Provided by: ettercap-common_0.7.4.2-1_amd64


       ettercap-plugins - A collection of plugins for ettercap


       Ettercap(8) supports loadable modules at runtime. They are called plugins and they come
       within the source tarball. They are automatically compiled if your system supports them,
       unless you specify the --disable-plugins option to the configure script.
       Some older ettercap plugins (roper, banshee, and so on) have not been ported to the new
       version. You can achieve the same results by using the new filtering engine.
       If you use interactive mode, with most plugins you need to "Start Sniff" before using them.

       To list the plugins installed on your system, run:

              ettercap -P list

       The following is a list of available plugins:


              It reports suspicious ARP activity by passively monitoring ARP requests/replies.
              It can report ARP poisoning attempts, or simple IP conflicts or IP changes. If you
              build the initial host list the plugin will run more accurately.

              example :

              ettercap -TQP arp_cop //
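
              The kind of classification described above can be sketched as follows. This is an
              added example, not ettercap's code: the function name classify_arp, the event labels
              and the decision rules are assumptions, and the observations are constructed.

```python
# Added illustration of passive ARP monitoring; not ettercap source code.
# Labels and rules are assumptions modelled on the arp_cop description.

def classify_arp(host_list, observations):
    """Classify (sender_ip, sender_mac) pairs seen in ARP traffic.
    host_list (ip -> mac, the "initial host list") is updated in place;
    returns a list of (label, ip, mac) events."""
    events = []
    for ip, mac in observations:
        mac = mac.lower()
        known_mac = host_list.get(ip)
        if known_mac == mac:
            continue  # binding unchanged, nothing to report
        ips_of_mac = [i for i, m in host_list.items() if m == mac]
        if known_mac is None and not ips_of_mac:
            host_list[ip] = mac
            events.append(("new_host", ip, mac))
        elif known_mac is None:
            # Known MAC, IP never seen: the host moved to a new address.
            for old in ips_of_mac:
                del host_list[old]
            host_list[ip] = mac
            events.append(("ip_change", ip, mac))
        elif ips_of_mac:
            # A MAC we already know now answers for another host's IP.
            events.append(("poisoning_suspected", ip, mac))
        else:
            # Unknown MAC claims an IP that is already bound.
            events.append(("ip_conflict", ip, mac))
    return events


# Constructed sample data (documentation addresses, made-up MACs).
HOSTS = {
    "192.0.2.1": "00:00:5e:00:53:01",   # gateway
    "192.0.2.10": "00:00:5e:00:53:10",
    "192.0.2.20": "00:00:5e:00:53:20",
}
SEEN = [
    ("192.0.2.10", "00:00:5e:00:53:10"),  # normal traffic
    ("192.0.2.30", "00:00:5e:00:53:30"),  # host joins the LAN
    ("192.0.2.1", "00:00:5E:00:53:20"),   # .20's MAC claims the gateway IP
    ("192.0.2.10", "00:00:5e:00:53:99"),  # unknown MAC claims a bound IP
    ("192.0.2.31", "00:00:5e:00:53:30"),  # .30 moves to a new address
]

if __name__ == "__main__":
    for event in classify_arp(dict(HOSTS), SEEN):
        print(event)
```

              Run with an empty host list, the same observations record the gateway claim as a
              new host, which is why building the initial host list improves accuracy.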


              It will automatically add new victims to the ARP poisoning mitm attack when they
              come up. It looks for ARP requests on the LAN and, when one is detected, it adds the
              host to the victims list if it was specified in the TARGET. The host is added when
              an ARP request is seen from it, since communicating hosts are alive :)


              It  performs a check to see if the arp poisoning module of ettercap was successful.
              It sends spoofed ICMP echo packets to all the victims of the  poisoning  pretending
              to be each of the other targets. If we can catch an ICMP reply with our MAC address
              as destination it means that the poisoning between those two targets is successful.
              It  checks  both  ways  of  each communication.  This plugin makes sense only where
              poisoning makes sense.  The test fails if you specify only  one  target  in  silent
              mode.  You can't run this plugin from the command line because the poisoning process is
              not started yet. You have to launch it from the proper menu.


              This plugin intercepts DNS queries and replies with a spoofed answer. You can choose
              which address the plugin replies with by modifying the etter.dns file. The plugin
              intercepts A, PTR and MX requests. If it was an A request, the name is searched for in
              the file and the IP address is returned (you can use wildcards in the name). If it
              was a PTR request, the IP is searched for in the file and the name is returned (except
              for those names containing a wildcard). In case of an MX request a special reply is
              crafted. The host is resolved with a fake host '' and the additional
              record contains the IP address of ''. The first address or name that
              matches is returned, so be careful with the order.


              This plugin runs a d.o.s. attack against a victim IP address. It first "scans"  the
              victim to find open ports, then starts to flood these ports with SYN packets, using
              a "phantom" address as source IP. Then  it  uses  fake  ARP  replies  to  intercept
              packets  for the phantom host. When it receives SYN-ACK from the victim, it replies
              with an ACK packet creating an ESTABLISHED connection.  You have to use a  free  IP
              address  in  your subnet to create the "phantom" host (you can use find_ip for this
              purpose).  You can't run this plugin in unoffensive mode.
              This plugin is based on the original Naptha DoS attack

              example :

              ettercap -TQP dos_attack


              Only a template to demonstrate how to write a plugin.


              Very simple plugin that listens for ARP requests to show you all the targets a
              host wants to talk to. It can also help you find addresses in an unknown LAN.

              example :

              ettercap -TQzP find_conn

              ettercap -TQu -i eth0 -P find_conn


              Try to identify ettercap packets sent on the LAN. It could be useful to  detect  if
              someone  is  using  ettercap.  Do  not  rely on it 100% since the tests are only on
              particular sequence/identification numbers.


              Find the first unused IP address in the range specified by the user in  the  target
              list.  Some  other plugins (such as gre_relay) need an unused IP address of the LAN
              to create a "fake" host.  It can also be useful to  obtain  an  IP  address  in  an
              unknown  LAN  where there is no dhcp server. You can use find_conn to determine the
              IP addressing of the LAN, and then find_ip.  You have to build the host list to use
              this  plugin  so  you  can't  use  it  in unoffensive mode. If you don't have an IP
              address for your interface, give it a bogus one (e.g. if the LAN is,
              use  to  avoid  conflicting  IP),  then launch this plugin specifying the
              subnet range.  You can run it either from the command line or from the proper menu.

              example :

              ettercap -TQP find_ip //

              ettercap -TQP find_ip /


              Uses the passive fingerprint capabilities to fingerprint a remote host. It does a
              connect() to the remote host to force the kernel to reply to the SYN with a SYN+ACK
              packet. The reply is collected and the fingerprint is displayed. The connect()
              obeys the connect_timeout parameter in etter.conf(5). You can specify a target on
              the command line or let the plugin ask for the target host to be fingerprinted. You can
              also specify multiple targets with the usual multi-target specification (see
              ettercap(8)). If you specify multiple ports, all the ports will be tested on all
              the IPs.

              example :

              ettercap -TzP finger /
              ettercap -TzP finger /,23,25


              Use  this  plugin  to submit a fingerprint to the ettercap website. If you found an
              unknown fingerprint, but you know for sure the operating system of the target,  you
              can  submit it so it will be inserted in the database in the next ettercap release.
              We need your help to increase the passive  fingerprint  database.  Thank  you  very

              example :

              ettercap -TzP finger_submit


              This plugin can be used to sniff GRE-redirected remote traffic. The basic idea is
              to create a GRE tunnel that sends all the traffic on a router interface to the
              ettercap machine. The plugin will send the GRE packets back to the router after
              ettercap "manipulation" (you can use "active" plugins such as smb_down, ssh
              decryption, filters, etc. on redirected traffic). It needs a "fake" host where the
              traffic has to be redirected to (to avoid the kernel's responses). The "fake" IP will
              be the tunnel endpoint. The gre_relay plugin will impersonate the "fake" host. To
              find an unused IP address for the "fake" host you can use the find_ip plugin. Based on
              the original Tunnelx technique by Anthony C. Zboralski published in
              by HERT.


              This plugin tries to discover the gateway of the LAN by sending TCP SYN packets to a
              remote host. The packet has the destination IP of a remote host and the destination
              MAC address of a local host. If ettercap receives the SYN+ACK packet, the host
              that owns the source MAC address of the reply is the gateway. This operation is
              repeated for each host in the 'host list', so you need to have a valid host list
              before launching this plugin.

              example :

              ettercap -TP gw_discover /


              The isolate plugin will isolate a host from the LAN. It will poison the victim's
              ARP cache with its own MAC address associated with all the hosts it tries to
              contact. This way the host will not be able to contact other hosts because the
              packet will never reach the wire.
              You can specify all the hosts or only a group. The target specification works this
              way: target1 is the victim and must be a single host; target2 can be a
              range of addresses and represents the hosts that will be blocked to the victim.

              examples :

              ettercap -TzqP isolate / //
              ettercap -TP isolate / /


              It performs a check of the link type (hub or  switch)  by  sending  a  spoofed  ARP
              request  and listening for replies. It needs at least one entry in the host list to
              perform the check. With two or more hosts the test will be more accurate.

              example :

              ettercap -TQP link_type /
              ettercap -TQP link_type //


              It forces the pptp tunnel to negotiate MS-CHAPv1 authentication, which is usually
              easier to crack (for example with LC4), instead of MS-CHAPv2. You have to be in
              the "middle" of the connection to use it successfully. It hooks the ppp dissector,
              so you have to keep it active.


              Forces no compression/encryption for pptp tunnels during negotiation. It could
              fail if the client (or the server) is configured to hang up the tunnel if no
              encryption is negotiated. You have to be in the "middle" of the connection to use
              it successfully. It hooks the ppp dissector, so you have to keep it active.


              It forces the pptp tunnel to negotiate PAP (cleartext) authentication. It could
              fail if PAP is not supported, if the pap_secret file is missing, or if Windows is
              configured with "automatic use of domain account". (It could fail for many other
              reasons too.) You have to be in the "middle" of the connection to use it
              successfully. It hooks the ppp dissector, so you have to keep it active.


              Forces re-negotiation on an existing pptp tunnel.  You can force re-negotiation for
              grabbing  passwords  already  sent.  Furthermore you can launch it to use pptp_pap,
              pptp_chapms1 or pptp_clear on existing tunnels  (those  plugins  work  only  during
              negotiation  phase).   You  have  to be in the "middle" of the connection to use it
              successfully.  It hooks the ppp dissector, so you have to keep it active.


              Floods the LAN with random MAC addresses. Some switches will fail open in repeating
              mode,  facilitating  sniffing.  The  delay  between  each  packet  is  based on the
              port_steal_send_delay value in etter.conf.
              It is useful only on ethernet switches.

              example :

              ettercap -TP rand_flood


              It sends the URLs sniffed through HTTP sessions to the browser, so you are able to see
              the webpages in real time. The command executed is configurable in the
              etter.conf(5) file. It sends to the browser only the GET requests and only for
              webpages, ignoring individual requests for images or other amenities. Don't use it to
              view your own connection :)


              Simple ARP responder. When it intercepts an ARP request for a host in the targets'
              lists, it replies with the attacker's MAC address.

              example :

              ettercap -TQzP reply_arp /
              ettercap -TQzP reply_arp //


              It solicits poisoning packets after broadcast ARP requests (or replies) from a
              poisoned host. For example: we are poisoning Group1 impersonating Host2. If Host2
              makes a broadcast ARP request for Host3, it is possible that Group1 caches the
              right MAC address for Host2 contained in the ARP packet. This plugin re-poisons
              the Group1 cache immediately after a legal broadcast ARP request (or reply).
              This plugin is effective only during an arp-poisoning session.
              In conjunction with the reply_arp plugin, repoison_arp is a good support for the
              standard arp-poisoning mitm method.

              example :

              ettercap -T -M arp:remote -P repoison_arp / /


              Checks if someone is poisoning between any host in the list and us. First of all
              it checks if two hosts in the list have the same MAC address. It could mean that
              one of those is poisoning us pretending to be the other. It could generate many
              false positives in a proxy-arp environment. You have to build the host list to
              perform this check. After that, it sends ICMP echo packets to each host in the
              list and checks if the source MAC address of the reply differs from the address we
              have stored in the list for that IP. It could mean that someone is poisoning that
              host pretending to have our IP address and forwards intercepted packets to us. You
              can't perform this active test in unoffensive mode.

              example :

              ettercap -TQP scan_poisoner //
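
              The two comparisons described above, as an added example that is not ettercap's code:
              the function names, the proxy_arp_macs allowlist and the sample host list and
              replies are assumptions constructed for illustration.

```python
# Added illustration of the two scan_poisoner checks; not ettercap source code.
from collections import defaultdict


def duplicate_macs(host_list, proxy_arp_macs=()):
    """Check 1: group host-list IPs that share one MAC address.

    proxy_arp_macs is an assumed allowlist for devices doing proxy ARP,
    which legitimately answer for many IPs and would be false positives.
    """
    by_mac = defaultdict(list)
    for ip, mac in host_list.items():
        by_mac[mac.lower()].append(ip)
    skip = {m.lower() for m in proxy_arp_macs}
    return {mac: sorted(ips) for mac, ips in by_mac.items()
            if len(ips) > 1 and mac not in skip}


def reply_mismatches(host_list, echo_replies):
    """Check 2: echo replies whose source MAC differs from the host list.

    echo_replies: iterable of (ip, source_mac) read from the reply frames.
    Returns (ip, expected_mac, seen_mac) tuples; unknown IPs are ignored.
    """
    return [(ip, host_list[ip].lower(), mac.lower())
            for ip, mac in echo_replies
            if ip in host_list and host_list[ip].lower() != mac.lower()]


# Constructed sample data (documentation addresses, made-up MACs).
HOST_LIST = {
    "192.0.2.1": "00:00:5e:00:53:01",    # router doing proxy ARP
    "192.0.2.200": "00:00:5e:00:53:01",  # host reached through the router
    "192.0.2.10": "00:00:5e:00:53:10",
    "192.0.2.20": "00:00:5e:00:53:10",   # same MAC as .10: suspicious
}
REPLIES = [
    ("192.0.2.1", "00:00:5e:00:53:01"),   # matches the list
    ("192.0.2.10", "00:00:5E:00:53:66"),  # reply came from another MAC
]

if __name__ == "__main__":
    print(duplicate_macs(HOST_LIST))
    print(duplicate_macs(HOST_LIST, proxy_arp_macs=["00:00:5E:00:53:01"]))
    print(reply_mismatches(HOST_LIST, REPLIES))
```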


              It tries to find if anyone is sniffing in promisc  mode.  It  sends  two  different
              kinds  of  malformed  arp  request  to  each  target in the host list and waits for
              replies. If a reply arrives from the target host, it's more or less  probable  that
              this  target  has  the NIC in promisc mode. It could generate false-positives.  You
              can launch it either from the command line or  from  the  plugin  menu.   Since  it
              listens  for  arp  replies  it  is  better  that you don't use it while sending arp

              example :

              ettercap -TQP search_promisc /
              ettercap -TQP search_promisc //


              It forces the client to send  smb  password  in  clear-text  by  mangling  protocol
              negotiation.  You  have to be in the "middle" of the connection to successfully use
              it. It hooks the smb dissector, so you have to keep  it  active.   If  you  use  it
              against  a  windows  client it will probably result in a failure.  Try it against a
              *nix smbclient :)


              It forces the client not to use NTLM2 password exchange during smb
              authentication. This way, obtained hashes can be easily cracked by LC4. You have
              to be in the "middle" of the connection to successfully use it.  It hooks  the  smb
              dissector, so you have to keep it active.


              It  sends  spanning tree BPDUs pretending to be a switch with the highest priority.
              Once in the "root" of the spanning tree, ettercap can receive all  the  "unmanaged"
              network traffic.
              It is useful only against a group of switches running STP.
              If there is another switch with the highest priority, try to manually decrease your
              MAC address before running it.

              example :

              ettercap -TP stp_mangler


       ettercap(8) ettercap_curses(8) etterlog(8) etterfilter(8) etter.conf(5)