manpagez: man pages & more
man ettercap(8)
Home | html | info | man
ettercap(8)                                                        ettercap(8)




NAME

       ettercap  -  multipurpose  sniffer/content filter for man in the middle
       attacks



***** IMPORTANT NOTE ******

       Since ettercap NG (formerly 0.7.0), all the options have been  changed.
       Even  the  target specification has been changed. Please read carefully
       this man page.



SYNOPSIS

       ettercap [OPTIONS] [TARGET1] [TARGET2]

       If IPv6 is enabled:
       TARGET is in the form MAC/IPs/IPv6/PORTs
       Otherwise,
       TARGET is in the form MAC/IPs/PORTs
       where IPs and PORTs can be ranges (e.g. /192.168.0.1-30,40,50/20,22,25)


DESCRIPTION

       Ettercap  was  born  as  a sniffer for switched LAN (and obviously even
       "hubbed" ones), but during the development process it has  gained  more
       and  more features that have changed it to a powerful and flexible tool
       for man-in-the-middle attacks.  It supports active and passive  dissec-
       tion  of many protocols (even ciphered ones) and includes many features
       for network and host analysis (such as OS fingerprint).

       It has two main sniffing options:

       UNIFIED, this method sniffs all the packets that pass on the cable. You
       can choose to put or not the interface in promisc mode (-p option). The
       packet not directed to the host  running  ettercap  will  be  forwarded
       automatically  using  layer  3  routing.  So  you can use a mitm attack
       launched from a different tool and let ettercap modify the packets  and
       forward them for you.
       The  kernel  ip_forwarding is always disabled by ettercap. This is done
       to prevent a forward of a packet twice (one by ettercap and one by  the
       kernel).   This  is  an invasive behaviour on gateways. So we recommend
       you to use ettercap on the gateways  ONLY  with  the  UNOFFENSIVE  MODE
       ENABLED.  Since ettercap listens only on one network interface, launch-
       ing it on the gateway in offensive mode will not allow  packets  to  be
       rerouted back from the second interface.

       BRIDGED,  it  uses  two network interfaces and forward the traffic from
       one to the other while performing sniffing and content filtering.  This
       sniffing  method is totally stealthy since there is no way to find that
       someone is in the middle on the cable.  You can look at this method  as
       a  mitm  attack  at  layer  1.  You  will be in the middle of the cable
       between two entities. Don't use it on gateways  or  it  will  transform
       your  gateway  into  a  bridge. HINT: you can use the content filtering
       engine to drop packets that should not pass.  This  way  ettercap  will
       work as an inline IPS ;)

       You  can also perform man in the middle attacks while using the unified
       sniffing. You can choose the mitm attack  that  you  prefer.  The  mitm
       attack  module  is independent from the sniffing and filtering process,
       so you can launch several attacks at the same time or use your own tool
       for the attack. The crucial point is that the packets have to arrive to
       ettercap with the correct mac address and a different ip address  (only
       these packets will be forwarded).

       The most relevant ettercap features are:

       SSH1  support  :  you  can sniff User and Pass, and even the data of an
       SSH1 connection. ettercap is the first software capable to sniff an SSH
       connection in FULL-DUPLEX

       SSL  support  : you can sniff SSL secured data... a fake certificate is
       presented to the client and the session is decrypted.

       Characters injection in an established  connection  :  you  can  inject
       characters to the server (emulating commands) or to the client (emulat-
       ing replies) maintaining the connection alive !!

       Packet filtering/dropping: You can set up a filter script that searches
       for  a  particular  string  (even  hex)  in  the TCP or UDP payload and
       replace it with yours or drop the entire packet. The  filtering  engine
       can  match  any  field of the network protocols and modify whatever you
       want (see etterfilter(8)).

       Remote traffic sniffing through tunnels and  route  mangling:  You  can
       play with linux cooked interfaces or use the integrated plugin to sniff
       tunneled or route-mangled remote connections and perform  mitm  attacks
       on them.

       Plug-ins  support : You can create your own plugin using the ettercap's
       API.

       Password collector for : TELNET, FTP,  POP,  RLOGIN,  SSH1,  ICQ,  SMB,
       MySQL,  HTTP,  NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC,
       LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG (other protocols  coming
       soon...)

       Passive OS fingerprint: you scan passively the lan (without sending any
       packet) and gather detailed info about the hosts in the LAN:  Operating
       System,  running  services,  open  ports,  IP,  mac address and network
       adapter vendor.

       Kill a connection: from the connections list you can kill all the  con-
       nections you want




TARGET SPECIFICATION

       There is no concept of SOURCE nor DEST. The two targets are intended to
       filter traffic coming from one to the other and vice-versa  (since  the
       connection is bidirectional).

       TARGET is in the form MAC/IPs/PORTs.
       NOTE: If IPv6 is enabled, TARGET is in the form MAC/IPs/IPv6/PORTs.

       If  you  want  you can omit any of its parts and this will represent an
       ANY in that part.
       e.g.
       "//80" means ANY mac address, ANY ip and ONLY port 80
       "/10.0.0.1/" means ANY mac address, ONLY ip 10.0.0.1 and ANY port

       MAC must be unique and in the form 00:11:22:33:44:55

       IPs is a range of IP in dotted notation. You can specify range with the
       - (hyphen) and single ip with , (comma). You can also use ; (semicolon)
       to indicate different ip addresses.
       e.g.
       "10.0.0.1-5;10.0.1.33" expands  into  ip  10.0.0.1,  2,  3,  4,  5  and
       10.0.1.33

       PORTs  is  a  range of PORTS. You can specify range with the - (hyphen)
       and single port with , (comma).
       e.g.
       "20-25,80,110" expands into ports 20, 21, 22, 23, 24, 25, 80 and 110

       NOTE:
       you can reverse the matching of the TARGET by adding the -R  option  to
       the  command  line. So if you want to sniff ALL the traffic BUT the one
       coming or going to 10.0.0.1 you can specify "./ettercap -R /10.0.0.1/"

       NOTE:
       TARGETs are also responsible of the initial scan of the  lan.  You  can
       use them to restrict the scan to only a subset of the hosts in the net-
       mask. The result of  the  merging  between  the  two  targets  will  be
       scanned.  remember  that not specifying a target means "no target", but
       specifying "//" means "all the hosts in the subnet".





PRIVILEGES DROPPING

       ettercap needs root privileges to open the Link  Layer  sockets.  After
       the  initialization  phase,  the  root privs are not needed anymore, so
       ettercap drops them to UID = 65535  (nobody).  Since  ettercap  has  to
       write  (create)  log files, it must be executed in a directory with the
       right permissions (e.g. /tmp/). If you want to drop privs to a  differ-
       ent  uid, you can export the environment variable EC_UID with the value
       of the uid you want to drop the privs to (e.g.  export  EC_UID=500)  or
       set the correct parameter in the etter.conf file.




SSL MITM ATTACK

       SSL  mitm  attack  is  dependent on TCP traffic redirection to a custom
       listener port of ettercap. The redir_command_on  and  redir_command_off
       configuration variables take care of this (see "etter.conf(5)").
       However,  when ettercap starts, traffic for any source and any destina-
       tion targeted for the  redirectable  services  will  be  redirected  to
       ettercap and the SSL stream will be intercepted.
       This may not be the desired behaviour. Therefore you can adjust the re-
       direct rules after ettercap has been started using  the  selected  user
       interface.

       While performing the SSL mitm attack, ettercap substitutes the real ssl
       certificate with its own. The fake certificate is created  on  the  fly
       and  all  the fields are filled according to the real cert presented by
       the server. Only the issuer is modified and signed with the private key
       contained  in  the 'etter.ssl.crt' file. If you want to use a different
       private key you have to regenerate this file. To  regenerate  the  cert
       file use the following commands:

       openssl genrsa -out etter.ssl.crt 1024
       openssl req -new -key etter.ssl.crt -out tmp.csr
       openssl  x509  -req  -days 1825 -in tmp.csr -signkey etter.ssl.crt -out
       tmp.new
       cat tmp.new >> etter.ssl.crt
       rm -f tmp.new tmp.csr

       NOTE: SSL mitm is not available (for now) in bridged mode.

       NOTE: You can use the --certificate/--private-key long options  if  you
       want to specify a different file rather than the etter.ssl.crt file.




OPTIONS

       Options  that  make  sense together can generally be combined. ettercap
       will warn the user about unsupported option combinations.

       SNIFFING AND ATTACK OPTIONS

       ettercap NG has a  new  unified  sniffing  method.  This  implies  that
       ip_forwarding  in  the  kernel is always disabled and the forwarding is
       done by ettercap. Every packet with destination mac  address  equal  to
       the host's mac address and destination ip address different for the one
       bound to the iface will be forwarded  by  ettercap.  Before  forwarding
       them, ettercap can content filter, sniff, log or drop them. It does not
       matter how these packets are hijacked, ettercap will process them.  You
       can even use external programs to hijack packet.
       You  have full control of what ettercap should receive. You can use the
       internal mitm attacks, set the interface in promisc mode,  use  plugins
       or use every method you want.

       IMPORTANT NOTE: if you run ettercap on a gateway, remember to re-enable
       the ip_forwarding after you have killed ettercap. Since ettercap  drops
       its privileges, it cannot restore the ip_forwarding for you.

       -M, --mitm <METHOD:ARGS>
              MITM attack
              This option will activate the man in the middle attack. The mitm
              attack is totally independent from the sniffing. The aim of  the
              attack  is  to hijack packets and redirect them to ettercap. The
              sniffing engine will forward them if necessary.
              You can choose the mitm attack that you prefer and also  combine
              some of them to perform different attacks at the same time.
              If  a  mitm method requires some parameters you can specify them
              after the colon.  (e.g.  -M dhcp:ip_pool,netmask,etc )

              The following mitm attacks are available:

              arp ([remote],[oneway])
                     This method implements the ARP poisoning mitm attack. ARP
                     requests/replies  are sent to the victims to poison their
                     ARP cache. Once the cache has been poisoned  the  victims
                     will send all packets to the attacker which, in turn, can
                     modify and forward them to the real destination.

                     In silent mode (-z  option)  only  the  first  target  is
                     selected, if you want to poison multiple target in silent
                     mode use the -j option to load a list from a file.

                     You can select empty targets and they will be expanded as
                     'ANY'  (all  the  hosts  in  the LAN). The target list is
                     joined with the hosts list (created by the arp scan)  and
                     the  result  is  used  to  determine  the  victims of the
                     attack.

                     The parameter "remote" is optional and you have to  spec-
                     ify it if you want to sniff remote ip address poisoning a
                     gateway. Indeed if you specify a victim and the gw in the
                     TARGETS,  ettercap  will  sniff  only  connection between
                     them, but to enable ettercap to  sniff  connections  that
                     pass thru the gw, you have to use this parameter.

                     The parameter "oneway" will force ettercap to poison only
                     from TARGET1 to TARGET2. Useful if  you  want  to  poison
                     only  the client and not the router (where an arp watcher
                     can be in place).

                     Example:

                     the targets are: /10.0.0.1-5/ /10.0.0.15-20/
                     and  the  host  list  is:  10.0.0.1  10.0.0.3   10.0.0.16
                     10.0.0.18

                     the associations between the victims will be:
                     1 and 16, 1 and 18, 3 and 16, 3 and 18

                     if  the  targets overlap each other, the association with
                     identical ip address will be skipped.

                     NOTE: if you manage to poison a client, you have  to  set
                     correct routing table in the kernel specifying the GW. If
                     your routing table is  incorrect,  the  poisoned  clients
                     will not be able to navigate the Internet.



              icmp (MAC/IP)
                     This  attack  implements  ICMP  redirection.  It  sends a
                     spoofed icmp redirect message to the  hosts  in  the  lan
                     pretending to be a better route for internet. All connec-
                     tions to internet will  be  redirected  to  the  attacker
                     which,  in  turn,  will forward them to the real gateway.
                     The resulting attack is  a  HALF-DUPLEX  mitm.  Only  the
                     client  is  redirected, since the gateway will not accept
                     redirect messages for a directly  connected  network.  BE
                     SURE  TO  NOT USE FILTERS THAT MODIFY THE PAYLOAD LENGTH.
                     you can use a filter to modify packets,  but  the  length
                     must  be  the  same  since  the  tcp  sequences cannot be
                     updated in both ways.
                     You have to pass as argument the MAC and the  IP  address
                     of the real gateway for the lan.
                     Obviously  you  have to be able to sniff all the traffic.
                     If you are on a switch you have to use a  different  mitm
                     attack such as arp poisoning.

                     NOTE:  to  restrict  the  redirection  to a given target,
                     specify it as a TARGET

                     Example:

                     -M icmp:00:11:22:33:44:55/10.0.0.1

                     will redirect all the connections  that  pass  thru  that
                     gateway.



              dhcp (ip_pool/netmask/dns)
                     This attack implements DHCP spoofing. It pretends to be a
                     DHCP server and tries to win the race condition with  the
                     real  one  to  force  the client to accept the attacker's
                     reply. This way ettercap is able  to  manipulate  the  GW
                     parameter  and  hijack all the outgoing traffic generated
                     by the clients.
                     The resulting attack is a HALF-DUPLEX mitm. So be sure to
                     use  appropriate filters (see above in the ICMP section).

                     You have to pass the ip pool to be used, the netmask  and
                     the  ip  of  the dns server.  Since ettercap tries to win
                     the race with the real server, it DOES NOT CHECK  if  the
                     ip is already assigned. You have to specify an ip pool of
                     FREE addresses to be used. The ip pool has the same  form
                     of the target specification.

                     If  the  client  sends  a  dhcp request (suggesting an ip
                     address) ettercap will ack on that ip and modify only the
                     gw option. If the client makes a dhcp discovery, ettercap
                     will use the first unused ip address of the list you have
                     specified on command line. Every discovery consumes an ip
                     address. When the list is over, ettercap  stops  offering
                     new ip addresses and will reply only to dhcp requests.
                     If  you  don't  want  to  offer  any ip address, but only
                     change the router information of  dhcp  request/ack,  you
                     can specify an empty ip_pool.

                     BIG WARNING: if you specify a list of ip that are in use,
                     you will mess your network! In general, use  this  attack
                     carefully.  It  can really mess things up!  When you stop
                     the attack, all the victims will be still convinced  that
                     ettercap is the gateway until the lease expires...

                     Example:

                     -M dhcp:192.168.0.30,35,50-60/255.255.255.0/192.168.0.1
                     reply to DHCP offer and request.

                     -M dhcp:/255.255.255.0/192.168.0.1
                     reply only to DHCP request.


              port ([remote],[tree])
                     This  attack  implements Port Stealing. This technique is
                     useful to sniff in a switched environment when  ARP  poi-
                     soning  is not effective (for example where static mapped
                     ARPs are used).

                     It floods the LAN (based on  port_steal_delay  option  in
                     etter.conf)  with  ARP  packets. If you don't specify the
                     "tree"  option,  the  destination  MAC  address  of  each
                     "stealing"  packet  is  the  same  as  the attacker's one
                     (other NICs won't see  these  packets),  the  source  MAC
                     address  will  be  one of the MACs in the host list. This
                     process "steals" the switch port of each victim  host  in
                     the  host  list.   Using  low delays, packets destined to
                     "stolen" MAC addresses will be received by the  attacker,
                     winning  the  race  condition  with  the real port owner.
                     When the attacker receives packets for "stolen" hosts, it
                     stops  the  flooding  process and performs an ARP request
                     for the real destination of the packet.  When it receives
                     the  ARP reply it's sure that the victim has "taken back"
                     his port, so ettercap can re-send the packet to the  des-
                     tination as is.  Now we can re-start the flooding process
                     waiting for new packets.

                     If you use the "tree" option, the destination MAC address
                     of  each  stealing  packet  will be a bogus one, so these
                     packets will be propagated to other  switches  (not  only
                     the directly connected one). This way you will be able to
                     steal ports on other switches in the tree (if  any),  but
                     you  will generate a huge amount of traffic (according to
                     port_steal_delay).  The  "remote"  option  has  the  same
                     meaning as in "arp" mitm method.

                     When  you  stop  the  attack,  ettercap  will send an ARP
                     request to each stolen  host  giving  back  their  switch
                     ports.
                     You can perform either HALF or FULL DUPLEX mitm according
                     to target selection.

                     NOTE: Use this mitm method only on ethernet switches. Use
                     it  carefully, it could produce performances loss or gen-
                     eral havoc.

                     NOTE: You can NOT use this method in only-mitm  mode  (-o
                     flag),  because  it  hooks  the  sniffing engine, and you
                     can't use interactive data injection.

                     NOTE: It could be dangerous to use it in conjunction with
                     other mitm methods.

                     NOTE:  This  mitm method doesn't work on Solaris and Win-
                     dows because of the lipcap and libnet design and the lack
                     of  certain  ioctl().   (We  will  feature this method on
                     these OSes if someone will request it...)

                     Example:

                     The targets are: /10.0.0.1/ /10.0.0.15/
                     You will intercept and visualize traffic between 10.0.0.1
                     and  10.0.0.15,  but you will receive all the traffic for
                     10.0.0.1 and 10.0.0.15 too.

                     The target is: /10.0.0.1/
                     You will intercept and  visualize  all  the  traffic  for
                     10.0.0.1.





              ndp ([remote],[oneway])
                     NOTE:  This MITM method is only supported if IPv6 support
                     has been enabled.

                     This method implements the NDP poisoning attack which  is
                     used  for  MITM  of IPv6 connections. ND requests/replies
                     are sent to the victims to poison their  neighbor  cache.
                     Once  the  cache  has been poisoned the victims will send
                     all IPv6 packets to the attacker which, in turn, can mod-
                     ify and forward them to the real destination.

                     In  silent  mode  (-z  option)  only  the first target is
                     selected, if you want to poison multiple target in silent
                     mode use the -j option to load a list from a file.

                     You can select empty targets and they will be expanded as
                     'ANY' (all the hosts in the  LAN).  The  target  list  is
                     joined  with the hosts list (created by the arp scan) and
                     the result is  used  to  determine  the  victims  of  the
                     attack.

                     The  parameter "remote" is optional and you have to spec-
                     ify it if you want to sniff remote ip address poisoning a
                     gateway. Indeed if you specify a victim and the gw in the
                     TARGETS, ettercap  will  sniff  only  connection  between
                     them,  but  to  enable ettercap to sniff connections that
                     pass thru the gw, you have to use this parameter.

                     The parameter "oneway" will force ettercap to poison only
                     from  TARGET1  to  TARGET2.  Useful if you want to poison
                     only the client and not the router (where an arp  watcher
                     can be in place).

                     Example:

                     Targets         are:         //fe80::260d:afff:fe6e:f378/
                     //2001:db8::2:1/
                     Ranges of IPv6 addresses are not yet supported.

                     NOTE: if you manage to poison a client, you have  to  set
                     correct routing table in the kernel specifying the GW. If
                     your routing table is  incorrect,  the  poisoned  clients
                     will not be able to navigate the Internet.

                     NOTE:  in  IPv6  usually  the  link-local  address of the
                     router is being used as the gateway address. Therefor you
                     need  to  set the link-local address of the router as one
                     target and the global-unicast address of  the  victim  as
                     the  other  in  order  to  set up a successfull IPv6 MITM
                     attack using NDP poisoning.


       -o, --only-mitm
              This options disables the sniffing thread and enables  only  the
              mitm attack.  Useful if you want to use ettercap to perform mitm
              attacks and another sniffer (such as  wireshark)  to  sniff  the
              traffic.  Keep  in  mind  that  the packets are not forwarded by
              ettercap. The kernel will be  responsible  for  the  forwarding.
              Remember to activate the "ip forwarding" feature in your kernel.


       -f, --pcapfilter <FILTER>
              Set a capturing filter in the pcap library. The  format  is  the
              same  as  tcpdump(1). Remember that this kind of filter will not
              sniff packets out of the wire, so if you want to perform a  mitm
              attack, ettercap will not be able to forward hijacked packets.
              These  filters  are  useful  to decrease the network load impact
              into ettercap decoding module.


       -B, --bridge <IFACE>
              BRIDGED sniffing
              You need two network interfaces. ettercap will forward form  one
              to  the  other  all the traffic it sees. It is useful for man in
              the middle at the physical layer. It is totally  stealthy  since
              it  is  passive  and  there  is  no  way  for an user to see the
              attacker.
              You can content filter all the traffic as you were a transparent
              proxy for the "cable".



       OFF LINE SNIFFING

       -r, --read <FILE>
              OFF LINE sniffing
              With  this  option  enabled,  ettercap will sniff packets from a
              pcap compatible file instead of capturing from the wire.
              This is useful if you have a file dumped from tcpdump  or  wire-
              shark  and you want to make an analysis (search for passwords or
              passive fingerprint) on it.
              Obviously you cannot use "active"  sniffing  (arp  poisoning  or
              bridging) while sniffing from a file.

       -w, --write <FILE>
              WRITE packet to a pcap file
              This is useful if you have to use "active" sniffing (arp poison)
              on a switched LAN but you want to analyze the packets with  tcp-
              dump  or  wireshark. You can use this option to dump the packets
              to a file and then load it into your favourite application.

              NOTE: dump file collect ALL the packets disregarding the TARGET.
              This is done because you may want to log even protocols not sup-
              ported by ettercap, so you can analyze them with other tools.

              TIP: you can use the -w option in conjunction with the  -r  one.
              This  way  you  will be able to filter the payload of the dumped
              packets or decrypt WEP-encrypted WiFi traffic and dump  them  to
              another file.



       USER INTERFACES OPTIONS

       -T, --text
              The text only interface, only printf ;)
              It  is  quite interactive, press 'h' in every moment to get help
              on what you can do.


       -q, --quiet
              Quiet mode. It can be used only in conjunction with the  console
              interface. It does not print packet content. It is useful if you
              want to convert pcap file to ettercap log files.

              example:

              ettercap -Tq -L dumpfile -r pcapfile


       -s, --script <COMMANDS>
              With this option you can feed ettercap with command as they were
              typed on the keyboard by the user. This way you can use ettercap
              within your favourite scripts. There is a  special  command  you
              can issue thru this command: s(x). this command will sleep for x
              seconds.

              example:

              ettercap -T -s 'lq'  will print the list of the hosts and exit
              ettercap -T -s 's(300)olqq'  will collect the infos for  5  min-
              utes, print the list of the local profiles and exit



       -C, --curses
              Ncurses  based  GUI.  See ettercap_curses(8) for a full descrip-
              tion.



       -G, --gtk
              The nice GTK2 interface (thanks Daten...).



       -D, --daemonize
              Daemonize ettercap. This option will detach  ettercap  from  the
              current  controlling  terminal  and  set it as a daemon. You can
              combine this feature with the "log" option to log all the  traf-
              fic  in  the  background. If the daemon fails for any reason, it
              will create the file "./ettercap_daemonized.log"  in  which  the
              error  caught  by ettercap will be reported. Furthermore, if you
              want to have a complete debug of the  daemon  process,  you  are
              encouraged to recompile ettercap in debug mode.




       GENERAL OPTIONS

       -b, --broadcast
              Tells Ettercap to process packets coming from Broadcast address.


       -i, --iface <IFACE>
              Use this <IFACE> instead of the default one. The  interface  can
              be unconfigured (requires libnet >= 1.1.2), but in this case you
              cannot use MITM attacks and you should set the unoffensive flag.


       -I, --iflist
              This  option will print the list of all available network inter-
              faces that can be used within ettercap. The option  is  particu-
              larly  useful  under  windows where the name of the interface is
              not so obvious as under *nix.


       -Y, --secondary <interface list>
              Specify a list of (or single) secondary  interfaces  to  capture
              packets from.


       -A, --address <ADDRESS>
              Use  this <ADDRESS> instead of the one autodetected for the cur-
              rent iface. This option is useful if you have an interface  with
              multiple ip addresses.


       -n, --netmask <NETMASK>
              Use  this  <NETMASK> instead of the one associated with the cur-
              rent iface. This option is useful if you have the  NIC  with  an
              associated netmask of class B and you want to scan (with the arp
              scan) only a class C.


       -R, --reversed
              Reverse the matching in the TARGET selection. It means  not(TAR-
              GET). All but the selected TARGET.


       -t, --proto <PROTO>
              Sniff only PROTO packets (default is TCP + UDP).
              This is useful if you want to select a port via the TARGET spec-
              ification but you want to differentiate between tcp or udp.
              PROTO can be "tcp", "udp" or "all" for both.


       -6, --ip6scan
              Send ICMPv6 probes to discover active IPv6 nodes  on  the  link.
              This  options  sends  a ping request to the all-nodes address to
              motivate active IPv6 hosts to respond. You should not  use  this
              option  if  you  try  to hide yourself. Therefore this option is
              optional.

              NOTE: This option is only available if  IPv6  support  has  been
              enabled.


       -z, --silent
              Do not perform the initial ARP scan of the LAN.

              NOTE:  you  will  not  have the hosts list, so you can't use the
              multipoison feature.  you can only select two hosts for  an  ARP
              poisoning attack, specifying them through the TARGETs


       -p, --nopromisc
              Usually,  ettercap  will  put  the  interface in promisc mode to
              sniff all the traffic on the wire. If you  want  to  sniff  only
              your  connections, use this flag to NOT enable the promisc mode.


       -S, --nosslmitm
              Usually, ettercap forges SSL certificates in order to  intercept
              https traffic.  This option disables that behavior.


       -u, --unoffensive
              Every  time  ettercap  starts,  it disables ip forwarding in the
              kernel and begins to forward packets itself. This option prevent
              to  do  that,  so the responsibility of ip forwarding is left to
              the kernel.
              This options is useful if you  want  to  run  multiple  ettercap
              instances.  You  will  have one instance (the one without the -u
              option) forwarding the packets,  and  all  the  other  instances
              doing their work without forwarding them. Otherwise you will get
              packet duplicates.
              It also disables the internal creation of the sessions for  each
              connection.  It increases performances, but you will not be able
              to modify packets on the fly.
              If you want to use a mitm attack you  have  to  use  a  separate
              instance.
              You  have  to  use  this option if the interface is unconfigured
              (without an ip address.)
              This is also useful if you want to run ettercap on the  gateway.
              It  will  not  disable  the forwarding and the gateway will cor-
              rectly route the packets.


       -j, --load-hosts <FILENAME>
              It can be used to load a hosts list from a file created  by  the
              -k option. (see below)


       -k, --save-hosts <FILENAME>
              Saves  the hosts list to a file. Useful when you have many hosts
              and you don't want to do an ARP storm at startup  any  time  you
              use  ettercap.  Simply  use  this options and dump the list to a
              file, then to load the information from it use the -j <filename>
              option.


       -P, --plugin <PLUGIN>
              Run the selected PLUGIN. Many plugins need target specification,
              use TARGET as always. Use multiple occurances of this  parameter
              to select multiple plugins.
              In console mode (-C option), standalone plugins are executed and
              then the application exits. Hook plugins are activated  and  the
              normal sniffing is performed.
              To  have  a  list  of  the available external plugins use "list"
              (without quotes) as plugin name (e.g. ./ettercap -P list).

              NOTE: you can also activate plugins directly from the interfaces
              (always press "h" to get the inline help)

              More detailed info about plugins and about how to write your own
              are found in the man page ettercap_plugins(8)


       -F, --filter <FILE>
              Load the filter from the file <FILE>. The filter  must  be  com-
              piled  with  etterfilter(8). The utility will compile the filter
              script and produce an  ettercap-compliant  binary  filter  file.
              Read  the  etterfilter(8) man page for the list of functions you
              can use inside a filter script.  Any number of  filters  can  be
              loaded  by  specifying  the  option  multiple times; packets are
              passed through each filter in the order specified on the command
              line.  You can also load a script without enabling it by append-
              ing :0 to the filename.
              NOTE: these filters are different from those set with --pcapfil-
              ter.  An  ettercap filter is a content filter and can modify the
              payload of a packet before forwarding it. Pcap filter  are  used
              to capture only certain packets.
              NOTE: you can use filters on pcapfile to modify them and save to
              another file, but in this case you have to pay attention on what
              you  are  doing,  since ettercap will not recalculate checksums,
              nor split packets exceeding the mtu (snaplen) nor anything  like
              that.


       -W, --wifi-key <KEY>
              You can specify a key to decrypt WiFi packets (WEP or WPA). Only
              the  packets  decrypted  successfully  will  be  passed  to  the
              decoders stack, the others will be skipped with a message.
              The  parameter  has  the  following  syntax: type:bits:t:string.
              Where 'type' can be: wep, wpa-pws or wpa-psk, 'bits' is the  bit
              length  of  the  key  (64,  128  or 256), 't' is the type of the
              string ('s' for string and 'p' for passphrase). 'string' can  be
              a string or an escaped hex sequences.

              example:
              --wifi-key wep:128:p:secret
              --wifi-key wep:128:s:ettercapwep0
              --wifi-key 'wep:64:s:\x01\x02\x03\x04\x05'
              --wifi-key wpa:pwd:ettercapwpa:ssid
              --wifi-key wpa:psk:
              663eb260e87cf389c6bd7331b28d82f5203b0cae4e315f9cbb7602f3236708a6



       -a, --config <CONFIG>
              Loads an alternative config  file  instead  of  the  default  in
              /opt/local/etc/etter.conf.  This is useful if you have many pre-
              configured files for different situations.

       --certificate <FILE>
              Tells Ettercap to use the specified certificate file for the SSL
              MiTM attack.


       --private-key <FILE>
              Tells Ettercap to use the specified private key file for the SSL
              MiTM attack.



       VISUALIZATION OPTIONS


       -e, --regex <REGEX>
              Handle only packets that match the regex.
              This option is useful in conjunction with -L. It logs only pack-
              ets that match the posix regex REGEX.
              It  impacts even the visualization of the sniffed packets. If it
              is set only packets matching the regex will be displayed.


       -V, --visual <FORMAT>
              Use this option to set the visualization method for the  packets
              to be displayed.

              FORMAT may be one of the following:



              hex    Print the packets in hex format.

                     example:

                     the string  "HTTP/1.1 304 Not Modified"  becomes:

                     0000:  4854  5450 2f31 2e31 2033 3034 204e 6f74  HTTP/1.1
                     304 Not
                     0010: 204d 6f64 6966 6965 64                    Modified


              ascii  Print only "printable" characters, the  others  are  dis-
                     played as dots '.'


              text   Print  only  the "printable" characters and skip the oth-
                     ers.


              ebcdic Convert an EBCDIC text to ASCII.


              html   Strip all the html tags from the text.  A  tag  is  every
                     string between < and >.

                     example:

                     <title>This  is  the  title</title>,  but  the  following
                     <string> will not be displayed.

                     This is the title, but the following  will  not  be  dis-
                     played.


              utf8   Print  the  packets  in  UTF-8  format. The encoding used
                     while  performing  the  conversion  is  declared  in  the
                     etter.conf(5) file.




       -d, --dns
              Resolve ip addresses into hostnames.

              NOTE:  this  may seriously slow down ettercap while logging pas-
              sive information.  Every time a new host is found,  a  query  to
              the  dns  is  performed.  Ettercap  keeps  a  cache  for already
              resolved host to increase the speed, but new hosts  need  a  new
              query  and  the dns may take up to 2 or 3 seconds to respond for
              an unknown host.

              HINT: ettercap collects the dns replies it sniffs in the resolu-
              tion table, so even if you specify to not resolve the hostnames,
              some of them will be resolved because the reply  was  previously
              sniffed.  think about it as a passive dns resolution for free...
              ;)


       -E, --ext-headers
              Print extended headers for every  displayed  packet.  (e.g.  mac
              addresses)


       -Q, --superquiet
              Super  quiet  mode. Do not print users and passwords as they are
              collected. Only store them in the profiles. It can be useful  to
              run  ettercap in text only mode but you don't want to be flooded
              with dissectors messages. Useful when using plugins because  the
              sniffing  process  is  always active, it will print all the col-
              lected infos, with this option you can suppress these  messages.
              NOTE: this options automatically sets the -q option.

              example:

              ettercap -TzQP finger /192.168.0.1/22





       LOGGING OPTIONS

       -L, --log <LOGFILE>
              Log  all  the packets to binary files. These files can be parsed
              by etterlog(8) to extract human readable data. With this option,
              all  packets  sniffed  by ettercap will be logged, together with
              all the passive info (host info + user & pass) it  can  collect.
              Given  a LOGFILE, ettercap will create LOGFILE.ecp (for packets)
              and LOGFILE.eci (for the infos).

              NOTE: if you specify this option on command line you don't  have
              to  take  care of privileges since the log file is opened in the
              startup phase (with high privs).  But  if  you  enable  the  log
              option  while  ettercap  is already started, you have to be in a
              directory where uid = 65535 or uid = EC_UID can write.

              NOTE: the logfiles can be compressed with the deflate  algorithm
              using the -c option.


       -l, --log-info <LOGFILE>
              Very  similar to -L but it logs only passive information + users
              and passwords for each host. The file will be named LOGFILE.eci


       -m, --log-msg <LOGFILE>
              It stores in <LOGFILE> all the user messages printed  by  etter-
              cap.  This  can  be useful when you are using ettercap in daemon
              mode or if you want to track down all the messages. Indeed, some
              dissectors  print  messages  but their information is not stored
              anywhere, so this is the only way to keep track of them.


       -c, --compress
              Compress the logfile with the gzip algorithm while it is dumped.
              etterlog(8)  is  capable  of handling both compressed and uncom-
              pressed log files.


       -o, --only-local
              Stores profiles information belonging only to the LAN hosts.

              NOTE: this option is effective only against  the  profiles  col-
              lected  in  memory.   While  logging to a file ALL the hosts are
              logged. If you want to split them, use the  related  etterlog(8)
              option.


       -O, --only-remote
              Stores profiles information belonging only to remote hosts.





       STANDARD OPTIONS



       -v, --version
              Print the version and exit.


       -h, --help
              prints  the  help  screen  with a short summary of the available
              options.






EXAMPLES

       Here are some examples of using ettercap.

       ettercap -Tp

              Use the console interface  and  do  not  put  the  interface  in
              promisc mode. You will see only your traffic.


       ettercap -Tzq

              Use the console interface, do not ARP scan the net and be quiet.
              The packet content will not be displayed,  but  user  and  pass-
              words, as well as other messages, will be displayed.


       ettercap -T -j /tmp/victims -M arp /10.0.0.1-7/ /10.0.0.10-20/

              Will  load  the  hosts list from /tmp/victims and perform an ARP
              poisoning attack against the two target. The list will be joined
              with  the  target and the resulting list is used for ARP poison-
              ing.


       ettercap -T -M arp // //

              Perform the ARP poisoning attack against all the  hosts  in  the
              LAN. BE CAREFUL !!


       ettercap -T -M arp:remote /192.168.1.1/ /192.168.1.2-10/

              Perform  the  ARP  poisoning against the gateway and the host in
              the lan between 2 and 10. The 'remote' option is  needed  to  be
              able  to  sniff  the  remote  traffic the hosts make through the
              gateway.


       ettercap -Tzq //110

              Sniff only the pop3 protocol from every hosts.


       ettercap -Tzq /10.0.0.1/21,22,23

              Sniff telnet, ftp and ssh connections to 10.0.0.1.


       ettercap -P list

              Prints the list of all available plugins




FILES

       ~/.config/ettercap_gtk

              Stores persistent information (e.g., window  placement)  between
              sessions.




ORIGINAL AUTHORS

       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>


PROJECT STEWARDS

       Emilio Escobar (exfil)  <eescobar@gmail.com>
       Eric Milam (Brav0Hax)  <jbrav.hax@gmail.com>


OFFICIAL DEVELOPERS

       Mike Ryan (justfalter)  <falter@gmail.com>
       Gianfranco Costamagna (LocutusOfBorg)  <costamagnagianfranco@yahoo.it>
       Antonio Collarino (sniper)  <anto.collarino@gmail.com>
       Ryan Linn   <sussuro@happypacket.net>
       Jacob Baines   <baines.jacob@gmail.com>


CONTRIBUTORS

       Dhiru Kholia (kholia)  <dhiru@openwall.com>
       Alexander Koeppe (koeppea)  <format_c@online.de>
       Martin Bos (PureHate)  <purehate@backtrack.com>
       Enrique Sanchez
       Gisle Vanem  <giva@bgnett.no>
       Johannes Bauer  <JohannesBauer@gmx.de>
       Daten (Bryan Schneiders)  <daten@dnetc.org>




SEE ALSO

       etter.conf(5) ettercap_curses(8) ettercap_plugins(8) etterlog(8) etter-
       filter(8) ettercap-pkexec(8)





AVAILABILITY

       https://github.com/Ettercap/ettercap/downloads



GIT

       git clone git://github.com/Ettercap/ettercap.git
       or
       git clone https://github.com/Ettercap/ettercap.git



BUGS

       Our software never has bugs.
       It just develops random features.   ;)

       KNOWN-BUGS

       - ettercap doesn't handle fragmented packets... only the first  segment
       will  be  displayed  by the sniffer. However all the fragments are cor-
       rectly forwarded.

       + please send bug-report, patches or suggestions to <ettercap-betatest-
       ing@lists.sourceforge.net>  or visit https://github.com/Ettercap/etter-
       cap/issues.

       + to report a bug, follow the instructions in the README.BUGS file




PHILOLOGICAL HISTORY

       "Even if blessed  with  a  feeble  intelligence,  they  are  cruel  and
       smart..."   this  is  the description of Ettercap, a monster of the RPG
       Advanced Dungeons & Dragon.

       The name "ettercap" was chosen because it has an assonance with "ether-
       cap"  which  means "ethernet capture" (what ettercap actually does) and
       also because such monsters have a powerful poison... and you know,  arp
       poisoning... ;)




The Lord Of The (Token)Ring

       (the fellowship of the packet)

       "One Ring to link them all, One Ring to ping them,
        one Ring to bring them all and in the darkness sniff them."




Last words

       "Programming  today  is  a  race between software engineers striving to
       build bigger and better idiot-proof programs, and the  Universe  trying
       to  produce bigger and better idiots. So far, the Universe is winning."
       - Rich Cook



ettercap 0.8.2                                                     ettercap(8)

ettercap 0.8.3 - Generated Sun Aug 11 10:29:29 CDT 2019
© manpagez.com 2000-2024
Individual documents may contain additional copyright information.