Network Attacks Lab


Many of these attacks will work on both WIRED and WIRELESS targets.

You can use any of:

1) Ubuntu Desktop WIRED, or

2) Boot BackTrack Desktop WIRED, or

3) Boot BackTrack on your Notebook WIRELESS

The three tools we will try are: 

dsniff tools, ettercap, and aircrack



1 -- % dsniff

Let's run %dsniff, and see if we sniff any passwords

or password hashes during this lab.

a) open a Terminal window in your secondary Workspace

b) in that Terminal just type:


Just leave it running in that window.

We'll come back and look at this window at the end of the lab

2 -- % macof

("macof" stands for "MAC OverFlow...").

Let's flood the lookup table of the switch and see if we start

to see more traffic.  First we want to launch a traffic analysis

tool, such as %iptraf, to see what the normal traffic rate is.

a) run iptraf, select monitor mode for your main interface


b) leave that running in a window

c) open another window and run


d) did you start seeing a lot more TCP connections

in the iptraf window? __________________________________

3 -- % arpspoof

a) Pick 2 machines in your group for this exercise.

Machine #1 is the VICTIM

Write Down the IP Address of Machine #1 ___________________

Visit the Website

Look at your ARP Cache.  ( arp -a, or ip neighbor show )

What is the MAC Address of the Gateway? ___________________

b) Machine #2 is the Attacker

-- Install/Start APACHE on Machine #2

-- Change the Default Webpage on Machine #2 to Say: "Owned by Group #<Your Group>"

  This is probably in the directory /var/www/html/index.html

-- Check your webpage with a browser so you know it is working.

c) figure out what the IP Address of the Default Gateway

is on your network.  Example: netstat -r -n

Default route should start with then the Gateway IP address

d) Attack Machine #1 from Machine #2

arpspoof -t <VICTIM-IP-ADDRESS> <GW-IP-ADDRESS>

e) now have the VICTIM connect to

Did they see your webpage? _____________________________

f) Have the VICTIM look at the ARP Cache.

What is the MAC Address of the Gateway?____________________

If this attack does not work, try it one more time.
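
A defensive check that automates the before/after ARP cache comparison from steps 3a and 3f. This is an added example, not part of the original lab; the IP and MAC addresses are constructed sample data and the function names are illustrative.

```python
import re

# Constructed sample: the VICTIM's `arp -a` output before and after the exercise.
BEFORE = """\
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.20) at 00:aa:bb:cc:dd:20 [ether] on eth0
"""
AFTER = """\
? (192.168.1.1) at 00:aa:bb:cc:dd:20 [ether] on eth0
? (192.168.1.20) at 00:aa:bb:cc:dd:20 [ether] on eth0
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.IGNORECASE)


def parse_arp_cache(text):
    """Return {ip: mac} from `arp -a` or `ip neighbor show` output."""
    cache = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:  # entries without a MAC (incomplete/FAILED) are skipped
            cache[ip.group(1)] = mac.group(1).lower()
    return cache


def find_spoofing(before, after, gateway_ip):
    """Compare two ARP cache snapshots taken on the same host."""
    old, new = parse_arp_cache(before), parse_arp_cache(after)
    gw_old, gw_new = old.get(gateway_ip), new.get(gateway_ip)
    changed = (gw_old, gw_new) if gw_old and gw_new and gw_old != gw_new else None
    # One MAC answering for several IPs is the usual side effect of ARP
    # poisoning: the attacker's own IP and the gateway IP map to the same MAC.
    by_mac = {}
    for ip, mac in new.items():
        by_mac.setdefault(mac, []).append(ip)
    shared = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return {"gateway_changed": changed, "shared_macs": shared}


if __name__ == "__main__":
    result = find_spoofing(BEFORE, AFTER, "192.168.1.1")
    if result["gateway_changed"]:
        print("gateway MAC changed: %s -> %s" % result["gateway_changed"])
    for mac, ips in result["shared_macs"].items():
        print("MAC %s claimed by %s" % (mac, ", ".join(ips)))
```

A shared MAC can also be legitimate (a host with several addresses, proxy ARP), so treat it as a lead to check rather than proof.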



1 -- % ettercap MITM #1

Let's see if we can run a Man-In-The-Middle Attack.

For this exercise, we need three machines: 2 Victims

and 1 Attacker.  Write down the IP Addresses:

a) IP of VICTIM #1 _________________________________________

b) IP of VICTIM #2 _________________________________________

c) IP of ATTACKER ________________________________________

Run A Sniffer On the ATTACKER Machine to Watch For Traffic

ex. tshark -n -i eth0



d) try the attack

ettercap -T -M arp  /victim1/    /victim2/

e) now have VICTIM1 send traffic to VICTIM2,

for example, on VICTIM1 say:

telnet <IP-OF-VICTIM2>

f) Did you see the traffic on the ATTACKER machine?________________

2 -- % ettercap MITM #2

Keep your traffic sniffer running on the attack machine.

Let's try another attack with ettercap.

a) IP of VICTIM_________________________________

b) IP of GATEWAY______________________________

ettercap -T -M arp:remote /VICTIM-IP/ /GATEWAY-IP/ 

c) Try some Remote Traffic on the VICTIM, ex.

d) Do you see the traffic on the ATTACKER machine?____________________

e) Add the plugin option

ettercap -T -P repoison_arp -M arp:remote /VICTIM-IP/ /GATEWAY-IP/

Try it again.



Let's try and knock someone off of their AP connection.

We'll send management frames to disassociate them from their AP.

a) select a wireless VICTIM

b) what is the wireless MAC Address of VICTIM ____________________

c) what is the wireless MAC Address of the AP_____________________

(Just have the victim look at %iwconfig output)

d) Launch the attack:

aireplay -0 1  -a AP-MAC  -c VICTIM-MAC [interface]

NOTE: the MAC notation is: 00:11:22:33:44:55

e) did the VICTIM lose connection during the attack???_________________

--- END