|SNIFFING AND ATTACK OPTIONS|
ettercap NG has a new unified sniffing method. This implies that ip_forwarding
in the kernel is always disabled and the forwarding is done by ettercap. Every
packet with destination mac address equal to the hosts mac address and
destination ip address different for the one bound to the iface will be
forwarded by ettercap. Before forwarding them, ettercap can content filter,
sniff, log or drop them. It does not matter how these packets are hijacked,
ettercap will process them. You can even use external programs to hijack
You have full control of what ettercap should receive. You can use the internal mitm attacks, set the interface in promisc mode, use plugins or use every method you want.
IMPORTANT NOTE: if you run ettercap on a gateway, remember to re-enable the ip_forwarding after you have killed ettercap. Since ettercap drops its privileges, it cannot restore the ip_forwarding for you.
|-M, --mitm <METHOD:ARGS>|
This option will activate the man in the middle attack. The mimt attack is totally independent from the sniffing. The aim of the attack is to hijack packets and redirect them to ettercap. The sniffing engine will forward them if necessary.
You can choose the mitm attack that you prefer and also combine some of them to perform different attacks at the same time.
If a mitm method requires some parameters you can specify them after the colon. (e.g. -M dhcp:ip_pool,netmask,etc )
The following mitm attacks are available:
This options disables the sniffing thread and enables only the mitm attack.
Useful if you want to use ettercap to perform mitm attacks and another sniffer
(such as wireshark) to sniff the traffic. Keep in mind that the packets are not
forwarded by ettercap. The kernel will be responsible for the forwarding.
Remember to activate the "ip forwarding" feature in your kernel.
|-f, --pcapfilter <FILTER>|
Set a capturing filter in the pcap library. The format is the same as
tcpdump(1). Remember that this kind of filter will not sniff packets out of the
wire, so if you want to perform a mitm attack, ettercap will not be able to
forward hijacked packets.
These filters are useful to decrease the network load impact into ettercap decoding module.
|-B, --bridge <IFACE>|
You need two network interfaces. ettercap will forward form one to the other all the traffic it sees. It is useful for man in the middle at the physical layer. It is totally stealthy since it is passive and there is no way for an user to see the attacker.
You can content filter all the traffic as you were a transparent proxy for the "cable".
OFF LINE SNIFFING
-r, --read <FILE>
OFF LINE sniffing
With this option enabled, ettercap will sniff packets from a pcap compatible file instead of capturing from the wire.
This is useful if you have a file dumped from tcpdump or wireshark and you want to make an analysis (search for passwords or passive fingerprint) on it.
Obviously you cannot use "active" sniffing (arp poisoning or bridging) while sniffing from a file.
|-w, --write <FILE>|
WRITE packet to a pcap file
This is useful if you have to use "active" sniffing (arp poison) on a switched LAN but you want to analyze the packets with tcpdump or wireshark. You can use this option to dump the packets to a file and then load it into your favourite application.
NOTE: dump file collect ALL the packets disregarding the TARGET. This is done because you may want to log even protocols not supported by ettercap, so you can analyze them with other tools.
TIP: you can use the -w option in conjunction with the -r one. This way you will be able to filter the payload of the dumped packets or decrypt WEP-encrypted WiFi traffic and dump them to another file.
USER INTERFACES OPTIONS
The text only interface, only printf ;)
It is quite interactive, press h in every moment to get help on what you can do.
Quiet mode. It can be used only in conjunction with the console interface. It
does not print packet content. It is useful if you want to convert pcap file to
ettercap log files.
ettercap -Tq -L dumpfile -r pcapfile
|-s, --script <COMMANDS>|
With this option you can feed ettercap with command as they were typed on the
keyboard by the user. This way you can use ettercap within your favourite
scripts. There is a special command you can issue thru this command: s(x). this
command will sleep for x seconds.
ettercap -T -s lq will print the list of the hosts and exit
Ncurses based GUI. See ettercap_curses(8) for a full description.
The nice GTK2 interface (thanks Daten...).
Daemonize ettercap. This option will detach ettercap from the current
controlling terminal and set it as a daemon. You can combine this feature with
the "log" option to log all the traffic in the background. If the daemon fails
for any reason, it will create the file "./ettercap_daemonized.log" in
which the error caught by ettercap will be reported. Furthermore, if you want to have
a complete debug of the daemon process, you are encouraged to recompile
ettercap in debug mode.
Tells Ettercap to process packets coming from Broadcast address.
|-i, --iface <IFACE>|
Use this <IFACE> instead of the default one. The interface can be unconfigured
(requires libnet >= 1.1.2), but in this case you cannot use MITM attacks and
you should set the unoffensive flag.
This option will print the list of all available network interfaces that can be
used within ettercap. The option is particularly useful under windows where the
name of the interface is not so obvious as under *nix.
|-Y, --secondary <interface list>|
Specify a list of (or single) secondary interfaces to capture packets from.
|-A, --address <ADDRESS>|
Use this <ADDRESS> instead of the one autodetected for the current iface. This
option is useful if you have an interface with multiple ip addresses.
|-n, --netmask <NETMASK>|
Use this <NETMASK> instead of the one associated with the current iface. This
option is useful if you have the NIC with an associated netmask of class B and
you want to scan (with the arp scan) only a class C.
Reverse the matching in the TARGET selection. It means not(TARGET). All but the
|-t, --proto <PROTO>|
Sniff only PROTO packets (default is TCP + UDP).
This is useful if you want to select a port via the TARGET specification but you want to differentiate between tcp or udp.
PROTO can be "tcp", "udp" or "all" for both.
Send ICMPv6 probes to discover active IPv6 nodes on the link.
This options sends a ping request to the all-nodes address to motivate active IPv6
hosts to respond. You should not use this option if you try to hide yourself. Therefore
this option is optional.
NOTE: This option is only available if IPv6 support has been enabled.
Do not perform the initial ARP scan of the LAN.
NOTE: you will not have the hosts list, so you cant use the multipoison feature. you can only select two hosts for an ARP poisoning attack, specifying them through the TARGETs
Usually, ettercap will put the interface in promisc mode to sniff all the
traffic on the wire. If you want to sniff only your connections, use this flag
to NOT enable the promisc mode.
Usually, ettercap forges SSL certificates in order to intercept https
traffic. This option disables that behavior.
Every time ettercap starts, it disables ip forwarding in the kernel and begins to
forward packets itself. This option prevent to do that, so the responsibility
of ip forwarding is left to the kernel.
This options is useful if you want to run multiple ettercap instances. You will have one instance (the one without the -u option) forwarding the packets, and all the other instances doing their work without forwarding them. Otherwise you will get packet duplicates.
It also disables the internal creation of the sessions for each connection. It increases performances, but you will not be able to modify packets on the fly.
If you want to use a mitm attack you have to use a separate instance.
You have to use this option if the interface is unconfigured (without an ip address.)
This is also useful if you want to run ettercap on the gateway. It will not disable the forwarding and the gateway will correctly route the packets.
|-j, --load-hosts <FILENAME>|
It can be used to load a hosts list from a file created by the -k option. (see below)
|-k, --save-hosts <FILENAME>|
Saves the hosts list to a file. Useful when you have many hosts and you dont want to
do an ARP storm at startup any time you use ettercap. Simply use this options and dump
the list to a file, then to load the information from it use the -j <filename> option.
|-P, --plugin <PLUGIN>|
Run the selected PLUGIN. Many plugins need target specification, use TARGET as
always. Use multiple occurances of this parameter to select multiple plugins.
In console mode (-C option), standalone plugins are executed and then the application exits. Hook plugins are activated and the normal sniffing is performed.
To have a list of the available external plugins use "list" (without quotes) as plugin name (e.g. ./ettercap -P list).
NOTE: you can also activate plugins directly from the interfaces (always press "h" to get the inline help)
More detailed info about plugins and about how to write your own are found in the man page ettercap_plugin(8)
|-F, --filter <FILE>|
Load the filter from the file <FILE>. The filter must be compiled with
etterfilter(8). The utility will compile the filter script and produce an
ettercap-compliant binary filter file. Read the etterfilter(8) man page for the
list of functions you can use inside a filter script.
Any number of filters can be loaded by specifying the option multiple times;
packets are passed through each filter in the order specified on the command line.
You can also load a script without enabling it by appending :0 to the filename.
NOTE: these filters are different from those set with --pcapfilter. An ettercap filter is a content filter and can modify the payload of a packet before forwarding it. Pcap filter are used to capture only certain packets.
NOTE: you can use filters on pcapfile to modify them and save to another file, but in this case you have to pay attention on what you are doing, since ettercap will not recalculate checksums, nor split packets exceeding the mtu (snaplen) nor anything like that.
|-W, --wifi-key <KEY>|
You can specify a key to decrypt WiFi packets (WEP or WPA). Only the packets decrypted
successfully will be passed to the decoders stack, the others will be skipped
with a message.
The parameter has the following syntax: type:bits:t:string. Where type can be: wep, wpa-pws or wpa-psk, bits is the bit length of the key (64, 128 or 256), t is the type of the string (s for string and p for passphrase). string can be a string or an escaped hex sequences.
|-a, --config <CONFIG>|
|Loads an alternative config file instead of the default in /etc/etter.conf. This is useful if you have many preconfigured files for different situations.|
Tells Ettercap to use the specified certificate file for the SSL MiTM attack.
Tells Ettercap to use the specified private key file for the SSL MiTM attack.
|-e, --regex <REGEX>|
Handle only packets that match the regex.
This option is useful in conjunction with -L. It logs only packets that match the posix regex REGEX.
It impacts even the visualization of the sniffed packets. If it is set only packets matching the regex will be displayed.
|-V, --visual <FORMAT>|
Use this option to set the visualization method for the packets to be
FORMAT may be one of the following:
Resolve ip addresses into hostnames.
NOTE: this may seriously slow down ettercap while logging passive information. Every time a new host is found, a query to the dns is performed. Ettercap keeps a cache for already resolved host to increase the speed, but new hosts need a new query and the dns may take up to 2 or 3 seconds to respond for an unknown host.
HINT: ettercap collects the dns replies it sniffs in the resolution table, so even if you specify to not resolve the hostnames, some of them will be resolved because the reply was previously sniffed. think about it as a passive dns resolution for free... ;)
Print extended headers for every displayed packet. (e.g. mac addresses)
Super quiet mode. Do not print users and passwords as they are collected. Only
store them in the profiles. It can be useful to run ettercap in text only mode
but you dont want to be flooded with dissectors messages. Useful when using
plugins because the sniffing process is always active, it will print all the
collected infos, with this option you can suppress these messages.
NOTE: this options automatically sets the -q option.
ettercap -TzQP finger /192.168.0.1/22
-L, --log <LOGFILE>
Log all the packets to binary files. These files can be parsed by etterlog(8) to
extract human readable data. With this option, all packets sniffed by ettercap
will be logged, together with all the passive info (host info + user & pass) it can
collect. Given a LOGFILE, ettercap will create LOGFILE.ecp (for packets) and
LOGFILE.eci (for the infos).
NOTE: if you specify this option on command line you dont have to take care of privileges since the log file is opened in the startup phase (with high privs). But if you enable the log option while ettercap is already started, you have to be in a directory where uid = 65535 or uid = EC_UID can write.
NOTE: the logfiles can be compressed with the deflate algorithm using the -c option.
|-l, --log-info <LOGFILE>|
Very similar to -L but it logs only passive information + users and passwords
for each host. The file will be named LOGFILE.eci
|-m, --log-msg <LOGFILE>|
It stores in <LOGFILE> all the user messages printed by ettercap. This can be
useful when you are using ettercap in daemon mode or if you want to track down
all the messages. Indeed, some dissectors print messages but their
information is not stored anywhere, so this is the only way to keep track of
Compress the logfile with the gzip algorithm while it is dumped. etterlog(8) is
capable of handling both compressed and uncompressed log files.
Stores profiles information belonging only to the LAN hosts.
NOTE: this option is effective only against the profiles collected in memory. While logging to a file ALL the hosts are logged. If you want to split them, use the related etterlog(8) option.
Stores profiles information belonging only to remote hosts.
Print the version and exit.
prints the help screen with a short summary of the available options.
Here are some examples of using ettercap.
Use the console interface and do not put the interface in promisc mode. You will see only your traffic.
Use the console interface, do not ARP scan the net and be quiet. The packet content will not be displayed, but user and passwords, as well as other messages, will be displayed.
ettercap -T -j /tmp/victims -M arp /10.0.0.1-7/ /10.0.0.10-20/
Will load the hosts list from /tmp/victims and perform an ARP poisoning attack against the two target. The list will be joined with the target and the resulting list is used for ARP poisoning.
ettercap -T -M arp // //
Perform the ARP poisoning attack against all the hosts in the LAN. BE CAREFUL !!
ettercap -T -M arp:remote /192.168.1.1/ /192.168.1.2-10/
Perform the ARP poisoning against the gateway and the host in the lan between 2 and 10. The remote option is needed to be able to sniff the remote traffic the hosts make through the gateway.
ettercap -Tzq //110
Sniff only the pop3 protocol from every hosts.
ettercap -Tzq /10.0.0.1/21,22,23
Sniff telnet, ftp and ssh connections to 10.0.0.1.
ettercap -P list
Prints the list of all available plugins
Stores persistent information (e.g., window placement) between sessions.
Alberto Ornaghi (ALoR) <firstname.lastname@example.org>
Marco Valleri (NaGA) <email@example.com>
Emilio Escobar (exfil) <firstname.lastname@example.org>
Eric Milam (Brav0Hax) <email@example.com>
Mike Ryan (justfalter) <firstname.lastname@example.org>
Gianfranco Costamagna (LocutusOfBorg) <email@example.com>
Antonio Collarino (sniper) <firstname.lastname@example.org>
Ryan Linn <email@example.com>
Jacob Baines <firstname.lastname@example.org>
Dhiru Kholia (kholia) <email@example.com>
Alexander Koeppe (koeppea) <firstname.lastname@example.org>
Martin Bos (PureHate) <email@example.com>
Gisle Vanem <firstname.lastname@example.org>
Johannes Bauer <JohannesBauer@gmx.de>
Daten (Bryan Schneiders) <email@example.com>
etter.conf(5) ettercap_curses(8) ettercap_plugins(8) etterlog(8) etterfilter(8) ettercap-pkexec(8)
git clone git://github.com/Ettercap/ettercap.git
git clone https://github.com/Ettercap/ettercap.git
Our software never has bugs.
It just develops random features. ;)
- ettercap doesnt handle fragmented packets... only the first segment will be displayed by the sniffer. However all the fragments are correctly forwarded.
+ please send bug-report, patches or suggestions to <firstname.lastname@example.org> or visit https://github.com/Ettercap/ettercap/issues.
+ to report a bug, follow the instructions in the README.BUGS file
"Even if blessed with a feeble intelligence, they are cruel and smart..." this is the description of Ettercap, a monster of the RPG Advanced Dungeons & Dragon.
The name "ettercap" was chosen because it has an assonance with "ethercap" which means "ethernet capture" (what ettercap actually does) and also because such monsters have a powerful poison... and you know, arp poisoning... ;)
(the fellowship of the packet)
"One Ring to link them all, One Ring to ping them,
one Ring to bring them all and in the darkness sniff them."
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." - Rich Cook
|ettercap 0.8.2||ETTERCAP (8)|