Monday, January 5, 2015

How to do a MITM attack with ettercap and xplico

There's a number of ways of doing a MITM attack, like urlsnarf or driftnet, however today I want to do it using an interesting tool called xplico, which makes it very easy to make sense of the captured data. apt-cache search lists xplico as a Network Forensic Analysis Tool (NFAT), however we are going to use it offensively instead. For more information on how ARP spoofing works please visit oxid.it. It's not installed by default on Kali but you can easily install it by running
apt-get install xplico
It's slightly less than 30MB so it shouldn't take long.
We then run the command
ettercap -G

and in the GUI choose:
sniff --> unified sniffing --> eth0
select OK
hosts --> scan for hosts
You might want to run the scan twice, then
click hosts --> hosts list

My default gateway is 172.16.163.2 and the ip address of the target windows 7 box is 172.16.163.133.

Before we start we first check the ARP table on the Windows 7 box and find that the MAC addresses for the Windows 7 and Kali boxes are different, as they should be. If you saw the animation of ARP spoofing on oxid.it you'll quickly notice that the first step is to fool the ARP table of the victim into believing that the Kali box is the default gateway.
We go back to the Kali box, click mitm, select arp-poisoning, tick the option "sniff remote connections" and click OK.
Be sure to enable IP forwarding on the Kali box by running the command
echo 1 > /proc/sys/net/ipv4/ip_forward
otherwise the attack becomes a DoS, since the intercepted packets will not be forwarded on to the victim. You can run cat /proc/sys/net/ipv4/ip_forward to ensure that you've correctly enabled forwarding; it should print a value of 1.


When we go back and check the ARP table on the Windows 7 machine we find that the MAC addresses for the default gateway and the Kali box are now the same: in our case the entries for 172.16.163.131 (Kali box) and 172.16.163.2 (default gateway) show an identical MAC. So we've successfully fooled the Windows 7 box into thinking that the MAC address of the default gateway is that of our Kali box.
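The check performed by eye on the Windows 7 box above (two IP addresses in the ARP cache sharing one MAC, one of them the gateway) is the classic symptom of ARP spoofing, and it is what a defender looks for on a host. The following is an added example, not code from the original post or from ettercap/xplico: it parses ARP cache output in both the Windows "arp -a" and Linux "ip neigh" layouts, groups IPs by MAC, and flags a gateway whose MAC is also claimed by another host. The sample ARP tables and the MAC addresses in them are constructed for the example (the post does not list the real MACs); the IP addresses are the ones used in the post.

```python
import re
from collections import defaultdict

# One ARP entry: an IPv4 address followed (somewhere on the same line) by a MAC.
# Matches Windows "arp -a" (dash-separated MACs) and Linux "ip neigh" / "arp -n"
# (colon-separated MACs). Header lines without a MAC do not match.
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})"
ENTRY_RE = re.compile(IPV4 + r".*?" + MAC)

# Constructed sample: Windows 7 "arp -a" output as it would look while the
# gateway (172.16.163.2) is being spoofed by 172.16.163.131. MACs are placeholders.
SAMPLE_WINDOWS_ARP = """\
Interface: 172.16.163.133 --- 0xb
  Internet Address      Physical Address      Type
  172.16.163.2          00-0c-29-11-22-33     dynamic
  172.16.163.131        00-0c-29-11-22-33     dynamic
  172.16.163.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample: a clean Linux "ip neigh" table, every IP with its own MAC.
SAMPLE_CLEAN_ARP = """\
172.16.163.2 dev eth0 lladdr 00:0c:29:11:22:33 REACHABLE
172.16.163.131 dev eth0 lladdr 00:0c:29:44:55:66 STALE
"""


def normalize_mac(mac):
    """Lower-case and use ':' so Windows and Linux spellings compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: mac} for every unicast entry, skipping broadcast and multicast."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        ip, mac = m.group(1), normalize_mac(m.group(2))
        if mac == "ff:ff:ff:ff:ff:ff":
            continue  # broadcast entry, legitimately shared
        if int(ip.split(".")[0]) >= 224:
            continue  # multicast / reserved ranges map to group MACs
        table[ip] = mac
    return table


def find_duplicate_macs(table):
    """Return {mac: sorted [ips]} for every MAC claimed by more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_is_spoofed(table, gateway_ip):
    """True when the gateway's MAC is also claimed by another host in the cache."""
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return False
    return any(ip != gateway_ip and mac == gw_mac for ip, mac in table.items())


def report(text, gateway_ip):
    """Human-readable findings for one ARP table dump."""
    table = parse_arp_table(text)
    lines = []
    for mac, ips in find_duplicate_macs(table).items():
        lines.append("MAC %s claimed by %s" % (mac, ", ".join(ips)))
    if gateway_is_spoofed(table, gateway_ip):
        lines.append("gateway %s shares its MAC with another host: possible ARP spoofing" % gateway_ip)
    return lines or ["no duplicate MACs found"]


if __name__ == "__main__":
    for finding in report(SAMPLE_WINDOWS_ARP, "172.16.163.2"):
        print(finding)
```

On a real host you would feed report() the output of "arp -a" (Windows) or "ip neigh" (Linux) and run it periodically; a gateway whose MAC suddenly matches another station's is exactly the state the post produces on the Windows 7 box. Static ARP entries for the gateway, or switch-side dynamic ARP inspection, are the usual mitigations.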

We then fire up xplico as shown in the screenshot below. We need to start apache first, since xplico runs behind a web server. The netstat command is there to confirm that xplico is running (it listens on port 9876).


Browse to http://localhost:9876 and log in with the default credentials xplico:xplico (username:password).



On the left side of the xplico interface there's a pane where you can create a new case. We'll click new case, select live acquisition and give the case a name; we'll call ours MITM and then click create. You can also upload a previously captured pcap file and decode the data in it.



We'll then enter our newly created case by clicking MITM, click new session and give the session a name; we'll again use MITM and then click create.


We're then given a message saying that the session has been created. We click MITM and are presented with the session data interface, where we select the interface to listen on. In our case it's eth0; yours might be different if you're intercepting on, say, wlan0.

We then go to our Windows 7 box and start browsing. I've searched for flags on Bing.



Over at the Kali box we can see the images we searched for, as shown in the screenshot. What makes xplico special is that it sorts and makes sense of the captured data and presents it in an easy GUI: from the left pane you can pick from a range of formats, from images to videos to emails (if they're in plain text), you can see the DNS names the target has queried, and a range of other stuff.

It might take a while to decode the captured data, depending on the volume of the target's traffic. This is no doubt an amazing tool which you can use to increase your foothold on a network. It has a range of other amazing features, like capturing chat messages etc. Try it out!!!

 
