Ettercap

From aldeid
DRAFT: This page is still a draft. Thank you for your understanding.

Description

INCOMPLETE SECTION: This section is still being written and is therefore not complete. Thank you for your understanding.

Installation

This installs ettercap-ng 0.7.3 together with its GTK front-end (package names as used on Debian-based distributions such as Ubuntu or BackTrack):

$ sudo apt-get install ettercap ettercap-gtk

Configuration

INCOMPLETE SECTION: This section is still being written and is therefore not complete. Thank you for your understanding.

Usage

CLI

Syntax

$ ettercap [OPTIONS] [TARGET1] [TARGET2]

TARGET is in the format MAC/IPs/PORTs; an empty field means "any" (see the man page for further details).
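As an added illustration (not code from ettercap or from the original page), here is a small Python parser and matcher for the TARGET syntax above, following the rules in the ettercap man page: an empty field means ANY, IPs accept hyphen ranges and comma/semicolon lists (e.g. 10.0.0.1-5;10.0.1.33), and PORTs accept ranges and lists (e.g. 20-25,80,110). Two assumptions go beyond the page: the reverse flag reads -R as "everything except the target", and hyphen ranges are accepted in any octet, not only the last one shown in the man page example.

```python
import ipaddress
import itertools
import re
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

def _rng(part, top):
    """'a-b' or 'a' -> range(a, b+1), bounds-checked against 0..top."""
    lo, _, hi = part.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= top:
        raise ValueError(f"bad range: {part!r}")
    return range(lo, hi + 1)

def _expand_ports(spec):
    """'20-25,80,110' -> {20..25, 80, 110}; an empty field means ANY (None)."""
    if not spec:
        return None
    return {p for part in spec.split(",") for p in _rng(part, 65535)}

def _expand_ips(spec):
    """'10.0.0.1-5;10.0.1.33' -> set of IPv4Address; empty means ANY. Ranges in any octet (assumed)."""
    if not spec:
        return None
    ips = set()
    for part in re.split("[;,]", spec):
        octets = part.split(".")
        if len(octets) != 4:
            raise ValueError(f"bad IP spec: {part!r}")
        for a, b, c, d in itertools.product(*(_rng(o, 255) for o in octets)):
            ips.add(ipaddress.IPv4Address(f"{a}.{b}.{c}.{d}"))
    return ips

def parse_target(spec):
    """Parse 'MAC/IPs/PORTs' into (mac or None, ip set or None, port set or None)."""
    fields = spec.split("/")
    if len(fields) != 3:
        raise ValueError("TARGET must be MAC/IPs/PORTs (exactly two slashes)")
    mac, ips, ports = fields
    if mac and not MAC_RE.match(mac):
        raise ValueError(f"bad MAC: {mac!r}")
    return (mac.lower() or None, _expand_ips(ips), _expand_ports(ports))

def matches(target, mac, ip, port, reverse=False):
    """Is (mac, ip, port) selected by target? reverse=True mimics -R (assumed: everything except the target)."""
    t_mac, t_ips, t_ports = target
    hit = ((t_mac is None or mac.lower() == t_mac) and
           (t_ips is None or ipaddress.IPv4Address(ip) in t_ips) and
           (t_ports is None or port in t_ports))
    return not hit if reverse else hit
```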

Options

Sniffing and Attack options

-M, --mitm <METHOD:ARGS>
    perform a MITM attack
-o, --only-mitm
    do not sniff, only perform the MITM attack
-B, --bridge <IFACE>
    use bridged sniffing (needs 2 interfaces)
-p, --nopromisc
    do not put the interface in promiscuous mode
-u, --unoffensive
    do not forward packets
-r, --read <file>
    read data from the pcap file <file>
-f, --pcapfilter <string>
    set the pcap filter <string>
-R, --reversed
    use reversed TARGET matching
-t, --proto <proto>
    sniff only this protocol (default is all)

User Interface Type

-T, --text
    use the text-only GUI
-q, --quiet
    do not display packet contents
-s, --script <CMD>
    issue these commands to the GUI
-C, --curses
    use the curses GUI
-G, --gtk
    use the GTK+ GUI
-D, --daemon
    daemonize ettercap (no GUI)

Note: the -G option requires the ettercap-gtk package to be installed in addition to the ettercap package.

Logging options

-w, --write <file>
    write sniffed data to the pcap file <file>
-L, --log <logfile>
    log all the traffic to <logfile>
-l, --log-info <logfile>
    log only passive info to <logfile>
-m, --log-msg <logfile>
    log all the messages to <logfile>
-c, --compress
    use gzip compression on log files

Visualization options

-d, --dns
    resolve IP addresses into hostnames
-V, --visual <format>
    set the visualization format
-e, --regex <regex>
    visualize only packets matching this regex
-E, --ext-headers
    print an extended header for every packet
-Q, --superquiet
    do not display users and passwords

General options

-i, --iface <iface>
    use this network interface
-I, --iflist
    show all the network interfaces
-n, --netmask <netmask>
    force this <netmask> on the interface
-P, --plugin <plugin>
    launch this <plugin>
-F, --filter <file>
    load the filter <file> (content filter)
-z, --silent
    do not perform the initial ARP scan
-j, --load-hosts <file>
    load the hosts list from <file>
-k, --save-hosts <file>
    save the hosts list to <file>
-W, --wep-key <wkey>
    use this WEP key to decrypt Wi-Fi packets
-a, --config <config>
    use the alternative config file <config>

Standard options

-U, --update
    update the databases from the ettercap website
-v, --version
    print the version and exit
-h, --help
    show this help screen

GUI

Level 1

  • File
    • open
    • save
    • exit
  • Sniff
    • Unified sniffing
    • Bridged sniffing
    • Set pcap filter
  • Options
    • Unoffensive
    • Promisc mode
    • Set netmask
  • Help
    • Contents

Level 2

  • Start
    • Start sniffing
    • Stop sniffing
    • Exit
  • Targets
    • Current targets
    • Select targets
    • Protocol
    • Reverse matching
    • Wipe targets
  • Hosts
    • Hosts list
    • Scan for hosts
    • Load from file
    • Save to file
  • View
    • Connections
    • Profiles
    • Statistics
    • Resolve IP addresses
    • Visualization method
    • Visualization regex
    • Set the WEP key
  • Mitm
    • Arp poisoning
    • Icmp redirect
    • Port stealing
    • Dhcp spoofing
    • Stop mitm attack(s)
  • Filters
    • Load a filter
    • Stop filtering
  • Logging
    • Log all packets and infos
    • Log only infos
    • Stop logging infos
    • Log user messages
    • Stop logging messages
    • Compressed file
  • Plugins
    • Manage the plugins
    • Load a plugin

Examples

Basic sniffing example

With the GUI

This example shows how to carry out a MITM attack on a LAN to sniff an FTP password. The attacker is running BackTrack 5 and the victim is running Ubuntu 11.10.


With the command line (CLI)

The same example can be achieved just as easily from the command line.

First create a file containing the list of hosts, one per line: here the router (192.168.1.254) and the victim (192.168.1.21).

$ cat hosts
192.168.1.254
192.168.1.21

Then start ettercap with the following options:

$ sudo ettercap -T -w /tmp/ettercap.session.pcap -i en1 --load-hosts hosts

  • -T selects the text-only interface (CLI)
  • -w writes the sniffed traffic to /tmp/ettercap.session.pcap
  • -i specifies the sniffing interface (en1 here)
  • --load-hosts points to our hosts file, containing the list of hosts to ARP poison