manpagez: man pages & more
man ettercap_plugins(8)
Home | html | info | man
ETTERCAP-PLUGINS(8)                                        ETTERCAP-PLUGINS(8)




NAME

       ettercap-plugins - A collection of plugins for ettercap



DESCRIPTION

       Ettercap(8) supports loadable modules at runtime. They are called plug-
       ins and they come within the source  tarball.  They  are  automatically
       compiled  if  your  system  supports  them  or  until you specify -DEN-
       ABLE_PLUGINS=OFF option to the cmake configure script.
       Some of older ettercap plugins (roper, banshee, and  so  on)  have  not
       been  ported  in the new version.  By the way, you can achieve the same
       results by using new filtering engine.
       If you use interactive mode, most plugins need to "Start Sniff"  before
       using them.


       To have a list of plugins installed in your system do that command:

              ettercap -P list



       The following is a list of available plugins:


       arp_cop

              It  reports  suspicious ARP activity by passively monitoring ARP
              requests/replies.  It can report ARP posioning attempts, or sim-
              ple  IP-conflicts  or IP-changes.  If you build the initial host
              list the plugin will run more accurately.

              example :

              ettercap -TQP arp_cop //



       autoadd

              It will automatically add new victims to the ARP poisoning  mitm
              attack  when  they come up. It looks for ARP requests on the lan
              and when detected it will add the host to the victims list if it
              was  specified  in  the  TARGET.  The  host is added when an arp
              request is seen form it, since communicating hosts are alive :)



       chk_poison

              It performs a check to see if the arp poisoning module of etter-
              cap  was  successful.  It sends spoofed ICMP echo packets to all
              the victims of the poisoning pretending to be each of the  other
              targets.  If  we can catch an ICMP reply with our MAC address as
              destination it means that the poisoning between those  two  tar-
              gets  is  successful. It checks both ways of each communication.
              This plugin makes sense only where poisoning makes  sense.   The
              test  fails  if you specify only one target in silent mode.  You
              can't run this plugin from command line  because  the  poisoning
              process  is  not  started  yet.  You  have to launch it from the
              proper menu.



       dns_spoof

              This plugin intercepts  DNS  query  and  reply  with  a  spoofed
              answer.  You  can  choose  to  which addresses the plugin has to
              reply, and the expiry time in seconds  (TTL)  by  modifying  the
              etter.dns  file.  The  plugin intercepts A, AAAA, PTR, MX, WINS,
              SRV and TXT request. If  it  was  an  A  request,  the  name  is
              searched in the file and the IP address is returned (you can use
              wildcards in the name).
              The same applies if it was a AAAA request.

              TTL is an optional field which is specified as the  last  option
              in  an  entry  in  the etter.dns file. The TTL is specified in a
              number of seconds from 0 to 2^31-1 (see RFC 2181). TTL is speci-
              fied on a per-host basis. If the TTL is not specified for a par-
              ticular host, the default value is 3600 seconds (1 hour).

              If it was a PTR request, the IP address is searched in the  file
              and  the  name  is  returned (except for those name containing a
              wildcard). For PTR requests, IPv4 or  IPv6  addresses  are  sup-
              ported.

              In  case  of  MX request a special reply is crafted. The host is
              resolved with a fake host 'mail.host' and the additional  record
              contains  the  IP address of 'mail.host'. The first address that
              matches is returned, so  be  careful  with  the  order.  The  IP
              address for MX requests can be a IPv4 or a IPv6 address.

              If  the  request was a WINS request, the name is searched in the
              file and the IP address is returned.

              In case of SRV request, a special reply is crafted. The host  is
              resolved  with  a fake host 'srv.host' and the additional record
              contains the IP address of 'srv.host'. The IP  address  for  SRV
              requests can be a IPv4 or a IPv6 address.

              In  case of a TXT request, the string defined is being returned.
              The string has to be wrapped in double quotes. Wildcards for the
              requested name can also be used.

              A  special  reply  can be spoofed for A or AAAA requests, if the
              'undefined address' is specified as the IP address in the  file.
              Then  the client gets a response which stops resolution process-
              ing imediately. This way one can control which address family is
              being used to access a dual-stacked host.

              In  the  case of an ANY request, all matching results of type A,
              AAAA, MX and TXT are returned in the reply.  If  the  'undefined
              address'  for  A or AAAA records is defined, nothing is returned
              for these types whether or not the name matches.



       mdns_spoof

              This plugin does the same  as  the  dns_spoof  plugin  described
              above,  despite that it listens for mDNS (Multicast DNS) queries
              on UDP port 5353.  To choose to which address the  plugin  shall
              reply,  you have to modify a diffent file called etter.mdns. Due
              to the nature of mDNS, the plugin intercepts only A,  AAAA,  PTR
              and SRV requests.

              The way the mdns_spoof plugin interprets the etter.mdns file and
              the rules that apply are the same as with the dns_spoof  plugin,
              although  currently the mdns_spoof plugin lacks support for cus-
              tom TTL. The TTL for all spoofed mDNS replies is 3600 seconds (1
              hour).



       dos_attack

              This plugin runs a d.o.s. attack against a victim IP address. It
              first "scans" the victim to find  open  ports,  then  starts  to
              flood these ports with SYN packets, using a "phantom" address as
              source IP. Then it uses fake ARP replies  to  intercept  packets
              for  the phantom host. When it receives SYN-ACK from the victim,
              it replies with an ACK packet creating  an  ESTABLISHED  connec-
              tion.   You have to use a free IP address in your subnet to cre-
              ate the "phantom" host (you can use find_ip for  this  purpose).
              You can't run this plugin in unoffensive mode.
              This   plugin  is  based  on  the  original  Naptha  DoS  attack
              (http://razor.bindview.com/publish/advisories/adv_NAPTHA.html)

              example :

              ettercap -TQP dos_attack


       dummy

              Only a template to demonstrate how to write a plugin.



       find_conn

              Very simple plugin that listens for ARP requests to show you all
              the targets an host wants to talk to. It can also help you find-
              ing addresses in an unknown LAN.

              example :

              ettercap -TQzP find_conn

              ettercap -TQu -i eth0 -P find_conn



       find_ettercap

              Try to identify ettercap packets sent on the LAN.  It  could  be
              useful to detect if someone is using ettercap. Do not rely on it
              100% since the tests are only on particular sequence/identifica-
              tion numbers.



       find_ip

              Find  the  first unused IP address in the range specified by the
              user in the target list. Some other plugins (such as  gre_relay)
              need  an  unused  IP address of the LAN to create a "fake" host.
              It can also be useful to obtain an IP address in an unknown  LAN
              where  there  is no dhcp server. You can use find_conn to deter-
              mine the IP addressing of the LAN, and then find_ip.   You  have
              to  build  host  list  to use this plugin so you can't use it in
              unoffensive mode. If you don't  have  an  IP  address  for  your
              interface,   give   it   a   bogus  one  (e.g.  if  the  LAN  is
              192.168.0.0/24, use 10.0.0.1  to  avoid  conflicting  IP),  then
              launch  this plugin specifying the subnet range.  You can run it
              either from the command line or from the proper menu.

              example :

              ettercap -TQP find_ip //

              ettercap -TQP find_ip /192.168.0.1-254/



       finger

              Uses the  passive  fingerprint  capabilities  to  fingerprint  a
              remote host. It does a connect() to the remote host to force the
              kernel to reply to the SYN with a SYN+ACK packet. The reply will
              be  collected  and  the  fingerprint is displayed. The connect()
              obey to the connect_timeout parameter in etter.conf(5). You  can
              specify  a target on command-line or let the plugin ask the tar-
              get host to be fingerprinted. You can also specify multiple tar-
              get with the usual multi-target specification (see ettercap(8)).
              if you specify multiple ports, all the ports will be  tested  on
              all the IPs.

              example :

              ettercap -TzP finger /192.168.0.1/22
              ettercap -TzP finger /192.168.0.1-50/22,23,25



       finger_submit

              Use this plugin to submit a fingerprint to the ettercap website.
              If you found an unknown fingerprint, but you know for  sure  the
              operating  system of the target, you can submit it so it will be
              inserted in the database in the next ettercap release.  We  need
              your  help  to  increase the passive fingerprint database. Thank
              you very much.

              example :

              ettercap -TzP finger_submit


       fraggle_attack

              This plugin performs a DoS  attack  because  it  sends  a  large
              amount  of  UDP echo and chargen traffic to all hosts in target2
              with a fake source ip address (victim).

              example (192.168.0.5 is the victim):

              ettercap -i eth1 -Tq /192.168.0.5/ // -P fraggle_attack


       gre_relay

              This plugin can be used to sniff GRE-redirected remote  traffic.
              The  basic  idea  is  to  create a GRE tunnel that sends all the
              traffic on a router interface to the ettercap machine. The plug-
              in  will send back the GRE packets to the router, after ettercap
              "manipulation" (you can use "active" plugins such  as  smb_down,
              ssh  decryption, filters, etc... on redirected traffic) It needs
              a "fake" host where the traffic has  to  be  redirected  to  (to
              avoid kernel's responses). The "fake" IP will be the tunnel end-
              point.  Gre_relay plugin will impersonate the "fake"  host.   To
              find  an  unused  IP  address  for  the  "fake" host you can use
              find_ip plugin.  Based on  the  original  Tunnelx  technique  by
              Anthony       C.       Zboralski      (http://www.phrack.org/ar-
              chives/issues/56/10.txt).


       gw_discover

              This plugin try to discover the gateway of the  lan  by  sending
              TCP SYN packets to a remote host. The packet has the destination
              IP of a remote host and the destination mac address of  a  local
              host.  If  ettercap  receives the SYN+ACK packet, the host which
              own the source mac address of the reply  is  the  gatway.   This
              operation  is  repeated for each host in the 'host list', so you
              need to have a valid host list before launching this plugin.

              example :

              ettercap -TP gw_discover /192.168.0.1-50/


       isolate

              The isolate plugin will isolate an host form the  LAN.  It  will
              poison  the  victim's arp cache with its own mac address associ-
              ated with all the host it tries to contact. This  way  the  host
              will  not be able to contact other hosts because the packet will
              never reach the wire.
              You can specify all the host or only a group. the targets speci-
              fication  work this way: the target1 is the victim and must be a
              single host, the target2 can be a range of addresses and  repre-
              sent the hosts that will be blocked to the victim.

              examples :

              ettercap -TzqP isolate /192.168.0.1/ //
              ettercap -TP isolate /192.168.0.1/ /192.168.0.2-30/



       krb5_downgrade

              It downgrades Kerberos V5 security by modifying the etype values
              in client AS-REQ packets. This way, obtained hashes can be  eas-
              ily  cracked  by  John  the  Ripper (JtR). You have to be in the
              "middle" of the connection to successfully use it. It hooks  the
              kerberos dissector, so you have to keep it active.


       link_type

              It  performs a check of the link type (hub or switch) by sending
              a spoofed ARP request and listening for  replies.  It  needs  at
              least  one entry in the host list to perform the check. With two
              or more hosts the test will be more accurate.

              example :

              ettercap -TQP link_type /192.168.0.1/
              ettercap -TQP link_type //


       pptp_chapms1

              It forces the pptp tunnel to negotiate MS-CHAPv1  authentication
              instead of MS-CHAPv2, that is usually easier to crack (for exam-
              ple with LC4).  You have to be in the "middle" of the connection
              to use it successfully.  It hooks the ppp dissector, so you have
              to keep them active.


       pptp_clear

              Forces no compression/encryption for pptp tunnels during negoti-
              ation.  It could fail if client (or the server) is configured to
              hang off the tunnel if no encryption is negotiated.  You have to
              be in the "middle" of the connection to use it successfully.  It
              hooks the ppp dissector, so you have to keep them active.


       pptp_pap

              It forces the pptp tunnel to negotiate PAP (cleartext) authenti-
              cation.   It  could  fail if PAP is not supported, if pap_secret
              file  is  missing,  or  in  case  windows  is  configured   with
              "authomatic  use  of  domain  account".  (It could fail for many
              other reasons too).  You have to be in the "middle" of the  con-
              nection  to use it successfully.  It hooks the ppp dissector, so
              you have to keep them active.


       pptp_reneg

              Forces re-negotiation on an existing pptp tunnel.  You can force
              re-negotiation for grabbing passwords already sent.  Furthermore
              you can launch it to use pptp_pap, pptp_chapms1 or pptp_clear on
              existing  tunnels  (those  plugins  work only during negotiation
              phase).  You have to be in the "middle" of the connection to use
              it  successfully.   It  hooks  the ppp dissector, so you have to
              keep them active.


       rand_flood

              Floods the LAN with random MAC  addresses.  Some  switches  will
              fail  open  in  repeating mode, facilitating sniffing. The delay
              between each packet is based on the port_steal_send_delay  value
              in etter.conf.
              It is useful only on ethernet switches.

              example :

              ettercap -TP rand_flood



       remote_browser

              It  sends to the browser the URLs sniffed thru HTTP sessions. So
              you are able to see the webpages in real time. The command  exe-
              cuted is configurable in the etter.conf(5) file. It sends to the
              browser only the GET requests and only  for  webpages,  ignoring
              single  request  to  images or other amenities.  Don't use it to
              view your own connection :)



       reply_arp

              Simple arp responder. When it intercepts an arp  request  for  a
              host  in  the  targets'  lists,  it  replies with attacker's MAC
              address.

              example :

              ettercap -TQzP reply_arp /192.168.0.1/
              ettercap -TQzP reply_arp //


       repoison_arp

              It solicits poisoning packets after broadcast ARP  requests  (or
              replies)  from  a  posioned host.  For example: we are poisoning
              Group1 impersonating Host2.  If  Host2  makes  a  broadcast  ARP
              request  for  Host3, it is possible that Group1 caches the right
              MAC address for Host2 contained in the ARP packet.  This  plugin
              re-poisons  Group1 cache immediately after a legal broadcast ARP
              request (or reply).
              This plugin is effective only during an arp-posioning session.
              In conjunction with the reply_arp plugin, repoison_arp is a good
              support for the standard arp-poisoning mitm method.

              example :

              ettercap  -T  -M  arp:remote  -P  repoison_arp /192.168.0.10-20/
              /192.168.0.1/


       scan_poisoner

              Check if someone is poisoning between some host in the list  and
              us.   First  of  all it checks if two hosts in the list have the
              same mac address.  It could mean that one of those is  poisoning
              us  pretending  to  be the other.  It could generate many false-
              positives in a proxy-arp environment.  You have to  build  hosts
              list  to  perform  this  check.   After that, it sends icmp echo
              packets to each host in the list and checks if  the  source  mac
              address  of the reply differs from the address we have stored in
              the list for that ip.  It could mean that someone  is  poisoning
              that  host pretending to have our ip address and forwards inter-
              cepted packets to us.  You can't perform  this  active  test  in
              unoffensive mode.

              example :

              ettercap -TQP scan_poisoner //


       search_promisc

              It tries to find if anyone is sniffing in promisc mode. It sends
              two different kinds of malformed arp request to each  target  in
              the host list and waits for replies. If a reply arrives from the
              target host, it's more or less probable that this target has the
              NIC in promisc mode. It could generate false-positives.  You can
              launch it either from the command line or from the plugin  menu.
              Since it listens for arp replies it is better that you don't use
              it while sending arp request.

              example :

              ettercap -TQP search_promisc /192.168.0.1/
              ettercap -TQP search_promisc //



       smb_clear

              It forces the client to send smb password in clear-text by  man-
              gling  protocol  negotiation.  You have to be in the "middle" of
              the connection to successfully use it. It hooks the smb  dissec-
              tor,  so  you  have  to keep it active.  If you use it against a
              windows client it will probably result in  a  failure.   Try  it
              against a *nix smbclient :)



       smb_down

              It  forces the client to not to use NTLM2 password exchange dur-
              ing smb authentication. This way, obtained hashes can be  easily
              cracked  by  LC4.  You have to be in the "middle" of the connec-
              tion to successfully use it.  It hooks the smb dissector, so you
              have to keep it active.


       smurf_attack

              The  Smurf  Attack is a DoS attack in which huge numbers of ICMP
              packets with the intended victim(s) IP(s) in target1 are sent to
              the  hosts  in  target2. This causes all hosts on the target2 to
              reply to the ICMP request, causing significant  traffic  to  the
              victim's computer(s).

              example (192.168.0.5 is the victim):

              ettercap -i eth1 -Tq /192.168.0.5/ // -P fraggle_attack


       sslstrip

              While  performing  the SSL mitm attack, ettercap substitutes the
              real ssl certificate with its own.  The fake certificate is cre-
              ated  on  the fly and all the fields are filled according to the
              real cert presented by the  server. Only the  issuer is modified
              and signed with the private key contained in the 'etter.ssl.crt'
              file.  If you want to use a different private key  you  have  to
              regenerate  this  file. To regenerate the cert file use the fol-
              lowing commands:

              openssl genrsa -out etter.ssl.crt 1024
              openssl req -new -key etter.ssl.crt -out tmp.csr
              openssl x509 -req -days 1825 -in tmp.csr -signkey  etter.ssl.crt
              -out tmp.new
              cat tmp.new >> etter.ssl.crt
              rm -f tmp.new tmp.csr

              NOTE: SSL mitm is not available (for now) in bridged mode.

              NOTE:  You  can use the --certificate/--private-key long options
              if you want  to  specify  a  different  file  rather   than  the
              etter.ssl.crt file.



       stp_mangler

              It  sends spanning tree BPDUs pretending to be a switch with the
              highest priority. Once in  the  "root"  of  the  spanning  tree,
              ettercap can receive all the "unmanaged" network traffic.
              It is useful only against a group of switches running STP.
              If  there  is  another  switch with the highest priority, try to
              manually decrease your MAC address before running it.

              example :

              ettercap -TP stp_mangler




ORIGINAL AUTHORS

       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>


PROJECT STEWARDS

       Emilio Escobar (exfil)  <eescobar@gmail.com>
       Eric Milam (Brav0Hax)  <jbrav.hax@gmail.com>


OFFICIAL DEVELOPERS

       Mike Ryan (justfalter)  <falter@gmail.com>
       Gianfranco Costamagna (LocutusOfBorg)  <costamagnagianfranco@yahoo.it>
       Antonio Collarino (sniper)  <anto.collarino@gmail.com>
       Ryan Linn   <sussuro@happypacket.net>
       Jacob Baines   <baines.jacob@gmail.com>


CONTRIBUTORS

       Dhiru Kholia (kholia)  <dhiru@openwall.com>
       Alexander Koeppe (koeppea)  <format_c@online.de>
       Martin Bos (PureHate)  <purehate@backtrack.com>
       Enrique Sanchez
       Gisle Vanem  <giva@bgnett.no>
       Johannes Bauer  <JohannesBauer@gmx.de>
       Daten (Bryan Schneiders)  <daten@dnetc.org>




SEE ALSO

       ettercap(8), ettercap_curses(8), etterlog(8), etterfilter(8),
       etter.conf(5), ettercap-pkexec(8)




ettercap 0.8.2                                             ETTERCAP-PLUGINS(8)

ettercap 0.8.3 - Generated Sun Aug 11 10:26:27 CDT 2019
© manpagez.com 2000-2024
Individual documents may contain additional copyright information.