Ettercap is a comprehensive suite for man-in-the-middle attacks (MiTM). It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
It also supports active and passive dissection of many protocols and includes many features for network and host analysis.
Ettercap works by putting the network interface into promiscuous mode and by ARP poisoning the target machines. Thereby it can act as a ‘man in the middle’ and unleash various attacks on the victims. Ettercap has plugin support so that the features can be extended by adding new plugins.
Ettercap supports active and passive dissection of many protocols (including ciphered ones) and provides many features for network and host analysis. Ettercap offers four modes of operation:
- IP-based: packets are filtered based on IP source and destination.
- MAC-based: packets are filtered based on MAC address, useful for sniffing connections through a gateway.
- ARP-based: uses ARP poisoning to sniff on a switched LAN between two hosts (full-duplex).
- PublicARP-based: uses ARP poisoning to sniff on a switched LAN from a victim host to all other hosts (half-duplex).
In addition, the software also offers the following features:
- Character injection into an established connection: characters can be injected into a server (emulating commands) or to a client (emulating replies) while maintaining a live connection.
- SSH1 support: the sniffing of a username and password, and even the data of an SSH1 connection. Ettercap is the first software capable of sniffing an SSH connection in full duplex.
- HTTPS support: the sniffing of HTTP SSL secured data—even when the connection is made through a proxy.
- Remote traffic through a GRE tunnel: the sniffing of remote traffic through a GRE tunnel from a remote Cisco router, and perform a man-in-the-middle attack on it.
- Plug-in support: creation of custom plugins using Ettercap’s API.
- Password collectors for: TELNET, FTP, POP, IMAP, rlogin, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, Napster, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, Half-Life, Quake 3, MSN, YMSG
- Packet filtering/dropping: setting up a filter that searches for a particular string (or hexadecimal sequence) in the TCP or UDP payload and replaces it with a custom string/sequence of choice, or drops the entire packet.
- OS fingerprinting: determine the OS of the victim host and its network adapter.
- Kill a connection: killing connections of choice from the connections-list.
- Passive scanning of the LAN: retrieval of information about hosts on the LAN, their open ports, the version numbers of available services, the type of the host (gateway, router or simple PC) and estimated distances in number of hops.
- Hijacking of DNS requests.
- Ettercap also has the ability to actively or passively find other poisoners on the LAN.
The options are as follows:
Usage: ettercap [OPTIONS] [TARGET1] [TARGET2]
TARGET is in the format MAC/IPs/PORTs (see the man for further detail)
Sniffing and Attack options:
-M, --mitm <METHOD:ARGS> perform a mitm attack
-o, --only-mitm don't sniff, only perform the mitm attack
-B, --bridge <IFACE> use bridged sniff (needs 2 ifaces)
-p, --nopromisc do not put the iface in promisc mode
-u, --unoffensive do not forward packets
-r, --read <file> read data from pcapfile <file>
-f, --pcapfilter <string> set the pcap filter <string>
-R, --reversed use reversed TARGET matching
-t, --proto <proto> sniff only this proto (default is all)
User Interface Type:
-T, --text use text only GUI
-q, --quiet do not display packet contents
-s, --script <CMD> issue these commands to the GUI
-C, --curses use curses GUI
-G, --gtk use GTK+ GUI
-D, --daemon daemonize ettercap (no GUI)
-w, --write <file> write sniffed data to pcapfile <file>
-L, --log <logfile> log all the traffic to this <logfile>
-l, --log-info <logfile> log only passive infos to this <logfile>
-m, --log-msg <logfile> log all the messages to this <logfile>
-c, --compress use gzip compression on log files
-d, --dns resolves ip addresses into hostnames
-V, --visual <format> set the visualization format
-e, --regex <regex> visualize only packets matching this regex
-E, --ext-headers print extended header for every pck
-Q, --superquiet do not display user and password
-i, --iface <iface> use this network interface
-I, --iflist show all the network interfaces
-n, --netmask <netmask> force this <netmask> on iface
-P, --plugin <plugin> launch this <plugin>
-F, --filter <file> load the filter <file> (content filter)
-z, --silent do not perform the initial ARP scan
-j, --load-hosts <file> load the hosts list from <file>
-k, --save-hosts <file> save the hosts list to <file>
-W, --wep-key <wkey> use this wep key to decrypt wifi packets
-a, --config <config> use the alterative config file <config>
-U, --update updates the databases from ettercap website
-v, --version prints the version and exit
-h, --help this help screen
Ettercap source compilation requires the following dependencies:
- Libpcap & dev libraries
- Libnet1 & dev libraries
- Libpthread & dev libraries
- CMake 2.6
- LibSSL & dev libraries
- LibGTK & dev libraries
- Libncurses & dev libraries
- Libpcre & dev libraries
You can download Ettercap here:
ettercap-v0.8.2.tar.gz (Includes dependencies)
Or read more here.