Ettercap(8) help
(Translated with Baidu Translate; the original is attached at the end; polished by hand)
1. Overview
ettercap - A multipurpose sniffer/content filter for man in the middle attacks
IMPORTANT NOTE
Since ettercap NG (formerly 0.7.0), all the options have been changed. Even the target specification has been changed. Please read this man page carefully.
2. Synopsis
ettercap [OPTIONS] [TARGET1] [TARGET2]
If IPv6 is enabled: TARGET is in the form MAC/IPs/IPv6/PORTs
Otherwise: TARGET is in the form MAC/IPs/PORTs
where IPs and PORTs can be ranges (e.g. /192.168.0.1-30,40,50/20,22,25)
3. Description
Ettercap was born as a sniffer for switched LANs (and obviously even "hubbed" ones), but during development it has gained more and more features that have turned it into a powerful and flexible tool for man-in-the-middle attacks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis (such as OS fingerprinting).
It has two main sniffing options:
UNIFIED: this method sniffs all the packets that pass on the cable. You can choose whether or not to put the interface in promisc mode (-p option). Packets not directed to the host running ettercap will be forwarded automatically using layer 3 routing. So you can use a MITM attack launched from a different tool and let ettercap modify the packets and forward them for you. The kernel ip_forwarding is always disabled by ettercap. This is done to prevent a packet from being forwarded twice (once by ettercap and once by the kernel). This is an invasive behaviour on gateways, so we recommend using ettercap on gateways ONLY with the UNOFFENSIVE MODE ENABLED. Since ettercap listens on only one network interface, launching it on the gateway in offensive mode will not allow packets to be rerouted back from the second interface.
BRIDGED: this method uses two network interfaces and forwards the traffic from one to the other while performing sniffing and content filtering. This sniffing method is totally stealthy, since there is no way to detect that someone is in the middle of the cable. You can look at this method as a MITM attack at layer 1: you will be in the middle of the cable between two entities. Don't use it on gateways or it will turn your gateway into a bridge. HINT: you can use the content filtering engine to drop packets that should not pass. This way ettercap will work as an inline IPS ;)
You can also perform man in the middle attacks while using unified sniffing. You can choose the MITM attack that you prefer. The MITM attack module is independent from the sniffing and filtering process, so you can launch several attacks at the same time or use your own tool for the attack. The crucial point is that the packets have to arrive at ettercap with the correct MAC address and a different IP address (only these packets will be forwarded).
The most relevant ettercap features are:
SSH1 support: you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the first software capable of sniffing an SSH connection in FULL-DUPLEX.
SSL support: you can sniff SSL secured data... a fake certificate is presented to the client and the session is decrypted.
Character injection in an established connection: you can inject characters to the server (emulating commands) or to the client (emulating replies) while keeping the connection alive!!
Packet filtering/dropping: you can set up a filter script that searches for a particular string (even hex) in the TCP or UDP payload and replaces it with yours or drops the entire packet. The filtering engine can match any field of the network protocols and modify whatever you want (see etterfilter(8)).
Remote traffic sniffing through tunnels and route mangling: you can play with Linux cooked interfaces or use the integrated plugin to sniff tunneled or route-mangled remote connections and perform MITM attacks on them.
Plug-in support: you can create your own plugin using ettercap's API.
Password collector for: TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG (other protocols coming soon...)
Passive OS fingerprinting: you scan the LAN passively (without sending any packet) and gather detailed info about the hosts in the LAN: operating system, running services, open ports, IP, MAC address and network adapter vendor.
Kill a connection: from the connections list you can kill all the connections you want.
4. Target specification
There is no concept of SOURCE nor DEST. The two targets are intended to filter traffic coming from one to the other and vice versa (since the connection is bidirectional).
TARGET is in the form MAC/IPs/PORTs.
NOTE: if IPv6 is enabled, TARGET is in the form MAC/IPs/IPv6/PORTs. If you want, you can omit any of its parts and this will represent ANY in that part.
e.g.
"//80" means ANY MAC address, ANY IP and ONLY port 80
"/10.0.0.1/" means ANY MAC address, ONLY IP 10.0.0.1 and ANY port
MAC must be unique and in the form 00:11:22:33:44:55
IPs is a range of IPs in dotted notation. You can specify a range with - (hyphen) and single IPs with , (comma). You can also use ; (semicolon) to indicate different IP addresses.
e.g. "10.0.0.1-5;10.0.1.33" expands into IPs 10.0.0.1, 2, 3, 4, 5 and 10.0.1.33.
PORTs is a range of ports. You can specify a range with - (hyphen) and single ports with , (comma).
e.g. "20-25,80,110" expands into ports 20, 21, 22, 23, 24, 25, 80 and 110
NOTE: you can reverse the matching of the TARGET by adding the -R option to the command line. So if you want to sniff ALL the traffic BUT the one coming from or going to 10.0.0.1 you can specify "./ettercap -R /10.0.0.1/"
NOTE: TARGETs are also responsible for the initial scan of the LAN. You can use them to restrict the scan to only a subset of the hosts in the netmask. The result of the merging between the two targets will be scanned. Remember that not specifying a target means "no target", but specifying "//" means "all the hosts in the subnet".
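The TARGET grammar above (MAC/IPs/PORTs with hyphen ranges, comma lists, semicolon blocks, empty part = ANY, -R inversion) as an added Python example; this is not ettercap's own parser, it handles IPv4 only, and the MAC regex and the cross-product expansion of per-octet ranges are assumptions about how the syntax generalises.

```python
"""Parser for ettercap's TARGET syntax (MAC/IPs/PORTs), added here as an
example; it is not ettercap's own code. It expands the range notation and
tests whether a (mac, ip, port) triple is selected, including the -R
(reversed) semantics. IPv4 only: the optional IPv6 field is not handled."""
import itertools
import re
from dataclasses import dataclass
from typing import List, Optional, Set

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def _expand_range(item: str, lo_bound: int, hi_bound: int) -> range:
    """'20-25' -> range(20, 26); '80' -> range(80, 81); bounds are checked."""
    lo, _, hi = item.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not (lo_bound <= lo_i <= hi_i <= hi_bound):
        raise ValueError(f"bad range: {item!r}")
    return range(lo_i, hi_i + 1)


def expand_ports(spec: str) -> Set[int]:
    """'20-25,80,110' -> {20, ..., 25, 80, 110}; '' means ANY and gives an empty set."""
    ports: Set[int] = set()
    for item in filter(None, spec.split(",")):
        ports.update(_expand_range(item, 1, 65535))
    return ports


def expand_ips(spec: str) -> Set[str]:
    """'10.0.0.1-5;10.0.1.33' -> {'10.0.0.1', ..., '10.0.0.5', '10.0.1.33'}.
    Blocks are separated by ';'. Inside a block every octet may carry ranges
    ('1-5') and lists ('1,3'); the block expands to their cross product
    (assumed generalisation of the single-octet examples in the man page)."""
    ips: Set[str] = set()
    for block in filter(None, spec.split(";")):
        octets = block.split(".")
        if len(octets) != 4:
            raise ValueError(f"bad IP block: {block!r}")
        choices: List[Set[int]] = []
        for octet in octets:
            vals: Set[int] = set()
            for item in octet.split(","):
                vals.update(_expand_range(item, 0, 255))
            choices.append(vals)
        for combo in itertools.product(*choices):
            ips.add(".".join(str(v) for v in combo))
    return ips


@dataclass
class Target:
    mac: Optional[str]     # None = ANY
    ips: Set[str]          # empty = ANY
    ports: Set[int]        # empty = ANY
    invert: bool = False   # -R / --reversed: select everything BUT the target

    @classmethod
    def parse(cls, spec: str, invert: bool = False) -> "Target":
        parts = spec.split("/")
        if len(parts) != 3:
            raise ValueError("TARGET must be MAC/IPs/PORTs (exactly two slashes)")
        mac, ip_spec, port_spec = parts
        if mac and not MAC_RE.match(mac):
            raise ValueError(f"bad MAC: {mac!r}")
        return cls(mac.lower() or None, expand_ips(ip_spec), expand_ports(port_spec), invert)

    def matches(self, mac: str, ip: str, port: int) -> bool:
        """True if the triple is selected by this target (honours invert)."""
        hit = ((self.mac is None or self.mac == mac.lower())
               and (not self.ips or ip in self.ips)
               and (not self.ports or port in self.ports))
        return hit != self.invert
```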
5. Privileges dropping
ettercap needs root privileges to open the link layer sockets. After the initialization phase, the root privileges are no longer needed, so ettercap drops them to UID = 65535 (nobody). Since ettercap has to write (create) log files, it must be executed in a directory with the right permissions (e.g. /tmp/). If you want to drop privileges to a different UID, you can export the environment variable EC_UID with the value of the UID you want to drop the privileges to (e.g. export EC_UID=500) or set the corresponding parameter in the etter.conf file.
6. SSL MITM attack
While performing the SSL MITM attack, ettercap substitutes the real SSL certificate with its own. The fake certificate is created on the fly and all the fields are filled according to the real cert presented by the server. Only the issuer is modified and signed with the private key contained in the 'etter.ssl.crt' file. If you want to use a different private key you have to regenerate this file. To regenerate the cert file use the following commands:
openssl genrsa -out etter.ssl.crt 1024
openssl req -new -key etter.ssl.crt -out tmp.csr
openssl x509 -req -days 1825 -in tmp.csr -signkey etter.ssl.crt -out tmp.new
cat tmp.new >> etter.ssl.crt
rm -f tmp.new tmp.csr
NOTE: SSL MITM is not available (for now) in bridged mode.
NOTE: if you want to specify a different file than etter.ssl.crt, you can use the --certificate/--private-key long options.
Options that make sense together can generally be combined. ettercap will warn the user about unsupported option combinations.
7. Sniffing and attack options
ettercap NG has a new unified sniffing method. This implies that ip_forwarding in the kernel is always disabled and the forwarding is done by ettercap. Every packet with a destination MAC address equal to the host's MAC address and a destination IP address different from the one bound to the iface will be forwarded by ettercap. Before forwarding them, ettercap can content filter, sniff, log or drop them. It does not matter how these packets are hijacked, ettercap will process them. You can even use external programs to hijack packets. You have full control of what ettercap should receive. You can use the internal MITM attacks, set the interface in promisc mode, use plugins or use any method you want.
IMPORTANT NOTE: if you run ettercap on a gateway, remember to re-enable ip_forwarding after you have killed ettercap. Since ettercap drops its privileges, it cannot restore ip_forwarding for you.
-M, --mitm <METHOD:ARGS>
MITM attack
This option will activate the man in the middle attack. The MITM attack is totally independent from the sniffing. The aim of the attack is to hijack packets and redirect them to ettercap. The sniffing engine will forward them if necessary. You can choose the MITM attack that you prefer and also combine some of them to perform different attacks at the same time. If a MITM method requires some parameters you can specify them after the colon (e.g. -M dhcp:ip_pool,netmask,etc).
The following MITM attacks are available:
arp ([remote],[oneway])
This method implements the ARP poisoning MITM attack. ARP requests/replies are sent to the victims to poison their ARP cache. Once the cache has been poisoned, the victims will send all packets to the attacker which, in turn, can modify and forward them to the real destination.
In silent mode (-z option) only the first target is selected; if you want to poison multiple targets in silent mode, use the -j option to load a list from a file.
You can select empty targets and they will be expanded as 'ANY' (all the hosts in the LAN). The target list is joined with the hosts list (created by the ARP scan) and the result is used to determine the victims of the attack.
The parameter "remote" is optional and you have to specify it if you want to sniff remote IP addresses by poisoning a gateway. Indeed, if you specify a victim and the gw in the TARGETs, ettercap will sniff only connections between them, but to enable ettercap to sniff connections that pass through the gw, you have to use this parameter.
The parameter "oneway" will force ettercap to poison only from TARGET1 to TARGET2. Useful if you want to poison only the client and not the router (where an ARP watcher can be in place).
Example:
the targets are: /10.0.0.1-5/ /10.0.0.15-20/ and the host list is: 10.0.0.1 10.0.0.3 10.0.0.16 10.0.0.18
the associations between the victims will be: 1 and 16, 1 and 18, 3 and 16, 3 and 18
If the targets overlap each other, the associations with identical IP addresses will be skipped.
NOTE: if you manage to poison a client, you have to set a correct routing table in the kernel specifying the GW. If your routing table is incorrect, the poisoned clients will not be able to reach the Internet.
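The "ARP watcher" the text mentions as the defender's counterpart to this method, written out as an added Python example (not ettercap code): it replays a constructed sequence of ARP replies and flags the two symptoms of the cache poisoning described above, an IP whose MAC binding changes and a single MAC claiming several IPs. The sample replies, the alert format and the alias allowlist are constructed for the example.

```python
"""Defender-side detector for ARP cache poisoning, added as an example (not
ettercap code). It replays a constructed sequence of ARP replies, as an ARP
watcher on the segment would see them, and flags the two tell-tale signs:
an IP whose MAC binding changes, and one MAC that claims several IPs (what
a broad poisoning run against a LAN produces). Sample data is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class ArpReply:
    ts: float        # capture timestamp in seconds
    sender_ip: str   # "sender_ip is at ..."
    sender_mac: str  # "... sender_mac"


class ArpWatcher:
    """Tracks ip->mac bindings and mac->{ips} claims across observed replies."""

    def __init__(self, aliases: Set[str] = frozenset()) -> None:
        self.bindings: Dict[str, str] = {}                    # ip -> last seen mac
        self.claims: Dict[str, Set[str]] = defaultdict(set)   # mac -> ips it claimed
        self.alerts: List[str] = []
        # MACs legitimately holding many IPs (a router with aliases); constructed allowlist
        self.aliases = {m.lower() for m in aliases}

    def observe(self, r: ArpReply) -> None:
        mac = r.sender_mac.lower()
        prev = self.bindings.get(r.sender_ip)
        if prev is not None and prev != mac:
            self.alerts.append(f"{r.ts:.1f} CHANGE {r.sender_ip}: {prev} -> {mac}")
        self.bindings[r.sender_ip] = mac
        is_new = r.sender_ip not in self.claims[mac]
        self.claims[mac].add(r.sender_ip)
        # alert once per newly claimed IP, not on every repeated poison packet
        if is_new and len(self.claims[mac]) > 1 and mac not in self.aliases:
            ips = ",".join(sorted(self.claims[mac]))
            self.alerts.append(f"{r.ts:.1f} MULTI {mac} claims {ips}")


def analyze(replies: Iterable[ArpReply], aliases: Set[str] = frozenset()) -> ArpWatcher:
    """Feed replies in timestamp order and return the watcher with its alerts."""
    w = ArpWatcher(aliases)
    for r in sorted(replies, key=lambda x: x.ts):
        w.observe(r)
    return w


def suspicious_macs(w: ArpWatcher) -> Set[str]:
    """MACs that ended up bound to more than one IP and are not known aliases."""
    return {m for m, ips in w.claims.items() if len(ips) > 1 and m not in w.aliases}


# Constructed sample, not captured traffic: a gateway and two clients answer
# normally, then a third MAC re-binds both the gateway and one client.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "00:11:22:33:44:55"),   # real gateway
    ArpReply(0.5, "10.0.0.15", "00:aa:bb:cc:dd:15"),  # real client
    ArpReply(1.0, "10.0.0.16", "00:aa:bb:cc:dd:16"),  # another client, untouched
    ArpReply(2.0, "10.0.0.1", "00:de:ad:be:ef:01"),   # gateway binding changes
    ArpReply(2.0, "10.0.0.15", "00:de:ad:be:ef:01"),  # client binding changes
    ArpReply(3.0, "10.0.0.1", "00:de:ad:be:ef:01"),   # repeat: no new alert
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_REPLIES).alerts:
        print(line)
```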
icmp (MAC/IP)
This attack implements ICMP redirection. It sends a spoofed ICMP redirect message to the hosts in the LAN pretending to be a better route for the Internet. All connections to the Internet will be redirected to the attacker which, in turn, will forward them to the real gateway. The resulting attack is a HALF-DUPLEX MITM. Only the client is redirected, since the gateway will not accept redirect messages for a directly connected network. BE SURE NOT TO USE FILTERS THAT MODIFY THE PAYLOAD LENGTH. You can use a filter to modify packets, but the length must stay the same, since the TCP sequence numbers cannot be updated in both directions. You have to pass as arguments the MAC and the IP address of the real gateway for the LAN. Obviously you have to be able to sniff all the traffic. If you are on a switch you have to use a different MITM attack such as ARP poisoning.
NOTE: to restrict the redirection to a given target, specify it as a TARGET
Example:
-M icmp:00:11:22:33:44:55/10.0.0.1 will redirect all the connections that pass through that gateway.
dhcp (ip_pool/netmask/dns)
This attack implements DHCP spoofing. It pretends to be a DHCP server and tries to win the race condition with the real one to force the client to accept the attacker's reply. This way ettercap is able to manipulate the GW parameter and hijack all the outgoing traffic generated by the clients. The resulting attack is a HALF-DUPLEX MITM, so be sure to use appropriate filters (see above in the ICMP section). You have to pass the IP pool to be used, the netmask and the IP of the DNS server. Since ettercap tries to win the race with the real server, it DOES NOT CHECK whether the IP is already assigned. You have to specify an IP pool of FREE addresses. The IP pool has the same form as the target specification. If the client sends a DHCP request (suggesting an IP address), ettercap will ack on that IP and modify only the gw option. If the client makes a DHCP discovery, ettercap will use the first unused IP address of the list you have specified on the command line. Every discovery consumes an IP address. When the list is exhausted, ettercap stops offering new IP addresses and will reply only to DHCP requests. If you don't want to offer any IP address, but only change the router information of DHCP request/ack, you can specify an empty ip_pool.
BIG WARNING: if you specify a list of IPs that are in use, you will mess up your network! In general, use this attack carefully. It can really mess things up! When you stop the attack, all the victims will still be convinced that ettercap is the gateway until the lease expires...
Example:
-M dhcp:192.168.0.30,35,50-60/255.255.255.0/192.168.0.1 reply to DHCP offer and request.
-M dhcp:/255.255.255.0/192.168.0.1 reply only to DHCP request.
port ([remote],[tree])
This attack implements Port Stealing. This technique is useful for sniffing in a switched environment when ARP poisoning is not effective (for example where statically mapped ARP entries are used).
It floods the LAN (based on the port_steal_delay option in etter.conf) with ARP packets. If you don't specify the "tree" option, the destination MAC address of each "stealing" packet is the same as the attacker's one (other NICs won't see these packets), and the source MAC address will be one of the MACs in the host list. This process "steals" the switch port of each victim host in the host list. Using low delays, packets destined to "stolen" MAC addresses will be received by the attacker, winning the race condition with the real port owner. When the attacker receives packets for "stolen" hosts, it stops the flooding process and performs an ARP request for the real destination of the packet. When it receives the ARP reply it is sure that the victim has "taken back" its port, so ettercap can re-send the packet to the destination as is. Now the flooding process can be restarted, waiting for new packets. If you use the "tree" option, the destination MAC address of each stealing packet will be a bogus one, so these packets will be propagated to other switches (not only the directly connected one). This way you will be able to steal ports on other switches in the tree (if any), but you will generate a huge amount of traffic (according to port_steal_delay). The "remote" option has the same meaning as in the "arp" MITM method.
When you stop the attack, ettercap will send an ARP request to each stolen host, giving back their switch ports.
You can perform either HALF or FULL DUPLEX MITM according to the target selection.
NOTE: use this MITM method only on Ethernet switches. Use it carefully, it could produce performance loss or general havoc.
NOTE: you can NOT use this method in only-mitm mode (-o flag), because it hooks the sniffing engine, and you can't use interactive data injection.
NOTE: it could be dangerous to use it in conjunction with other MITM methods.
NOTE: this MITM method doesn't work on Solaris and Windows because of the libpcap and libnet design and the lack of certain ioctl()s. (We will feature this method on these OSes if someone requests it...)
Example:
The targets are: /10.0.0.1/ /10.0.0.15/
You will intercept and visualize traffic between 10.0.0.1 and 10.0.0.15, but you will receive all the traffic for 10.0.0.1 and 10.0.0.15 too.
The target is: /10.0.0.1/ You will intercept and visualize all the traffic for 10.0.0.1.
ndp ([remote],[oneway])
NOTE: this MITM method is only available if IPv6 support has been enabled.
This method implements the NDP poisoning MITM attack for IPv6 connections. ND requests/replies are sent to the victims to poison their neighbor cache. Once the cache has been poisoned, the victims will send all IPv6 packets to the attacker which, in turn, can modify and forward them to the real destination.
In silent mode (-z option) only the first target is selected; if you want to poison multiple targets in silent mode, use the -j option to load a list from a file.
You can select empty targets and they will be expanded as 'ANY' (all the hosts in the LAN). The target list is joined with the hosts list (created by the ARP scan) and the result is used to determine the victims of the attack.
The parameter "remote" is optional and you have to specify it if you want to sniff remote IP addresses by poisoning a gateway. Indeed, if you specify a victim and the gw in the TARGETs, ettercap will sniff only connections between them, but to enable ettercap to sniff connections that pass through the gw, you have to use this parameter.
The parameter "oneway" will force ettercap to poison only from TARGET1 to TARGET2. Useful if you want to poison only the client and not the router (where an ARP watcher can be in place).
Example:
the targets are: //fe80::260d:afff:fe6e:f378/ //2001:db8::2:1/
IPv6 address ranges are not supported yet.
NOTE: if you manage to poison a client, you have to set a correct routing table in the kernel specifying the GW. If your routing table is incorrect, the poisoned clients will not be able to reach the Internet.
NOTE: in IPv6 the link-local address of the router is usually used as the gateway address. Hence you need to set the router's link-local address as one target and the victim's global unicast address as the other target in order to set up a successful IPv6 MITM attack using NDP poisoning.
-o, --only-mitm
This option disables the sniffing thread and enables only the MITM attack. Useful if you want to use ettercap to perform MITM attacks and another sniffer (such as wireshark) to sniff the traffic. Keep in mind that the packets are not forwarded by ettercap. The kernel will be responsible for the forwarding. Remember to activate the "ip forwarding" feature in your kernel.
-f, --pcapfilter <FILTER>
Set a capture filter in the pcap library. The format is the same as tcpdump(1). Remember that this kind of filter will not sniff packets out of the wire, so if you want to perform a MITM attack, ettercap will not be able to forward hijacked packets. These filters are useful to decrease the network load impact on the ettercap decoding module.
-B, --bridge <IFACE>
BRIDGED sniffing. You need two network interfaces. ettercap will forward all the traffic it sees from one to the other. It is useful for man in the middle at the physical layer. It is totally stealthy since it is passive and there is no way for a user to see the attacker. You can content filter all the traffic as if you were a transparent proxy for the "cable".
-r, --read <FILE>
OFFLINE sniffing. With this option enabled, ettercap will sniff packets from a pcap compatible file instead of capturing from the wire. This is useful if you have a file dumped from tcpdump or Wireshark and you want to analyze it (search for passwords or passive fingerprinting). Obviously you cannot use "active" sniffing (ARP poisoning or bridging) while sniffing from a file.
-w, --write <FILE>
Write packets to a pcap file. This is useful if you have to use "active" sniffing (ARP poisoning) on a switched LAN but you want to analyze the packets with tcpdump or Wireshark. You can use this option to dump the packets to a file and then load it into your favourite application.
NOTE: the dump file collects ALL the packets, disregarding the TARGET. This is done because you may want to log even protocols not supported by ettercap, so you can analyze them with other tools.
TIP: you can use the -w option in conjunction with the -r one. This way you will be able to filter the payload of the dumped packets or decrypt WEP-encrypted WiFi traffic and dump them to another file.
8. User interface options
-T, --text
The text only interface, only printf ;) It is quite interactive, press 'h' at any moment to get help on what you can do.
-q, --quiet
Quiet mode. It can be used only with the console interface. It does not print packet contents. It is useful if you want to convert pcap files to ettercap log files.
Example:
ettercap -Tq -L dumpfile -r pcapfile
-s, --script <COMMANDS>
With this option you can feed ettercap with commands as if they were typed on the keyboard by the user. This way you can use ettercap within your favourite scripts. There is a special command you can issue with this option: s(x). This command will sleep for x seconds.
Example:
ettercap -T -s 'lq' will print the list of the hosts and exit
ettercap -T -s 's(300)olqq' will collect the infos for 5 minutes, print the list of the local profiles and exit
-C, --curses
The ncurses based GUI. See ettercap_curses(8) for a full description.
-G, --gtk
The nice GTK2 interface (thanks Daten).
-D, --daemonize
Daemonize ettercap. This option will detach ettercap from the current controlling terminal and set it as a daemon. You can combine this feature with the "log" option to log all the traffic in the background. If the daemon fails for any reason, it will create the file "./ettercap_daemonized.log" in which the errors caught by ettercap will be reported. Furthermore, if you want a complete debug of the daemon process you are encouraged to recompile ettercap in debug mode.
9. General options
-b, --broadcast
Tells ettercap to process packets coming from the broadcast address.
-i, --iface <IFACE>
Use this <IFACE> instead of the default one. The interface can be unconfigured (requires libnet >= 1.1.2), but in this case you cannot use MITM attacks and you should set the unoffensive flag.
-I, --iflist
This option will print the list of all available network interfaces that can be used within ettercap. The option is particularly useful under Windows, where the names of the interfaces are not as obvious as under *nix.
-Y, --secondary <interface list>
Specify a list of (or a single) secondary interfaces to capture packets from.
-A, --address <ADDRESS>
Use this <ADDRESS> instead of the one autodetected for the current iface. This option is useful if you have an interface with multiple IP addresses.
-n, --netmask <NETMASK>
Use this <NETMASK> instead of the one associated with the current iface. This option is useful if your NIC has an associated netmask of class B and you want to scan (with the ARP scan) only a class C.
-R, --reversed
Reverse the matching in the TARGET selection. It means not(TARGET): all but the selected TARGET.
-t, --proto <PROTO>
Sniff only PROTO packets (default is TCP + UDP). This is useful if you want to select a port via the TARGET specification but you want to differentiate between TCP and UDP. PROTO can be "tcp", "udp" or "all".
-6, --ip6scan
Send ICMPv6 probes to discover alive IPv6 nodes on the link. This option sends a ping request to the all-nodes address to stimulate active IPv6 hosts to respond. If you are trying to hide yourself, you should not use this option. Hence this option is optional.
NOTE: this option is only available if IPv6 support has been enabled.
-z, --silent
Do not perform the initial ARP scan of the LAN.
NOTE: you will not have the hosts list, so you cannot use the multipurpose feature. You can select only two hosts for an ARP poisoning attack, specifying them through the TARGETs.
-p, --nopromisc
Usually, ettercap will put the interface in promisc mode to sniff all the traffic on the wire. If you want to sniff only your own connections, use this flag to NOT enable promisc mode.
-S, --nosslmitm
Usually, ettercap will forge SSL certificates to intercept HTTPS traffic. This option disables that behaviour.
-u, --unoffensive
Every time ettercap starts, it disables IP forwarding in the kernel and begins to forward packets itself. This option prevents that, so the responsibility for IP forwarding is left to the kernel. This option is useful if you want to run multiple ettercap instances. You will have only one instance (the one without the -u option) forwarding packets and all the other instances doing their work without forwarding them. Otherwise you will get packet duplicates. It also disables the internal creation of the sessions for each connection. It increases performance, but you will not be able to modify packets on the fly. If you want to use a MITM attack you have to use a separate instance. You have to use this option if the interface is unconfigured (without an IP address). This option is also useful if you want to run ettercap on a gateway. It will not disable forwarding and the gateway will correctly route the packets.
-j, --load-hosts <FILENAME>
It can be used to load a hosts list from a file created by the -k option. (see below)
-k, --save-hosts <FILENAME>
Saves the hosts list to a file. Useful when you have many hosts and you don't want to perform an ARP storm at startup every time you use ettercap. Simply use this option to dump the list to a file, then load the information from it with the -j <filename> option.
-P, --plugin <PLUGIN>
Runs the selected PLUGIN. Many plugins need a target specification; use TARGET as always. Use multiple occurrences of this argument to select multiple plugins. In console mode (-C option), standalone plugins are executed and then the application exits. Hook plugins are activated and normal sniffing is performed. To get a list of the available external plugins use "list" (without quotes) as the plugin name (e.g. ./ettercap -P list).
NOTE: you can also activate plugins directly from the interfaces (press 'h' to get the inline help)
More detailed info about plugins and about how to write your own can be found in the man page ettercap_plugin(8).
-F, --filter <FILE>
Load the filter from the file <FILE>. The filter must be compiled with etterfilter(8). That utility will compile the filter script and produce an ettercap-compliant binary filter file. Read the etterfilter(8) man page for the list of functions you can use inside a filter script. Any number of filters can be loaded by specifying the option multiple times; packets pass through each filter in the order they were specified on the command line. You can also load a script without enabling it by appending :0 to the filename.
NOTE: these filters are different from those set with --pcapfilter. An ettercap filter is a content filter and can modify the payload of a packet before forwarding it. Pcap filters are used to capture only certain packets.
NOTE: you can use filters on a pcap file in order to modify it and save to another file, but in this case you have to pay attention to what you are doing, since ettercap will not recalculate checksums, nor split packets exceeding the MTU (snaplen), or the like.
-W, --wifi-key <KEY>
You can specify a key to be used to decrypt WiFi packets (WEP or WPA). Only the packets decrypted successfully will be passed to the decoder stack; the others will be skipped with a message. The parameter has the following syntax: type:bits:t:string. Where 'type' can be wep, wpa-pwd or wpa-psk, 'bits' is the bit length of the key (64, 128 or 256), 't' is the type of the string ('s' for string and 'p' for passphrase). 'string' can be a string or an escaped hex sequence.
Examples:
--wifi-key wep:128:p:secret
--wifi-key wep:128:s:ettercapwep0
--wifi-key 'wep:64:s:\x01\x02\x03\x04\x05'
--wifi-key wpa:pwd:ettercapwpa:ssid
--wifi-key wpa:psk:663eb260e87cf389c6bd7331b28d82f5203b0cae4e315f9cbb7602f3236708a6
-a, --config <CONFIG>
Loads an alternative config file instead of the default /etc/etter.conf. This option is useful if you have many preconfigured files for different situations.
--certificate <FILE>
Tells ettercap to use the specified certificate file for the SSL MITM attack.
--private-key <FILE>
Tells ettercap to use the specified private key file for the SSL MITM attack.
10. Visualization options
-e, --regex <REGEX>
Handle only packets that match the regex.
This option is useful in conjunction with -L. It logs only packets that match the POSIX regex REGEX.
It affects even the visualization of sniffed packets. If it is set, only packets matching the regex will be displayed.
-V, --visual <FORMAT>
Use this option to set the visualization method for the packets to be displayed.
FORMAT may be one of the following:
hex Print the packets in hex format.
Example:
the string "HTTP/1.1 304 Not Modified" becomes:
0000: 4854 5450 2F31 2E31 2033 3034 204E 6F74 HTTP/1.1 304 Not
0010: 204D 6F64 6966 6965 64 Modified
ascii Print only "printable" characters; the others are displayed as dots '.'
text Print only the "printable" characters and skip the others.
ebcdic Convert EBCDIC text to ASCII.
html Strip all the HTML tags from the text. A tag is every string between < and >.
Example:
<title>This is the title.<title>, but <title> etc. will not be displayed.
becomes: This is the title, but the following will not be displayed.
utf8 Print the packets in UTF-8 format. The encoding used while performing the conversion is declared in the etter.conf(5) file.
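The hex, ascii, text and html visualization formats above, re-implemented in Python as an added example (not ettercap's code) so the layout can be reproduced on arbitrary payload bytes; lowercase hex digits, the two-byte grouping and the 0x20-0x7e "printable" range are assumptions, and ebcdic and utf8 are omitted because they need codec tables.

```python
"""Re-implementation of ettercap's -V hex/ascii/text/html display formats,
added as an example (not ettercap code). Reproduces the hex layout shown
for "HTTP/1.1 304 Not Modified": offset, 2-byte hex groups, ASCII column.
Assumptions: lowercase hex, 16 bytes per row, printable = 0x20..0x7e."""
import re
from typing import List

PRINTABLE = range(0x20, 0x7f)    # bytes shown verbatim by ascii/text modes
TAG_RE = re.compile(r"<[^>]*>")  # html mode: a tag is anything between < and >


def _printable(data: bytes, placeholder: str) -> str:
    """Map each byte to its character, or to `placeholder` if not printable."""
    return "".join(chr(b) if b in PRINTABLE else placeholder for b in data)


def hex_lines(data: bytes, width: int = 16) -> List[str]:
    """One line per `width` bytes: offset, 2-byte hex groups, ASCII column.
    The hex column is padded to a full row so the ASCII column lines up."""
    group_cols = (width // 2) * 5 - 1   # e.g. 39 chars for "4854 5450 ... 6f74"
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        hex_col = " ".join(groups)
        lines.append(f"{off:04x}: {hex_col:<{group_cols}}  {_printable(chunk, '.')}")
    return lines


def visualize(data: bytes, fmt: str) -> str:
    """Render `data` the way the named -V FORMAT would display it."""
    if fmt == "hex":
        return "\n".join(hex_lines(data))
    if fmt == "ascii":
        return _printable(data, ".")     # non-printables become dots
    if fmt == "text":
        return _printable(data, "")      # non-printables are skipped
    if fmt == "html":
        return TAG_RE.sub("", _printable(data, ""))
    raise ValueError(f"unsupported FORMAT: {fmt!r}")


if __name__ == "__main__":
    print(visualize(b"HTTP/1.1 304 Not Modified", "hex"))
```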
-d, --dns
Resolve IP addresses into hostnames.
NOTE: this may seriously slow down ettercap while logging passive information. Every time a new host is found, a query to the DNS is performed. ettercap keeps a cache of already resolved hosts to increase speed, but a new host needs a new query and the DNS may take 2 or 3 seconds to respond for an unknown host.
HINT: ettercap collects the DNS replies it sniffs in the resolution table, so even if you specify not to resolve the hostnames, some of them will be resolved because the reply was previously sniffed. Think of it as passive DNS resolution for free... ;)
-E, --ext-headers
Print extended headers for every displayed packet (e.g. MAC addresses).
-Q, --superquiet
Super quiet mode. Do not print users and passwords as they are collected. Only store them in the profiles. Useful when running ettercap in plain text mode but you don't want to be flooded with dissector information. Useful when using plugins, because the sniffing process is always active and it will print all the collected information; with this option you can suppress these messages. NOTE: this option automatically sets the -q option.
Example:
ettercap -TzQP finger /192.168.0.1/22
11. Logging options
-L, --log <LOGFILE>
Log all the packets to binary files. These files can be parsed by etterlog(8) to extract human readable data. With this option, all packets sniffed by ettercap will be logged, together with all the passive info (host info + users and passwords) it can collect. Given a LOGFILE, ettercap will create LOGFILE.ecp (for packets) and LOGFILE.eci (for infos).
NOTE: if you specify this option on the command line you don't have to take care of privileges, since the log file is opened in the startup phase (with high privileges). But if you enable the log option while ettercap is already started, you have to be in a directory writable by uid = 65535 or uid = EC_UID.
NOTE: the log files can be compressed with the deflate algorithm using the -c option.
-l, --log-info <LOGFILE>
Very similar to -L but it logs only passive information + users and passwords for each host. The file will be named LOGFILE.eci
-m, --log-msg <LOGFILE>
It stores in <LOGFILE> all the user messages printed by ettercap. This can be useful when you are using ettercap in daemon mode or if you want to track down all the messages. Indeed, some dissectors print messages but the information is not stored anywhere, so this is the only way to keep track of them.
-c, --compress
Compress the log file with the gzip algorithm while it is dumped. etterlog(8) is capable of handling both compressed and uncompressed log files.
-o, --only-local
Stores profile information belonging to LAN hosts only.
NOTE: this option is only effective for the profiles that are selected in memory. When logging to a file all hosts are logged. If you want to split them, use the related etterlog(8) options.
-O, --only-remote
Stores profile information belonging to remote hosts only.
12. Standard options
-v, --version
Print the version and exit.
-h, --help
Print the help screen with a short summary of the available options.
13. Examples
Here are some examples of using ettercap.
ettercap -Tp
Use the console interface and do not put the interface in promisc mode. You will see only your own traffic.
ettercap -Tzq
Use the console interface, do not ARP scan the net and be quiet. The packet contents will not be displayed, but users and passwords and other messages will be displayed.
ettercap -T -j /tmp/victims -M arp /10.0.0.1-7/ /10.0.0.10-20/
Will load the hosts list from /tmp/victims and perform an ARP poisoning attack against the two targets. The list will be joined with the targets and the resulting list is used for ARP poisoning.
ettercap -T -M arp // //
Perform the ARP poisoning attack against all the hosts in the LAN. BE CAREFUL!!
ettercap -T -M arp:remote /192.168.1.1/ /192.168.1.2-10/
Perform the ARP poisoning against the gateway and the hosts in the LAN between 2 and 10. The 'remote' option is needed to be able to sniff the remote traffic the hosts make through the gateway.
ettercap -Tzq //110
Sniff only the pop3 protocol from every host.
ettercap -Tzq /10.0.0.1/21,22,23
Sniff telnet, ftp and ssh connections to 10.0.0.1.
ettercap -P list
Prints the list of all available plugins
Files
~/.config/ettercap_gtk
Stores persistent information between sessions (e.g. window position).
14. Other
Original authors
Alberto Ornaghi (ALoR) <alor@users.sf.net>
Marco Valleri (NaGA) <naga@antifork.org>
Project stewards
Emilio Escobar (exfil) <eescobar@gmail.com>
Eric Milam (brav0hax) <jbrav.hax@gmail.com>
Official developers
Mike Ryan (justfalter) <falter@gmail.com>
Gianfranco Costamagna (LocutusOfBorg) <costamagnagianfranco@yahoo.it>
Antonio Collarino (sniper) <anto.collarino@gmail.com>
Ryan Linn <sussuro@happypacket.net>
Jacob Baines <baines.jacob@gmail.com>
Contributors
Dhiru Kholia (kholia) <dhiru@openwall.com>
Alexander Koeppe (koeppea) <format_c@online.de>
Martin Bos (PureHate) <purehate@backtrack.com>
Enrique Sanchez
Gisle Vanem <giva@bgnett.no>
Johannes Bauer <JohannesBauer@gmx.de>
Daten (Bryan Schneiders) <daten@dnetc.org>
See also
etter.conf(5) ettercap_curses(8) ettercap_plugins(8) etterlog(8) etterfilter(8) ettercap-pkexec(8)
GitHub download
https://github.com/Ettercap/ettercap/downloads
Git
git clone git://github.com/Ettercap/ettercap.git or git clone https://github.com/Ettercap/ettercap.git
Bugs
Our software never has bugs.
It just develops random features. qwq
Known bugs
- ettercap doesn't handle fragmented packets... only the first segment will be displayed by the sniffer. However, all the fragments are correctly forwarded.
+ Please send bug reports, patches or suggestions to <ettercap-betatesting@lists.sourceforge.net> or visit https://github.com/Ettercap/ettercap/issues.
+ To report a bug, follow the instructions in the README.BUGS file.
Philological history
"Even if blessed with a feeble intelligence, they are cruel and smart..." this is the description of Ettercap, a monster of the RPG Advanced Dungeons & Dragons.
The name "Ettercap" was chosen because of its assonance with "Ethernet Cap", meaning "Ethernet Capture" (what ettercap actually does), and also because such monsters have a powerful poison... and you know, ARP poisoning ;)
The Lord Of The (Token)Ring
(the fellowship of the packet)
"One Ring to link them all, One Ring to ping them, one Ring to bring them all and in the darkness sniff them."
Last words
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning."
Manual Reference Pages - ETTERCAP (8)
NAME
ettercap NG-0.7.3 - A multipurpose sniffer/content filter for man in the middle attacks
***** IMPORTANT NOTE ******
Since ettercap NG (formerly 0.7.0), all the options have been changed. Even the target specification has been changed. Please read carefully this man page.
SYNOPSIS
ettercap [OPTIONS] [TARGET1] [TARGET2]
TARGET is in the form MAC/IPs/PORTs
where IPs and PORTs can be ranges (e.g. /192.168.0.1-30,40,50/20,22,25)
DESCRIPTION
Ettercap was born as a sniffer for switched LAN (and obviously even "hubbed" ones), but during the development process it has gained more and more features that have changed it to a powerful and flexible tool for man-in-the-middle attacks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis (such as OS fingerprint).
It has two main sniffing options:
UNIFIED, this method sniffs all the packets that pass on the cable. You can choose to put or not the interface in promisc mode (-p option). The packet not directed to the host running ettercap will be forwarded automatically using layer 3 routing. So you can use a mitm attack launched from a different tool and let ettercap modify the packets and forward them for you.
The kernel ip_forwarding is always disabled by ettercap. This is done to prevent to forward a packet twice (one by ettercap and one by the kernel). This is an invasive behaviour on gateways. So we recommend you to use ettercap on the gateways ONLY with the UNOFFENSIVE MODE ENABLED. Since ettercap listens only on one network interface, launching it on the gateway in offensive mode will not allow packets to be rerouted back from the second interface.
BRIDGED, it uses two network interfaces and forward the traffic from one to the other while performing sniffing and content filtering. This sniffing method is totally stealthy since there is no way to find that someone is in the middle on the cable. You can look at this method as a mitm attack at layer 1. You will be in the middle of the cable between two entities. Don't use it on gateways or it will transform your gateway into a bridge. HINT: you can use the content filtering engine to drop packets that should not pass. This way ettercap will work as an inline IPS ;)
You can also perform man in the middle attacks while using the unified sniffing. You can choose the mitm attack that you prefer. The mitm attack module is independent from the sniffing and filtering process, so you can launch several attacks at the same time or use your own tool for the attack. The crucial point is that the packets have to arrive to ettercap with the correct mac address and a different ip address (only these packets will be forwarded).
The most relevant ettercap features are:
SSH1 support : you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the first software capable to sniff an SSH connection in FULL-DUPLEX
SSL support : you can sniff SSL secured data... a fake certificate is presented to the client and the session is decrypted.
Characters injection in an established connection : you can inject characters to the server (emulating commands) or to the client (emulating replies) maintaining the connection alive !!
Packet filtering/dropping: You can set up a filter script that searches for a particular string (even hex) in the TCP or UDP payload and replace it with yours or drop the entire packet. The filtering engine can match any field of the network protocols and modify whatever you want (see etterfilter(8)).
Remote traffic sniffing through tunnels and route mangling: You can play with linux cooked interfaces or use the integrated plugin to sniff tunneled or route-mangled remote connections and perform mitm attacks on them.
Plug-ins support : You can create your own plugin using the ettercap’s API.
Password collector for : TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG (other protocols coming soon...)
Passive OS fingerprint: you scan passively the lan (without sending any packet) and gather detailed info about the hosts in the LAN: Operating System, running services, open ports, IP, mac address and network adapter vendor.
Kill a connection: from the connections list you can kill all the connections you want
TARGET SPECIFICATION
There is no concept of SOURCE nor DEST. The two targets are intended to filter traffic coming from one to the other and vice-versa (since the connection is bidirectional).
TARGET is in the form MAC/IPs/PORTs. If you want you can omit any of its parts and this will represent an ANY in that part.
e.g.
"//80" means ANY mac address, ANY ip and ONLY port 80
"/10.0.0.1/" means ANY mac address, ONLY ip 10.0.0.1 and ANY port
MAC must be unique and in the form 00:11:22:33:44:55
IPs is a range of IP in dotted notation. You can specify range with the - (hyphen) and single ip with , (comma). You can also use ; (semicolon) to indicate different ip addresses.
e.g.
"10.0.0.1-5;10.0.1.33" expands into ip 10.0.0.1, 2, 3, 4, 5 and 10.0.1.33
PORTs is a range of PORTS. You can specify range with the - (hyphen) and single port with , (comma).
e.g.
"20-25,80,110" expands into ports 20, 21, 22, 23, 24, 25, 80 and 110
NOTE: you can reverse the matching of the TARGET by adding the -R option to the command line. So if you want to sniff ALL the traffic BUT the one coming or going to 10.0.0.1 you can specify "./ettercap -R /10.0.0.1/"
NOTE: TARGETs are also responsible of the initial scan of the lan. You can use them to restrict the scan to only a subset of the hosts in the netmask. The result of the merging between the two targets will be scanned. Remember that not specifying a target means "no target", but specifying "//" means "all the hosts in the subnet".
PRIVILEGES DROPPING
ettercap needs root privileges to open the Link Layer sockets. After the initialization phase, the root privs are not needed anymore, so ettercap drops them to UID = 65535 (nobody). Since ettercap has to write (create) log files, it must be executed in a directory with the right permissions (e.g. /tmp/). If you want to drop privs to a different uid, you can export the environment variable EC_UID with the value of the uid you want to drop the privs to (e.g. export EC_UID=500) or set the correct parameter in the etter.conf file.
SSL MITM ATTACK
While performing the SSL mitm attack, ettercap substitutes the real ssl certificate with its own. The fake certificate is created on the fly and all the fields are filled according to the real cert presented by the server. Only the issuer is modified and signed with the private key contained in the 'etter.ssl.crt' file. If you want to use a different private key you have to regenerate this file. To regenerate the cert file use the following commands:
openssl genrsa -out etter.ssl.crt 1024
openssl req -new -key etter.ssl.crt -out tmp.csr
openssl x509 -req -days 1825 -in tmp.csr -signkey etter.ssl.crt -out tmp.new
cat tmp.new >> etter.ssl.crt
rm -f tmp.new tmp.csr
NOTE: SSL mitm is not available (for now) in bridged mode.
OPTIONS
Options that make sense together can generally be combined. ettercap will warn the user about unsupported option combinations.
SNIFFING AND ATTACK OPTIONS
ettercap NG has a new unified sniffing method. This implies that ip_forwarding in the kernel is always disabled and the forwarding is done by ettercap. Every packet with destination mac address equal to the host's mac address and destination ip address different from the one bound to the iface will be forwarded by ettercap. Before forwarding them, ettercap can content filter, sniff, log or drop them. It does not matter how these packets are hijacked, ettercap will process them. You can even use external programs to hijack packets.
You have full control of what ettercap should receive. You can use the internal mitm attacks, set the interface in promisc mode, use plugins or use every method you want.
IMPORTANT NOTE: if you run ettercap on a gateway, remember to re-enable the ip_forwarding after you have killed ettercap. Since ettercap drops its privileges, it cannot restore the ip_forwarding for you.
-M, --mitm <METHOD:ARGS> MITM attack
This option will activate the man in the middle attack. The mitm attack is totally independent from the sniffing. The aim of the attack is to hijack packets and redirect them to ettercap. The sniffing engine will forward them if necessary.
You can choose the mitm attack that you prefer and also combine some of them to perform different attacks at the same time.
If a mitm method requires some parameters you can specify them after the colon. (e.g. -M dhcp:ip_pool,netmask,etc )
The following mitm attacks are available:
arp ([remote],[oneway]) This method implements the ARP poisoning mitm attack. ARP requests/replies are sent to the victims to poison their ARP cache. Once the cache has been poisoned the victims will send all packets to the attacker which, in turn, can modify and forward them to the real destination. In silent mode (-z option) only the first target is selected, if you want to poison multiple target in silent mode use the -j option to load a list from a file.
You can select empty targets and they will be expanded as ’ANY’ (all the hosts in the LAN). The target list is joined with the hosts list (created by the arp scan) and the result is used to determine the victims of the attack.
The parameter "remote" is optional and you have to specify it if you want to sniff remote ip address poisoning a gateway. Indeed if you specify a victim and the gw in the TARGETS, ettercap will sniff only connection between them, but to enable ettercap to sniff connections that pass thru the gw, you have to use this parameter.
The parameter "oneway" will force ettercap to poison only from TARGET1 to TARGET2. Useful if you want to poison only the client and not the router (where an arp watcher can be in place).
Example:
the targets are: /10.0.0.1-5/ /10.0.0.15-20/
and the host list is: 10.0.0.1 10.0.0.3 10.0.0.16 10.0.0.18
the associations between the victims will be: 1 and 16, 1 and 18, 3 and 16, 3 and 18
if the targets overlap each other, the association with identical ip address will be skipped.
NOTE: if you manage to poison a client, you have to set correct routing table in the kernel specifying the GW. If your routing table is incorrect, the poisoned clients will not be able to navigate the Internet.
icmp (MAC/IP) This attack implements ICMP redirection. It sends a spoofed icmp redirect message to the hosts in the lan pretending to be a better route for internet. All connections to internet will be redirected to the attacker which, in turn, will forward them to the real gateway. The resulting attack is a HALF-DUPLEX mitm. Only the client is redirected, since the gateway will not accept redirect messages for a directly connected network. BE SURE TO NOT USE FILTERS THAT MODIFY THE PAYLOAD LENGTH. you can use a filter to modify packets, but the length must be the same since the tcp sequences cannot be updated in both ways.
You have to pass as argument the MAC and the IP address of the real gateway for the lan.
Obviously you have to be able to sniff all the traffic. If you are on a switch you have to use a different mitm attack such as arp poisoning.
NOTE: to restrict the redirection to a given target, specify it as a TARGET
Example:
-M icmp:00:11:22:33:44:55/10.0.0.1
will redirect all the connections that pass thru that gateway.
dhcp (ip_pool/netmask/dns) This attack implements DHCP spoofing. It pretends to be a DHCP server and tries to win the race condition with the real one to force the client to accept the attacker's reply. This way ettercap is able to manipulate the GW parameter and hijack all the outgoing traffic generated by the clients.
The resulting attack is a HALF-DUPLEX mitm. So be sure to use appropriate filters (see above in the ICMP section).
You have to pass the ip pool to be used, the netmask and the ip of the dns server. Since ettercap tries to win the race with the real server, it DOES NOT CHECK if the ip is already assigned. You have to specify an ip pool of FREE addresses to be used. The ip pool has the same form of the target specification.
If the client sends a dhcp request (suggesting an ip address) ettercap will ack on that ip and modify only the gw option. If the client makes a dhcp discovery, ettercap will use the first unused ip address of the list you have specified on command line. Every discovery consumes an ip address. When the list is over, ettercap stops offering new ip addresses and will reply only to dhcp requests.
If you don't want to offer any ip address, but only change the router information of dhcp request/ack, you can specify an empty ip_pool.
BIG WARNING: if you specify a list of ip that are in use, you will mess your network! In general, use this attack carefully. It can really mess things up! When you stop the attack, all the victims will be still convinced that ettercap is the gateway until the lease expires...
Example:
-M dhcp:192.168.0.30,35,50-60/255.255.255.0/192.168.0.1
reply to DHCP offer and request.
-M dhcp:/255.255.255.0/192.168.0.1
reply only to DHCP request.
port ([remote],[tree]) This attack implements Port Stealing. This technique is useful to sniff in a switched environment when ARP poisoning is not effective (for example where static mapped ARPs are used). It floods the LAN (based on port_steal_delay option in etter.conf) with ARP packets. If you don’t specify the "tree" option, the destination MAC address of each "stealing" packet is the same as the attacker’s one (other NICs won’t see these packets), the source MAC address will be one of the MACs in the host list. This process "steals" the switch port of each victim host in the host list. Using low delays, packets destined to "stolen" MAC addresses will be received by the attacker, winning the race condition with the real port owner. When the attacker receives packets for "stolen" hosts, it stops the flooding process and performs an ARP request for the real destination of the packet. When it receives the ARP reply it’s sure that the victim has "taken back" his port, so ettercap can re-send the packet to the destination as is. Now we can re-start the flooding process waiting for new packets.
If you use the "tree" option, the destination MAC address of each stealing packet will be a bogus one, so these packets will be propagated to other switches (not only the directly connected one). This way you will be able to steal ports on other switches in the tree (if any), but you will generate a huge amount of traffic (according to port_steal_delay). The "remote" option has the same meaning as in "arp" mitm method.
When you stop the attack, ettercap will send an ARP request to each stolen host giving back their switch ports.
You can perform either HALF or FULL DUPLEX mitm according to target selection.
NOTE: Use this mitm method only on ethernet switches. Use it carefully, it could produce performances loss or general havoc.
NOTE: You can NOT use this method in only-mitm mode (-o flag), because it hooks the sniffing engine, and you can’t use interactive data injection.
NOTE: It could be dangerous to use it in conjunction with other mitm methods.
NOTE: This mitm method doesn't work on Solaris and Windows because of the libpcap and libnet design and the lack of certain ioctl(). (We will feature this method on these OSes if someone will request it...)
Example:
The targets are: /10.0.0.1/ /10.0.0.15/
You will intercept and visualize traffic between 10.0.0.1 and 10.0.0.15, but you will receive all the traffic for 10.0.0.1 and 10.0.0.15 too.
The target is: /10.0.0.1/
You will intercept and visualize all the traffic for 10.0.0.1.
-o, --only-mitm This option disables the sniffing thread and enables only the mitm attack. Useful if you want to use ettercap to perform mitm attacks and another sniffer (such as ethereal) to sniff the traffic. Keep in mind that the packets are not forwarded by ettercap. The kernel will be responsible for the forwarding. Remember to activate the "ip forwarding" feature in your kernel.
-f, --pcapfilter <FILTER> Set a capturing filter in the pcap library. The format is the same as tcpdump(1). Remember that this kind of filter will not sniff packets out of the wire, so if you want to perform a mitm attack, ettercap will not be able to forward hijacked packets.
These filters are useful to reduce the load that network traffic puts on the ettercap decoding module.
-B, --bridge <IFACE> BRIDGED sniffing
You need two network interfaces. ettercap will forward from one to the other all the traffic it sees. It is useful for man in the middle at the physical layer. It is totally stealthy since it is passive and there is no way for a user to see the attacker.
You can content filter all the traffic as you were a transparent proxy for the "cable".
OFF LINE SNIFFING
-r, --read <FILE> OFF LINE sniffing
With this option enabled, ettercap will sniff packets from a pcap compatible file instead of capturing from the wire.
This is useful if you have a file dumped from tcpdump or ethereal and you want to make an analysis (search for passwords or passive fingerprint) on it.
Obviously you cannot use "active" sniffing (arp poisoning or bridging) while sniffing from a file.
-w, --write <FILE> WRITE packets to a pcap file
This is useful if you have to use "active" sniffing (arp poison) on a switched LAN but you want to analyze the packets with tcpdump or ethereal. You can use this option to dump the packets to a file and then load it into your favourite application.
NOTE: the dump file collects ALL the packets disregarding the TARGET. This is done because you may want to log even protocols not supported by ettercap, so you can analyze them with other tools.
TIP: you can use the -w option in conjunction with the -r one. This way you will be able to filter the payload of the dumped packets or decrypt WEP-encrypted WiFi traffic and dump them to another file.
USER INTERFACES OPTIONS
-T, --text The text only interface, only printf ;)
It is quite interactive, press ’h’ at any moment to get help on what you can do.
-q, --quiet Quiet mode. It can be used only in conjunction with the console interface. It does not print packet content. It is useful if you want to convert a pcap file to ettercap log files. example:
ettercap -Tq -L dumpfile -r pcapfile
-s, --script <COMMANDS> With this option you can feed ettercap with commands as if they were typed on the keyboard by the user. This way you can use ettercap within your favourite scripts. There is a special command you can issue through this option: s(x). This command will sleep for x seconds. example:
ettercap -T -s ’lq’ will print the list of the hosts and exit
ettercap -T -s ’s(300)olqq’ will collect the infos for 5 minutes, print the list of the local profiles and exit
-C, --curses Ncurses based GUI. See ettercap_curses(8) for a full description.
-G, --gtk The nice GTK2 interface (thanks Daten...).
-D, --daemonize Daemonize ettercap. This option will detach ettercap from the current controlling terminal and set it as a daemon. You can combine this feature with the "log" option to log all the traffic in the background. If the daemon fails for any reason, it will create the file "./ettercap_daemonized.log" in which the error caught by ettercap will be reported. Furthermore, if you want to have a complete debug of the daemon process, you are encouraged to recompile ettercap in debug mode.
GENERAL OPTIONS
-i, --iface <IFACE> Use this <IFACE> instead of the default one. The interface can be unconfigured (requires libnet >= 1.1.2), but in this case you cannot use MITM attacks and you should set the unoffensive flag.
-I, --iflist This option will print the list of all available network interfaces that can be used within ettercap. The option is particularly useful under Windows, where the name of the interface is not as obvious as under *nix.
-n, --netmask <NETMASK> Use this <NETMASK> instead of the one associated with the current iface. This option is useful if your NIC has a class B netmask associated with it and you want to scan (with the arp scan) only a class C.
-R, --reversed Reverse the matching in the TARGET selection. It means not(TARGET). All but the selected TARGET.
-t, --proto <PROTO> Sniff only PROTO packets (default is TCP + UDP).
This is useful if you want to select a port via the TARGET specification but you want to differentiate between tcp or udp.
PROTO can be "tcp", "udp" or "all" for both.
-z, --silent Do not perform the initial ARP scan of the LAN. NOTE: you will not have the hosts list, so you can’t use the multipoison feature. You can only select two hosts for an ARP poisoning attack, specifying them through the TARGETs.
-p, --nopromisc Usually, ettercap will put the interface in promisc mode to sniff all the traffic on the wire. If you want to sniff only your connections, use this flag to NOT enable the promisc mode.
-u, --unoffensive Every time ettercap starts, it disables ip forwarding in the kernel and begins to forward packets itself. This option prevents that, so the responsibility for ip forwarding is left to the kernel.
This option is useful if you want to run multiple ettercap instances. You will have one instance (the one without the -u option) forwarding the packets, and all the other instances doing their work without forwarding them. Otherwise you will get packet duplicates.
It also disables the internal creation of the sessions for each connection. It improves performance, but you will not be able to modify packets on the fly.
If you want to use a mitm attack you have to use a separate instance.
You have to use this option if the interface is unconfigured (without an IP address).
This is also useful if you want to run ettercap on the gateway. It will not disable the forwarding and the gateway will correctly route the packets.
-j, --load-hosts <FILENAME> It can be used to load a hosts list from a file created by the -k option. (see below)
-k, --save-hosts <FILENAME> Saves the hosts list to a file. Useful when you have many hosts and you don’t want to do an ARP storm at startup every time you use ettercap. Simply use this option and dump the list to a file, then to load the information from it use the -j <filename> option.
-P, --plugin <PLUGIN> Run the selected PLUGIN. Many plugins need target specification, use TARGET as always.
In console mode (-C option), standalone plugins are executed and then the application exits. Hook plugins are activated and the normal sniffing is performed.
To have a list of the available external plugins use "list" (without quotes) as plugin name (e.g. ./ettercap -P list).
NOTE: you can also activate plugins directly from the interfaces (always press "h" to get the inline help)
More detailed info about plugins and about how to write your own are found in the man page ettercap_plugin(8).
-F, --filter <FILE> Load the filter from the file <FILE>. The filter must be compiled with etterfilter(8). The utility will compile the filter script and produce an ettercap-compliant binary filter file. Read the etterfilter(8) man page for the list of functions you can use inside a filter script.
NOTE: these filters are different from those set with --pcapfilter. An ettercap filter is a content filter and can modify the payload of a packet before forwarding it. Pcap filters are used to capture only certain packets.
NOTE: you can use filters on a pcap file to modify it and save to another file, but in this case you have to pay attention to what you are doing, since ettercap will not recalculate checksums, nor split packets exceeding the mtu (snaplen) nor anything like that.
-W, --wep-key <KEY> You can specify a WEP key to decrypt WiFi packets. Only the packets decrypted successfully will be passed to the decoders stack, the others will be skipped with a message.
The parameter has the following syntax: N:T:KEY. Where N is the bit length of the wep key (64, 128 or 256), T is the type of the string (’s’ for string and ’p’ for passphrase). KEY can be a string or an escaped hex sequence. example:
--wep-key 128:p:secret
--wep-key 128:s:ettercapwep0
--wep-key ’64:s:\x01\x02\x03\x04\x05’
-a, --config <CONFIG> Loads an alternative config file instead of the default in /etc/etter.conf. This is useful if you have many preconfigured files for different situations.
VISUALIZATION OPTIONS
-e, --regex <REGEX> Handle only packets that match the regex.
This option is useful in conjunction with -L. It logs only packets that match the POSIX regex REGEX.
It impacts even the visualization of the sniffed packets. If it is set only packets matching the regex will be displayed.
-V, --visual <FORMAT> Use this option to set the visualization method for the packets to be displayed. FORMAT may be one of the following:
hex Print the packets in hex format. example:
the string "HTTP/1.1 304 Not Modified" becomes:
0000: 4854 5450 2f31 2e31 2033 3034 204e 6f74 HTTP/1.1 304 Not
0010: 204d 6f64 6966 6965 64                  Modified
ascii Print only "printable" characters, the others are displayed as dots ’.’
text Print only the "printable" characters and skip the others.
ebcdic Convert an EBCDIC text to ASCII.
html Strip all the html tags from the text. A tag is every string between < and >. example:
<title>This is the title</title>, but the following <string> will not be displayed.
This is the title, but the following will not be displayed.
utf8 Print the packets in UTF-8 format. The encoding used while performing the conversion is declared in the etter.conf(5) file.
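The hex, ascii, text, ebcdic and html formats above are simple enough to re-implement, which makes the layout rules concrete (offset column, 2-byte hex groups, printable range, what counts as a tag). This is an added example, not ettercap's own code; it assumes cp037 as the EBCDIC code page and latin-1 as the byte-to-text decoding for html, neither of which the man page specifies.

```python
import re

# ASCII printable range used by the ascii/text formats (assumption for this example)
PRINTABLE = range(32, 127)


def vis_hex(data: bytes, width: int = 16) -> str:
    """'hex' format: 4-digit offset, 2-byte hex groups, printable ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        # pad a short last line so the ASCII column stays aligned
        groups = groups.ljust(width * 2 + width // 2 - 1)
        asc = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        lines.append(f"{off:04x}: {groups} {asc}")
    return "\n".join(lines)


def vis_ascii(data: bytes) -> str:
    """'ascii' format: printable characters kept, everything else shown as '.'."""
    return "".join(chr(b) if b in PRINTABLE else "." for b in data)


def vis_text(data: bytes) -> str:
    """'text' format: printable characters kept, everything else skipped."""
    return "".join(chr(b) for b in data if b in PRINTABLE)


def vis_ebcdic(data: bytes) -> str:
    """'ebcdic' format: EBCDIC to ASCII (code page cp037 assumed here)."""
    return data.decode("cp037", errors="replace")


def vis_html(data: bytes) -> str:
    """'html' format: drop every tag, i.e. any string between '<' and '>'.
    An unterminated '<' is not a tag and is kept; whitespace around a
    removed tag is left in place."""
    return re.sub(r"<[^>]*>", "", data.decode("latin-1"))


FORMATS = {"hex": vis_hex, "ascii": vis_ascii, "text": vis_text,
           "ebcdic": vis_ebcdic, "html": vis_html}


def visualize(fmt: str, data: bytes) -> str:
    """Dispatch on the -V FORMAT name; an unknown name raises ValueError."""
    try:
        return FORMATS[fmt](data)
    except KeyError:
        raise ValueError(f"unknown visualization format: {fmt}") from None


if __name__ == "__main__":
    # constructed sample payload with non-printable bytes at the end
    sample = b"HTTP/1.1 304 Not Modified\r\n"
    for name in FORMATS:
        print(f"--- {name} ---")
        print(visualize(name, sample))
```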
-d, --dns Resolve IP addresses into hostnames. NOTE: this may seriously slow down ettercap while logging passive information. Every time a new host is found, a query to the DNS is performed. Ettercap keeps a cache for already resolved hosts to increase the speed, but new hosts need a new query and the DNS may take up to 2 or 3 seconds to respond for an unknown host.
HINT: ettercap collects the DNS replies it sniffs in the resolution table, so even if you specify to not resolve the hostnames, some of them will be resolved because the reply was previously sniffed. Think about it as a passive DNS resolution for free... ;)
-E, --ext-headers Print extended headers for every displayed packet. (e.g. mac addresses)
-Q, --superquiet Super quiet mode. Do not print users and passwords as they are collected. Only store them in the profiles. It is useful when you run ettercap in text only mode but don’t want to be flooded with dissector messages. Useful when using plugins: because the sniffing process is always active, it would print all the collected info; with this option you can suppress these messages.
NOTE: this option automatically sets the -q option. example:
ettercap -TzQP finger /192.168.0.1/22
LOGGING OPTIONS
-L, --log <LOGFILE> Log all the packets to binary files. These files can be parsed by etterlog(8) to extract human readable data. With this option, all packets sniffed by ettercap will be logged, together with all the passive info (host info + user & pass) it can collect. Given a LOGFILE, ettercap will create LOGFILE.ecp (for packets) and LOGFILE.eci (for the infos).
NOTE: if you specify this option on command line you don’t have to take care of privileges since the log file is opened in the startup phase (with high privs). But if you enable the log option while ettercap is already started, you have to be in a directory where uid = 65535 or uid = EC_UID can write.
NOTE: the logfiles can be compressed with the deflate algorithm using the -c option.
-l, --log-info <LOGFILE> Very similar to -L but it logs only passive information + users and passwords for each host. The file will be named LOGFILE.eci
-m, --log-msg <LOGFILE> It stores in <LOGFILE> all the user messages printed by ettercap. This can be useful when you are using ettercap in daemon mode or if you want to track down all the messages. Indeed, some dissectors print messages but their information is not stored anywhere, so this is the only way to keep track of them.
-c, --compress Compress the logfile with the gzip algorithm while it is dumped. etterlog(8) is capable of handling both compressed and uncompressed log files.
-o, --only-local Stores profile information belonging only to the LAN hosts. NOTE: this option is effective only against the profiles collected in memory. While logging to a file ALL the hosts are logged. If you want to split them, use the related etterlog(8) option.
-O, --only-remote Stores profile information belonging only to remote hosts.
STANDARD OPTIONS
-U, --update Connects to the ettercap website (ettercap.sf.net) and retrieves the latest databases used by ettercap.
If you want only to check if an update is available, prepend the -z option. The order does matter: ettercap -zU
SECURITY NOTE: The updates are not signed, so an attacker may poison your DNS server and force the updateNG.php to feed ettercap with fake databases. This can harm your system since it can overwrite any file containing the string "Revision: ".
-v, --version Print the version and exit.
-h, --help Prints the help screen with a short summary of the available options.
EXAMPLES
Here are some examples of using ettercap.
ettercap -Tp Use the console interface and do not put the interface in promisc mode. You will see only your traffic.
ettercap -Tzq Use the console interface, do not ARP scan the net and be quiet. The packet content will not be displayed, but user and passwords, as well as other messages, will be displayed.
ettercap -T -j /tmp/victims -M arp /10.0.0.1-7/ /10.0.0.10-20/ Will load the hosts list from /tmp/victims and perform an ARP poisoning attack against the two targets. The list will be joined with the targets and the resulting list is used for ARP poisoning.
ettercap -T -M arp // // Perform the ARP poisoning attack against all the hosts in the LAN. BE CAREFUL !!
ettercap -T -M arp:remote /192.168.1.1/ /192.168.1.2-10/ Perform the ARP poisoning against the gateway and the hosts in the LAN from .2 to .10. The ’remote’ option is needed to be able to sniff the remote traffic the hosts make through the gateway.
ettercap -Tzq //110 Sniff only the pop3 protocol from every host.
ettercap -Tzq /10.0.0.1/21,22,23 Sniff telnet, ftp and ssh connections to 10.0.0.1.
ettercap -P list Prints the list of all available plugins
AUTHORS
Alberto Ornaghi (ALoR) <alor@users.sf.net>
Marco Valleri (NaGA) <naga@antifork.org>
SEE ALSO
etter.conf(5) ettercap_curses(8) ettercap_plugins(8) etterlog(8) etterfilter(8)
AVAILABILITY
http://ettercap.sourceforge.net/download/
CVS
cvs -d:pserver:anonymous@cvs.ettercap.sf.net:/cvsroot/ettercap login
cvs -d:pserver:anonymous@cvs.ettercap.sf.net:/cvsroot/ettercap co ettercap_ng
BUGS
Our software never has bugs.
It just develops random features. ;)
KNOWN-BUGS
- ettercap doesn’t handle fragmented packets... only the first segment will be displayed by the sniffer. However all the fragments are correctly forwarded.
+ please send bug-report, patches or suggestions to <alor@users.sourceforge.net> or visit http://ettercap.sourceforge.net/forum/ and post it in the BUGS section.
+ to report a bug, follow the instructions in the README.BUGS file
PHILOLOGICAL HISTORY
"Even if blessed with a feeble intelligence, they are cruel and smart..." this is the description of Ettercap, a monster of the RPG Advanced Dungeons & Dragons.
The name "ettercap" was chosen because it has an assonance with "ethercap" which means "ethernet capture" (what ettercap actually does) and also because such monsters have a powerful poison... and you know, arp poisoning... ;)
The Lord Of The (Token)Ring
(the fellowship of the packet)
"One Ring to link them all, One Ring to ping them,
one Ring to bring them all and in the darkness sniff them."
Last words
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." - Rich Cook
Copyright information:
The English original comes from the Linux man page; you can type
man ettercap
in bash to get the English version.
The formatted version selected for this web page comes from https://www.irongeek.com/i.php?page=backtrack-3-man/ettercap
The Chinese version was translated by BaiduFanyi, then polished by hand with several errors corrected.