ETTERCAP-PLUGINS(8)           System Manager's Manual          ETTERCAP-PLUGINS(8)

NAME
       ettercap-plugins - A collection of plugins for ettercap

DESCRIPTION
       Ettercap(8) supports loadable modules at runtime. They are called
       plugins and they come within the source tarball. They are
       automatically compiled if your system supports them, unless you pass
       the -DENABLE_PLUGINS=OFF option to the cmake configure script.

       Some of the older ettercap plugins (roper, banshee, and so on) have
       not been ported to the new version. However, you can achieve the
       same results with the new filtering engine.

       If you use interactive mode, most plugins need "Start Sniff" before
       you can use them.

       To list the plugins installed on your system, run:

              ettercap -P list

       The following is a list of available plugins:

       arp_cop
              It reports suspicious ARP activity by passively monitoring
              ARP requests/replies. It can report ARP poisoning attempts,
              or simple IP conflicts or IP changes. If you build the
              initial host list, the plugin will run more accurately.

              example :

                     ettercap -TQP arp_cop //

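              The checks arp_cop performs can be reproduced offline. The block
              below is an added example, not ettercap code: it applies the same
              three heuristics to constructed ARP records instead of sniffing.
              A request or solicited reply that rebinds a known IP is reported
              as an IP conflict, an unsolicited reply that does so as a
              poisoning attempt, and a known MAC turning up with a new address
              as an IP change. The ArpRecord/ArpMonitor names and the sample
              MACs are assumptions of the example; seeding `bindings` plays the
              role of building the initial host list.

```python
"""Passive ARP monitor in the spirit of ettercap's arp_cop.

Added example, not ettercap code. It consumes already-decoded ARP
records (constructed below) instead of sniffing. Seeding `bindings`
from a trusted host list is what "build the initial host list" buys:
without it, the first claim for an IP is taken on trust.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

REQUEST, REPLY = 1, 2          # ARP opcodes


@dataclass
class ArpRecord:
    op: int
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass
class ArpMonitor:
    # ip -> mac bindings we currently trust (optionally pre-seeded)
    bindings: Dict[str, str] = field(default_factory=dict)
    # (asking_ip, asked_ip) pairs for requests not yet answered
    pending: Set[Tuple[str, str]] = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)

    def observe(self, rec: ArpRecord) -> None:
        if rec.op == REQUEST:
            self.pending.add((rec.sender_ip, rec.target_ip))
            self._learn(rec.sender_ip, rec.sender_mac, solicited=True)
            return
        # a reply is solicited only if some host asked for sender_ip
        solicited = any(asked == rec.sender_ip for _, asked in self.pending)
        self.pending = {p for p in self.pending if p[1] != rec.sender_ip}
        self._learn(rec.sender_ip, rec.sender_mac, solicited)

    def _learn(self, ip: str, mac: str, solicited: bool) -> None:
        mac = mac.lower()
        known = self.bindings.get(ip)
        if known is None:
            # new IP: if its MAC was bound elsewhere, report an IP change
            for old_ip, old_mac in self.bindings.items():
                if old_mac == mac:
                    self.alerts.append(f"IP change: {mac} moved {old_ip} -> {ip}")
            self.bindings[ip] = mac
        elif known != mac:
            # heuristic: a rebinding nobody asked for looks like poisoning,
            # a rebinding in a request or solicited reply like a conflict
            kind = "IP conflict" if solicited else "poisoning attempt"
            self.alerts.append(f"{kind}: {ip} claimed by {mac}, known {known}")


# Constructed traffic, not a real capture.
MAC1, MAC2 = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
SAMPLE = [
    ArpRecord(REQUEST, "10.0.0.2", MAC2, "10.0.0.1"),                 # who has .1?
    ArpRecord(REPLY, "10.0.0.1", MAC1, "10.0.0.2"),                   # genuine answer
    ArpRecord(REPLY, "10.0.0.1", "ee:ee:ee:ee:ee:ee", "10.0.0.2"),    # unsolicited
    ArpRecord(REQUEST, "10.0.0.3", MAC2, "10.0.0.1"),                 # MAC2 moved
    ArpRecord(REQUEST, "10.0.0.2", "cc:cc:cc:cc:cc:cc", "10.0.0.1"),  # conflict
]


def run_demo() -> List[str]:
    """Replay SAMPLE against a monitor seeded with a trusted host list."""
    mon = ArpMonitor(bindings={"10.0.0.1": MAC1, "10.0.0.2": MAC2})
    for rec in SAMPLE:
        mon.observe(rec)
    return mon.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

              The solicited/unsolicited split is only a heuristic, which is
              why the text says the plugin is more accurate with a host list:
              a pre-seeded binding lets the first forged reply be flagged
              instead of learned.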
       autoadd
              It will automatically add new victims to the ARP poisoning
              mitm attack when they come up. It looks for ARP requests on
              the LAN and, when one is detected, adds the host to the
              victims list if it was specified in the TARGET. The host is
              added when an ARP request is seen from it, since
              communicating hosts are alive :)

       chk_poison
              It performs a check to see if the ARP poisoning module of
              ettercap was successful. It sends spoofed ICMP echo packets
              to all the victims of the poisoning, pretending to be each
              of the other targets. If we can catch an ICMP reply with our
              MAC address as destination, it means that the poisoning
              between those two targets is successful. It checks both ways
              of each communication. This plugin makes sense only where
              poisoning makes sense. The test fails if you specify only
              one target in silent mode. You can't run this plugin from
              the command line because the poisoning process is not
              started yet; you have to launch it from the proper menu.

       dns_spoof
              This plugin intercepts DNS queries and replies with a
              spoofed answer. You can choose which addresses the plugin
              replies with, and the expiry time in seconds (TTL), by
              modifying the etter.dns file. The plugin intercepts A, AAAA,
              PTR, MX, WINS, SRV and TXT requests. If it was an A request,
              the name is searched in the file and the IP address is
              returned (you can use wildcards in the name). The same
              applies if it was an AAAA request.

              TTL is an optional field which is specified as the last
              option in an entry in the etter.dns file. The TTL is
              specified as a number of seconds from 0 to 2^31-1 (see RFC
              2181). TTL is specified on a per-host basis. If the TTL is
              not specified for a particular host, the default value is
              3600 seconds (1 hour).

              If it was a PTR request, the IP address is searched in the
              file and the name is returned (except for those names
              containing a wildcard). For PTR requests, IPv4 and IPv6
              addresses are supported.

              In case of an MX request a special reply is crafted. The
              host is resolved with a fake host 'mail.host' and the
              additional record contains the IP address of 'mail.host'.
              The first address that matches is returned, so be careful
              with the order. The IP address for MX requests can be an
              IPv4 or an IPv6 address.

              If the request was a WINS request, the name is searched in
              the file and the IP address is returned.

              In case of an SRV request, a special reply is crafted. The
              host is resolved with a fake host 'srv.host' and the
              additional record contains the IP address of 'srv.host'. The
              IP address for SRV requests can be an IPv4 or an IPv6
              address.

              In case of a TXT request, the string defined in the file is
              returned. The string has to be wrapped in double quotes.
              Wildcards for the requested name can also be used.

              A special reply can be spoofed for A or AAAA requests if the
              'undefined address' is specified as the IP address in the
              file. Then the client gets a response which stops resolution
              processing immediately. This way one can control which
              address family is used to access a dual-stacked host.

              In the case of an ANY request, all matching results of type
              A, AAAA, MX and TXT are returned in the reply. If the
              'undefined address' for A or AAAA records is defined,
              nothing is returned for these types whether or not the name
              matches.

       mdns_spoof
              This plugin does the same as the dns_spoof plugin described
              above, except that it listens for mDNS (Multicast DNS)
              queries on UDP port 5353. To choose which address the plugin
              shall reply with, you have to modify a different file called
              etter.mdns. Due to the nature of mDNS, the plugin intercepts
              only A, AAAA, PTR and SRV requests.

              The way the mdns_spoof plugin interprets the etter.mdns file
              and the rules that apply are the same as with the dns_spoof
              plugin, although currently the mdns_spoof plugin lacks
              support for custom TTL. The TTL for all spoofed mDNS replies
              is 3600 seconds (1 hour).

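              The matching rules given above for dns_spoof and mdns_spoof can
              be exercised against a rule table without any packets. The block
              below is an added example, not ettercap code. The line syntax it
              parses (`name TYPE value [TTL]`, TXT values double-quoted, PTR
              rules matched on their address, the word `undefined` standing
              for the 'undefined address') is a simplified assumption of the
              example and not the real etter.dns grammar. What it implements
              are the rules the text states: first match wins with wildcard
              names, TTL bounds from RFC 2181 with the 3600-second default,
              wildcard names never returned for PTR, the crafted
              'mail.host'/'srv.host' replies with their additional address
              record, the empty answer for an 'undefined address', ANY
              gathering A/AAAA/MX/TXT, and the mDNS variant that accepts only
              A/AAAA/PTR/SRV and ignores custom TTLs.

```python
"""Rule-table lookup illustrating the etter.dns / etter.mdns semantics
described in the text. Added example, not ettercap code.

Assumed, simplified line syntax (not the real etter.dns grammar):
    <name>  <TYPE>  <value>  [TTL]
TXT values are double-quoted; PTR rules keep the name first and are
matched on their address; the literal value "undefined" stands for the
text's 'undefined address'.
"""
import fnmatch
import shlex
from typing import List, Optional, Tuple

DEFAULT_TTL = 3600            # 1 hour, the text's default
MAX_TTL = 2**31 - 1           # RFC 2181 upper bound
UNDEFINED = "undefined"
DNS_TYPES = {"A", "AAAA", "PTR", "MX", "WINS", "SRV", "TXT"}
MDNS_TYPES = {"A", "AAAA", "PTR", "SRV"}
ANY_TYPES = ("A", "AAAA", "MX", "TXT")

Rule = Tuple[str, str, str, int]        # (name, type, value, ttl)
Answer = Tuple[str, str, int]           # (type, value, ttl)


def parse_rules(text: str, mdns: bool = False) -> List[Rule]:
    """Parse rules in file order; raises ValueError on unusable lines."""
    allowed = MDNS_TYPES if mdns else DNS_TYPES
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = shlex.split(raw, comments=True)   # keeps "quoted TXT" whole
        if not parts:
            continue
        if len(parts) not in (3, 4):
            raise ValueError(f"line {lineno}: expected 3 or 4 fields")
        name, rtype, value = parts[0].lower(), parts[1].upper(), parts[2]
        if rtype not in allowed:
            raise ValueError(f"line {lineno}: type {rtype} is not intercepted")
        ttl = DEFAULT_TTL
        if len(parts) == 4 and not mdns:          # mdns_spoof has no custom TTL
            ttl = int(parts[3])
            if not 0 <= ttl <= MAX_TTL:
                raise ValueError(f"line {lineno}: TTL outside 0..2^31-1")
        rules.append((name, rtype, value, ttl))
    return rules


def _addr_type(ip: str) -> str:
    return "AAAA" if ":" in ip else "A"


def lookup(rules: List[Rule], qname: str, qtype: str) -> Optional[List[Answer]]:
    """None: no rule matches (no spoofed reply). []: an empty answer that
    stops resolution. Otherwise the records a reply would carry."""
    qname, qtype = qname.lower(), qtype.upper()
    if qtype == "ANY":
        answers: List[Answer] = []
        for t in ANY_TYPES:
            # an 'undefined' A/AAAA rule anywhere suppresses that type
            if t in ("A", "AAAA") and any(r[1] == t and r[2] == UNDEFINED for r in rules):
                continue
            answers.extend(lookup(rules, qname, t) or [])
        return answers or None
    for name, rtype, value, ttl in rules:
        if rtype != qtype:
            continue
        if qtype == "PTR":
            # reverse lookup on the address; wildcard names are never returned
            if value == qname and "*" not in name:
                return [("PTR", name, ttl)]
            continue
        if not fnmatch.fnmatchcase(qname, name):
            continue
        if qtype in ("A", "AAAA") and value == UNDEFINED:
            return []
        if qtype in ("MX", "SRV"):
            fake = "mail.host" if qtype == "MX" else "srv.host"
            return [(qtype, fake, ttl), (_addr_type(value), value, ttl)]
        return [(qtype, value, ttl)]          # first matching rule wins
    return None


# Constructed sample table, not a real etter.dns.
SAMPLE_RULES = """
www.example.test    A     10.0.0.5
*.example.test      A     10.0.0.6   600
ipv6.example.test   AAAA  undefined
example.test        MX    10.0.0.7
example.test        TXT   "v=spf1 -all"
host.example.test   PTR   10.0.0.9
"""

if __name__ == "__main__":
    table = parse_rules(SAMPLE_RULES)
    for q in [("www.example.test", "A"), ("ftp.example.test", "A"),
              ("ipv6.example.test", "AAAA"), ("10.0.0.9", "PTR"),
              ("example.test", "ANY")]:
        print(q, "->", lookup(table, *q))
```

              The "be careful with the order" warning in the MX paragraph is
              visible in the A lookups: www.example.test hits its exact rule
              only because that rule precedes the `*.example.test` wildcard.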
       dos_attack
              This plugin runs a DoS attack against a victim IP address.
              It first "scans" the victim to find open ports, then starts
              to flood these ports with SYN packets, using a "phantom"
              address as source IP. Then it uses fake ARP replies to
              intercept packets for the phantom host. When it receives a
              SYN-ACK from the victim, it replies with an ACK packet,
              creating an ESTABLISHED connection. You have to use a free
              IP address in your subnet to create the "phantom" host (you
              can use find_ip for this purpose). You can't run this plugin
              in unoffensive mode. This plugin is based on the original
              Naptha DoS attack
              (http://razor.bindview.com/publish/advisories/adv_NAPTHA.html).

              example :

                     ettercap -TQP dos_attack

       dummy
              Only a template to demonstrate how to write a plugin.

       find_conn
              Very simple plugin that listens for ARP requests to show you
              all the targets a host wants to talk to. It can also help
              you find addresses in an unknown LAN.

              example :

                     ettercap -TQzP find_conn

                     ettercap -TQu -i eth0 -P find_conn

       find_ettercap
              Tries to identify ettercap packets sent on the LAN. It could
              be useful to detect if someone is using ettercap. Do not
              rely on it 100%, since the tests only check particular
              sequence/identification numbers.

       find_ip
              Finds the first unused IP address in the range specified by
              the user in the target list. Some other plugins (such as
              gre_relay) need an unused IP address of the LAN to create a
              "fake" host. It can also be useful to obtain an IP address
              in an unknown LAN where there is no DHCP server. You can use
              find_conn to determine the IP addressing of the LAN, and
              then find_ip. You have to build the host list to use this
              plugin, so you can't use it in unoffensive mode. If you
              don't have an IP address for your interface, give it a bogus
              one (e.g. if the LAN is 192.168.0.0/24, use 10.0.0.1 to
              avoid a conflicting IP), then launch this plugin specifying
              the subnet range. You can run it either from the command
              line or from the proper menu.

              example :

                     ettercap -TQP find_ip //

                     ettercap -TQP find_ip /192.168.0.1-254/

       finger
              Uses the passive fingerprint capabilities to fingerprint a
              remote host. It does a connect() to the remote host to force
              the kernel to reply to the SYN with a SYN+ACK packet. The
              reply is collected and the fingerprint is displayed. The
              connect() obeys the connect_timeout parameter in
              etter.conf(5). You can specify a target on the command line
              or let the plugin ask for the target host to be
              fingerprinted. You can also specify multiple targets with
              the usual multi-target specification (see ettercap(8)). If
              you specify multiple ports, all the ports will be tested on
              all the IPs.

              example :

                     ettercap -TzP finger /192.168.0.1/22
                     ettercap -TzP finger /192.168.0.1-50/22,23,25

       finger_submit
              Use this plugin to submit a fingerprint to the ettercap
              website. If you found an unknown fingerprint, but you know
              for sure the operating system of the target, you can submit
              it so it will be inserted in the database in the next
              ettercap release. We need your help to increase the passive
              fingerprint database. Thank you very much.

              example :

                     ettercap -TzP finger_submit

       fraggle_attack
              This plugin performs a DoS attack by sending a large amount
              of UDP echo and chargen traffic to all hosts in target2 with
              a fake source IP address (the victim).

              example (192.168.0.5 is the victim):

                     ettercap -i eth1 -Tq /192.168.0.5/ // -P fraggle_attack

       gre_relay
              This plugin can be used to sniff GRE-redirected remote
              traffic. The basic idea is to create a GRE tunnel that sends
              all the traffic on a router interface to the ettercap
              machine. The plugin will send the GRE packets back to the
              router after ettercap "manipulation" (you can use "active"
              plugins such as smb_down, ssh decryption, filters, etc. on
              redirected traffic). It needs a "fake" host where the
              traffic has to be redirected to (to avoid the kernel's
              responses). The "fake" IP will be the tunnel endpoint. The
              gre_relay plugin will impersonate the "fake" host. To find
              an unused IP address for the "fake" host you can use the
              find_ip plugin. Based on the original Tunnelx technique by
              Anthony C. Zboralski
              (http://www.phrack.org/archives/issues/56/10.txt).

       gw_discover
              This plugin tries to discover the gateway of the LAN by
              sending TCP SYN packets to a remote host. The packet has the
              destination IP of a remote host and the destination MAC
              address of a local host. If ettercap receives the SYN+ACK
              packet, the host which owns the source MAC address of the
              reply is the gateway. This operation is repeated for each
              host in the 'host list', so you need to have a valid host
              list before launching this plugin.

              example :

                     ettercap -TP gw_discover /192.168.0.1-50/

       isolate
              The isolate plugin will isolate a host from the LAN. It will
              poison the victim's ARP cache with its own MAC address
              associated with all the hosts it tries to contact. This way
              the host will not be able to contact other hosts because the
              packets will never reach the wire. You can specify all the
              hosts or only a group. The target specification works this
              way: target1 is the victim and must be a single host;
              target2 can be a range of addresses and represents the hosts
              that will be blocked from the victim.

              examples :

                     ettercap -TzqP isolate /192.168.0.1/ //
                     ettercap -TP isolate /192.168.0.1/ /192.168.0.2-30/

       krb5_downgrade
              It downgrades Kerberos V5 security by modifying the etype
              values in client AS-REQ packets. This way, obtained hashes
              can be easily cracked by John the Ripper (JtR). You have to
              be in the "middle" of the connection to use it successfully.
              It hooks the kerberos dissector, so you have to keep it
              active.

       link_type
              It performs a check of the link type (hub or switch) by
              sending a spoofed ARP request and listening for replies. It
              needs at least one entry in the host list to perform the
              check. With two or more hosts the test will be more
              accurate.

              example :

                     ettercap -TQP link_type /192.168.0.1/
                     ettercap -TQP link_type //

       pptp_chapms1
              It forces the PPTP tunnel to negotiate MS-CHAPv1
              authentication instead of MS-CHAPv2, which is usually easier
              to crack (for example with LC4). You have to be in the
              "middle" of the connection to use it successfully. It hooks
              the ppp dissector, so you have to keep it active.

       pptp_clear
              Forces no compression/encryption for PPTP tunnels during
              negotiation. It could fail if the client (or the server) is
              configured to drop the tunnel if no encryption is
              negotiated. You have to be in the "middle" of the connection
              to use it successfully. It hooks the ppp dissector, so you
              have to keep it active.

       pptp_pap
              It forces the PPTP tunnel to negotiate PAP (cleartext)
              authentication. It could fail if PAP is not supported, if
              the pap_secret file is missing, or in case Windows is
              configured with "automatic use of domain account" (it could
              fail for many other reasons too). You have to be in the
              "middle" of the connection to use it successfully. It hooks
              the ppp dissector, so you have to keep it active.

       pptp_reneg
              Forces re-negotiation on an existing PPTP tunnel. You can
              force re-negotiation to grab passwords already sent.
              Furthermore, you can launch it to use pptp_pap, pptp_chapms1
              or pptp_clear on existing tunnels (those plugins work only
              during the negotiation phase). You have to be in the
              "middle" of the connection to use it successfully. It hooks
              the ppp dissector, so you have to keep it active.

       rand_flood
              Floods the LAN with random MAC addresses. Some switches will
              fail open in repeating mode, facilitating sniffing. The
              delay between each packet is based on the
              port_steal_send_delay value in etter.conf. It is useful only
              on ethernet switches.

              example :

                     ettercap -TP rand_flood

       remote_browser
              It sends to the browser the URLs sniffed through HTTP
              sessions, so you are able to see the webpages in real time.
              The command executed is configurable in the etter.conf(5)
              file. It sends to the browser only the GET requests and only
              for webpages, ignoring single requests for images or other
              amenities. Don't use it to view your own connection :)

       reply_arp
              Simple ARP responder. When it intercepts an ARP request for
              a host in the targets' lists, it replies with the attacker's
              MAC address.

              example :

                     ettercap -TQzP reply_arp /192.168.0.1/
                     ettercap -TQzP reply_arp //

       repoison_arp
              It solicits poisoning packets after broadcast ARP requests
              (or replies) from a poisoned host. For example: we are
              poisoning Group1 impersonating Host2. If Host2 makes a
              broadcast ARP request for Host3, it is possible that Group1
              caches the right MAC address for Host2 contained in the ARP
              packet. This plugin re-poisons the Group1 cache immediately
              after a legal broadcast ARP request (or reply). This plugin
              is effective only during an ARP poisoning session. In
              conjunction with the reply_arp plugin, repoison_arp is a
              good support for the standard ARP poisoning mitm method.

              example :

                     ettercap -T -M arp:remote -P repoison_arp /192.168.0.10-20/ /192.168.0.1/

       scan_poisoner
              Checks if someone is poisoning between some host in the
              list and us. First of all it checks if two hosts in the list
              have the same MAC address. It could mean that one of those
              is poisoning us pretending to be the other. It could
              generate many false positives in a proxy-ARP environment.
              You have to build the host list to perform this check. After
              that, it sends ICMP echo packets to each host in the list
              and checks if the source MAC address of the reply differs
              from the address we have stored in the list for that IP. It
              could mean that someone is poisoning that host pretending to
              have our IP address and forwards intercepted packets to us.
              You can't perform this active test in unoffensive mode.

              example :

                     ettercap -TQP scan_poisoner //

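              The two checks scan_poisoner makes, restated as offline
              functions over a stored host list and echo replies already
              observed on the wire. This is an added example, not ettercap
              code; the host list, the reply records and the function names
              are constructed assumptions of the example.

```python
"""Host-list consistency checks in the spirit of ettercap's scan_poisoner.

Added example, not ettercap code. It works on a stored host list and on
already-observed ICMP echo replies instead of sending probes itself.
"""
from typing import Dict, Iterable, List, Tuple


def duplicate_macs(host_list: Dict[str, str]) -> Dict[str, List[str]]:
    """First check: IPs in the host list that share one MAC address.
    Returns {mac: [ip, ...]} for each MAC claimed by more than one IP.
    Proxy-ARP setups legitimately trigger this, as the text warns."""
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in host_list.items():
        by_mac.setdefault(mac.lower(), []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def reply_mismatches(host_list: Dict[str, str],
                     echo_replies: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Second check: an echo reply whose Ethernet source MAC differs from
    the MAC stored for that IP. Returns (ip, stored_mac, seen_mac) tuples;
    a mismatch means something else answered (or relayed) for that host."""
    out: List[Tuple[str, str, str]] = []
    for ip, seen in echo_replies:
        stored = host_list.get(ip)
        if stored is not None and stored.lower() != seen.lower():
            out.append((ip, stored.lower(), seen.lower()))
    return out


# Constructed data, not a real host list or capture.
HOSTS = {
    "10.0.0.1": "aa:aa:aa:aa:aa:01",
    "10.0.0.2": "aa:aa:aa:aa:aa:02",
    "10.0.0.3": "aa:aa:aa:aa:aa:02",   # same MAC as .2
}
REPLIES = [
    ("10.0.0.1", "aa:aa:aa:aa:aa:01"),  # consistent with the host list
    ("10.0.0.2", "EE:EE:EE:EE:EE:EE"),  # answered from an unexpected NIC
]

if __name__ == "__main__":
    print("duplicate MACs:", duplicate_macs(HOSTS))
    print("reply mismatches:", reply_mismatches(HOSTS, REPLIES))
```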
       search_promisc
              It tries to find if anyone is sniffing in promiscuous mode.
              It sends two different kinds of malformed ARP request to
              each target in the host list and waits for replies. If a
              reply arrives from the target host, it is more or less
              probable that this target has the NIC in promiscuous mode.
              It could generate false positives. You can launch it either
              from the command line or from the plugin menu. Since it
              listens for ARP replies, it is better that you don't use it
              while sending ARP requests.

              example :

                     ettercap -TQP search_promisc /192.168.0.1/
                     ettercap -TQP search_promisc //

       smb_clear
              It forces the client to send the SMB password in clear text
              by mangling protocol negotiation. You have to be in the
              "middle" of the connection to use it successfully. It hooks
              the smb dissector, so you have to keep it active. If you use
              it against a Windows client it will probably result in a
              failure. Try it against a *nix smbclient :)

       smb_down
              It forces the client not to use the NTLM2 password exchange
              during SMB authentication. This way, obtained hashes can be
              easily cracked by LC4. You have to be in the "middle" of the
              connection to use it successfully. It hooks the smb
              dissector, so you have to keep it active.

       smurf_attack
              The Smurf Attack is a DoS attack in which huge numbers of
              ICMP packets carrying the IP(s) of the intended victim(s) in
              target1 are sent to the hosts in target2. This causes all
              hosts in target2 to reply to the ICMP request, causing
              significant traffic to the victim's computer(s).

              example (192.168.0.5 is the victim):

                     ettercap -i eth1 -Tq /192.168.0.5/ // -P smurf_attack

       sslstrip
              While performing the SSL mitm attack, ettercap substitutes
              the real SSL certificate with its own. The fake certificate
              is created on the fly and all the fields are filled
              according to the real cert presented by the server. Only the
              issuer is modified and signed with the private key contained
              in the 'etter.ssl.crt' file. If you want to use a different
              private key you have to regenerate this file. To regenerate
              the cert file use the following commands:

                     openssl genrsa -out etter.ssl.crt 1024
                     openssl req -new -key etter.ssl.crt -out tmp.csr
                     openssl x509 -req -days 1825 -in tmp.csr -signkey etter.ssl.crt -out tmp.new
                     cat tmp.new >> etter.ssl.crt
                     rm -f tmp.new tmp.csr

              NOTE: SSL mitm is not available (for now) in bridged mode.

              NOTE: You can use the --certificate/--private-key long
              options if you want to specify a different file rather than
              the etter.ssl.crt file.

       stp_mangler
              It sends spanning tree BPDUs pretending to be a switch with
              the highest priority. Once in the "root" of the spanning
              tree, ettercap can receive all the "unmanaged" network
              traffic. It is useful only against a group of switches
              running STP. If there is another switch with the highest
              priority, try to manually decrease your MAC address before
              running it.

              example :

                     ettercap -TP stp_mangler

ORIGINAL AUTHORS
       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>

PROJECT STEWARDS
       Emilio Escobar (exfil) <eescobar@gmail.com>
       Eric Milam (Brav0Hax) <jbrav.hax@gmail.com>

OFFICIAL DEVELOPERS
       Mike Ryan (justfalter) <falter@gmail.com>
       Gianfranco Costamagna (LocutusOfBorg) <costamagnagianfranco@yahoo.it>
       Antonio Collarino (sniper) <anto.collarino@gmail.com>
       Ryan Linn <sussuro@happypacket.net>
       Jacob Baines <baines.jacob@gmail.com>

CONTRIBUTORS
       Dhiru Kholia (kholia) <dhiru@openwall.com>
       Alexander Koeppe (koeppea) <format_c@online.de>
       Martin Bos (PureHate) <purehate@backtrack.com>
       Enrique Sanchez
       Gisle Vanem <giva@bgnett.no>
       Johannes Bauer <JohannesBauer@gmx.de>
       Daten (Bryan Schneiders) <daten@dnetc.org>

SEE ALSO
       ettercap(8) ettercap_curses(8) etterlog(8) etterfilter(8) etter.conf(5)
       ettercap-pkexec(8)

ettercap 0.8.2                                                 ETTERCAP-PLUGINS(8)