Note: also see Bettercap

What Ettercap Is

Ettercap is a tool for executing Man in the Middle attacks.

Ettercap can be used in unified mode, or in bridge mode.

Unified mode means Ettercap uses a single network interface for sending/receiving to the client as well as to the server, and sniffs all relevant traffic at the single interface.

Bridge mode means Ettercap is using two bridged network interfaces, one connecting to the client and one connecting to the server, and is sniffing traffic crossing that bridge.

What Ettercap Actually Does

Ettercap is basically a tool for automating different steps in a man-in-the-middle attack. While you could perform the attack yourself, it would require a lot of windows, switching between scripts, and some really deep technical knowledge of the ARP protocol, packet-forging tools, and how to craft and send ARP packets in the right proportions.

Ettercap saves you from having to manually mount the man-in-the-middle attack. Be aware of the tradeoffs that Ettercap presents - while it gives you a simple interface for conducting man in the middle attacks, it may also do things you don't understand or want, things that can draw the attention of network administrators onto you.

Installing/Building

To install Ettercap from source you'll need a few things first:

$ apt-get install cmake libncurses5 libncurses-dev libidn11 libidn11-dev librtmp-dev bison flex

Now download Ettercap from Github (v 0.8.2) and make it with Cmake:

$ unzip ettercap*.zip
$ cd ettercap*
$ mkdir build/
$ cd build/
$ cmake ../
$ make clean-all
$ cmake /path/to/ettercap

Unified Sniffing in Ettercap Text

Performing a man-in-the-middle attack using its text-based interface:

$ ettercap -Tq -i eth0 -M arp /10.0.0.1/ /10.0.0.75/

Unified Sniffing in Ettercap GUI

If you are trying to perform a MITM attack by sniffing/sending traffic from a single network device, you can use the unified sniffing mode in Ettercap to perform your man-in-the-middle attack.

The physical arrangement required for this type of attack is that you are on the same subnet as the target - typically connected to the same router.

Ettercap ARP Poisoning

Now we'll actually perform the ARP poisoning with Ettercap. Start the Ettercap GUI with the command

$ ettercap -G

Sniffing Type in Ettercap

Now we'll specify the type of sniffing we want Ettercap to do. As mentioned above, we'll use Unified mode.

Ettercap can either sniff in Bridged mode or Unified mode. Bridged mode means the attacker has multiple networking devices, and is sniffing as traffic crosses a bridge from one device to another. Unified uses a single network device, where the sniffing and forwarding all happens on the same network port.

Select Sniff > Unified Sniffing from the menu.

Finding Hosts in Ettercap

Once we've picked our sniffing method, we need to pick a target and then start our attack.

We can run a quick scan of different hosts acting as parties in network traffic. Click Hosts > Scan for Hosts to run a quick scan and get a list of host targets. You should see Ettercap populate a list of host IP and MAC addresses.

If you don't see the list of hosts, click View > Connections.

Select Ettercap Poison Target

Now that you have a list of hosts, find your target in the list and click on it. (Or, if you want to attack every computer on the network, don't select any list item.)

Start MITM Attack

Click Mitm > Arp Poisoning to select the Arp Poisoning attack.

This will print a message letting you know that the ARP Poisoning attack is beginning. As interesting/juicy information shows up on the wire, Ettercap will extract it and display it, just in case you don't capture it or find it with Wireshark.

Make sure and check "sniff remote connections" before you start the attack.

Your man in the middle attack is now running on the local network. By monitoring traffic on your device eth0, you can see all of the traffic passing through the device and on to the sheep.

Watching in Wireshark

If you watch in Wireshark, you'll notice, among other things, a bunch of black packets. This is because your computer is duplicating every packet that reaches it, by forwarding it:

This is something that is symptomatic of every Man in the Middle attack that involves ARP spoofing, and is the reason why a physical network tap (a Layer 1 bridge) is much preferred to ARP spoofing (a Layer 2/Layer 3 bridge).

Bridge Sniffing in Ettercap

A bridge is a way of hooking up two network interfaces such that all packets sent to one are forwarded to another.

Before you can sniff a bridge, you have to build it. In this example, I'll build a bridge between two ethernet devices.

monkey in the middle attacks in which an attacker tricks two parties into thinking they're communicating with each other, but both are communicating with the attacker. MITM Wireless Attacks: MITM/Wireless Wired Attacks: MITM/Wired Layer 1 and 2 MITM Attacks: MITM/Layer 1 and 2 Network Tap: MITM/Wired/Network Tap Evil Twin Attack: Evil Twin  · MITM/Evil Twin Layer 3 and 4 MITM Attacks: MITM/Layer 3 and 4 Traffic Sniffing: MITM/Sniffing ARP Poisoning: MITM/ARP Poisoning Traffic Injection/Modification: MITM/Traffic Injection DNS Attacks: MITM/DNS  · Bettercap/Failed DNS Spoofing Attack  · Bettercap/Failed DNS Spoofing Attack 2 DHCP Attacks: MITM/DHCP WPAD MITM Attack: MITM/WPAD Port Stealing: MITM/Port Stealing Rushing Attack: MITM/Rushing Attack Attacking HTTPS: MITM/HTTPS Layer 5 MITM Attacks: Session Hijacking: MITM/Session Hijacking Toolz: Ettercap  · Bettercap  · MITMf  · EvilFOCA Wireshark  · Aircrack Dsniff  · Arpspoof  · Dnsspoof SSLSniff  · SSLStrip  · Frankencert Driftnet  · Karma MITM Labs: {{MITMLabs}} Category:MITM  · Category:Attacks  · Category:Kali Attack Layers Template:MITMLabs  · Template:MITMFlag Flags  · Template:MITMFlag  · e