ETTERCAP-PLUGINS(8)         System Manager's Manual        ETTERCAP-PLUGINS(8)

NAME
       ettercap-plugins - A collection of plugins for ettercap

DESCRIPTION
       Ettercap(8) supports loadable modules at runtime. They are called
       plugins and they come within the source tarball. They are
       automatically compiled if your system supports them, unless you pass
       the -DENABLE_PLUGINS=OFF option to the cmake configure script.

       Some of the older ettercap plugins (roper, banshee, and so on) have
       not been ported to the new version. However, you can achieve the same
       results by using the new filtering engine.

       If you use interactive mode, most plugins need you to "Start Sniff"
       before using them.

       To list the plugins installed on your system, run:

              ettercap -P list

       The following is a list of available plugins:

       arp_cop
              It reports suspicious ARP activity by passively monitoring
              ARP requests/replies. It can report ARP poisoning attempts,
              or simple IP conflicts or IP changes. If you build the
              initial host list, the plugin will run more accurately.

              example :

                   ettercap -TQP arp_cop //

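       The following is an added example, not ettercap's code: a passive
       ARP monitor in Python that implements the three checks arp_cop
       describes (poisoning attempts, IP conflicts, IP changes) against
       constructed Ethernet/ARP frames rather than live traffic. The rule
       used to tell them apart (a reply rebinding a known IP is reported as
       poisoning, a request claiming an IP bound elsewhere as a conflict,
       a known MAC announcing a new IP as a change) and all addresses are
       this example's own assumptions, not taken from the plugin source.

```python
"""Passive ARP anomaly monitor modelled on the checks described for arp_cop.

Added example: this is not ettercap code. Frames are constructed in demo(),
not captured from a network.
"""
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# hw type, proto type, hw len, proto len, opcode, sender MAC, sender IP, target MAC, target IP
ARP_STRUCT = struct.Struct("!HHBBH6s4s6s4s")


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; None for anything else."""
    if len(frame) < 14 + ARP_STRUCT.size or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_STRUCT.unpack_from(frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (ARP_REQUEST, ARP_REPLY):
        return None
    return {"op": op, "eth_src": mac_str(frame[6:12]), "sha": mac_str(sha),
            "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpCop:
    """Tracks IP<->MAC bindings and reports frames that contradict them."""

    def __init__(self, initial_hosts: Optional[Dict[str, str]] = None):
        # Seeding with a host list plays the role of ettercap's "initial host list".
        self.ip_to_mac: Dict[str, str] = dict(initial_hosts or {})
        self.mac_to_ip: Dict[str, str] = {m: i for i, m in self.ip_to_mac.items()}
        self.alerts: List[Tuple[str, str]] = []

    def observe(self, frame: bytes) -> List[Tuple[str, str]]:
        """Feed one frame; return the (kind, detail) alerts it produced."""
        arp = parse_arp(frame)
        if arp is None:
            return []
        new: List[Tuple[str, str]] = []
        ip, mac = arp["spa"], arp["sha"]
        # The ARP sender hardware address should equal the Ethernet source; a mismatch is forged.
        if arp["eth_src"] != mac:
            new.append(("MAC_MISMATCH", f"frame from {arp['eth_src']} carries ARP sender {mac}"))
        if ip == "0.0.0.0":  # ARP probe (RFC 5227): announces no binding, nothing to learn
            return self._record(new)
        known_mac = self.ip_to_mac.get(ip)
        known_ip = self.mac_to_ip.get(mac)
        if known_mac is None:
            if known_ip is not None and known_ip != ip:
                # A known MAC now announcing a different IP: the "IP change" case.
                new.append(("IP_CHANGE", f"{mac} moved from {known_ip} to {ip}"))
                self.ip_to_mac.pop(known_ip, None)
            self.ip_to_mac[ip] = mac
            self.mac_to_ip[mac] = ip
        elif known_mac != mac:
            # Heuristic of this example: a reply rebinding a known IP is the poisoning
            # signature, a request claiming an IP already bound elsewhere is an address
            # conflict. The stored binding is kept so later frames are judged against
            # the original owner rather than the newcomer.
            kind = "POISONING" if arp["op"] == ARP_REPLY else "IP_CONFLICT"
            new.append((kind, f"{ip} was {known_mac}, now claimed by {mac}"))
        return self._record(new)

    def _record(self, new: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
        self.alerts.extend(new)
        return new


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str,
              eth_src: Optional[str] = None) -> bytes:
    """Build a constructed test frame (requests go to broadcast, replies to the target MAC)."""
    def mac(s: str) -> bytes:
        return bytes(int(x, 16) for x in s.split(":"))

    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))

    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else mac(tha)
    eth = eth_dst + mac(eth_src or sha) + struct.pack("!H", ETH_P_ARP)
    return eth + ARP_STRUCT.pack(1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: seeded gateway binding, a benign request, a rebinding reply, an IP move."""
    cop = ArpCop({"192.168.0.1": "00:11:22:33:44:01"})
    frames = [
        build_arp(ARP_REQUEST, "00:11:22:33:44:05", "192.168.0.5", "00:00:00:00:00:00", "192.168.0.1"),
        build_arp(ARP_REPLY, "00:11:22:33:44:99", "192.168.0.1", "00:11:22:33:44:05", "192.168.0.5"),
        build_arp(ARP_REQUEST, "00:11:22:33:44:05", "192.168.0.7", "00:00:00:00:00:00", "192.168.0.1"),
    ]
    for frame in frames:
        cop.observe(frame)
    return cop.alerts


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind}: {detail}")
```

       Seeding the monitor with a host list mirrors the man page's remark
       that a pre-built host list makes arp_cop more accurate: without a
       baseline, the first claim for an address is simply learned and a
       poisoner who speaks first is invisible to the monitor.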
       autoadd
              It will automatically add new victims to the ARP poisoning
              mitm attack when they come up. It looks for ARP requests on
              the LAN and, when one is detected, it adds the host to the
              victims list if it was specified in the TARGET. The host is
              added when an ARP request is seen from it, since
              communicating hosts are alive :)

       chk_poison
              It performs a check to see if the ARP poisoning module of
              ettercap was successful. It sends spoofed ICMP echo packets
              to all the victims of the poisoning, pretending to be each of
              the other targets. If we can catch an ICMP reply with our MAC
              address as destination, it means that the poisoning between
              those two targets is successful. It checks both ways of each
              communication. This plugin makes sense only where poisoning
              makes sense. The test fails if you specify only one target in
              silent mode. You can't run this plugin from the command line
              because the poisoning process is not started yet. You have to
              launch it from the proper menu.

       dns_spoof
              This plugin intercepts DNS queries and replies with a spoofed
              answer. You can choose to which addresses the plugin has to
              reply, and the expiry time in seconds (TTL), by modifying the
              etter.dns file. The plugin intercepts A, AAAA, PTR, MX, WINS,
              SRV and TXT requests. If it was an A request, the name is
              searched in the file and the IP address is returned (you can
              use wildcards in the name). The same applies if it was an
              AAAA request.

              TTL is an optional field which is specified as the last
              option in an entry in the etter.dns file. The TTL is
              specified as a number of seconds from 0 to 2^31-1 (see RFC
              2181). TTL is specified on a per-host basis. If the TTL is
              not specified for a particular host, the default value is
              3600 seconds (1 hour).

              If it was a PTR request, the IP address is searched in the
              file and the name is returned (except for those names
              containing a wildcard). For PTR requests, IPv4 or IPv6
              addresses are supported.

              In case of an MX request a special reply is crafted. The host
              is resolved with a fake host 'mail.host' and the additional
              record contains the IP address of 'mail.host'. The first
              address that matches is returned, so be careful with the
              order. The IP address for MX requests can be an IPv4 or an
              IPv6 address.

              If the request was a WINS request, the name is searched in
              the file and the IP address is returned.

              In case of an SRV request, a special reply is crafted. The
              host is resolved with a fake host 'srv.host' and the
              additional record contains the IP address of 'srv.host'. The
              IP address for SRV requests can be an IPv4 or an IPv6
              address.

              In case of a TXT request, the defined string is returned. The
              string has to be wrapped in double quotes. Wildcards for the
              requested name can also be used.

              A special reply can be spoofed for A or AAAA requests if the
              'undefined address' is specified as the IP address in the
              file. Then the client gets a response which stops resolution
              processing immediately. This way one can control which
              address family is used to access a dual-stacked host.

              In the case of an ANY request, all matching results of type
              A, AAAA, MX and TXT are returned in the reply. If the
              'undefined address' for A or AAAA records is defined, nothing
              is returned for these types whether or not the name matches.

       mdns_spoof
              This plugin does the same as the dns_spoof plugin described
              above, except that it listens for mDNS (Multicast DNS)
              queries on UDP port 5353. To choose to which address the
              plugin shall reply, you have to modify a different file
              called etter.mdns. Due to the nature of mDNS, the plugin
              intercepts only A, AAAA, PTR and SRV requests.

              The way the mdns_spoof plugin interprets the etter.mdns file
              and the rules that apply are the same as with the dns_spoof
              plugin, although currently the mdns_spoof plugin lacks
              support for custom TTL. The TTL for all spoofed mDNS replies
              is 3600 seconds (1 hour).

       dos_attack
              This plugin runs a DoS attack against a victim IP address. It
              first "scans" the victim to find open ports, then starts to
              flood these ports with SYN packets, using a "phantom" address
              as source IP. Then it uses fake ARP replies to intercept
              packets for the phantom host. When it receives a SYN-ACK from
              the victim, it replies with an ACK packet, creating an
              ESTABLISHED connection. You have to use a free IP address in
              your subnet to create the "phantom" host (you can use find_ip
              for this purpose). You can't run this plugin in unoffensive
              mode.
              This plugin is based on the original Naptha DoS attack
              (http://razor.bindview.com/publish/advisories/adv_NAPTHA.html)

              example :

                   ettercap -TQP dos_attack

       dummy
              Only a template to demonstrate how to write a plugin.

       find_conn
              Very simple plugin that listens for ARP requests to show you
              all the targets a host wants to talk to. It can also help you
              find addresses in an unknown LAN.

              example :

                   ettercap -TQzP find_conn

                   ettercap -TQu -i eth0 -P find_conn

       find_ettercap
              Tries to identify ettercap packets sent on the LAN. It could
              be useful to detect if someone is using ettercap. Do not rely
              on it 100%, since the tests are only on particular
              sequence/identification numbers.

       find_ip
              Finds the first unused IP address in the range specified by
              the user in the target list. Some other plugins (such as
              gre_relay) need an unused IP address of the LAN to create a
              "fake" host. It can also be useful to obtain an IP address in
              an unknown LAN where there is no DHCP server. You can use
              find_conn to determine the IP addressing of the LAN, and then
              find_ip. You have to build the host list to use this plugin,
              so you can't use it in unoffensive mode. If you don't have an
              IP address for your interface, give it a bogus one (e.g. if
              the LAN is 192.168.0.0/24, use 10.0.0.1 to avoid a
              conflicting IP), then launch this plugin specifying the
              subnet range. You can run it either from the command line or
              from the proper menu.

              example :

                   ettercap -TQP find_ip //

                   ettercap -TQP find_ip /192.168.0.1-254/

       finger
              Uses the passive fingerprint capabilities to fingerprint a
              remote host. It does a connect() to the remote host to force
              the kernel to reply to the SYN with a SYN+ACK packet. The
              reply is collected and the fingerprint is displayed. The
              connect() obeys the connect_timeout parameter in
              etter.conf(5). You can specify a target on the command line
              or let the plugin ask for the target host to be
              fingerprinted. You can also specify multiple targets with the
              usual multi-target specification (see ettercap(8)). If you
              specify multiple ports, all the ports will be tested on all
              the IPs.

              example :

                   ettercap -TzP finger /192.168.0.1/22
                   ettercap -TzP finger /192.168.0.1-50/22,23,25

       finger_submit
              Use this plugin to submit a fingerprint to the ettercap
              website. If you found an unknown fingerprint, but you know
              for sure the operating system of the target, you can submit
              it so it will be inserted in the database in the next
              ettercap release. We need your help to increase the passive
              fingerprint database. Thank you very much.

              example :

                   ettercap -TzP finger_submit

       fraggle_attack
              This plugin performs a DoS attack: it sends a large amount of
              UDP echo and chargen traffic to all hosts in target2 with a
              fake source IP address (the victim).

              example (192.168.0.5 is the victim):

                   ettercap -i eth1 -Tq /192.168.0.5/ // -P fraggle_attack

       gre_relay
              This plugin can be used to sniff GRE-redirected remote
              traffic. The basic idea is to create a GRE tunnel that sends
              all the traffic on a router interface to the ettercap
              machine. The plugin will send the GRE packets back to the
              router after ettercap "manipulation" (you can use "active"
              plugins such as smb_down, ssh decryption, filters, etc. on
              redirected traffic). It needs a "fake" host where the traffic
              has to be redirected to (to avoid the kernel's responses).
              The "fake" IP will be the tunnel endpoint. The gre_relay
              plugin will impersonate the "fake" host. To find an unused IP
              address for the "fake" host you can use the find_ip plugin.
              Based on the original Tunnelx technique by Anthony C.
              Zboralski.

       gw_discover
              This plugin tries to discover the gateway of the LAN by
              sending TCP SYN packets to a remote host. The packet has the
              destination IP of a remote host and the destination MAC
              address of a local host. If ettercap receives the SYN+ACK
              packet, the host which owns the source MAC address of the
              reply is the gateway. This operation is repeated for each
              host in the 'host list', so you need to have a valid host
              list before launching this plugin.

              example :

                   ettercap -TP gw_discover /192.168.0.1-50/

       isolate
              The isolate plugin will isolate a host from the LAN. It will
              poison the victim's ARP cache with its own MAC address
              associated with all the hosts it tries to contact. This way
              the host will not be able to contact other hosts, because the
              packets will never reach the wire.
              You can specify all the hosts or only a group. The target
              specification works this way: target1 is the victim and must
              be a single host; target2 can be a range of addresses and
              represents the hosts that will be blocked to the victim.

              examples :

                   ettercap -TzqP isolate /192.168.0.1/ //
                   ettercap -TP isolate /192.168.0.1/ /192.168.0.2-30/

       link_type
              It performs a check of the link type (hub or switch) by
              sending a spoofed ARP request and listening for replies. It
              needs at least one entry in the host list to perform the
              check. With two or more hosts the test will be more accurate.

              example :

                   ettercap -TQP link_type /192.168.0.1/
                   ettercap -TQP link_type //

       pptp_chapms1
              It forces the PPTP tunnel to negotiate MS-CHAPv1
              authentication instead of MS-CHAPv2, which is usually easier
              to crack (for example with LC4). You have to be in the
              "middle" of the connection to use it successfully. It hooks
              the ppp dissector, so you have to keep it active.

       pptp_clear
              Forces no compression/encryption for PPTP tunnels during
              negotiation. It could fail if the client (or the server) is
              configured to hang up the tunnel if no encryption is
              negotiated. You have to be in the "middle" of the connection
              to use it successfully. It hooks the ppp dissector, so you
              have to keep it active.

       pptp_pap
              It forces the PPTP tunnel to negotiate PAP (cleartext)
              authentication. It could fail if PAP is not supported, if the
              pap_secret file is missing, or in case Windows is configured
              with "automatic use of domain account". (It could fail for
              many other reasons too.) You have to be in the "middle" of
              the connection to use it successfully. It hooks the ppp
              dissector, so you have to keep it active.

       pptp_reneg
              Forces re-negotiation on an existing PPTP tunnel. You can
              force re-negotiation to grab passwords already sent.
              Furthermore, you can launch it to use pptp_pap, pptp_chapms1
              or pptp_clear on existing tunnels (those plugins work only
              during the negotiation phase). You have to be in the "middle"
              of the connection to use it successfully. It hooks the ppp
              dissector, so you have to keep it active.

       rand_flood
              Floods the LAN with random MAC addresses. Some switches will
              fail open in repeating mode, facilitating sniffing. The delay
              between each packet is based on the port_steal_send_delay
              value in etter.conf.
              It is useful only on ethernet switches.

              example :

                   ettercap -TP rand_flood

       remote_browser
              It sends to the browser the URLs sniffed through HTTP
              sessions, so you are able to see the web pages in real time.
              The command executed is configurable in the etter.conf(5)
              file. It sends to the browser only the GET requests and only
              for web pages, ignoring single requests to images or other
              amenities. Don't use it to view your own connection :)

       reply_arp
              Simple ARP responder. When it intercepts an ARP request for a
              host in the targets' lists, it replies with the attacker's
              MAC address.

              example :

                   ettercap -TQzP reply_arp /192.168.0.1/
                   ettercap -TQzP reply_arp //

       repoison_arp
              It solicits poisoning packets after broadcast ARP requests
              (or replies) from a poisoned host. For example: we are
              poisoning Group1 impersonating Host2. If Host2 makes a
              broadcast ARP request for Host3, it is possible that Group1
              caches the right MAC address for Host2 contained in the ARP
              packet. This plugin re-poisons the Group1 cache immediately
              after a legitimate broadcast ARP request (or reply).
              This plugin is effective only during an ARP poisoning
              session. In conjunction with the reply_arp plugin,
              repoison_arp is a good support for the standard ARP poisoning
              mitm method.

              example :

                   ettercap -T -M arp:remote -P repoison_arp /192.168.0.10-20/ /192.168.0.1/

       scan_poisoner
              Checks if someone is poisoning between some host in the list
              and us. First of all it checks if two hosts in the list have
              the same MAC address. It could mean that one of those is
              poisoning us pretending to be the other. It could generate
              many false positives in a proxy-arp environment. You have to
              build the host list to perform this check. After that, it
              sends ICMP echo packets to each host in the list and checks
              if the source MAC address of the reply differs from the
              address we have stored in the list for that IP. It could mean
              that someone is poisoning that host pretending to have our IP
              address and forwards the intercepted packets to us. You can't
              perform this active test in unoffensive mode.

              example :

                   ettercap -TQP scan_poisoner //

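       The following is an added example, not ettercap's code: the two
       scan_poisoner checks in Python, run against a constructed host list
       and constructed ICMP echo reply frames instead of probing a network.
       duplicate_macs() is the passive check for two list entries sharing
       one MAC; check_replies() is the active check, comparing the Ethernet
       source MAC of each echo reply with the binding stored for its source
       IP. All addresses and frame contents are constructed for the example.

```python
"""The two scan_poisoner checks, applied to a constructed host list and echo replies.

Added example: not ettercap code. It parses frames handed to it rather than
sending probes, so it runs offline.
"""
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

ETH_P_IP = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REPLY = 0


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def duplicate_macs(host_list: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Passive check: MAC addresses that appear under more than one IP in the host list."""
    by_mac: Dict[str, List[str]] = defaultdict(list)
    for ip, mac in host_list.items():
        by_mac[mac.lower()].append(ip)
    return sorted((mac, sorted(ips)) for mac, ips in by_mac.items() if len(ips) > 1)


def parse_echo_reply(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (source MAC, source IP) for an Ethernet/IPv4/ICMP echo reply, else None."""
    if len(frame) < 14 + 20 + 8 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ver_ihl = frame[14]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(frame) < 14 + ihl + 8:
        return None
    # IPv4 protocol field is byte 9 of the IP header; ICMP type is the first byte after it.
    if frame[14 + 9] != IPPROTO_ICMP or frame[14 + ihl] != ICMP_ECHO_REPLY:
        return None
    return mac_str(frame[6:12]), ip_str(frame[14 + 12:14 + 16])


def check_replies(host_list: Dict[str, str], frames: List[bytes]) -> List[Tuple[str, str, str]]:
    """Active check: (ip, stored MAC, observed MAC) for every reply whose Ethernet source
    disagrees with the binding stored for its source IP. Replies from unlisted hosts are ignored."""
    findings: List[Tuple[str, str, str]] = []
    for frame in frames:
        parsed = parse_echo_reply(frame)
        if parsed is None:
            continue
        seen_mac, ip = parsed
        stored = host_list.get(ip)
        if stored is not None and stored.lower() != seen_mac:
            findings.append((ip, stored.lower(), seen_mac))
    return findings


def build_echo_reply(src_mac: str, src_ip: str, dst_mac: str, dst_ip: str) -> bytes:
    """Constructed test frame; IP and ICMP checksums stay zero since the parser does not verify them."""
    def mac(s: str) -> bytes:
        return bytes(int(x, 16) for x in s.split(":"))

    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))

    icmp = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, 0x1234, 1)  # type, code, csum, id, seq
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                         IPPROTO_ICMP, 0, ip(src_ip), ip(dst_ip))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_P_IP) + ip_hdr + icmp


def demo() -> Tuple[List[Tuple[str, List[str]]], List[Tuple[str, str, str]]]:
    """Constructed scenario: .2 and .3 share a MAC in the list; the reply for .2 comes from a third MAC."""
    hosts = {
        "192.168.0.1": "00:11:22:33:44:01",
        "192.168.0.2": "00:11:22:33:44:02",
        "192.168.0.3": "00:11:22:33:44:02",
    }
    our_mac, our_ip = "00:11:22:33:44:aa", "192.168.0.100"
    replies = [
        build_echo_reply("00:11:22:33:44:01", "192.168.0.1", our_mac, our_ip),  # consistent
        build_echo_reply("00:11:22:33:44:99", "192.168.0.2", our_mac, our_ip),  # differs from list
    ]
    return duplicate_macs(hosts), check_replies(hosts, replies)


if __name__ == "__main__":
    dups, findings = demo()
    print("shared MACs:", dups)
    print("reply MAC mismatches:", findings)
```

       As the man page notes, the passive check alone produces false
       positives wherever one device legitimately answers for several IPs
       (proxy ARP, some routers and virtualisation hosts); the reply check
       is the stronger signal because it compares what a host actually
       answers from against what the list recorded for it.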
       search_promisc
              It tries to find out if anyone is sniffing in promisc mode.
              It sends two different kinds of malformed ARP requests to
              each target in the host list and waits for replies. If a
              reply arrives from the target host, it is more or less
              probable that this target has the NIC in promisc mode. It
              could generate false positives. You can launch it either from
              the command line or from the plugin menu. Since it listens
              for ARP replies, it is better that you don't use it while
              sending ARP requests.

              example :

                   ettercap -TQP search_promisc /192.168.0.1/
                   ettercap -TQP search_promisc //

       smb_clear
              It forces the client to send the SMB password in clear text
              by mangling the protocol negotiation. You have to be in the
              "middle" of the connection to successfully use it. It hooks
              the smb dissector, so you have to keep it active. If you use
              it against a Windows client it will probably result in a
              failure. Try it against a *nix smbclient :)

       smb_down
              It forces the client not to use the NTLM2 password exchange
              during SMB authentication. This way, the obtained hashes can
              be easily cracked by LC4. You have to be in the "middle" of
              the connection to successfully use it. It hooks the smb
              dissector, so you have to keep it active.

       smurf_attack
              The Smurf Attack is a DoS attack in which huge numbers of ICMP
              packets with the intended victim(s) IP(s) in target1 are sent
              to the hosts in target2. This causes all hosts in target2 to
              reply to the ICMP request, causing significant traffic to the
              victim's computer(s).

              example (192.168.0.5 is the victim):

                   ettercap -i eth1 -Tq /192.168.0.5/ // -P smurf_attack

       sslstrip
              While performing the SSL mitm attack, ettercap substitutes
              the real SSL certificate with its own. The fake certificate
              is created on the fly and all the fields are filled according
              to the real cert presented by the server. Only the issuer is
              modified, and the cert is signed with the private key
              contained in the 'etter.ssl.crt' file. If you want to use a
              different private key you have to regenerate this file. To
              regenerate the cert file use the following commands:

                   openssl genrsa -out etter.ssl.crt 1024
                   openssl req -new -key etter.ssl.crt -out tmp.csr
                   openssl x509 -req -days 1825 -in tmp.csr -signkey etter.ssl.crt -out tmp.new
                   cat tmp.new >> etter.ssl.crt
                   rm -f tmp.new tmp.csr

              NOTE: SSL mitm is not available (for now) in bridged mode.

              NOTE: You can use the --certificate/--private-key long
              options if you want to specify a different file rather than
              the etter.ssl.crt file.

       stp_mangler
              It sends spanning tree BPDUs pretending to be a switch with
              the highest priority. Once in the "root" of the spanning
              tree, ettercap can receive all the "unmanaged" network
              traffic.
              It is useful only against a group of switches running STP.
              If there is another switch with the highest priority, try to
              manually decrease your MAC address before running it.

              example :

                   ettercap -TP stp_mangler

ORIGINAL AUTHORS
       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>

PROJECT STEWARDS
       Emilio Escobar (exfil) <eescobar@gmail.com>
       Eric Milam (Brav0Hax) <jbrav.hax@gmail.com>

OFFICIAL DEVELOPERS
       Mike Ryan (justfalter) <falter@gmail.com>
       Gianfranco Costamagna (LocutusOfBorg) <costamagnagianfranco@yahoo.it>
       Antonio Collarino (sniper) <anto.collarino@gmail.com>
       Ryan Linn <sussuro@happypacket.net>
       Jacob Baines <baines.jacob@gmail.com>

CONTRIBUTORS
       Dhiru Kholia (kholia) <dhiru@openwall.com>
       Alexander Koeppe (koeppea) <format_c@online.de>
       Martin Bos (PureHate) <purehate@backtrack.com>
       Enrique Sanchez
       Gisle Vanem <giva@bgnett.no>
       Johannes Bauer <JohannesBauer@gmx.de>
       Daten (Bryan Schneiders) <daten@dnetc.org>

SEE ALSO
       ettercap(8) ettercap_curses(8) etterlog(8) etterfilter(8) etter.conf(5)
       ettercap-pkexec(8)

ettercap 0.8.2                                             ETTERCAP-PLUGINS(8)