Sunday, February 28, 2010

Basic Arp Poisoning with Ettercap

A simple one-liner in ettercap allows for the poisoning of a network to vastly improve the results gained in packet captures. This is a "noisy" method which will generate a large amount of traffic on a network and will be easily detected in any reasonably sophisticated infrastructure or by anyone running an IDS. However, in small-scale networks (a small business, coffee shop, public hotspot, etc.) it is unlikely to be noticed in the short run.

The quick and dirty:
root@zombi:~# ettercap -i wlan0 -T -q -M ARP /192.168.168.168/ //

This tells ettercap to use wireless interface 0 (-i wlan0), go into text mode (-T), use quiet output (-q), and start ARP poisoning (-M ARP) the local gateway (in this instance, 192.168.168.168).

What ettercap will then do is start sending ARP reply packets to every other host on the network, advertising the attacker's machine as the correct place to send any packets destined for 192.168.168.168. Because that address is the gateway, all traffic on the network that is outbound to the net is sent through the attacker's machine first, where they can sniff or manipulate it at will.
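
The same traffic from the defender's side, as an added example that is not part of the original post: it parses raw ARP bodies and flags replies that claim the gateway's IP from an unexpected MAC, or a single MAC that claims several IPs. The MAC addresses, the host IP and the function names are constructed for illustration, and it assumes the gateway's real MAC is known in advance.

```python
import socket
import struct
from collections import defaultdict

ARP_REPLY = 2

def parse_arp(body):
    """Parse a 28-byte Ethernet/IPv4 ARP body -> (opcode, sender_mac, sender_ip) or None."""
    if len(body) < 28 or struct.unpack("!HHBB", body[:6]) != (1, 0x0800, 6, 4):
        return None
    (op,) = struct.unpack("!H", body[6:8])
    mac = ":".join(f"{b:02x}" for b in body[8:14])
    return op, mac, socket.inet_ntoa(body[14:18])

def detect_poisoning(bodies, gateway_ip, gateway_mac):
    """Return (index, reason, ip, mac) alerts for ARP replies that look forged."""
    claimed = defaultdict(set)  # sender MAC -> IPs it has claimed so far
    alerts = []
    for i, body in enumerate(bodies):
        parsed = parse_arp(body)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        if ip == gateway_ip and mac != gateway_mac.lower():
            alerts.append((i, "gateway-mac-mismatch", ip, mac))
        claimed[mac].add(ip)
        if len(claimed[mac]) == 2:  # alert once, when a second IP appears
            alerts.append((i, "mac-claims-multiple-ips", ip, mac))
    return alerts

def build_reply(smac, sip, tmac, tip):
    """Build a constructed ARP reply body for the sample below."""
    smac_b, tmac_b = (bytes.fromhex(m.replace(":", "")) for m in (smac, tmac))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
            + smac_b + socket.inet_aton(sip) + tmac_b + socket.inet_aton(tip))

# Constructed sample: all MAC addresses and the host IP are made up.
GW_IP, GW_MAC = "192.168.168.168", "00:11:22:33:44:55"
HOST_IP, HOST_MAC, ROGUE_MAC = "192.168.168.20", "aa:bb:cc:00:00:20", "de:ad:be:ef:00:01"
SAMPLE = [
    build_reply(GW_MAC, GW_IP, HOST_MAC, HOST_IP),     # genuine gateway reply
    build_reply(HOST_MAC, HOST_IP, GW_MAC, GW_IP),     # genuine host reply
    build_reply(ROGUE_MAC, GW_IP, HOST_MAC, HOST_IP),  # forged: claims gateway IP
    build_reply(ROGUE_MAC, HOST_IP, GW_MAC, GW_IP),    # forged: claims host IP
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE, GW_IP, GW_MAC):
        print(alert)
```

Multi-homed hosts and proxy-ARP routers can legitimately answer for several IPs, so the second alert needs an allowlist in practice.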


As you can see, by firing up Wireshark and telling it to filter for 'http', we can see the web traffic of other machines on the network. This packet is a simple weather update request from a smartphone on the network, but you get the idea: it will show the attacker anything that's in clear text.

For information on how to sniff encrypted connections, check out these posts:
SSL Man In The Middle with Ettercap
