ettercap-plugins - A collection of plugins for ettercap
Ettercap(8) supports loadable modules at runtime. They are called plugins and
they come within the source tarball. They are automatically compiled if your
system supports them or until you specify -DENABLE_PLUGINS=OFF option to the
cmake configure script.
Some of older ettercap plugins (roper, banshee, and so on) have not been ported
in the new version. By the way, you can achieve the same results by using new
If you use interactive mode, most plugins need to "Start Sniff" before
- To have a list of plugins installed in your system do that
ettercap -P list
The following is a list of available plugins:
It reports suspicious ARP activity by passively monitoring ARP
requests/replies. It can report ARP posioning attempts, or simple
IP-conflicts or IP-changes. If you build the initial host list the plugin
will run more accurately.
ettercap -TQP arp_cop //
It will automatically add new victims to the ARP poisoning mitm attack when
they come up. It looks for ARP requests on the lan and when detected it
will add the host to the victims list if it was specified in the TARGET.
The host is added when an arp request is seen form it, since communicating
hosts are alive :)
It performs a check to see if the arp poisoning module of ettercap was
successful. It sends spoofed ICMP echo packets to all the victims of the
poisoning pretending to be each of the other targets. If we can catch an
ICMP reply with our MAC address as destination it means that the poisoning
between those two targets is successful. It checks both ways of each
communication. This plugin makes sense only where poisoning makes sense.
The test fails if you specify only one target in silent mode. You can't
run this plugin from command line because the poisoning process is not
started yet. You have to launch it from the proper menu.
This plugin intercepts DNS query and reply with a spoofed answer. You can
chose to which address the plugin has to reply by modifying the etter.dns
file. The plugin intercepts A, AAAA, PTR, MX, WINS, SRV and TXT request.
If it was an A request, the name is searched in the file and the IP
address is returned (you can use wildcards in the name).
The same applies if it was a AAAA request.
If it was a PTR request, the IP address is searched in the file and the name
is returned (except for those name containing a wildcard). For PTR
requests, IPv4 or IPv6 addresses are supported.
In case of MX request a special reply is crafted. The host is resolved with
a fake host 'mail.host' and the additional record contains the IP address
of 'mail.host'. The first address that matches is returned, so be careful
with the order. The IP address for MX requests can be a IPv4 or a IPv6
If the request was a WINS request, the name is searched in the file and the
IP address is returned.
In case of SRV request, a special reply is crafted. The host is resolved
with a fake host 'srv.host' and the additional record contains the IP
address of 'srv.host'. The IP address for SRV requests can be a IPv4 or a
In case of a TXT request, the string defined is being returned. The string
has to be wrapped in double quotes. Wildcards for the requested name can
also be used.
A special reply can be spoofed for A or AAAA requests, if the 'undefined
address' is specified as the IP address in the file. Then the client gets
a response which stops resolution processing imediately. This way one can
control which address family is being used to access a dual-stacked host.
In the case of an ANY request, all matching results of type A, AAAA, MX and
TXT are returned in the reply. If the 'undefined address' for A or AAAA
records is defined, nothing is returned for these types whether or not the
This plugin does the same as the dns_spoof plugin described above, despite
that it listens for mDNS (Multicast DNS) queries on UDP port 5353. To
choose to which address the plugin shall reply, you have to modify a
diffent file called etter.mdns. Due to the nature of mDNS, the plugin
intercepts only A, AAAA, PTR and SRV requests.
The way the mdns_spoof plugin interprets the etter.mdns file and the rules
that apply are the same as with the dns_spoof plugin.
This plugin runs a d.o.s. attack against a victim IP address. It first
"scans" the victim to find open ports, then starts to flood
these ports with SYN packets, using a "phantom" address as
source IP. Then it uses fake ARP replies to intercept packets for the
phantom host. When it receives SYN-ACK from the victim, it replies with an
ACK packet creating an ESTABLISHED connection. You have to use a free IP
address in your subnet to create the "phantom" host (you can use
find_ip for this purpose). You can't run this plugin in unoffensive mode.
This plugin is based on the original Naptha DoS attack
ettercap -TQP dos_attack
Only a template to demonstrate how to write a plugin.
Very simple plugin that listens for ARP requests to show you all the targets
an host wants to talk to. It can also help you finding addresses in an
ettercap -TQzP find_conn
ettercap -TQu -i eth0 -P find_conn
Try to identify ettercap packets sent on the LAN. It could be useful to
detect if someone is using ettercap. Do not rely on it 100% since the
tests are only on particular sequence/identification numbers.
Find the first unused IP address in the range specified by the user in the
target list. Some other plugins (such as gre_relay) need an unused IP
address of the LAN to create a "fake" host. It can also be
useful to obtain an IP address in an unknown LAN where there is no dhcp
server. You can use find_conn to determine the IP addressing of the LAN,
and then find_ip. You have to build host list to use this plugin so you
can't use it in unoffensive mode. If you don't have an IP address for your
interface, give it a bogus one (e.g. if the LAN is 192.168.0.0/24, use
10.0.0.1 to avoid conflicting IP), then launch this plugin specifying the
subnet range. You can run it either from the command line or from the
ettercap -TQP find_ip //
ettercap -TQP find_ip /192.168.0.1-254/
Uses the passive fingerprint capabilities to fingerprint a remote host. It
does a connect() to the remote host to force the kernel to reply to the
SYN with a SYN+ACK packet. The reply will be collected and the fingerprint
is displayed. The connect() obey to the connect_timeout parameter in
etter.conf(5). You can specify a target on command-line or let the plugin
ask the target host to be fingerprinted. You can also specify multiple
target with the usual multi-target specification (see ettercap(8)). if you
specify multiple ports, all the ports will be tested on all the IPs.
ettercap -TzP finger /192.168.0.1/22
ettercap -TzP finger /192.168.0.1-50/22,23,25
Use this plugin to submit a fingerprint to the ettercap website. If you
found an unknown fingerprint, but you know for sure the operating system
of the target, you can submit it so it will be inserted in the database in
the next ettercap release. We need your help to increase the passive
fingerprint database. Thank you very much.
ettercap -TzP finger_submit
This plugin performs a DoS attack because it sends a large amount of UDP
echo and chargen traffic to all hosts in target2 with a fake source ip
example (192.168.0.5 is the victim):
ettercap -i eth1 -Tq /192.168.0.5/ // -P fraggle_attack
This plugin can be used to sniff GRE-redirected remote traffic. The basic
idea is to create a GRE tunnel that sends all the traffic on a router
interface to the ettercap machine. The plugin will send back the GRE
packets to the router, after ettercap "manipulation" (you can
use "active" plugins such as smb_down, ssh decryption, filters,
etc... on redirected traffic) It needs a "fake" host where the
traffic has to be redirected to (to avoid kernel's responses). The
"fake" IP will be the tunnel endpoint. Gre_relay plugin will
impersonate the "fake" host. To find an unused IP address for
the "fake" host you can use find_ip plugin. Based on the
original Tunnelx technique by Anthony C. Zboralski.
This plugin try to discover the gateway of the lan by sending TCP SYN
packets to a remote host. The packet has the destination IP of a remote
host and the destination mac address of a local host. If ettercap receives
the SYN+ACK packet, the host which own the source mac address of the reply
is the gatway. This operation is repeated for each host in the 'host
list', so you need to have a valid host list before launching this plugin.
ettercap -TP gw_discover /192.168.0.1-50/
The isolate plugin will isolate an host form the LAN. It will poison the
victim's arp cache with its own mac address associated with all the host
it tries to contact. This way the host will not be able to contact other
hosts because the packet will never reach the wire.
You can specify all the host or only a group. the targets specification work
this way: the target1 is the victim and must be a single host, the target2
can be a range of addresses and represent the hosts that will be blocked
to the victim.
ettercap -TzqP isolate /192.168.0.1/ //
ettercap -TP isolate /192.168.0.1/ /192.168.0.2-30/
It performs a check of the link type (hub or switch) by sending a spoofed
ARP request and listening for replies. It needs at least one entry in the
host list to perform the check. With two or more hosts the test will be
ettercap -TQP link_type /192.168.0.1/
ettercap -TQP link_type //
It forces the pptp tunnel to negotiate MS-CHAPv1 authentication instead of
MS-CHAPv2, that is usually easier to crack (for example with LC4). You
have to be in the "middle" of the connection to use it
successfully. It hooks the ppp dissector, so you have to keep them active.
Forces no compression/encryption for pptp tunnels during negotiation. It
could fail if client (or the server) is configured to hang off the tunnel
if no encryption is negotiated. You have to be in the "middle"
of the connection to use it successfully. It hooks the ppp dissector, so
you have to keep them active.
It forces the pptp tunnel to negotiate PAP (cleartext) authentication. It
could fail if PAP is not supported, if pap_secret file is missing, or in
case windows is configured with "authomatic use of domain
account". (It could fail for many other reasons too). You have to be
in the "middle" of the connection to use it successfully. It
hooks the ppp dissector, so you have to keep them active.
Forces re-negotiation on an existing pptp tunnel. You can force
re-negotiation for grabbing passwords already sent. Furthermore you can
launch it to use pptp_pap, pptp_chapms1 or pptp_clear on existing tunnels
(those plugins work only during negotiation phase). You have to be in the
"middle" of the connection to use it successfully. It hooks the
ppp dissector, so you have to keep them active.
Floods the LAN with random MAC addresses. Some switches will fail open in
repeating mode, facilitating sniffing. The delay between each packet is
based on the port_steal_send_delay value in etter.conf.
It is useful only on ethernet switches.
ettercap -TP rand_flood
It sends to the browser the URLs sniffed thru HTTP sessions. So you are able
to see the webpages in real time. The command executed is configurable in
the etter.conf(5) file. It sends to the browser only the GET requests and
only for webpages, ignoring single request to images or other amenities.
Don't use it to view your own connection :)
Simple arp responder. When it intercepts an arp request for a host in the
targets' lists, it replies with attacker's MAC address.
ettercap -TQzP reply_arp /192.168.0.1/
ettercap -TQzP reply_arp //
It solicits poisoning packets after broadcast ARP requests (or replies) from
a posioned host. For example: we are poisoning Group1 impersonating Host2.
If Host2 makes a broadcast ARP request for Host3, it is possible that
Group1 caches the right MAC address for Host2 contained in the ARP packet.
This plugin re-poisons Group1 cache immediately after a legal broadcast
ARP request (or reply).
This plugin is effective only during an arp-posioning session.
In conjunction with the reply_arp plugin, repoison_arp is a good support for
the standard arp-poisoning mitm method.
ettercap -T -M arp:remote -P repoison_arp /192.168.0.10-20/ /192.168.0.1/
Check if someone is poisoning between some host in the list and us. First of
all it checks if two hosts in the list have the same mac address. It could
mean that one of those is poisoning us pretending to be the other. It
could generate many false-positives in a proxy-arp environment. You have
to build hosts list to perform this check. After that, it sends icmp echo
packets to each host in the list and checks if the source mac address of
the reply differs from the address we have stored in the list for that ip.
It could mean that someone is poisoning that host pretending to have our
ip address and forwards intercepted packets to us. You can't perform this
active test in unoffensive mode.
ettercap -TQP scan_poisoner //
It tries to find if anyone is sniffing in promisc mode. It sends two
different kinds of malformed arp request to each target in the host list
and waits for replies. If a reply arrives from the target host, it's more
or less probable that this target has the NIC in promisc mode. It could
generate false-positives. You can launch it either from the command line
or from the plugin menu. Since it listens for arp replies it is better
that you don't use it while sending arp request.
ettercap -TQP search_promisc /192.168.0.1/
ettercap -TQP search_promisc //
It forces the client to send smb password in clear-text by mangling protocol
negotiation. You have to be in the "middle" of the connection to
successfully use it. It hooks the smb dissector, so you have to keep it
active. If you use it against a windows client it will probably result in
a failure. Try it against a *nix smbclient :)
It forces the client to not to use NTLM2 password exchange during smb
authentication. This way, obtained hashes can be easily cracked by LC4.
You have to be in the "middle" of the connection to successfully
use it. It hooks the smb dissector, so you have to keep it active.
The Smurf Attack is a DoS attack in which huge numbers of ICMP packets with
the intended victim(s) IP(s) in target1 are sent to the hosts in target2.
This causes all hosts on the target2 to reply to the ICMP request, causing
significant traffic to the victim's computer(s).
example (192.168.0.5 is the victim):
ettercap -i eth1 -Tq /192.168.0.5/ // -P fraggle_attack
While performing the SSL mitm attack, ettercap substitutes the real ssl
certificate with its own. The fake certificate is created on the fly and
all the fields are filled according to the real cert presented by the
server. Only the issuer is modified and signed with the private key
contained in the 'etter.ssl.crt' file. If you want to use a different
private key you have to regenerate this file. To regenerate the cert file
use the following commands:
openssl genrsa -out etter.ssl.crt 1024
openssl req -new -key etter.ssl.crt -out tmp.csr
openssl x509 -req -days 1825 -in tmp.csr -signkey etter.ssl.crt -out tmp.new
cat tmp.new >> etter.ssl.crt
rm -f tmp.new tmp.csr
NOTE: SSL mitm is not available (for now) in bridged mode.
NOTE: You can use the --certificate/--private-key long options if you want
to specify a different file rather than the etter.ssl.crt file.
It sends spanning tree BPDUs pretending to be a switch with the highest
priority. Once in the "root" of the spanning tree, ettercap can
receive all the "unmanaged" network traffic.
It is useful only against a group of switches running STP.
If there is another switch with the highest priority, try to manually
decrease your MAC address before running it.
ettercap -TP stp_mangler
Alberto Ornaghi (ALoR) <firstname.lastname@example.org>
Marco Valleri (NaGA) <email@example.com>
Emilio Escobar (exfil) <firstname.lastname@example.org>
Eric Milam (Brav0Hax) <email@example.com>
Mike Ryan (justfalter) <firstname.lastname@example.org>
Gianfranco Costamagna (LocutusOfBorg) <email@example.com>
Antonio Collarino (sniper) <firstname.lastname@example.org>
Ryan Linn <email@example.com>
Jacob Baines <firstname.lastname@example.org>
Dhiru Kholia (kholia) <email@example.com>
Alexander Koeppe (koeppea) <firstname.lastname@example.org>
Martin Bos (PureHate) <email@example.com>
Gisle Vanem <firstname.lastname@example.org>
Johannes Bauer <JohannesBauer@gmx.de>
Daten (Bryan Schneiders) <email@example.com>
ettercap(8) ettercap_curses(8) etterlog(8)
etterfilter(8) etter.conf(5) ettercap-pkexec(8)