ETTERCAP(8)                 System Manager's Manual                ETTERCAP(8)

NAME
       ettercap NG-0.7.3 - A multipurpose sniffer/content filter for man in
       the middle attacks

IMPORTANT NOTE
       Since ettercap NG (formerly 0.7.0), all the options have been changed.
       Even the target specification has been changed. Please read this man
       page carefully.

SYNOPSIS
       ettercap [OPTIONS] [TARGET1] [TARGET2]

       TARGET is in the form MAC/IPs/PORTs
       where IPs and PORTs can be ranges (e.g. /192.168.0.1-30,40,50/20,22,25)

DESCRIPTION
       Ettercap was born as a sniffer for switched LANs (and obviously also
       "hubbed" ones), but during the development process it has gained more
       and more features that have turned it into a powerful and flexible
       tool for man-in-the-middle attacks. It supports active and passive
       dissection of many protocols (even ciphered ones) and includes many
       features for network and host analysis (such as OS fingerprinting).

       It has two main sniffing options:

       UNIFIED: this method sniffs all the packets that pass on the cable.
       You can choose whether or not to put the interface in promisc mode (-p
       option). Packets not directed to the host running ettercap will be
       forwarded automatically using layer 3 routing. So you can use a mitm
       attack launched from a different tool and let ettercap modify the
       packets and forward them for you.
       The kernel ip_forwarding is always disabled by ettercap. This is done
       to prevent forwarding a packet twice (once by ettercap and once by the
       kernel). This is an invasive behaviour on gateways, so we recommend
       that you use ettercap on gateways ONLY with the UNOFFENSIVE MODE
       ENABLED. Since ettercap listens only on one network interface,
       launching it on the gateway in offensive mode will not allow packets
       to be rerouted back from the second interface.

       BRIDGED: it uses two network interfaces and forwards the traffic from
       one to the other while performing sniffing and content filtering. This
       sniffing method is totally stealthy since there is no way to find out
       that someone is in the middle on the cable. You can look at this
       method as a mitm attack at layer 1: you will be in the middle of the
       cable between two entities. Don't use it on gateways or it will
       transform your gateway into a bridge. HINT: you can use the content
       filtering engine to drop packets that should not pass. This way
       ettercap will work as an inline IPS ;)

       You can also perform man in the middle attacks while using the unified
       sniffing. You can choose the mitm attack that you prefer. The mitm
       attack module is independent from the sniffing and filtering process,
       so you can launch several attacks at the same time or use your own
       tool for the attack. The crucial point is that the packets have to
       arrive at ettercap with the correct mac address and a different ip
       address (only these packets will be forwarded).

       The most relevant ettercap features are:

       SSH1 support : you can sniff User and Pass, and even the data of an
       SSH1 connection. ettercap is the first software capable of sniffing an
       SSH connection in FULL-DUPLEX

       SSL support : you can sniff SSL secured data... a fake certificate is
       presented to the client and the session is decrypted.

       Character injection in an established connection : you can inject
       characters to the server (emulating commands) or to the client
       (emulating replies) while keeping the connection alive !!

       Packet filtering/dropping: you can set up a filter script that
       searches for a particular string (even hex) in the TCP or UDP payload
       and replaces it with yours or drops the entire packet. The filtering
       engine can match any field of the network protocols and modify
       whatever you want (see etterfilter(8)).

       Remote traffic sniffing through tunnels and route mangling: you can
       play with linux cooked interfaces or use the integrated plugin to
       sniff tunneled or route-mangled remote connections and perform mitm
       attacks on them.

       Plug-ins support : you can create your own plugin using ettercap's
       API.

       Password collector for : TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB,
       MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC,
       LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG (other protocols coming
       soon...)

       Passive OS fingerprint: you scan the LAN passively (without sending
       any packet) and gather detailed info about the hosts in the LAN:
       Operating System, running services, open ports, IP, mac address and
       network adapter vendor.

       Kill a connection: from the connections list you can kill all the
       connections you want

TARGET SPECIFICATION
       There is no concept of SOURCE nor DEST. The two targets are intended
       to filter traffic coming from one to the other and vice-versa (since
       the connection is bidirectional).

       TARGET is in the form MAC/IPs/PORTs. If you want you can omit any of
       its parts and this will represent an ANY in that part.
       e.g.
       "//80" means ANY mac address, ANY ip and ONLY port 80
       "/10.0.0.1/" means ANY mac address, ONLY ip 10.0.0.1 and ANY port

       MAC must be unique and in the form 00:11:22:33:44:55

       IPs is a range of IPs in dotted notation. You can specify a range with
       - (hyphen) and single ips with , (comma). You can also use ;
       (semicolon) to indicate different ip addresses.
       e.g.
       "10.0.0.1-5;10.0.1.33" expands into ip 10.0.0.1, 2, 3, 4, 5 and
       10.0.1.33

       PORTs is a range of PORTS. You can specify a range with - (hyphen)
       and single ports with , (comma).
       e.g.
       "20-25,80,110" expands into ports 20, 21, 22, 23, 24, 25, 80 and 110

       NOTE:
       you can reverse the matching of the TARGET by adding the -R option to
       the command line. So if you want to sniff ALL the traffic BUT the one
       coming or going to 10.0.0.1 you can specify "./ettercap -R /10.0.0.1/"

       NOTE:
       TARGETs are also responsible for the initial scan of the LAN. You can
       use them to restrict the scan to only a subset of the hosts in the
       netmask. The result of the merging between the two targets will be
       scanned. Remember that not specifying a target means "no target", but
       specifying "//" means "all the hosts in the subnet".

PRIVILEGES DROPPING
       ettercap needs root privileges to open the Link Layer sockets. After
       the initialization phase, the root privs are not needed anymore, so
       ettercap drops them to UID = 65535 (nobody). Since ettercap has to
       write (create) log files, it must be executed in a directory with the
       right permissions (e.g. /tmp/). If you want to drop privs to a
       different uid, you can export the environment variable EC_UID with the
       value of the uid you want to drop the privs to (e.g. export
       EC_UID=500) or set the correct parameter in the etter.conf file.

SSL MITM ATTACK
       While performing the SSL mitm attack, ettercap substitutes the real
       ssl certificate with its own. The fake certificate is created on the
       fly and all the fields are filled according to the real cert presented
       by the server. Only the issuer is modified and signed with the private
       key contained in the 'etter.ssl.crt' file. If you want to use a
       different private key you have to regenerate this file. To regenerate
       the cert file use the following commands:

              openssl genrsa -out etter.ssl.crt 1024
              openssl req -new -key etter.ssl.crt -out tmp.csr
              openssl x509 -req -days 1825 -in tmp.csr \
                      -signkey etter.ssl.crt -out tmp.new
              cat tmp.new >> etter.ssl.crt
              rm -f tmp.new tmp.csr

       NOTE: SSL mitm is not available (for now) in bridged mode.

OPTIONS
       Options that make sense together can generally be combined. ettercap
       will warn the user about unsupported option combinations.

   SNIFFING AND ATTACK OPTIONS
       ettercap NG has a new unified sniffing method. This implies that
       ip_forwarding in the kernel is always disabled and the forwarding is
       done by ettercap. Every packet with destination mac address equal to
       the host's mac address and destination ip address different from the
       one bound to the iface will be forwarded by ettercap. Before
       forwarding them, ettercap can content filter, sniff, log or drop them.
       It does not matter how these packets are hijacked, ettercap will
       process them. You can even use external programs to hijack packets.
       You have full control of what ettercap should receive. You can use the
       internal mitm attacks, set the interface in promisc mode, use plugins
       or use any method you want.

       IMPORTANT NOTE: if you run ettercap on a gateway, remember to re-enable
       the ip_forwarding after you have killed ettercap. Since ettercap drops
       its privileges, it cannot restore the ip_forwarding for you.

       -M, --mitm <METHOD:ARGS>
              MITM attack
              This option will activate the man in the middle attack. The
              mitm attack is totally independent from the sniffing. The aim
              of the attack is to hijack packets and redirect them to
              ettercap. The sniffing engine will forward them if necessary.
              You can choose the mitm attack that you prefer and also combine
              some of them to perform different attacks at the same time.
              If a mitm method requires some parameters you can specify them
              after the colon. (e.g. -M dhcp:ip_pool,netmask,etc )

              The following mitm attacks are available:

              arp ([remote],[oneway])
                     This method implements the ARP poisoning mitm attack.
                     ARP requests/replies are sent to the victims to poison
                     their ARP cache. Once the cache has been poisoned the
                     victims will send all packets to the attacker which, in
                     turn, can modify and forward them to the real
                     destination.

                     In silent mode (-z option) only the first target is
                     selected; if you want to poison multiple targets in
                     silent mode use the -j option to load a list from a
                     file.

                     You can select empty targets and they will be expanded
                     as 'ANY' (all the hosts in the LAN). The target list is
                     joined with the hosts list (created by the arp scan) and
                     the result is used to determine the victims of the
                     attack.

                     The parameter "remote" is optional and you have to
                     specify it if you want to sniff remote ip addresses by
                     poisoning a gateway. Indeed if you specify a victim and
                     the gw in the TARGETS, ettercap will sniff only the
                     connections between them, but to enable ettercap to
                     sniff connections that pass thru the gw, you have to use
                     this parameter.

                     The parameter "oneway" will force ettercap to poison
                     only from TARGET1 to TARGET2. Useful if you want to
                     poison only the client and not the router (where an arp
                     watcher can be in place).

                     Example:

                     the targets are: /10.0.0.1-5/ /10.0.0.15-20/
                     and the host list is: 10.0.0.1 10.0.0.3 10.0.0.16
                     10.0.0.18

                     the associations between the victims will be:
                     1 and 16, 1 and 18, 3 and 16, 3 and 18

                     if the targets overlap each other, the association with
                     identical ip addresses will be skipped.

                     NOTE: if you manage to poison a client, you have to set
                     a correct routing table in the kernel specifying the GW.
                     If your routing table is incorrect, the poisoned clients
                     will not be able to navigate the Internet.

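The TARGET syntax from the TARGET SPECIFICATION section and the arp victim pairing just described, worked as an added Python example (this is not ettercap's code; it lets someone reviewing an invocation see exactly which hosts it covers, and it assumes that a range or comma list is accepted in every octet, which the man page only shows for the last one):

```python
"""ettercap-style TARGET parsing and arp victim pairing (added example).

Not ettercap's own code: it follows the TARGET SPECIFICATION section of
this man page and the association rule given for the arp mitm method.
Assumption: a range ("1-5") or comma list is accepted in every octet, not
only in the last one shown in the man page examples.
"""
import itertools
import re

MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")


def expand_numbers(spec, lo, hi):
    """'20-25,80,110' -> {20, ..., 25, 80, 110}; '' -> None, meaning ANY."""
    if spec == "":
        return None
    out = set()
    for item in spec.split(","):
        if "-" in item:
            first, last = (int(x) for x in item.split("-", 1))
        else:
            first = last = int(item)
        if not lo <= first <= last <= hi:
            raise ValueError("value out of range: %r" % item)
        out.update(range(first, last + 1))
    return out


def expand_ips(spec):
    """'10.0.0.1-5;10.0.1.33' -> {'10.0.0.1', ..., '10.0.0.5', '10.0.1.33'}.

    ';' separates independent address groups; within a group each octet is
    expanded like a port spec and the expanded octets are combined.
    """
    if spec == "":
        return None
    out = set()
    for group in spec.split(";"):
        octets = group.split(".")
        if len(octets) != 4 or "" in octets:
            raise ValueError("not a dotted quad: %r" % group)
        per_octet = [sorted(expand_numbers(o, 0, 255)) for o in octets]
        for combo in itertools.product(*per_octet):
            out.add(".".join(str(n) for n in combo))
    return out


class Target:
    """One MAC/IPs/PORTs argument; an empty part means ANY (stored as None)."""

    def __init__(self, spec, reverse=False):
        parts = spec.split("/")
        if len(parts) != 3:
            raise ValueError("TARGET must be MAC/IPs/PORTs: %r" % spec)
        mac, ips, ports = parts
        if mac and not MAC_RE.match(mac):
            raise ValueError("bad MAC address: %r" % mac)
        self.mac = mac.lower() or None
        self.ips = expand_ips(ips)
        self.ports = expand_numbers(ports, 0, 65535)
        self.reverse = reverse  # the -R flag: match everything BUT the target

    def matches(self, mac, ip, port):
        hit = ((self.mac is None or self.mac == mac.lower())
               and (self.ips is None or ip in self.ips)
               and (self.ports is None or port in self.ports))
        return (not hit) if self.reverse else hit


def arp_victims(target1, target2, hosts):
    """Pair the hosts of TARGET1 with those of TARGET2, as the arp method does.

    Each target is joined with the host list built by the arp scan (an empty
    target expands to ANY); pairs binding an ip to itself are skipped, which
    is what happens when the two targets overlap.
    """
    group1 = [h for h in hosts if target1.ips is None or h in target1.ips]
    group2 = [h for h in hosts if target2.ips is None or h in target2.ips]
    return sorted((a, b) for a in group1 for b in group2 if a != b)


if __name__ == "__main__":
    # The man page's own example: two targets and a four-host scan result.
    scanned = ["10.0.0.1", "10.0.0.3", "10.0.0.16", "10.0.0.18"]
    pairs = arp_victims(Target("/10.0.0.1-5/"), Target("/10.0.0.15-20/"), scanned)
    for pair in pairs:
        print("%s <-> %s" % pair)
```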
              icmp (MAC/IP)
                     This attack implements ICMP redirection. It sends a
                     spoofed icmp redirect message to the hosts in the lan
                     pretending to be a better route for the internet. All
                     connections to the internet will be redirected to the
                     attacker which, in turn, will forward them to the real
                     gateway. The resulting attack is a HALF-DUPLEX mitm.
                     Only the client is redirected, since the gateway will
                     not accept redirect messages for a directly connected
                     network. BE SURE TO NOT USE FILTERS THAT MODIFY THE
                     PAYLOAD LENGTH. You can use a filter to modify packets,
                     but the length must be the same since the tcp sequences
                     cannot be updated in both directions.
                     You have to pass as argument the MAC and the IP address
                     of the real gateway for the lan.
                     Obviously you have to be able to sniff all the traffic.
                     If you are on a switch you have to use a different mitm
                     attack such as arp poisoning.

                     NOTE: to restrict the redirection to a given target,
                     specify it as a TARGET

                     Example:

                     -M icmp:00:11:22:33:44:55/10.0.0.1

                     will redirect all the connections that pass thru that
                     gateway.

              dhcp (ip_pool/netmask/dns)
                     This attack implements DHCP spoofing. It pretends to be
                     a DHCP server and tries to win the race with the real
                     one to force the client to accept the attacker's reply.
                     This way ettercap is able to manipulate the GW parameter
                     and hijack all the outgoing traffic generated by the
                     clients.
                     The resulting attack is a HALF-DUPLEX mitm. So be sure
                     to use appropriate filters (see above in the ICMP
                     section).

                     You have to pass the ip pool to be used, the netmask and
                     the ip of the dns server. Since ettercap tries to win
                     the race with the real server, it DOES NOT CHECK if the
                     ip is already assigned. You have to specify an ip pool
                     of FREE addresses to be used. The ip pool has the same
                     form as the target specification.

                     If the client sends a dhcp request (suggesting an ip
                     address) ettercap will ack on that ip and modify only
                     the gw option. If the client makes a dhcp discovery,
                     ettercap will use the first unused ip address of the
                     list you have specified on the command line. Every
                     discovery consumes an ip address. When the list is
                     exhausted, ettercap stops offering new ip addresses and
                     will reply only to dhcp requests.
                     If you don't want to offer any ip address, but only
                     change the router information of dhcp request/ack, you
                     can specify an empty ip_pool.

                     BIG WARNING: if you specify a list of ips that are in
                     use, you will mess up your network! In general, use this
                     attack carefully. It can really mess things up! When you
                     stop the attack, all the victims will still be convinced
                     that ettercap is the gateway until the lease expires...

                     Example:

                     -M dhcp:192.168.0.30,35,50-60/255.255.255.0/192.168.0.1
                     reply to DHCP offer and request.

                     -M dhcp:/255.255.255.0/192.168.0.1
                     reply only to DHCP request.

              port ([remote],[tree])
                     This attack implements Port Stealing. This technique is
                     useful to sniff in a switched environment when ARP
                     poisoning is not effective (for example where statically
                     mapped ARPs are used).

                     It floods the LAN (based on the port_steal_delay option
                     in etter.conf) with ARP packets. If you don't specify
                     the "tree" option, the destination MAC address of each
                     "stealing" packet is the same as the attacker's one
                     (other NICs won't see these packets), and the source MAC
                     address will be one of the MACs in the host list. This
                     process "steals" the switch port of each victim host in
                     the host list. Using low delays, packets destined to
                     "stolen" MAC addresses will be received by the attacker,
                     winning the race with the real port owner.
                     When the attacker receives packets for "stolen" hosts,
                     it stops the flooding process and performs an ARP
                     request for the real destination of the packet. When it
                     receives the ARP reply it is sure that the victim has
                     "taken back" its port, so ettercap can re-send the
                     packet to the destination as is. Now the flooding
                     process can be restarted while waiting for new packets.

                     If you use the "tree" option, the destination MAC
                     address of each stealing packet will be a bogus one, so
                     these packets will be propagated to other switches (not
                     only the directly connected one). This way you will be
                     able to steal ports on other switches in the tree (if
                     any), but you will generate a huge amount of traffic
                     (according to port_steal_delay). The "remote" option has
                     the same meaning as in the "arp" mitm method.

                     When you stop the attack, ettercap will send an ARP
                     request to each stolen host, giving back their switch
                     ports.
                     You can perform either HALF or FULL DUPLEX mitm
                     according to the target selection.

                     NOTE: Use this mitm method only on ethernet switches.
                     Use it carefully, it could produce performance loss or
                     general havoc.

                     NOTE: You can NOT use this method in only-mitm mode (-o
                     flag), because it hooks the sniffing engine, and you
                     can't use interactive data injection.

                     NOTE: It could be dangerous to use it in conjunction
                     with other mitm methods.

                     NOTE: This mitm method doesn't work on Solaris and
                     Windows because of the libpcap and libnet design and the
                     lack of certain ioctl(). (We will feature this method on
                     these OSes if someone requests it...)

                     Example:

                     The targets are: /10.0.0.1/ /10.0.0.15/
                     You will intercept and visualize traffic between
                     10.0.0.1 and 10.0.0.15, but you will receive all the
                     traffic for 10.0.0.1 and 10.0.0.15 too.

                     The target is: /10.0.0.1/
                     You will intercept and visualize all the traffic for
                     10.0.0.1.

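The arp method above notes that an "arp watcher" may be in place on the router side. As an added defender-side example (not part of ettercap), the following minimal watcher flags the ip-to-MAC binding changes that ARP cache poisoning produces, run over constructed ARP reply records:

```python
"""Minimal ARP watcher (added defender-side example, not ettercap code).

The arp mitm method poisons a victim's cache with ARP replies that bind
another host's ip (typically the gateway's) to the attacker's MAC. A watcher
keeps the ip-to-MAC bindings it has seen and alerts when a binding changes
or when one MAC claims several ips. Because the "oneway" argument poisons
only the client, a watcher on the router alone would miss that variant; the
clients need one too. The records below are constructed for the demo.
"""
from collections import defaultdict

# Constructed sample: (seq, arp opcode, sender ip, sender MAC); opcode 2 = reply.
SAMPLE_ARP = [
    (1, 2, "10.0.0.1", "00:11:22:33:44:55"),   # gateway answers normally
    (2, 2, "10.0.0.16", "aa:bb:cc:dd:ee:16"),
    (3, 2, "10.0.0.18", "aa:bb:cc:dd:ee:18"),
    (4, 2, "10.0.0.1", "de:ad:be:ef:00:01"),   # gateway ip now bound to a new MAC
    (5, 2, "10.0.0.16", "aa:bb:cc:dd:ee:16"),  # benign repeat, no alert
    (6, 2, "10.0.0.16", "de:ad:be:ef:00:01"),  # same MAC claims a second ip
    (7, 1, "10.0.0.18", "aa:bb:cc:dd:ee:18"),  # a request, ignored
    (8, 2, "10.0.0.1", "de:ad:be:ef:00:01"),   # poison refreshed periodically
]


class ArpWatcher:
    def __init__(self, trusted=None, max_ips_per_mac=1):
        # Static bindings the operator vouches for (e.g. the gateway) win
        # over anything learned from the wire.
        self.trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.learned = {}                 # ip -> first MAC seen for it
        self.ips_by_mac = defaultdict(set)
        self.max_ips_per_mac = max_ips_per_mac
        self.alerts = []

    def observe(self, seq, opcode, ip, mac):
        """Feed one ARP packet; returns the alerts it raised (possibly none)."""
        if opcode != 2:
            return []  # only replies (gratuitous ones included) rewrite caches
        mac = mac.lower()
        raised = []
        expected = self.trusted.get(ip, self.learned.get(ip))
        if expected is None:
            self.learned[ip] = mac
        elif expected != mac:
            # The first binding is kept on purpose: a legitimate NIC swap
            # needs an operator acknowledgement, not silent relearning.
            raised.append((seq, "binding-change", ip, expected, mac))
        claimed = self.ips_by_mac[mac]
        if ip not in claimed:
            claimed.add(ip)
            if len(claimed) > self.max_ips_per_mac:
                raised.append((seq, "multi-ip-mac", mac, tuple(sorted(claimed))))
        self.alerts.extend(raised)
        return raised


def run_sample(records=SAMPLE_ARP):
    """Replay the constructed records with the gateway binding pinned."""
    watcher = ArpWatcher(trusted={"10.0.0.1": "00:11:22:33:44:55"})
    for rec in records:
        watcher.observe(*rec)
    return watcher.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```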
       -o, --only-mitm
              This option disables the sniffing thread and enables only the
              mitm attack. Useful if you want to use ettercap to perform mitm
              attacks and another sniffer (such as ethereal) to sniff the
              traffic. Keep in mind that the packets are not forwarded by
              ettercap. The kernel will be responsible for the forwarding.
              Remember to activate the "ip forwarding" feature in your kernel.

       -f, --pcapfilter <FILTER>
              Set a capturing filter in the pcap library. The format is the
              same as tcpdump(1). Remember that this kind of filter will not
              sniff packets out of the wire, so if you want to perform a mitm
              attack, ettercap will not be able to forward hijacked packets.
              These filters are useful to decrease the network load impact
              on the ettercap decoding module.

       -B, --bridge <IFACE>
              BRIDGED sniffing
              You need two network interfaces. ettercap will forward from one
              to the other all the traffic it sees. It is useful for man in
              the middle at the physical layer. It is totally stealthy since
              it is passive and there is no way for a user to see the
              attacker.
              You can content filter all the traffic as if you were a
              transparent proxy for the "cable".

   OFF LINE SNIFFING
       -r, --read <FILE>
              OFF LINE sniffing
              With this option enabled, ettercap will sniff packets from a
              pcap compatible file instead of capturing from the wire.
              This is useful if you have a file dumped from tcpdump or
              ethereal and you want to make an analysis (search for passwords
              or passive fingerprint) on it.
              Obviously you cannot use "active" sniffing (arp poisoning or
              bridging) while sniffing from a file.

       -w, --write <FILE>
              WRITE packets to a pcap file
              This is useful if you have to use "active" sniffing (arp
              poisoning) on a switched LAN but you want to analyze the
              packets with tcpdump or ethereal. You can use this option to
              dump the packets to a file and then load it into your favourite
              application.

              NOTE: the dump file collects ALL the packets, disregarding the
              TARGET. This is done because you may want to log even protocols
              not supported by ettercap, so you can analyze them with other
              tools.

              TIP: you can use the -w option in conjunction with the -r one.
              This way you will be able to filter the payload of the dumped
              packets or decrypt WEP-encrypted WiFi traffic and dump them to
              another file.

   USER INTERFACES OPTIONS
       -T, --text
              The text only interface, only printf ;)
              It is quite interactive; press 'h' at any moment to get help
              on what you can do.

       -q, --quiet
              Quiet mode. It can be used only in conjunction with the console
              interface. It does not print packet content. It is useful if
              you want to convert a pcap file to ettercap log files.

              example:

              ettercap -Tq -L dumpfile -r pcapfile

       -s, --script <COMMANDS>
              With this option you can feed ettercap with commands as if they
              were typed on the keyboard by the user. This way you can use
              ettercap within your favourite scripts. There is a special
              command you can issue thru this option: s(x). This command will
              sleep for x seconds.

              example:

              ettercap -T -s 'lq' will print the list of the hosts and exit
              ettercap -T -s 's(300)olqq' will collect the infos for 5
              minutes, print the list of the local profiles and exit

       -C, --curses
              Ncurses based GUI. See ettercap_curses(8) for a full
              description.

       -G, --gtk
              The nice GTK2 interface (thanks Daten...).

       -D, --daemonize
              Daemonize ettercap. This option will detach ettercap from the
              current controlling terminal and set it as a daemon. You can
              combine this feature with the "log" option to log all the
              traffic in the background. If the daemon fails for any reason,
              it will create the file "./ettercap_daemonized.log" in which
              the error caught by ettercap will be reported. Furthermore, if
              you want to have a complete debug of the daemon process, you
              are encouraged to recompile ettercap in debug mode.

   GENERAL OPTIONS
       -i, --iface <IFACE>
              Use this <IFACE> instead of the default one. The interface can
              be unconfigured (requires libnet >= 1.1.2), but in this case
              you cannot use MITM attacks and you should set the unoffensive
              flag.

       -I, --iflist
              This option will print the list of all available network
              interfaces that can be used within ettercap. The option is
              particularly useful under windows where the name of the
              interface is not as obvious as under *nix.

       -n, --netmask <NETMASK>
              Use this <NETMASK> instead of the one associated with the
              current iface. This option is useful if your NIC has an
              associated netmask of class B and you want to scan (with the
              arp scan) only a class C.

       -R, --reversed
              Reverse the matching in the TARGET selection. It means
              not(TARGET). All but the selected TARGET.

       -t, --proto <PROTO>
              Sniff only PROTO packets (default is TCP + UDP).
              This is useful if you want to select a port via the TARGET
              specification but you want to differentiate between tcp and
              udp.
              PROTO can be "tcp", "udp" or "all" for both.

       -z, --silent
              Do not perform the initial ARP scan of the LAN.

              NOTE: you will not have the hosts list, so you can't use the
              multipoison feature. You can only select two hosts for an ARP
              poisoning attack, specifying them through the TARGETs

       -p, --nopromisc
              Usually, ettercap will put the interface in promisc mode to
              sniff all the traffic on the wire. If you want to sniff only
              your own connections, use this flag to NOT enable promisc mode.

       -u, --unoffensive
              Every time ettercap starts, it disables ip forwarding in the
              kernel and begins to forward packets itself. This option
              prevents that, so the responsibility for ip forwarding is left
              to the kernel.
              This option is useful if you want to run multiple ettercap
              instances. You will have one instance (the one without the -u
              option) forwarding the packets, and all the other instances
              doing their work without forwarding them. Otherwise you will
              get packet duplicates.
              It also disables the internal creation of the sessions for each
              connection. It increases performance, but you will not be able
              to modify packets on the fly.
              If you want to use a mitm attack you have to use a separate
              instance.
              You have to use this option if the interface is unconfigured
              (without an ip address).
              This is also useful if you want to run ettercap on the gateway.
              It will not disable the forwarding and the gateway will
              correctly route the packets.

       -j, --load-hosts <FILENAME>
              It can be used to load a hosts list from a file created by the
              -k option. (see below)

       -k, --save-hosts <FILENAME>
              Saves the hosts list to a file. Useful when you have many hosts
              and you don't want to do an ARP storm at startup every time you
              use ettercap. Simply use this option to dump the list to a
              file, then use the -j <filename> option to load the information
              from it.

       -P, --plugin <PLUGIN>
              Run the selected PLUGIN. Many plugins need a target
              specification; use TARGET as always.
              In console mode (-C option), standalone plugins are executed
              and then the application exits. Hook plugins are activated and
              the normal sniffing is performed.
              To have a list of the available external plugins use "list"
              (without quotes) as plugin name (e.g. ./ettercap -P list).

              NOTE: you can also activate plugins directly from the
              interfaces (always press "h" to get the inline help)

              More detailed info about plugins and about how to write your
              own is found in the man page ettercap_plugin(8)

       -F, --filter <FILE>
              Load the filter from the file <FILE>. The filter must be
              compiled with etterfilter(8). The utility will compile the
              filter script and produce an ettercap-compliant binary filter
              file. Read the etterfilter(8) man page for the list of
              functions you can use inside a filter script.
              NOTE: these filters are different from those set with
              --pcapfilter. An ettercap filter is a content filter and can
              modify the payload of a packet before forwarding it. Pcap
              filters are used to capture only certain packets.
              NOTE: you can use filters on a pcap file to modify it and save
              to another file, but in this case you have to pay attention to
              what you are doing, since ettercap will not recalculate
              checksums, nor split packets exceeding the mtu (snaplen), nor
              anything like that.

       -W, --wep-key <KEY>
              You can specify a WEP key to decrypt WiFi packets. Only the
              packets decrypted successfully will be passed to the decoders
              stack; the others will be skipped with a message.
              The parameter has the following syntax: N:T:KEY, where N is the
              bit length of the wep key (64, 128 or 256), T is the type of
              the string ('s' for string and 'p' for passphrase) and KEY can
              be a string or an escaped hex sequence.

              example:
              --wep-key 128:p:secret
              --wep-key 128:s:ettercapwep0
              --wep-key '64:s:\x01\x02\x03\x04\x05'

       -a, --config <CONFIG>
              Loads an alternative config file instead of the default in
              /etc/etter.conf. This is useful if you have many preconfigured
              files for different situations.

   VISUALIZATION OPTIONS
       -e, --regex <REGEX>
              Handle only packets that match the regex.
              This option is useful in conjunction with -L. It logs only
              packets that match the posix regex REGEX.
              It also affects the visualization of the sniffed packets. If it
              is set, only packets matching the regex will be displayed.

       -V, --visual <FORMAT>
              Use this option to set the visualization method for the packets
              to be displayed.

              FORMAT may be one of the following:

              hex    Print the packets in hex format.

                     example:

                     the string "HTTP/1.1 304 Not Modified" becomes:

                     0000: 4854 5450 2f31 2e31 2033 3034 204e 6f74  HTTP/1.1 304 Not
                     0010: 204d 6f64 6966 6965 64                   Modified

              ascii  Print only "printable" characters; the others are
                     displayed as dots '.'

              text   Print only the "printable" characters and skip the
                     others.

              ebcdic Convert an EBCDIC text to ASCII.

              html   Strip all the html tags from the text. A tag is every
                     string between < and >.

                     example:

                     <title>This is the title</title>, but the following
                     <string> will not be displayed.

                     becomes:

                     This is the title, but the following will not be
                     displayed.

              utf8   Print the packets in UTF-8 format. The encoding used
                     while performing the conversion is declared in the
                     etter.conf(5) file.

       -d, --dns
              Resolve ip addresses into hostnames.

              NOTE: this may seriously slow down ettercap while logging
              passive information. Every time a new host is found, a query to
              the dns is performed. Ettercap keeps a cache of already
              resolved hosts to increase the speed, but new hosts need a new
              query and the dns may take up to 2 or 3 seconds to respond for
              an unknown host.

              HINT: ettercap collects the dns replies it sniffs in the
              resolution table, so even if you specify not to resolve the
              hostnames, some of them will be resolved because the reply was
              previously sniffed. Think about it as a passive dns resolution
              for free... ;)

       -E, --ext-headers
              Print extended headers for every displayed packet. (e.g. mac
              addresses)

       -Q, --superquiet
              Super quiet mode. Do not print users and passwords as they are
              collected. Only store them in the profiles. It can be useful if
              you run ettercap in text only mode but you don't want to be
              flooded with dissector messages. Useful when using plugins:
              because the sniffing process is always active, it will print
              all the collected infos, and with this option you can suppress
              these messages.
              NOTE: this option automatically sets the -q option.

              example:

              ettercap -TzQP finger /192.168.0.1/22

   LOGGING OPTIONS
       -L, --log <LOGFILE>
              Log all the packets to binary files. These files can be parsed
              by etterlog(8) to extract human readable data. With this
              option, all packets sniffed by ettercap will be logged,
              together with all the passive info (host info + user & pass) it
              can collect. Given a LOGFILE, ettercap will create LOGFILE.ecp
              (for packets) and LOGFILE.eci (for the infos).

              NOTE: if you specify this option on the command line you don't
              have to take care of privileges since the log file is opened in
              the startup phase (with high privs). But if you enable the log
              option while ettercap is already started, you have to be in a
              directory where uid = 65535 or uid = EC_UID can write.

              NOTE: the logfiles can be compressed with the deflate algorithm
              using the -c option.

       -l, --log-info <LOGFILE>
              Very similar to -L but it logs only passive information + users
              and passwords for each host. The file will be named LOGFILE.eci

       -m, --log-msg <LOGFILE>
              It stores in <LOGFILE> all the user messages printed by
              ettercap. This can be useful when you are using ettercap in
              daemon mode or if you want to track down all the messages.
              Indeed, some dissectors print messages but their information
              is not stored anywhere, so this is the only way to keep track
              of them.

       -c, --compress
              Compress the logfile with the gzip algorithm while it is
              dumped. etterlog(8) is capable of handling both compressed and
              uncompressed log files.

       -o, --only-local
              Stores profile information belonging only to the LAN hosts.

              NOTE: this option is effective only for the profiles collected
              in memory. While logging to a file ALL the hosts are logged. If
              you want to split them, use the related etterlog(8) option.

       -O, --only-remote
              Stores profile information belonging only to remote hosts.

   STANDARD OPTIONS
       -U, --update
              Connects to the ettercap website (ettercap.sf.net) and
              retrieves the latest databases used by ettercap.
              If you only want to check whether an update is available,
              prepend the -z option. The order does matter: ettercap -zU

              SECURITY NOTE: The updates are not signed, so an attacker may
              poison your DNS server and force the updateNG.php to feed
              ettercap with fake databases. This can harm your system since
              it can overwrite any file containing the string "Revision: ".

       -v, --version
              Print the version and exit.

       -h, --help
              Prints the help screen with a short summary of the available
              options.

EXAMPLES
       Here are some examples of using ettercap.

       ettercap -Tp

              Use the console interface and do not put the interface in
              promisc mode. You will see only your traffic.

       ettercap -Tzq

              Use the console interface, do not ARP scan the net and be quiet.
              The packet content will not be displayed, but users and
              passwords, as well as other messages, will be displayed.

       ettercap -T -j /tmp/victims -M arp /10.0.0.1-7/ /10.0.0.10-20/

              Will load the hosts list from /tmp/victims and perform an ARP
              poisoning attack against the two targets. The list will be
              joined with the targets and the resulting list is used for ARP
              poisoning.

       ettercap -T -M arp // //

              Perform the ARP poisoning attack against all the hosts in the
              LAN. BE CAREFUL !!

       ettercap -T -M arp:remote /192.168.1.1/ /192.168.1.2-10/

              Perform the ARP poisoning against the gateway and the hosts in
              the lan between 2 and 10. The 'remote' option is needed to be
              able to sniff the remote traffic the hosts make through the
              gateway.

       ettercap -Tzq //110

              Sniff only the pop3 protocol from every host.

       ettercap -Tzq /10.0.0.1/21,22,23

              Sniff telnet, ftp and ssh connections to 10.0.0.1.

       ettercap -P list

              Prints the list of all available plugins

ORIGINAL AUTHORS
       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>

SEE ALSO
       etter.conf(5) ettercap_curses(8) ettercap_plugins(8) etterlog(8)
       etterfilter(8)

AVAILABILITY
       http://ettercap.sourceforge.net/download/

CVS
       cvs -d:pserver:anonymous@cvs.ettercap.sf.net:/cvsroot/ettercap login
       cvs -d:pserver:anonymous@cvs.ettercap.sf.net:/cvsroot/ettercap co ettercap_ng

BUGS
       Our software never has bugs.
       It just develops random features. ;)

       KNOWN-BUGS

       - ettercap doesn't handle fragmented packets... only the first segment
         will be displayed by the sniffer. However all the fragments are
         correctly forwarded.

       + please send bug reports, patches or suggestions to
         <alor@users.sourceforge.net> or visit
         http://ettercap.sourceforge.net/forum/ and post them in the BUGS
         section.

       + to report a bug, follow the instructions in the README.BUGS file

HISTORY
       "Even if blessed with a feeble intelligence, they are cruel and
       smart..." this is the description of Ettercap, a monster of the RPG
       Advanced Dungeons & Dragons.

       The name "ettercap" was chosen because it has an assonance with
       "ethercap" which means "ethernet capture" (what ettercap actually
       does) and also because such monsters have a powerful poison... and you
       know, arp poisoning... ;)

       (the fellowship of the packet)

       "One Ring to link them all, One Ring to ping them,
       one Ring to bring them all and in the darkness sniff them."

       "Programming today is a race between software engineers striving to
       build bigger and better idiot-proof programs, and the Universe trying
       to produce bigger and better idiots. So far, the Universe is winning."
       - Rich Cook

ettercap NG-0.7.3                                                  ETTERCAP(8)