Thursday, 27 August 2009


Ettercap is an interception tool. That is, it can be used to sniff traffic and inject packets into the stream. This is activity that is generally associated with MITM (man-in-the-middle) attacks. On the right side of the fence, this can be useful in pen tests and other audits. Many of the uses are not so noble. Much of this comes down to intent.

You can download ettercap from this link.

Ettercap is used primarily for ARP poisoning and sniffing. It can also re-route traffic and filter it. That is, it can sit in the middle of a transaction stream and change the data.

There is a good tutorial on the creation of ettercap filters available here and another one here.

Ettercap has the ability to actively or passively find other poisoners on the LAN. This is a truly useful feature, not just as an attack tool but in defending networks. There are other options for this, such as ArpWatch, that do not carry the negative side effects that ettercap can pose to a production network.
More on arpwatch another time.
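As an added illustration of what the poisoner-finding feature above and a tool like arpwatch are looking for, the following script (not ettercap's or arpwatch's own code) replays a constructed list of ARP replies and flags the two classic signatures: an IP address whose MAC changes, and one MAC answering for many IPs.

```python
"""Minimal arpwatch-style detector (added example, not ettercap or arpwatch code).

It walks a list of ARP "is-at" replies and reports every IP whose announced
MAC address changes, which is what ARP poisoning looks like on the wire.
"""
from collections import defaultdict

# Constructed sample replies: (timestamp, sender_ip, sender_mac).
# The gateway 192.168.1.1 is legitimately at aa:aa:... until a second host
# (cc:cc:...) starts answering for it and for another host as well.
SAMPLE_REPLIES = [
    (1, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    (2, "192.168.1.20", "bb:bb:bb:bb:bb:20"),
    (3, "192.168.1.30", "cc:cc:cc:cc:cc:30"),
    (4, "192.168.1.1", "cc:cc:cc:cc:cc:30"),
    (5, "192.168.1.20", "cc:cc:cc:cc:cc:30"),
]


def detect_arp_changes(replies):
    """Return (timestamp, ip, old_mac, new_mac) for every MAC change seen.

    The first reply for an IP just teaches the table its MAC; any later
    reply carrying a different MAC for that IP is reported, and the table
    is updated so a flip back would be reported again.
    """
    table = {}  # ip -> mac, learned passively from traffic
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = table.get(ip)
        if known is not None and known != mac:
            alerts.append((ts, ip, known, mac))
        table[ip] = mac
    return alerts


def macs_claiming_many_ips(replies, threshold=2):
    """Return MACs that answered for at least `threshold` distinct IPs.

    One NIC answering for the gateway plus other hosts is the footprint
    of a poisoner impersonating the segment.
    """
    seen = defaultdict(set)
    for _ts, ip, mac in replies:
        seen[mac.lower()].add(ip)
    return sorted(m for m, ips in seen.items() if len(ips) >= threshold)


if __name__ == "__main__":
    for ts, ip, old, new in detect_arp_changes(SAMPLE_REPLIES):
        print(f"t={ts}: {ip} moved from {old} to {new}")
    print("suspect MACs:", macs_claiming_many_ips(SAMPLE_REPLIES))
```

Feed it real replies (for example parsed from a pcap) in the same tuple shape and it behaves like arpwatch's "changed ethernet address" alert.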

Ettercap is also a password collector, so finding unauthorised and unmonitored versions of this software on a network is rarely a good thing.

The ettercap man page has a number of examples of its use. This is the first place to read.

For this post, I will cover the use of the console (see the links above for details on writing ettercap filters).

For the console exercise, we will use the command:

  • ettercap -Tzq -i eth0
This command places ettercap into console mode without ARP scanning the network (which can result in a DoS in some production networks). It also runs in quiet mode, so that ettercap does not display every packet it captures, and listens on the eth0 interface.

In this mode, selected passwords will be displayed and the hosts will be logged.
Having run for a couple of minutes, you can see the output of my system as the passwords (obscured) have been captured from the POP3 email sessions that I started for this. Also note the DNS requests:
In console mode, there are a number of options to display the captured data (type 'h' for the help screen for details). For instance, enter 'c' on the main screen for a list of connections:
Use the console interface, do not ARP scan the net and be quiet. The packet content will not be displayed, but user and passwords, as well as other messages, will be displayed.

The program can also read a pcap format capture file as input:
  • ettercap -r (additional options here)
In the example in the image above, we see the username and password from the Spyking software installer as it authenticates to its site. In analysing the Spyking software, I captured a network trace. We see in this where the software authenticates to the server to register my account.

One final use of the tool is monitoring pairings and finding out where an attacker has come into a system (including password scans etc).

1 comment:

ALLALI said...

Very good topic. Maybe I should add a link to my website.