bionic (8) ettercap_curses.8.gz

Provided by: ettercap-common_0.8.2-10build4_amd64 bug

NAME

       ettercap - Man page for the Ncurses GUI.

GENERAL DESCRIPTION

       The curses GUI is quite simple and intuitive.
       It  is  menu-driven.  Every  flag  or  function  can  be modified/called through the upper menu. All user
       messages are printed in the bottom window. If you want to see the old messages, you can scroll the window
       buffer  by  pressing  the UP, DOWN, PPAGE, NPAGE keys.  The middle part is used to display information or
       dialogs for the user.

       The menus can be opened by pressing the relative hotkey. For the menus the hotkey is represented  by  the
       uppercase  initial  letter  of the title (e.g. 'S' for Sniffing, 'T' for Targets). The functions within a
       menu can be called by pressing the hotkey depicted near the function name on the right. Hotkeys  prefixed
       with 'C-' are to be used in conjunction with the CTRL key (e.g. 'C-f' means CTRL+f).

       You  can  switch the focus between the objects on the screen by pressing the TAB key or by clicking on it
       with the mouse (if you are running ettercap within an xterm). Mouse events are supported only through the
       xterm.  You can use the mouse to select objects, open a menu, choose a function, scroll the elevators for
       the scrolling windows, etc etc.

       When you open multiple windows in the middle part, they will overlap. Use the TAB key to  switch  between
       them. Use CTRL+Q to close the focused window.
       You  can  also  use CTRL+Q to close the input dialog if you want to cancel the requested input. (i.e. you
       have selected the wrong function and you want to go back).

       To have a quick help on the shortcuts you can use against a particular window press the SPACE key. A help
       window  will  be  displayed  with a list of shortcuts that can be used. If the window does not appear, no
       shortcuts are available.

HOW TO SELECT IT

       To use the ncurses GUI you have to:

       - compile ettercap with ncurses support (obviously)
       - run it with the -C flag

       Passing the -C flag is sufficient, but if you want you can pass other flags that  will  be  automatically
       set for the ncurses GUI. You will be able to override them using the menu to change the options.

ONCE STARTED

       As  soon  as  ettercap  is launched with the Ncurses GUI, you will be prompted with multiple choices. The
       first screen lets you select if you want to open a pcap file or dump the sniffed traffic to  a  file,  if
       you  want  unified  sniffing  or  bridged one, permits you to set a pcap file on the captured traffic and
       enables you to log all the sniffed data.

       Once you have selected a sniffing method (from  file,  unified  or  bridged)  this  screen  will  not  be
       reachable anymore. The only way is to restart ettercap.

       Let's analyze each menu in the start screen:

       File

              Open...
                     Open a pcap file and analyze it. All the functionalities available for live sniffing are in
                     place except for those sending or forwarding packets (mitm attacks and so on...).

              Dump to file...
                     All the traffic sniffed by the live capture will be dumped to that file. The  filters,  not
                     the targets, have effects on this file, as all the packets received by pcap will be dumped.
                     The only way to not dump a certain packet is to set a proper pcap filter (see below).

              Exit
                     Exits from ettercap and returns to the command prompt.

       Sniff

              Unified sniffing...
                     Choosing this function you will be prompted to select the network interface to be used  for
                     sniffing.  The  first  up  and  running  interface  is  suggested in the input box.  For an
                     explanation of what unified sniffing is, refer to ettercap(8).
                     TIP: if you use the 'u' hotkey, this step will be skipped  and  the  default  interface  is
                     automatically selected.

              Bridged sniffing...
                     After  selecting  the  two interfaces to be used, you will enter the Bridged sniffing mode.
                     For an explanation of what bridged sniffing is, refer to ettercap(8).

              Set pcap filter...
                     Here you can insert a tcpdump-like filter for the capturing process.
                     IMPORTANT: if you manage to use a mitm attack, remember that if ettercap  does  not  see  a
                     packet,  it  will  NOT  be  forwarded.  So  be sure of what you are doing by setting a pcap
                     filter.

       Options

              Unoffensive
                     This enable/disable the unoffensive flag. The asterisk '*' means "the option  is  enabled".
                     Otherwise the option is not enabled.

              Promisc mode
                     Enable/disable  the  promisc  mode for the live capture on a network interface.  This is an
                     "asterisk-option" as the unoffensive one.

              Set netmask
                     Use the specified netmask instead of the one associated with the current iface. This option
                     is  useful  if  you have the NIC with an associated netmask of class B and you want to scan
                     (with the arp scan) only a C class.

THE INTERESTING PART

       Once you have selected an offline sniffing or a live capture, the upper menu  is  modified  and  you  can
       start to do the interesting things...
       Some of the following menu are only available in live capture.

       Start

              Start sniffing
                     Starts  the  sniffing  process depending on what you have selected on startup (live or from
                     file)

              Stop sniffing
                     Stops the sniffing thread.

              Exit
                     Returns to your favourite shell ;)

       Targets

              Current Targets
                     Displays a list of hosts in each TARGET. You can selectively remove a host by selecting  it
                     and  press  'd'  or  add  a new host pressing 'a'. To switch between the two lists, use the
                     ARROWS keys.

              Select TARGET(s)
                     Lets you select the TARGET(s) as explained in ettercap(8). The syntax is the  same  as  for
                     the command line specification.

              Protocol...
                     You can choose to sniff only TCP, only UDP or both (ALL).

              Reverse matching
                     Reverse  the  matching  of  a  packet.  It  is  equivalent  to  a  NOT  before  the  target
                     specification.

              Wipe Targets
                     Restores both TARGETS to ANY/ANY/ANY

       Hosts

              Hosts list
                     Displays the list of hosts detected through an ARP  scan  or  converted  from  the  passive
                     profiles. This list is used by MITM attacks when the ANY target is selected, so if you want
                     to exclude a host from the attack, simply delete it from the list.
                     You can remove a host from the list by pressing 'd', add it to TARGET1 by pressing  '1'  or
                     add it to TARGET2 by pressing '2'.

              Scan for hosts
                     Perform the ARP scan of the netmask if no TARGETS are selected. If TARGETS was specified it
                     only scans for those hosts.

              Load from file...
                     Loads the hosts list from a file previously saved with "save to file" or hand crafted.

              Save to file...
                     Save the current hosts list to a file.

       View

              Connections
                     Displays the connection list. To see detailed information about a connection press 'd',  or
                     press  'k'  to  kill  it. To see the traffic for a specific connection, select it and press
                     enter. Once the two-panel interface is displayed you can move  the  focus  with  the  arrow
                     keys.  Press  'j'  to  switch between joined and split visualization. Press 'k' to kill the
                     connection. Press 'y' to inject interactively and 'Y' to inject a file.  Note  that  it  is
                     important which panel has the focus as the injected data will be sent to that address.
                     HINT: connections marked with an asterisk contain account(s) information.

              Profiles
                     Diplays  the passive profile hosts list. Selecting a host will display the relative details
                     (including account with user and pass for that host).
                     You can convert the passive profile list into the hosts list by  pressing  'c'.   To  purge
                     remote  hosts,  press  'l'.  To purge local hosts, press 'r'. You can also dump the current
                     profile to a file by pressing 'd'; the dumped file can be opened with etterlog(8).
                     HINT: profiles marked with an asterisk contain account(s) information.

              Statistics
                     Displays some statistics about the sniffing process.

              Resolve IP addresses
                     Enables DNS resolution for all the sniffed IP address. CAUTION: this  will  extremely  slow
                     down  ettercap.  By  the  way  the  passive  dns resolution is always active. It sniffs dns
                     replies and stores them in a cache. If an ip address is present in that cache, it  will  be
                     automatically resolved. It is dns resolution for free... ;)

              Visualization method
                     Change  the  visualization  method  for  the  sniffed  data. Available methods: ascii, hex,
                     ebcdic, text, html.

              Visualization regex
                     Set the visualization  regular  expression.  Only  packets  matching  this  regex  will  be
                     displayed in the connection data window.

              Set the WiFi key
                     Set  the WiFi key used to decrypt WiFi encrypted packets. See ettercap(8) for the format of
                     the key.

       Mitm

              [...]  For each type of attack, a menu entry is displayed. Simply select the attack you  want  and
                     fill the arguments when asked. You can activate more than one attack at a time.

              Stop mitm attack(s)
                     Stops all the mitm attacks currently active.

       Filters

              Load a filter...
                     Load a precompiled filter file. The file must be compiled with etterfilter(8) before it can
                     be loaded.

              Stop filtering
                     Unload the filter and stop filtering the connections.

       Logging

              Log all packets and infos...
                     Given a file name, it will create two files: filename.eci (for information about hosts) and
                     filename.ecp (for all the interesting packets). This is the same as the -L option.

              Log only infos...
                     This is used only to sniff information about hosts (same as the -l option).

              Stop logging info
                     Come on... it is self explanatory.

              Log user messages...
                     Will log all the messages appearing in the bottom window (same as -m option).

              Compressed file
                     Asterisk-option to control whether or not the logfile should be compressed.

       Plugins

              Manage the plugins
                     Opens  the  plugin  management  window. You can select a plugin and activate it by pressing
                     'enter'. Plugins already active can be recognized by the [1] symbol instead of [0]. If  you
                     select an active plugin, it will be deactivated.

              Load a plugin...
                     You  can  load a plugin file that is not in the default search path. (remember that you can
                     browse directories with EC_UID permissions).

ORIGINAL AUTHORS

       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>

PROJECT STEWARDS

       Emilio Escobar (exfil)  <eescobar@gmail.com>
       Eric Milam (Brav0Hax)  <jbrav.hax@gmail.com>

OFFICIAL DEVELOPERS

       Mike Ryan (justfalter)  <falter@gmail.com>
       Gianfranco Costamagna (LocutusOfBorg)  <costamagnagianfranco@yahoo.it>
       Antonio Collarino (sniper)  <anto.collarino@gmail.com>
       Ryan Linn   <sussuro@happypacket.net>
       Jacob Baines   <baines.jacob@gmail.com>

CONTRIBUTORS

       Dhiru Kholia (kholia)  <dhiru@openwall.com>
       Alexander Koeppe (koeppea)  <format_c@online.de>
       Martin Bos (PureHate)  <purehate@backtrack.com>
       Enrique Sanchez
       Gisle Vanem  <giva@bgnett.no>
       Johannes Bauer  <JohannesBauer@gmx.de>
       Daten (Bryan Schneiders)  <daten@dnetc.org>

SEE ALSO

       ettercap(8) ettercap_plugins(8) etterlog(8) etterfilter(8) etter.conf(5) ettercap-pkexec(8)