November 9, 2004

The men behind ettercapNG

Author: Federico Biancuzzi

In 2001 two Italians released the first beta version of ettercap, a network protocol analyzer. This summer they released ettercapNG, which was completely rewritten from scratch with better, modular code, making it easier to add new features and to write and submit patches. Ettercap is now covered in most security books. It's number 9 in the Top 75 Security Tools list of the Nmap Hackers mailing list. NewsForge recently caught up with its authors, Alberto Ornaghi (a.k.a. ALoR) and Marco Valleri (a.k.a. NaGA). Each is 26 years old, and they work as security consultants for two different companies in Milan.

NewsForge: How did your interest in network security start?

ALoR and NaGA:
We were studying for a university exam on networking, and we noticed that network security was more fun than differential equations.

NF: Ettercap was your first open source project. What have you learned about the open source community by developing ettercap?

ALoR and NaGA:
You really realize that it works when you receive a patch for your code from a guy that lives in a country that is 12 time zones from you.

NF: What differences are there in the development process and code organization between ettercap and ettercapNG?

ALoR and NaGA:
Black and white. Ettercap started as a small project. We received very positive feedback from all over the world after the first release. So we decided to implement the huge feature requests from the users. While the code was growing bigger and bigger we realized that we had to change our development process. Something more modular and well-structured was needed to easily implement the new features we were planning for the future. So we rewrote the code from scratch with the big picture in mind. Clean code is required if you want other people to understand it and give you patches.

NF: Why have you chosen to abandon the first-generation standalone engine and introduce a new engine based on external libraries like libpcap / libnet?

ALoR and NaGA:
Because we were too tired to follow the non-standardized implementation of each operating system. Using external libs, that do the dirty jobs for you, makes your programs more portable and maintainable.

NF: Why did you choose the GNU General Public License to distribute your code?

ALoR and NaGA:
We learned many things from other open source projects, so we want to contribute to the community with another open source project. We chose the GPL because it's the most used, so it has to be the best. :)

We don't care about the license dispute between BSD and GPL; what we care about is that the code is released under an open source license and that other people can learn from it.

NF: I live in Italy as you do and I know that in our country it's nearly impossible to find any economic support for this type of project. How could the community help you? Are you looking for Internet services, hardware, maybe a better job?

ALoR and NaGA:
Donations. On the ettercap Web site you can use PayPal to offer us a beer.

Also, it is difficult to test protocols used only by proprietary and very expensive appliances. People interested in our project can give us remote access to systems that we can't buy. We want to thank those who, in the past, gave us such access. Oh, and if you have a Cisco 6500 that you don't use, you can send it to us.

NF: Have you ever noted that some of the best-known open source network tools (ettercap, ntop, hping, windump / winpcap) are developed by Italians? Why do you think we are so interested in networking and security?

ALoR and NaGA:
Here in Italy there aren't private structures that pay for pure research. Research is funded only if there is a short-term return on investment. So Italians do research independently in their spare time and publish their work to the open source community. Investors should consider Italy's potential.

NF: I know you were speakers at the Black Hat Conferences 2003 in Amsterdam and Las Vegas. Do you plan to be present at any other shows?

ALoR and NaGA:
Currently we are quite bored with speaking about man in the middle (MITM) attacks. We will be present in the future, but with completely different topics.

NF: What exactly?

ALoR and NaGA:
Who knows? Probably something about new exploiting techniques.

NF: How can we fight against ARP spoofing?

ALoR and NaGA:
You always have to find a compromise between optimal security and usability. On the client side you can use an IDS or a personal firewall that monitors for suspicious ARP activity. You can also set static ARP entries, but that is hard to deploy and maintain. By the way, these kinds of protections can be fooled easily by other kinds of MITM attacks, such as port stealing (implemented in ettercap). The best approach is to use network appliances that are specifically designed to prevent this kind of threat. A big vendor has done great work on it but its products are still too expensive for the average user.

NF: Is there any method to spot ettercap while it's running inside a network?

ALoR and NaGA:
Ettercap itself can spot other active sniffers' activity, both in passive and active ways. Every attack has a specific pattern that can be spotted. Some attacks, such as ARP poisoning, can be spotted on the client side by a good personal firewall. Other attacks, such as port stealing, can only be stopped by administrators tuning network appliances or using network intrusion detection systems.
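The two answers above describe the client-side check a personal firewall or IDS performs: watch ARP replies, remember which MAC each IP has claimed, and raise an alert when an IP suddenly claims a different MAC or one MAC claims many IPs. The following is an added example of that passive check, written for this page and not code from ettercap or its authors; the ARP records, addresses and the `max_ips_per_mac` threshold are constructed assumptions, and the monitor reads from an in-memory list rather than a live capture so that it runs offline.

```python
"""Passive ARP-poisoning detector (added example, not ettercap code).

Models the host-side check described in the interview: keep a table of
IP -> MAC bindings learned from ARP replies, honour administrator-supplied
static entries, and alert on (a) an IP changing its MAC, (b) a reply that
contradicts a static entry, (c) one MAC claiming an unusual number of IPs.
All input below is constructed, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """The fields of an ARP reply the check needs (constructed records)."""
    sender_ip: str
    sender_mac: str
    gratuitous: bool  # unsolicited reply where target IP == sender IP


class ArpMonitor:
    def __init__(self, trusted=None, max_ips_per_mac=3):
        # Static entries the administrator trusts; these are never overwritten.
        self.table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.static = set(self.table)
        self.max_ips_per_mac = max_ips_per_mac  # assumed threshold
        self.ips_by_mac = defaultdict(set)
        for ip, mac in self.table.items():
            self.ips_by_mac[mac].add(ip)
        self.flagged_macs = set()  # avoid repeating the "many IPs" alert
        self.alerts = []

    def observe(self, reply):
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        known = self.table.get(ip)
        if known is None:
            # First time we see this IP: learn the binding.
            self.table[ip] = mac
        elif known != mac:
            kind = "static-entry-conflict" if ip in self.static else "mac-change"
            self.alerts.append({"kind": kind, "ip": ip, "old": known, "new": mac,
                                "gratuitous": reply.gratuitous})
            if ip not in self.static:
                # Dynamic entry: record the change so a flapping host is
                # reported on every flip, not just once.
                self.table[ip] = mac
        self.ips_by_mac[mac].add(ip)
        claimed = self.ips_by_mac[mac]
        if len(claimed) > self.max_ips_per_mac and mac not in self.flagged_macs:
            # One station answering for many IPs is the signature of a
            # poisoner impersonating every host it wants to intercept.
            self.flagged_macs.add(mac)
            self.alerts.append({"kind": "mac-claims-many-ips", "mac": mac,
                                "ips": sorted(claimed)})


def analyze(replies, trusted=None, max_ips_per_mac=3):
    """Run the monitor over a sequence of replies and return its alerts."""
    mon = ArpMonitor(trusted=trusted, max_ips_per_mac=max_ips_per_mac)
    for r in replies:
        mon.observe(r)
    return mon.alerts


# Constructed scenario: a trusted gateway, one legitimate host, then a single
# station (...:66) answering for the gateway and for several other hosts.
TRUSTED = {"10.0.0.1": "aa:bb:cc:00:00:01"}
SAMPLE_REPLIES = [
    ArpReply("10.0.0.5", "aa:bb:cc:00:00:05", False),   # normal host
    ArpReply("10.0.0.1", "aa:bb:cc:00:00:66", True),    # contradicts static entry
    ArpReply("10.0.0.5", "aa:bb:cc:00:00:66", False),   # host's MAC "changes"
    ArpReply("10.0.0.7", "aa:bb:cc:00:00:66", False),
    ArpReply("10.0.0.8", "aa:bb:cc:00:00:66", False),   # 4th IP for one MAC
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_REPLIES, TRUSTED):
        print(alert)
```

The example also illustrates the caveat in the answer: it sees only ARP frames that reach the monitoring host's NIC, so a port-stealing flood, whose frames are addressed to the attacker's own MAC, never arrives at other stations and leaves no conflicting binding to alert on. Catching that requires visibility on the switch side, which is why the authors point to network appliances or a NIDS for it.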

NF: Are you looking for developers or testers for any particular platforms?

ALoR and NaGA:
We are always happy to find new developers. We are currently searching for Mac OS X developers.

NF: Have you heard of any innovative or unexpected use of ettercap, like creating redundancy by sharing the same MAC address?

ALoR and NaGA:
Ettercap NG is a very flexible tool. We've heard about some unexpected uses of its filtering engine. One guy reported that he played with proprietary video streaming. Others used it as a protocol fuzzer, others as a rudimentary firewall. Someone is trying to use it as a traffic shaper, but that is out of its scope.

NF: I know this is an embarrassing question, but have you ever thought that there are probably more people running ettercap for illegal purposes than those studying how it works or using it for authorized tests?

ALoR and NaGA:
Yes. Hey, Nobel invented dynamite for legal purposes and we all know how the story ended. We develop a tool. We are not responsible for the use the people make of it.

NF: Ettercap has been supporting the MITM attack on SSHv1 session for years. Sadly most of the (Open)SSH servers on the Internet support both versions of SSH instead of SSH-2.00. Don't you think that it's time for people to learn that SSHv1 is not secure and use only SSHv2?

ALoR and NaGA:
Yes. And it is even worse to send and receive email in clear text. But users (and even system administrators) are too lazy to change their behaviour. Security and compatibility don't fit in the same sentence.

By the way SSHv2 is vulnerable to some MITM attacks too.

NF: What type of MITM attacks can be used against SSHv2?

ALoR and NaGA:
You can launch a downgrade attack with the integrated filtering engine (banner substitution). You can also fool the RSA/DSA key storage method by proposing a different type of key that the client has never seen before. This method is implemented in SSHarp and will be featured in ettercap very soon.

NF: Do you plan to include a feature to sniff and decrypt an SSHv2 session if one or both private keys are known, maybe thanks to social engineering?

ALoR and NaGA:
We planned to feature full transparent SSH2 sniffing in future releases (actually SSHarp performs a "proxy" attack).

NF: What is port stealing? How does it work?

ALoR and NaGA:
This technique is useful to sniff in a switched environment when ARP poisoning is not effective (for example, where statically mapped ARP entries are used). It floods the LAN with ARP packets. The destination MAC address of each "stealing" packet is the same as the attacker's (other NICs won't see these packets), and the source MAC address is one of the MACs of the victims. This process "steals" the switch's port of each victim.

Using low delays, packets destined for "stolen" MAC addresses will be received by the attacker, winning the race condition with the real port owner. When the attacker receives packets for "stolen" hosts, it stops the flooding process and performs an ARP request for the real destination of the packet. When it receives the ARP reply it's sure that the victim has "taken back" his port, so ettercap can resend the packet to the destination as is. Now we can restart the flooding process and wait for new packets.

NF: Does the NG version provide any wireless-specific feature?

ALoR and NaGA:
Yes, it can sniff and decrypt WEP-secured traffic, provided the correct key. You can use your preferred WEP-cracking tool to obtain it.

NF: What hardware and OS do you use for ettercap development?

ALoR and NaGA:
Linux on x86 is the main development platform. We also have Solaris on SPARC, and VMware covers all the rest.

NF: Why have you chosen to create a version for Windows?

ALoR and NaGA:
Because our mailboxes were full of users' requests for Windows porting and our antispam filter started to get confused. :)

NF: What features would you like to include in future versions?

ALoR and NaGA:
One of the next versions will include a feature to extract complete files from active connections for common protocols like HTTP, FTP, POP, SMTP, and TFTP. Obviously we will also try to add as many new protocol dissectors as we can. At the moment I can cite TACACS, Microsoft RPC, PostgreSQL, pcAnywhere, TDS, Microsoft SQL Server, YahooMSG, rdesktop, and MSN9. There are also some ideas about how to handle fragmented packets and to permit sniffing on multiple interfaces of the same gateway. Also, decoding the internal connection made via SOCKS could be useful. We're planning to add IPv6 support to take advantage of some interesting features of that new protocol, like router discovery (NDIS MITM!). I think we'll write a Rendezvous MITM plug-in too. Finally, SSH2 dissection -- yes, it can be done.
