From charlesreid1

Note: Ettercap is the old method. Check out Bettercap.

What Ettercap Is

Ettercap is a set of tools that do lots of different things. In essence, it is used to reroute network traffic through its host computer, and sniff the traffic as it passes through. It has the software stack required to do both.

As a sniffing tool, Ettercap is similar to Dsniff in that it can sniff traffic and search for specific kinds of credentials for specific kinds of protocols (e.g., email passwords). It also has functionality to filter traffic (drop packets based on certain filter criteria) or modify traffic.

Before you can sniff traffic, you have to be able to hear it - which is why a man in the middle attack tool is important when doing sniffing.

As a man in the middle attack tool, Ettercap has the capability to run ARP, ICMP, DNP spoofing attacks. It can also work in conjunction with other attack tools - e.g., it can sniff and let another program do MITM, or it can do MITM and let other programs sniff. It can be used to strip SSL and issue fake certificates to clients.

Man in the middle? what?

See Man in the Middle

Why Ettercap

Do you really need ettercap, or can you perform the entire attack yourself, using artisan, hand-crafted Python scripts?

Ettercap is basically a tool for automating different steps in a man in the middle attack. You can use different sets of tools, perhaps launch an attack with 3 or 4 tools doing separate things, but that requires multiple windows, switching between scripts, and depending on how deep you actually go, learning about ARP protocol and packet forging software.

We simply don't have the luxury of time to spend on that kind of wizardry.

Ettercap prevents you from having to manually mount a complex, multi-step attack. However, there are tradeoffs, namely, Ettercap gives you a simple interface, which takes away much of your control. If you don't like how Ettercap does it - tough. If you don't understand what it's doing - tough. If you don't like the documentation - tough.

What Hardware

Ettercap can use a single network interface (unified mode) or two network interfaces (bridged mode).

Unified mode means Ettercap uses a single network interface for sending/receiving to the client as well as to the server, and sniffs all relevant traffic at the single interface.

Bridge mode means Ettercap is using two bridged network interfaces, one connecting to the client and one connecting to the server, and is sniffing traffic crossing that bridge.


To install Ettercap from source you'll need a few things first:

$ apt-get install cmake libncurses5 libncurses-dev libidn11 libidn11-dev librtmp-dev bison flex

Now download Ettercap from Github (v 0.8.2):

Make it with Cmake:

$ unzip ettercap*.zip
$ cd ettercap*
$ mkdir build/
$ cd build/
$ cmake ../
$ make clean-all
$ cmake /path/to/ettercap

Unified Sniffing in Ettercap Text

You can check the man page for the many options available with ettercap:

$ man ettercap

Ettercap has two independent functions: one is a traffic sniffer and filter, and the other is a man in the middle attack tool. These two purposes are independent, so several attacks can be launched simultaneously.

The key flag for running in text mode is -T, with the -q flag helping to keep things quiet.

Sniffing vs Man in the Middle

It's important to distinguish between Ettercap's sniffing functionality, and its man in the middle attack functionality. These two functionalities are independent.

The sniffing functionality is Ettercap's default behavior. Sniffing assumes packets are getting to Ettercap, somehow, someway, the sniffing process does not care how, it only cares about sniffing the packets.

The man in the middle attack functionality is additional Ettercap functionality intended to hijack streams of packets intended for non-attacker destinations and redirect them to Ettercap.

Short version: The man in the middle grabs packets. The sniffer reads them.

Basic Sniffing Attack

To run a basic sniffing attack in text only mode, you just need to specify the internet device to sniff, and a file to write to (pcap file):

$ ettercap -T -i eth0 -w output.pcap

or you can start the program and interact with the text-based menu:

$ ettercap -T -i eth0

Remember: if you run the program in this way, it will not conduct a man in the middle attack, and will not give you options to conduct a man in the middle attack. This means that you need to ensure you can see the traffic you want to sniff.

If you're on a network hub, all ports see all traffic - so you don't need to do anything to see everyone else's traffic. However, if you're on a network switch, ports only see traffic intended for the device on that port. To see all the traffic, you'll need to perform a man in the middle attack.

Man in the Middle

A basic man-in-the-middle attack using its text-based interface is specified using the -M flag and looks like this:

$ ettercap -Tq -i eth0 -M arp / /

Here we specify the type of MITM attack as ARP poisoning. Other MITM attacks available include icmp and dhcp, for replacing gateway; port, for port stealing; ndp, for ndp hijacking.

Note that the target is of the form MAC/IPs/PORTs, in this case the leading/trailing blanks mean any MAC and any port.

Also see Kali/Layer 4 Attacks and Man in the Middle.

Unified Sniffing in Ettercap GUI

If you are trying to perform a MITM attack by sniffing/sending traffic from a single network device, you can use the unified sniffing mode in Ettercap to perform your man-in-the-middle attack.

The physical arrangement required for this type of attack is that you are on the same subnet as the target - typically connected to the same router.

Ettercap ARP Poisoning

Now we'll actually perform the ARP poisoning with Ettercap. Start the Ettercap GUI with the command

$ ettercap -G


Sniffing Type in Ettercap

Now we'll specify the type of sniffing we want Ettercap to do. As mentioned above, we'll use Unified mode.

Ettercap can either sniff in Bridged mode or Unified mode. Bridged mode means the attacker has multiple networking devices, and is sniffing as traffic crosses a bridge from one device to another. Unified uses a single network device, where the sniffing and forwarding all happens on the same network port.

Select Sniff > Unified Sniffing from the menu.


Finding Hosts in Ettercap

Once we've picked our sniffing method, we need to pick a target and then start our attack.

We can run a quick scan of different hosts acting as parties in network traffic. Click Hosts > Scan for Hosts to run a quick scan and get a list of host targets. You should see Ettercap populate a list of host IP and MAC addresses.

If you don't see the list of hosts, click View > Connections.


Select Ettercap Poison Target

Now that you have a list of hosts, find your target in the list and click on it. (Or, if you want to attack every computer on the network, don't select any list item.)

Start MITM Attack

Click Mitm > Arp Poisoning to select the Arp Poisoning attack.

This will print a message letting you know that the ARP Poisoning attack is beginning. As interesting/juicy information shows up on the wire, Ettercap will extract it and display it, just in case you don't capture it or find it with Wireshark.


Make sure and check "sniff remote connections" before you start the attack.


Your man in the middle attack is now running on the local network. By monitoring traffic on your device eth0, you can see all of the traffic passing through the device and on to the sheep.

Monitoring Statistics

You can monitor the statistics of traffic sniffed from Ettercap, click View > Statistics and watch the numbers roll by.

Monitoring with Wireshark

If you watch in Wireshark, you'll notice, among other things, a bunch of black packets. This is because your computer is duplicating every packet that reaches it, by forwarding it:


This is something that is symptomatic of every Man in the Middle attack that involves ARP spoofing, and is the reason why a physical network tap (a Layer 1 bridge) is much preferred to ARP spoofing (a Layer 2/Layer 3 bridge).

Remaining Questions

Several questions remain about this process. Here are a few:

  • What's generating all of this TCP dup ack and keep-alive ack traffic?
  • Where do the sniffed goodies get printed and logged to? Are they saved by default? Where?
  • Does or can ettercap create pcap files? (use the -w or --write flag)