ETTER.CONF(5)                 File Formats Manual                ETTER.CONF(5)


NAME

       etter.conf - Ettercap configuration file


DESCRIPTION

       etter.conf is the configuration file that determines ettercap's
       behaviour. It is always loaded at startup and sets a number of
       attributes that are used at runtime.

       The file contains entries of the form:

              [section]
              entry = value
              ...

       Each entry defines a variable that can be customized. Every value
       MUST be an integer, except in the [strings] section, whose values
       are quoted strings (see below). Sections are used only to group
       related variables together.

       NOTE: if you omit a variable in the conf file, it will be
       initialized with the value 0. Leaving critical variables such as
       "arp_poison_delay" or "connection_timeout" uninitialized is
       strongly discouraged: with arp_poison_delay at 0 the poison
       packets are sent without any pause between them, and with
       connection_timeout at 0 connection state (including the
       dissectors' session state) expires as soon as it is created.
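       As an added example (not part of this man page or of the ettercap
       sources), the following POSIX shell script lints an etter.conf
       against the rules above: outside [strings] every value must be an
       integer (the [dissectors] section may also use the
       port1,port2,... form described later on this page), and the two
       variables the page names as critical, arp_poison_delay and
       connection_timeout, must be present and non-zero because an
       omitted variable silently becomes 0. The sample file it checks is
       constructed for this page and deliberately contains three
       mistakes; the assumption that "#" starts a comment matches the
       shipped etter.conf.

```sh
#!/bin/sh
# etter-lint: check an etter.conf for the mistakes this man page warns about.
# Added example, not ettercap's own code. Assumes "#" starts a comment and that
# the [strings] section holds quoted strings rather than integers.

CRITICAL_VARS="arp_poison_delay connection_timeout"   # the page names these two

# check_etter_conf FILE: print one finding per line; exit 0 if clean, 1 otherwise
check_etter_conf() {
    awk -v critical="$CRITICAL_VARS" '
    BEGIN {
        bad = 0
        n = split(critical, crit, " ")
        for (i = 1; i <= n; i++) seen[crit[i]] = ""
    }
    { sub(/#.*/, "") }                         # strip trailing comments
    /^[[:space:]]*$/ { next }                  # skip blank / comment-only lines
    /^[[:space:]]*\[[^]]+\][[:space:]]*$/ {    # "[section]" header
        section = $0
        sub(/^[[:space:]]*\[/, "", section)
        sub(/\][[:space:]]*$/, "", section)
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) {
            printf "line %d: not of the form entry = value\n", NR
            bad = 1
            next
        }
        name = substr($0, 1, eq - 1)
        value = substr($0, eq + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", value)
        if (name in seen) seen[name] = value
        if (section == "strings") next                      # quoted strings live here
        if (section == "dissectors" && value ~ /^[0-9]+(,[0-9]+)*$/) next
        if (value !~ /^-?[0-9]+$/) {
            printf "line %d: [%s] %s = %s is not an integer\n", NR, section, name, value
            bad = 1
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            v = crit[i]
            if (seen[v] == "")
                printf "missing %s (ettercap would use 0)\n", v
            else if (seen[v] == "0")
                printf "%s = 0 is almost certainly wrong\n", v
            else
                continue
            bad = 1
        }
        exit bad
    }' "$1"
}

# write_sample FILE: a constructed etter.conf fragment, not a real one.
# Mistakes on purpose: arp_poison_delay = 0, a string where an integer is
# required, and connection_timeout missing entirely.
write_sample() {
    cat > "$1" <<'EOF'
[privs]
ec_uid = 65534          # nobody
[mitm]
arp_storm_delay = 10
arp_poison_delay = 0    # left at 0: poisons would be sent without a pause
arp_poison_smart = yes  # a string where an integer is required
[connections]
connection_buffer = 10000
[dissectors]
http = 80,8080          # the multi-port form is allowed here
[strings]
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
EOF
}

# demo: lint the constructed sample; returns the linter's exit status
demo() {
    f=$(mktemp) || return 1
    write_sample "$f"
    rc=0
    check_etter_conf "$f" || rc=$?
    rm -f "$f"
    return $rc
}

# With one argument, lint that file (e.g. /etc/ettercap/etter.conf).
if [ $# -eq 1 ]; then
    check_etter_conf "$1"
fi
```

       Run it as "sh etter-lint.sh /etc/ettercap/etter.conf"; sourced
       with no argument it only defines the functions, and "demo" shows
       the three findings on the sample. The awk program is deliberately
       strict: a value it cannot parse is reported rather than guessed
       at, because ettercap itself would silently turn a mistake into 0.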

       The following is a list of available variables:


       [privs]

       ec_uid              This variable specifies the UID to which
                           privileges are dropped at startup. After the
                           link-layer socket has been opened, privileges
                           are dropped to a uid different from root for
                           security reasons. etter.conf is the only file
                           that is read with root privileges, so make
                           sure the specified uid has enough rights to
                           read the other files (etter.*). You can
                           override this variable by setting the
                           environment variable EC_UID.



       [mitm]

       arp_storm_delay     The value represents the milliseconds to wait
                           between two consecutive packets during the
                           initial ARP scan. You can increase this value
                           to be less aggressive at startup. The
                           randomized scan plus a high delay can fool
                           some types of ARP scan detectors.


       arp_poison_smart    With this variable set, only 3 initial
                           poisoned ARP messages are sent to the
                           victims. The poisoned state is then kept up
                           by ettercap answering the ARP requests that
                           victims send to refresh their ARP cache. This
                           makes the ARP poisoning very stealthy but may
                           be unreliable on shared media such as WiFi.


       arp_poison_warm_up  When the poisoning process starts, the
                           inter-packet delay is low for the first 5
                           poisons (to be sure the poisoning has
                           succeeded). After the first 5 poisons the
                           delay is increased (to keep up the
                           poisoning). This variable controls the delay
                           for the first 5 poisons. The value is in
                           seconds.
                           The same delay is used when the victims are
                           restored to their original associations
                           (RE-ARPing) when ettercap is closed.


       arp_poison_delay    This variable controls the poisoning delay
                           after the first 5 poisons. The value is
                           expressed in seconds. You can increase this
                           value (to try to fool an IDS) up to the
                           timeout of the ARP cache (which depends on
                           the poisoned operating system).


       arp_poison_icmp     Enable the sending of a spoofed ICMP message
                           to force the targets to make an ARP request.
                           This creates an ARP entry in the host's
                           cache, so ettercap can win the race condition
                           and poison the target. Useful against targets
                           that do not accept gratuitous ARP if the
                           entry is not already in the cache.


       arp_poison_reply    Use ARP replies to poison the targets. This
                           is the classic attack.


       arp_poison_request  Use ARP requests to poison the targets.
                           Useful against targets that cache even the
                           addresses carried in ARP requests.


       arp_poison_equal_mac
                           Set this option to 0 if you want to skip the
                           poisoning of two hosts with the same MAC
                           address. This may happen if a NIC has one or
                           more aliases on the same network.


       dhcp_lease_time     This is the lease time (in seconds) for a
                           DHCP assignment. You can lower this value to
                           allow the victims to receive a correct DHCP
                           reply after you have stopped your attack.
                           Using higher lease times can seriously mess
                           up your network after the attack has
                           finished. On the other hand some clients will
                           prefer a higher lease time, so you may have
                           to increase it to win the race against the
                           real server.


       port_steal_delay    This is the delay time (in milliseconds)
                           between stealing packets for the "port" mitm
                           method. With low delays you will be able to
                           intercept more packets, but you will generate
                           more traffic. You have to tune this value to
                           find a good balance between the number of
                           intercepted packets, re-transmitted packets
                           and lost packets. This value depends on
                           full/half duplex channels, network drivers
                           and adapters, general network configuration
                           and hardware.



       port_steal_send_delay
                           This is the delay time (in microseconds)
                           between packets when the "port" mitm method
                           has to re-send queued packets. As said for
                           port_steal_delay, you have to tune this
                           option to the lowest acceptable value.



       ndp_poison_warm_up  This option operates like arp_poison_warm_up.
                           When the poisoning process starts, this
                           option controls the NDP poison delay for the
                           first 5 poisons (to be sure the poisoning has
                           succeeded). After the first 5 poisons the
                           delay is increased (to keep up the
                           poisoning). The value should be lower than
                           ndp_poison_delay. The value is in seconds.
                           The same delay is used when the victims are
                           restored to their original associations when
                           ettercap is closed.


       ndp_poison_delay    This option is similar to arp_poison_delay.
                           It controls the delay in seconds between the
                           poisoned NDP packets sent to poison the
                           victim's neighbor cache. This value may be
                           increased to hide from IDSs, but a higher
                           value also raises the probability of losing
                           the race during neighbor discovery and of
                           missing some packets.


       ndp_poison_send_delay
                           This option controls the delay in
                           microseconds between the individual poisoned
                           NDP packets. This value may be increased to
                           hide from IDSs, but a higher value also
                           raises the probability of losing the race
                           during neighbor discovery and of missing
                           some packets.


       ndp_poison_icmp     Enable the sending of a spoofed ICMPv6
                           message to make the targets perform neighbor
                           discovery. This creates an entry in the
                           host's neighbor cache, so ettercap can win
                           the race condition and poison the target.
                           Useful against targets that do not accept
                           neighbor advertisements if the entry is not
                           already in the cache.


       ndp_poison_equal_mac
                           Set this option to 0 if you want to skip the
                           NDP poisoning of two hosts with the same MAC
                           address. This may happen if a NIC has one or
                           more aliases on the same network.


       icmp6_probe_delay   This option defines the time in seconds
                           ettercap waits for active IPv6 nodes to
                           respond to the ICMP probes. Decreasing this
                           value could cause replies from active IPv6
                           nodes to be missed, and hence those nodes to
                           be missing from the host list. Increasing
                           the value usually has no effect; nodes
                           normally manage to answer within the default
                           delay.

                           NOTE: The ndp and icmp6 options are only
                           available if ettercap has been built with
                           IPv6 support.



       [connections]

       connection_timeout  Every time a new connection is discovered,
                           ettercap allocates the needed structures.
                           After a customizable timeout these structures
                           are freed to keep memory usage low. This
                           variable represents that timeout. The value
                           is expressed in seconds. This timeout is
                           applied to the session tracking system as
                           well (the protocol state machines used by the
                           dissectors).


       connection_idle     The number of seconds to wait before a
                           connection is marked as IDLE.


       connection_buffer   This variable controls the size of the buffer
                           linked to each connection. Every sniffed
                           packet is added to the buffer and when the
                           buffer is full the older packets are deleted
                           to make room for newer ones. This buffer is
                           useful to view data that went over the wire
                           before you selected a specific connection for
                           viewing. The higher this value, the higher
                           ettercap's memory usage. The buffer is
                           dynamic, though: if you set a buffer of
                           100,000 bytes it is not allocated all at once
                           at the first packet of a connection, but
                           filled as packets arrive.


       connect_timeout     The timeout in seconds when using the
                           connect() syscall. Increase it if you get a
                           "Connection timeout" error. This option has
                           nothing to do with connections sniffed by
                           ettercap. It is a timeout for the connections
                           made by ettercap to other hosts (for example
                           when fingerprinting a remote host).




       [stats]

       sampling_rate       Ettercap keeps some statistics on the
                           processing time of the bottom half (the
                           sniffer) and top half (the protocol decoder).
                           These statistics are computed as the average
                           processing time over sampling_rate packets.
                           You can decrease this value to get a more
                           accurate real-time picture of processing time
                           or increase it to get a smoother picture. The
                           total average will not change, but the worst
                           value will be heavily influenced by this
                           setting.




       [misc]

       close_on_eof        When reading from a dump file and using the
                           console or daemon UI, this variable
                           determines what action is taken on EOF. It
                           is a boolean value. If set to 1 ettercap will
                           close itself (useful in scripts). Otherwise
                           the session will continue, waiting for user
                           input.


       store_profiles      Ettercap collects in memory a profile for
                           each host it detects. Users and passwords are
                           collected there. If you want to run ettercap
                           in the background logging all the traffic,
                           you may want to disable the in-memory
                           collection to save system memory. Set this
                           option to 0 (zero) to disable profile
                           collection. A value of 1 will enable
                           collection for all the hosts, 2 will collect
                           only local hosts and 3 only remote hosts (a
                           host is considered remote if it does not
                           belong to the netmask).


       aggressive_dissectors
                           Some dissectors (such as SSH and HTTPS) need
                           to modify the payload of the packets in order
                           to collect passwords and perform a decryption
                           attack. If you want to disable all the
                           "dangerous" dissectors at once, set this
                           value to 0.


       skip_forwarded      If you set this value to 0 you will sniff
                           even the packets forwarded by ettercap or by
                           the kernel. This will generate duplicate
                           packets in conjunction with the arp mitm
                           method (for example). It could be useful
                           while running ettercap in unoffensive mode on
                           a host with more than one network interface
                           (waiting for the multiple-interface
                           feature...)


       checksum_warning    If you set the value to 0 the messages about
                           incorrect checksums will not be displayed in
                           the user messages window (nor logged to a
                           file with -m). Note that this option does not
                           disable the check on the packets, it only
                           prevents the message from being displayed
                           (see below).


       checksum_check      This option is used to completely disable the
                           check on the checksum of the packets that
                           ettercap receives. The check is performed to
                           avoid ettercap being spotted through packets
                           with bad checksums (see Phrack 60.12). If you
                           disable the check, you will be able to sniff
                           even packets with bad checksums, but you will
                           be spotted if someone is searching for
                           you...


       sniffing_at_startup If this option is set to 1, then ettercap
                           will immediately start unified or bridged
                           sniffing after the setup phase has been
                           completed. This option helps to avoid
                           traffic being blocked when a MITM technique
                           has been started but sniffing was forgotten.
                           Therefore this option is set to 1 by
                           default.
                           If this behaviour is not desired, set it to
                           0 to control the status of unified or bridged
                           sniffing manually after ettercap has started.
                           Sniffing can be stopped and started at any
                           time while ettercap runs.


       geoip_support_enable
                           This option controls whether GeoIP
                           information is looked up for IP addresses.
                           It only has an effect if ettercap has been
                           built with GeoIP support.


       gtkui_prefer_dark_theme
                           This option tries to enforce the dark variant
                           of the applied theme. However, this only has
                           an effect if the applied theme provides a
                           dark variant. Normally the desktop
                           environment controls the theme of
                           applications, but some lightweight desktop
                           environments do not offer a configuration
                           option for dark themes even when the theme
                           provides a dark variant. To leave the theme
                           variant setting to the desktop environment,
                           this option is set to 0 by default.
                           NOTE: This option is only relevant in GTK
                           mode and if ettercap has been built with full
                           GTK3 support.



       [dissectors]

       protocol_name       This value represents the port on which the
                           protocol dissector has to be bound. A value
                           of 0 will disable the dissector. The name of
                           the variable is the same as the protocol
                           name. You can specify a non-standard port for
                           each dissector, as well as multiple ports.
                           The syntax for multi-port selection is the
                           following: port1,port2,port3,...
                           NOTE: some dissectors are conditionally
                           compiled. This means that depending on the
                           libraries found on your system some
                           dissectors will be enabled and some others
                           will not. By default etter.conf contains all
                           supported dissectors. If you get a "FATAL:
                           Dissector "xxx" does not exists (etter.conf
                           line yy)" error, you have to comment out
                           line yy in etter.conf.



       [curses]

       color               You can customize the colors of the curses
                           GUI. Simply set a field to one of the
                           following values and look at the GUI aspect
                           :)
                           Here is the list of values: 0 Black, 1 Red,
                           2 Green, 3 Yellow, 4 Blue, 5 Magenta, 6 Cyan,
                           7 White



       [strings]

       utf8_encoding       Specifies the encoding to be used while
                           displaying the packets in UTF-8 format. Use
                           the `iconv --list` command for a list of
                           supported encodings.


       remote_browser      This command is executed by the
                           remote_browser plugin each time it catches a
                           suitable URL request in an HTTP connection.
                           The command should accept 2 parameters:

                           %host  the Host: header of the HTTP request.
                                  Used to build the full request for the
                                  browser.

                           %url   The page requested in the GET request.


       redir_command_on    You must provide a valid command (or script)
                           to enable TCP redirection at the kernel level
                           in order to be able to use SSL dissection.
                           Your script should accept 5 parameters:

                           %iface The network interface on which the
                                  rule must be set

                           %source
                                  The source IP or network matching the
                                  packets to be redirected (default is
                                  0.0.0.0/0, ::/0 resp. or any)

                           %destination
                                  The destination IP or network matching
                                  the packets to be redirected (default
                                  is 0.0.0.0/0, ::/0 resp. or any)

                           %port  The destination port (as seen from the
                                  client) of the packets to be
                                  redirected (443 for HTTPS, 993 for
                                  imaps, etc).

                           %rport The internally bound port on which
                                  ettercap listens for the redirected
                                  connections.

                           NOTE: this command is executed with an
                           execve(), so you cannot use pipes or output
                           redirection as you would in a shell. If you
                           need those, wrap the commands in a script.

                           NOTE: for this to work, you must set ec_uid
                           to a UID that is privileged to execute the
                           redir_command, or provide a setuid program.


       redir_command_off   This script is used to remove the redirect
                           rules applied by 'redir_command_on'. Note
                           that this script is called atexit(), that is
                           after privileges have been dropped, so it
                           does not run with high privileges. You should
                           provide a setuid program or set ec_uid to 0
                           in order to be sure that the script is
                           executed successfully.
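
       As an added example, not ettercap's own code: one script that can
       serve as both redir_command_on and redir_command_off. Because
       ettercap hands the five substituted parameters straight to
       execve(), anything that needs a shell (choosing iptables or
       ip6tables from the address family, leaving out -s/-d when the
       value is "any", running several rules) has to live inside the
       script. The etter.conf lines in the header comment, the script
       path and the leading on/off argument are this example's own
       conventions; the rule it builds (nat table, PREROUTING chain,
       REDIRECT target matching --dport %port and bouncing to
       --to-ports %rport) is the standard Linux local redirect.

```sh
#!/bin/sh
# ec-redir: kernel-level TCP redirection for ettercap's SSL dissection.
# Added example, not part of ettercap. Assumed etter.conf lines (the path and
# the leading on/off word are this script's convention):
#   redir_command_on  = "/usr/local/sbin/ec-redir on  %iface %source %destination %port %rport"
#   redir_command_off = "/usr/local/sbin/ec-redir off %iface %source %destination %port %rport"
# Install it setuid-root or run ettercap with ec_uid = 0: the "off" side is
# called at exit, after privileges have been dropped.

# redir_rule on|off IFACE SOURCE DESTINATION PORT RPORT
# Prints the iptables/ip6tables command for one REDIRECT rule (-A to add,
# -D to delete) without running it, so the decision logic can be checked.
redir_rule() {
    action=$1 iface=$2 src=$3 dst=$4 port=$5 rport=$6
    case "$action" in
        on)  op=-A ;;
        off) op=-D ;;
        *)   echo "usage: $0 on|off iface source destination port rport" >&2
             return 2 ;;
    esac
    # ettercap passes ::/0 (or a v6 prefix) when dissecting IPv6; a colon
    # in either address selects the v6 tool (assumption: no v4/v6 mix).
    case "$src$dst" in
        *:*) tool=ip6tables ;;
        *)   tool=iptables ;;
    esac
    # "any" is ettercap's wording for an unconstrained match: omit -s / -d
    set -- -t nat "$op" PREROUTING -i "$iface"
    [ "$src" = any ] || set -- "$@" -s "$src"
    [ "$dst" = any ] || set -- "$@" -d "$dst"
    set -- "$@" -p tcp --dport "$port" -j REDIRECT --to-ports "$rport"
    printf '%s' "$tool"
    printf ' %s' "$@"
    printf '\n'
}

# Only act when invoked by ettercap with all six arguments; sourcing the
# file or running it without arguments just defines the function.
if [ $# -eq 6 ]; then
    cmd=$(redir_rule "$@") || exit $?
    # The rule contains interface names, CIDRs and numbers only, so plain
    # word splitting is safe here.
    exec $cmd
fi
```

       With ec_uid set to an unprivileged user, the "on" side runs while
       ettercap still has root (it is executed before the drop) but the
       "off" side does not, which is exactly the case the man page warns
       about: without the setuid bit the redirect rule outlives the
       session and keeps bouncing port 443 traffic into a closed port.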

ORIGINAL AUTHORS

       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>


PROJECT STEWARDS

       Emilio Escobar (exfil)  <eescobar@gmail.com>
       Eric Milam (Brav0Hax)  <jbrav.hax@gmail.com>


OFFICIAL DEVELOPERS

       Mike Ryan (justfalter)  <falter@gmail.com>
       Gianfranco Costamagna (LocutusOfBorg)  <costamagnagianfranco@yahoo.it>
       Antonio Collarino (sniper)  <anto.collarino@gmail.com>
       Ryan Linn   <sussuro@happypacket.net>
       Jacob Baines   <baines.jacob@gmail.com>


CONTRIBUTORS

       Dhiru Kholia (kholia)  <dhiru@openwall.com>
       Alexander Koeppe (koeppea)  <format_c@online.de>
       Martin Bos (PureHate)  <purehate@backtrack.com>
       Enrique Sanchez
       Gisle Vanem  <giva@bgnett.no>
       Johannes Bauer  <JohannesBauer@gmx.de>
       Daten (Bryan Schneiders)  <daten@dnetc.org>



SEE ALSO

       ettercap(8) ettercap_curses(8) ettercap_plugins(8) etterlog(8)
       etterfilter(8) ettercap-pkexec(8)

ettercap 0.8.2                                                   ETTER.CONF(5)