ETTERCAP(8)                 System Manager's Manual                ETTERCAP(8)


NAME

       ettercap - multipurpose sniffer/content filter for man in the middle
       attacks


***** IMPORTANT NOTE ******

       Since ettercap NG (formerly 0.7.0), all the options have been changed.
       Even the target specification has been changed. Please read this man
       page carefully.


SYNOPSIS

       ettercap [OPTIONS] [TARGET1] [TARGET2]

       If IPv6 is enabled:
       TARGET is in the form MAC/IPs/IPv6/PORTs
       Otherwise,
       TARGET is in the form MAC/IPs/PORTs
       where IPs and PORTs can be ranges (e.g. /192.168.0.1-30,40,50/20,22,25)


DESCRIPTION

       Ettercap was born as a sniffer for switched LANs (and obviously also
       "hubbed" ones), but during development it has gained more and more
       features that have turned it into a powerful and flexible tool for
       man-in-the-middle attacks. It supports active and passive dissection
       of many protocols (even ciphered ones) and includes many features for
       network and host analysis (such as OS fingerprinting).

       It has two main sniffing options:

       UNIFIED, this method sniffs all the packets that pass on the cable. You
       can choose whether or not to put the interface in promisc mode (-p
       option). Packets not directed to the host running ettercap will be
       forwarded automatically using layer 3 routing. So you can use a mitm
       attack launched from a different tool and let ettercap modify the
       packets and forward them for you.
       The kernel ip_forwarding is always disabled by ettercap. This is done
       to prevent a packet from being forwarded twice (once by ettercap and
       once by the kernel). This is an invasive behaviour on gateways, so we
       recommend using ettercap on gateways ONLY with the UNOFFENSIVE MODE
       ENABLED. Since ettercap listens on only one network interface,
       launching it on the gateway in offensive mode will not allow packets
       to be rerouted back from the second interface.

       BRIDGED, it uses two network interfaces and forwards the traffic from
       one to the other while performing sniffing and content filtering. This
       sniffing method is totally stealthy since there is no way to find out
       that someone is in the middle on the cable. You can look at this
       method as a mitm attack at layer 1: you will be in the middle of the
       cable between two entities. Don't use it on gateways or it will turn
       your gateway into a bridge. HINT: you can use the content filtering
       engine to drop packets that should not pass. This way ettercap will
       work as an inline IPS ;)

       You can also perform man in the middle attacks while using the unified
       sniffing. You can choose the mitm attack that you prefer. The mitm
       attack module is independent from the sniffing and filtering process,
       so you can launch several attacks at the same time or use your own tool
       for the attack. The crucial point is that the packets have to arrive at
       ettercap with the correct mac address and a different ip address (only
       these packets will be forwarded).

       The most relevant ettercap features are:

       SSH1 support : you can sniff User and Pass, and even the data of an
       SSH1 connection. ettercap is the first software capable of sniffing an
       SSH connection in FULL-DUPLEX.

       SSL support : you can sniff SSL secured data... a fake certificate is
       presented to the client and the session is decrypted.

       Character injection in an established connection : you can inject
       characters to the server (emulating commands) or to the client
       (emulating replies) while keeping the connection alive !!

       Packet filtering/dropping: You can set up a filter script that searches
       for a particular string (even hex) in the TCP or UDP payload and
       replaces it with yours or drops the entire packet. The filtering engine
       can match any field of the network protocols and modify whatever you
       want (see etterfilter(8)).

       Remote traffic sniffing through tunnels and route mangling: You can
       play with linux cooked interfaces or use the integrated plugin to sniff
       tunneled or route-mangled remote connections and perform mitm attacks
       on them.

       Plug-ins support : You can create your own plugin using ettercap's
       API.

       Password collector for : TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB,
       MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC,
       LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG (other protocols coming
       soon...)

       Passive OS fingerprint: you scan the LAN passively (without sending any
       packet) and gather detailed info about the hosts in the LAN: Operating
       System, running services, open ports, IP, mac address and network
       adapter vendor.

       Kill a connection: from the connections list you can kill all the
       connections you want.



TARGET SPECIFICATION

       There is no concept of SOURCE nor DEST. The two targets are intended to
       filter traffic coming from one to the other and vice-versa (since the
       connection is bidirectional).

       TARGET is in the form MAC/IPs/PORTs.
       NOTE: If IPv6 is enabled, TARGET is in the form MAC/IPs/IPv6/PORTs.

       If you want you can omit any of its parts and this will represent an
       ANY in that part.
       e.g.
       "//80" means ANY mac address, ANY ip and ONLY port 80
       "/10.0.0.1/" means ANY mac address, ONLY ip 10.0.0.1 and ANY port

       MAC must be unique and in the form 00:11:22:33:44:55

       IPs is a range of IPs in dotted notation. You can specify a range with
       the - (hyphen) and single ips with , (comma). You can also use ;
       (semicolon) to indicate different ip addresses.
       e.g.
       "10.0.0.1-5;10.0.1.33" expands into ip 10.0.0.1, 2, 3, 4, 5 and
       10.0.1.33

       PORTs is a range of PORTS. You can specify a range with the - (hyphen)
       and single ports with , (comma).
       e.g.
       "20-25,80,110" expands into ports 20, 21, 22, 23, 24, 25, 80 and 110

       NOTE:
       you can reverse the matching of the TARGET by adding the -R option to
       the command line. So if you want to sniff ALL the traffic BUT the one
       coming or going to 10.0.0.1 you can specify "./ettercap -R /10.0.0.1/"

       NOTE:
       TARGETs are also responsible for the initial scan of the lan. You can
       use them to restrict the scan to only a subset of the hosts in the
       netmask. The result of the merging between the two targets will be
       scanned. Remember that not specifying a target means "no target", but
       specifying "//" means "all the hosts in the subnet".

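       The following Python script is an added example, not part of ettercap
       or of this manual: it expands the MAC/IPs/PORTs (and, with IPv6
       enabled, MAC/IPs/IPv6/PORTs) forms described above and reports whether
       an endpoint falls inside a TARGET, including the -R reversed matching,
       so you can check what a target selects before running anything. All
       function and class names are the example's own.

```python
"""Expand and match ettercap-style TARGET specifications.

Added example (not ettercap's own code).  Models the MAC/IPs/PORTs and
MAC/IPs/IPv6/PORTs forms from TARGET SPECIFICATION: an omitted part means
ANY, '-' is a range, ',' separates single values, ';' separates address
groups, and -R inverts the match.  The dhcp ip_pool uses the same form.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def expand_ips(spec: str) -> List[str]:
    """Expand an IPv4 part such as '10.0.0.1-5;10.0.1.33' or
    '192.168.0.1-30,40,50'.  Within one ';' group the first item carries
    the leading octets; each further ','-separated item is a last-octet
    value or a 'lo-hi' range (this is how the synopsis example reads)."""
    out = []
    for group in filter(None, spec.split(";")):
        first, _, rest = group.partition(",")
        prefix, _, last = first.rpartition(".")
        items = [last] + (rest.split(",") if rest else [])
        for item in items:
            lo, _, hi = item.partition("-")
            for n in range(int(lo), int(hi or lo) + 1):
                out.append(f"{prefix}.{n}")
    return out


def expand_ports(spec: str) -> List[int]:
    """Expand a PORTs part such as '20-25,80,110'."""
    out: List[int] = []
    for item in filter(None, spec.split(",")):
        lo, _, hi = item.partition("-")
        out.extend(range(int(lo), int(hi or lo) + 1))
    return out


@dataclass(frozen=True)
class Target:
    # None in a field means ANY for that part (the part was omitted).
    mac: Optional[str]
    ips: Optional[FrozenSet[str]]
    ip6s: Optional[FrozenSet[str]]
    ports: Optional[FrozenSet[int]]


def parse_target(spec: str, ipv6: bool = False) -> Target:
    """Parse MAC/IPs/PORTs, or MAC/IPs/IPv6/PORTs when ipv6=True.
    '//' parses to an all-ANY target, i.e. every host in the subnet."""
    parts = spec.split("/")
    expected = 4 if ipv6 else 3
    if len(parts) != expected:
        raise ValueError(f"expected {expected} '/'-separated parts: {spec!r}")
    mac = parts[0].lower() or None
    if mac and not MAC_RE.match(mac):
        raise ValueError(f"MAC must look like 00:11:22:33:44:55: {mac!r}")
    ips = frozenset(expand_ips(parts[1])) if parts[1] else None
    ip6s = None
    if ipv6 and parts[2]:
        # IPv6 ranges are not supported by ettercap, so only plain lists.
        ip6s = frozenset(a.lower() for a in re.split("[;,]", parts[2]) if a)
    ports = frozenset(expand_ports(parts[-1])) if parts[-1] else None
    return Target(mac, ips, ip6s, ports)


def matches(t: Target, mac: str, ip: str, port: int,
            reversed_: bool = False) -> bool:
    """True if the endpoint (mac, ip, port) is inside the target.
    reversed_ models the -R option: everything BUT the target."""
    if ":" in ip:  # IPv6 literal
        ip_ok = t.ip6s is None or ip.lower() in t.ip6s
    else:
        ip_ok = t.ips is None or ip in t.ips
    hit = ((t.mac is None or t.mac == mac.lower())
           and ip_ok
           and (t.ports is None or port in t.ports))
    return (not hit) if reversed_ else hit


if __name__ == "__main__":
    t = parse_target("/10.0.0.1/")
    print(t, matches(t, "00:11:22:33:44:55", "10.0.0.1", 443))
```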

PRIVILEGES DROPPING

       ettercap needs root privileges to open the Link Layer sockets. After
       the initialization phase, the root privs are not needed anymore, so
       ettercap drops them to UID = 65535 (nobody). Since ettercap has to
       write (create) log files, it must be executed in a directory with the
       right permissions (e.g. /tmp/). If you want to drop privs to a
       different uid, you can export the environment variable EC_UID with the
       value of the uid you want to drop the privs to (e.g. export EC_UID=500)
       or set the corresponding parameter in the etter.conf file.



SSL MITM ATTACK

       The SSL mitm attack depends on TCP traffic redirection to a custom
       listener port of ettercap. The redir_command_on and redir_command_off
       configuration variables take care of this (see "etter.conf(5)").
       However, when ettercap starts, traffic for any source and any
       destination targeted at the redirectable services will be redirected
       to ettercap and the SSL stream will be intercepted.
       This may not be the desired behaviour. Therefore you can adjust the
       redirect rules after ettercap has been started using the selected user
       interface.

       While performing the SSL mitm attack, ettercap substitutes the real ssl
       certificate with its own. The fake certificate is created on the fly
       and all the fields are filled according to the real cert presented by
       the server. Only the issuer is modified, and the certificate is signed
       with the private key contained in the 'etter.ssl.crt' file. If you
       want to use a different private key you have to regenerate this file.
       To regenerate the cert file use the following commands:

       openssl genrsa -out etter.ssl.crt 1024
       openssl req -new -key etter.ssl.crt -out tmp.csr
       openssl x509 -req -days 1825 -in tmp.csr -signkey etter.ssl.crt -out tmp.new
       cat tmp.new >> etter.ssl.crt
       rm -f tmp.new tmp.csr

       NOTE: SSL mitm is not available (for now) in bridged mode.

       NOTE: You can use the --certificate/--private-key long options if you
       want to specify a different file rather than the etter.ssl.crt file.



OPTIONS

       Options that make sense together can generally be combined. ettercap
       will warn the user about unsupported option combinations.

       SNIFFING AND ATTACK OPTIONS

       ettercap NG has a new unified sniffing method. This implies that
       ip_forwarding in the kernel is always disabled and the forwarding is
       done by ettercap. Every packet with destination mac address equal to
       the host's mac address and destination ip address different from the
       one bound to the iface will be forwarded by ettercap. Before forwarding
       them, ettercap can content filter, sniff, log or drop them. It does not
       matter how these packets are hijacked, ettercap will process them. You
       can even use external programs to hijack packets.
       You have full control of what ettercap should receive. You can use the
       internal mitm attacks, set the interface in promisc mode, use plugins
       or use any method you want.

       IMPORTANT NOTE: if you run ettercap on a gateway, remember to re-enable
       the ip_forwarding after you have killed ettercap. Since ettercap drops
       its privileges, it cannot restore the ip_forwarding for you.

       -M, --mitm <METHOD:ARGS>
              MITM attack
              This option will activate the man in the middle attack. The mitm
              attack is totally independent from the sniffing. The aim of the
              attack is to hijack packets and redirect them to ettercap. The
              sniffing engine will forward them if necessary.
              You can choose the mitm attack that you prefer and also combine
              some of them to perform different attacks at the same time.
              If a mitm method requires some parameters you can specify them
              after the colon. (e.g. -M dhcp:ip_pool,netmask,etc )

              The following mitm attacks are available:

              arp ([remote],[oneway])
                     This method implements the ARP poisoning mitm attack. ARP
                     requests/replies are sent to the victims to poison their
                     ARP cache. Once the cache has been poisoned the victims
                     will send all packets to the attacker which, in turn, can
                     modify and forward them to the real destination.

                     In silent mode (-z option) only the first target is
                     selected; if you want to poison multiple targets in
                     silent mode use the -j option to load a list from a file.

                     You can select empty targets and they will be expanded as
                     'ANY' (all the hosts in the LAN). The target list is
                     joined with the hosts list (created by the arp scan) and
                     the result is used to determine the victims of the
                     attack.

                     The parameter "remote" is optional and you have to
                     specify it if you want to sniff remote ip addresses by
                     poisoning a gateway. Indeed if you specify a victim and
                     the gw in the TARGETS, ettercap will sniff only
                     connections between them, but to enable ettercap to sniff
                     connections that pass thru the gw, you have to use this
                     parameter.

                     The parameter "oneway" will force ettercap to poison only
                     from TARGET1 to TARGET2. Useful if you want to poison
                     only the client and not the router (where an arp watcher
                     can be in place).

                     Example:

                     the targets are: /10.0.0.1-5/ /10.0.0.15-20/
                     and the host list is: 10.0.0.1 10.0.0.3 10.0.0.16
                     10.0.0.18

                     the associations between the victims will be:
                     1 and 16, 1 and 18, 3 and 16, 3 and 18

                     if the targets overlap each other, the association with
                     identical ip address will be skipped.

                     NOTE: if you manage to poison a client, you have to set
                     the correct routing table in the kernel specifying the
                     GW. If your routing table is incorrect, the poisoned
                     clients will not be able to navigate the Internet.


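                     The "arp watcher" mentioned above, as an added Python
                     example (not ettercap code): it consumes constructed
                     (sender ip, sender mac) pairs as an ARP reply monitor
                     would report them and flags the two cache changes that
                     ARP poisoning produces, an ip whose mac changes and one
                     mac answering for more than one ip. The function name
                     and the sample addresses are this example's own.

```python
"""Added example, not ettercap code: a minimal ARP watcher that flags the
neighbour-table changes ARP poisoning produces.  Input is a constructed
list of (sender IP, sender MAC) pairs as an ARP reply monitor would
report them; nothing here sends packets."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample: the gateway (10.0.0.1) and a client (10.0.0.16)
# answer normally, then a third MAC starts answering for both of them.
SAMPLE_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),
    ("10.0.0.16", "00:11:22:33:44:16"),
    ("10.0.0.1", "00:11:22:33:44:aa"),
    ("10.0.0.16", "00:11:22:33:44:aa"),
]


def watch(replies: Iterable[Tuple[str, str]],
          pinned: Optional[Dict[str, str]] = None) -> List[str]:
    """Return one alert string per suspicious event.

    pinned maps IPs whose MAC is known in advance (typically the gateway)
    to that MAC; pinned entries are never overwritten by what is seen on
    the wire, so the watcher keeps alerting while the poisoning goes on.
    Other IPs are learned from the first reply seen for them."""
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    table: Dict[str, str] = dict(pinned)            # ip -> believed mac
    claims: Dict[str, Set[str]] = defaultdict(set)  # mac -> ips answered
    alerts: List[str] = []
    for ip, mac in replies:
        mac = mac.lower()
        known = table.get(ip)
        if known is not None and known != mac:
            kind = "pinned" if ip in pinned else "learned"
            alerts.append(f"{ip}: {kind} MAC {known} now answered by {mac}")
        if ip not in pinned:
            table[ip] = mac
        if ip not in claims[mac]:
            claims[mac].add(ip)
            if len(claims[mac]) > 1:
                # One NIC claiming several IPs is the full-duplex poisoning
                # signature: the attacker answers for both victim and gw.
                alerts.append(f"{mac}: answers for {sorted(claims[mac])}")
    return alerts


if __name__ == "__main__":
    for line in watch(SAMPLE_REPLIES,
                      pinned={"10.0.0.1": "00:11:22:33:44:01"}):
        print(line)
```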
              icmp (MAC/IP)
                     This attack implements ICMP redirection. It sends a
                     spoofed icmp redirect message to the hosts in the lan
                     pretending to be a better route for the internet. All
                     connections to the internet will be redirected to the
                     attacker which, in turn, will forward them to the real
                     gateway. The resulting attack is a HALF-DUPLEX mitm. Only
                     the client is redirected, since the gateway will not
                     accept redirect messages for a directly connected
                     network. BE SURE NOT TO USE FILTERS THAT MODIFY THE
                     PAYLOAD LENGTH. You can use a filter to modify packets,
                     but the length must stay the same since the tcp sequence
                     numbers cannot be updated in both directions.
                     You have to pass as argument the MAC and the IP address
                     of the real gateway for the lan.
                     Obviously you have to be able to sniff all the traffic.
                     If you are on a switch you have to use a different mitm
                     attack such as arp poisoning.

                     NOTE: to restrict the redirection to a given target,
                     specify it as a TARGET

                     Example:

                     -M icmp:00:11:22:33:44:55/10.0.0.1

                     will redirect all the connections that pass thru that
                     gateway.


              dhcp (ip_pool/netmask/dns)
                     This attack implements DHCP spoofing. It pretends to be a
                     DHCP server and tries to win the race condition with the
                     real one to force the client to accept the attacker's
                     reply. This way ettercap is able to manipulate the GW
                     parameter and hijack all the outgoing traffic generated
                     by the clients.
                     The resulting attack is a HALF-DUPLEX mitm. So be sure to
                     use appropriate filters (see above in the ICMP section).

                     You have to pass the ip pool to be used, the netmask and
                     the ip of the dns server. Since ettercap tries to win
                     the race with the real server, it DOES NOT CHECK if the
                     ip is already assigned. You have to specify an ip pool of
                     FREE addresses to be used. The ip pool has the same form
                     as the target specification.

                     If the client sends a dhcp request (suggesting an ip
                     address) ettercap will ack on that ip and modify only the
                     gw option. If the client makes a dhcp discovery, ettercap
                     will use the first unused ip address of the list you have
                     specified on the command line. Every discovery consumes
                     an ip address. When the list is exhausted, ettercap stops
                     offering new ip addresses and will reply only to dhcp
                     requests.
                     If you don't want to offer any ip address, but only
                     change the router information of dhcp request/ack, you
                     can specify an empty ip_pool.

                     BIG WARNING: if you specify a list of ips that are in
                     use, you will mess up your network! In general, use this
                     attack carefully. It can really mess things up! When you
                     stop the attack, all the victims will still be convinced
                     that ettercap is the gateway until the lease expires...

                     Example:

                     -M dhcp:192.168.0.30,35,50-60/255.255.255.0/192.168.0.1
                     reply to DHCP offer and request.

                     -M dhcp:/255.255.255.0/192.168.0.1
                     reply only to DHCP request.

              port ([remote],[tree])
                     This attack implements Port Stealing. This technique is
                     useful to sniff in a switched environment when ARP
                     poisoning is not effective (for example where statically
                     mapped ARPs are used).

                     It floods the LAN (based on the port_steal_delay option
                     in etter.conf) with ARP packets. If you don't specify the
                     "tree" option, the destination MAC address of each
                     "stealing" packet is the same as the attacker's one
                     (other NICs won't see these packets), and the source MAC
                     address will be one of the MACs in the host list. This
                     process "steals" the switch port of each victim host in
                     the host list. Using low delays, packets destined to
                     "stolen" MAC addresses will be received by the attacker,
                     winning the race condition with the real port owner.
                     When the attacker receives packets for "stolen" hosts, it
                     stops the flooding process and performs an ARP request
                     for the real destination of the packet. When it receives
                     the ARP reply it's sure that the victim has "taken back"
                     its port, so ettercap can re-send the packet to the
                     destination as is. Now it can re-start the flooding
                     process waiting for new packets.

                     If you use the "tree" option, the destination MAC address
                     of each stealing packet will be a bogus one, so these
                     packets will be propagated to other switches (not only
                     the directly connected one). This way you will be able to
                     steal ports on other switches in the tree (if any), but
                     you will generate a huge amount of traffic (according to
                     port_steal_delay). The "remote" option has the same
                     meaning as in the "arp" mitm method.

                     When you stop the attack, ettercap will send an ARP
                     request to each stolen host giving back their switch
                     ports.
                     You can perform either HALF or FULL DUPLEX mitm according
                     to target selection.

                     NOTE: Use this mitm method only on ethernet switches. Use
                     it carefully, it could produce performance loss or
                     general havoc.

                     NOTE: You can NOT use this method in only-mitm mode (-o
                     flag), because it hooks the sniffing engine, and you
                     can't use interactive data injection.

                     NOTE: It could be dangerous to use it in conjunction with
                     other mitm methods.

                     NOTE: This mitm method doesn't work on Solaris and
                     Windows because of the libpcap and libnet design and the
                     lack of certain ioctl()s. (We will feature this method on
                     these OSes if someone requests it...)

                     Example:

                     The targets are: /10.0.0.1/ /10.0.0.15/
                     You will intercept and visualize traffic between 10.0.0.1
                     and 10.0.0.15, but you will receive all the traffic for
                     10.0.0.1 and 10.0.0.15 too.

                     The target is: /10.0.0.1/
                     You will intercept and visualize all the traffic for
                     10.0.0.1.


              ndp ([remote],[oneway])
                     NOTE: This MITM method is only supported if IPv6 support
                     has been enabled.

                     This method implements the NDP poisoning attack which is
                     used for MITM of IPv6 connections. ND requests/replies
                     are sent to the victims to poison their neighbor cache.
                     Once the cache has been poisoned the victims will send
                     all IPv6 packets to the attacker which, in turn, can
                     modify and forward them to the real destination.

                     In silent mode (-z option) only the first target is
                     selected; if you want to poison multiple targets in
                     silent mode use the -j option to load a list from a file.

                     You can select empty targets and they will be expanded as
                     'ANY' (all the hosts in the LAN). The target list is
                     joined with the hosts list (created by the arp scan) and
                     the result is used to determine the victims of the
                     attack.

                     The parameter "remote" is optional and you have to
                     specify it if you want to sniff remote ip addresses by
                     poisoning a gateway. Indeed if you specify a victim and
                     the gw in the TARGETS, ettercap will sniff only
                     connections between them, but to enable ettercap to sniff
                     connections that pass thru the gw, you have to use this
                     parameter.

                     The parameter "oneway" will force ettercap to poison only
                     from TARGET1 to TARGET2. Useful if you want to poison
                     only the client and not the router (where an arp watcher
                     can be in place).

                     Example:

                     Targets are: //fe80::260d:afff:fe6e:f378/ //2001:db8::2:1/
                     Ranges of IPv6 addresses are not yet supported.

                     NOTE: if you manage to poison a client, you have to set
                     the correct routing table in the kernel specifying the
                     GW. If your routing table is incorrect, the poisoned
                     clients will not be able to navigate the Internet.

                     NOTE: in IPv6 usually the link-local address of the
                     router is used as the gateway address. Therefore you need
                     to set the link-local address of the router as one target
                     and the global-unicast address of the victim as the other
                     in order to set up a successful IPv6 MITM attack using
                     NDP poisoning.

       -o, --only-mitm
              This option disables the sniffing thread and enables only the
              mitm attack. Useful if you want to use ettercap to perform mitm
              attacks and another sniffer (such as wireshark) to sniff the
              traffic. Keep in mind that the packets are not forwarded by
              ettercap. The kernel will be responsible for the forwarding.
              Remember to activate the "ip forwarding" feature in your kernel.


       -f, --pcapfilter <FILTER>
              Set a capturing filter in the pcap library. The format is the
              same as tcpdump(1). Remember that packets excluded by this kind
              of filter are never seen by ettercap, so if you want to perform
              a mitm attack, ettercap will not be able to forward the hijacked
              packets it does not see.
              These filters are useful to decrease the network load impact
              on ettercap's decoding module.


       -B, --bridge <IFACE>
              BRIDGED sniffing
              You need two network interfaces. ettercap will forward from one
              to the other all the traffic it sees. It is useful for man in
              the middle at the physical layer. It is totally stealthy since
              it is passive and there is no way for a user to see the
              attacker.
              You can content filter all the traffic as if you were a
              transparent proxy for the "cable".



       OFF LINE SNIFFING

       -r, --read <FILE>
              OFF LINE sniffing
              With this option enabled, ettercap will sniff packets from a
              pcap compatible file instead of capturing from the wire.
              This is useful if you have a file dumped from tcpdump or
              wireshark and you want to make an analysis (search for passwords
              or passive fingerprint) on it.
              Obviously you cannot use "active" sniffing (arp poisoning or
              bridging) while sniffing from a file.

       -w, --write <FILE>
              WRITE packets to a pcap file
              This is useful if you have to use "active" sniffing (arp poison)
              on a switched LAN but you want to analyze the packets with
              tcpdump or wireshark. You can use this option to dump the
              packets to a file and then load it into your favourite
              application.

              NOTE: the dump file collects ALL the packets regardless of the
              TARGET. This is done because you may want to log even protocols
              not supported by ettercap, so you can analyze them with other
              tools.

              TIP: you can use the -w option in conjunction with the -r one.
              This way you will be able to filter the payload of the dumped
              packets or decrypt WEP-encrypted WiFi traffic and dump them to
              another file.



       USER INTERFACES OPTIONS

       -T, --text
              The text only interface, only printf ;)
              It is quite interactive, press 'h' at any moment to get help
              on what you can do.


       -q, --quiet
              Quiet mode. It can be used only in conjunction with the console
              interface. It does not print packet content. It is useful if you
              want to convert a pcap file to ettercap log files.

              example:

              ettercap -Tq -L dumpfile -r pcapfile


       -s, --script <COMMANDS>
              With this option you can feed ettercap with commands as if they
              were typed on the keyboard by the user. This way you can use
              ettercap within your favourite scripts. There is a special
              command you can issue thru this option: s(x). This command will
              sleep for x seconds.

              example:

              ettercap -T -s 'lq'  will print the list of the hosts and exit
              ettercap -T -s 's(300)olqq'  will collect the info for 5
              minutes, print the list of the local profiles and exit



       -C, --curses
              Ncurses based GUI. See ettercap_curses(8) for a full
              description.



       -G, --gtk
              The nice GTK2 interface (thanks Daten...).



       -D, --daemonize
              Daemonize ettercap. This option will detach ettercap from the
              current controlling terminal and set it as a daemon. You can
              combine this feature with the "log" option to log all the
              traffic in the background. If the daemon fails for any reason,
              it will create the file "./ettercap_daemonized.log" in which the
              error caught by ettercap will be reported. Furthermore, if you
              want to have a complete debug of the daemon process, you are
              encouraged to recompile ettercap in debug mode.




       GENERAL OPTIONS

       -b, --broadcast
              Tells Ettercap to process packets coming from the Broadcast
              address.

       -i, --iface <IFACE>
              Use this <IFACE> instead of the default one. The interface can
              be unconfigured (requires libnet >= 1.1.2), but in this case you
              cannot use MITM attacks and you should set the unoffensive flag.

       -I, --iflist
              This option will print the list of all available network
              interfaces that can be used within ettercap. The option is
              particularly useful under Windows, where the name of the
              interface is not as obvious as under *nix.

       -Y, --secondary <interface list>
              Specify a list of (or a single) secondary interfaces to capture
              packets from.

       -A, --address <ADDRESS>
              Use this <ADDRESS> instead of the one autodetected for the
              current iface. This option is useful if you have an interface
              with multiple ip addresses.

       -n, --netmask <NETMASK>
              Use this <NETMASK> instead of the one associated with the
              current iface. This option is useful if your NIC has an
              associated class B netmask and you want to scan (with the arp
              scan) only a class C.

       -R, --reversed
              Reverse the matching in the TARGET selection. It means
              not(TARGET): all but the selected TARGET.

       -t, --proto <PROTO>
              Sniff only PROTO packets (default is TCP + UDP).
              This is useful if you want to select a port via the TARGET
              specification but want to differentiate between tcp and udp.
              PROTO can be "tcp", "udp" or "all" for both.

       -6, --ip6scan
              Send ICMPv6 probes to discover active IPv6 nodes on the link.
              This option sends a ping request to the all-nodes address to
              motivate active IPv6 hosts to respond. You should not use this
              option if you are trying to hide yourself; therefore this option
              is optional.

              NOTE: This option is only available if IPv6 support has been
              enabled.

       -z, --silent
              Do not perform the initial ARP scan of the LAN.

              NOTE: you will not have the hosts list, so you can't use the
              multipoison feature. You can only select two hosts for an ARP
              poisoning attack, specifying them through the TARGETs.

       -p, --nopromisc
              Usually, ettercap will put the interface in promisc mode to
              sniff all the traffic on the wire. If you want to sniff only
              your own connections, use this flag to NOT enable promisc mode.

       -S, --nosslmitm
              Usually, ettercap forges SSL certificates in order to intercept
              https traffic. This option disables that behavior.

       -u, --unoffensive
              Every time ettercap starts, it disables ip forwarding in the
              kernel and begins to forward packets itself. This option
              prevents that, so the responsibility for ip forwarding is left
              to the kernel.
              This option is useful if you want to run multiple ettercap
              instances. You will have one instance (the one without the -u
              option) forwarding the packets, and all the other instances
              doing their work without forwarding them. Otherwise you will get
              packet duplicates.
              It also disables the internal creation of the sessions for each
              connection. It increases performance, but you will not be able
              to modify packets on the fly.
              If you want to use a mitm attack you have to use a separate
              instance.
              You have to use this option if the interface is unconfigured
              (without an ip address).
              This is also useful if you want to run ettercap on the gateway.
              It will not disable the forwarding and the gateway will
              correctly route the packets.

       -j, --load-hosts <FILENAME>
              It can be used to load a hosts list from a file created by the
              -k option (see below).

       -k, --save-hosts <FILENAME>
              Saves the hosts list to a file. Useful when you have many hosts
              and you don't want to do an ARP storm at startup every time you
              use ettercap. Simply use this option and dump the list to a
              file, then to load the information from it use the -j <filename>
              option.

       -P, --plugin <PLUGIN>
              Run the selected PLUGIN. Many plugins need a target
              specification; use TARGET as always. Use multiple occurrences of
              this parameter to select multiple plugins.
              In console mode (-C option), standalone plugins are executed and
              then the application exits. Hook plugins are activated and the
              normal sniffing is performed.
              To have a list of the available external plugins use "list"
              (without quotes) as plugin name (e.g. ./ettercap -P list).

              NOTE: you can also activate plugins directly from the interfaces
              (always press "h" to get the inline help).

              More detailed info about plugins and about how to write your own
              is found in the man page ettercap_plugins(8).

       --plugin-list <PLUGIN1>[,<PLUGIN2>,...]
              Instead of providing multiple occurrences of -P plugin,
              --plugin-list can be used followed by a comma separated list
              without any spaces (e.g. ./ettercap --plugin-list
              plugin1,plugin2).

       -F, --filter <FILE>
              Load the filter from the file <FILE>. The filter must be
              compiled with etterfilter(8). The utility will compile the
              filter script and produce an ettercap-compliant binary filter
              file. Read the etterfilter(8) man page for the list of functions
              you can use inside a filter script. Any number of filters can be
              loaded by specifying the option multiple times; packets are
              passed through each filter in the order specified on the command
              line. You can also load a script without enabling it by
              appending :0 to the filename.
              NOTE: these filters are different from those set with
              --pcapfilter. An ettercap filter is a content filter and can
              modify the payload of a packet before forwarding it. Pcap
              filters are used to capture only certain packets.
              NOTE: you can use filters on a pcapfile to modify it and save to
              another file, but in this case you have to pay attention to what
              you are doing, since ettercap will not recalculate checksums,
              nor split packets exceeding the mtu (snaplen), nor anything
              like that.

       -W, --wifi-key <KEY>
              You can specify a key to decrypt WiFi packets (WEP or WPA). Only
              the packets decrypted successfully will be passed to the
              decoders stack; the others will be skipped with a message.
              The parameter has the following syntax: type:bits:t:string,
              where 'type' can be wep, wpa-pws or wpa-psk; 'bits' is the bit
              length of the key (64, 128 or 256); 't' is the type of the
              string ('s' for string and 'p' for passphrase); and 'string' can
              be a string or an escaped hex sequence.

              example:
              --wifi-key wep:128:p:secret
              --wifi-key wep:128:s:ettercapwep0
              --wifi-key 'wep:64:s:\x01\x02\x03\x04\x05'
              --wifi-key wpa:pwd:ettercapwpa:ssid
              --wifi-key wpa:psk:663eb260e87cf389c6bd7331b28d82f5203b0cae4e315f9cbb7602f3236708a6

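              As an added example (not ettercap's own code), a parser for the
              documented type:bits:t:string form, including the \xHH escapes
              used in the third wep example; the struct, the accepted type
              list and the bits check are this example's own choices, and
              the two wpa examples above use a different field layout that
              this parser does not accept.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed form of a --wifi-key argument. The struct, the accepted type list
   and the bits check are this example's own choices, not ettercap's code. */
struct wifi_key {
    char type[16];          /* "wep", "wpa-pws" or "wpa-psk" */
    int bits;               /* 64, 128 or 256 */
    int is_passphrase;      /* 1 for 'p', 0 for 's' */
    unsigned char key[64];  /* decoded key bytes */
    size_t keylen;
};

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Copy the key string into out, turning each \xHH escape (as in the
   'wep:64:s:\x01\x02\x03\x04\x05' example) into one raw byte. */
static int decode_key(const char *s, unsigned char *out, size_t cap, size_t *len) {
    *len = 0;
    while (*s) {
        if (*len >= cap) return -1;                     /* key too long */
        if (s[0] == '\\' && s[1] == 'x') {
            int hi = hexval((unsigned char)s[2]);
            int lo = hexval(hi < 0 ? 0 : (unsigned char)s[3]);
            if (hi < 0 || lo < 0) return -1;            /* malformed escape */
            out[(*len)++] = (unsigned char)(hi * 16 + lo);
            s += 4;
        } else {
            out[(*len)++] = (unsigned char)*s++;
        }
    }
    return 0;
}

/* Parse "type:bits:t:string". Returns 0 on success, -1 on any syntax error.
   Everything after the third ':' is the key string, so it may contain ':'. */
int parse_wifi_key(const char *arg, struct wifi_key *k) {
    char buf[256], *end;
    if (strlen(arg) >= sizeof buf) return -1;
    strcpy(buf, arg);
    char *type = buf;
    char *bits = strchr(type, ':'); if (!bits) return -1; *bits++ = '\0';
    char *t    = strchr(bits, ':'); if (!t)    return -1; *t++ = '\0';
    char *str  = strchr(t, ':');    if (!str)  return -1; *str++ = '\0';

    memset(k, 0, sizeof *k);
    if (strcmp(type, "wep") && strcmp(type, "wpa-pws") && strcmp(type, "wpa-psk"))
        return -1;                                      /* unknown key type */
    strcpy(k->type, type);
    k->bits = (int)strtol(bits, &end, 10);
    if (*end || (k->bits != 64 && k->bits != 128 && k->bits != 256))
        return -1;                                      /* bits must be 64/128/256 */
    if (strcmp(t, "s") == 0)      k->is_passphrase = 0;
    else if (strcmp(t, "p") == 0) k->is_passphrase = 1;
    else return -1;                                     /* t must be 's' or 'p' */
    return decode_key(str, k->key, sizeof k->key, &k->keylen);
}
```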

       -a, --config <CONFIG>
              Loads an alternative config file instead of the default in
              /etc/etter.conf. This is useful if you have many preconfigured
              files for different situations.

       --certificate <FILE>
              Tells Ettercap to use the specified certificate file for the SSL
              MiTM attack.

       --private-key <FILE>
              Tells Ettercap to use the specified private key file for the SSL
              MiTM attack.

       VISUALIZATION OPTIONS

       -e, --regex <REGEX>
              Handle only packets that match the regex.
              This option is useful in conjunction with -L. It logs only
              packets that match the posix regex REGEX.
              It impacts even the visualization of the sniffed packets. If it
              is set, only packets matching the regex will be displayed.

       -V, --visual <FORMAT>
              Use this option to set the visualization method for the packets
              to be displayed.

              FORMAT may be one of the following:

              hex    Print the packets in hex format.

                     example:

                     the string "HTTP/1.1 304 Not Modified" becomes:

                     0000: 4854 5450 2f31 2e31 2033 3034 204e 6f74   HTTP/1.1 304 Not
                     0010: 204d 6f64 6966 6965 64                    Modified

              ascii  Print only "printable" characters; the others are
                     displayed as dots '.'

              text   Print only the "printable" characters and skip the
                     others.

              ebcdic Convert an EBCDIC text to ASCII.

              html   Strip all the html tags from the text. A tag is every
                     string between < and >.

                     example:

                     <title>This is the title</title>, but the following
                     <string> will not be displayed.

                     This is the title, but the following will not be
                     displayed.

              utf8   Print the packets in UTF-8 format. The encoding used
                     while performing the conversion is declared in the
                     etter.conf(5) file.
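
              The hex, ascii, text and html formats above, re-implemented as
              an added example (this is not ettercap's code; the function
              names, the buffer-based interface and the exact column spacing
              are this example's own assumptions) so that the rendering of
              "HTTP/1.1 304 Not Modified" and of the html sample can be
              reproduced and checked:

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Example re-implementations of four -V formats (not ettercap's code). Each
   writes a NUL-terminated rendering of buf[0..len) into out and returns its length. */

/* Append s to out without overflowing cap. */
static void put(char *out, size_t cap, size_t *n, const char *s) {
    while (*s && *n + 1 < cap) out[(*n)++] = *s++;
    out[*n] = '\0';
}

/* ascii: printable bytes as-is, everything else shown as a dot */
size_t vis_ascii(const unsigned char *buf, size_t len, char *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < len && n + 1 < cap; i++)
        out[n++] = isprint(buf[i]) ? (char)buf[i] : '.';
    out[n] = '\0';
    return n;
}

/* text: printable bytes only, the others are dropped */
size_t vis_text(const unsigned char *buf, size_t len, char *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < len && n + 1 < cap; i++)
        if (isprint(buf[i])) out[n++] = (char)buf[i];
    out[n] = '\0';
    return n;
}

/* html: drop everything from a '<' up to and including the next '>' */
size_t vis_html(const unsigned char *buf, size_t len, char *out, size_t cap) {
    size_t n = 0; int in_tag = 0;
    for (size_t i = 0; i < len && n + 1 < cap; i++) {
        if (buf[i] == '<') in_tag = 1;
        else if (buf[i] == '>') in_tag = 0;
        else if (!in_tag) out[n++] = (char)buf[i];
    }
    out[n] = '\0';
    return n;
}

/* hex: "OFFS: " then 16 bytes as eight 4-digit groups, then the ASCII column */
size_t vis_hex(const unsigned char *buf, size_t len, char *out, size_t cap) {
    size_t n = 0; char tmp[8];
    out[0] = '\0';
    for (size_t off = 0; off < len; off += 16) {
        snprintf(tmp, sizeof tmp, "%04zx: ", off);
        put(out, cap, &n, tmp);
        for (size_t i = 0; i < 16; i++) {
            if (off + i < len) snprintf(tmp, sizeof tmp, "%02x", buf[off + i]);
            else strcpy(tmp, "  ");                 /* pad a short last line */
            put(out, cap, &n, tmp);
            if (i % 2) put(out, cap, &n, " ");      /* groups of two bytes */
        }
        put(out, cap, &n, "  ");
        for (size_t i = 0; i < 16 && off + i < len; i++) {
            tmp[0] = isprint(buf[off + i]) ? (char)buf[off + i] : '.';
            tmp[1] = '\0';
            put(out, cap, &n, tmp);
        }
        put(out, cap, &n, "\n");
    }
    return n;
}
```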

       -d, --dns
              Resolve ip addresses into hostnames.

              NOTE: this may seriously slow down ettercap while logging
              passive information. Every time a new host is found, a query to
              the dns is performed. Ettercap keeps a cache of already resolved
              hosts to increase the speed, but new hosts need a new query and
              the dns may take up to 2 or 3 seconds to respond for an unknown
              host.

              HINT: ettercap collects the dns replies it sniffs in the
              resolution table, so even if you specify not to resolve the
              hostnames, some of them will be resolved because the reply was
              previously sniffed. Think of it as a passive dns resolution for
              free... ;)

       -E, --ext-headers
              Print extended headers for every displayed packet (e.g. mac
              addresses).

       -Q, --superquiet
              Super quiet mode. Do not print users and passwords as they are
              collected; only store them in the profiles. It is useful when
              you run ettercap in text-only mode but don't want to be flooded
              with dissector messages. It is also useful when using plugins:
              because the sniffing process is always active, ettercap would
              print all the collected infos, and with this option you can
              suppress these messages.
              NOTE: this option automatically sets the -q option.

              example:

              ettercap -TzQP finger /192.168.0.1/22

       LOGGING OPTIONS

       -L, --log <LOGFILE>
              Log all the packets to binary files. These files can be parsed
              by etterlog(8) to extract human readable data. With this option,
              all packets sniffed by ettercap will be logged, together with
              all the passive info (host info + user & pass) it can collect.
              Given a LOGFILE, ettercap will create LOGFILE.ecp (for packets)
              and LOGFILE.eci (for the infos).

              NOTE: if you specify this option on the command line you don't
              have to take care of privileges, since the log file is opened in
              the startup phase (with high privs). But if you enable the log
              option while ettercap is already started, you have to be in a
              directory where uid = 65535 or uid = EC_UID can write.

              NOTE: the logfiles can be compressed with the deflate algorithm
              using the -c option.

       -l, --log-info <LOGFILE>
              Very similar to -L but it logs only passive information + users
              and passwords for each host. The file will be named LOGFILE.eci.

       -m, --log-msg <LOGFILE>
              It stores in <LOGFILE> all the user messages printed by
              ettercap. This can be useful when you are using ettercap in
              daemon mode or if you want to track down all the messages.
              Indeed, some dissectors print messages but their information is
              not stored anywhere, so this is the only way to keep track of
              them.

       -c, --compress
              Compress the logfile with the gzip algorithm while it is dumped.
              etterlog(8) is capable of handling both compressed and
              uncompressed log files.

       -o, --only-local
              Stores profile information belonging only to the LAN hosts.

              NOTE: this option is effective only against the profiles
              collected in memory. While logging to a file ALL the hosts are
              logged. If you want to split them, use the related etterlog(8)
              option.

       -O, --only-remote
              Stores profile information belonging only to remote hosts.

       STANDARD OPTIONS

       -v, --version
              Print the version and exit.

       -h, --help
              Prints the help screen with a short summary of the available
              options.

EXAMPLES
       Here are some examples of using ettercap.

       ettercap -Tp

              Use the console interface and do not put the interface in
              promisc mode. You will see only your traffic.

       ettercap -Tzq

              Use the console interface, do not ARP scan the net and be quiet.
              The packet content will not be displayed, but users and
              passwords, as well as other messages, will be displayed.

       ettercap -T -j /tmp/victims -M arp /10.0.0.1-7/ /10.0.0.10-20/

              Will load the hosts list from /tmp/victims and perform an ARP
              poisoning attack against the two targets. The list will be
              joined with the targets and the resulting list is used for ARP
              poisoning.

       ettercap -T -M arp // //

              Perform the ARP poisoning attack against all the hosts in the
              LAN. BE CAREFUL !!

       ettercap -T -M arp:remote /192.168.1.1/ /192.168.1.2-10/

              Perform the ARP poisoning against the gateway and the hosts in
              the LAN from 2 to 10. The 'remote' option is needed to be able
              to sniff the remote traffic the hosts make through the gateway.

       ettercap -Tzq //110

              Sniff only the pop3 protocol from every host.

       ettercap -Tzq /10.0.0.1/21,22,23

              Sniff telnet, ftp and ssh connections to 10.0.0.1.

       ettercap -P list

              Prints the list of all available plugins.

FILES
       ~/.config/ettercap_gtk

              Stores persistent information (e.g., window placement) between
              sessions.

ORIGINAL AUTHORS
       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>

PROJECT STEWARDS
       Emilio Escobar (exfil)  <eescobar@gmail.com>
       Eric Milam (Brav0Hax)  <jbrav.hax@gmail.com>

OFFICIAL DEVELOPERS
       Mike Ryan (justfalter)  <falter@gmail.com>
       Gianfranco Costamagna (LocutusOfBorg)  <costamagnagianfranco@yahoo.it>
       Antonio Collarino (sniper)  <anto.collarino@gmail.com>
       Ryan Linn   <sussuro@happypacket.net>
       Jacob Baines   <baines.jacob@gmail.com>

CONTRIBUTORS
       Dhiru Kholia (kholia)  <dhiru@openwall.com>
       Alexander Koeppe (koeppea)  <format_c@online.de>
       Martin Bos (PureHate)  <purehate@backtrack.com>
       Enrique Sanchez
       Gisle Vanem  <giva@bgnett.no>
       Johannes Bauer  <JohannesBauer@gmx.de>
       Daten (Bryan Schneiders)  <daten@dnetc.org>

SEE ALSO
       etter.conf(5) ettercap_curses(8) ettercap_plugins(8) etterlog(8)
       etterfilter(8) ettercap-pkexec(8)

AVAILABILITY
       https://github.com/Ettercap/ettercap/downloads

GIT
       git clone git://github.com/Ettercap/ettercap.git
       or
       git clone https://github.com/Ettercap/ettercap.git

BUGS
       Our software never has bugs.
       It just develops random features.   ;)

       KNOWN-BUGS

       - ettercap doesn't handle fragmented packets... only the first segment
         will be displayed by the sniffer. However all the fragments are
         correctly forwarded.

       + please send bug reports, patches or suggestions to
         <ettercap-betatesting@lists.sourceforge.net> or visit
         https://github.com/Ettercap/ettercap/issues.

       + to report a bug, follow the instructions in the README.BUGS file

PHILOLOGICAL HISTORY
       "Even if blessed with a feeble intelligence, they are cruel and
       smart..." this is the description of Ettercap, a monster of the RPG
       Advanced Dungeons & Dragons.

       The name "ettercap" was chosen because it has an assonance with
       "ethercap" which means "ethernet capture" (what ettercap actually does)
       and also because such monsters have a powerful poison... and you know,
       arp poisoning... ;)

The Lord Of The (Token)Ring
       (the fellowship of the packet)

       "One Ring to link them all, One Ring to ping them,
        one Ring to bring them all and in the darkness sniff them."

Last words
       "Programming today is a race between software engineers striving to
       build bigger and better idiot-proof programs, and the Universe trying
       to produce bigger and better idiots. So far, the Universe is winning."
       - Rich Cook

ettercap 0.8.3.1                                                   ETTERCAP(8)