On Path Attacks: File Transfer Capture with Ettercap and Wireshark
Introduction
An on-path position can be leveraged to capture file transfers between targets. In this write-up, we will capture SMB (Server Message Block) file transfers from a client to a ShareDrive folder.
Disclaimer:
All information, techniques, and tools described in this write-up are for educational purposes only. Use anything in this write-up at your discretion; I cannot be held responsible for any damages caused to any systems or yourselves legally. Using all tools and techniques described in this write-up for attacking individuals or organizations without their prior consent is highly illegal. You must obey all applicable local, state, and federal laws. I assume and accept no liability and will not be responsible for any misuse or damage caused by using the information herein.
Lab Setup
- VirtualBox
- Windows 10 VM (Client)
- Windows Domain Controller (ShareDrive folder)
- Kali Linux VM (Attacker)
Conduct ARP Poisoning with Ettercap
The Ettercap application can be used for ARP poisoning to achieve an on-path position. In this section, we will conduct ARP poisoning with Ettercap on Kali Linux.
In the Ettercap application, press the check mark icon to Accept the initial configuration.

Press the magnifying glass icon to Scan for hosts.

Press the server stack icon to view the Hosts list, which shows the hosts identified in the scan.

The scan for hosts on the network will take a couple of minutes to complete.
In the Ettercap application Host List, select the Windows machine (192.168.0.4) and then select Add to Target 1.