ETTERCAP(8)                 System Manager's Manual                ETTERCAP(8)

NAME
       ettercap - multipurpose sniffer/content filter for man in the middle
       attacks

IMPORTANT NOTE
       Since ettercap NG (formerly 0.7.0), all the options have been changed.
       Even the target specification has been changed. Please read this man
       page carefully.

SYNOPSIS
       ettercap [OPTIONS] [TARGET1] [TARGET2]

       If IPv6 is enabled:
              TARGET is in the form MAC/IPs/IPv6/PORTs
       Otherwise,
              TARGET is in the form MAC/IPs/PORTs
       where IPs and PORTs can be ranges (e.g. /192.168.0.1-30,40,50/20,22,25)

DESCRIPTION
       Ettercap was born as a sniffer for switched LANs (and obviously also
       "hubbed" ones), but during its development it has gained more and
       more features that have turned it into a powerful and flexible tool
       for man-in-the-middle attacks. It supports active and passive
       dissection of many protocols (even encrypted ones) and includes many
       features for network and host analysis (such as OS fingerprinting).

       It has two main sniffing modes:

       UNIFIED: this method sniffs all the packets that pass on the cable.
       You can choose whether or not to put the interface in promiscuous
       mode (-p option). Packets not directed to the host running ettercap
       are forwarded automatically using layer 3 routing, so you can use a
       mitm attack launched from a different tool and let ettercap modify
       the packets and forward them for you.
       The kernel ip_forwarding is always disabled by ettercap. This is done
       to prevent a packet from being forwarded twice (once by ettercap and
       once by the kernel). This is invasive behaviour on a gateway, so we
       recommend using ettercap on gateways ONLY with UNOFFENSIVE MODE
       ENABLED (-u). Since ettercap listens on only one network interface,
       launching it on a gateway in offensive mode will not allow packets to
       be routed back out of the second interface.

       BRIDGED: this method uses two network interfaces and forwards the
       traffic from one to the other while sniffing and content filtering.
       It is stealthy at the network level: the attacker transmits nothing
       of its own, so there is no frame on the wire that reveals someone is
       in the middle (added latency and any modified content are the only
       side effects a careful observer could notice). You can look at this
       method as a mitm attack at layer 1: you are in the middle of the
       cable between two entities. Don't use it on gateways or it will turn
       your gateway into a bridge. HINT: you can use the content filtering
       engine to drop packets that should not pass. This way ettercap will
       work as an inline IPS ;)

       You can also perform man in the middle attacks while using unified
       sniffing. You can choose the mitm attack that you prefer. The mitm
       attack module is independent of the sniffing and filtering process,
       so you can launch several attacks at the same time or use your own
       tool for the attack. The crucial point is that the packets have to
       arrive at ettercap with the host's mac address and a different ip
       address (only these packets will be forwarded).

       The most relevant ettercap features are:

       SSH1 support: you can sniff User and Pass, and even the data of an
       SSH1 connection. ettercap is the first software capable of sniffing
       an SSH connection in FULL-DUPLEX.

       SSL support: you can sniff SSL secured data... a fake certificate is
       presented to the client and the session is decrypted.

       Character injection in an established connection: you can inject
       characters to the server (emulating commands) or to the client
       (emulating replies) while keeping the connection alive!

       Packet filtering/dropping: you can set up a filter script that
       searches for a particular string (even hex) in the TCP or UDP payload
       and replaces it with yours or drops the entire packet. The filtering
       engine can match any field of the network protocols and modify
       whatever you want (see etterfilter(8)).

       Remote traffic sniffing through tunnels and route mangling: you can
       play with linux cooked interfaces or use the integrated plugin to
       sniff tunneled or route-mangled remote connections and perform mitm
       attacks on them.

       Plug-in support: you can create your own plugin using ettercap's
       API.

       Password collector for: TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB,
       MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC,
       LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG (other protocols coming
       soon...)

       Passive OS fingerprinting: you scan the lan passively (without
       sending any packet) and gather detailed info about the hosts in the
       LAN: operating system, running services, open ports, IP, mac address
       and network adapter vendor.

       Kill a connection: from the connections list you can kill all the
       connections you want.

TARGET SPECIFICATION
       There is no concept of SOURCE nor DEST. The two targets are intended
       to filter traffic coming from one to the other and vice-versa (since
       the connection is bidirectional).

       TARGET is in the form MAC/IPs/PORTs.
       NOTE: If IPv6 is enabled, TARGET is in the form MAC/IPs/IPv6/PORTs.

       If you want you can omit any of its parts and this will represent an
       ANY in that part.
       e.g.
       "//80"       means ANY mac address, ANY ip and ONLY port 80
       "/10.0.0.1/" means ANY mac address, ONLY ip 10.0.0.1 and ANY port

       MAC must be unique and in the form 00:11:22:33:44:55

       IPs is a range of IPs in dotted notation. You can specify a range
       with - (hyphen) and single ips with , (comma). You can also use ;
       (semicolon) to separate different ip expressions.
       e.g.
       "10.0.0.1-5;10.0.1.33" expands into ips 10.0.0.1, 2, 3, 4, 5 and
       10.0.1.33

       PORTs is a range of PORTS. You can specify a range with - (hyphen)
       and single ports with , (comma).
       e.g.
       "20-25,80,110" expands into ports 20, 21, 22, 23, 24, 25, 80 and 110

       NOTE:
       you can reverse the matching of the TARGET by adding the -R option to
       the command line. So if you want to sniff ALL the traffic BUT the one
       coming from or going to 10.0.0.1 you can specify
       "./ettercap -R /10.0.0.1/"

       NOTE:
       TARGETs are also responsible for the initial scan of the lan. You can
       use them to restrict the scan to only a subset of the hosts in the
       netmask. The result of merging the two targets will be scanned.
       Remember that not specifying a target means "no target", but
       specifying "//" means "all the hosts in the subnet".

148
150 ettercap needs root privileges to open the Link Layer sockets. After
151 the initialization phase, the root privs are not needed anymore, so
152 ettercap drops them to UID = 65535 (nobody). Since ettercap has to
153 write (create) log files, it must be executed in a directory with the
154 right permissions (e.g. /tmp/). If you want to drop privs to a differ‐
155 ent uid, you can export the environment variable EC_UID with the value
156 of the uid you want to drop the privs to (e.g. export EC_UID=500) or
157 set the correct parameter in the etter.conf file.
158
159
SSL MITM ATTACK
       The SSL mitm attack depends on TCP traffic being redirected to a
       custom listener port of ettercap. The redir_command_on and
       redir_command_off configuration variables take care of this (see
       etter.conf(5)). However, when ettercap starts, traffic from any
       source to any destination for the redirectable services will be
       redirected to ettercap and the SSL stream will be intercepted. This
       may not be the desired behaviour, therefore you can adjust the
       redirect rules after ettercap has been started using the selected
       user interface.

       While performing the SSL mitm attack, ettercap substitutes the real
       ssl certificate with its own. The fake certificate is created on the
       fly and all the fields are filled according to the real cert
       presented by the server. Only the issuer is modified, and the cert is
       signed with the private key contained in the 'etter.ssl.crt' file.
       If you want to use a different private key you have to regenerate
       this file. To regenerate the cert file use the following commands
       (the file holds the private key followed by the self-signed
       certificate):

              # signing key; 1024 bits as in the original instructions, but
              # modern TLS stacks treat 1024-bit RSA as insecure and many
              # reject it, so 2048 is the safer choice
              openssl genrsa -out etter.ssl.crt 1024
              # certificate request for that key
              openssl req -new -key etter.ssl.crt -out tmp.csr
              # self-sign it for 5 years
              openssl x509 -req -days 1825 -in tmp.csr -signkey etter.ssl.crt -out tmp.new
              # append the certificate to the key file and clean up
              cat tmp.new >> etter.ssl.crt
              rm -f tmp.new tmp.csr

       NOTE: the forged certificate does not chain to any authority trusted
       by the client, so validating clients will raise a certificate
       warning, and HSTS or certificate pinning will block the connection
       outright; the attack only decrypts sessions of clients that accept
       the untrusted certificate.

       NOTE: SSL mitm is not available (for now) in bridged mode.

       NOTE: You can use the --certificate/--private-key long options if you
       want to specify a different file rather than the etter.ssl.crt file.

OPTIONS
       Options that make sense together can generally be combined. ettercap
       will warn the user about unsupported option combinations.

   SNIFFING AND ATTACK OPTIONS

       ettercap NG has a new unified sniffing method. This implies that
       ip_forwarding in the kernel is always disabled and the forwarding is
       done by ettercap. Every packet with destination mac address equal to
       the host's mac address and destination ip address different from the
       one bound to the iface will be forwarded by ettercap. Before
       forwarding them, ettercap can content filter, sniff, log or drop
       them. It does not matter how these packets are hijacked, ettercap
       will process them. You can even use external programs to hijack
       packets.
       You have full control of what ettercap should receive. You can use
       the internal mitm attacks, set the interface in promisc mode, use
       plugins or use any method you want.

       IMPORTANT NOTE: if you run ettercap on a gateway, remember to
       re-enable the ip_forwarding after you have killed ettercap (on Linux,
       for example, by writing 1 to /proc/sys/net/ipv4/ip_forward). Since
       ettercap drops its privileges, it cannot restore the ip_forwarding
       for you.

       -M, --mitm <METHOD:ARGS>
              MITM attack
              This option activates the man in the middle attack. The mitm
              attack is totally independent of the sniffing. The aim of the
              attack is to hijack packets and redirect them to ettercap. The
              sniffing engine will forward them if necessary.
              You can choose the mitm attack that you prefer and also
              combine some of them to perform different attacks at the same
              time.
              If a mitm method requires some parameters you can specify them
              after the colon (e.g. -M dhcp:ip_pool/netmask/dns).

              The following mitm attacks are available:

              arp ([remote],[oneway])
                     This method implements the ARP poisoning mitm attack.
                     ARP requests/replies are sent to the victims to poison
                     their ARP cache. Once the cache has been poisoned the
                     victims will send all packets to the attacker which, in
                     turn, can modify and forward them to the real
                     destination.

                     In silent mode (-z option) only the first target is
                     selected; if you want to poison multiple targets in
                     silent mode use the -j option to load a list from a
                     file.

                     You can select empty targets and they will be expanded
                     as 'ANY' (all the hosts in the LAN). The target list is
                     joined with the hosts list (created by the arp scan)
                     and the result is used to determine the victims of the
                     attack.

                     The parameter "remote" is optional and you have to
                     specify it if you want to sniff remote ip addresses by
                     poisoning a gateway. Indeed, if you specify a victim
                     and the gw in the TARGETS, ettercap will sniff only the
                     connections between them; to enable ettercap to sniff
                     connections that pass thru the gw, you have to use
                     this parameter.

                     The parameter "oneway" will force ettercap to poison
                     only from TARGET1 to TARGET2. Useful if you want to
                     poison only the client and not the router (where an
                     arp watcher can be in place).
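
                     The following Python is an added example, not
                     ettercap's own code: a minimal ARP watcher of the kind
                     the "oneway" parameter is meant to stay clear of. It
                     parses raw Ethernet/ARP frames, learns IP -> MAC
                     bindings and raises an alert when a later frame rebinds
                     an IP to another MAC (what a poisoning reply does) or
                     when the Ethernet source does not match the ARP sender
                     field. The frames, MAC addresses and IPs in demo() are
                     constructed for the example.

```python
"""Added example, not ettercap's code: a minimal ARP watcher."""
import struct
from typing import Dict, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str,
              target_ip: str, eth_src: Optional[str] = None,
              eth_dst: Optional[str] = None) -> bytes:
    """Ethernet II header + 28-byte ARP body (IPv4 over Ethernet).
    eth_src/eth_dst default to the ARP sender/target MACs; passing a
    different eth_src reproduces frames whose layer-2 source disagrees
    with the ARP payload."""
    eth = (_mac_bytes(eth_dst or target_mac) + _mac_bytes(eth_src or sender_mac)
           + struct.pack("!H", ETHERTYPE_ARP))
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
            + _mac_bytes(target_mac) + _ip_bytes(target_ip))
    return eth + body


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of an Ethernet frame, or None if it is not
    an IPv4-over-Ethernet ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "eth_src": mac(frame[6:12]),
            "sender_mac": mac(frame[22:28]), "sender_ip": ip(frame[28:32]),
            "target_mac": mac(frame[32:38]), "target_ip": ip(frame[38:42])}


class ArpWatcher:
    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}   # ip -> first MAC seen for it

    def observe(self, frame: bytes) -> Optional[str]:
        """Feed one frame (request or reply); return an alert or None."""
        arp = parse_arp(frame)
        if arp is None:
            return None
        if arp["eth_src"] != arp["sender_mac"]:
            return (f"frame from {arp['eth_src']} carries ARP sender "
                    f"{arp['sender_mac']} for {arp['sender_ip']}")
        # keep the first binding so every later poisoning reply alerts
        known = self.bindings.setdefault(arp["sender_ip"], arp["sender_mac"])
        if known != arp["sender_mac"]:
            return (f"{arp['sender_ip']} rebound from {known} to "
                    f"{arp['sender_mac']} (possible ARP poisoning)")
        return None


def demo() -> list:
    """Constructed traffic: the real gateway (10.0.0.1) answers the client,
    then an attacker claims the gateway's IP towards the same client, which
    is what '-M arp' sends to TARGET1."""
    gw, client, attacker = "00:11:22:33:44:55", "00:aa:00:00:00:01", "00:de:ad:be:ef:01"
    watcher = ArpWatcher()
    frames = [
        build_arp(ARP_REPLY, gw, "10.0.0.1", client, "10.0.0.23"),
        build_arp(ARP_REPLY, attacker, "10.0.0.1", client, "10.0.0.23"),
    ]
    return [watcher.observe(f) for f in frames]


if __name__ == "__main__":
    for alert in demo():
        print(alert or "ok")
```

                     The watcher keeps the first binding it saw rather than
                     the latest, so a poisoning reply keeps alerting for as
                     long as it is repeated; a production tool would also
                     age entries and whitelist known DHCP re-assignments.
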
257
258 Example:
259
260 the targets are: /10.0.0.1-5/ /10.0.0.15-20/
261 and the host list is: 10.0.0.1 10.0.0.3 10.0.0.16
262 10.0.0.18
263
264 the associations between the victims will be:
265 1 and 16, 1 and 18, 3 and 16, 3 and 18
266
267 if the targets overlap each other, the association with
268 identical ip address will be skipped.
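
                     As an added example (not ettercap's own code), the
                     following Python models the TARGET syntax from the
                     TARGET SPECIFICATION section together with the victim
                     pairing described for this arp method: it expands
                     MAC/IPs/PORTs (- ranges, , lists, ; groups and an empty
                     part meaning ANY), tests a connection against two
                     targets with and without the -R reversal, and joins two
                     targets with a scanned host list into victim pairs,
                     skipping identical addresses. Only the IPv4 form is
                     handled; allowing a range or list in any of the four
                     octets, and representing an omitted second TARGET as
                     "//", are assumptions of this example.

```python
"""Added example, not ettercap's code: TARGET expansion, matching and
the victim pairs used by "-M arp".  IPv4 form only."""
import itertools
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")
Endpoint = Tuple[str, str, int]   # (mac, ip, port) of one connection end


def _expand_values(spec: str, upper: int) -> list:
    """'1-5,7' -> [1, 2, 3, 4, 5, 7]; every value must lie in 0..upper."""
    values = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 0 <= lo_i <= hi_i <= upper:
            raise ValueError(f"value out of range: {item!r}")
        values.extend(range(lo_i, hi_i + 1))
    return values


def expand_ips(spec: str) -> Optional[FrozenSet[str]]:
    """'10.0.0.1-5;10.0.1.33' -> six addresses; '' -> None (ANY).
    Assumption of this example: a range/list may appear in any octet."""
    if spec == "":
        return None
    ips = set()
    for group in spec.split(";"):
        octets = group.split(".")
        if len(octets) != 4:
            raise ValueError(f"not a dotted IPv4 expression: {group!r}")
        for combo in itertools.product(*(_expand_values(o, 255) for o in octets)):
            ips.add(".".join(str(o) for o in combo))
    return frozenset(ips)


def expand_ports(spec: str) -> Optional[FrozenSet[int]]:
    """'20-25,80,110' -> {20..25, 80, 110}; '' -> None (ANY)."""
    return None if spec == "" else frozenset(_expand_values(spec, 65535))


@dataclass(frozen=True)
class Target:
    mac: Optional[str]               # None means ANY
    ips: Optional[FrozenSet[str]]
    ports: Optional[FrozenSet[int]]


def parse_target(spec: str) -> Target:
    """Parse 'MAC/IPs/PORTs'; '//' is ANY/ANY/ANY."""
    parts = spec.split("/")
    if len(parts) != 3:
        raise ValueError("TARGET must have the form MAC/IPs/PORTs")
    mac, ips, ports = parts
    mac = mac.lower()
    if mac and not MAC_RE.fullmatch(mac):
        raise ValueError(f"bad MAC: {mac!r}")
    return Target(mac or None, expand_ips(ips), expand_ports(ports))


def endpoint_matches(t: Target, ep: Endpoint) -> bool:
    mac, ip, port = ep
    return ((t.mac is None or t.mac == mac.lower())
            and (t.ips is None or ip in t.ips)
            and (t.ports is None or port in t.ports))


def connection_matches(t1: Target, t2: Target, a: Endpoint, b: Endpoint,
                       reverse: bool = False) -> bool:
    """Targets carry no direction: the connection is selected when one end
    matches TARGET1 and the other TARGET2, in either order.  reverse=True
    models -R (select everything BUT the matching traffic)."""
    hit = ((endpoint_matches(t1, a) and endpoint_matches(t2, b))
           or (endpoint_matches(t1, b) and endpoint_matches(t2, a)))
    return hit != reverse


def arp_victim_pairs(t1: Target, t2: Target, hosts: Sequence[str]) -> list:
    """-M arp: each target is joined with the scanned host list and every
    host of the first group is paired with every host of the second;
    pairs with identical addresses (overlapping targets) are skipped."""
    found = set(hosts)
    g1 = found if t1.ips is None else found & t1.ips
    g2 = found if t2.ips is None else found & t2.ips
    key = lambda ip: tuple(int(o) for o in ip.split("."))
    return sorted(((x, y) for x in g1 for y in g2 if x != y),
                  key=lambda p: (key(p[0]), key(p[1])))


if __name__ == "__main__":
    # the example from this section; the host list is a constructed scan result
    t1, t2 = parse_target("/10.0.0.1-5/"), parse_target("/10.0.0.15-20/")
    for x, y in arp_victim_pairs(t1, t2, ["10.0.0.1", "10.0.0.3", "10.0.0.16", "10.0.0.18"]):
        print(f"poison {x} <-> {y}")
```
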
269
270 NOTE: if you manage to poison a client, you have to set
271 correct routing table in the kernel specifying the GW. If
272 your routing table is incorrect, the poisoned clients
273 will not be able to navigate the Internet.
274
275
276
277 icmp (MAC/IP)
278 This attack implements ICMP redirection. It sends a
279 spoofed icmp redirect message to the hosts in the lan
280 pretending to be a better route for internet. All connec‐
281 tions to internet will be redirected to the attacker
282 which, in turn, will forward them to the real gateway.
283 The resulting attack is a HALF-DUPLEX mitm. Only the
284 client is redirected, since the gateway will not accept
285 redirect messages for a directly connected network. BE
286 SURE TO NOT USE FILTERS THAT MODIFY THE PAYLOAD LENGTH.
287 you can use a filter to modify packets, but the length
288 must be the same since the tcp sequences cannot be
289 updated in both ways.
290 You have to pass as argument the MAC and the IP address
291 of the real gateway for the lan.
292 Obviously you have to be able to sniff all the traffic.
293 If you are on a switch you have to use a different mitm
294 attack such as arp poisoning.
295
296 NOTE: to restrict the redirection to a given target,
297 specify it as a TARGET
298
299 Example:
300
301 -M icmp:00:11:22:33:44:55/10.0.0.1
302
303 will redirect all the connections that pass thru that
304 gateway.
305
306
307
              dhcp (ip_pool/netmask/dns)
                     This attack implements DHCP spoofing. It pretends to be
                     a DHCP server and tries to win the race with the real
                     one to force the client to accept the attacker's reply.
                     This way ettercap is able to manipulate the GW
                     parameter and hijack all the outgoing traffic generated
                     by the clients.
                     The resulting attack is a HALF-DUPLEX mitm, so be sure
                     to use appropriate filters (see above in the ICMP
                     section).

                     You have to pass the ip pool to be used, the netmask
                     and the ip of the dns server. Since ettercap tries to
                     win the race with the real server, it DOES NOT CHECK if
                     the ip is already assigned. You have to specify an ip
                     pool of FREE addresses to be used. The ip pool has the
                     same form as the target specification.

                     If the client sends a dhcp request (suggesting an ip
                     address) ettercap will ack on that ip and modify only
                     the gw option. If the client makes a dhcp discovery,
                     ettercap will use the first unused ip address of the
                     list you have specified on the command line. Every
                     discovery consumes an ip address. When the list is
                     exhausted, ettercap stops offering new ip addresses and
                     will reply only to dhcp requests. If you don't want to
                     offer any ip address, but only change the router
                     information of dhcp requests/acks, you can specify an
                     empty ip_pool.

                     BIG WARNING: if you specify a list of ips that are in
                     use, you will mess up your network! In general, use
                     this attack carefully. It can really mess things up!
                     When you stop the attack, all the victims will still be
                     convinced that ettercap is the gateway until the lease
                     expires...

                     Example:

                     -M dhcp:192.168.0.30,35,50-60/255.255.255.0/192.168.0.1
                     reply to DHCP discover (offering from the pool) and
                     request.

                     -M dhcp:/255.255.255.0/192.168.0.1
                     reply only to DHCP request.

              port ([remote],[tree])
                     This attack implements Port Stealing. This technique is
                     useful to sniff in a switched environment when ARP
                     poisoning is not effective (for example where static
                     ARP mappings are used).

                     It floods the LAN (at the rate set by the
                     port_steal_delay option in etter.conf) with ARP
                     packets. If you don't specify the "tree" option, the
                     destination MAC address of each "stealing" packet is
                     the attacker's own (other NICs won't see these packets)
                     and the source MAC address is one of the MACs in the
                     host list. This process "steals" the switch port of
                     each victim host in the host list: the switch learns
                     the victim's MAC on the attacker's port. Using low
                     delays, packets destined to "stolen" MAC addresses will
                     be received by the attacker, winning the race with the
                     real port owner. When the attacker receives a packet
                     for a "stolen" host, it stops the flooding and performs
                     an ARP request for the real destination of the packet.
                     When it receives the ARP reply it is sure that the
                     victim has "taken back" its port, so ettercap can
                     re-send the packet to the destination as is. Then the
                     flooding restarts, waiting for new packets.

                     If you use the "tree" option, the destination MAC
                     address of each stealing packet will be a bogus one, so
                     these packets will be propagated to other switches (not
                     only the directly connected one). This way you will be
                     able to steal ports on other switches in the tree (if
                     any), but you will generate a huge amount of traffic
                     (according to port_steal_delay). The "remote" option
                     has the same meaning as in the "arp" mitm method.

                     When you stop the attack, ettercap will send an ARP
                     request to each stolen host, giving back their switch
                     ports.
                     You can perform either HALF or FULL DUPLEX mitm
                     according to target selection.

                     NOTE: Use this mitm method only on ethernet switches.
                     Use it carefully, it could produce performance loss or
                     general havoc.

                     NOTE: You can NOT use this method in only-mitm mode (-o
                     flag), because it hooks the sniffing engine, and you
                     can't use interactive data injection.

                     NOTE: It could be dangerous to use it in conjunction
                     with other mitm methods.

                     NOTE: This mitm method doesn't work on Solaris and
                     Windows because of the libpcap and libnet design and
                     the lack of certain ioctl(). (We will feature this
                     method on these OSes if someone requests it...)

                     Example:

                     The targets are: /10.0.0.1/ /10.0.0.15/
                     You will intercept and visualize traffic between
                     10.0.0.1 and 10.0.0.15, but you will receive all the
                     traffic for 10.0.0.1 and 10.0.0.15 too.

                     The target is: /10.0.0.1/
                     You will intercept and visualize all the traffic for
                     10.0.0.1.

              ndp ([remote],[oneway])
                     NOTE: This MITM method is only supported if IPv6
                     support has been enabled.

                     This method implements the NDP poisoning attack which
                     is used for MITM of IPv6 connections. ND messages
                     (neighbor solicitations/advertisements) are sent to the
                     victims to poison their neighbor cache. Once the cache
                     has been poisoned the victims will send all IPv6
                     packets to the attacker which, in turn, can modify and
                     forward them to the real destination.

                     In silent mode (-z option) only the first target is
                     selected; if you want to poison multiple targets in
                     silent mode use the -j option to load a list from a
                     file.

                     You can select empty targets and they will be expanded
                     as 'ANY' (all the hosts in the LAN). The target list is
                     joined with the hosts list (created by the initial host
                     scan) and the result is used to determine the victims
                     of the attack.

                     The parameter "remote" is optional and you have to
                     specify it if you want to sniff remote ip addresses by
                     poisoning a gateway. Indeed, if you specify a victim
                     and the gw in the TARGETS, ettercap will sniff only the
                     connections between them; to enable ettercap to sniff
                     connections that pass thru the gw, you have to use
                     this parameter.

                     The parameter "oneway" will force ettercap to poison
                     only from TARGET1 to TARGET2. Useful if you want to
                     poison only the client and not the router (where an
                     ND/arp watcher can be in place).

                     Example:

                     Targets are: //fe80::260d:afff:fe6e:f378/
                                  //2001:db8::2:1/
                     Ranges of IPv6 addresses are not yet supported.

                     NOTE: if you manage to poison a client, you have to set
                     a correct routing table in the kernel specifying the
                     GW. If your routing table is incorrect, the poisoned
                     clients will not be able to reach the Internet.

                     NOTE: in IPv6 the link-local address of the router is
                     usually used as the gateway address. Therefore you need
                     to set the link-local address of the router as one
                     target and the global-unicast address of the victim as
                     the other in order to set up a successful IPv6 MITM
                     attack using NDP poisoning.

       -o, --only-mitm
              This option disables the sniffing thread and enables only the
              mitm attack. Useful if you want to use ettercap to perform
              mitm attacks and another sniffer (such as wireshark) to sniff
              the traffic. Keep in mind that the packets are not forwarded
              by ettercap. The kernel will be responsible for the
              forwarding. Remember to activate the "ip forwarding" feature
              in your kernel.

       -f, --pcapfilter <FILTER>
              Set a capturing filter in the pcap library. The format is the
              same as tcpdump(1). Remember that this kind of filter stops
              non-matching packets from ever being captured, so if you
              perform a mitm attack, ettercap will not be able to forward
              hijacked packets that the filter excludes. These filters are
              useful to decrease the network load on ettercap's decoding
              module.

       -B, --bridge <IFACE>
              BRIDGED sniffing
              You need two network interfaces. ettercap will forward from
              one to the other all the traffic it sees. It is useful for
              man in the middle at the physical layer. It is totally
              stealthy since it is passive and there is no way for a user
              to see the attacker.
              You can content filter all the traffic as if you were a
              transparent proxy for the "cable".

   OFF LINE SNIFFING

       -r, --read <FILE>
              OFF LINE sniffing
              With this option enabled, ettercap will sniff packets from a
              pcap compatible file instead of capturing from the wire.
              This is useful if you have a file dumped from tcpdump or
              wireshark and you want to analyze it (search for passwords or
              passive fingerprints).
              Obviously you cannot use "active" sniffing (arp poisoning or
              bridging) while sniffing from a file.

       -w, --write <FILE>
              WRITE packets to a pcap file
              This is useful if you have to use "active" sniffing (arp
              poisoning) on a switched LAN but you want to analyze the
              packets with tcpdump or wireshark. You can use this option to
              dump the packets to a file and then load it into your
              favourite application.

              NOTE: the dump file collects ALL the packets regardless of
              the TARGET. This is done because you may want to log even
              protocols not supported by ettercap, so you can analyze them
              with other tools.

              TIP: you can use the -w option in conjunction with the -r
              one. This way you will be able to filter the payload of the
              dumped packets or decrypt WEP-encrypted WiFi traffic and dump
              them to another file.

   USER INTERFACES OPTIONS

       -T, --text
              The text only interface, only printf ;)
              It is quite interactive, press 'h' at any moment to get help
              on what you can do.

       -q, --quiet
              Quiet mode. It can be used only in conjunction with the
              console interface. It does not print packet content. It is
              useful if you want to convert a pcap file to ettercap log
              files.

              example:

              ettercap -Tq -L dumpfile -r pcapfile

       -s, --script <COMMANDS>
              With this option you can feed ettercap with commands as if
              they were typed on the keyboard by the user. This way you can
              use ettercap within your favourite scripts. There is a
              special command you can issue thru this option: s(x). This
              command will sleep for x seconds.

              example:

              ettercap -T -s 'lq'
                     will print the list of the hosts and exit
              ettercap -T -s 's(300)olqq'
                     will collect the infos for 5 minutes, print the list
                     of the local profiles and exit

       -C, --curses
              Ncurses based GUI. See ettercap_curses(8) for a full
              description.

       -G, --gtk
              The nice GTK2 interface (thanks Daten...).

       -D, --daemonize
              Daemonize ettercap. This option will detach ettercap from the
              current controlling terminal and run it as a daemon. You can
              combine this feature with the "log" option to log all the
              traffic in the background. If the daemon fails for any
              reason, it will create the file "./ettercap_daemonized.log"
              in which the error caught by ettercap will be reported.
              Furthermore, if you want a complete debug of the daemon
              process, you are encouraged to recompile ettercap in debug
              mode.

   GENERAL OPTIONS

       -b, --broadcast
              Tells ettercap to process packets coming from the broadcast
              address.

       -i, --iface <IFACE>
              Use this <IFACE> instead of the default one. The interface
              can be unconfigured (requires libnet >= 1.1.2), but in this
              case you cannot use MITM attacks and you should set the
              unoffensive flag.

       -I, --iflist
              This option will print the list of all available network
              interfaces that can be used within ettercap. The option is
              particularly useful under windows where the name of the
              interface is not as obvious as under *nix.

       -Y, --secondary <interface list>
              Specify a list of (or a single) secondary interfaces to
              capture packets from.

       -A, --address <ADDRESS>
              Use this <ADDRESS> instead of the one autodetected for the
              current iface. This option is useful if you have an interface
              with multiple ip addresses.

       -n, --netmask <NETMASK>
              Use this <NETMASK> instead of the one associated with the
              current iface. This option is useful if the NIC has an
              associated class B (/16) netmask and you want to scan (with
              the arp scan) only a class C (/24).

       -R, --reversed
              Reverse the matching in the TARGET selection. It means
              not(TARGET). All but the selected TARGET.

       -t, --proto <PROTO>
              Sniff only PROTO packets (default is TCP + UDP).
              This is useful if you want to select a port via the TARGET
              specification but you want to differentiate between tcp and
              udp.
              PROTO can be "tcp", "udp" or "all" for both.

       -6, --ip6scan
              Send ICMPv6 probes to discover active IPv6 nodes on the link.
              This option sends a ping request to the all-nodes address to
              make active IPv6 hosts respond. It is therefore off by
              default; do not use it if you are trying to stay unnoticed.

              NOTE: This option is only available if IPv6 support has been
              enabled.

       -z, --silent
              Do not perform the initial ARP scan of the LAN.

              NOTE: you will not have the hosts list, so you can't use the
              multipoison feature. You can only select two hosts for an ARP
              poisoning attack, specifying them through the TARGETs.

       -p, --nopromisc
              Usually, ettercap will put the interface in promisc mode to
              sniff all the traffic on the wire. If you want to sniff only
              your own connections, use this flag to NOT enable promisc
              mode.

       -S, --nosslmitm
              Usually, ettercap forges SSL certificates in order to
              intercept https traffic. This option disables that behavior.

       -u, --unoffensive
              Every time ettercap starts, it disables ip forwarding in the
              kernel and begins to forward packets itself. This option
              prevents that, so the responsibility for ip forwarding is
              left to the kernel.
              This option is useful if you want to run multiple ettercap
              instances. You will have one instance (the one without the -u
              option) forwarding the packets, and all the other instances
              doing their work without forwarding them. Otherwise you will
              get duplicate packets.
              It also disables the internal creation of the sessions for
              each connection. It increases performance, but you will not
              be able to modify packets on the fly.
              If you want to use a mitm attack you have to use a separate
              instance.
              You have to use this option if the interface is unconfigured
              (without an ip address).
              This is also useful if you want to run ettercap on the
              gateway. It will not disable the forwarding and the gateway
              will correctly route the packets.

       -j, --load-hosts <FILENAME>
              It can be used to load a hosts list from a file created by
              the -k option (see below).

       -k, --save-hosts <FILENAME>
              Saves the hosts list to a file. Useful when you have many
              hosts and you don't want to do an ARP storm at startup every
              time you use ettercap. Simply use this option and dump the
              list to a file, then to load the information from it use the
              -j <filename> option.

       -P, --plugin <PLUGIN>
              Run the selected PLUGIN. Many plugins need a target
              specification, use TARGET as always. Use multiple occurrences
              of this parameter to select multiple plugins.
              In console mode (-C option), standalone plugins are executed
              and then the application exits. Hook plugins are activated
              and the normal sniffing is performed.
              To have a list of the available external plugins use "list"
              (without quotes) as plugin name (e.g. ./ettercap -P list).

              NOTE: you can also activate plugins directly from the
              interfaces (always press "h" to get the inline help)

              More detailed info about plugins and about how to write your
              own is found in the man page ettercap_plugins(8)

       --plugin-list <PLUGIN1>[,<PLUGIN2>,...]
              Instead of providing multiple occurrences of -P plugin,
              --plugin-list can be used followed by a comma separated list
              without any spaces (e.g. ./ettercap --plugin-list
              plugin1,plugin2).

       -F, --filter <FILE>
              Load the filter from the file <FILE>. The filter must be
              compiled with etterfilter(8). The utility will compile the
              filter script and produce an ettercap-compliant binary filter
              file. Read the etterfilter(8) man page for the list of
              functions you can use inside a filter script. Any number of
              filters can be loaded by specifying the option multiple
              times; packets are passed through each filter in the order
              specified on the command line. You can also load a script
              without enabling it by appending :0 to the filename.
              NOTE: these filters are different from those set with
              --pcapfilter. An ettercap filter is a content filter and can
              modify the payload of a packet before forwarding it. Pcap
              filters are used to capture only certain packets.
              NOTE: you can use filters on a pcap file to modify it and
              save to another file, but in this case you have to pay
              attention to what you are doing, since ettercap will not
              recalculate checksums, nor split packets exceeding the mtu
              (snaplen) nor anything like that.

       -W, --wifi-key <KEY>
              You can specify a key to decrypt WiFi packets (WEP or WPA).
              Only the packets decrypted successfully will be passed to the
              decoders stack, the others will be skipped with a message.
              For WEP the parameter has the syntax wep:bits:t:string, where
              'bits' is the bit length of the key (64, 128 or 256), 't' is
              the type of the string ('s' for string and 'p' for
              passphrase) and 'string' can be a string or an escaped hex
              sequence. For WPA the key is given either as a passphrase
              together with its SSID (wpa:pwd:passphrase:ssid) or directly
              as the 256-bit PSK in hex (wpa:psk:hexkey), as in the
              examples below.

              example:
              --wifi-key wep:128:p:secret
              --wifi-key wep:128:s:ettercapwep0
              --wifi-key 'wep:64:s:\x01\x02\x03\x04\x05'
              --wifi-key wpa:pwd:ettercapwpa:ssid
              --wifi-key wpa:psk:663eb260e87cf389c6bd7331b28d82f5203b0cae4e315f9cbb7602f3236708a6

       -a, --config <CONFIG>
              Loads an alternative config file instead of the default in
              /etc/etter.conf. This is useful if you have many
              preconfigured files for different situations.

       --certificate <FILE>
              Tells ettercap to use the specified certificate file for the
              SSL MiTM attack.

       --private-key <FILE>
              Tells ettercap to use the specified private key file for the
              SSL MiTM attack.

   VISUALIZATION OPTIONS

       -e, --regex <REGEX>
              Handle only packets that match the regex.
              This option is useful in conjunction with -L: it logs only
              packets that match the POSIX regex REGEX.
              It also affects the display of the sniffed packets: if it is
              set, only packets matching the regex will be displayed.

       -V, --visual <FORMAT>
              Use this option to set the visualization method for the packets
              to be displayed.

              FORMAT may be one of the following:

              hex    Print the packets in hex format.

                     example:

                     the string "HTTP/1.1 304 Not Modified" becomes:

                     0000: 4854 5450 2f31 2e31 2033 3034 204e 6f74  HTTP/1.1 304 Not
                     0010: 204d 6f64 6966 6965 64                   Modified

              ascii  Print only "printable" characters; the others are
                     displayed as dots '.'.

              text   Print only the "printable" characters and skip the
                     others.

              ebcdic Convert an EBCDIC text to ASCII.

              html   Strip all the HTML tags from the text. A tag is every
                     string between < and >.

                     example:

                     <title>This is the title</title>, but the following
                     <string> will not be displayed.

                     becomes:

                     This is the title, but the following will not be
                     displayed.

              utf8   Print the packets in UTF-8 format. The encoding used
                     while performing the conversion is declared in the
                     etter.conf(5) file.

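              As an added illustration (not ettercap's own code), the following C functions re-implement the hex, ascii, text and html display formats described above and can be run on the man page's own sample payload; the exact column spacing of the hex row (offset, 2-byte groups, two spaces, printable column) is an assumption, since the wrapped example above does not show it.

```c
/* Added example, not ettercap's own code: a re-implementation of the -V
 * "hex", "ascii", "text" and "html" display formats described above.    */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* hex: one "OFFS: xxxx xxxx ... <printable>" row for up to 16 bytes at buf
 * (packet offset 'off'); pairing as on the page, spacing assumed; out: 65 B. */
void vis_hex_row(const unsigned char *buf, size_t row, size_t off, char *out)
{
    if (row > 16) row = 16;
    int n = sprintf(out, "%04zx:", off);
    for (size_t i = 0; i < 16; i++) {
        if (i % 2 == 0) out[n++] = ' ';
        if (i < row) n += sprintf(out + n, "%02x", buf[i]);
        else { out[n++] = ' '; out[n++] = ' '; }   /* pad a short last row */
    }
    out[n++] = ' '; out[n++] = ' ';
    for (size_t i = 0; i < row; i++)
        out[n++] = isprint(buf[i]) ? (char)buf[i] : '.';
    out[n++] = '\n'; out[n] = '\0';
}

/* ascii (dots=1): non-printable bytes become '.'; text (dots=0): they are
 * dropped. out needs len+1 bytes. Returns the number of chars written. */
size_t vis_printable(const unsigned char *buf, size_t len, int dots, char *out)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (isprint(buf[i])) out[n++] = (char)buf[i];
        else if (dots) out[n++] = '.';
    }
    out[n] = '\0';
    return n;
}

/* html: drop every run from '<' to the next '>' (the page's definition of a
 * tag); surrounding whitespace is kept, so the page's sample gets 2 spaces. */
size_t vis_html(const char *in, char *out)
{
    size_t n = 0, in_tag = 0;
    for (; *in; in++) {
        if (*in == '<') in_tag = 1;
        else if (*in == '>' && in_tag) in_tag = 0;
        else if (!in_tag) out[n++] = *in;
    }
    out[n] = '\0';
    return n;
}
```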
       -d, --dns
              Resolve IP addresses into hostnames.

              NOTE: this may seriously slow down ettercap while logging
              passive information. Every time a new host is found, a query
              to the DNS is performed. Ettercap keeps a cache of already
              resolved hosts to increase the speed, but new hosts need a new
              query, and the DNS may take up to 2 or 3 seconds to respond
              for an unknown host.

              HINT: ettercap collects the DNS replies it sniffs in the
              resolution table, so even if you specify not to resolve the
              hostnames, some of them will be resolved because the reply was
              previously sniffed. Think of it as passive DNS resolution for
              free... ;)

       -E, --ext-headers
              Print extended headers for every displayed packet (e.g. MAC
              addresses).

       -Q, --superquiet
              Super quiet mode. Do not print users and passwords as they are
              collected; only store them in the profiles. This is useful when
              you run ettercap in text-only mode but do not want to be
              flooded with dissector messages. It is also useful when using
              plugins: since the sniffing process is always active, ettercap
              would print all the collected info, and this option suppresses
              those messages.
              NOTE: this option automatically sets the -q option.

              example:

                     ettercap -TzQP finger /192.168.0.1/22

   LOGGING OPTIONS

       -L, --log <LOGFILE>
              Log all the packets to binary files. These files can be parsed
              by etterlog(8) to extract human readable data. With this
              option, all packets sniffed by ettercap will be logged,
              together with all the passive info (host info + user & pass)
              it can collect. Given a LOGFILE, ettercap will create
              LOGFILE.ecp (for packets) and LOGFILE.eci (for the infos).

              NOTE: if you specify this option on the command line you don't
              have to take care of privileges, since the log file is opened
              in the startup phase (with high privs). But if you enable the
              log option while ettercap is already running, you have to be
              in a directory where uid = 65535 or uid = EC_UID can write.

              NOTE: the logfiles can be compressed with the deflate
              algorithm using the -c option.

       -l, --log-info <LOGFILE>
              Very similar to -L, but it logs only passive information plus
              users and passwords for each host. The file will be named
              LOGFILE.eci.

       -m, --log-msg <LOGFILE>
              Stores in <LOGFILE> all the user messages printed by ettercap.
              This can be useful when you are using ettercap in daemon mode
              or if you want to track down all the messages. Indeed, some
              dissectors print messages but their information is not stored
              anywhere, so this is the only way to keep track of them.

       -c, --compress
              Compress the logfile with the gzip algorithm while it is
              dumped. etterlog(8) is capable of handling both compressed and
              uncompressed log files.

       -o, --only-local
              Stores profile information belonging only to the LAN hosts.

              NOTE: this option is effective only for the profiles collected
              in memory. While logging to a file, ALL the hosts are logged.
              If you want to split them, use the related etterlog(8) option.

       -O, --only-remote
              Stores profile information belonging only to remote hosts.

   STANDARD OPTIONS

       -v, --version
              Print the version and exit.

       -h, --help
              Prints the help screen with a short summary of the available
              options.

EXAMPLES
       Here are some examples of using ettercap.

       ettercap -Tp
              Use the console interface and do not put the interface in
              promisc mode. You will see only your traffic.

       ettercap -Tzq
              Use the console interface, do not ARP scan the net and be
              quiet. The packet content will not be displayed, but users and
              passwords, as well as other messages, will be displayed.

       ettercap -T -j /tmp/victims -M arp /10.0.0.1-7/ /10.0.0.10-20/
              Will load the hosts list from /tmp/victims and perform an ARP
              poisoning attack against the two targets. The list will be
              joined with the targets and the resulting list is used for ARP
              poisoning.

       ettercap -T -M arp // //
              Perform the ARP poisoning attack against all the hosts in the
              LAN. BE CAREFUL !!

       ettercap -T -M arp:remote /192.168.1.1/ /192.168.1.2-10/
              Perform the ARP poisoning against the gateway and the hosts in
              the LAN between 2 and 10. The 'remote' option is needed to be
              able to sniff the remote traffic the hosts make through the
              gateway.

       ettercap -Tzq //110
              Sniff only the POP3 protocol from every host.

       ettercap -Tzq /10.0.0.1/21,22,23
              Sniff telnet, ftp and ssh connections to 10.0.0.1.

       ettercap -P list
              Prints the list of all available plugins.

FILES
       ~/.config/ettercap_gtk
              Stores persistent information (e.g., window placement) between
              sessions.

ORIGINAL AUTHORS
       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>

PROJECT STEWARDS
       Emilio Escobar (exfil) <eescobar@gmail.com>
       Eric Milam (Brav0Hax) <jbrav.hax@gmail.com>

OFFICIAL DEVELOPERS
       Mike Ryan (justfalter) <falter@gmail.com>
       Gianfranco Costamagna (LocutusOfBorg) <costamagnagianfranco@yahoo.it>
       Antonio Collarino (sniper) <anto.collarino@gmail.com>
       Ryan Linn <sussuro@happypacket.net>
       Jacob Baines <baines.jacob@gmail.com>

CONTRIBUTORS
       Dhiru Kholia (kholia) <dhiru@openwall.com>
       Alexander Koeppe (koeppea) <format_c@online.de>
       Martin Bos (PureHate) <purehate@backtrack.com>
       Enrique Sanchez
       Gisle Vanem <giva@bgnett.no>
       Johannes Bauer <JohannesBauer@gmx.de>
       Daten (Bryan Schneiders) <daten@dnetc.org>

SEE ALSO
       etter.conf(5) ettercap_curses(8) ettercap_plugins(8) etterlog(8)
       etterfilter(8) ettercap-pkexec(8)

AVAILABILITY
       https://github.com/Ettercap/ettercap/downloads

       git clone git://github.com/Ettercap/ettercap.git
       or
       git clone https://github.com/Ettercap/ettercap.git

BUGS
       Our software never has bugs.
       It just develops random features. ;)

       KNOWN-BUGS

       - ettercap doesn't handle fragmented packets... only the first
         segment will be displayed by the sniffer. However, all the
         fragments are correctly forwarded.

       + please send bug reports, patches or suggestions to
         <ettercap-betatesting@lists.sourceforge.net> or visit
         https://github.com/Ettercap/ettercap/issues.

       + to report a bug, follow the instructions in the README.BUGS file

PHILOLOGICAL HISTORY
       "Even if blessed with a feeble intelligence, they are cruel and
       smart..." this is the description of Ettercap, a monster of the RPG
       Advanced Dungeons & Dragons.

       The name "ettercap" was chosen because it has an assonance with
       "ethercap", which means "ethernet capture" (what ettercap actually
       does), and also because such monsters have a powerful poison... and
       you know, ARP poisoning... ;)

THE GANG
       (the fellowship of the packet)

       "One Ring to link them all, One Ring to ping them,
       one Ring to bring them all and in the darkness sniff them."

LAST WORDS
       "Programming today is a race between software engineers striving to
       build bigger and better idiot-proof programs, and the Universe trying
       to produce bigger and better idiots. So far, the Universe is
       winning."
       - Rich Cook

ettercap 0.8.3.1                                                    ETTERCAP(8)