Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.
Ettercap NG uses the unified sniffing method which is the base for all the attacks.
Data injection in an established connection and filtering (substitute or drop a packet) on the fly is also possible, keeping the connection synchronized.
Many sniffing modes were implemented to give you a powerful and complete sniffing suite. It’s possible to sniff in four modes: IP Based, MAC Based, ARP Based (full-duplex) and PublicARP Based (half-duplex).
It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.
Key Features
- IP-based: packets are filtered based on IP source and destination.
- MAC-based: packets are filtered based on MAC address, useful for sniffing connections through a gateway.
- ARP-based: uses ARP poisoning to sniff on a switched LAN between two hosts (full-duplex).
- PublicARP-based: uses ARP poisoning to sniff on a switched LAN from a victim host to all other hosts (half-duplex).
The software also offers the following features:
- Character injection into an established connection: characters can be injected into a server
(emulating commands) or to a client (emulating replies) while maintaining a live connection. - SSH1 support: the sniffing of a username and password, and even the data of an SSH1 connection. Ettercap is the first software capable of sniffing an SSH connection in full duplex.
- HTTPS support: the sniffing of HTTP SSL secured data–even when the connection is made through a proxy.
- Remote traffic through a GRE tunnel: the sniffing of remote traffic through a GRE tunnel from a remote Cisco router, and perform a man-in-the-middle attack on it.
- Plug-in support: creation of custom plugins using Ettercap’s API.
- Password collectors for: TELNET, FTP, POP, IMAP, rlogin, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, Napster, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, Half-Life, Quake 3, MSN, YMSG.
- Packet filtering/dropping: setting up a filter that searches for a particular string (or hexadecimal sequence) in the TCP or UDP payload and replaces it with a custom string/sequence of choice, or drops the entire packet.
- OS fingerprinting: determine the OS of the victim host and its network adapter.
- Kill a connection: killing connections of choice from the connections-list.
- Passive scanning of the LAN: retrieval of information about hosts on the LAN, their open ports, the version numbers of available services, the type of the host (gateway, router or simple PC) and estimated distances in number of hops.
- Hijacking of DNS(Domain Name System) requests.
- Ettercap also has the ability to actively or passively find other poisoners on the LAN.
Website: www.ettercap-project.org
Support: GitHub Code Repository
Developer: Alberto Ornaghi and Marco Valleri
License: GNU General Public License v2.0
Ettercap is written in C. Learn C with our recommended free books and free tutorials.
Related Software
| Network Analyzers | |
|---|---|
| Wireshark | Network protocol analyzer with a rich and powerful feature set |
| IPTraf-ng | Feature-laden network statistic monitoring tool |
| Ettercap | Comprehensive suite for man in the middle attacks |
| Kismet | Wireless network and device detector, sniffer, wardriving tool, WIDS framework |
| netsniff-ng | Swiss army knife for daily Linux network plumbing |
| darkstat | Captures network traffic, calculates usage statistics, and serves reports over HTTP |
| EtherApe | Graphical network monitor |
| justniffer | Network TCP packet sniffer with reliable TCP flow rebuilding |
| tcpflow | TCP/IP packet demultiplexer |
| tcpdump | Powerful and hugely respected command-line packet analyzer |
| sniffglue | Packet sniffer written in Rust |
| sniffer | Alternative network traffic sniffer |
| dsniff | Collection of tools for network auditing and penetration testing |
| ngrep | grep applied to the network layer |
| sniffit | CORBA based sniffer system with ncurses interactive mode |
| Jomon | Network forensics and sniffer tool |
Read our verdict in the software roundup.
| Passive OS Fingerprinting | |
|---|---|
| PacketFence | Network access control solution with passive DHCP fingerprinting |
| Ettercap | Comprehensive suite for man in the middle attacks |
| PRADS | Passive Real-time Asset Detection System |
| p0f | Array of passive traffic fingerprinting mechanisms that are highly scalable |
| satori | Python rewrite of passive OS fingerprinting tool |
Read our verdict in the software roundup.
 Explore our comprehensive directory of recommended free and open source software. Our carefully curated collection spans every major software category.This directory is part of our ongoing series of informative articles for Linux enthusiasts. It features hundreds of detailed reviews, along with open source alternatives to proprietary solutions from major corporations such as Google, Microsoft, Apple, Adobe, IBM, Cisco, Oracle, and Autodesk. You’ll also find interesting projects to try, hardware coverage, free programming books and tutorials, and much more. Know a useful open source Linux program that we haven’t covered yet? Let us know by completing this form. |