ETTERCAP-CURSES(8)          System Manager's Manual         ETTERCAP-CURSES(8)

NAME

       ettercap - Man page for the Ncurses GUI.

GENERAL DESCRIPTION

       The curses GUI is quite simple and intuitive.
       It is menu-driven. Every flag or function can be modified/called
       through the upper menu. All user messages are printed in the bottom
       window. If you want to see the old messages, you can scroll the window
       buffer by pressing the UP, DOWN, PPAGE, NPAGE keys. The middle part is
       used to display information or dialogs for the user.

       The menus can be opened by pressing the corresponding hotkey. For the
       menus the hotkey is represented by the uppercase initial letter of the
       title (e.g. 'S' for Sniffing, 'T' for Targets). The functions within a
       menu can be called by pressing the hotkey depicted near the function
       name on the right. Hotkeys prefixed with 'C-' are to be used in
       conjunction with the CTRL key (e.g. 'C-f' means CTRL+f).

       You can switch the focus between the objects on the screen by pressing
       the TAB key or by clicking on them with the mouse (if you are running
       ettercap within an xterm). Mouse events are supported only through the
       xterm. You can use the mouse to select objects, open a menu, choose a
       function, scroll the elevators for the scrolling windows, etc.

       When you open multiple windows in the middle part, they will overlap.
       Use the TAB key to switch between them. Use CTRL+Q to close the focused
       window.
       You can also use CTRL+Q to close the input dialog if you want to cancel
       the requested input (e.g. you have selected the wrong function and you
       want to go back).

       To get quick help on the shortcuts available in a particular window,
       press the SPACE key. A help window will be displayed with a list of
       shortcuts that can be used. If the window does not appear, no
       shortcuts are available.

HOW TO SELECT IT

       To use the ncurses GUI you have to:

       - compile ettercap with ncurses support (obviously)
       - run it with the -C flag

       Passing the -C flag is sufficient, but if you want you can pass other
       flags that will be automatically set for the ncurses GUI. You will be
       able to override them using the menu to change the options.

ONCE STARTED

       As soon as ettercap is launched with the Ncurses GUI, you will be
       prompted with multiple choices. The first screen lets you select
       whether to open a pcap file or dump the sniffed traffic to a file,
       whether you want unified or bridged sniffing, lets you set a pcap
       filter on the captured traffic and enables you to log all the sniffed
       data.

       Once you have selected a sniffing method (from file, unified or
       bridged) this screen will not be reachable anymore. The only way to
       get back to it is to restart ettercap.

       Let's analyze each menu in the start screen:

       File

              Open...
                     Open a pcap file and analyze it. All the functionalities
                     available for live sniffing are in place except for those
                     sending or forwarding packets (mitm attacks and so
                     on...).

              Dump to file...
                     All the traffic sniffed by the live capture will be
                     dumped to that file. The filters, not the targets, have
                     effects on this file, as all the packets received by pcap
                     will be dumped. The only way to not dump a certain packet
                     is to set a proper pcap filter (see below).

              Exit
                     Exits from ettercap and returns to the command prompt.

       Sniff

              Unified sniffing...
                     Choosing this function you will be prompted to select the
                     network interface to be used for sniffing. The first up
                     and running interface is suggested in the input box. For
                     an explanation of what unified sniffing is, refer to
                     ettercap(8).
                     TIP: if you use the 'u' hotkey, this step will be skipped
                     and the default interface is automatically selected.

              Bridged sniffing...
                     After selecting the two interfaces to be used, you will
                     enter the Bridged sniffing mode. For an explanation of
                     what bridged sniffing is, refer to ettercap(8).

              Set pcap filter...
                     Here you can insert a tcpdump-like filter for the
                     capturing process.
                     IMPORTANT: if you plan to use a mitm attack, remember
                     that if ettercap does not see a packet, it will NOT be
                     forwarded. So be sure of what you are doing when setting
                     a pcap filter.

       Options

              Unoffensive
                     Enables/disables the unoffensive flag. The asterisk
                     '*' means "the option is enabled". Otherwise the option
                     is not enabled.

              Promisc mode
                     Enable/disable the promisc mode for the live capture on a
                     network interface. This is an "asterisk-option" like the
                     unoffensive one.

              Set netmask
                     Use the specified netmask instead of the one associated
                     with the current iface. This option is useful if you have
                     a NIC with an associated class B netmask and you want to
                     scan (with the arp scan) only a class C network.

THE INTERESTING PART

       Once you have selected an offline sniffing or a live capture, the upper
       menu is modified and you can start to do the interesting things...
       Some of the following menus are only available in live capture.

       Start

              Start sniffing
                     Starts the sniffing process depending on what you have
                     selected on startup (live or from file).

              Stop sniffing
                     Stops the sniffing thread.

              Exit
                     Returns to your favourite shell ;)

       Targets

              Current Targets
                     Displays a list of hosts in each TARGET. You can
                     selectively remove a host by selecting it and pressing
                     'd' or add a new host by pressing 'a'. To switch between
                     the two lists, use the ARROW keys.

              Select TARGET(s)
                     Lets you select the TARGET(s) as explained in
                     ettercap(8). The syntax is the same as for the command
                     line specification.

              Protocol...
                     You can choose to sniff only TCP, only UDP or both (ALL).

              Reverse matching
                     Reverse the matching of a packet. It is equivalent to a
                     NOT before the target specification.

              Wipe Targets
                     Restores both TARGETS to ANY/ANY/ANY.

       Hosts

              Hosts list
                     Displays the list of hosts detected through an ARP scan
                     or converted from the passive profiles. This list is used
                     by MITM attacks when the ANY target is selected, so if
                     you want to exclude a host from the attack, simply delete
                     it from the list.
                     You can remove a host from the list by pressing 'd', add
                     it to TARGET1 by pressing '1' or add it to TARGET2 by
                     pressing '2'.

              Scan for hosts
                     Perform the ARP scan of the netmask if no TARGETS are
                     selected. If TARGETS were specified it only scans for
                     those hosts.

              Load from file...
                     Loads the hosts list from a file previously saved with
                     "save to file" or hand crafted.

              Save to file...
                     Save the current hosts list to a file.

       View

              Connections
                     Displays the connection list. To see detailed information
                     about a connection press 'd', or press 'k' to kill it. To
                     see the traffic for a specific connection, select it and
                     press enter. Once the two-panel interface is displayed
                     you can move the focus with the arrow keys. Press 'j' to
                     switch between joined and split visualization. Press 'k'
                     to kill the connection. Press 'y' to inject interactively
                     and 'Y' to inject a file. Note that it is important which
                     panel has the focus as the injected data will be sent to
                     that address.
                     HINT: connections marked with an asterisk contain
                     account(s) information.

              Profiles
                     Displays the passive profile hosts list. Selecting a host
                     will display the relative details (including account with
                     user and pass for that host).
                     You can convert the passive profile list into the hosts
                     list by pressing 'c'. To purge remote hosts, press 'l'.
                     To purge local hosts, press 'r'. You can also dump the
                     current profile to a file by pressing 'd'; the dumped
                     file can be opened with etterlog(8).
                     HINT: profiles marked with an asterisk contain account(s)
                     information.

              Statistics
                     Displays some statistics about the sniffing process.

              Resolve IP addresses
                     Enables DNS resolution for all the sniffed IP addresses.
                     CAUTION: this will extremely slow down ettercap. By the
                     way, the passive dns resolution is always active. It
                     sniffs dns replies and stores them in a cache. If an ip
                     address is present in that cache, it will be
                     automatically resolved. It is dns resolution for free... ;)

              Visualization method
                     Change the visualization method for the sniffed data.
                     Available methods: ascii, hex, ebcdic, text, html.

              Visualization regex
                     Set the visualization regular expression. Only packets
                     matching this regex will be displayed in the connection
                     data window.

              Set the WiFi key
                     Set the WiFi key used to decrypt WiFi encrypted packets.
                     See ettercap(8) for the format of the key.

       Mitm

              [...]  For each type of attack, a menu entry is displayed.
                     Simply select the attack you want and fill in the
                     arguments when asked. You can activate more than one
                     attack at a time.

              Stop mitm attack(s)
                     Stops all the mitm attacks currently active.

       Filters

              Load a filter...
                     Load a precompiled filter file. The file must be compiled
                     with etterfilter(8) before it can be loaded.

              Stop filtering
                     Unload the filter and stop filtering the connections.

       Logging

              Log all packets and infos...
                     Given a file name, it will create two files: filename.eci
                     (for information about hosts) and filename.ecp (for all
                     the interesting packets). This is the same as the -L
                     option.

              Log only infos...
                     This is used only to sniff information about hosts (same
                     as the -l option).

              Stop logging info
                     Come on... it is self explanatory.

              Log user messages...
                     Will log all the messages appearing in the bottom window
                     (same as -m option).

              Compressed file
                     Asterisk-option to control whether or not the logfile
                     should be compressed.

       Plugins

              Manage the plugins
                     Opens the plugin management window. You can select a
                     plugin and activate it by pressing 'enter'. Plugins
                     already active can be recognized by the [1] symbol
                     instead of [0]. If you select an active plugin, it will
                     be deactivated.

              Load a plugin...
                     You can load a plugin file that is not in the default
                     search path (remember that you can browse directories
                     with EC_UID permissions).

ORIGINAL AUTHORS

       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>

PROJECT STEWARDS

       Emilio Escobar (exfil) <eescobar@gmail.com>
       Eric Milam (Brav0Hax) <jbrav.hax@gmail.com>

OFFICIAL DEVELOPERS

       Mike Ryan (justfalter) <falter@gmail.com>
       Gianfranco Costamagna (LocutusOfBorg) <costamagnagianfranco@yahoo.it>
       Antonio Collarino (sniper) <anto.collarino@gmail.com>
       Ryan Linn <sussuro@happypacket.net>
       Jacob Baines <baines.jacob@gmail.com>

CONTRIBUTORS

       Dhiru Kholia (kholia) <dhiru@openwall.com>
       Alexander Koeppe (koeppea) <format_c@online.de>
       Martin Bos (PureHate) <purehate@backtrack.com>
       Enrique Sanchez
       Gisle Vanem <giva@bgnett.no>
       Johannes Bauer <JohannesBauer@gmx.de>
       Daten (Bryan Schneiders) <daten@dnetc.org>

SEE ALSO

       ettercap(8) ettercap_plugins(8) etterlog(8) etterfilter(8)
       etter.conf(5) ettercap-pkexec(8)

ettercap 0.8.2                                              ETTERCAP-CURSES(8)