use).
An easy way would be to install a keylogger, or (even easier) just to use tcpdump. Unfortunately the network uses switches and not hubs, so (in my ignorance) I thought tcpdumping wouldn't show me their packets.
Then I ran into ettercap. Ettercap makes it possible to sniff packets even when a switch is used. (All the script-kiddies probably knew this for ages ;-)
Coming with three interfaces (text, curses, GTK), this tool is just too easy to handle. By means of ARP poisoning you can perform a so-called man-in-the-middle attack.
Within seconds, I defined my targets and within minutes, I had more proof (and passwords) than I cared about. No need to touch my target's machine physically, or install keyloggers.
Awesome tool! Makes you feel paranoid again ;-)
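The flip side of the post above is spotting this from the network side. The following is an added example, not part of the original post or of ettercap: a small detector that reads a constructed sequence of ARP "is-at" replies and flags the two signatures ARP poisoning leaves behind (an IP whose MAC suddenly changes, and one MAC answering for several IPs). The trace, addresses and the `trusted` pin list are all made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP 'is-at' reply: which MAC claims which IP."""
    sender_ip: str
    sender_mac: str


# Constructed sample trace (not real capture data). The gateway 10.0.0.1 is
# legitimately at aa:...:01; then a third host starts answering for both the
# gateway and a workstation, which is what a poisoning MITM looks like on the wire.
SAMPLE_TRACE = [
    ArpReply("10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply("10.0.0.20", "aa:aa:aa:aa:aa:20"),
    ArpReply("10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply("10.0.0.1", "de:ad:be:ef:00:99"),
    ArpReply("10.0.0.20", "de:ad:be:ef:00:99"),
]


def detect_arp_poisoning(trace, trusted=None):
    """Return alert strings, in the order they are triggered.

    `trusted` is an optional {ip: mac} map of pinned bindings (e.g. the gateway);
    everything else is learned from the first reply seen for that IP. Note that a
    single MAC serving several IPs is only a hint: routers and VM hosts do that
    legitimately, so pin the addresses you care about rather than alerting blindly.
    """
    known = dict(trusted or {})
    ips_by_mac = defaultdict(set)
    alerts = []
    for reply in trace:
        mac = reply.sender_mac.lower()
        prev = known.get(reply.sender_ip)
        if prev is None:
            known[reply.sender_ip] = mac            # first sighting: learn it
        elif prev != mac:
            alerts.append(f"ip-mac change: {reply.sender_ip} was {prev}, now {mac}")
        before = len(ips_by_mac[mac])
        ips_by_mac[mac].add(reply.sender_ip)
        if before >= 1 and len(ips_by_mac[mac]) > before:
            alerts.append(
                f"one mac answers for many ips: {mac} -> {sorted(ips_by_mac[mac])}"
            )
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_TRACE):
        print(line)
```

On a real network you would feed this from a passive ARP capture on a mirror port; arpwatch does essentially the same bookkeeping.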