etter.conf(5)                                                    etter.conf(5)




NAME

       etter.conf - Ettercap configuration file



DESCRIPTION

       etter.conf  is  the  configuration file that determines ettercap behav-
       iour. It is always loaded at startup and it configures some  attributes
       used at runtime.

       The file contains entries of the form:

              [section]
              entry = value
              ...

       Each  entry defines a variable that can be customized. Every value MUST
       be an integer. Sections are used only to group together some variables.

       NOTE:  if  you omit a variable in the conf file, it will be initialized
       with the value 0. It is strongly discouraged to not initialize critical
       variables such as "arp_poison_delay" or "connection_timeout".

       The following is a list of available variables:



       [privs]

       ec_uid              This variable specifies the UID to which privileges
                           are dropped at startup. After the  socket  at  link
                           layer has been opened the privileges are dropped to
                           a specific uid different  from  root  for  security
                           reasons. etter.conf is the only file that is read
                           with root privs. Be sure that the specified uid has
                           enough privs to read other files (etter.*). You can
                           bypass this variable by setting the environment
                           variable EC_UID.
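
       The file format, the initialize-to-0 rule for omitted variables and the
       ec_uid privilege drop described above can be checked mechanically. An
       audit sketch over a constructed config (added example, not ettercap
       code; the '#' comment syntax, the quoted [strings] values and the
       function names are assumptions):

```python
import os
import re

# Constructed sample in the "[section] / entry = value" form.
# Assumptions: '#' starts a comment and [strings] values are quoted.
SAMPLE_CONF = """
[privs]
ec_uid = 0
[mitm]
arp_poison_warm_up = 1
# arp_poison_delay = 10
[connections]
connection_timeout = 3OO
[dissectors]
http = 80,8080
[strings]
utf8_encoding = "ISO-8859-1"
"""

# The two variables the NOTE names as critical.
CRITICAL = (("mitm", "arp_poison_delay"), ("connections", "connection_timeout"))


def parse(text):
    """Return {section: {entry: (raw_value, line_number)}}."""
    conf, section = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]\s*(#.*)?", line)
        if header:
            section = header.group(1)
            conf.setdefault(section, {})
            continue
        if section != "strings":  # a '#' may be part of a quoted command
            line = line.split("#", 1)[0]
        key, sep, value = line.partition("=")
        if section is None or not sep:
            raise ValueError(f"line {lineno}: expected 'entry = value' in a section")
        conf[section][key.strip()] = (value.strip(), lineno)
    return conf


def lint(conf, env=None):
    """Return findings: non-integer values, unset critical variables, root uid."""
    env = os.environ if env is None else env
    findings = []
    for section, entries in conf.items():
        if section == "strings":
            continue
        # [dissectors] also accepts port1,port2,... lists
        pattern = r"\d+(,\d+)*" if section == "dissectors" else r"-?\d+"
        for key, (value, lineno) in entries.items():
            if not re.fullmatch(pattern, value):
                findings.append(f"line {lineno}: {section}.{key} = {value!r} is not an integer")
    for section, key in CRITICAL:
        if key not in conf.get(section, {}):
            findings.append(f"{section}.{key} is unset and will be initialized to 0")
    file_uid = conf.get("privs", {}).get("ec_uid", ("0", None))[0]
    uid = env.get("EC_UID", file_uid)  # the environment variable takes precedence
    if uid == "0":
        findings.append("effective ec_uid is 0: privileges stay at root after startup")
    return findings


if __name__ == "__main__":
    for finding in lint(parse(SAMPLE_CONF), env={}):
        print(finding)
```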




       [mitm]

       arp_storm_delay     The  value  represents  the  milliseconds  to  wait
                           between two consecutive packets during the  initial
                           ARP  scan.  You can increment this value to be less
                           aggressive at startup. The randomized scan  plus  a
                           high  delay  can fool some types of ARP scan detec-
                           tors.


       arp_poison_smart    With this variable set, only 3 initial poisoned ARP
                           messages are sent to the victims. This poisoned
                           status is kept up by ettercap by responding to
                           ARP requests from victims that want to refresh
                           their ARP cache. This makes the ARP poisoning very
                           stealthy but may be unreliable on shared media such
                           as WiFi.


       arp_poison_warm_up  When the poisoning process starts, the inter-packet
                           delay  is  low  for the first 5 poisons (to be sure
                           the poisoning process has been  successful).  After
                           the  first  5 poisons, the delay is incremented (to
                           keep up the poisoning). This variable controls  the
                           delay for the first 5 poisons. The value is in sec-
                           onds.
                           The  same  delay  is  used  when  the  victims  are
                           restored  to  the original associations (RE-ARPing)
                           when ettercap is closed.


       arp_poison_delay    This variable controls the  poisoning  delay  after
                           the first 5 poisons. The value is expressed in sec-
                           onds. You can increase this value (to try  to  fool
                           the  IDS) up to the timeout of the ARP cache (which
                           depends on the poisoned operating system).


       arp_poison_icmp     Enable the sending of a  spoofed  ICMP  message  to
                           force the targets to make an arp request. This will
                           create an arp entry in the host cache, so  ettercap
                           will  be  able to win the race condition and poison
                           the target. Useful  against  targets  that  do  not
                           accept  gratuitous  arp  if the entry is not in the
                           cache.


       arp_poison_reply    Use ARP replies to poison the targets. This is  the
                           classic attack.


       arp_poison_request  Use ARP requests to poison the targets. Useful
                           against targets that cache even ARP request values.


       arp_poison_equal_mac
                           Set  this  option to 0 if you want to skip the poi-
                           soning of two hosts with the same mac address. This
                           may  happen if a NIC has one or more aliases on the
                           same network.


       dhcp_lease_time     This is the lease time  (in  seconds)  for  a  dhcp
                           assignment.  You can lower this value to permit the
                           victims to receive a correct dhcp reply  after  you
                           have stopped your attack. Using higher timeouts can
                           seriously mess up your network after the attack has
                           finished.  On the other hand some clients will pre-
                           fer a higher lease time, so you have to increase it
                           to  win the race condition against the real server.


       port_steal_delay    This is the delay time  (in  milliseconds)  between
                           stealing  packets  for the "port" mitm method. With
                           low delays you will be able to intercept more pack-
                           ets,  but  you will generate more traffic. You have
                           to tune this value in order to find a good  balance
                           between  the  number  of  intercepted  packets, re-
                           transmitted packets and lost packets.   This  value
                           depends on full/half duplex channels, network driv-
                           ers and adapters, network general configuration and
                           hardware.



       port_steal_send_delay
                           This  is  the  delay time (in microseconds) between
                           packets when the "port" mitm method has to  re-send
                           packets  queues.  As  said for port_steal_delay you
                           have to tune this option to the  lowest  acceptable
                           value.



       ndp_poison_warm_up  This option operates similarly to the
                           arp_poison_warm_up option. When the poisoning
                           process starts, this option controls the NDP poison
                           delay for the first 5 poisons (to be sure the
                           poisoning process has been successful). After the
                           first 5 poisons, the delay is incremented (to keep
                           up the poisoning). The value should be lower than
                           the ndp_poison_delay. The value is in seconds.
                           The same delay is used when the victims are
                           restored to the original associations when ettercap
                           is closed.


       ndp_poison_delay    This option is similar to the arp_poison_delay
                           option. It controls the delay in seconds for
                           sending out the poisoned NDP packets to poison the
                           victim's neighbor cache. This value may be increased
                           to hide from IDSs, but increasing it also increases
                           the probability of losing race conditions during
                           neighbor discovery and of missing some packets.


       ndp_poison_send_delay
                           This option controls the delay in microseconds
                           between poisoned NDP packets being sent. This value
                           may be increased to hide from IDSs, but increasing
                           it also increases the probability of losing race
                           conditions during neighbor discovery and of missing
                           some packets.


       ndp_poison_icmp     Enable the sending of a spoofed ICMPv6  message  to
                           motivate the targets to perform neighbor discovery.
                           This will create an  entry  in  the  host  neighbor
                           cache,  so  ettercap  will  be able to win the race
                           condition and poison  the  target.  Useful  against
                           targets  that do not accept neighbor advertisements
                           if the entry is not in the cache.


       ndp_poison_equal_mac
                           Set this option to 0 if you want to  skip  the  NDP
                           poisoning  of  two hosts with the same mac address.
                           This may happen if a NIC has one or more aliases on
                           the same network.


       icmp6_probe_delay   This  option  defines  the time in seconds ettercap
                           waits for active IPv6 nodes to respond to the  ICMP
                           probes.  Decreasing  this  value could lead to miss
                           replies from active IPv6 nodes, hence miss them  in
                           the  host list. Increasing the value usually has no
                           impact; normally nodes can manage to answer  during
                           the default delay.

                           NOTE: The ndp and icmp6 options are only available
                           if ettercap has been built with IPv6 support.
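
       From a monitoring point of view, the delay options above change only
       how often poisoned ARP packets appear, so a detector that tracks which
       MAC each IP address is bound to is not affected by them. A sketch of
       that check over constructed observations (added example, not part of
       ettercap; the event tuple layout, the alert names and the
       trust-on-first-use model are assumptions):

```python
from collections import defaultdict

# Constructed ARP observations: (time_s, op, sender_ip, sender_mac, target_ip).
GW, HOST = "10.0.0.1", "10.0.0.5"
SAMPLE = [
    (0.0, "request", HOST, "aa:aa:aa:aa:aa:05", GW),
    (0.1, "reply", GW, "aa:aa:aa:aa:aa:01", HOST),
    # A third MAC starts answering for both addresses without being asked.
    (10.0, "reply", GW, "aa:aa:aa:aa:aa:66", HOST),
    (10.0, "reply", HOST, "aa:aa:aa:aa:aa:66", GW),
    (11.0, "reply", GW, "aa:aa:aa:aa:aa:66", HOST),
    (12.0, "reply", GW, "aa:aa:aa:aa:aa:66", HOST),
    # Later it only answers the host's own cache refresh, racing the gateway.
    (40.0, "request", HOST, "aa:aa:aa:aa:aa:05", GW),
    (40.05, "reply", GW, "aa:aa:aa:aa:aa:66", HOST),
    (40.06, "reply", GW, "aa:aa:aa:aa:aa:01", HOST),
    # An ARP probe (sender IP 0.0.0.0) carries no binding and is ignored.
    (50.0, "request", "0.0.0.0", "aa:aa:aa:aa:aa:07", "10.0.0.7"),
]


def detect(events, solicit_window=2.0):
    """Return (time, kind, ip, mac) alerts based on bindings, not packet rate."""
    first_mac = {}                 # ip -> first MAC seen (trust on first use)
    ips_by_mac = defaultdict(set)  # mac -> sender IPs it has claimed
    last_request = {}              # (requester_ip, asked_ip) -> time
    alerts = []
    for ts, op, sip, smac, tip in sorted(events):
        if op == "request":
            last_request[(sip, tip)] = ts
        if sip == "0.0.0.0":
            continue
        if op == "reply":
            asked = last_request.get((tip, sip))
            if asked is None or ts - asked > solicit_window:
                alerts.append((ts, "unsolicited-reply", sip, smac))
        # Requests carry a sender binding too, so check both operations.
        if first_mac.setdefault(sip, smac) != smac:
            alerts.append((ts, "binding-changed", sip, smac))
        # A NIC with aliases legitimately owns several IPs: allow-list those.
        if sip not in ips_by_mac[smac]:
            ips_by_mac[smac].add(sip)
            if len(ips_by_mac[smac]) > 1:
                alerts.append((ts, "mac-claims-multiple-ips", sip, smac))
    return alerts


def count_by_kind(alerts):
    """Summarize alerts as {kind: count}."""
    counts = defaultdict(int)
    for _, kind, _, _ in alerts:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
    print(count_by_kind(detect(SAMPLE)))
```

       The reply at 40.05 is solicited and raises no rate or unsolicited-reply
       alert, yet the binding check still flags it. In production the
       first-seen table would be seeded from a trusted source such as DHCP
       snooping or a static inventory.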



       [connections]

       connection_timeout  Every time a new connection is discovered, ettercap
                           allocates  the needed structures. After a customiz-
                           able timeout, you can free these structures to keep
                           the memory usage low. This variable represents this
                           timeout. The value is expressed  in  seconds.  This
                           timeout  is  applied  even  to the session tracking
                           system (the protocol state machine for dissectors).


       connection_idle     The  number  of seconds to wait before a connection
                           is marked as IDLE.


       connection_buffer   This variable  controls  the  size  of  the  buffer
                           linked to each connection.  Every sniffed packet is
                           added to the buffer and when the buffer is full the
                           older  packets  are  deleted to make room for newer
                           ones. This buffer is useful to view data that  went
                           on  the cable before you select and view a specific
                           connection. The higher this value, the higher the
                           ettercap memory occupation. Note that the buffer
                           is dynamic, so if you set a buffer of 100.000 bytes
                           it is not allocated all at once at the first
                           packet of a connection, but it is filled as packets
                           arrive.


       connect_timeout     The  timeout  in  seconds  when using the connect()
                           syscall. Increase it if you get a "Connection time-
                           out" error. This option has nothing to do with con-
                           nections sniffed by ettercap. It is a  timeout  for
                           the  connections  made  by  ettercap to other hosts
                           (for example when fingerprinting remote host).




       [stats]

       sampling_rate       Ettercap keeps some statistics  on  the  processing
                           time  of the bottom half (the sniffer) and top half
                           (the protocol decoder). These statistics  are  made
                           on  the  average  processing  time of sampling_rate
                           packets. You can decrease this value to have a more
                           accurate  real-time  picture  of processing time or
                           increase it to have a smoother picture.  The  total
                           average  will  not change, but the worst value will
                           be heavily influenced by this value.




       [misc]

       close_on_eof        When reading from a dump file and using console  or
                           daemon  UI, this variable is used to determine what
                           action has to be done  on  EOF.  It  is  a  boolean
                           value. If set to 1 ettercap will close itself (use-
                           ful in scripts). Otherwise the  session  will  con-
                           tinue waiting for user input.


       store_profiles      Ettercap collects in memory a profile for each host
                           it  detects.  Users  and  passwords  are  collected
                           there.  If  you  want to run ettercap in background
                           logging all the traffic, you may  want  to  disable
                           the collecting in memory to save system memory. Set
                           this option to 0 (zero) to disable profiles collec-
                           tion.   A value of 1 will enable collection for all
                           the hosts, 2 will collect only local  hosts  and  3
                           only  remote  hosts (a host is considered remote if
                           it does not belong to the netmask).


       aggressive_dissectors
                           Some dissectors (such as SSH  and  HTTPS)  need  to
                           modify  the payload of the packets in order to col-
                           lect passwords and perform a decryption attack.  If
                           you  want to disable the "dangerous" dissectors all
                           together, set this value to 0.


       skip_forwarded      If you set this value to  0  you  will  sniff  even
                           packets  forwarded by ettercap or by the kernel. It
                           will generate duplicate packets in conjunction with
                           the arp mitm method (for example). It could be use-
                           ful while running ettercap in unoffensive mode on a
                           host  with more than one network interface (waiting
                           for the multiple-interface feature...)


       checksum_warning    If you set the value to 0 the messages about incor-
                           rect  checksums  will  not be displayed in the user
                           messages windows (nor logged to a file with -m).
                           Note that this option will not disable the check on
                           the  packets,  but  only  prevent the message to be
                           displayed (see below).


       checksum_check      This option is used to completely disable the check
                           on the checksum of the packets that ettercap
                           receives. The check on the packets is performed to
                           avoid ettercap being spotted through bad checksum
                           packets (see Phrack 60.12). If you disable the
                           check, you will be able to sniff even packets with
                           bad checksums, but you will be spotted if someone
                           is searching for you...


       sniffing_at_startup If this option is set to 1, then ettercap will
                           immediately start unified or bridged sniffing after
                           the setup phase has been completed. This option
                           helps to avoid traffic blocking when a MITM
                           technique has been started but starting sniffing
                           has been forgotten. Therefore this option is set
                           to 1 by default.
                           If this behaviour is not desired, set it to 0 to
                           manually control the status of unified or bridged
                           sniffing after ettercap has started. However,
                           sniffing can be stopped and started at any time
                           while ettercap runs.


       geoip_support_enable
                           This  option controls if GeoIP information shall be
                           processed for IP addresses whether or not  ettercap
                           has been built with GeoIP support.


       gtkui_prefer_dark_theme
                           This option tries to enforce the dark variant of
                           the applied theme. However, this only has an effect
                           if the applied theme provides a dark variant.
                           Normally the desktop environment controls the theme
                           of applications, but some lightweight desktop
                           environments don't support a configuration option
                           for dark themes even when the theme provides a dark
                           variant. To leave the theme variant setting to the
                           desktop environment, this option is set to 0 by
                           default.
                           NOTE: This option is only relevant in GTK mode  and
                           if  ettercap has been built with full GTK3 support.



       [dissectors]

       protocol_name       This value represents the port on which the
                           protocol dissector has to be bound. A value of 0
                           will disable the dissector. The name of the
                           variable is the same as the protocol name. You can
                           specify a non-standard port for each dissector as
                           well as multiple ports. The syntax for multiport
                           selection is the following: port1,port2,port3,...
                           NOTE: some dissectors are conditionally compiled.
                           This means that depending on the libraries found in
                           your system some dissectors will be enabled and
                           some others will not. By default etter.conf
                           contains all supported dissectors. If you get a
                           "FATAL: Dissector "xxx" does not exists (etter.conf
                           line yy)" error, you have to comment out the yy
                           line in etter.conf.



       [curses]

       color               You can customize the colors of the curses GUI.
                           Simply  set  a field to one of the following values
                           and look at the GUI aspect :)
                           Here is a list of values: 0 Black, 1 Red, 2  Green,
                           3 Yellow, 4 Blue, 5 Magenta, 6 Cyan, 7 White



       [strings]

       utf8_encoding       Specifies the encoding to be used while displaying
                           the packets in UTF-8 format. Use the `iconv
                           --list` command for a list of supported encodings.


       remote_browser      This command  is  executed  by  the  remote_browser
                           plugin each time it catches a good URL request into
                           an HTTP connection.  The command should be able  to
                           get 2 parameters:

                           %host  the  Host:  tag  in the HTTP header. Used to
                                  create the full request into the browser.

                           %url   The page requested inside the GET request.


       redir_command_on    You must provide a valid  command  (or  script)  to
                           enable tcp redirection at the kernel level in order
                           to be able  to  use  SSL  dissection.  Your  script
                           should be able to get 5 parameters:

                           %iface The network interface on which the rule must
                                  be set

                           %source
                                  The source IP or network matching the  pack-
                                  ets  to be redirected (default is 0.0.0.0/0,
                                  ::/0 resp. or any)

                           %destination
                                  The destination IP or network  matching  the
                                  packets   to   be   redirected  (default  is
                                  0.0.0.0/0, ::/0 resp. or any)

                           %port  The source port of the packets to  be  redi-
                                  rected  (443 for HTTPS, 993 for imaps, etc).

                           %rport The internally bound port to which  ettercap
                                  listens for connections.
       NOTE: this script is executed with an execve(), so you cannot use pipes
       or output redirection as if you were in a shell. We suggest you write
       a script if you need those commands.

       NOTE: for this to work, you must set ec_uid to a UID that is privileged
       to execute the redir_command or provide a setuid program.


       redir_command_off   This script is used to remove the redirect rules
                           applied by 'redir_command_on'. You should note
                           that this script is called atexit() and thus it
                           does not have high privileges. You should provide a
                           setuid program or set ec_uid to 0 in order to be
                           sure that the script is executed successfully.



ORIGINAL AUTHORS

       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>


PROJECT STEWARDS

       Emilio Escobar (exfil)  <eescobar@gmail.com>
       Eric Milam (Brav0Hax)  <jbrav.hax@gmail.com>


OFFICIAL DEVELOPERS

       Mike Ryan (justfalter)  <falter@gmail.com>
       Gianfranco Costamagna (LocutusOfBorg)  <costamagnagianfranco@yahoo.it>
       Antonio Collarino (sniper)  <anto.collarino@gmail.com>
       Ryan Linn   <sussuro@happypacket.net>
       Jacob Baines   <baines.jacob@gmail.com>


CONTRIBUTORS

       Dhiru Kholia (kholia)  <dhiru@openwall.com>
       Alexander Koeppe (koeppea)  <format_c@online.de>
       Martin Bos (PureHate)  <purehate@backtrack.com>
       Enrique Sanchez
       Gisle Vanem  <giva@bgnett.no>
       Johannes Bauer  <JohannesBauer@gmx.de>
       Daten (Bryan Schneiders)  <daten@dnetc.org>




SEE ALSO

       ettercap(8), ettercap_curses(8), ettercap_plugins(8), etterlog(8),
       etterfilter(8), ettercap-pkexec(8)




ettercap 0.8.2                                                   etter.conf(5)

ettercap 0.8.3 - Generated Sun Aug 11 10:30:46 CDT 2019