Provided by: ettercap-common_0.8.2-2build1_i386 bug


       ettercap-plugins - A collection of plugins for ettercap


       Ettercap(8)  supports  loadable  modules  at  runtime.  They are called
       plugins and they come within the source tarball. They are automatically
       compiled   if   your   system   supports  them  or  until  you  specify
       -DENABLE_PLUGINS=OFF option to the cmake configure script.
       Some of older ettercap plugins (roper, banshee, and  so  on)  have  not
       been  ported  in the new version.  By the way, you can achieve the same
       results by using new filtering engine.
       If you use interactive mode, most plugins need to "Start Sniff"  before
       using them.

       To have a list of plugins installed in your system do that command:

              ettercap -P list

       The following is a list of available plugins:


              It  reports  suspicious ARP activity by passively monitoring ARP
              requests/replies.  It can  report  ARP  posioning  attempts,  or
              simple  IP-conflicts  or  IP-changes.   If you build the initial
              host list the plugin will run more accurately.

              example :

              ettercap -TQP arp_cop //


              It will automatically add new victims to the ARP poisoning  mitm
              attack  when  they come up. It looks for ARP requests on the lan
              and when detected it will add the host to the victims list if it
              was  specified  in  the  TARGET.  The  host is added when an arp
              request is seen form it, since communicating hosts are alive :)


              It performs a check to  see  if  the  arp  poisoning  module  of
              ettercap  was successful.  It sends spoofed ICMP echo packets to
              all the victims of the poisoning pretending to be  each  of  the
              other  targets.  If  we  can  catch  an  ICMP reply with our MAC
              address as destination it means that the poisoning between those
              two   targets  is  successful.  It  checks  both  ways  of  each
              communication.  This plugin makes  sense  only  where  poisoning
              makes  sense.   The test fails if you specify only one target in
              silent mode.  You  can't  run  this  plugin  from  command  line
              because  the  poisoning  process is not started yet. You have to
              launch it from the proper menu.


              This plugin intercepts  DNS  query  and  reply  with  a  spoofed
              answer.  You  can chose to which address the plugin has to reply
              by modifying the etter.dns file. The plugin intercepts A,  AAAA,
              PTR,  MX, WINS, SRV and TXT request. If it was an A request, the
              name is searched in the file and the IP address is returned (you
              can use wildcards in the name).
              The same applies if it was a AAAA request.

              If  it was a PTR request, the IP address is searched in the file
              and the name is returned (except for  those  name  containing  a
              wildcard).   For  PTR  requests,  IPv4  or  IPv6  addresses  are

              In case of MX request a special reply is crafted.  The  host  is
              resolved  with a fake host '' and the additional record
              contains the IP address of ''. The first  address  that
              matches  is  returned,  so  be  careful  with  the order. The IP
              address for MX requests can be a IPv4 or a IPv6 address.

              If the request was a WINS request, the name is searched  in  the
              file and the IP address is returned.

              In  case of SRV request, a special reply is crafted. The host is
              resolved with a fake host '' and the  additional  record
              contains  the  IP  address of ''. The IP address for SRV
              requests can be a IPv4 or a IPv6 address.

              In case of a TXT request, the string defined is being  returned.
              The string has to be wrapped in double quotes. Wildcards for the
              requested name can also be used.

              A special reply can be spoofed for A or AAAA  requests,  if  the
              'undefined  address' is specified as the IP address in the file.
              Then  the  client  gets  a  response  which   stops   resolution
              processing  imediately.  This  way one can control which address
              family is being used to access a dual-stacked host.

              In the case of an ANY request, all matching results of  type  A,
              AAAA,  MX  and  TXT are returned in the reply. If the 'undefined
              address' for A or AAAA records is defined, nothing  is  returned
              for these types whether or not the name matches.


              This  plugin  does  the  same  as the dns_spoof plugin described
              above, despite that it listens for mDNS (Multicast DNS)  queries
              on  UDP  port 5353.  To choose to which address the plugin shall
              reply, you have to modify a diffent file called etter.mdns.  Due
              to  the  nature of mDNS, the plugin intercepts only A, AAAA, PTR
              and SRV requests.

              The way the mdns_spoof plugin interprets the etter.mdns file and
              the rules that apply are the same as with the dns_spoof plugin.


              This plugin runs a d.o.s. attack against a victim IP address. It
              first "scans" the victim to find  open  ports,  then  starts  to
              flood these ports with SYN packets, using a "phantom" address as
              source IP. Then it uses fake ARP replies  to  intercept  packets
              for  the phantom host. When it receives SYN-ACK from the victim,
              it  replies  with  an  ACK  packet   creating   an   ESTABLISHED
              connection.  You have to use a free IP address in your subnet to
              create  the  "phantom"  host  (you  can  use  find_ip  for  this
              purpose).  You can't run this plugin in unoffensive mode.
              This   plugin  is  based  on  the  original  Naptha  DoS  attack

              example :

              ettercap -TQP dos_attack


              Only a template to demonstrate how to write a plugin.


              Very simple plugin that listens for ARP requests to show you all
              the  targets  an  host  wants  to  talk to. It can also help you
              finding addresses in an unknown LAN.

              example :

              ettercap -TQzP find_conn

              ettercap -TQu -i eth0 -P find_conn


              Try to identify ettercap packets sent on the LAN.  It  could  be
              useful to detect if someone is using ettercap. Do not rely on it
              100%    since    the    tests    are    only    on    particular
              sequence/identification numbers.


              Find  the  first unused IP address in the range specified by the
              user in the target list. Some other plugins (such as  gre_relay)
              need  an  unused  IP address of the LAN to create a "fake" host.
              It can also be useful to obtain an IP address in an unknown  LAN
              where  there  is  no  dhcp  server.  You  can  use  find_conn to
              determine the IP addressing of the LAN, and then  find_ip.   You
              have  to  build host list to use this plugin so you can't use it
              in unoffensive mode. If you don't have an IP  address  for  your
              interface,   give   it   a   bogus  one  (e.g.  if  the  LAN  is
    , use  to  avoid  conflicting  IP),  then
              launch  this plugin specifying the subnet range.  You can run it
              either from the command line or from the proper menu.

              example :

              ettercap -TQP find_ip //

              ettercap -TQP find_ip /


              Uses the  passive  fingerprint  capabilities  to  fingerprint  a
              remote host. It does a connect() to the remote host to force the
              kernel to reply to the SYN with a SYN+ACK packet. The reply will
              be  collected  and  the  fingerprint is displayed. The connect()
              obey to the connect_timeout parameter in etter.conf(5). You  can
              specify  a  target  on  command-line  or  let the plugin ask the
              target host to be fingerprinted. You can also  specify  multiple
              target   with   the   usual   multi-target   specification  (see
              ettercap(8)). if you specify multiple ports, all the ports  will
              be tested on all the IPs.

              example :

              ettercap -TzP finger /
              ettercap -TzP finger /,23,25


              Use this plugin to submit a fingerprint to the ettercap website.
              If you found an unknown fingerprint, but you know for  sure  the
              operating  system of the target, you can submit it so it will be
              inserted in the database in the next ettercap release.  We  need
              your  help  to  increase the passive fingerprint database. Thank
              you very much.

              example :

              ettercap -TzP finger_submit


              This plugin performs a DoS  attack  because  it  sends  a  large
              amount  of  UDP echo and chargen traffic to all hosts in target2
              with a fake source ip address (victim).

              example ( is the victim):

              ettercap -i eth1 -Tq / // -P fraggle_attack


              This plugin can be used to sniff GRE-redirected remote  traffic.
              The  basic  idea  is  to  create a GRE tunnel that sends all the
              traffic on a router  interface  to  the  ettercap  machine.  The
              plugin  will  send  back  the  GRE  packets to the router, after
              ettercap "manipulation" (you can use "active"  plugins  such  as
              smb_down, ssh decryption, filters, etc... on redirected traffic)
              It needs a "fake" host where the traffic has to be redirected to
              (to  avoid kernel's responses). The "fake" IP will be the tunnel
              endpoint.  Gre_relay plugin will impersonate  the  "fake"  host.
              To  find  an  unused  IP address for the "fake" host you can use
              find_ip plugin.  Based on  the  original  Tunnelx  technique  by
              Anthony C. Zboralski.


              This  plugin  try  to discover the gateway of the lan by sending
              TCP SYN packets to a remote host. The packet has the destination
              IP  of  a remote host and the destination mac address of a local
              host. If ettercap receives the SYN+ACK packet,  the  host  which
              own  the  source  mac  address of the reply is the gatway.  This
              operation is repeated for each host in the 'host list',  so  you
              need to have a valid host list before launching this plugin.

              example :

              ettercap -TP gw_discover /


              The  isolate  plugin  will isolate an host form the LAN. It will
              poison  the  victim's  arp  cache  with  its  own  mac   address
              associated  with  all the host it tries to contact. This way the
              host will not be able to contact other hosts because the  packet
              will never reach the wire.
              You  can  specify  all  the  host  or  only a group. the targets
              specification work this way: the target1 is the victim and  must
              be  a  single  host, the target2 can be a range of addresses and
              represent the hosts that will be blocked to the victim.

              examples :

              ettercap -TzqP isolate / //
              ettercap -TP isolate / /


              It performs a check of the link type (hub or switch) by  sending
              a  spoofed  ARP  request  and listening for replies. It needs at
              least one entry in the host list to perform the check. With  two
              or more hosts the test will be more accurate.

              example :

              ettercap -TQP link_type /
              ettercap -TQP link_type //


              It  forces the pptp tunnel to negotiate MS-CHAPv1 authentication
              instead of MS-CHAPv2, that  is  usually  easier  to  crack  (for
              example  with  LC4).   You  have  to  be  in the "middle" of the
              connection to use it successfully.  It hooks the ppp  dissector,
              so you have to keep them active.


              Forces   no   compression/encryption  for  pptp  tunnels  during
              negotiation.  It  could  fail  if  client  (or  the  server)  is
              configured   to   hang  off  the  tunnel  if  no  encryption  is
              negotiated.  You have to be in the "middle" of the connection to
              use it successfully.  It hooks the ppp dissector, so you have to
              keep them active.


              It  forces  the  pptp  tunnel  to  negotiate   PAP   (cleartext)
              authentication.   It  could  fail  if  PAP  is not supported, if
              pap_secret file is missing, or in  case  windows  is  configured
              with "authomatic use of domain account". (It could fail for many
              other reasons too).  You have to  be  in  the  "middle"  of  the
              connection  to use it successfully.  It hooks the ppp dissector,
              so you have to keep them active.


              Forces re-negotiation on an existing pptp tunnel.  You can force
              re-negotiation for grabbing passwords already sent.  Furthermore
              you can launch it to use pptp_pap, pptp_chapms1 or pptp_clear on
              existing  tunnels  (those  plugins  work only during negotiation
              phase).  You have to be in the "middle" of the connection to use
              it  successfully.   It  hooks  the ppp dissector, so you have to
              keep them active.


              Floods the LAN with random MAC  addresses.  Some  switches  will
              fail  open  in  repeating mode, facilitating sniffing. The delay
              between each packet is based on the port_steal_send_delay  value
              in etter.conf.
              It is useful only on ethernet switches.

              example :

              ettercap -TP rand_flood


              It  sends to the browser the URLs sniffed thru HTTP sessions. So
              you are able to see the  webpages  in  real  time.  The  command
              executed  is configurable in the etter.conf(5) file. It sends to
              the browser  only  the  GET  requests  and  only  for  webpages,
              ignoring single request to images or other amenities.  Don't use
              it to view your own connection :)


              Simple arp responder. When it intercepts an arp  request  for  a
              host  in  the  targets'  lists,  it  replies with attacker's MAC

              example :

              ettercap -TQzP reply_arp /
              ettercap -TQzP reply_arp //


              It solicits poisoning packets after broadcast ARP  requests  (or
              replies)  from  a  posioned host.  For example: we are poisoning
              Group1 impersonating Host2.  If  Host2  makes  a  broadcast  ARP
              request  for  Host3, it is possible that Group1 caches the right
              MAC address for Host2 contained in the ARP packet.  This  plugin
              re-poisons  Group1 cache immediately after a legal broadcast ARP
              request (or reply).
              This plugin is effective only during an arp-posioning session.
              In conjunction with the reply_arp plugin, repoison_arp is a good
              support for the standard arp-poisoning mitm method.

              example :

              ettercap  -T  -M  arp:remote  -P  repoison_arp /


              Check if someone is poisoning between some host in the list  and
              us.   First  of  all it checks if two hosts in the list have the
              same mac address.  It could mean that one of those is  poisoning
              us  pretending  to  be the other.  It could generate many false-
              positives in a proxy-arp environment.  You have to  build  hosts
              list  to  perform  this  check.   After that, it sends icmp echo
              packets to each host in the list and checks if  the  source  mac
              address  of the reply differs from the address we have stored in
              the list for that ip.  It could mean that someone  is  poisoning
              that  host  pretending  to  have  our  ip  address  and forwards
              intercepted packets to us.  You can't perform this  active  test
              in unoffensive mode.

              example :

              ettercap -TQP scan_poisoner //


              It tries to find if anyone is sniffing in promisc mode. It sends
              two different kinds of malformed arp request to each  target  in
              the host list and waits for replies. If a reply arrives from the
              target host, it's more or less probable that this target has the
              NIC in promisc mode. It could generate false-positives.  You can
              launch it either from the command line or from the plugin  menu.
              Since it listens for arp replies it is better that you don't use
              it while sending arp request.

              example :

              ettercap -TQP search_promisc /
              ettercap -TQP search_promisc //


              It forces the client to  send  smb  password  in  clear-text  by
              mangling protocol negotiation. You have to be in the "middle" of
              the  connection  to  successfully  use  it.  It  hooks  the  smb
              dissector, so you have to keep it active.  If you use it against
              a windows client it will probably result in a failure.   Try  it
              against a *nix smbclient :)


              It  forces  the  client  to  not  to use NTLM2 password exchange
              during smb authentication. This  way,  obtained  hashes  can  be
              easily  cracked  by  LC4.  You have to be in the "middle" of the
              connection to successfully use it.  It hooks the smb  dissector,
              so you have to keep it active.


              The  Smurf  Attack is a DoS attack in which huge numbers of ICMP
              packets with the intended victim(s) IP(s) in target1 are sent to
              the  hosts  in  target2. This causes all hosts on the target2 to
              reply to the ICMP request, causing significant  traffic  to  the
              victim's computer(s).

              example ( is the victim):

              ettercap -i eth1 -Tq / // -P fraggle_attack


              While  performing  the SSL mitm attack, ettercap substitutes the
              real ssl certificate with its  own.   The  fake  certificate  is
              created  on  the  fly and all the fields are filled according to
              the real cert presented by the   server.  Only  the   issuer  is
              modified  and  signed  with  the  private  key  contained in the
              'etter.ssl.crt' file.  If you want to use  a  different  private
              key  you  have  to  regenerate this file. To regenerate the cert
              file use the following commands:

              openssl genrsa -out etter.ssl.crt 1024
              openssl req -new -key etter.ssl.crt -out tmp.csr
              openssl x509 -req -days 1825 -in tmp.csr -signkey  etter.ssl.crt
              cat >> etter.ssl.crt
              rm -f tmp.csr

              NOTE: SSL mitm is not available (for now) in bridged mode.

              NOTE:  You  can use the --certificate/--private-key long options
              if you want  to  specify  a  different  file  rather   than  the
              etter.ssl.crt file.


              It  sends spanning tree BPDUs pretending to be a switch with the
              highest priority. Once in  the  "root"  of  the  spanning  tree,
              ettercap can receive all the "unmanaged" network traffic.
              It is useful only against a group of switches running STP.
              If  there  is  another  switch with the highest priority, try to
              manually decrease your MAC address before running it.

              example :

              ettercap -TP stp_mangler


       Alberto Ornaghi (ALoR) <>
       Marco Valleri (NaGA) <>


       Emilio Escobar (exfil)  <>
       Eric Milam (Brav0Hax)  <>


       Mike Ryan (justfalter)  <>
       Gianfranco Costamagna (LocutusOfBorg)  <>
       Antonio Collarino (sniper)  <>
       Ryan Linn   <>
       Jacob Baines   <>


       Dhiru Kholia (kholia)  <>
       Alexander Koeppe (koeppea)  <>
       Martin Bos (PureHate)  <>
       Enrique Sanchez
       Gisle Vanem  <>
       Johannes Bauer  <>
       Daten (Bryan Schneiders)  <>


       ettercap(8) ettercap_curses(8) etterlog(8) etterfilter(8) etter.conf(5)