In my ongoing journey to better understand network security, I decided to experiment with Man-in-the-Middle (MITM) attacks using the text-based version of Ettercap. My goal was to intercept and analyze the traffic between my iPhone and my router, simulating a real-world MITM attack. To further break down the captured traffic, I used Wireshark to go through the TCP streams and examine the data being transmitted.
Here’s a look at how I conducted the attack, captured the data, and analyzed the results using both Ettercap and Wireshark.
What is a Man-in-the-Middle Attack?
A MITM attack occurs when an attacker secretly intercepts communication between two parties, allowing the attacker to monitor, alter, or steal sensitive information. By using Ettercap, I positioned my laptop as the “man in the middle” between my iPhone and my router to study the network traffic flowing between them.
Setting Up the Attack with Ettercap
To intercept my iPhone’s traffic, I used the following Ettercap command:
sudo ettercap -T -S -i wlo1 -M arp:remote /192.168.8.1// /192.168.8.167//
This command does the following:
- sudo: Elevates privileges, which are needed for intercepting network traffic.
- ettercap: Executes the Ettercap program.
- -T: Runs Ettercap in text mode (no graphical interface).
- -S: Suppresses extra output, running in “silent” mode.
- -i wlo1: Specifies my wireless network interface, wlo1, as the one to use for the attack.
- -M arp:remote: Initiates ARP poisoning, a common MITM attack technique, targeting remote hosts on the same network.
- /192.168.8.1//: The IP address of my router.
- /192.168.8.167//: The IP address of my iPhone.
This setup allowed me to intercept and capture the communication between my iPhone and the router. The intercepted traffic was saved as a pcap (packet capture) file for deeper analysis later on.
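The flip side of arp:remote is what a defender on the same LAN can watch for: the gateway's IP suddenly resolving to a new MAC, or one MAC answering for several IPs at once. The script below is an added example (not part of this post and not Ettercap code) that runs those two checks over a constructed list of ARP replies; the laptop MAC, the phone MAC and the timestamps are all made up, only the two IP addresses come from the command above.

```python
"""Detect ARP cache poisoning from a stream of ARP replies (constructed sample data)."""
from collections import defaultdict

ROUTER_IP = "192.168.8.1"  # gateway address from the post

# Constructed ARP replies as (timestamp, sender_ip, sender_mac). All MACs are
# invented. The last two rows are what a victim would see while a third host
# claims both the gateway's and the phone's address.
ARP_REPLIES = [
    (0.0, "192.168.8.1",   "11:22:33:44:55:66"),  # real router, learnt early
    (1.0, "192.168.8.167", "aa:aa:aa:aa:aa:01"),  # phone
    (2.0, "192.168.8.42",  "de:ad:be:ef:00:01"),  # laptop announcing itself
    (3.0, "192.168.8.1",   "de:ad:be:ef:00:01"),  # laptop now claims to be the router
    (3.5, "192.168.8.167", "de:ad:be:ef:00:01"),  # ...and the phone
]


def detect_arp_spoof(replies, trusted=None):
    """Return a list of alert strings for suspicious ARP replies.

    Two checks: (1) an IP whose MAC differs from the one first learnt (or from a
    pinned `trusted` ip->mac mapping, e.g. the gateway), and (2) one MAC answering
    for more than one IP, the footprint of poisoning both ends of a conversation.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac          # first sighting: learn it
        elif known != mac:
            alerts.append(f"t={ts}: {ip} moved from {known} to {mac}")
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and len(mac_to_ips[mac]) > before:
            alerts.append(f"t={ts}: {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoof(ARP_REPLIES, trusted={ROUTER_IP: "11:22:33:44:55:66"}):
        print(line)
```

Pinning the gateway's real MAC in `trusted` is the software equivalent of a static ARP entry on the client; on managed switches the same idea is enforced network-wide as Dynamic ARP Inspection.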
Analyzing the Traffic with Wireshark
After capturing the traffic with Ettercap, I used Wireshark to open the pcap file and dive deeper into the data. Wireshark is a powerful network protocol analyzer that allows you to inspect the details of network packets.
Here’s how I analyzed the traffic coming from my iPhone:
- Loading the pcap file: After opening Wireshark, I loaded the pcap file generated by Ettercap. This file contained all the packets intercepted during the MITM attack.
- Filtering for relevant traffic: Since I was primarily interested in my iPhone’s traffic, I applied a display filter in Wireshark to isolate packets coming from my iPhone’s IP address:

  ip.src == 192.168.8.167

  This filter helped me focus only on the traffic originating from my iPhone, making it easier to analyze the data.
- Following TCP streams: One of the most useful features in Wireshark is the ability to follow TCP streams. This feature reconstructs the data flow between two endpoints, making it easy to view entire conversations. To follow a TCP stream:
  - I right-clicked on any packet in the list.
  - Selected “Follow” and then “TCP Stream” from the context menu.
- Identifying patterns: I observed various types of traffic such as DNS requests, HTTP traffic, and encrypted HTTPS traffic. This reinforced the importance of encryption in protecting sensitive data from being intercepted and read by attackers.
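To make the three Wireshark steps concrete (the ip.src filter, Follow TCP Stream, and sorting traffic into DNS/HTTP/HTTPS), here is an added example, not code from this post or from Wireshark, that does the same over a pcap file built in memory. The capture is constructed: it holds one DNS query to the router, one HTTP request/response pair and the first TLS record of an HTTPS connection, with 203.0.113.10 as a made-up web server; only the two 192.168.8.x addresses come from the post. Classifying by well-known port is an assumption that is good enough for this data.

```python
"""Minimal ip.src filter + 'follow stream' over an in-memory pcap (constructed sample data)."""
import struct
from collections import defaultdict

IPHONE = "192.168.8.167"   # addresses from the post
ROUTER = "192.168.8.1"
WEB = "203.0.113.10"       # constructed: documentation (TEST-NET-3) address

SERVICES = {53: "DNS", 80: "HTTP", 443: "HTTPS"}  # assumption: classify by well-known port


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_frame(src_ip, dst_ip, proto, sport, dport, payload):
    """Ethernet/IPv4/{TCP,UDP} frame. Checksums stay zero: fine for parsing, not for sending."""
    if proto == 6:   # TCP: 20-byte header, PSH|ACK, seq/ack 1
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:            # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     _ip(src_ip), _ip(dst_ip)) + l4
    eth = bytes.fromhex("aabbcc000001") + bytes.fromhex("aabbcc000002") + b"\x08\x00"
    return eth + ip


def build_pcap(frames):
    """Classic libpcap layout: 24-byte global header, then a 16-byte header per record."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


def parse_pcap(data):
    """Return one dict per IPv4 TCP/UDP packet: src, dst, proto, sport, dport, payload."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off, pkts = 24, []
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        total = struct.unpack("!H", ip[2:4])[0]
        l4 = ip[ihl:total]
        sport, dport = struct.unpack("!HH", l4[:4])
        if proto == 6:
            payload = l4[(l4[12] >> 4) * 4:]   # skip TCP header (data offset in 32-bit words)
        elif proto == 17:
            payload = l4[8:]
        else:
            continue
        pkts.append({"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
                     "proto": proto, "sport": sport, "dport": dport, "payload": payload})
    return pkts


def filter_src(pkts, ip):
    """Equivalent of the Wireshark display filter  ip.src == <ip>."""
    return [p for p in pkts if p["src"] == ip]


def follow_streams(pkts):
    """Group both directions of each conversation, like Follow > TCP Stream."""
    streams = defaultdict(list)
    for p in pkts:
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        key = (p["proto"],) + tuple(sorted([a, b]))   # direction-independent key
        streams[key].append((p["src"], p["payload"]))
    return dict(streams)


def summarize(pkts):
    """Count packets per service label (DNS / HTTP / HTTPS / other)."""
    counts = defaultdict(int)
    for p in pkts:
        counts[SERVICES.get(p["dport"]) or SERVICES.get(p["sport"]) or "other"] += 1
    return dict(counts)


def is_cleartext(payload):
    """Crude check: printable ASCII reads like HTTP; a TLS record (0x16 0x03 ...) does not."""
    return bool(payload) and all(32 <= b < 127 or b in b"\r\n\t" for b in payload)


# Constructed capture: DNS query, HTTP request + response, first TLS record of an HTTPS session.
PCAP = build_pcap([
    build_frame(IPHONE, ROUTER, 17, 50000, 53,
                b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"),
    build_frame(IPHONE, WEB, 6, 50001, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    build_frame(WEB, IPHONE, 6, 80, 50001, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nhi"),
    build_frame(IPHONE, WEB, 6, 50002, 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
])

if __name__ == "__main__":
    pkts = parse_pcap(PCAP)
    print("from iPhone:", len(filter_src(pkts, IPHONE)), "packets;", summarize(pkts))
    for key, chunks in follow_streams(pkts).items():
        data = b"".join(c for _, c in chunks)
        print(key, "cleartext" if is_cleartext(data) else "opaque", data[:40])
```

Running it prints the HTTP conversation as readable text and the port 443 stream as opaque bytes, which is exactly the contrast the post describes: the display filter narrows the view, following the stream reassembles the conversation, and only the unencrypted one gives anything away.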
Key Takeaways
The combination of Ettercap and Wireshark gave me a comprehensive view of how MITM attacks work and what kind of data can be intercepted in real-time. Here’s what I learned:
- ARP Poisoning is an effective attack within a local network, but only unencrypted traffic (like HTTP) is easily readable.
- Wireshark’s TCP stream feature is invaluable for analyzing intercepted traffic and following the data flow between devices.
- Encryption Matters: I could see the stark difference between encrypted (HTTPS) and unencrypted (HTTP) traffic. Without HTTPS, sensitive data can be intercepted with ease.
Ethical Considerations
It’s important to reiterate that using MITM techniques on networks without permission is illegal. Always practice ethical hacking and use these tools for learning and strengthening security measures. My goal in using Ettercap and Wireshark was to understand how MITM attacks work so that I can better defend against them in the future.
By leveraging tools like Ettercap and Wireshark, I’m gaining hands-on experience with real-world attack scenarios and deepening my understanding of network security. Stay tuned as I continue my journey in ethical hacking and network analysis!