Network sniffing alone will only show you traffic your computer is supposed to receive. In the Stop and Listen challenge all the traffic was broadcast, so it was essentially public and received by every computer on the network.

Most traffic is sent unicast, which means it's only intended to be received by a single other host on the network. If you are sending a file to another computer on your network, it will be sent unicast to that one other computer. If you are requesting a web page, you will send your request unicast [1] to the web server, and it will send its response unicast back to you.

In order to intercept and extract delicious secrets from most of the traffic on a network, you will need to execute a man-in-the-middle (MitM) attack. One of the simplest reliable MitM attacks is ARP spoofing.

What is ARP and why is it broken?

Most applications know the computer they want to reach by IP address (layer 3), and do not know its MAC address by default. This is true of hosts on the local network and on the Internet. In order to send a message on the local (layer 2) network, the sender needs the MAC (layer 2) address of the recipient. This applies when sending a message to another peer on your network (e.g. to play a LAN game of Counter Strike) and when sending a message to your router to be relayed to the Internet.

Address Resolution Protocol (ARP) is a protocol that allows a sender with only the IP address of the recipient to determine the MAC address of the recipient. It's incredibly simple. The sender simply broadcasts to the network "Who has 192.168.1.1?" and someone responds with "00:DE:AD:BE:EF:01 has 192.168.1.1". Any messages for 192.168.1.1 will now be sent to 00:DE:AD:BE:EF:01 👌

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/e6503838-c0d2-4752-9541-2342c334a90a/ARP_Spoofing1.gif

What makes this so fantastically broken [2] is that there are absolutely no authentication checks on the response, so anybody can respond that they own any IP address. In fact, they don't even need to wait for someone to ask, they can just broadcast that they own it! 🎉

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/778dccc3-5d86-414b-bcec-eb2c7dd4f8ec/ARP_Spoofing2.gif

After running this attack, which is known as ARP spoofing or ARP poisoning, all of the poisoned devices will send their traffic to the attacker's computer instead of to the correct host.
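As a defensive counterpart to the attack just described, here is an added example (not from the original post) that parses raw Ethernet/ARP frames and flags the two symptoms of poisoning: a reply that nobody asked for, and an IP address whose MAC binding changes. The MAC and IP addresses in the constructed sample frames are made-up values; the watcher assumes it sees every ARP frame on the segment (e.g. from a capture on a mirror port).

```python
"""Spot ARP poisoning: unsolicited replies and IP->MAC bindings that change."""
import struct

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))

def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet II + ARP frame (used only to construct sample traffic)."""
    dst = mac("ff:ff:ff:ff:ff:ff") if op == 1 else mac(tha)   # requests are broadcast
    eth = dst + mac(sha) + struct.pack("!H", 0x0806)          # EtherType 0x0806 = ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # Ethernet/IPv4, 6+4 byte addrs
    return eth + arp + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) for an ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = ".".join(str(b) for b in frame[28:32])
    tpa = ".".join(str(b) for b in frame[38:42])
    return op, sha, spa, tpa

class ArpWatcher:
    def __init__(self):
        self.bindings = {}    # ip -> mac learned from the first reply seen for it
        self.pending = set()  # ips someone has asked about and not yet been answered

    def feed(self, frame):
        """Process one frame; return a list of alert strings (empty if nothing odd)."""
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        op, sha, spa, tpa = parsed
        alerts = []
        if op == 1:                      # request: remember who is being looked up
            self.pending.add(tpa)
            return alerts
        if op != 2:                      # ignore anything that is not a reply
            return alerts
        # A reply with no matching request is how a poisoner pushes a bogus mapping.
        # Note: a host announcing itself (gratuitous ARP, e.g. after DHCP) also trips this,
        # so the binding-change alert below is the stronger signal.
        if spa not in self.pending:
            alerts.append(f"unsolicited reply: {spa} is-at {sha}")
        self.pending.discard(spa)
        known = self.bindings.setdefault(spa, sha)
        if known != sha:
            alerts.append(f"binding change: {spa} was {known}, now {sha}")
        return alerts
```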

Poisoning a small network ⚗️

While connected to the Stuck in the Middle challenge, open Wireshark. Add the !arp filter. [3]

Using ettercap, the following incantation starts an ARP poisoning attack on the target network.

# Poison the whole network using Ettercap.
$ ettercap -T -M ARP -i tap0 /// ///

Breaking down the arguments to the ettercap command: