The Main Event: Battle Of the Sniffers

Upload: clarissa-jennings

Post on 13-Dec-2015

Page 1: 1 The Main Event Battle Of the Sniffers. ● The Champion – Ethereal: Network Analyzer ● The Challenger – Ettercap: Network Security Suite

The Main Event

Battle Of the Sniffers

Battle Of the Sniffers

● The Champion

– Ethereal: Network Analyzer

● The Challenger

– Ettercap: Network Security Suite

A look at Ettercap

● Ettercap: Features

– Packet Sniffing

● Unified Sniffing

● Bridged Sniffing

– Logging

– Real Time Data Views

● Live Connections / Man-in-the-Middle

A look at Ettercap

● Ettercap: Requirements

● Unix Based OS

● Windows NT/2000/Server 2003

● Libraries

– libpcap 0.81 or higher

– libnet 1.2.1.1 or higher

– libpthread

– zlib

– Optional: GTK+, Ncurses, OpenSSL

A look at Ettercap

● Ettercap: Installation

– Website Download Available at:

● http://ettercap.sourceforge.net/

– Linux Installation

● Decompress using tar/gzip

● ./configure.sh

● make

● make install

A look at Ettercap

● Ettercap: The GUI

– Ncurses GUI

● Main Window

Using Ettercap

● Getting ready to sniff

– Select ”Sniff”

– Select ”Unified Sniffing”

Using Ettercap

● Sniffing Screen

Using Ettercap

● Performing the Sniff

– Select ”Start”

– Select ”Start Sniffing”

– Press ”ENTER”

– Stop the Sniff by selecting ”Stop Sniffing”

Using Ettercap

● Features While Sniffing:

– Statistics.

– Select ”View” then ”Statistics”

– Results updated in real time.

Using Ettercap

● Features While Sniffing:

– Connection View

– Select ”View” then ”Connections”

– Results updated in real time.

Using Ettercap

● Features While Sniffing:

– Connection Details

– Choose a connection in the Live Connections list and press ”ENTER”

– Results updated in real time.

Using Ettercap

● More Features:

– Host Scanning and targeting.

– Plug-In System.

– Logging.

– Inject Information

The Sniffing Experiment

● Three Trials

– HTTP Request / Response

– Secure HTTP Request / Response

– FTP Transaction

● Testing Platform

– Pentium 3 Linux Computer

– Fedora Core 2

First Trial: HTTP Transaction

● Website: www.kmaxmedia.com

● Ethereal

– Showed very detailed information about each packet.

– Setup of Connection

– Request / Response

– Closure of Connection

– Also showed every packet that was used in the transaction.

First Trial: HTTP Transaction

● Ethereal

First Trial: HTTP Transaction

● Ettercap

– Successful in sniffing the request and response.

– But Ettercap would only sniff the payload.

– Doesn't capture packet information.

– Indications of timed caching of information.

● Due to this, sometimes would erase the information.

First Trial: HTTP Transaction

● Ettercap

Second Trial: HTTPS Transaction

● Web Site: CIBC

Kaleem's Bank Account

Second Trial: HTTPS Transaction

● Both sniffers were unable to show the plaintext.

– 128-Bit Encryption at work.

– Ettercap does have a feature to allow it to give a fake certificate for an attack but the environment was not ideal.

● However, Ethereal recognized the public key used.

Second Trial: HTTPS Transaction

● Ethereal

Second Trial: HTTPS Transaction

● Ettercap

Third Trial: FTP Transaction

● An FTP login was performed on ftp.kmaxmedia.com. This included a username and password.

● Both sniffers were able to successfully get the username and password information. But the presentation of the information was different.

● Information was more readable in Ettercap.
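An added example, not part of the original slides: a small audit routine that shows why the three trials came out as they did, by classifying the first client bytes of a connection as cleartext HTTP, TLS, or cleartext FTP, and flagging FTP logins sent in the clear without ever returning the password. The payloads are constructed samples, the function names are hypothetical, and the TLS check assumes a record-layer handshake.

```python
import re

# Constructed first client bytes for each trial (not captures from the slides).
SAMPLES = {
    "http": b"GET / HTTP/1.1\r\nHost: www.kmaxmedia.com\r\n\r\n",
    # TLS record header (handshake, version 3.1) followed by opaque filler bytes.
    "https": bytes.fromhex("1603010030") + bytes(48),
    "ftp": b"USER demo\r\nPASS example-secret\r\nSYST\r\n",
}

HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
FTP_CMD = re.compile(rb"^(USER|PASS) ([^\r\n]*)\r?$", re.M)


def classify(payload: bytes) -> str:
    """Say what a passive observer can tell from the client's bytes."""
    # TLS record layer: content type 0x16 (handshake), major version 3.
    if len(payload) >= 5 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if HTTP_REQ.match(payload):
        return "http-cleartext"
    if FTP_CMD.search(payload):
        return "ftp-cleartext"
    return "unknown"


def ftp_login_exposures(payload: bytes) -> list:
    """List cleartext FTP logins; the password itself is never returned."""
    findings, user = [], None
    for cmd, arg in FTP_CMD.findall(payload):
        if cmd == b"USER":
            user = arg.decode("ascii", "replace")
        elif cmd == b"PASS" and user is not None:
            findings.append({"user": user, "password_len": len(arg)})
            user = None
    return findings


def audit(samples: dict) -> dict:
    """Map each sample name to (classification, exposed logins)."""
    return {name: (classify(p), ftp_login_exposures(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, result in audit(SAMPLES).items():
        print(name, result)
```

Any connection reported as `ftp-cleartext` with a non-empty exposure list is a service whose logins are readable on the wire, which is the case for moving it to an encrypted transport.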

Third Trial: FTP Transaction

● Ethereal

Third Trial: FTP Transaction

● Ettercap

The Battle: Some Observations

● During the Sniffing

● Ethereal would only show statistics on the type of packets sniffed while Ettercap would show statistics, profiles, connections and more in real time.

● Ettercap would notify the user of any personal authentication information heard on the wire the minute it appears, in the user messages section.

The Battle: Some Observations

● Extras

● Ethereal

● Thorough information of packets.

● Broad support for most protocols.

● Filtering features to help organize packets.

● Can read capture logs from over 20 programs.

● Ettercap

● Real time information delivered while sniffing.

● A sniffer with weaponry.

● Custom plugin support.

The Verdict

● Ethereal

● Best suited for packet analysis.

● Ettercap

● Best suited to test security of a network.

– Supplies the user with a variety of tools.

● Plugins

● Bridged Sniffing

● Attacks

● Not just a sniffer.

Ettercap: Pros and Cons

● Pros

– Very, very powerful tool.

– Easy to use GUI interface.

– Real Time Information while sniffing.

– Ability to perform attacks easily.

● Cons

– Can be difficult to compile for Windows.

– Curses GUI not too stable. Overlaps tables.

– More documentation could be useful.

The Conclusion

● ”With the dust settling in the battle of the sniffers, the new Ettercap proved to be a worthy foe against Ethereal possessing immense manipulating power which can change a network’s environment. However, it still needs time to develop itself into a robust, dependable and mature tool like Ethereal.”

– Kaleem Maxwell