bionic (8) ettercap_plugins.8.gz

Provided by: ettercap-common_0.8.2-10build4_amd64 bug

NAME

       ettercap-plugins - A collection of plugins for ettercap

DESCRIPTION

       Ettercap(8) supports loadable modules at runtime. They are called plugins and they come within the source
       tarball.  They  are  automatically  compiled  if  your  system  supports  them  or  until   you   specify
       -DENABLE_PLUGINS=OFF option to the cmake configure script.
       Some  of  older ettercap plugins (roper, banshee, and so on) have not been ported in the new version.  By
       the way, you can achieve the same results by using new filtering engine.
       If you use interactive mode, most plugins need to "Start Sniff" before using them.

       To have a list of plugins installed in your system do that command:

              ettercap -P list

       The following is a list of available plugins:

       arp_cop

              It reports suspicious ARP activity by passively monitoring ARP requests/replies.   It  can  report
              ARP  posioning attempts, or simple IP-conflicts or IP-changes.  If you build the initial host list
              the plugin will run more accurately.

              example :

              ettercap -TQP arp_cop //

       autoadd

              It will automatically add new victims to the ARP poisoning mitm attack when they come up. It looks
              for  ARP  requests on the lan and when detected it will add the host to the victims list if it was
              specified in the TARGET.  The  host  is  added  when  an  arp  request  is  seen  form  it,  since
              communicating hosts are alive :)

       chk_poison

              It  performs  a  check  to  see  if the arp poisoning module of ettercap was successful.  It sends
              spoofed ICMP echo packets to all the victims of the poisoning pretending to be each of  the  other
              targets.  If  we  can  catch  an  ICMP reply with our MAC address as destination it means that the
              poisoning between those two targets is successful. It checks  both  ways  of  each  communication.
              This  plugin makes sense only where poisoning makes sense.  The test fails if you specify only one
              target in silent mode.  You can't run this plugin from command line because the poisoning  process
              is not started yet. You have to launch it from the proper menu.

       dns_spoof

              This  plugin  intercepts DNS query and reply with a spoofed answer. You can chose to which address
              the plugin has to reply by modifying the etter.dns file. The plugin intercepts A, AAAA,  PTR,  MX,
              WINS,  SRV  and  TXT  request. If it was an A request, the name is searched in the file and the IP
              address is returned (you can use wildcards in the name).
              The same applies if it was a AAAA request.

              If it was a PTR request, the IP address is searched in the file and the name is  returned  (except
              for those name containing a wildcard). For PTR requests, IPv4 or IPv6 addresses are supported.

              In  case  of  MX  request  a  special  reply  is  crafted.  The  host is resolved with a fake host
              'mail.host' and the additional record contains the IP address of 'mail.host'.  The  first  address
              that  matches  is  returned, so be careful with the order. The IP address for MX requests can be a
              IPv4 or a IPv6 address.

              If the request was a WINS request, the name is  searched  in  the  file  and  the  IP  address  is
              returned.

              In  case  of  SRV  request,  a  special  reply  is  crafted. The host is resolved with a fake host
              'srv.host' and the additional record contains the IP address of 'srv.host'. The IP address for SRV
              requests can be a IPv4 or a IPv6 address.

              In  case  of  a TXT request, the string defined is being returned. The string has to be wrapped in
              double quotes. Wildcards for the requested name can also be used.

              A special reply can be spoofed for A or AAAA requests, if the 'undefined address' is specified  as
              the  IP  address  in  the  file. Then the client gets a response which stops resolution processing
              imediately. This way one can control which address family is being used to access  a  dual-stacked
              host.

              In  the  case  of an ANY request, all matching results of type A, AAAA, MX and TXT are returned in
              the reply. If the 'undefined address' for A or AAAA records is defined, nothing  is  returned  for
              these types whether or not the name matches.

       mdns_spoof

              This  plugin  does  the  same as the dns_spoof plugin described above, despite that it listens for
              mDNS (Multicast DNS) queries on UDP port 5353.  To choose to which address the plugin shall reply,
              you  have  to  modify  a  diffent  file  called  etter.mdns. Due to the nature of mDNS, the plugin
              intercepts only A, AAAA, PTR and SRV requests.

              The way the mdns_spoof plugin interprets the etter.mdns file and the rules that apply are the same
              as with the dns_spoof plugin.

       dos_attack

              This  plugin runs a d.o.s. attack against a victim IP address. It first "scans" the victim to find
              open ports, then starts to flood these ports with SYN packets, using a "phantom" address as source
              IP. Then it uses fake ARP replies to intercept packets for the phantom host. When it receives SYN-
              ACK from the victim, it replies with an ACK packet creating an ESTABLISHED connection.   You  have
              to use a free IP address in your subnet to create the "phantom" host (you can use find_ip for this
              purpose).  You can't run this plugin in unoffensive mode.
              This     plugin      is      based      on      the      original      Naptha      DoS      attack
              (http://razor.bindview.com/publish/advisories/adv_NAPTHA.html)

              example :

              ettercap -TQP dos_attack

       dummy

              Only a template to demonstrate how to write a plugin.

       find_conn

              Very simple plugin that listens for ARP requests to show you all the targets an host wants to talk
              to. It can also help you finding addresses in an unknown LAN.

              example :

              ettercap -TQzP find_conn

              ettercap -TQu -i eth0 -P find_conn

       find_ettercap

              Try to identify ettercap packets sent on the LAN. It could be useful to detect if someone is using
              ettercap.  Do  not  rely on it 100% since the tests are only on particular sequence/identification
              numbers.

       find_ip

              Find the first unused IP address in the range specified by the user in the target list. Some other
              plugins  (such as gre_relay) need an unused IP address of the LAN to create a "fake" host.  It can
              also be useful to obtain an IP address in an unknown LAN where there is no dhcp  server.  You  can
              use find_conn to determine the IP addressing of the LAN, and then find_ip.  You have to build host
              list to use this plugin so you can't use it in unoffensive mode. If you don't have an  IP  address
              for  your interface, give it a bogus one (e.g. if the LAN is 192.168.0.0/24, use 10.0.0.1 to avoid
              conflicting IP), then launch this plugin specifying the subnet range.  You can run it either  from
              the command line or from the proper menu.

              example :

              ettercap -TQP find_ip //

              ettercap -TQP find_ip /192.168.0.1-254/

       finger

              Uses the passive fingerprint capabilities to fingerprint a remote host. It does a connect() to the
              remote host to force the kernel to reply to the SYN with a  SYN+ACK  packet.  The  reply  will  be
              collected and the fingerprint is displayed. The connect() obey to the connect_timeout parameter in
              etter.conf(5). You can specify a target on command-line or let the plugin ask the target  host  to
              be  fingerprinted.  You can also specify multiple target with the usual multi-target specification
              (see ettercap(8)). if you specify multiple ports, all the ports will be tested on all the IPs.

              example :

              ettercap -TzP finger /192.168.0.1/22
              ettercap -TzP finger /192.168.0.1-50/22,23,25

       finger_submit

              Use this plugin to submit a  fingerprint  to  the  ettercap  website.  If  you  found  an  unknown
              fingerprint,  but  you  know  for sure the operating system of the target, you can submit it so it
              will be inserted in the database in the next ettercap release. We need your help to  increase  the
              passive fingerprint database. Thank you very much.

              example :

              ettercap -TzP finger_submit

       fraggle_attack

              This  plugin performs a DoS attack because it sends a large amount of UDP echo and chargen traffic
              to all hosts in target2 with a fake source ip address (victim).

              example (192.168.0.5 is the victim):

              ettercap -i eth1 -Tq /192.168.0.5/ // -P fraggle_attack

       gre_relay

              This plugin can be used to sniff GRE-redirected remote traffic.  The basic idea is to create a GRE
              tunnel  that  sends all the traffic on a router interface to the ettercap machine. The plugin will
              send back the GRE packets to the router, after  ettercap  "manipulation"  (you  can  use  "active"
              plugins such as smb_down, ssh decryption, filters, etc... on redirected traffic) It needs a "fake"
              host where the traffic has to be redirected to (to avoid kernel's responses). The "fake"  IP  will
              be  the tunnel endpoint.  Gre_relay plugin will impersonate the "fake" host.  To find an unused IP
              address for the "fake" host you can use find_ip plugin.  Based on the original  Tunnelx  technique
              by Anthony C. Zboralski.

       gw_discover

              This  plugin  try  to discover the gateway of the lan by sending TCP SYN packets to a remote host.
              The packet has the destination IP of a remote host and the destination  mac  address  of  a  local
              host.  If  ettercap  receives the SYN+ACK packet, the host which own the source mac address of the
              reply is the gatway.  This operation is repeated for each host in the 'host list', so you need  to
              have a valid host list before launching this plugin.

              example :

              ettercap -TP gw_discover /192.168.0.1-50/

       isolate

              The  isolate  plugin will isolate an host form the LAN. It will poison the victim's arp cache with
              its own mac address associated with all the host it tries to contact. This way the host  will  not
              be able to contact other hosts because the packet will never reach the wire.
              You can specify all the host or only a group. the targets specification work this way: the target1
              is the victim and must be a single host, the target2 can be a range of addresses and represent the
              hosts that will be blocked to the victim.

              examples :

              ettercap -TzqP isolate /192.168.0.1/ //
              ettercap -TP isolate /192.168.0.1/ /192.168.0.2-30/

       link_type

              It  performs  a  check  of  the  link  type  (hub  or switch) by sending a spoofed ARP request and
              listening for replies. It needs at least one entry in the host list to perform the check. With two
              or more hosts the test will be more accurate.

              example :

              ettercap -TQP link_type /192.168.0.1/
              ettercap -TQP link_type //

       pptp_chapms1

              It  forces  the  pptp  tunnel  to negotiate MS-CHAPv1 authentication instead of MS-CHAPv2, that is
              usually easier to crack (for example with LC4).  You have to be in the "middle" of the  connection
              to use it successfully.  It hooks the ppp dissector, so you have to keep them active.

       pptp_clear

              Forces no compression/encryption for pptp tunnels during negotiation.  It could fail if client (or
              the server) is configured to hang off the tunnel if no encryption is negotiated.  You have  to  be
              in the "middle" of the connection to use it successfully.  It hooks the ppp dissector, so you have
              to keep them active.

       pptp_pap

              It forces the pptp tunnel to negotiate PAP (cleartext) authentication.  It could fail  if  PAP  is
              not  supported,  if  pap_secret file is missing, or in case windows is configured with "authomatic
              use of domain account". (It could fail for many other  reasons  too).   You  have  to  be  in  the
              "middle"  of  the  connection  to use it successfully.  It hooks the ppp dissector, so you have to
              keep them active.

       pptp_reneg

              Forces re-negotiation on an existing pptp tunnel.   You  can  force  re-negotiation  for  grabbing
              passwords already sent.  Furthermore you can launch it to use pptp_pap, pptp_chapms1 or pptp_clear
              on existing tunnels (those plugins work only during negotiation phase).  You have  to  be  in  the
              "middle"  of  the  connection  to use it successfully.  It hooks the ppp dissector, so you have to
              keep them active.

       rand_flood

              Floods the LAN with random MAC  addresses.  Some  switches  will  fail  open  in  repeating  mode,
              facilitating  sniffing.  The delay between each packet is based on the port_steal_send_delay value
              in etter.conf.
              It is useful only on ethernet switches.

              example :

              ettercap -TP rand_flood

       remote_browser

              It sends to the browser the URLs sniffed thru HTTP sessions. So you are able to see  the  webpages
              in  real  time.  The  command  executed is configurable in the etter.conf(5) file. It sends to the
              browser only the GET requests and only for webpages, ignoring single request to  images  or  other
              amenities.  Don't use it to view your own connection :)

       reply_arp

              Simple  arp  responder.  When  it  intercepts  an arp request for a host in the targets' lists, it
              replies with attacker's MAC address.

              example :

              ettercap -TQzP reply_arp /192.168.0.1/
              ettercap -TQzP reply_arp //

       repoison_arp

              It solicits poisoning packets after broadcast ARP requests (or replies) from a posioned host.  For
              example:  we  are poisoning Group1 impersonating Host2. If Host2 makes a broadcast ARP request for
              Host3, it is possible that Group1 caches the right MAC address for  Host2  contained  in  the  ARP
              packet.  This  plugin  re-poisons Group1 cache immediately after a legal broadcast ARP request (or
              reply).
              This plugin is effective only during an arp-posioning session.
              In conjunction with the reply_arp plugin, repoison_arp is a good support  for  the  standard  arp-
              poisoning mitm method.

              example :

              ettercap -T -M arp:remote -P repoison_arp /192.168.0.10-20/ /192.168.0.1/

       scan_poisoner

              Check if someone is poisoning between some host in the list and us.  First of all it checks if two
              hosts in the list have the same mac address.  It could mean that one  of  those  is  poisoning  us
              pretending  to  be  the other.  It could generate many false-positives in a proxy-arp environment.
              You have to build hosts list to perform this check.  After that, it sends  icmp  echo  packets  to
              each  host  in the list and checks if the source mac address of the reply differs from the address
              we have stored in the list for that ip.  It  could  mean  that  someone  is  poisoning  that  host
              pretending  to have our ip address and forwards intercepted packets to us.  You can't perform this
              active test in unoffensive mode.

              example :

              ettercap -TQP scan_poisoner //

       search_promisc

              It tries to find if anyone is sniffing in promisc mode. It sends two different kinds of  malformed
              arp  request  to  each  target in the host list and waits for replies. If a reply arrives from the
              target host, it's more or less probable that this target has the NIC in  promisc  mode.  It  could
              generate false-positives.  You can launch it either from the command line or from the plugin menu.
              Since it listens for arp replies it is better that you don't use it while sending arp request.

              example :

              ettercap -TQP search_promisc /192.168.0.1/
              ettercap -TQP search_promisc //

       smb_clear

              It forces the client to send smb password in clear-text by mangling protocol negotiation. You have
              to be in the "middle" of the connection to successfully use it. It hooks the smb dissector, so you
              have to keep it active.  If you use it against a windows client  it  will  probably  result  in  a
              failure.  Try it against a *nix smbclient :)

       smb_down

              It  forces  the  client to not to use NTLM2 password exchange during smb authentication. This way,
              obtained hashes can be easily cracked by LC4.  You have to be in the "middle" of the connection to
              successfully use it.  It hooks the smb dissector, so you have to keep it active.

       smurf_attack

              The Smurf Attack is a DoS attack in which huge numbers of ICMP packets with the intended victim(s)
              IP(s) in target1 are sent to the hosts in target2. This causes all hosts on the target2  to  reply
              to the ICMP request, causing significant traffic to the victim's computer(s).

              example (192.168.0.5 is the victim):

              ettercap -i eth1 -Tq /192.168.0.5/ // -P fraggle_attack

       sslstrip

              While  performing the SSL mitm attack, ettercap substitutes the real ssl certificate with its own.
              The fake certificate is created on the fly and all the fields are filled  according  to  the  real
              cert  presented  by  the   server.  Only  the   issuer is modified and signed with the private key
              contained in the 'etter.ssl.crt' file.  If you want to use a different private  key  you  have  to
              regenerate this file. To regenerate the cert file use the following commands:

              openssl genrsa -out etter.ssl.crt 1024
              openssl req -new -key etter.ssl.crt -out tmp.csr
              openssl x509 -req -days 1825 -in tmp.csr -signkey etter.ssl.crt -out tmp.new
              cat tmp.new >> etter.ssl.crt
              rm -f tmp.new tmp.csr

              NOTE: SSL mitm is not available (for now) in bridged mode.

              NOTE:  You can use the --certificate/--private-key long options if you want to specify a different
              file rather  than the etter.ssl.crt file.

       stp_mangler

              It sends spanning tree BPDUs pretending to be a switch with the  highest  priority.  Once  in  the
              "root" of the spanning tree, ettercap can receive all the "unmanaged" network traffic.
              It is useful only against a group of switches running STP.
              If  there  is  another switch with the highest priority, try to manually decrease your MAC address
              before running it.

              example :

              ettercap -TP stp_mangler

ORIGINAL AUTHORS

       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>

PROJECT STEWARDS

       Emilio Escobar (exfil)  <eescobar@gmail.com>
       Eric Milam (Brav0Hax)  <jbrav.hax@gmail.com>

OFFICIAL DEVELOPERS

       Mike Ryan (justfalter)  <falter@gmail.com>
       Gianfranco Costamagna (LocutusOfBorg)  <costamagnagianfranco@yahoo.it>
       Antonio Collarino (sniper)  <anto.collarino@gmail.com>
       Ryan Linn   <sussuro@happypacket.net>
       Jacob Baines   <baines.jacob@gmail.com>

CONTRIBUTORS

       Dhiru Kholia (kholia)  <dhiru@openwall.com>
       Alexander Koeppe (koeppea)  <format_c@online.de>
       Martin Bos (PureHate)  <purehate@backtrack.com>
       Enrique Sanchez
       Gisle Vanem  <giva@bgnett.no>
       Johannes Bauer  <JohannesBauer@gmx.de>
       Daten (Bryan Schneiders)  <daten@dnetc.org>

SEE ALSO

       ettercap(8) ettercap_curses(8) etterlog(8) etterfilter(8) etter.conf(5) ettercap-pkexec(8)