NAME
ettercap NG-0.7.3 - A multipurpose sniffer/content filter for man in the middle attacks
CONTENTS
Synopsis
Description
Target Specification
Privileges Dropping
Ssl Mitm Attack
Options
Examples
Authors
Availability
Cvs
Bugs
Philological History
The Lord Of The (Token)Ring
Last words
***** IMPORTANT NOTE ******
Since ettercap NG (formerly 0.7.0), all the options have changed, including the target specification. Please read this man page carefully.
SYNOPSIS
ettercap [OPTIONS] [TARGET1] [TARGET2]

TARGET is in the form MAC/IPs/PORTs
where IPs and PORTs can be ranges (e.g. /192.168.0.1-30,40,50/20,22,25)
DESCRIPTION
Ettercap was born as a sniffer for switched LANs (and obviously hubbed ones too), but during development it has gained more and more features that have turned it into a powerful and flexible tool for man-in-the-middle attacks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis (such as OS fingerprinting). It has two main sniffing options:

UNIFIED: this method sniffs all the packets that pass on the cable. You can choose whether or not to put the interface in promisc mode (-p option). Packets not directed to the host running ettercap will be forwarded automatically using layer 3 routing. So you can use a mitm attack launched from a different tool and let ettercap modify the packets and forward them for you.

The kernel ip_forwarding is always disabled by ettercap. This is done to prevent forwarding a packet twice (once by ettercap and once by the kernel). This is an invasive behaviour on gateways, so we recommend using ettercap on gateways ONLY with the UNOFFENSIVE MODE ENABLED. Since ettercap listens only on one network interface, launching it on the gateway in offensive mode will not allow packets to be rerouted back from the second interface.

BRIDGED: it uses two network interfaces and forwards the traffic from one to the other while performing sniffing and content filtering. This sniffing method is totally stealthy since there is no way to find that someone is in the middle of the cable. You can look at this method as a mitm attack at layer 1: you will be in the middle of the cable between two entities. Don't use it on gateways or it will transform your gateway into a bridge. HINT: you can use the content filtering engine to drop packets that should not pass. This way ettercap will work as an inline IPS ;)

You can also perform man in the middle attacks while using unified sniffing. You can choose the mitm attack that you prefer. The mitm attack module is independent from the sniffing and filtering process, so you can launch several attacks at the same time or use your own tool for the attack. The crucial point is that the packets have to arrive at ettercap with the correct mac address and a different ip address (only these packets will be forwarded).
The most relevant ettercap features are:

SSH1 support : you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the first software capable of sniffing an SSH connection in FULL-DUPLEX.

SSL support : you can sniff SSL secured data... a fake certificate is presented to the client and the session is decrypted.

Characters injection in an established connection : you can inject characters to the server (emulating commands) or to the client (emulating replies) while keeping the connection alive !!

Packet filtering/dropping : you can set up a filter script that searches for a particular string (even hex) in the TCP or UDP payload and replaces it with yours or drops the entire packet. The filtering engine can match any field of the network protocols and modify whatever you want (see etterfilter(8)).

Remote traffic sniffing through tunnels and route mangling : you can play with linux cooked interfaces or use the integrated plugin to sniff tunneled or route-mangled remote connections and perform mitm attacks on them.

Plug-ins support : you can create your own plugin using ettercap's API.

Password collector for : TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG (other protocols coming soon...)

Passive OS fingerprint : you scan the lan passively (without sending any packet) and gather detailed info about the hosts in the LAN: Operating System, running services, open ports, IP, mac address and network adapter vendor.

Kill a connection : from the connections list you can kill all the connections you want.
TARGET SPECIFICATION
There is no concept of SOURCE nor DEST. The two targets are intended to filter traffic coming from one to the other and vice-versa (since the connection is bidirectional).

TARGET is in the form MAC/IPs/PORTs. If you want you can omit any of its parts and this will represent an ANY in that part.

e.g.
'//80' means ANY mac address, ANY ip and ONLY port 80
'/10.0.0.1/' means ANY mac address, ONLY ip 10.0.0.1 and ANY port

MAC must be unique and in the form 00:11:22:33:44:55

IPs is a range of IP addresses in dotted notation. You can specify a range with - (hyphen) and single ips with , (comma). You can also use ; (semicolon) to separate different ip addresses.

e.g.
'10.0.0.1-5;10.0.1.33' expands into ip 10.0.0.1, 2, 3, 4, 5 and 10.0.1.33

PORTs is a range of PORTS. You can specify a range with - (hyphen) and single ports with , (comma).

e.g.
'20-25,80,110' expands into ports 20, 21, 22, 23, 24, 25, 80 and 110

NOTE:
you can reverse the matching of the TARGET by adding the -R option to the command line. So if you want to sniff ALL the traffic BUT the one coming from or going to 10.0.0.1 you can specify './ettercap -R /10.0.0.1/'

NOTE:
TARGETs are also responsible for the initial scan of the lan. You can use them to restrict the scan to only a subset of the hosts in the netmask. The result of merging the two targets will be scanned. Remember that not specifying a target means 'no target', but specifying '//' means 'all the hosts in the subnet'.
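The TARGET grammar above is small but easy to misread, and a wrong spec either poisons more hosts than intended or silently matches nothing. The script below is an added example, not ettercap code: it splits a TARGET into MAC, IPs and PORTs, treats an omitted part as ANY, validates the MAC form, and expands the ',' '-' and ';' range syntax so you can see exactly which addresses and ports a spec covers before handing it to ettercap. The ec_* function names are the script's own; it expands ranges in any octet, which goes a little beyond the last-octet forms shown on this page.

```shell
#!/bin/sh
# Expand an ettercap NG TARGET spec (MAC/IPs/PORTs) into the explicit sets
# it stands for. Added example, not ettercap code: the ec_* names are this
# script's own. Usage: ./ec_target.sh '/10.0.0.1-5;10.0.1.33/20-25,80,110'
set -u
set -f   # no pathname expansion: we split on IFS deliberately below

# Expand a "20-25,80,110" style list, one value per line.
# An empty spec is the ANY wildcard, exactly as in a TARGET.
ec_expand_numlist() {
    spec=$1
    if [ -z "$spec" ]; then echo ANY; return 0; fi
    old_ifs=$IFS; IFS=','; set -- $spec; IFS=$old_ifs
    for item in "$@"; do
        case $item in
            *-*)
                lo=${item%-*}; hi=${item#*-}
                while [ "$lo" -le "$hi" ]; do echo "$lo"; lo=$((lo + 1)); done ;;
            *)  echo "$item" ;;
        esac
    done
}

# Expand the IPs part: ';' separates address specs and every octet may use
# the same ',' and '-' syntax (the page shows it in the last octet; this
# handles it in any octet, e.g. 10.0.0-1.1-5). Empty spec is ANY.
ec_expand_ips() {
    ipspec=$1
    if [ -z "$ipspec" ]; then echo ANY; return 0; fi
    old_ifs=$IFS; IFS=';'; set -- $ipspec; IFS=$old_ifs
    for part in "$@"; do
        old_ifs=$IFS; IFS='.'; set -- $part; IFS=$old_ifs
        if [ $# -ne 4 ]; then
            echo "ec_expand_ips: '$part' is not a dotted-quad spec" >&2; return 1
        fi
        for a in $(ec_expand_numlist "$1"); do
        for b in $(ec_expand_numlist "$2"); do
        for c in $(ec_expand_numlist "$3"); do
        for d in $(ec_expand_numlist "$4"); do
            echo "$a.$b.$c.$d"
        done; done; done; done
    done
}

# Empty MAC is ANY; otherwise it must be exactly of the 00:11:22:33:44:55 form.
ec_check_mac() {
    hx='[0-9a-fA-F][0-9a-fA-F]'
    case $1 in
        '') return 0 ;;
        $hx:$hx:$hx:$hx:$hx:$hx) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the three parts of a TARGET, expanded, one per line.
ec_expand_target() {
    IFS='/' read -r mac ips ports <<EOF
$1
EOF
    if ! ec_check_mac "$mac"; then
        echo "ec_expand_target: bad MAC '$mac' (want 00:11:22:33:44:55)" >&2; return 1
    fi
    iplist=$(ec_expand_ips "$ips") || return 1
    portlist=$(ec_expand_numlist "$ports") || return 1
    echo "MAC:   ${mac:-ANY}"
    echo "IPs:   $(echo "$iplist" | xargs)"
    echo "PORTs: $(echo "$portlist" | xargs)"
}

if [ $# -gt 0 ]; then ec_expand_target "$1"; fi
```

Run it on a spec before using it with -M: '/192.168.0.1-30,40,50/20,22,25' prints the 32 addresses and 3 ports, '//' prints ANY for all three parts (every host in the subnet, per the NOTE above), and a MAC that is not in colon-separated form is rejected instead of being silently taken as ANY.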
PRIVILEGES DROPPING
ettercap needs root privileges to open the Link Layer sockets. After the initialization phase, the root privs are not needed anymore, so ettercap drops them to UID = 65535 (nobody). Since ettercap has to write (create) log files, it must be executed in a directory with the right permissions (e.g. /tmp/). If you want to drop privs to a different uid, you can export the environment variable EC_UID with the value of the uid you want to drop the privs to (e.g. export EC_UID=500) or set the correct parameter in the etter.conf file.
SSL MITM ATTACK
While performing the SSL mitm attack, ettercap substitutes the real ssl certificate with its own. The fake certificate is created on the fly and all the fields are filled according to the real cert presented by the server. Only the issuer is modified, and the certificate is signed with the private key contained in the 'etter.ssl.crt' file. Because that issuer is not in the client's trust store, the client shows a certificate warning; the session is only decrypted if the user accepts it. If you want to use a different private key you have to regenerate this file. To regenerate the cert file use the following commands (they generate an RSA key, a certificate request and a self-signed certificate valid for 1825 days, then append the certificate to the key file; 1024 bits is what this page shows, current practice is 2048 bits or more):

    openssl genrsa -out etter.ssl.crt 1024
    openssl req -new -key etter.ssl.crt -out tmp.csr
    openssl x509 -req -days 1825 -in tmp.csr -signkey etter.ssl.crt -out tmp.new
    cat tmp.new >> etter.ssl.crt
    rm -f tmp.new tmp.csr

NOTE: SSL mitm is not available (for now) in bridged mode.
OPTIONS
Options that make sense together can generally be combined. ettercap will warn the user about unsupported option combinations.

SNIFFING AND ATTACK OPTIONS

ettercap NG has a new unified sniffing method. This implies that ip_forwarding in the kernel is always disabled and the forwarding is done by ettercap. Every packet with destination mac address equal to the host's mac address and destination ip address different from the one bound to the iface will be forwarded by ettercap. Before forwarding them, ettercap can content filter, sniff, log or drop them. It does not matter how these packets are hijacked, ettercap will process them. You can even use external programs to hijack packets. You have full control of what ettercap should receive. You can use the internal mitm attacks, set the interface in promisc mode, use plugins or use every method you want.

IMPORTANT NOTE: if you run ettercap on a gateway, remember to re-enable ip_forwarding after you have killed ettercap. Since ettercap drops its privileges, it cannot restore ip_forwarding for you.

-M, --mitm <METHOD:ARGS>
MITM attack. This option will activate the man in the middle attack. The mitm attack is totally independent from the sniffing. The aim of the attack is to hijack packets and redirect them to ettercap. The sniffing engine will forward them if necessary. You can choose the mitm attack that you prefer and also combine some of them to perform different attacks at the same time. If a mitm method requires some parameters you can specify them after the colon (e.g. -M dhcp:ip_pool,netmask,etc). The following mitm attacks are available:

-o, --only-mitm
This option disables the sniffing thread and enables only the mitm attack. Useful if you want to use ettercap to perform mitm attacks and another sniffer (such as ethereal) to sniff the traffic. Keep in mind that the packets are not forwarded by ettercap; the kernel will be responsible for the forwarding. Remember to activate the 'ip forwarding' feature in your kernel.

-f, --pcapfilter <FILTER>
Set a capturing filter in the pcap library. The format is the same as tcpdump(1). Remember that this kind of filter does not take packets off the wire, it only keeps them from reaching ettercap: a hijacked packet that the filter excludes is never seen and therefore never forwarded, so a pcap filter that does not cover the hijacked traffic will break the connections of a mitm attack. These filters are useful to decrease the network load on the ettercap decoding module.

-B, --bridge <IFACE>
BRIDGED sniffing. You need two network interfaces. ettercap will forward from one to the other all the traffic it sees. It is useful for man in the middle at the physical layer. It is totally stealthy since it is passive and there is no way for a user to see the attacker. You can content filter all the traffic as if you were a transparent proxy for the 'cable'.
OFF LINE SNIFFING

-r, --read <FILE>
OFF LINE sniffing. With this option enabled, ettercap will sniff packets from a pcap compatible file instead of capturing from the wire. This is useful if you have a file dumped from tcpdump or ethereal and you want to make an analysis (search for passwords or passive fingerprint) on it. Obviously you cannot use 'active' sniffing (arp poisoning or bridging) while sniffing from a file.

-w, --write <FILE>
WRITE packets to a pcap file. This is useful if you have to use 'active' sniffing (arp poison) on a switched LAN but you want to analyze the packets with tcpdump or ethereal. You can use this option to dump the packets to a file and then load it into your favourite application. NOTE: the dump file collects ALL the packets regardless of the TARGET. This is done because you may want to log even protocols not supported by ettercap, so you can analyze them with other tools. TIP: you can use the -w option in conjunction with the -r one. This way you will be able to filter the payload of the dumped packets or decrypt WEP-encrypted WiFi traffic and dump them to another file.
USER INTERFACES OPTIONS

-T, --text
The text only interface, only printf ;) It is quite interactive, press 'h' at any moment to get help on what you can do.

-q, --quiet
Quiet mode. It can be used only in conjunction with the console interface. It does not print packet content. It is useful if you want to convert a pcap file to ettercap log files. example: ettercap -Tq -L dumpfile -r pcapfile

-s, --script <COMMANDS>
With this option you can feed ettercap with commands as if they were typed on the keyboard by the user. This way you can use ettercap within your favourite scripts. There is a special command you can issue through this option: s(x). This command will sleep for x seconds. example: ettercap -T -s 'lq' will print the list of the hosts and exit

-C, --curses
Ncurses based GUI. See ettercap_curses(8) for a full description.

-G, --gtk
The nice GTK2 interface (thanks Daten...).

-D, --daemonize
Daemonize ettercap. This option will detach ettercap from the current controlling terminal and set it as a daemon. You can combine this feature with the 'log' option to log all the traffic in the background. If the daemon fails for any reason, it will create the file './ettercap_daemonized.log' in which the error caught by ettercap will be reported. Furthermore, if you want to have a complete debug of the daemon process, you are encouraged to recompile ettercap in debug mode.
GENERAL OPTIONS

-i, --iface <IFACE>
Use this <IFACE> instead of the default one. The interface can be unconfigured (requires libnet >= 1.1.2), but in this case you cannot use MITM attacks and you should set the unoffensive flag.

-I, --iflist
This option will print the list of all available network interfaces that can be used within ettercap. The option is particularly useful under windows, where the name of the interface is not as obvious as under *nix.

-n, --netmask <NETMASK>
Use this <NETMASK> instead of the one associated with the current iface. This option is useful if you have a NIC with an associated class B netmask and you want to scan (with the arp scan) only a class C.

-R, --reversed
Reverse the matching in the TARGET selection. It means not(TARGET): all but the selected TARGET.

-t, --proto <PROTO>
Sniff only PROTO packets (default is TCP + UDP). This is useful if you want to select a port via the TARGET specification but you want to differentiate between tcp and udp. PROTO can be 'tcp', 'udp' or 'all' for both.

-z, --silent
Do not perform the initial ARP scan of the LAN. NOTE: you will not have the hosts list, so you can't use the multipoison feature; you can only select two hosts for an ARP poisoning attack, specifying them through the TARGETs.

-p, --nopromisc
Usually, ettercap will put the interface in promisc mode to sniff all the traffic on the wire. If you want to sniff only your own connections, use this flag to NOT enable promisc mode.

-u, --unoffensive
Every time ettercap starts, it disables ip forwarding in the kernel and begins to forward packets itself. This option prevents that, so the responsibility for ip forwarding is left to the kernel. This option is useful if you want to run multiple ettercap instances: you will have one instance (the one without the -u option) forwarding the packets, and all the other instances doing their work without forwarding them. Otherwise you will get packet duplicates. It also disables the internal creation of the sessions for each connection. This increases performance, but you will not be able to modify packets on the fly. If you want to use a mitm attack you have to use a separate instance. You have to use this option if the interface is unconfigured (without an ip address). This is also useful if you want to run ettercap on the gateway: it will not disable forwarding and the gateway will correctly route the packets.
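The IMPORTANT NOTE in the unified-sniffing introduction (re-enable ip_forwarding after ettercap is killed on a gateway, because ettercap has dropped root and cannot do it), the PRIVILEGES DROPPING section (run from a directory uid 65535 or EC_UID can write log files in) and the -u description above all describe the same operational trap. The wrapper below is an added example, not ettercap code: it snapshots the kernel flag before starting, warns when the argument list is not what this man page recommends for a gateway (-u present, no -M), runs ettercap from a writable log directory and restores the flag on exit. The ec_* names, EC_LOGDIR, EC_FORWARD_FILE and the /tmp default are the script's own assumptions; /proc/sys/net/ipv4/ip_forward is the Linux sysctl path.

```shell
#!/bin/sh
# Run ettercap on a gateway and put the kernel's IPv4 forwarding flag back
# afterwards. Added example, not ettercap code: ec_* names, EC_LOGDIR and
# EC_FORWARD_FILE are this script's own assumptions.
set -u

EC_FORWARD_FILE=${EC_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}

# Read the forwarding flag (0 or 1). The optional path argument lets the
# logic be exercised against a scratch file instead of /proc.
ec_forward_get() {
    tr -d '[:space:]' < "${1:-$EC_FORWARD_FILE}"
}

# Write the flag back. Refuses anything but 0 or 1, so a failed read can
# never turn into garbage written into /proc.
ec_forward_set() {
    value=$1; file=${2:-$EC_FORWARD_FILE}
    case $value in
        0|1) printf '%s\n' "$value" > "$file" ;;
        *) echo "ec_forward_set: refusing to write '$value' to $file" >&2; return 1 ;;
    esac
}

# ettercap(8) says: on a gateway run it ONLY in unoffensive mode, because it
# listens on one interface and cannot route packets back out of the other.
# Return 0 when the argument list has -u (alone or clustered) and no -M.
ec_args_gateway_safe() {
    have_u=0
    for arg in "$@"; do
        case $arg in
            --mitm) return 1 ;;
            --unoffensive) have_u=1 ;;
            --*) ;;                  # any other long option
            -*M*) return 1 ;;        # -M or a cluster such as -TM
            -*u*) have_u=1 ;;        # -u or a cluster such as -Tqu
        esac
    done
    [ "$have_u" -eq 1 ]
}

# Snapshot ip_forward, run ettercap from a directory the dropped uid can
# write its log files in, and restore the flag when ettercap exits; ettercap
# cannot restore it itself because it has already dropped root.
ec_gateway_run() {
    saved=$(ec_forward_get) || return 1
    if ! ec_args_gateway_safe "$@"; then
        echo "warning: not gateway-safe (want -u, no -M): ettercap will set" \
             "ip_forward=0 and route only what it sees; restoring $saved on exit" >&2
    fi
    cd "${EC_LOGDIR:-/tmp}" || return 1
    trap 'ec_forward_set "$saved"' EXIT INT TERM
    ettercap "$@"
}

# Usage: EC_LOGDIR=/var/tmp ./ec_gateway.sh -Tq -u -L gwlog //
if [ $# -gt 0 ]; then ec_gateway_run "$@"; fi
```

The restore runs from the wrapper, which still has root, rather than from ettercap, which does not. If you set EC_UID, make sure EC_LOGDIR is writable by that uid, otherwise -L enabled at runtime will fail as described under LOGGING OPTIONS.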
-j, --load-hosts <FILENAME>
It can be used to load a hosts list from a file created by the -k option (see below).

-k, --save-hosts <FILENAME>
Saves the hosts list to a file. Useful when you have many hosts and you don't want to do an ARP storm at startup every time you use ettercap. Simply use this option and dump the list to a file, then to load the information from it use the -j <filename> option.

-P, --plugin <PLUGIN>
Run the selected PLUGIN. Many plugins need target specification, use TARGET as always. In console mode (-C option), standalone plugins are executed and then the application exits. Hook plugins are activated and the normal sniffing is performed. To get a list of the available external plugins use 'list' (without quotes) as plugin name (e.g. ./ettercap -P list). NOTE: you can also activate plugins directly from the interfaces (always press 'h' to get the inline help). More detailed info about plugins and about how to write your own is found in the man page ettercap_plugin(8).

-F, --filter <FILE>
Load the filter from the file <FILE>. The filter must be compiled with etterfilter(8). The utility will compile the filter script and produce an ettercap-compliant binary filter file. Read the etterfilter(8) man page for the list of functions you can use inside a filter script. NOTE: these filters are different from those set with --pcapfilter. An ettercap filter is a content filter and can modify the payload of a packet before forwarding it. Pcap filters are used to capture only certain packets. NOTE: you can use filters on a pcap file to modify it and save to another file, but in this case you have to pay attention to what you are doing, since ettercap will not recalculate checksums, nor split packets exceeding the mtu (snaplen), nor anything like that.
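The -F option above loads a filter compiled by etterfilter(8), and the DESCRIPTION notes that the same engine can drop packets and act as an inline IPS. The script below is an added example, not ettercap's or etterfilter's own code: it writes a filter source in the syntax documented in etterfilter(8) (if / search / replace / msg / drop), checks that the replacement keeps the payload the same length, and compiles it with etterfilter -o into the file -F expects. The rules, the file names and the ec_* names are this example's own assumptions. A -f pcap filter would not do any of this, since it only selects which packets ettercap sees.

```shell
#!/bin/sh
# Write, compile and load an ettercap content filter (the -F option).
# Added example, not ettercap code. The filter body uses the etterfilter(8)
# syntax; file names and ec_* names are this script's own.
set -u

# ettercap does not re-split a packet that grows past the MTU, so a
# replace() should keep the payload the same length. Return 0 if it does.
ec_replace_ok() {
    [ "${#1}" -eq "${#2}" ]
}

# Write a filter source file. Rule 1 rewrites a request header on port 80
# (same length, see above). Rule 2 drops telnet to the server, which is the
# "inline IPS" use the DESCRIPTION mentions.
ec_write_filter() {
    out=$1
    if ! ec_replace_ok "Accept-Encoding" "Accept-Rubbish!"; then
        echo "ec_write_filter: replacement length mismatch" >&2; return 1
    fi
    cat > "$out" <<'EOF'
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
        msg("zapped Accept-Encoding!\n");
    }
}
if (ip.proto == TCP && tcp.dst == 23) {
    msg("telnet to port 23 dropped\n");
    drop();
}
EOF
}

# Compile with etterfilter(8) into the binary form -F loads.
ec_compile_filter() {
    src=$1; out=$2
    if ! command -v etterfilter > /dev/null 2>&1; then
        echo "ec_compile_filter: etterfilter not found in PATH" >&2; return 1
    fi
    etterfilter "$src" -o "$out"
}

# Usage: ./ec_filter.sh /tmp/zap.ef /tmp/zap.ef.co
#   then: ettercap -T -F /tmp/zap.ef.co -M arp:remote /192.168.1.1/ /192.168.1.2-10/
if [ $# -eq 2 ]; then
    ec_write_filter "$1" && ec_compile_filter "$1" "$2"
fi
```

Removing Accept-Encoding from requests makes the server answer uncompressed, so later string matches on the HTTP body see plaintext; the same-length replacement is why "Accept-Rubbish!" is used rather than an empty string.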
-W, --wep-key <KEY>
You can specify a WEP key to decrypt WiFi packets. Only the packets decrypted successfully will be passed to the decoders stack, the others will be skipped with a message. The parameter has the following syntax: N:T:KEY, where N is the bit length of the wep key (64, 128 or 256), T is the type of the string ('s' for string and 'p' for passphrase), and KEY can be a string or an escaped hex sequence. example:

-a, --config <CONFIG>
Loads an alternative config file instead of the default /etc/etter.conf. This is useful if you have many preconfigured files for different situations.
VISUALIZATION OPTIONS

-e, --regex <REGEX>
Handle only packets that match the regex. This option is useful in conjunction with -L: it logs only packets that match the posix regex REGEX. It also affects the visualization of the sniffed packets: if it is set, only packets matching the regex will be displayed.

-V, --visual <FORMAT>
Use this option to set the visualization method for the packets to be displayed. FORMAT may be one of the following:

-d, --dns
Resolve ip addresses into hostnames. NOTE: this may seriously slow down ettercap while logging passive information. Every time a new host is found, a query to the dns is performed. Ettercap keeps a cache for already resolved hosts to increase the speed, but new hosts need a new query and the dns may take up to 2 or 3 seconds to respond for an unknown host. Those queries are also traffic your own host sends, which matters if you are relying on the scan being passive. HINT: ettercap collects the dns replies it sniffs in the resolution table, so even if you specify not to resolve the hostnames, some of them will be resolved because the reply was previously sniffed. Think about it as passive dns resolution for free... ;)

-E, --ext-headers
Print extended headers for every displayed packet (e.g. mac addresses).

-Q, --superquiet
Super quiet mode. Do not print users and passwords as they are collected; only store them in the profiles. It can be useful if you run ettercap in text only mode but you don't want to be flooded with dissector messages. Useful when using plugins, because the sniffing process is always active and it will print all the collected info; with this option you can suppress these messages. NOTE: this option automatically sets the -q option. example: ettercap -TzQP finger /192.168.0.1/22
LOGGING OPTIONS

-L, --log <LOGFILE>
Log all the packets to binary files. These files can be parsed by etterlog(8) to extract human readable data. With this option, all packets sniffed by ettercap will be logged, together with all the passive info (host info + user & pass) it can collect. Given a LOGFILE, ettercap will create LOGFILE.ecp (for packets) and LOGFILE.eci (for the infos). NOTE: if you specify this option on the command line you don't have to take care of privileges, since the log file is opened in the startup phase (with high privs). But if you enable the log option while ettercap is already running, you have to be in a directory where uid = 65535 or uid = EC_UID can write. NOTE: the logfiles can be compressed with the deflate algorithm using the -c option.

-l, --log-info <LOGFILE>
Very similar to -L but it logs only passive information + users and passwords for each host. The file will be named LOGFILE.eci

-m, --log-msg <LOGFILE>
It stores in <LOGFILE> all the user messages printed by ettercap. This can be useful when you are using ettercap in daemon mode or if you want to track down all the messages. Indeed, some dissectors print messages but their information is not stored anywhere, so this is the only way to keep track of them.

-c, --compress
Compress the logfile with the gzip algorithm while it is dumped. etterlog(8) is capable of handling both compressed and uncompressed log files.

-o, --only-local
Stores profile information belonging only to the LAN hosts. NOTE: this option is effective only for the profiles collected in memory. While logging to a file ALL the hosts are logged. If you want to split them, use the related etterlog(8) option.

-O, --only-remote
Stores profile information belonging only to remote hosts.
STANDARD OPTIONS

-U, --update
Connects to the ettercap website (ettercap.sf.net) and retrieves the latest databases used by ettercap. If you only want to check whether an update is available, prepend the -z option. The order does matter: ettercap -zU. SECURITY NOTE: the updates are not signed, so an attacker who can poison your DNS server can answer for the update site, serve a fake updateNG.php and feed ettercap fake databases. This can harm your system, since the update can overwrite any file containing the string 'Revision: '.

-v, --version
Print the version and exit.

-h, --help
Prints the help screen with a short summary of the available options.
EXAMPLES
Here are some examples of using ettercap.

ettercap -Tp
Use the console interface and do not put the interface in promisc mode. You will see only your traffic.

ettercap -Tzq
Use the console interface, do not ARP scan the net and be quiet. The packet content will not be displayed, but users and passwords, as well as other messages, will be displayed.

ettercap -T -j /tmp/victims -M arp /10.0.0.1-7/ /10.0.0.10-20/
Will load the hosts list from /tmp/victims and perform an ARP poisoning attack against the two targets. The list will be joined with the targets and the resulting list is used for ARP poisoning.

ettercap -T -M arp // //
Perform the ARP poisoning attack against all the hosts in the LAN. BE CAREFUL!!

ettercap -T -M arp:remote /192.168.1.1/ /192.168.1.2-10/
Perform the ARP poisoning against the gateway and the hosts in the lan between 2 and 10. The 'remote' option is needed to be able to sniff the remote traffic the hosts make through the gateway.

ettercap -Tzq //110
Sniff only the pop3 protocol from every host.

ettercap -Tzq /10.0.0.1/21,22,23
Sniff telnet, ftp and ssh connections to 10.0.0.1.

ettercap -P list
Prints the list of all available plugins.
AUTHORS
Alberto Ornaghi (ALoR) <alor@users.sf.net>
Marco Valleri (NaGA) <naga@antifork.org>
SEE ALSO
etter.conf(5), ettercap_curses(8), ettercap_plugins(8), etterlog(8), etterfilter(8)
AVAILABILITY
http://ettercap.sourceforge.net/download/
CVS
cvs -d:pserver:anonymous@cvs.ettercap.sf.net:/cvsroot/ettercap login
cvs -d:pserver:anonymous@cvs.ettercap.sf.net:/cvsroot/ettercap co ettercap_ng
BUGS
Our software never has bugs. It just develops random features. ;)
KNOWN-BUGS
- ettercap doesn't handle fragmented packets... only the first segment will be displayed by the sniffer. However all the fragments are correctly forwarded.
+ please send bug-reports, patches or suggestions to <alor@users.sourceforge.net> or visit http://ettercap.sourceforge.net/forum/ and post them in the BUGS section.
+ to report a bug, follow the instructions in the README.BUGS file
PHILOLOGICAL HISTORY
'Even if blessed with a feeble intelligence, they are cruel and smart...' this is the description of Ettercap, a monster of the RPG Advanced Dungeons & Dragons. The name 'ettercap' was chosen because it has an assonance with 'ethercap' which means 'ethernet capture' (what ettercap actually does) and also because such monsters have a powerful poison... and you know, arp poisoning... ;)
The Lord Of The (Token)Ring
(the fellowship of the packet)
'One Ring to link them all, One Ring to ping them,
one Ring to bring them all and in the darkness sniff them.'
Last words
'Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.' - Rich Cook
ettercap NG-0.7.3    ETTERCAP(8)
Generated by manServer 1.07 from /usr/local/man/man8/ettercap.8 using man macros.