What Ettercap Is

Ettercap is a tool for executing Man in the Middle attacks.

Ettercap can be used in unified mode, or in bridge mode.

Unified mode means Ettercap uses a single network interface for sending/receiving to the client as well as to the server, and sniffs all relevant traffic at the single interface.

Bridge mode means Ettercap is using two bridged network interfaces, one connecting to the client and one connecting to the server, and is sniffing traffic crossing that bridge.

What Ettercap Actually Does

Ettercap is basically a tool for automating different steps in a man-in-the-middle attack. While you could perform the attack yourself, it would require a lot of windows, switching between scripts, and some really deep technical knowledge of the ARP protocol, packet-forging tools, and how to craft and send ARP packets in the right proportions.

Ettercap saves you from having to manually mount the man-in-the-middle attack. Be aware of the tradeoffs that Ettercap presents - while it gives you a simple interface for conducting man in the middle attacks, it may also do things you don't understand or want, things that can draw the attention of network administrators onto you.

Unified Sniffing in Ettercap

If you are trying to perform a MITM attack by sniffing/sending traffic from a single network device, you can use the unified sniffing mode in Ettercap to perform your man-in-the-middle attack.

The physical arrangement required for this type of attack is that you are on the same subnet as the target - typically connected to the same router.

Ettercap ARP Poisoning

Now we'll actually perform the ARP poisoning with Ettercap. Start the Ettercap GUI with the command

$ ettercap -G

Sniffing Type in Ettercap

Now we'll specify the type of sniffing we want Ettercap to do. As mentioned above, we'll use Unified mode.

Ettercap can either sniff in Bridged mode or Unified mode. Bridged mode means the attacker has multiple networking devices, and is sniffing as traffic crosses a bridge from one device to another. Unified uses a single network device, where the sniffing and forwarding all happens on the same network port.

Select Sniff > Unified Sniffing from the menu.

Finding Hosts in Ettercap

Once we've picked our sniffing method, we need to pick a target and then start our attack.

We can run a quick scan of different hosts acting as parties in network traffic. Click Hosts > Scan for Hosts to run a quick scan and get a list of host targets. You should see Ettercap populate a list of host IP and MAC addresses.

If you don't see the list of hosts, click View > Connections.

Select Ettercap Poison Target

Now that you have a list of hosts, find your target in the list and click on it. (Or, if you want to attack every computer on the network, don't select any list item.)

Start MITM Attack

Click Mitm > Arp Poisoning to select the Arp Poisoning attack.

This will print a message letting you know that the ARP Poisoning attack is beginning. As interesting/juicy information shows up on the wire, Ettercap will extract it and display it, just in case you don't capture it or find it with Wireshark.

Make sure and check "sniff remote connections" before you start the attack.

Your man in the middle attack is now running on the local network. By monitoring traffic on your device eth0, you can see all of the traffic passing through the device and on to the sheep.

Bridge Sniffing in Ettercap

A bridge is a way of hooking up two network interfaces such that all packets sent to one are forwarded to another.

Before you can sniff a bridge, you have to build it. In this example, I'll build a bridge between two ethernet devices.