Monday, November 30, 2009

Take down any host on a network using Ettercap's plugin Isolate

Ettercap is a very popular password sniffer and packet analyzer. It comes pre-built with many plugins, including isolate, which I'm going to briefly discuss here. This plugin allows you to literally take down a host on a network. For example, if you find out that you have a user using the internet for malicious purposes, why not just take him out?

The theory behind this attack lies in poisoning the user's ARP cache. A computer on your LAN that communicates on the internet relies on knowing the MAC address of the gateway or router, so it won't be hard to imagine what happens if we tell that machine to send all internet-bound packets to another MAC address. More interestingly, say the router's IP address is 192.168.1.1. If we poison the ARP cache of a machine so that the router's address, 192.168.1.1, is linked to that computer's own MAC address, the result is a complete denial of service. Whenever that user's machine tries to communicate on the web, all of its packets are sent to its own MAC address. Talk about a state of confusion.

This attack may take up to 5 mins to work. It relies on the ARP cache entry timing out, at which point the machine needs to refresh it.

# ettercap -Tq -i eth0 -P isolate /192.168.1.103/ //

The above command would completely take the host 192.168.1.103 down. You can run ipconfig /all and arp -a on your Windows machine, then compare the machine's own MAC address with the one the ARP table lists for the router. If they are the same, then you just pwned that machine. Now you can tell those pesky torrent whores just before you take them down, "Say hello to my lil friend..." ...Isolate.
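The ipconfig /all versus arp -a comparison described above can be scripted as a check for this condition on a Windows host. This is an added example, not part of the original post: the sample command output is constructed, and the function names and the optional expected_mac baseline are assumptions.

```python
import re

# Constructed sample output for illustration (not captured from a real host).
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   IPv4 Address. . . . . . . . . . . : 192.168.1.103
   Default Gateway . . . . . . . . . : 192.168.1.1
"""
ARP_POISONED = """\
Interface: 192.168.1.103 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.50          00-11-22-33-44-55     dynamic
"""
ARP_CLEAN = ARP_POISONED.replace("00-1a-2b-3c-4d-5e", "00-aa-bb-cc-dd-ee")

MAC_RE = r"(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}"

def norm(mac):
    """Normalise a MAC to lower-case, colon-separated form."""
    return mac.lower().replace("-", ":")

def local_macs(ipconfig_text):
    """MAC addresses of this machine's adapters, from `ipconfig /all`."""
    found = re.findall(r"Physical Address[ .]*:\s*(" + MAC_RE + ")", ipconfig_text)
    return {norm(m) for m in found}

def arp_table(arp_text):
    """Map IP -> MAC from `arp -a` output."""
    rows = re.findall(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(" + MAC_RE + r")\s+\w+", arp_text, re.M)
    return {ip: norm(mac) for ip, mac in rows}

def check_gateway(ipconfig_text, arp_text, gateway_ip, expected_mac=None):
    """Classify the gateway's ARP entry: no-entry, isolated, changed or ok.
    expected_mac is an optional known-good baseline (an assumption of this example)."""
    mac = arp_table(arp_text).get(gateway_ip)
    if mac is None:
        return "no-entry"
    if mac in local_macs(ipconfig_text):
        return "isolated"   # gateway IP resolves to our own adapter
    if expected_mac and mac != norm(expected_mac):
        return "changed"    # gateway IP resolves to an unexpected MAC
    return "ok"

if __name__ == "__main__":
    print(check_gateway(IPCONFIG_SAMPLE, ARP_POISONED, "192.168.1.1"))  # isolated
    print(check_gateway(IPCONFIG_SAMPLE, ARP_CLEAN, "192.168.1.1"))     # ok
```

A static ARP entry for the gateway on the host, or dynamic ARP inspection on the switch, keeps the gateway mapping from being overwritten in the first place.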

Resources/Good reading:
http://wcosughacking.blogspot.com/2008/07/isolate-ip.html
