ETTERCAP-PLUGINS(8)          System Manager's Manual         ETTERCAP-PLUGINS(8)

NAME
   ettercap-plugins NG-0.7.3 - A collection of plugins for ettercap

DESCRIPTION
   Ettercap(8) supports loadable modules at runtime. They are called
   plugins and they come with the source tarball. They are automatically
   compiled if your system supports them, unless you pass the
   --disable-plugins option to the configure script.
   Some of the older ettercap plugins (roper, banshee, and so on) have not
   been ported to the new version. However, you can achieve the same
   results with the new filtering engine.
   In interactive mode, most plugins need you to "Start Sniff" before you
   use them.

   To list the plugins installed on your system, run:

       ettercap -P list

   The following plugins are available:

   arp_cop

       It reports suspicious ARP activity by passively monitoring ARP
       requests/replies. It can report ARP poisoning attempts, or simple
       IP conflicts or IP changes. If you build the initial host list
       the plugin will run more accurately.

       example:

           ettercap -TQP arp_cop //


   autoadd

       It will automatically add new victims to the ARP poisoning mitm
       attack when they come up. It looks for ARP requests on the LAN
       and, when one is detected, it adds the host to the victims list
       if it was specified in the TARGET. The host is added when an ARP
       request is seen from it, since communicating hosts are alive :)


   chk_poison

       It checks whether the ARP poisoning module of ettercap was
       successful. It sends spoofed ICMP echo packets to all the victims
       of the poisoning, pretending to be each of the other targets. If
       we catch an ICMP reply with our MAC address as destination, the
       poisoning between those two targets is successful. It checks
       both directions of each communication.
       This plugin makes sense only where poisoning makes sense. The
       test fails if you specify only one target in silent mode. You
       can't run this plugin from the command line because the
       poisoning process is not started yet. You have to launch it from
       the proper menu.


   dns_spoof

       This plugin intercepts DNS queries and replies with a spoofed
       answer. You can choose which address the plugin replies with by
       modifying the etter.dns file. The plugin intercepts A, PTR and
       MX requests. If it was an A request, the name is searched in the
       file and the IP address is returned (you can use wildcards in
       the name). If it was a PTR request, the IP is searched in the
       file and the name is returned (except for names containing a
       wildcard). In case of an MX request a special reply is crafted:
       the host is resolved with a fake host 'mail.host' and the
       additional record contains the IP address of 'mail.host'. The
       first address or name that matches is returned, so be careful
       with the order.

   dos_attack

       This plugin runs a DoS attack against a victim IP address. It
       first "scans" the victim to find open ports, then starts to
       flood these ports with SYN packets, using a "phantom" address as
       source IP. Then it uses fake ARP replies to intercept packets
       for the phantom host. When it receives a SYN-ACK from the
       victim, it replies with an ACK packet, creating an ESTABLISHED
       connection. You have to use a free IP address in your subnet to
       create the "phantom" host (you can use find_ip for this
       purpose). You can't run this plugin in unoffensive mode.
       This plugin is based on the original Naptha DoS attack
       (http://razor.bindview.com/publish/advisories/adv_NAPTHA.html)

       example:

           ettercap -TQP dos_attack

   dummy

       Only a template to demonstrate how to write a plugin.


   find_conn

       Very simple plugin that listens for ARP requests to show you all
       the targets a host wants to talk to. It can also help you find
       addresses in an unknown LAN.

       example:

           ettercap -TQzP find_conn

           ettercap -TQu -i eth0 -P find_conn


   find_ettercap

       Tries to identify ettercap packets sent on the LAN. It can be
       useful to detect whether someone is using ettercap. Do not rely
       on it 100%, since the tests are only on particular
       sequence/identification numbers.


   find_ip

       Finds the first unused IP address in the range specified by the
       user in the target list. Some other plugins (such as gre_relay)
       need an unused IP address of the LAN to create a "fake" host.
       It can also be useful to obtain an IP address in an unknown LAN
       where there is no DHCP server. You can use find_conn to
       determine the IP addressing of the LAN, and then find_ip. You
       have to build the host list to use this plugin, so you can't use
       it in unoffensive mode. If you don't have an IP address for your
       interface, give it a bogus one (e.g. if the LAN is
       192.168.0.0/24, use 10.0.0.1 to avoid a conflicting IP), then
       launch this plugin specifying the subnet range. You can run it
       either from the command line or from the proper menu.

       example:

           ettercap -TQP find_ip //

           ettercap -TQP find_ip /192.168.0.1-254/


   finger

       Uses the passive fingerprint capabilities to fingerprint a
       remote host. It does a connect() to the remote host to force the
       kernel to reply to the SYN with a SYN+ACK packet. The reply is
       collected and the fingerprint is displayed. The connect() obeys
       the connect_timeout parameter in etter.conf(5). You can specify
       a target on the command line or let the plugin ask for the
       target host to be fingerprinted. You can also specify multiple
       targets with the usual multi-target specification (see
       ettercap(8)). If you specify multiple ports, all the ports will
       be tested on all the IPs.

       example:

           ettercap -TzP finger /192.168.0.1/22
           ettercap -TzP finger /192.168.0.1-50/22,23,25


   finger_submit

       Use this plugin to submit a fingerprint to the ettercap website.
       If you found an unknown fingerprint but you know for sure the
       operating system of the target, you can submit it so that it
       will be inserted in the database in the next ettercap release.
       We need your help to increase the passive fingerprint database.
       Thank you very much.

       example:

           ettercap -TzP finger_submit

   gre_relay

       This plugin can be used to sniff GRE-redirected remote traffic.
       The basic idea is to create a GRE tunnel that sends all the
       traffic on a router interface to the ettercap machine. The
       plugin sends the GRE packets back to the router after ettercap
       "manipulation" (you can use "active" plugins such as smb_down,
       ssh decryption, filters, etc. on the redirected traffic). It
       needs a "fake" host where the traffic has to be redirected to
       (to avoid the kernel's responses). The "fake" IP will be the
       tunnel endpoint; the gre_relay plugin impersonates the "fake"
       host. To find an unused IP address for the "fake" host you can
       use the find_ip plugin. Based on the original Tunnelx technique
       by Anthony C. Zboralski published in
       http://www.phrack.org/show.php?p=56&a=10 by HERT.

   gw_discover

       This plugin tries to discover the gateway of the LAN by sending
       TCP SYN packets to a remote host. The packet has the destination
       IP of a remote host and the destination MAC address of a local
       host. If ettercap receives the SYN+ACK packet, the host which
       owns the source MAC address of the reply is the gateway. This
       operation is repeated for each host in the 'host list', so you
       need to have a valid host list before launching this plugin.

       example:

           ettercap -TP gw_discover /192.168.0.1-50/

   isolate

       The isolate plugin isolates a host from the LAN. It poisons the
       victim's ARP cache with its own MAC address associated with all
       the hosts it tries to contact. This way the host will not be
       able to contact other hosts, because the packets will never
       reach the wire.
       You can specify all the hosts or only a group. The target
       specification works this way: target1 is the victim and must be
       a single host; target2 can be a range of addresses and
       represents the hosts that will be blocked from the victim.

       examples:

           ettercap -TzqP isolate /192.168.0.1/ //
           ettercap -TP isolate /192.168.0.1/ /192.168.0.2-30/


   link_type

       It performs a check of the link type (hub or switch) by sending
       a spoofed ARP request and listening for replies. It needs at
       least one entry in the host list to perform the check. With two
       or more hosts the test will be more accurate.

       example:

           ettercap -TQP link_type /192.168.0.1/
           ettercap -TQP link_type //

   pptp_chapms1

       It forces the pptp tunnel to negotiate MS-CHAPv1 authentication
       instead of MS-CHAPv2, which is usually easier to crack (for
       example with LC4). You have to be in the "middle" of the
       connection to use it successfully. It hooks the ppp dissector,
       so you have to keep it active.

   pptp_clear

       Forces no compression/encryption for pptp tunnels during
       negotiation. It could fail if the client (or the server) is
       configured to drop the tunnel when no encryption is negotiated.
       You have to be in the "middle" of the connection to use it
       successfully. It hooks the ppp dissector, so you have to keep it
       active.

   pptp_pap

       It forces the pptp tunnel to negotiate PAP (cleartext)
       authentication. It could fail if PAP is not supported, if the
       pap_secret file is missing, or if Windows is configured with
       "automatic use of domain account" (it could fail for many other
       reasons too). You have to be in the "middle" of the connection
       to use it successfully. It hooks the ppp dissector, so you have
       to keep it active.

   pptp_reneg

       Forces re-negotiation on an existing pptp tunnel. You can force
       re-negotiation to grab passwords already sent. Furthermore, you
       can launch it to use pptp_pap, pptp_chapms1 or pptp_clear on
       existing tunnels (those plugins work only during the negotiation
       phase). You have to be in the "middle" of the connection to use
       it successfully. It hooks the ppp dissector, so you have to keep
       it active.

   rand_flood

       Floods the LAN with random MAC addresses. Some switches will
       fail open in repeating mode, facilitating sniffing. The delay
       between each packet is based on the port_steal_send_delay value
       in etter.conf.
       It is useful only on ethernet switches.

       example:

           ettercap -TP rand_flood


   remote_browser

       It sends to the browser the URLs sniffed through HTTP sessions,
       so you are able to see the web pages in real time. The command
       executed is configurable in the etter.conf(5) file. It sends to
       the browser only the GET requests and only for web pages,
       ignoring single requests for images or other amenities. Don't
       use it to view your own connection :)


   reply_arp

       Simple ARP responder. When it intercepts an ARP request for a
       host in the target lists, it replies with the attacker's MAC
       address.

       example:

           ettercap -TQzP reply_arp /192.168.0.1/
           ettercap -TQzP reply_arp //

   repoison_arp

       It solicits poisoning packets after broadcast ARP requests (or
       replies) from a poisoned host. For example: we are poisoning
       Group1 impersonating Host2. If Host2 makes a broadcast ARP
       request for Host3, it is possible that Group1 caches the right
       MAC address for Host2 contained in the ARP packet. This plugin
       re-poisons Group1's cache immediately after a legal broadcast
       ARP request (or reply).
       This plugin is effective only during an ARP poisoning session.
       In conjunction with the reply_arp plugin, repoison_arp is a good
       support for the standard ARP poisoning mitm method.

       example:

           ettercap -T -M arp:remote -P repoison_arp /192.168.0.10-20/ /192.168.0.1/

   scan_poisoner

       Checks if someone is poisoning between some host in the list and
       us. First of all it checks if two hosts in the list have the
       same MAC address. This could mean that one of them is poisoning
       us pretending to be the other. It could generate many false
       positives in a proxy-ARP environment. You have to build the host
       list to perform this check. After that, it sends ICMP echo
       packets to each host in the list and checks if the source MAC
       address of the reply differs from the address we have stored in
       the list for that IP. This could mean that someone is poisoning
       that host pretending to have our IP address and forwarding the
       intercepted packets to us. You can't perform this active test in
       unoffensive mode.

       example:

           ettercap -TQP scan_poisoner //

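Added example, not ettercap's own code: a minimal Python version of the passive checks that arp_cop describes above (a reply or request whose sender MAC contradicts the binding already learned for that IP) together with the first scan_poisoner check (one MAC bound to several IPs in the host list). The frame builder exists only to construct sample input; names such as ArpCop and build_arp are this example's own.

```python
import struct
from collections import defaultdict
ETH_P_ARP, ARP_REQUEST, ARP_REPLY, BCAST = 0x0806, 1, 2, "ff:ff:ff:ff:ff:ff"

def mac_bytes(m): return bytes(int(x, 16) for x in m.split(":"))
def ip_bytes(ip): return bytes(int(x) for x in ip.split("."))

def build_arp(op, sha, spa, tha, tpa):
    """Construct an Ethernet/ARP frame as sample input (constructed, not captured data)."""
    eth_dst = BCAST if op == ARP_REQUEST else tha
    eth = mac_bytes(eth_dst) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # hw=Ethernet, proto=IPv4, opcode
    return eth + arp + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)

def parse_arp(frame):
    """Return (op, sha, spa, tha, tpa) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return op, mac(frame[22:28]), ip(frame[28:32]), mac(frame[32:38]), ip(frame[38:42])

class ArpCop:
    """Passive monitor: learns ip->mac from traffic (or a seeded host list) and flags
    any request/reply whose sender binding contradicts the one already recorded."""
    def __init__(self, host_list=None):
        self.table = dict(host_list or {})   # ip -> mac; the first binding seen is kept
        self.alerts = []
    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, sha, spa, _tha, _tpa = parsed
        if spa == "0.0.0.0":                 # ARP probe: sender has no address yet
            return None
        known = self.table.setdefault(spa, sha)
        if known == sha:
            return None                      # consistent with what we already know
        kind = "ARP poisoning attempt" if op == ARP_REPLY else "IP conflict/change"
        alert = f"{kind}: {spa} is {known} but {sha} claims it"
        self.alerts.append(alert)
        return alert
    def duplicate_macs(self):
        """scan_poisoner's first check: one MAC bound to several IPs in the host list."""
        by_mac = defaultdict(list)
        for ip, mac in self.table.items():
            by_mac[mac].append(ip)
        return {m: ips for m, ips in by_mac.items() if len(ips) > 1}
```

Like arp_cop, it only reports: the first binding seen wins, so a legitimate IP change also shows up as a conflict until the table is rebuilt, and proxy-ARP segments will trip the duplicate-MAC check.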
368
369 search_promisc
370
371 It tries to find if anyone is sniffing in promisc mode. It sends
372 two different kinds of malformed arp request to each target in
373 the host list and waits for replies. If a reply arrives from the
374 target host, it's more or less probable that this target has the
375 NIC in promisc mode. It could generate false-positives. You can
376 launch it either from the command line or from the plugin menu.
377 Since it listens for arp replies it is better that you don't use
378 it while sending arp request.
379
380 example :
381
382 ettercap -TQP search_promisc /192.168.0.1/
383 ettercap -TQP search_promisc //
384
385
386
   smb_clear

       It forces the client to send the SMB password in clear text by
       mangling the protocol negotiation. You have to be in the
       "middle" of the connection to use it successfully. It hooks the
       smb dissector, so you have to keep it active. If you use it
       against a Windows client it will probably fail. Try it against a
       *nix smbclient :)


   smb_down

       It forces the client not to use the NTLM2 password exchange
       during SMB authentication. This way, the obtained hashes can be
       easily cracked by LC4. You have to be in the "middle" of the
       connection to use it successfully. It hooks the smb dissector,
       so you have to keep it active.

   stp_mangler

       It sends spanning tree BPDUs pretending to be a switch with the
       highest priority. Once at the "root" of the spanning tree,
       ettercap can receive all the "unmanaged" network traffic.
       It is useful only against a group of switches running STP.
       If there is another switch with the highest priority, try to
       manually decrease your MAC address before running it.

       example:

           ettercap -TP stp_mangler

SEE ALSO
   ettercap(8) ettercap_curses(8) etterlog(8) etterfilter(8) etter.conf(5)

ettercap NG-0.7.3                                            ETTERCAP-PLUGINS(8)