To get started, you need to have the following requirements:

• A laptop running Kali Linux
• A wireless card that supports running as an access point

I assume you've had some experience with Wireshark (formerly known as Ethereal) by now.  Even if you're new to pen testing, it's hard to avoid Wireshark in lab environments. If you aren't familiar with this fantastic packet analyzer, you'll no doubt be familiar with packet analyzers in general. In fact, a sniffer is a great challenge for anyone learning how to code.  

So, I won't be covering the basics of Wireshark. We are all familiar with packet analyzers as a concept; we know about Wireshark's color-coded protocol analysis and so on. We're going to take Wireshark beyond theory and ordinary capture, and apply it to some practical examples.

In the previous chapter, we fooled around with ARP poisoning in Ettercap. I'm like every other normal person: I love a good ARP spoof. However, it's infamously noisy. It just screams, HEY! I'M A BAD GUY, SEND ME ALL THE DATA! Did you fire up Wireshark during the attack? Even Wireshark knows that something is wrong and warns the analyst "duplicate use detected!" It's the nature of the beast when we're convincing the network to send everything to a single interface – what is called unified sniffing.

Now, we're going to take man-in-the-middle to the next level with bridged sniffing, which is bridging together two interfaces on our Kali box and conducting our operations between the two interfaces. Those interfaces are local to us and bridged...

We've seen just how powerful Ettercap can be out-of-the-box. Where Ettercap really shines is its content filtering engine and its ability to interpret custom scripts. Ettercap makes man-in-the-middle attacks a no-brainer; however, with filters, we can turn a Kali box running Ettercap into, for instance, an IDS. Imagine the combined power of our bridged sniffing attack and custom filters designed to interpret packets and take action on them: dropping them, and even modifying them in transit.

Let's take a look at a basic example to whet our appetite. You may immediately notice the C-like syntax and the similarity to Wireshark display filters. There's a lot of conceptual overlap here; you'll find that analysis of patterns with Wireshark can yield some powerful Ettercap filters:

if (ip.proto == TCP) {
  if (tcp...

Any good pen tester has a variety of tools at his or her disposal. Often, there are different tools that are comparable to each other in functionality, but one does something better than the other and vice versa. A common pain point for the pen tester is the wonderfully powerful tool that is no longer supported, so you make do with what was last updated a decade ago. Hey, if it ain't broke, don't fix it – some attacks, like ARP spoofing, don't change over the years at their core. However, any bugs that were present are there for life. Ettercap has proven itself to security practitioners, and we've seen its power here, but I'm going to wrap up the sniffing and spoofing discussion with the new kid on the block (relatively speaking): BetterCAP.

First, we can grab BetterCAP on Kali very easily as it&apos...

In this chapter, we learned about passive versus active sniffing. We started by exploring wireless LANs in monitor mode, which allowed us to capture data without revealing our presence. We used Airodump-ng to organize the wireless environment and inform more precise sniffing with Wireshark. After exploring the basics with Wireshark, we moved on to advanced statistical analysis of both passive and active sniffing methods. For the active sniffing phase, we connected to a network (thus revealing our presence) and captured data visible to our card. We applied advanced display filters to hone in on interesting packets. within even very large network dumps. We then moved on to advanced Ettercap sniffing techniques, focusing on bridged sniffing with two interfaces. To demonstrate the power of this attack, we configured a malicious access point and set up our Kali box to function...

1. You put your wireless card in monitor mode and capture raw wireless packets without associating with a WLAN. What sniffing concept is this?
2. The BSSID of an access point is the same as the hardware's _____________.
3. Individual devices that are participating in conversations are called ___________ by Wireshark.
4. What is the Wireshark display filter used to find any packet with the TCP ACK flag set?
5. When writing Ettercap filters, you can put a space between a function name and the opening parenthesis. (True | False)
6. What Ettercap filter function will quietly prevent packets from passing to a destination?
7. How do you reduce the verbosity of Ettercap's command line interface?
8. What is the file extension of a binary Ettercap filter?
9. What does ICMP stand for?

• Ettercap main page—https://linux.die.net/man/8/ettercap
• Etterfilter main page which includes details about scripting syntax—https://linux.die.net/man/8/etterfilter.
• Advanced Wireshark usage guide—https://www.wireshark.org/docs/wsug_html_chunked/ChapterAdvanced.html
• RFC 792
• RFC 793