ETTERCAP-PLUGINS(8)         System Manager's Manual        ETTERCAP-PLUGINS(8)



NAME

       ettercap-plugins - A collection of plugins for ettercap



DESCRIPTION

       Ettercap(8) supports loadable modules at runtime. They are called
       plugins and they come within the source tarball. They are
       automatically compiled if your system supports them, unless you pass
       the -DENABLE_PLUGINS=OFF option to the cmake configure script.
       Some of the older ettercap plugins (roper, banshee, and so on) have
       not been ported to the new version. However, you can achieve the
       same results by using the new filtering engine.
       If you use interactive mode, most plugins need "Start Sniff" to be
       selected before using them.


       To get a list of the plugins installed on your system, run:

              ettercap -P list


       The following is a list of available plugins:


       arp_cop

              It reports suspicious ARP activity by passively monitoring ARP
              requests/replies. It can report ARP poisoning attempts, or
              simple IP-conflicts or IP-changes. If you build the initial
              host list the plugin will run more accurately.

              example :

              ettercap -TQP arp_cop //



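              The check arp_cop performs can be reproduced offline. The
              following is an added example, not code from ettercap: it
              parses constructed Ethernet/ARP frames, keeps an IP-to-MAC
              table (optionally seeded with a host list, like the initial
              host list mentioned above) and reports poisoning attempts, IP
              conflicts and IP changes. The alert names, the keep-first-
              binding policy and the sample addresses are this example's own
              assumptions.

```python
"""Passive ARP consistency monitor in the spirit of arp_cop.

Added example, not ettercap's own code. It parses raw Ethernet/ARP frames,
keeps an IP -> MAC table (optionally pre-seeded from a host list) and reports:
  ip-conflict        an ARP request claims an IP already bound to another MAC
  poisoning-attempt  an ARP reply claims an IP already bound to another MAC
  ip-change          a known MAC starts announcing a different, free IP
The frames at the bottom are constructed for this example.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
Alert = Tuple[str, str, str, str]  # (kind, sender_ip, sender_mac, previous binding)


@dataclass
class ArpEvent:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes) -> Optional[ArpEvent]:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None otherwise."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    a = frame[22:42]
    return ArpEvent(op, _mac(a[0:6]), _ip(a[6:10]), _mac(a[10:16]), _ip(a[16:20]))


class ArpCop:
    def __init__(self, known_hosts: Optional[Dict[str, str]] = None):
        self.ip_to_mac: Dict[str, str] = dict(known_hosts or {})
        self.mac_to_ip: Dict[str, str] = {m: i for i, m in self.ip_to_mac.items()}
        self.alerts: List[Alert] = []

    def observe(self, ev: ArpEvent) -> Optional[str]:
        ip, mac = ev.sender_ip, ev.sender_mac
        if ip == "0.0.0.0":
            return None  # ARP probe (RFC 5227): the sender asserts no binding
        bound_mac = self.ip_to_mac.get(ip)  # who currently owns this IP
        bound_ip = self.mac_to_ip.get(mac)  # which IP this MAC announced before
        if bound_mac == mac:
            return None  # consistent with the table
        if bound_mac is not None:
            # Another MAC claims an IP we already have a binding for. The
            # first-seen binding is kept; a reply doing this is the poisoning shape.
            kind = "poisoning-attempt" if ev.op == ARP_REPLY else "ip-conflict"
            self.alerts.append((kind, ip, mac, bound_mac))
            return kind
        kind = None
        if bound_ip is not None:
            # A known MAC moved to a free IP: report it and drop the old binding.
            kind = "ip-change"
            self.alerts.append((kind, ip, mac, bound_ip))
            del self.ip_to_mac[bound_ip]
        self.ip_to_mac[ip] = mac  # new host (no alert) or accepted change
        self.mac_to_ip[mac] = ip
        return kind


def monitor(frames, known_hosts=None) -> List[Alert]:
    """Feed frames through ArpCop and return the alerts it raised, in order."""
    cop = ArpCop(known_hosts)
    for frame in frames:
        ev = parse_arp_frame(frame)
        if ev is not None:
            cop.observe(ev)
    return cop.alerts


def build_arp(op, sha, spa, tha, tpa) -> bytes:
    """Constructed test input (Ethernet + ARP), not captured traffic."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac(tha)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)
    return dst + mac(sha) + struct.pack("!H", ETH_P_ARP) + arp


GW, H10, H11 = "192.168.0.1", "192.168.0.10", "192.168.0.11"
GW_MAC, H10_MAC = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:10"
H10_MAC2, ROGUE, ZERO = "bb:bb:bb:bb:bb:10", "cc:cc:cc:cc:cc:99", "00:00:00:00:00:00"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, H10_MAC, H10, ZERO, GW),   # .10 asks for the gateway: learned
    build_arp(ARP_REPLY, GW_MAC, GW, H10_MAC, H10),   # gateway answers: learned
    build_arp(ARP_REPLY, ROGUE, GW, H10_MAC, H10),    # rogue MAC claims the gateway IP
    build_arp(ARP_REQUEST, H10_MAC2, H10, ZERO, GW),  # a second MAC claims .10
    build_arp(ARP_REQUEST, H10_MAC, H11, ZERO, GW),   # .10's MAC now uses .11
    b"\x00" * 60,                                      # not ARP: ignored
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_FRAMES):
        print(alert)
```

              Run directly, it prints one alert per suspicious frame. Feeding
              only the rogue reply to a monitor seeded with the gateway's
              real binding still raises the alert, which is the effect of
              building the initial host list first: without the seed, the
              first reply seen is simply learned.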
       autoadd

              It will automatically add new victims to the ARP poisoning mitm
              attack when they come up. It looks for ARP requests on the LAN
              and when detected it will add the host to the victims list if it
              was specified in the TARGET. The host is added when an ARP
              request is seen from it, since communicating hosts are alive :)



       chk_poison

              It performs a check to see if the arp poisoning module of
              ettercap was successful. It sends spoofed ICMP echo packets to
              all the victims of the poisoning pretending to be each of the
              other targets. If we can catch an ICMP reply with our MAC
              address as destination it means that the poisoning between
              those two targets is successful. It checks both ways of each
              communication. This plugin makes sense only where poisoning
              makes sense. The test fails if you specify only one target in
              silent mode. You can't run this plugin from the command line
              because the poisoning process is not started yet. You have to
              launch it from the proper menu.



       dns_spoof

              This plugin intercepts DNS queries and replies with a spoofed
              answer. You can choose to which addresses the plugin has to
              reply, and the expiry time in seconds (TTL), by modifying the
              etter.dns file. The plugin intercepts A, AAAA, PTR, MX, WINS,
              SRV and TXT requests. If it was an A request, the name is
              searched in the file and the IP address is returned (you can
              use wildcards in the name).
              The same applies if it was an AAAA request.

              TTL is an optional field which is specified as the last option
              in an entry in the etter.dns file. The TTL is specified as a
              number of seconds from 0 to 2^31-1 (see RFC 2181). TTL is
              specified on a per-host basis. If the TTL is not specified for
              a particular host, the default value is 3600 seconds (1 hour).

              If it was a PTR request, the IP address is searched in the file
              and the name is returned (except for those names containing a
              wildcard). For PTR requests, IPv4 or IPv6 addresses are
              supported.

              In case of an MX request a special reply is crafted. The host
              is resolved with a fake host 'mail.host' and the additional
              record contains the IP address of 'mail.host'. The first
              address that matches is returned, so be careful with the order.
              The IP address for MX requests can be an IPv4 or an IPv6
              address.

              If the request was a WINS request, the name is searched in the
              file and the IP address is returned.

              In case of an SRV request, a special reply is crafted. The host
              is resolved with a fake host 'srv.host' and the additional
              record contains the IP address of 'srv.host'. The IP address
              for SRV requests can be an IPv4 or an IPv6 address.

              In case of a TXT request, the string defined is returned. The
              string has to be wrapped in double quotes. Wildcards for the
              requested name can also be used.

              A special reply can be spoofed for A or AAAA requests, if the
              'undefined address' is specified as the IP address in the file.
              Then the client gets a response which stops resolution
              processing immediately. This way one can control which address
              family is being used to access a dual-stacked host.

              In the case of an ANY request, all matching results of type A,
              AAAA, MX and TXT are returned in the reply. If the 'undefined
              address' for A or AAAA records is defined, nothing is returned
              for these types whether or not the name matches.



       mdns_spoof

              This plugin does the same as the dns_spoof plugin described
              above, except that it listens for mDNS (Multicast DNS) queries
              on UDP port 5353. To choose to which address the plugin shall
              reply, you have to modify a different file called etter.mdns.
              Due to the nature of mDNS, the plugin intercepts only A, AAAA,
              PTR and SRV requests.

              The way the mdns_spoof plugin interprets the etter.mdns file and
              the rules that apply are the same as with the dns_spoof plugin,
              although currently the mdns_spoof plugin lacks support for
              custom TTL. The TTL for all spoofed mDNS replies is 3600
              seconds (1 hour).



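              The matching rules described under dns_spoof (and, for the A,
              AAAA, PTR and SRV types with the fixed 3600-second TTL, under
              mdns_spoof) can be checked against a rule file without any
              network traffic. The following is an added example and not
              ettercap's own parser: it applies wildcards, the per-entry TTL
              with its 3600 default and RFC 2181 range, the 'undefined
              address', the mail.host/srv.host records and the ANY behaviour
              to a constructed rule file. The entry layout '<name> <TYPE>
              <value> [TTL]', the spelling 'undefined' for the undefined
              address and fnmatch-style wildcards are assumptions; the
              authoritative syntax is in the etter.dns file shipped with
              ettercap.

```python
"""Rule matcher for the etter.dns semantics described in the man page.

Added example, not ettercap's own parser. Assumed entry format:
    <name> <TYPE> <value> [TTL]      # comment
TYPE is A, AAAA, PTR, MX, WINS, SRV or TXT; TXT values are double-quoted;
'*' and '?' in a name are wildcards (fnmatch style, assumed); the literal
value 'undefined' stands for the 'undefined address' (spelling assumed).
"""
import fnmatch
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_TTL, MAX_TTL = 3600, 2**31 - 1  # default and RFC 2181 upper bound
UNDEFINED = "undefined"
RULE_RE = re.compile(r'^\s*(\S+)\s+([A-Za-z]+)\s+("[^"]*"|\S+)(?:\s+(\d+))?\s*(?:#.*)?$')
Answer = Tuple[str, str, str, int]  # (rtype, owner, value, ttl)


@dataclass
class Rule:
    name: str
    rtype: str
    value: str
    ttl: int


def parse_etter_dns(text: str) -> List[Rule]:
    """Parse rule lines; raises ValueError on a malformed entry or bad TTL."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparsable entry {line!r}")
        name, rtype, value, ttl = m.groups()
        rtype = rtype.upper()
        if rtype == "TXT":
            if not (value.startswith('"') and value.endswith('"')):
                raise ValueError(f"line {lineno}: TXT value must be double-quoted")
            value = value[1:-1]
        ttl = DEFAULT_TTL if ttl is None else int(ttl)
        if not 0 <= ttl <= MAX_TTL:
            raise ValueError(f"line {lineno}: TTL {ttl} outside 0..2^31-1 (RFC 2181)")
        rules.append(Rule(name.lower(), rtype, value, ttl))
    return rules


def _first(rules: List[Rule], rtype: str, qname: str) -> Optional[Rule]:
    """First rule of this type whose (wildcard) name matches: file order wins."""
    for r in rules:
        if r.rtype == rtype and fnmatch.fnmatchcase(qname.lower(), r.name):
            return r
    return None


def _addr_type(value: str) -> str:
    return "AAAA" if ipaddress.ip_address(value).version == 6 else "A"


def answer(rules: List[Rule], qname: str, qtype: str) -> List[Answer]:
    """Records the reply would carry; [] means the query is not spoofed."""
    qtype = qtype.upper()
    if qtype == "ANY":
        out: List[Answer] = []
        for t in ("A", "AAAA", "MX", "TXT"):
            ans = answer(rules, qname, t)
            if t in ("A", "AAAA") and ans and ans[0][2] == UNDEFINED:
                continue  # undefined address: nothing for this type
            out.extend(ans)
        return out
    if qtype == "PTR":
        want = ipaddress.ip_address(qname)  # reverse lookup: query is an address
        for r in rules:
            if r.rtype == "PTR" and "*" not in r.name and "?" not in r.name \
                    and ipaddress.ip_address(r.value) == want:
                return [("PTR", qname, r.name, r.ttl)]
        return []
    r = _first(rules, qtype, qname)
    if r is None:
        return []
    if qtype == "MX":  # fake exchanger plus its address as the additional record
        return [("MX", qname, "mail.host", r.ttl), (_addr_type(r.value), "mail.host", r.value, r.ttl)]
    if qtype == "SRV":
        return [("SRV", qname, "srv.host", r.ttl), (_addr_type(r.value), "srv.host", r.value, r.ttl)]
    return [(qtype, qname, r.value, r.ttl)]  # A, AAAA, WINS, TXT (A/AAAA may be 'undefined')


SAMPLE_ETTER_DNS = """\
# constructed sample, not the etter.dns shipped with ettercap
www.example.test   A     192.0.2.10
*.example.test     A     192.0.2.20   600
example.test       MX    192.0.2.25
example.test       TXT   "v=spf1 -all"
ipv6only.test      A     undefined
ipv6only.test      AAAA  2001:db8::10
host.example.test  PTR   192.0.2.10
*.example.test     PTR   192.0.2.20
"""
RULES = parse_etter_dns(SAMPLE_ETTER_DNS)

if __name__ == "__main__":
    for q in (("www.example.test", "A"), ("foo.example.test", "A"), ("example.test", "ANY"),
              ("ipv6only.test", "ANY"), ("192.0.2.10", "PTR"), ("192.0.2.20", "PTR")):
        print(q, "->", answer(RULES, *q))
```

              The ipv6only.test entries show the dual-stack control the man
              page describes: an A query gets the undefined address, and an
              ANY query returns only the AAAA record. The wildcard PTR entry
              is never used for reverse lookups, and a TTL above 2^31-1 is
              rejected at parse time.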
       dos_attack

              This plugin runs a d.o.s. attack against a victim IP address.
              It first "scans" the victim to find open ports, then starts to
              flood these ports with SYN packets, using a "phantom" address
              as source IP. Then it uses fake ARP replies to intercept
              packets for the phantom host. When it receives SYN-ACK from the
              victim, it replies with an ACK packet creating an ESTABLISHED
              connection. You have to use a free IP address in your subnet to
              create the "phantom" host (you can use find_ip for this
              purpose). You can't run this plugin in unoffensive mode.
              This plugin is based on the original Naptha DoS attack
              (http://razor.bindview.com/publish/advisories/adv_NAPTHA.html).

              example :

              ettercap -TQP dos_attack


       dummy

              Only a template to demonstrate how to write a plugin.



       find_conn

              Very simple plugin that listens for ARP requests to show you
              all the targets a host wants to talk to. It can also help you
              find addresses in an unknown LAN.

              example :

              ettercap -TQzP find_conn

              ettercap -TQu -i eth0 -P find_conn



       find_ettercap

              Tries to identify ettercap packets sent on the LAN. It could be
              useful to detect if someone is using ettercap. Do not rely on
              it 100% since the tests are only on particular
              sequence/identification numbers.



       find_ip

              Finds the first unused IP address in the range specified by the
              user in the target list. Some other plugins (such as gre_relay)
              need an unused IP address of the LAN to create a "fake" host.
              It can also be useful to obtain an IP address in an unknown LAN
              where there is no DHCP server. You can use find_conn to
              determine the IP addressing of the LAN, and then find_ip. You
              have to build the host list to use this plugin, so you can't
              use it in unoffensive mode. If you don't have an IP address for
              your interface, give it a bogus one (e.g. if the LAN is
              192.168.0.0/24, use 10.0.0.1 to avoid conflicting IPs), then
              launch this plugin specifying the subnet range. You can run it
              either from the command line or from the proper menu.

              example :

              ettercap -TQP find_ip //

              ettercap -TQP find_ip /192.168.0.1-254/



       finger

              Uses the passive fingerprint capabilities to fingerprint a
              remote host. It does a connect() to the remote host to force
              the kernel to reply to the SYN with a SYN+ACK packet. The reply
              will be collected and the fingerprint is displayed. The
              connect() obeys the connect_timeout parameter in etter.conf(5).
              You can specify a target on the command line or let the plugin
              ask for the target host to be fingerprinted. You can also
              specify multiple targets with the usual multi-target
              specification (see ettercap(8)). If you specify multiple ports,
              all the ports will be tested on all the IPs.

              example :

              ettercap -TzP finger /192.168.0.1/22
              ettercap -TzP finger /192.168.0.1-50/22,23,25



       finger_submit

              Use this plugin to submit a fingerprint to the ettercap website.
              If you found an unknown fingerprint, but you know for sure the
              operating system of the target, you can submit it so it will be
              inserted in the database in the next ettercap release. We need
              your help to increase the passive fingerprint database. Thank
              you very much.

              example :

              ettercap -TzP finger_submit


       fraggle_attack

              This plugin performs a DoS attack by sending a large amount of
              UDP echo and chargen traffic to all hosts in target2 with a
              fake source IP address (the victim).

              example (192.168.0.5 is the victim):

              ettercap -i eth1 -Tq /192.168.0.5/ // -P fraggle_attack


       gre_relay

              This plugin can be used to sniff GRE-redirected remote traffic.
              The basic idea is to create a GRE tunnel that sends all the
              traffic on a router interface to the ettercap machine. The
              plugin will send the GRE packets back to the router, after
              ettercap "manipulation" (you can use "active" plugins such as
              smb_down, ssh decryption, filters, etc. on redirected traffic).
              It needs a "fake" host where the traffic has to be redirected
              to (to avoid the kernel's responses). The "fake" IP will be the
              tunnel endpoint. The gre_relay plugin will impersonate the
              "fake" host. To find an unused IP address for the "fake" host
              you can use the find_ip plugin. Based on the original Tunnelx
              technique by Anthony C. Zboralski
              (http://www.phrack.org/archives/issues/56/10.txt).


       gw_discover

              This plugin tries to discover the gateway of the LAN by sending
              TCP SYN packets to a remote host. The packet has the
              destination IP of a remote host and the destination MAC address
              of a local host. If ettercap receives the SYN+ACK packet, the
              host which owns the source MAC address of the reply is the
              gateway. This operation is repeated for each host in the 'host
              list', so you need to have a valid host list before launching
              this plugin.

              example :

              ettercap -TP gw_discover /192.168.0.1-50/


       isolate

              The isolate plugin will isolate a host from the LAN. It will
              poison the victim's ARP cache with its own MAC address
              associated with all the hosts it tries to contact. This way the
              host will not be able to contact other hosts because the
              packets will never reach the wire.
              You can specify all the hosts or only a group. The target
              specification works this way: target1 is the victim and must
              be a single host, target2 can be a range of addresses and
              represents the hosts that will be blocked for the victim.

              examples :

              ettercap -TzqP isolate /192.168.0.1/ //
              ettercap -TP isolate /192.168.0.1/ /192.168.0.2-30/



       krb5_downgrade

              It downgrades Kerberos V5 security by modifying the etype
              values in client AS-REQ packets. This way, obtained hashes can
              be easily cracked by John the Ripper (JtR). You have to be in
              the "middle" of the connection to successfully use it. It hooks
              the kerberos dissector, so you have to keep it active.


       link_type

              It performs a check of the link type (hub or switch) by sending
              a spoofed ARP request and listening for replies. It needs at
              least one entry in the host list to perform the check. With two
              or more hosts the test will be more accurate.

              example :

              ettercap -TQP link_type /192.168.0.1/
              ettercap -TQP link_type //


       pptp_chapms1

              It forces the pptp tunnel to negotiate MS-CHAPv1 authentication
              instead of MS-CHAPv2, which is usually easier to crack (for
              example with LC4). You have to be in the "middle" of the
              connection to use it successfully. It hooks the ppp dissector,
              so you have to keep it active.


       pptp_clear

              Forces no compression/encryption for pptp tunnels during
              negotiation. It could fail if the client (or the server) is
              configured to hang up the tunnel if no encryption is
              negotiated. You have to be in the "middle" of the connection
              to use it successfully. It hooks the ppp dissector, so you
              have to keep it active.


       pptp_pap

              It forces the pptp tunnel to negotiate PAP (cleartext)
              authentication. It could fail if PAP is not supported, if the
              pap_secret file is missing, or in case Windows is configured
              with "automatic use of domain account". (It could fail for
              many other reasons too.) You have to be in the "middle" of the
              connection to use it successfully. It hooks the ppp dissector,
              so you have to keep it active.


       pptp_reneg

              Forces re-negotiation on an existing pptp tunnel. You can force
              re-negotiation to grab passwords already sent. Furthermore you
              can launch it to use pptp_pap, pptp_chapms1 or pptp_clear on
              existing tunnels (those plugins work only during the
              negotiation phase). You have to be in the "middle" of the
              connection to use it successfully. It hooks the ppp dissector,
              so you have to keep it active.


       rand_flood

              Floods the LAN with random MAC addresses. Some switches will
              fail open in repeating mode, facilitating sniffing. The delay
              between each packet is based on the port_steal_send_delay value
              in etter.conf.
              It is useful only on Ethernet switches.

              example :

              ettercap -TP rand_flood



       remote_browser

              It sends to the browser the URLs sniffed through HTTP sessions,
              so you are able to see the webpages in real time. The command
              executed is configurable in the etter.conf(5) file. It sends
              to the browser only the GET requests and only for webpages,
              ignoring single requests for images or other amenities. Don't
              use it to view your own connection :)



       reply_arp

              Simple ARP responder. When it intercepts an ARP request for a
              host in the targets' lists, it replies with the attacker's MAC
              address.

              example :

              ettercap -TQzP reply_arp /192.168.0.1/
              ettercap -TQzP reply_arp //


       repoison_arp

              It solicits poisoning packets after broadcast ARP requests (or
              replies) from a poisoned host. For example: we are poisoning
              Group1 impersonating Host2. If Host2 makes a broadcast ARP
              request for Host3, it is possible that Group1 caches the right
              MAC address for Host2 contained in the ARP packet. This plugin
              re-poisons Group1's cache immediately after a legal broadcast
              ARP request (or reply).
              This plugin is effective only during an arp-poisoning session.
              In conjunction with the reply_arp plugin, repoison_arp is a good
              support for the standard arp-poisoning mitm method.

              example :

              ettercap -T -M arp:remote -P repoison_arp /192.168.0.10-20/ /192.168.0.1/


       scan_poisoner

              Checks if someone is poisoning between some host in the list
              and us. First of all it checks if two hosts in the list have
              the same MAC address. It could mean that one of those is
              poisoning us pretending to be the other. It could generate many
              false positives in a proxy-arp environment. You have to build
              the host list to perform this check. After that, it sends ICMP
              echo packets to each host in the list and checks if the source
              MAC address of the reply differs from the address we have
              stored in the list for that IP. It could mean that someone is
              poisoning that host pretending to have our IP address and
              forwards intercepted packets to us. You can't perform this
              active test in unoffensive mode.

              example :

              ettercap -TQP scan_poisoner //


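              The two checks scan_poisoner makes can be expressed over a host
              list and the echo replies that come back. The following is an
              added example, not ettercap code: it parses constructed
              Ethernet/IPv4/ICMP echo-reply frames and reports MACs shared by
              several list entries as well as replies whose source MAC is not
              the one recorded for that IP. The host list, the addresses and
              the minimal frame layout (checksums left zero) are the
              example's own assumptions.

```python
"""Host-list checks in the spirit of scan_poisoner.

Added example, not ettercap's own code. Given the host list ettercap would
have built (ip -> mac) and the ICMP echo replies received after pinging
each entry, it reports (1) MACs that appear under more than one IP and
(2) replies whose source MAC differs from the MAC recorded for that IP.
The host list and frames below are constructed; IP/ICMP checksums are left
zero and are not validated here.
"""
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

ETH_P_IP, IPPROTO_ICMP, ICMP_ECHO_REPLY = 0x0800, 1, 0


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_echo_reply(frame: bytes) -> Optional[Tuple[str, str]]:
    """(src_ip, src_mac) of an Ethernet/IPv4/ICMP echo reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl + 8:
        return None
    if ip[9] != IPPROTO_ICMP or ip[ihl] != ICMP_ECHO_REPLY:
        return None
    return ".".join(str(x) for x in ip[12:16]), _mac(frame[6:12])


def duplicate_macs(host_list: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs bound to several IPs: one host may be answering for another
    (or, as the man page warns, this is a legitimate proxy-ARP setup)."""
    by_mac = defaultdict(list)
    for ip, mac in host_list.items():
        by_mac[mac.lower()].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def reply_mac_mismatches(host_list: Dict[str, str], frames) -> List[Tuple[str, str, str]]:
    """(ip, mac_in_list, mac_that_answered) for every reply from an unexpected MAC."""
    out = []
    for frame in frames:
        parsed = parse_echo_reply(frame)
        if parsed is None:
            continue  # not an echo reply: ignored, as the plugin only looks at replies
        src_ip, src_mac = parsed
        expected = host_list.get(src_ip)
        if expected is not None and expected.lower() != src_mac:
            out.append((src_ip, expected, src_mac))
    return out


def scan_poisoner(host_list: Dict[str, str], frames) -> Dict[str, object]:
    return {"duplicate_mac": duplicate_macs(host_list),
            "reply_mac_mismatch": reply_mac_mismatches(host_list, frames)}


def build_echo_reply(src_mac, src_ip, dst_mac, dst_ip) -> bytes:
    """Constructed test frame: Ethernet + minimal IPv4 header + ICMP echo reply."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip4 = lambda s: bytes(int(x) for x in s.split("."))
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, 0x1234, 1)  # type, code, csum, id, seq
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                      IPPROTO_ICMP, 0, ip4(src_ip), ip4(dst_ip))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_P_IP) + iph + icmp


US, US_MAC = "192.168.0.100", "aa:aa:aa:aa:aa:64"
HOST_LIST = {  # constructed, shaped like the host list ettercap builds
    "192.168.0.1": "aa:aa:aa:aa:aa:01",
    "192.168.0.2": "aa:aa:aa:aa:aa:02",
    "192.168.0.3": "aa:aa:aa:aa:aa:02",  # same MAC as .2
}
SAMPLE_REPLIES = [
    build_echo_reply("aa:aa:aa:aa:aa:01", "192.168.0.1", US_MAC, US),  # as expected
    build_echo_reply("cc:cc:cc:cc:cc:99", "192.168.0.2", US_MAC, US),  # answered by another MAC
    build_echo_reply("aa:aa:aa:aa:aa:02", "192.168.0.3", US_MAC, US),  # as expected
    b"\x00" * 60,                                                      # not an echo reply
]

if __name__ == "__main__":
    print(scan_poisoner(HOST_LIST, SAMPLE_REPLIES))
```

              Both findings are hints rather than proof, as the text above
              says: the duplicate MAC is exactly what proxy-ARP looks like,
              and a mismatched reply MAC only tells you that something other
              than the listed host answered for that IP.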
       search_promisc

              It tries to find out if anyone is sniffing in promiscuous mode.
              It sends two different kinds of malformed ARP requests to each
              target in the host list and waits for replies. If a reply
              arrives from the target host, it's more or less probable that
              this target has the NIC in promiscuous mode. It could generate
              false positives. You can launch it either from the command line
              or from the plugin menu. Since it listens for ARP replies it is
              better that you don't use it while sending ARP requests.

              example :

              ettercap -TQP search_promisc /192.168.0.1/
              ettercap -TQP search_promisc //



       smb_clear

              It forces the client to send the smb password in clear text by
              mangling protocol negotiation. You have to be in the "middle"
              of the connection to successfully use it. It hooks the smb
              dissector, so you have to keep it active. If you use it
              against a Windows client it will probably result in a failure.
              Try it against a *nix smbclient :)



       smb_down

              It forces the client not to use the NTLM2 password exchange
              during smb authentication. This way, obtained hashes can be
              easily cracked by LC4. You have to be in the "middle" of the
              connection to successfully use it. It hooks the smb dissector,
              so you have to keep it active.


       smurf_attack

              The Smurf Attack is a DoS attack in which huge numbers of ICMP
              packets with the intended victim(s) IP(s) in target1 are sent
              to the hosts in target2. This causes all hosts in target2 to
              reply to the ICMP request, causing significant traffic to the
              victim's computer(s).

              example (192.168.0.5 is the victim):

              ettercap -i eth1 -Tq /192.168.0.5/ // -P smurf_attack


       sslstrip

              While performing the SSL mitm attack, ettercap substitutes the
              real SSL certificate with its own. The fake certificate is
              created on the fly and all the fields are filled according to
              the real cert presented by the server. Only the issuer is
              modified and signed with the private key contained in the
              'etter.ssl.crt' file. If you want to use a different private
              key you have to regenerate this file. To regenerate the cert
              file use the following commands:

              openssl genrsa -out etter.ssl.crt 1024
              openssl req -new -key etter.ssl.crt -out tmp.csr
              openssl x509 -req -days 1825 -in tmp.csr -signkey etter.ssl.crt -out tmp.new
              cat tmp.new >> etter.ssl.crt
              rm -f tmp.new tmp.csr

              NOTE: SSL mitm is not available (for now) in bridged mode.

              NOTE: You can use the --certificate/--private-key long options
              if you want to specify a different file rather than the
              etter.ssl.crt file.



       stp_mangler

              It sends spanning tree BPDUs pretending to be a switch with the
              highest priority. Once in the "root" of the spanning tree,
              ettercap can receive all the "unmanaged" network traffic.
              It is useful only against a group of switches running STP.
              If there is another switch with the highest priority, try to
              manually decrease your MAC address before running it.

              example :

              ettercap -TP stp_mangler




ORIGINAL AUTHORS

       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>


PROJECT STEWARDS

       Emilio Escobar (exfil)  <eescobar@gmail.com>
       Eric Milam (Brav0Hax)  <jbrav.hax@gmail.com>


OFFICIAL DEVELOPERS

       Mike Ryan (justfalter)  <falter@gmail.com>
       Gianfranco Costamagna (LocutusOfBorg)  <costamagnagianfranco@yahoo.it>
       Antonio Collarino (sniper)  <anto.collarino@gmail.com>
       Ryan Linn   <sussuro@happypacket.net>
       Jacob Baines   <baines.jacob@gmail.com>


CONTRIBUTORS

       Dhiru Kholia (kholia)  <dhiru@openwall.com>
       Alexander Koeppe (koeppea)  <format_c@online.de>
       Martin Bos (PureHate)  <purehate@backtrack.com>
       Enrique Sanchez
       Gisle Vanem  <giva@bgnett.no>
       Johannes Bauer  <JohannesBauer@gmx.de>
       Daten (Bryan Schneiders)  <daten@dnetc.org>




SEE ALSO

       ettercap(8) ettercap_curses(8) etterlog(8) etterfilter(8) etter.conf(5)
       ettercap-pkexec(8)

ettercap 0.8.2                                             ETTERCAP-PLUGINS(8)