Options that make sense together can generally be combined. ettercap will warn the user about unsupported
option combinations.
SNIFFING AND ATTACK OPTIONS
ettercap NG has a new unified sniffing method. This implies that ip_forwarding in the kernel is always
disabled and the forwarding is done by ettercap. Every packet with destination mac address equal to the
host's mac address and destination ip address different from the one bound to the iface will be forwarded
by ettercap. Before forwarding them, ettercap can content filter, sniff, log or drop them. It does not
matter how these packets are hijacked, ettercap will process them. You can even use external programs to
hijack packets.
You have full control of what ettercap should receive. You can use the internal mitm attacks, set the
interface in promisc mode, use plugins or use every method you want.
IMPORTANT NOTE: if you run ettercap on a gateway, remember to re-enable the ip_forwarding after you have
killed ettercap. Since ettercap drops its privileges, it cannot restore the ip_forwarding for you.
-M, --mitm <METHOD:ARGS>
MITM attack
This option will activate the man in the middle attack. The mitm attack is totally independent
from the sniffing. The aim of the attack is to hijack packets and redirect them to ettercap. The
sniffing engine will forward them if necessary.
You can choose the mitm attack that you prefer and also combine some of them to perform different
attacks at the same time.
If a mitm method requires some parameters you can specify them after the colon. (e.g. -M
dhcp:ip_pool/netmask/dns)
The following mitm attacks are available:
arp ([remote],[oneway])
This method implements the ARP poisoning mitm attack. ARP requests/replies are sent to the
victims to poison their ARP cache. Once the cache has been poisoned the victims will send
all packets to the attacker which, in turn, can modify and forward them to the real
destination.
In silent mode (-z option) only the first target is selected; if you want to poison
multiple targets in silent mode use the -j option to load a list from a file.
You can select empty targets and they will be expanded as 'ANY' (all the hosts in the LAN).
The target list is joined with the hosts list (created by the arp scan) and the result is
used to determine the victims of the attack.
The parameter "remote" is optional and you have to specify it if you want to sniff remote
ip addresses by poisoning a gateway. Indeed, if you specify a victim and the gw in the TARGETS,
ettercap will sniff only connections between them; to enable ettercap to sniff
connections that pass through the gw, you have to use this parameter.
The parameter "oneway" will force ettercap to poison only from TARGET1 to TARGET2. Useful
if you want to poison only the client and not the router (where an arp watcher can be in
place).
Example:
the targets are: /10.0.0.1-5/ /10.0.0.15-20/
and the host list is: 10.0.0.1 10.0.0.3 10.0.0.16 10.0.0.18
the associations between the victims will be:
1 and 16, 1 and 18, 3 and 16, 3 and 18
if the targets overlap each other, the association with identical ip address will be
skipped.
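To make the joining rule above concrete, here is an added Python example (not part of ettercap or of this man page) that parses the '/IPs/' target form, joins each target with a constructed host list and produces the victim associations, skipping identical addresses when the targets overlap. It only looks at the IP field of the MAC/IPs/PORTs triple; the host list and all addresses are made up for the example.

```python
import ipaddress
from itertools import product

# Constructed host list, as an ettercap ARP scan might have produced it
HOSTS = ["10.0.0.1", "10.0.0.3", "10.0.0.16", "10.0.0.18"]


def _expand_octet(field):
    """'30,35,50-60' -> [30, 35, 50, 51, ..., 60]."""
    values = []
    for item in field.split(","):
        if "-" in item:
            lo, hi = item.split("-", 1)
            values.extend(range(int(lo), int(hi) + 1))
        else:
            values.append(int(item))
    for v in values:
        if not 0 <= v <= 255:
            raise ValueError("octet out of range: %d" % v)
    return values


def expand_ip_field(field):
    """Expand the IP part of a target spec into a set of IPv4Address.
    ';' separates whole addresses; each octet may be a single value, a range
    or a comma list, e.g. '10.0.0.1-5' or '192.168.0.30,35,50-60'."""
    result = set()
    for addr in field.split(";"):
        octets = addr.split(".")
        if len(octets) != 4:
            raise ValueError("not an IPv4 spec: %r" % addr)
        for combo in product(*(_expand_octet(o) for o in octets)):
            result.add(ipaddress.IPv4Address(".".join(str(x) for x in combo)))
    return result


def select_victims(target_spec, host_list):
    """Join a '/IPs/' target spec with the host list.  An empty IP field means
    ANY, i.e. every host in the list.  The MAC and port fields of the full
    MAC/IPs/PORTs form are ignored in this example."""
    fields = target_spec.split("/")
    ip_field = fields[1] if len(fields) > 1 else ""
    hosts = {ipaddress.IPv4Address(h) for h in host_list}
    if ip_field == "":
        return hosts
    return expand_ip_field(ip_field) & hosts


def arp_victim_pairs(target1, target2, host_list):
    """Victim associations for -M arp: every TARGET1 host with every TARGET2
    host, skipping pairs with identical addresses (overlapping targets)."""
    t1 = select_victims(target1, host_list)
    t2 = select_victims(target2, host_list)
    pairs = sorted((a, b) for a in t1 for b in t2 if a != b)
    return [(str(a), str(b)) for a, b in pairs]


if __name__ == "__main__":
    # Reproduces the association list given in the man page example
    for pair in arp_victim_pairs("/10.0.0.1-5/", "/10.0.0.15-20/", HOSTS):
        print("%s and %s" % pair)
```

With an empty target ('//') the function returns every scanned host, which is why the silent-mode note above matters: without the ARP scan the host list is empty and the join yields nothing to work with.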
NOTE: if you manage to poison a client, you have to set correct routing table in the kernel
specifying the GW. If your routing table is incorrect, the poisoned clients will not be
able to navigate the Internet.
icmp (MAC/IP)
This attack implements ICMP redirection. It sends a spoofed icmp redirect message to the
hosts in the lan pretending to be a better route for the Internet. All connections to the
Internet will be redirected to the attacker which, in turn, will forward them to the real
gateway.
The resulting attack is a HALF-DUPLEX mitm. Only the client is redirected, since the
gateway will not accept redirect messages for a directly connected network. BE SURE NOT TO
USE FILTERS THAT MODIFY THE PAYLOAD LENGTH. You can use a filter to modify packets, but the
length must be the same since the tcp sequences cannot be updated in both directions.
You have to pass as argument the MAC and the IP address of the real gateway for the lan.
Obviously you have to be able to sniff all the traffic. If you are on a switch you have to
use a different mitm attack such as arp poisoning.
NOTE: to restrict the redirection to a given target, specify it as a TARGET
Example:
-M icmp:00:11:22:33:44:55/10.0.0.1
will redirect all the connections that pass thru that gateway.
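Two settings on the hosts themselves decide how the points above play out: whether a client honours ICMP redirects at all, and whether a gateway that ettercap ran on still has ip_forwarding switched on afterwards (the IMPORTANT NOTE at the top of this section). The following is an added Python check, not part of ettercap, that parses `sysctl -a` style output and reports both; the sample output is constructed for the example and the interface name eth0 is made up.

```python
import re

# Constructed `sysctl -a` style output from a Linux host (not real data)
SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 1
"""

KEY_RE = re.compile(r"^\s*([\w./-]+)\s*=\s*(.*?)\s*$")


def parse_sysctl(text):
    """'key = value' lines into a dict, keeping file order."""
    settings = {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit(text, is_gateway=False):
    """Return (key, value, reason) for every setting that needs attention."""
    s = parse_sysctl(text)
    findings = []
    if is_gateway and s.get("net.ipv4.ip_forward") != "1":
        findings.append(("net.ipv4.ip_forward", s.get("net.ipv4.ip_forward"),
                         "forwarding is off on a gateway; ettercap disables it and, having "
                         "dropped privileges, cannot turn it back on when it exits"))
    for key, value in s.items():
        if key.endswith(".accept_redirects") and value == "1":
            findings.append((key, value,
                             "host honours ICMP redirects and can be pointed at a bogus next hop"))
    # secure_redirects only restricts which source addresses may send redirects;
    # a redirect forged with the real gateway's address passes that check, so it
    # is accept_redirects that has to be 0 on clients.
    return findings


if __name__ == "__main__":
    for key, value, reason in audit(SAMPLE_SYSCTL, is_gateway=True):
        print("%s = %s: %s" % (key, value, reason))
```

Run it against real `sysctl -a` output after an ettercap session on a router to confirm forwarding was restored; on clients the per-interface keys matter too, since `conf.all` and `conf.<if>` are combined by the kernel.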
dhcp (ip_pool/netmask/dns)
This attack implements DHCP spoofing. It pretends to be a DHCP server and tries to win the
race condition with the real one to force the client to accept the attacker's reply. This
way ettercap is able to manipulate the GW parameter and hijack all the outgoing traffic
generated by the clients.
The resulting attack is a HALF-DUPLEX mitm. So be sure to use appropriate filters (see
above in the ICMP section).
You have to pass the ip pool to be used, the netmask and the ip of the dns server. Since
ettercap tries to win the race with the real server, it DOES NOT CHECK if the ip is already
assigned. You have to specify an ip pool of FREE addresses to be used. The ip pool has the
same form as the target specification.
If the client sends a dhcp request (suggesting an ip address) ettercap will ack on that ip
and modify only the gw option. If the client makes a dhcp discovery, ettercap will use the
first unused ip address of the list you have specified on command line. Every discovery
consumes an ip address. When the list is over, ettercap stops offering new ip addresses and
will reply only to dhcp requests.
If you don't want to offer any ip address, but only change the router information of dhcp
request/ack, you can specify an empty ip_pool.
BIG WARNING: if you specify a list of IPs that are in use, you will mess up your network! In
general, use this attack carefully. It can really mess things up! When you stop the
attack, all the victims will still be convinced that ettercap is the gateway until the
lease expires...
Example:
-M dhcp:192.168.0.30,35,50-60/255.255.255.0/192.168.0.1
reply to DHCP offer and request.
-M dhcp:/255.255.255.0/192.168.0.1
reply only to DHCP request.
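From the monitoring side, the behaviour described above (a second server answering the same DISCOVER, and OFFER/ACK messages whose router option points somewhere unexpected, including the empty-pool variant that only rewrites the gateway in an ACK) is what a DHCP watcher looks for. Here is an added Python example, not part of ettercap, run over constructed server-side DHCP messages; the server addresses, transaction ids and allowlist are made up.

```python
from collections import defaultdict

# Constructed server-side DHCP messages as a passive monitor would decode them:
# (message type, transaction id, server identifier, offered address, router option)
MESSAGES = [
    ("OFFER", "0x1a2b", "192.168.0.1", "192.168.0.100", "192.168.0.1"),   # legitimate
    ("OFFER", "0x1a2b", "192.168.0.77", "192.168.0.30", "192.168.0.77"),  # second answer, other server
    ("ACK", "0x3c4d", "192.168.0.1", "192.168.0.101", "192.168.0.1"),     # legitimate
]

KNOWN_SERVERS = {"192.168.0.1"}   # authorised DHCP servers on this segment (constructed)
EXPECTED_ROUTER = "192.168.0.1"   # the gateway clients are supposed to receive


def analyze(messages, known_servers, expected_router):
    """Return alerts as (index or xid, reason).  Three checks: unknown server
    identifier, router option that does not match the real gateway, and more
    than one server answering the same transaction id."""
    alerts = []
    offers_by_xid = defaultdict(set)
    for i, (mtype, xid, server_id, your_ip, router) in enumerate(messages):
        if server_id not in known_servers:
            alerts.append((i, "server identifier %s is not an authorised DHCP server"
                           % server_id))
        if router != expected_router:
            # catches the empty-pool case too: the ACK keeps the client's address
            # and only the router option is changed
            alerts.append((i, "%s to %s carries router option %s, expected %s"
                           % (mtype, your_ip, router, expected_router)))
        if mtype == "OFFER":
            offers_by_xid[xid].add(server_id)
    for xid, servers in offers_by_xid.items():
        if len(servers) > 1:
            alerts.append((xid, "competing offers for xid %s from %s"
                           % (xid, ", ".join(sorted(servers)))))
    return alerts


if __name__ == "__main__":
    for where, reason in analyze(MESSAGES, KNOWN_SERVERS, EXPECTED_ROUTER):
        print(where, reason)
```

Because victims keep the bogus gateway until their lease expires, an alert from this kind of check is also the cue to force a renew on the affected clients rather than wait the lease out.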
port ([remote],[tree])
This attack implements Port Stealing. This technique is useful to sniff in a switched
environment when ARP poisoning is not effective (for example where statically mapped ARP
entries are used).
It floods the LAN (based on port_steal_delay option in etter.conf) with ARP packets. If you
don't specify the "tree" option, the destination MAC address of each "stealing" packet is
the same as the attacker's one (other NICs won't see these packets), the source MAC address
will be one of the MACs in the host list. This process "steals" the switch port of each
victim host in the host list. Using low delays, packets destined to "stolen" MAC addresses
will be received by the attacker, winning the race condition with the real port owner.
When the attacker receives packets for "stolen" hosts, it stops the flooding process and
performs an ARP request for the real destination of the packet. When it receives the ARP
reply it's sure that the victim has "taken back" his port, so ettercap can re-send the
packet to the destination as is. Now we can re-start the flooding process waiting for new
packets.
If you use the "tree" option, the destination MAC address of each stealing packet will be a
bogus one, so these packets will be propagated to other switches (not only the directly
connected one). This way you will be able to steal ports on other switches in the tree (if
any), but you will generate a huge amount of traffic (according to port_steal_delay). The
"remote" option has the same meaning as in "arp" mitm method.
When you stop the attack, ettercap will send an ARP request to each stolen host giving back
their switch ports.
You can perform either HALF or FULL DUPLEX mitm according to target selection.
NOTE: Use this mitm method only on ethernet switches. Use it carefully, it could produce
performance loss or general havoc.
NOTE: You can NOT use this method in only-mitm mode (-o flag), because it hooks the
sniffing engine, and you can't use interactive data injection.
NOTE: It could be dangerous to use it in conjunction with other mitm methods.
NOTE: This mitm method doesn't work on Solaris and Windows because of the libpcap and libnet
design and the lack of certain ioctl()s. (We will feature this method on these OSes if
someone requests it...)
Example:
The targets are: /10.0.0.1/ /10.0.0.15/
You will intercept and visualize traffic between 10.0.0.1 and 10.0.0.15, but you will
receive all the traffic for 10.0.0.1 and 10.0.0.15 too.
The target is: /10.0.0.1/
You will intercept and visualize all the traffic for 10.0.0.1.
ndp ([remote],[oneway])
NOTE: This MITM method is only supported if IPv6 support has been enabled.
This method implements the NDP poisoning attack which is used for MITM of IPv6 connections.
ND requests/replies are sent to the victims to poison their neighbor cache. Once the cache
has been poisoned the victims will send all IPv6 packets to the attacker which, in turn,
can modify and forward them to the real destination.
In silent mode (-z option) only the first target is selected; if you want to poison
multiple targets in silent mode use the -j option to load a list from a file.
You can select empty targets and they will be expanded as 'ANY' (all the hosts in the LAN).
The target list is joined with the hosts list (created by the arp scan) and the result is
used to determine the victims of the attack.
The parameter "remote" is optional and you have to specify it if you want to sniff remote
ip addresses by poisoning a gateway. Indeed, if you specify a victim and the gw in the TARGETS,
ettercap will sniff only connections between them; to enable ettercap to sniff
connections that pass through the gw, you have to use this parameter.
The parameter "oneway" will force ettercap to poison only from TARGET1 to TARGET2. Useful
if you want to poison only the client and not the router (where an arp watcher can be in
place).
Example:
Targets are: //fe80::260d:afff:fe6e:f378/ //2001:db8::2:1/
Ranges of IPv6 addresses are not yet supported.
NOTE: if you manage to poison a client, you have to set correct routing table in the kernel
specifying the GW. If your routing table is incorrect, the poisoned clients will not be
able to navigate the Internet.
NOTE: in IPv6 the link-local address of the router is usually used as the gateway
address. Therefore you need to set the link-local address of the router as one target and
the global-unicast address of the victim as the other in order to set up a successful IPv6
MITM attack using NDP poisoning.
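Both the arp and the ndp methods above work by making a victim's cache bind an address to the attacker's MAC, and the "oneway" note mentions the arp watcher that this is meant to sidestep. The following is an added Python example of such a watcher (not code from ettercap), covering both sections since the logic is the same for ARP replies and IPv6 neighbour advertisements: it alerts when an address moves to a different MAC, with higher severity for a gateway, and when one MAC has displaced two or more stations, the shape a full-duplex poisoning leaves behind. The observed bindings, MACs and gateway set are constructed; the router link-local address is the one from the example above.

```python
from collections import defaultdict

# Constructed sequence of (address, mac) bindings as a monitor would take them
# from ARP replies and IPv6 neighbour advertisements on the segment, oldest first
OBSERVED = [
    ("10.0.0.1", "aa:aa:aa:aa:aa:01"),                   # gateway, legitimate
    ("10.0.0.16", "bb:bb:bb:bb:bb:16"),                  # client, legitimate
    ("fe80::260d:afff:fe6e:f378", "aa:aa:aa:aa:aa:01"),  # router link-local, legitimate
    ("10.0.0.1", "cc:cc:cc:cc:cc:cc"),                   # a third MAC now claims the gateway
    ("10.0.0.16", "cc:cc:cc:cc:cc:cc"),                  # ...and the client
    ("10.0.0.1", "aa:aa:aa:aa:aa:01"),                   # the real gateway answers again
]

GATEWAYS = {"10.0.0.1", "fe80::260d:afff:fe6e:f378"}   # constructed


class NeighborWatcher:
    """Track address-to-MAC bindings and raise alerts on the patterns a
    poisoning attack produces: a binding that changes, and one MAC taking
    over addresses that belonged to two or more different stations."""

    def __init__(self, gateways=()):
        self.gateways = set(gateways)
        self.binding = {}                   # address -> current MAC
        self.taken_over = defaultdict(set)  # MAC -> addresses it displaced
        self.alerts = []                    # (severity, message)

    def observe(self, addr, mac):
        mac = mac.lower()
        prev = self.binding.get(addr)
        if prev is not None and prev != mac:
            sev = "HIGH" if addr in self.gateways else "MEDIUM"
            self.alerts.append((sev, "%s moved from %s to %s" % (addr, prev, mac)))
            self.taken_over[mac].add(addr)
            if len(self.taken_over[mac]) == 2:
                both = " and ".join(sorted(self.taken_over[mac]))
                self.alerts.append(("HIGH", "%s now answers for both %s" % (mac, both)))
        self.binding[addr] = mac


def watch(records, gateways):
    """Feed every observed binding to a watcher and return its alerts."""
    w = NeighborWatcher(gateways)
    for addr, mac in records:
        w.observe(addr, mac)
    return w.alerts


if __name__ == "__main__":
    for sev, msg in watch(OBSERVED, GATEWAYS):
        print(sev, msg)
```

A watcher placed only on the router will see nothing in the "oneway" case, because then only the client's cache is touched; the bindings have to be collected where the clients are, for instance from a span port on their segment or on the clients themselves. A legitimate station answering again after being displaced shows up as a second move, so the binding flapping between two MACs is itself a strong indicator.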
-o, --only-mitm
This option disables the sniffing thread and enables only the mitm attack. Useful if you want to
use ettercap to perform mitm attacks and another sniffer (such as wireshark) to sniff the traffic.
Keep in mind that the packets are not forwarded by ettercap. The kernel will be responsible for
the forwarding. Remember to activate the "ip forwarding" feature in your kernel.
-f, --pcapfilter <FILTER>
Set a capturing filter in the pcap library. The format is the same as tcpdump(1). Remember that
packets excluded by this kind of filter are never taken off the wire, so if you perform a mitm
attack, ettercap will not be able to forward hijacked packets that the filter drops.
These filters are useful to decrease the network load on ettercap's decoding module.
-B, --bridge <IFACE>
BRIDGED sniffing
You need two network interfaces. ettercap will forward from one to the other all the traffic it
sees. It is useful for man in the middle at the physical layer. It is totally stealthy since it is
passive and there is no way for a user to see the attacker.
You can content filter all the traffic as if you were a transparent proxy for the "cable".
OFF LINE SNIFFING
-r, --read <FILE>
OFF LINE sniffing
With this option enabled, ettercap will sniff packets from a pcap compatible file instead of
capturing from the wire.
This is useful if you have a file dumped from tcpdump or wireshark and you want to make an
analysis (search for passwords or passive fingerprint) on it.
Obviously you cannot use "active" sniffing (arp poisoning or bridging) while sniffing from a file.
-w, --write <FILE>
WRITE packet to a pcap file
This is useful if you have to use "active" sniffing (arp poison) on a switched LAN but you want to
analyze the packets with tcpdump or wireshark. You can use this option to dump the packets to a
file and then load it into your favourite application.
NOTE: the dump file collects ALL the packets regardless of the TARGET. This is done because you may want
to log even protocols not supported by ettercap, so you can analyze them with other tools.
TIP: you can use the -w option in conjunction with the -r one. This way you will be able to filter
the payload of the dumped packets or decrypt WEP-encrypted WiFi traffic and dump them to another
file.
USER INTERFACES OPTIONS
-T, --text
The text only interface, only printf ;)
It is quite interactive, press 'h' at any moment to get help on what you can do.
-q, --quiet
Quiet mode. It can be used only in conjunction with the console interface. It does not print
packet content. It is useful if you want to convert a pcap file to ettercap log files.
example:
ettercap -Tq -L dumpfile -r pcapfile
-s, --script <COMMANDS>
With this option you can feed ettercap commands as if they were typed on the keyboard by the
user. This way you can use ettercap within your favourite scripts. There is a special command you
can issue through this option: s(x). This command will sleep for x seconds.
example:
ettercap -T -s 'lq' will print the list of the hosts and exit
ettercap -T -s 's(300)olqq' will collect the info for 5 minutes, print the list of the local
profiles and exit
-C, --curses
Ncurses based GUI. See ettercap_curses(8) for a full description.
-G, --gtk
The nice GTK2 interface (thanks Daten...).
-D, --daemonize
Daemonize ettercap. This option will detach ettercap from the current controlling terminal and set
it as a daemon. You can combine this feature with the "log" option to log all the traffic in the
background. If the daemon fails for any reason, it will create the file
"./ettercap_daemonized.log" in which the error caught by ettercap will be reported. Furthermore,
if you want to have a complete debug of the daemon process, you are encouraged to recompile
ettercap in debug mode.
GENERAL OPTIONS
-b, --broadcast
Tells Ettercap to process packets coming from Broadcast address.
-i, --iface <IFACE>
Use this <IFACE> instead of the default one. The interface can be unconfigured (requires libnet >=
1.1.2), but in this case you cannot use MITM attacks and you should set the unoffensive flag.
-I, --iflist
This option will print the list of all available network interfaces that can be used within
ettercap. The option is particularly useful under Windows where the name of the interface is not
as obvious as under *nix.
-Y, --secondary <interfacelist>
Specify a list of (or single) secondary interfaces to capture packets from.
-A, --address <ADDRESS>
Use this <ADDRESS> instead of the one autodetected for the current iface. This option is useful if
you have an interface with multiple ip addresses.
-n, --netmask <NETMASK>
Use this <NETMASK> instead of the one associated with the current iface. This option is useful if
you have the NIC with an associated netmask of class B and you want to scan (with the arp scan)
only a class C.
-R, --reversed
Reverse the matching in the TARGET selection. It means not(TARGET). All but the selected TARGET.
-t, --proto <PROTO>
Sniff only PROTO packets (default is TCP + UDP).
This is useful if you want to select a port via the TARGET specification but you want to
differentiate between tcp or udp.
PROTO can be "tcp", "udp" or "all" for both.
-6, --ip6scan
Send ICMPv6 probes to discover active IPv6 nodes on the link. This option sends a ping request
to the all-nodes address to prompt active IPv6 hosts to respond. You should not use this option
if you are trying to hide yourself; it is therefore optional.
NOTE: This option is only available if IPv6 support has been enabled.
-z, --silent
Do not perform the initial ARP scan of the LAN.
NOTE: you will not have the hosts list, so you can't use the multipoison feature. You can only
select two hosts for an ARP poisoning attack, specifying them through the TARGETs.
-p, --nopromisc
Usually, ettercap will put the interface in promisc mode to sniff all the traffic on the wire. If
you want to sniff only your connections, use this flag to NOT enable the promisc mode.
-S, --nosslmitm
Usually, ettercap forges SSL certificates in order to intercept https traffic. This option
disables that behavior.
-u, --unoffensive
Every time ettercap starts, it disables ip forwarding in the kernel and begins to forward packets
itself. This option prevents that, so the responsibility of ip forwarding is left to the
kernel.
This option is useful if you want to run multiple ettercap instances. You will have one instance
(the one without the -u option) forwarding the packets, and all the other instances doing their
work without forwarding them. Otherwise you will get packet duplicates.
It also disables the internal creation of sessions for each connection. This increases
performance, but you will not be able to modify packets on the fly.
If you want to use a mitm attack you have to use a separate instance.
You have to use this option if the interface is unconfigured (without an IP address).
This is also useful if you want to run ettercap on the gateway. It will not disable the forwarding
and the gateway will correctly route the packets.
-j, --load-hosts <FILENAME>
It can be used to load a hosts list from a file created by the -k option. (see below)
-k, --save-hosts <FILENAME>
Saves the hosts list to a file. Useful when you have many hosts and you don't want to cause an ARP
storm at startup every time you use ettercap. Simply use this option to dump the list to a file,
then load the information from it with the -j <filename> option.
-P, --plugin <PLUGIN>
Run the selected PLUGIN. Many plugins need target specification, use TARGET as always. Use
multiple occurrences of this parameter to select multiple plugins.
In console mode (-C option), standalone plugins are executed and then the application exits. Hook
plugins are activated and the normal sniffing is performed.
To have a list of the available external plugins use "list" (without quotes) as plugin name (e.g.
./ettercap -P list).
NOTE: you can also activate plugins directly from the interfaces (always press "h" to get the
inline help)
More detailed info about plugins and about how to write your own are found in the man page
ettercap_plugins(8)
--plugin-list <PLUGIN1>[,<PLUGIN2>,...]
Instead of providing multiple occurrences of -P plugin, --plugin-list can be used followed by a
comma separated list without any spaces. (e.g. ./ettercap --plugin-list plugin1,plugin2).
-F, --filter <FILE>
Load the filter from the file <FILE>. The filter must be compiled with etterfilter(8). The utility
will compile the filter script and produce an ettercap-compliant binary filter file. Read the
etterfilter(8) man page for the list of functions you can use inside a filter script. Any number
of filters can be loaded by specifying the option multiple times; packets are passed through each
filter in the order specified on the command line. You can also load a script without enabling it
by appending :0 to the filename.
NOTE: these filters are different from those set with --pcapfilter. An ettercap filter is a
content filter and can modify the payload of a packet before forwarding it. Pcap filters are used
to capture only certain packets.
NOTE: you can use filters on a pcap file to modify it and save to another file, but in this case
you have to pay attention to what you are doing, since ettercap will not recalculate checksums,
nor split packets exceeding the MTU (snaplen), nor anything like that.
-W, --wifi-key <KEY>
You can specify a key to decrypt WiFi packets (WEP or WPA). Only the packets decrypted
successfully will be passed to the decoders stack; the others will be skipped with a message.
The parameter has the following syntax: type:bits:t:string, where 'type' can be wep, wpa-pwd or
wpa-psk, 'bits' is the bit length of the key (64, 128 or 256), 't' is the type of the string ('s'
for string and 'p' for passphrase), and 'string' can be a string or an escaped hex sequence.
example:
--wifi-key wep:128:p:secret
--wifi-key wep:128:s:ettercapwep0
--wifi-key 'wep:64:s:\x01\x02\x03\x04\x05'
--wifi-key wpa:pwd:ettercapwpa:ssid
--wifi-key wpa:psk:663eb260e87cf389c6bd7331b28d82f5203b0cae4e315f9cbb7602f3236708a6
-a, --config <CONFIG>
Loads an alternative config file instead of the default in /etc/etter.conf. This is useful if you
have many preconfigured files for different situations.
--certificate <FILE>
Tells Ettercap to use the specified certificate file for the SSL MiTM attack.
--private-key <FILE>
Tells Ettercap to use the specified private key file for the SSL MiTM attack.
VISUALIZATION OPTIONS
-e, --regex <REGEX>
Handle only packets that match the regex.
This option is useful in conjunction with -L. It logs only packets that match the posix regex
REGEX.
It impacts even the visualization of the sniffed packets. If it is set only packets matching the
regex will be displayed.
-V, --visual <FORMAT>
Use this option to set the visualization method for the packets to be displayed.
FORMAT may be one of the following:
hex      Print the packets in hex format.
         example:
         the string "HTTP/1.1 304 Not Modified" becomes:
         0000: 4854 5450 2f31 2e31 2033 3034 204e 6f74  HTTP/1.1 304 Not
         0010: 204d 6f64 6966 6965 64                   Modified
ascii    Print only "printable" characters; the others are displayed as dots '.'
text     Print only the "printable" characters and skip the others.
ebcdic   Convert an EBCDIC text to ASCII.
html     Strip all the html tags from the text. A tag is every string between < and >.
         example:
         <title>This is the title</title>, but the following <string> will not be displayed.
         becomes:
         This is the title, but the following will not be displayed.
utf8     Print the packets in UTF-8 format. The encoding used while performing the conversion is
         declared in the etter.conf(5) file.
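The formats above are simple enough to reproduce, which is handy when checking what a given dump "should" have looked like. Here is an added Python example (not ettercap's own code) rendering a payload in the hex, ascii, text, ebcdic, html and utf8 layouts; the hex layout follows the man page example (offset, 2-byte groups, then the text), EBCDIC is decoded with code page 037 and utf8 assumes UTF-8 input, both assumptions of this example rather than what etter.conf declares. The sample payload is the string from the example above.

```python
import re

# Constructed sample payload, the same string the man page uses for the hex example
SAMPLE = b"HTTP/1.1 304 Not Modified"


def render_hex(data, width=16):
    """Offset, 2-byte hex groups, then the printable text, 16 bytes per line."""
    lines = []
    hex_width = width * 2 + width // 2 - 1   # 39 columns for width 16
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%04x: %s  %s" % (off, " ".join(groups).ljust(hex_width), text))
    return "\n".join(lines)


def render_ascii(data):
    """'ascii': printable characters as they are, everything else as a dot."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def render_text(data):
    """'text': printable characters only, the others are skipped."""
    return "".join(chr(b) for b in data if 32 <= b < 127)


def render_ebcdic(data):
    """'ebcdic': decode as EBCDIC (code page 037 assumed here) and show as text."""
    return data.decode("cp037", errors="replace")


def render_html(data):
    """'html': drop every tag, i.e. every run of characters between < and >.
    The characters around a tag are kept, so a tag between two spaces leaves
    a double space behind."""
    return re.sub(r"<[^>]*>", "", data.decode("latin-1"))


def render_utf8(data):
    """'utf8': decode the payload; UTF-8 is assumed in this example, ettercap
    reads the encoding from etter.conf(5)."""
    return data.decode("utf-8", errors="replace")


RENDERERS = {"hex": render_hex, "ascii": render_ascii, "text": render_text,
             "ebcdic": render_ebcdic, "html": render_html, "utf8": render_utf8}


def render(data, fmt):
    """Dispatch on the FORMAT name, rejecting anything not in the list."""
    try:
        renderer = RENDERERS[fmt]
    except KeyError:
        raise ValueError("unknown format %r, expected one of %s" % (fmt, sorted(RENDERERS)))
    return renderer(data)


if __name__ == "__main__":
    for fmt in ("hex", "ascii", "text"):
        print("--", fmt)
        print(render(SAMPLE, fmt))
```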
-d, --dns
Resolve ip addresses into hostnames.
NOTE: this may seriously slow down ettercap while logging passive information. Every time a new
host is found, a query to the dns is performed. Ettercap keeps a cache for already resolved hosts
to increase the speed, but new hosts need a new query and the dns may take up to 2 or 3 seconds to
respond for an unknown host.
HINT: ettercap collects the dns replies it sniffs in the resolution table, so even if you specify
to not resolve the hostnames, some of them will be resolved because the reply was previously
sniffed. think about it as a passive dns resolution for free... ;)
-E, --ext-headers
Print extended headers for every displayed packet. (e.g. mac addresses)
-Q, --superquiet
Super quiet mode. Do not print users and passwords as they are collected; only store them in the
profiles. It is useful when you run ettercap in text only mode but don't want to be flooded with
dissector messages, and when using plugins: since the sniffing process is always active it would
print all the collected info, and with this option you can suppress these messages.
NOTE: this option automatically sets the -q option.
example:
ettercap -TzQP finger /192.168.0.1/22
LOGGING OPTIONS
-L, --log <LOGFILE>
Log all the packets to binary files. These files can be parsed by etterlog(8) to extract human
readable data. With this option, all packets sniffed by ettercap will be logged, together with all
the passive info (host info + user & pass) it can collect. Given a LOGFILE, ettercap will create
LOGFILE.ecp (for packets) and LOGFILE.eci (for the infos).
NOTE: if you specify this option on command line you don't have to take care of privileges since
the log file is opened in the startup phase (with high privs). But if you enable the log option
while ettercap is already started, you have to be in a directory where uid = 65535 or uid = EC_UID
can write.
NOTE: the logfiles can be compressed with the deflate algorithm using the -c option.
-l, --log-info <LOGFILE>
Very similar to -L but it logs only passive information + users and passwords for each host. The
file will be named LOGFILE.eci
-m, --log-msg <LOGFILE>
It stores in <LOGFILE> all the user messages printed by ettercap. This can be useful when you are
using ettercap in daemon mode or if you want to track down all the messages. Indeed, some
dissectors print messages but their information is not stored anywhere, so this is the only way to
keep track of them.
-c, --compress
Compress the logfile with the gzip algorithm while it is dumped. etterlog(8) is capable of
handling both compressed and uncompressed log files.
-o, --only-local
Stores profiles information belonging only to the LAN hosts.
NOTE: this option is effective only against the profiles collected in memory. While logging to a
file ALL the hosts are logged. If you want to split them, use the related etterlog(8) option.
-O, --only-remote
Stores profiles information belonging only to remote hosts.
STANDARD OPTIONS
-v, --version
Print the version and exit.
-h, --help
Prints the help screen with a short summary of the available options.