ETTER.CONF(5)                 File Formats Manual                ETTER.CONF(5)

NAME
       etter.conf - Ettercap configuration file

DESCRIPTION
       etter.conf is the configuration file that determines ettercap
       behaviour. It is always loaded at startup and it configures some
       attributes used at runtime.

       The file contains entries of the form:

              [section]
              entry = value
              ...

       Each entry defines a variable that can be customized. Every value
       MUST be an integer, except in the [strings] section, whose values
       are quoted strings. Sections are used only to group together some
       variables.

       NOTE: if you omit a variable in the conf file, it is initialized
       with the value 0. Always initialize critical variables such as
       "arp_poison_delay" or "connection_timeout" explicitly rather than
       relying on that default.
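       The following POSIX shell script is an added example, not part of
       ettercap or its documentation. It parses the file layout described
       above (sections, "entry = value" lines, "#" comments) and reports
       what a practitioner would want to know before starting a run: the
       critical variables that are missing or 0, ec_uid left at root, and
       checksum_check disabled. The set of variables it checks is an
       assumption chosen from the descriptions on this page, and the sample
       file it can write is constructed for illustration.

```shell
#!/bin/sh
# etterconf-lint.sh: sanity-check an etter.conf before starting ettercap.
# Added example, not part of ettercap.  Usage: etterconf-lint.sh <etter.conf>

# Print the value of entry $2 in section $1 of file $3; print nothing if it
# is absent. Understands "# comment" lines, blank lines, "[section]" headers
# and "key = value" lines (value: integer, "p1,p2" port list or quoted string).
etterconf_get() {
    awk -v want_sec="$1" -v want_key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next
        }
        sec == want_sec {
            i = index($0, "="); if (i == 0) next
            key = substr($0, 1, i - 1); gsub(/[ \t]/, "", key)
            if (key != want_key) next
            val = substr($0, i + 1)
            sub(/[ \t]*#.*$/, "", val)          # strip a trailing comment
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            print val; exit
        }' "$3"
}

# Integer view of a variable: absent or non-numeric counts as 0, which is what
# ettercap itself does with an omitted entry.
etterconf_int() {
    v=$(etterconf_get "$1" "$2" "$3")
    case "$v" in
        ''|*[!0-9]*) echo 0 ;;
        *)           echo "$v" ;;
    esac
}

# Print one finding per line and return the number of findings (0 = clean).
etterconf_lint() {
    f="$1"; n=0
    if [ "$(etterconf_int privs ec_uid "$f")" -eq 0 ]; then
        echo "[privs] ec_uid is 0 or missing: ettercap keeps running as root"
        n=$((n + 1))
    fi
    for spec in mitm:arp_poison_warm_up mitm:arp_poison_delay \
                connections:connection_timeout connections:connection_idle \
                connections:connection_buffer; do
        sec=${spec%%:*}; key=${spec#*:}
        if [ "$(etterconf_int "$sec" "$key" "$f")" -eq 0 ]; then
            echo "[$sec] $key is 0 or missing: ettercap will treat it as 0"
            n=$((n + 1))
        fi
    done
    if [ "$(etterconf_int misc checksum_check "$f")" -eq 0 ]; then
        echo "[misc] checksum_check is 0: bad-checksum packets are sniffed, so a probe can spot the sniffer (Phrack 60.12)"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample (not a real etter.conf) written to $1, for a dry run.
etterconf_sample() {
    cat > "$1" <<'EOF'
[privs]
ec_uid = 0            # root kept on purpose: the lint should flag it

[mitm]
arp_storm_delay = 10
arp_poison_warm_up = 1
# arp_poison_delay deliberately omitted

[connections]
connection_timeout = 10
connection_idle = 5
connection_buffer = 10000

[misc]
checksum_check = 0

[strings]
remote_browser = "xdg-open http://%host%url"
EOF
}

# Lint the file named on the command line; exit status = number of findings.
[ "$#" -gt 0 ] && etterconf_lint "$1"
```

       Run as "sh etterconf-lint.sh /etc/ettercap/etter.conf" (path assumed);
       on the constructed sample it reports three findings, one each for
       ec_uid, arp_poison_delay and checksum_check, and exits with status 3.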

       The following is a list of available variables:


   [privs]

       ec_uid             This variable specifies the UID to which privileges
                          are dropped at startup. After the socket at link
                          layer has been opened, the privileges are dropped to
                          a specific uid different from root for security
                          reasons. etter.conf is the only file that is read
                          with root privs. Be sure that the specified uid has
                          enough privs to read the other files (etter.*). You
                          can override this variable by setting the
                          environment variable EC_UID.



   [mitm]

       arp_storm_delay    The value represents the milliseconds to wait
                          between two consecutive packets during the initial
                          ARP scan. You can increase this value to be less
                          aggressive at startup. The randomized scan plus a
                          high delay can fool some types of ARP scan
                          detectors.


       arp_poison_smart   With this variable set, only 3 initial poisoned ARP
                          messages are sent to the victims. The poisoned state
                          is then kept up by ettercap answering the ARP
                          requests victims send to refresh their ARP cache.
                          This makes the ARP poisoning very stealthy, but it
                          may be unreliable on shared media such as WiFi.


       arp_poison_warm_up When the poisoning process starts, the inter-packet
                          delay is low for the first 5 poisons (to be sure the
                          poisoning process has been successful). After the
                          first 5 poisons, the delay is increased (to keep up
                          the poisoning). This variable controls the delay for
                          the first 5 poisons. The value is in seconds.
                          The same delay is used when the victims are restored
                          to their original associations (RE-ARPing) when
                          ettercap is closed.


       arp_poison_delay   This variable controls the poisoning delay after the
                          first 5 poisons. The value is expressed in seconds.
                          You can increase this value (to try to fool the IDS)
                          up to the timeout of the ARP cache (which depends on
                          the poisoned operating system); beyond that the
                          victims' entries expire between refreshes and the
                          poisoning is lost.


       arp_poison_icmp    Enable the sending of a spoofed ICMP message to
                          force the targets to make an ARP request. This will
                          create an ARP entry in the host cache, so ettercap
                          will be able to win the race condition and poison
                          the target. Useful against targets that do not
                          accept gratuitous ARP if the entry is not already in
                          the cache.


       arp_poison_reply   Use ARP replies to poison the targets. This is the
                          classic attack.


       arp_poison_request Use ARP requests to poison the targets. Useful
                          against targets that cache even ARP request values.


       arp_poison_equal_mac
                          Set this option to 0 if you want to skip the
                          poisoning of two hosts with the same MAC address.
                          This may happen if a NIC has one or more aliases on
                          the same network.


       dhcp_lease_time    This is the lease time (in seconds) for a DHCP
                          assignment. You can lower this value to let the
                          victims receive a correct DHCP reply after you have
                          stopped your attack. Using higher timeouts can
                          seriously mess up your network after the attack has
                          finished. On the other hand some clients prefer a
                          higher lease time, so you have to increase it to win
                          the race condition against the real server.


       port_steal_delay   This is the delay time (in milliseconds) between
                          stealing packets for the "port" mitm method. With
                          low delays you will be able to intercept more
                          packets, but you will generate more traffic. You
                          have to tune this value in order to find a good
                          balance between the number of intercepted packets,
                          re-transmitted packets and lost packets. This value
                          depends on full/half duplex channels, network
                          drivers and adapters, general network configuration
                          and hardware.



       port_steal_send_delay
                          This is the delay time (in microseconds) between
                          packets when the "port" mitm method has to re-send
                          packet queues. As said for port_steal_delay, you
                          have to tune this option to the lowest acceptable
                          value.



       ndp_poison_warm_up This option operates like arp_poison_warm_up. When
                          the poisoning process starts, it controls the NDP
                          poison delay for the first 5 poisons (to be sure the
                          poisoning process has been successful). After the
                          first 5 poisons, the delay is increased (to keep up
                          the poisoning). The value should be lower than
                          ndp_poison_delay. The value is in seconds.
                          The same delay is used when the victims are restored
                          to their original associations when ettercap is
                          closed.


       ndp_poison_delay   This option is similar to arp_poison_delay. It
                          controls the delay in seconds between the poisoned
                          NDP packets sent to poison the victims' neighbor
                          cache. This value may be increased to hide from
                          IDSs, but increasing it also increases the
                          probability of losing race conditions during
                          neighbor discovery and of missing some packets.


       ndp_poison_send_delay
                          This option controls the delay in microseconds
                          between consecutive poisoned NDP packets. This value
                          may be increased to hide from IDSs, but increasing
                          it also increases the probability of losing race
                          conditions during neighbor discovery and of missing
                          some packets.


       ndp_poison_icmp    Enable the sending of a spoofed ICMPv6 message to
                          make the targets perform neighbor discovery. This
                          will create an entry in the host's neighbor cache,
                          so ettercap will be able to win the race condition
                          and poison the target. Useful against targets that
                          do not accept neighbor advertisements if the entry
                          is not already in the cache.


       ndp_poison_equal_mac
                          Set this option to 0 if you want to skip the NDP
                          poisoning of two hosts with the same MAC address.
                          This may happen if a NIC has one or more aliases on
                          the same network.


       icmp6_probe_delay  This option defines the time in seconds ettercap
                          waits for active IPv6 nodes to respond to the ICMP
                          probes. Decreasing this value could cause replies
                          from active IPv6 nodes to be missed, and hence those
                          nodes to be missing from the host list. Increasing
                          the value usually has no effect; nodes normally
                          manage to answer within the default delay.

                          NOTE: the ndp and icmp6 options are only available
                          if ettercap has been built with IPv6 support.



   [connections]

       connection_timeout Every time a new connection is discovered, ettercap
                          allocates the needed structures. After a
                          customizable timeout, these structures are freed to
                          keep the memory usage low. This variable represents
                          that timeout. The value is expressed in seconds.
                          This timeout is applied to the session tracking
                          system as well (the protocol state machine for
                          dissectors).


       connection_idle    The number of seconds to wait before a connection is
                          marked as IDLE.


       connection_buffer  This variable controls the size of the buffer
                          linked to each connection. Every sniffed packet is
                          added to the buffer, and when the buffer is full the
                          older packets are deleted to make room for newer
                          ones. This buffer is useful to view data that went
                          over the wire before you selected a specific
                          connection to view. The higher this value, the
                          higher ettercap's memory occupation. Note that the
                          buffer is dynamic: if you set a buffer of 100,000
                          bytes it is not allocated all at once at the first
                          packet of a connection, but is filled as packets
                          arrive.


       connect_timeout    The timeout in seconds when using the connect()
                          syscall. Increase it if you get a "Connection
                          timeout" error. This option has nothing to do with
                          connections sniffed by ettercap. It is a timeout for
                          the connections made by ettercap to other hosts (for
                          example when fingerprinting a remote host).




   [stats]

       sampling_rate      Ettercap keeps some statistics on the processing
                          time of the bottom half (the sniffer) and top half
                          (the protocol decoder). These statistics are made
                          on the average processing time of sampling_rate
                          packets. You can decrease this value to have a more
                          accurate real-time picture of processing time, or
                          increase it to have a smoother picture. The total
                          average will not change, but the worst value will be
                          heavily influenced by this value.




   [misc]

       close_on_eof       When reading from a dump file and using the console
                          or daemon UI, this variable determines what action
                          is taken on EOF. It is a boolean value. If set to 1,
                          ettercap will close itself (useful in scripts).
                          Otherwise the session will continue waiting for user
                          input.


       store_profiles     Ettercap collects in memory a profile for each host
                          it detects. Users and passwords are collected there.
                          If you want to run ettercap in the background
                          logging all the traffic, you may want to disable the
                          in-memory collection to save system memory. Set this
                          option to 0 (zero) to disable profile collection. A
                          value of 1 will enable collection for all the hosts,
                          2 will collect only local hosts and 3 only remote
                          hosts (a host is considered remote if it does not
                          belong to the netmask).


       aggressive_dissectors
                          Some dissectors (such as SSH and HTTPS) need to
                          modify the payload of the packets in order to
                          collect passwords and perform a decryption attack.
                          Because they alter the traffic, these dissectors are
                          not passive and can be noticed by the endpoints. If
                          you want to disable these "dangerous" dissectors
                          altogether, set this value to 0.


       skip_forwarded     If you set this value to 0 you will sniff even
                          packets forwarded by ettercap or by the kernel. This
                          will generate duplicate packets in conjunction with
                          the arp mitm method (for example). It could be
                          useful while running ettercap in unoffensive mode on
                          a host with more than one network interface (waiting
                          for the multiple-interface feature...).


       checksum_warning   If you set the value to 0, the messages about
                          incorrect checksums will not be displayed in the
                          user messages window (nor logged to a file with -m).
                          Note that this option does not disable the check on
                          the packets, but only prevents the message from
                          being displayed (see below).


       checksum_check     This option is used to completely disable the
                          checksum verification on the packets that ettercap
                          receives. The check is performed to avoid ettercap
                          being spotted through bad-checksum packets (see
                          Phrack 60.12). If you disable the check, you will be
                          able to sniff even badly checksummed packets, but you
                          will be spotted if someone is searching for you...



   [dissectors]

       protocol_name      This value represents the port on which the
                          protocol dissector has to be bound. A value of 0
                          will disable the dissector. The name of the variable
                          is the same as the protocol name. You can specify a
                          non-standard port for each dissector as well as
                          multiple ports. The syntax for multiport selection
                          is the following: port1,port2,port3,...
                          NOTE: some dissectors are conditionally compiled.
                          This means that, depending on the libraries found on
                          your system, some dissectors will be enabled and
                          some others will not. By default etter.conf contains
                          all supported dissectors. If you get a "FATAL:
                          Dissector "xxx" does not exists (etter.conf line
                          yy)" error, you have to comment out line yy in
                          etter.conf.



   [curses]

       color              You can customize the colors of the curses GUI.
                          Simply set a field to one of the following values
                          and look at the GUI aspect :)
                          Here is the list of values: 0 Black, 1 Red, 2 Green,
                          3 Yellow, 4 Blue, 5 Magenta, 6 Cyan, 7 White



   [strings]

       utf8_encoding      Specifies the encoding to be used while displaying
                          the packets in UTF-8 format. Use the `iconv --list`
                          command for a list of supported encodings.


       remote_browser     This command is executed by the remote_browser
                          plugin each time it catches a good URL request in an
                          HTTP connection. The command should accept 2
                          parameters:

                          %host  the Host: tag in the HTTP header. Used to
                                 create the full request in the browser.

                          %url   the page requested inside the GET request.

                          Both values are taken verbatim from the sniffed
                          request, so the command receives untrusted input.


       redir_command_on   You must provide a valid command (or script) to
                          enable TCP redirection at the kernel level in order
                          to be able to use SSL dissection. Your script should
                          accept 3 parameters:

                          %iface The network interface on which the rule must
                                 be set

                          %port  The port of the packets to be redirected
                                 (443 for HTTPS, 993 for imaps, etc).

                          %rport The internally bound port on which ettercap
                                 listens for connections.

                          NOTE: this command is executed with an execve(), so
                          you cannot use pipes or output redirection as if you
                          were in a shell. We suggest you write a script if
                          you need those. Since the command named here runs
                          with ettercap's privileges, keep etter.conf and the
                          script owned by root and not writable by others.


       redir_command_off  This script is used to remove the redirect rules
                          applied by 'redir_command_on'. Note that this script
                          is called at exit, after ettercap has dropped its
                          privileges to ec_uid, so it does not run as root.
                          You should provide a setuid program or set ec_uid to
                          0 in order to be sure that the script is executed
                          successfully.
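
       The redirection hook described under redir_command_on and
       redir_command_off, written out as one script that handles both
       directions. This is an added example and is not shipped with
       ettercap: the install path, the "on"/"off" first argument and the
       use of an iptables REDIRECT rule in the nat table are assumptions.
       The script validates the three substituted parameters before they
       reach iptables, because it runs as root and the values arrive
       through execve() exactly as ettercap formats them.

```shell
#!/bin/sh
# ec-redir.sh: add/remove the kernel TCP redirect that ettercap's SSL
# dissection needs. Added example, not shipped with ettercap.
#
# ettercap starts the command with execve(), so '&&', '|' and redirections
# are not available on the etter.conf line itself; everything that needs a
# shell lives in this script. Assumed etter.conf entries (the path is an
# assumption, install the script wherever you keep root-owned tools):
#
#   redir_command_on  = "/usr/local/sbin/ec-redir.sh on %iface %port %rport"
#   redir_command_off = "/usr/local/sbin/ec-redir.sh off %iface %port %rport"
#
# The "off" call is made at exit, after ettercap has dropped to ec_uid, so
# either set ec_uid = 0 or give this script a setuid wrapper (see the man page).

set -u

# Interface names: letters, digits and a few punctuation characters only.
# The arguments come from ettercap, but the script runs as root, so nothing
# unexpected is passed on to iptables.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
    return 0
}

# Ports: a decimal number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The rule specification shared by add (-A), delete (-D) and check (-C), so
# that the three can never drift apart.
redir_rule_spec() {
    printf 'PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-port %s' "$1" "$2" "$3"
}

# Print the full iptables command for "on" or "off"; status 2 on bad input.
redir_command() {
    [ "$#" -eq 4 ] || return 2
    valid_iface "$2" && valid_port "$3" && valid_port "$4" || return 2
    case "$1" in
        on)  flag=-A ;;
        off) flag=-D ;;
        *)   return 2 ;;
    esac
    printf 'iptables -t nat %s %s\n' "$flag" "$(redir_rule_spec "$2" "$3" "$4")"
}

# Apply the command. For "on", an identical rule that is already present
# (e.g. left over from a run whose "off" hook failed) is not added twice.
ec_redir() {
    if ! cmd=$(redir_command "$@"); then
        echo "usage: $0 on|off <iface> <port> <rport>" >&2
        return 2
    fi
    if [ "$1" = on ] && iptables -t nat -C $(redir_rule_spec "$2" "$3" "$4") 2>/dev/null; then
        return 0
    fi
    # Intentional word splitting: $cmd was built from vetted arguments above.
    $cmd
}

# Dispatch only when invoked with arguments, as ettercap does.
[ "$#" -gt 0 ] && ec_redir "$@"
```

       redir_command prints the exact iptables invocation for a given
       argument set, so the validation can be checked without root; the
       "on" path additionally uses "iptables -C" to skip a rule that is
       already installed, which matters when a previous session's
       redir_command_off never ran because of the privilege drop noted
       above.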

ORIGINAL AUTHORS
       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>

PROJECT STEWARDS
       Emilio Escobar (exfil) <eescobar@gmail.com>
       Eric Milam (Brav0Hax) <jbrav.hax@gmail.com>

OFFICIAL DEVELOPERS
       Mike Ryan (justfalter) <falter@gmail.com>
       Gianfranco Costamagna (LocutusOfBorg) <costamagnagianfranco@yahoo.it>
       Antonio Collarino (sniper) <anto.collarino@gmail.com>
       Ryan Linn <sussuro@happypacket.net>
       Jacob Baines <baines.jacob@gmail.com>

CONTRIBUTORS
       Dhiru Kholia (kholia) <dhiru@openwall.com>
       Alexander Koeppe (koeppea) <format_c@online.de>
       Martin Bos (PureHate) <purehate@backtrack.com>
       Enrique Sanchez
       Gisle Vanem <giva@bgnett.no>
       Johannes Bauer <JohannesBauer@gmx.de>
       Daten (Bryan Schneiders) <daten@dnetc.org>

SEE ALSO
       ettercap(8) ettercap_curses(8) ettercap_plugins(8) etterlog(8)
       etterfilter(8) ettercap-pkexec(8)

ettercap 0.8.2                                                   ETTER.CONF(5)