They were not particularly intelligent. They were cowardly and vicious, preferring to set traps to ensnare their enemies.[6] Ettercaps tended to be solitary creatures and their only purpose was to eat and to breed.[4]
It was suggested that ettercaps were the descendants of a group of mad druids, tainted and transmogrified by their association with a powerful demon into a form resembling the predatory arachnids their cult once revered. While the vast majority had completely reverted to pure animal instinct, a rare few claimed to demonstrate the intellect and capacities of an insane human.[6]
Ettercaps were very fond of spiders and other arachnids and often kept them as others kept bees. From time to time, however, an ettercap had a number of monstrous spiders as pets, which were as loyal to it as a dog to a human master.[6][4]
Ettercaps possessed a fairly simple, spider-derived language of their own. It was focused around basic and real-world concepts, not equipped for the discussion of abstract ideas. They were capable of understanding other languages, such as elven, but could not speak them due to lacking the right vocal cords.[8]
Disclaimer: The views expressed in the following links do not necessarily represent the views of the editors of this wiki, nor does any lore presented necessarily adhere to established canon.
Ettercap is a "man in the middle attack tool". It could be used maliciously, of course, but it is also massively useful as a debugging tool and to make sure my networks are secured. My most common use case is to let me sniff traffic at work and home in combination with wireshark from my laptop. To be able to do this I simply do this:
# ettercap -Q -T -i wlan0 -M arp /10.0.0.1/ /10.0.0.9/
That tells ettercap
Ettercap's remote_browser plugin lets you watch what another user is looking at in your own browser. In my case that is iceweasel rather than mozilla, so I made a change in my /etc/etter.conf where the remote_browser variable now reads thus:
remote_browser = "iceweasel -remote openurl( )"
I spent an aeon trying to watch my eeepc from my main laptop before finally discovering that changing the argument order fixed things. Of course it is entirely possible that I am misattributing the fix, but the ordering below is now working reliably for me.
# iceweasel &
# ettercap -i wlan0 -P remote_browser -T -q -M arp:remote /192.168.0.1/ /192.168.0.14/
Let's break that down again.
Now, I can watch myself browsing on another machine to my heart's content. Which is actually a little troubling if you think about it. Best to use HTTPS everywhere and ideally a secure VPN, tor or an SSH socks proxy. Network administrators, you should check out the section on defenses in the SANS Ettercap primer if you want to mitigate ARP attacks on your users.
sudo ettercap -F /tmp/filter.ef -T -M arp -i wlan1 /192.168.1.6/ //
The msg is not printed. With the packet visualization I do see TCP packets, but the filter seems to just not be working, even though ettercap says "Content filters loaded from /tmp/filter.ef".
So why did it only happen to me? That is because I'm using version 0.7.4.2, which is the version downloaded when I apt-get install ettercap on my Ubuntu. That is opposed to the ettercap website, stating that "The latest Ettercap release is: 0.7.4.1"
Ettercap[1] is sort of the Swiss army knife of ARP poisoning[2] and network sniffing. Ettercap can be extended by using filters and plug-ins, making it able to do all sorts of neat network tasks. Using filters is what I plan to show in this tutorial. The easiest way to run Ettercap is from the Auditor[3] or Knoppix boot CDs. The version I will be running in this tutorial is Ettercap NG-0.7.3.
What first inspired me to play with Ettercap filters was the use of Airpwn at Defcon 12[4]. The creators of Airpwn used their ingenious little tool to replace images in web pages that conference attendees surfed to with the Goatse image. If you don't know what Goatse is, you probably don't want to ask. Airpwn can be a bit difficult to configure, compile and run, but I figured I could do much the same thing with an Ettercap filter. Since Ettercap can be compiled on Linux, BSD, Mac OS X and Windows 2000/XP/2003 and can work on wireless (802.11) and wired LANs, its target audience is much larger than Airpwn's. Ettercap has the ability to route traffic through itself using "Man in the Middle" attacks and then use filters to modify the data before sending it on to the victim. Initially I wanted to do the same thing as the Airpwn guys, but with the Tubgirl image instead (once again, don't ask, I'm a sick bastard). For this tutorial I decided to compromise and just have the images in web pages replaced by the Jolly Rogers:
Yes, this tutorial is a bit deviant, but you can use the skills learned from it to do many other useful tasks. The first thing we need to do is create an Ettercap filter. Below is the source code for mine:
The code should be pretty self explanatory to anyone who has done much coding before (it's very much like C and other languages). The # symbols are comments. The "if" statement tells the filter to only work on TCP packets from source port 80, in other words coming from a web server. This test may still miss some images, but should get most of them. I'm also not sure about Ettercap's order of operation with AND (&&) and OR (||) statements, but this filter largely seems to work (I tried using parentheses to explicitly specify the order of operation with the Boolean operators, but this gave me compile errors). The "replace" function replaces the first parameter string with the second. Because of the way this string replacement works, it will mangle image tags and insert the picture we desire into the web page's HTML before it returns it to the victim. The tags may end up looking something like the following:
The original image location will still be in the tag, but most web browsers should see it as a useless parameter. The "msg" function just prints to the screen letting us know that the filter has fired off.
Now that we sort of understand the basics of the filter, let's compile it. Take the ig.filter source code listed above and paste it into a text file, then compile the filter into a .ef file using the following command:
Cool huh? Keep in mind that this filter does not seem to fire off for all images; it's a little hit and miss. For more information on things you can do with Ettercap filters, look at the sample code in the file "etter.filter.examples" that comes along with Ettercap. On my box this file is located in /usr/share/ettercap/etter.filter.examples. Also check out Kev's tutorial on Ettercap filters[5]. Want to keep other folks from doing these kinds of shenanigans on your network? Here are a few options:
1. Use static ARP tables between important hosts (not very practical in most cases).
2. Use ARPWatch or an IDS to spot when someone is pulling off an ARP poisoning attack.
3. Encrypted traffic using a VPN or SSL should make it through safely, unless of course the attacker uses some of Ettercap's proxying capabilities.
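As an added example of option 2 (not code from the tutorial or from Ettercap/ARPWatch), here is a minimal ARPWatch-style monitor in Python: it parses raw Ethernet+ARP frames, remembers which MAC answered for each IP, and alerts when a binding changes or when one MAC ends up answering for both the gateway and another host, which is the pattern a two-sided ARP MITM like "-M arp /gateway/ /victim/" produces. The MACs, IPs and frames are constructed sample input, not captured traffic.

```python
import struct

ETH_P_ARP, ARP_REPLY = 0x0806, 2

def parse_arp_frame(frame: bytes):
    """Parse Ethernet II + IPv4-over-Ethernet ARP; return
    (opcode, sender_mac, sender_ip, target_ip) or None if the frame is not such ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    return op, mac, ".".join(map(str, frame[28:32])), ".".join(map(str, frame[38:42]))

def arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a constructed ARP reply frame (sample input for the demo, not captured data)."""
    smac, tmac = (bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac))
    sip, tip = (bytes(int(x) for x in ip.split(".")) for ip in (sender_ip, target_ip))
    eth = tmac + smac + struct.pack("!H", ETH_P_ARP)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + smac + sip + tmac + tip

class ArpWatch:
    """Minimal ARPWatch-style monitor: remember which MAC answers for each IP,
    alert when a binding changes, and alert when one MAC claims the gateway
    plus another host (the signature of a two-sided ARP MITM)."""
    def __init__(self, gateway_ip: str):
        self.gateway_ip, self.bindings, self.alerts = gateway_ip, {}, []

    def observe(self, frame: bytes):
        parsed = parse_arp_frame(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return
        _, mac, ip, _ = parsed
        old = self.bindings.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"changed: {ip} was {old}, now {mac}")
        self.bindings[ip] = mac
        claimed = sorted(i for i, m in self.bindings.items() if m == mac)
        if self.gateway_ip in claimed and len(claimed) > 1:
            self.alerts.append(f"mitm: {mac} answers for {claimed}")

def demo():
    """Replay a constructed sequence: legitimate replies, then a third MAC poisoning both sides."""
    gw, victim, attacker = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"
    watch = ArpWatch("192.168.0.1")
    watch.observe(arp_reply(gw, "192.168.0.1", victim, "192.168.0.14"))
    watch.observe(arp_reply(victim, "192.168.0.14", gw, "192.168.0.1"))
    watch.observe(arp_reply(attacker, "192.168.0.1", victim, "192.168.0.14"))
    watch.observe(arp_reply(attacker, "192.168.0.14", gw, "192.168.0.1"))
    return watch.alerts
```

On a real network the frames would come from a raw socket or a pcap reader on the monitored interface; the parser expects frames to start at the Ethernet header.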
For this attack I want the adversary to take over traffic completely. The attacker wants to respond using his own server, for e.g. phishing purposes. For this ettercap was the wrong tool it seems, so instead I went for arpspoof. The following commands were executed in different terminals. I had to trick both the router and the victim host. Alternatively I could have made it a global broadcast.
Checking the arp table in Windows 8 (cmd: arp -a) I see that the MAC is successfully injected, but the browser still goes to the raspberry pi. I figure this is because my adversary and victim computer are on a wireless network while the raspberry is on wired. Changing to my ethernet interface on the adversary machine was enough to trick the router into forwarding to my computer. Then I also set the client ip using ifconfig to the same as the raspberry pi on that interface.
One feat of interest would be to phish popular/outside domains, e.g. Facebook or maybe a corporate controlled domain. For this we need to somehow spoof the DNS address to our own local ip instead of the remote. There is apparently an ettercap module dns_spoof which does this for us.
I browsed a couple of websites with the target computer (192.168.0.4), then stopped the capture. I ran Wireshark and opened the dump file generated by ettercap, and I got what I had wanted for 2 days: the dump of the communication between the computer 192.168.0.4 and the default gateway.
First, get the RPM for ettercap, I used RPM Search but any good RPM library site should work. I like this one as you can search easily by distro and version. I searched and found an ettercap RPM for Suse 10. Find a similar RPM and wget it:
Install the yum package manager as this will allow you to install local RPMs and handle the dependencies, something zypper (unfortunately) does not do. In addition to yum, you will also need to install yum-utils which adds the local installation feature to yum. Install both at once with:
This package contains the common support files, configuration files, plugins, and documentation. You must also install either ettercap-graphical or ettercap-text-only for the actual GUI-enabled or text-only ettercap executable, respectively.
I am using Ettercap on Kali Linux version 2017.3 on vmware. I am unable to find the etter.dns file in the directory where it should be present, which is /usr/share/ettercap/. Instead of etter.dns, etter.dns.save file is present.
Hi, I need some help performing a MITM attack using ettercap. I can access non-HTTPS websites on the target machine, but when I try to access HTTPS websites I either get "web page cannot be displayed" or something about a security certificate not being trusted. Am I doing anything wrong? Please help me out, it would be greatly appreciated. The steps below are the route I've followed, and I've also tried the graphical interface of ettercap with no luck.
Browsers have been updated and now use HSTS, which blocks MITM attacks & sslstrip. You should try mitmf; it can override HSTS, but it's still a bit difficult if the target still has cookies from the previous session.