Man in the Middle Attack [MITM] using Ettercap, dSniff Tools and Wireshark

August 11, 2015 | Views: 26218


Hello and welcome to this tutorial,

As you can read in the title, we’re going to perform a ‘Man in the Middle Attack’ using Ettercap, dSniff tools and of course, my favorite, Wireshark.

Just to let you know, I’ve performed this attack on my Mac. For those of you using BackBox, Kali or others, load up your terminal and enable monitor mode by typing the following: airmon-ng start [interface]

But do this only if the interface isn’t working when you perform the attack. Check ifconfig to see what your interface is, then follow these steps to see if it will work. Sometimes, it’s required that you have monitor mode enabled.


(Screenshot: how it looks when monitor mode is enabled.)

Now that you’ve done that, let’s start the actual attack.

In your terminal, type ‘ettercap -G’. The -G means graphical and loads the GUI for ettercap, as opposed to -C, for example, which loads ettercap up inside the terminal. Please pay attention: sometimes ettercap has to be run as ‘root’, so use ‘sudo’ for that.


Now that you have ettercap up and running, do the following:

  1. Sniff
  2. Unified Sniffing
  3. Your interface (make sure to pick the correct interface, else it won’t work!)

Once you’ve picked your interface, let’s scan for hosts by pressing the following:

  1. Hosts
  2. Scan for hosts

Once the scan has finished, you’ll see in the box: ‘x hosts added to hosts list.’ If nothing appears, something went wrong. Make sure your config in ettercap is properly set up and that you picked the correct interface.

Press on ‘Hosts’, hold Ctrl down while clicking on each of them, and choose ‘Add to Target 1’. When done, press on ‘MITM’ and click on ‘ARP Poisoning’.

A box will appear. Mark ‘Sniff remote connections’ and, of course, click OK. Now, head over to Start and hit ‘Start Sniffing.’

You’ve actually just performed the Man in the Middle attack.
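What the ARP poisoning step above looks like from the defender's side, as an added example that is not part of the original tutorial: a Python check that tracks IP-to-MAC bindings seen in ARP replies and flags an IP address that moves to a different MAC, and a single MAC that answers for several IPs. The sample replies, the addresses and the function name detect_arp_poisoning are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (timestamp, sender_ip, sender_mac) as read from ARP replies.
# All addresses are made up for illustration.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # gateway, genuine
    (1.2, "192.168.1.20", "aa:aa:aa:aa:aa:20"),  # workstation, genuine
    (5.0, "192.168.1.1",  "cc:cc:cc:cc:cc:99"),  # gateway IP claimed by another MAC
    (5.1, "192.168.1.20", "cc:cc:cc:cc:cc:99"),  # same MAC also claims the workstation
    (6.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # genuine gateway answers again
]

def detect_arp_poisoning(replies):
    """Return a list of (timestamp, kind, detail) alerts.

    kind is 'binding-changed' when an IP moves to a different MAC and
    'mac-claims-many' when one MAC answers for more than one IP.
    """
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ts, "binding-changed", f"{ip}: {previous} -> {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((ts, "mac-claims-many", f"{mac}: {sorted(mac_to_ips[mac])}"))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
```

Either alert can also have a benign cause, such as a DHCP lease being reassigned or a router doing proxy ARP, so treat each one as a lead to verify against the known gateway MAC.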

Let’s continue. We’re going to spy on the users on our network by sniffing what they’re browsing. We’re going to use urlsnarf. If you’re using Kali Linux, it already has this tool.

The command for urlsnarf is the following: ‘urlsnarf -i interface’. You’ll now see information about which machines are browsing and what they’re browsing.

Inside Wireshark, we want to sniff, for example, usernames/passwords. It’s simple and easy! Type ‘http’ in the filter, and isn’t that beautiful? You’re seeing all the HTTP traffic, and you’re looking for ‘POST’ requests. Pay attention, and whenever you’re done, just stop Wireshark and go through it all.

(Go through different dSniff tools, and try out some others yourself. It doesn’t hurt :))


Feel free to PM me with any questions.

  1. Glad that you all like this share. Hope that everyone can use this and hopefully also execute it perfectly. Otherwise, PM me in advance if there are any problems.

    Best regards, Kevin Mark.

  2. It reminds me of my early days hacking. Thanks.

  3. This is a very helpful tutorial, thank you!

  4. Bettercap works better.

  5. Hello. I’ve noted that if I use arpspoof to redirect traffic of a certain host to me:

    arpspoof -i eth0 -t

    I get the packets as expected, and with Wireshark I see the poisoned ARP requests. On the victim host I can see the poisoned ARP table.

    OK, now if I add this arpspoof:

    arpspoof -i eth -t

    suddenly the poisoned row in the victim’s ARP table disappears in favor of the correct one.
    Why does this happen?
