Ettercap Cheat Sheet

Ettercap is a free, open-source tool that can be used for man-in-the-middle attacks on networks. As such, it can be a threat to network security. However, network administrators need to be aware of this tool to check the vulnerabilities of their systems.

What is Ettercap?

It is a packet capture tool that can write packets back onto the network. Thus, data streams can be diverted and altered on the fly. The system can also be used for protocol analysis to analyze network traffic and work out which applications generate the most traffic.

There is a GUI interface for Ettercap, and it is also possible to use Ettercap at the command line. However, the interface is not so hot. Moreover, given the high standard of network monitoring tools that network administrators are used to nowadays, it is unlikely that you would get Ettercap to perform network traffic analysis.

The most common uses for Ettercap are man-in-the-middle attacks through ARP poisoning. Additionally, hackers use this tool, and you can use it for penetration testing.

Ettercap operating system compatibility

Ettercap is primarily a tool for Linux and other Unix-like operating systems. It is available for the following Linux distros:

The software will also run on Unix:

Mac operating system versions that the official release notes say will run Ettercap are:

  • 10.6 Snow Leopard
  • 10.7 Lion

The release notes state that the Ettercap can be installed on Windows, but this implementation is not supported. There is a second version of Ettercap that is available for 32-bit systems running Windows. The Windows version mentioned by the developers are:

  • Windows Vista
  • Windows 7
  • Windows 8

Install Ettercap

The installation process is slightly different for each operating system.

Install Ettercap on Kali Linux

If you have Kali Linux, there isn’t anything that you need to do to install Ettercap. It is already installed.

Install Ettercap on Ubuntu Linux

Go to the command line and enter the two commands:

sudo apt update

sudo apt install ettercap-common

Install Ettercap on Debian, BackTrack, and Mint Linux

Open a Terminal session and enter:

sudo apt update

sudo apt-get install ettercap-gtk

Install Ettercap on CentOS, Fedora, and RHEL

Issue the commands:

sudo apt update

yum install ettercap

Install Ettercap on Windows Vista, Windows 7, and Windows 8

  1. Go to the Web page https://sourceforge.net/projects/ettercap/files/unofficial%20binaries/windows/
  2. Click on the top .msi entry listed on the page.
  3. Choose a directory to download the file.
  4. Click on the installer file once it has been downloaded.

What is the best operating system for Ettercap

The latest version of the Windows-compatible package for Ettercap available on SourceForge was posted in December 2011. Unfortunately, this is very old, and user feedback reports that the system crashes frequently.

You will see several sites that claim to have a working version of Ettercap for Windows 10. However, be careful – only download software from well-known sites, such as GitHub or SourceForge. Hackers set up their download sites to lure in trusting members of the public. The software you find on these sites is fake and contains malware instead of the promised utilities.

To summarize, there is no working version of Ettercap, and the version for Windows 7 and Windows 8 doesn’t work very well. The only serious version of Ettercap is available for Linux. The system works well on any version of Linux. However, the best distro for using Ettercap is probably Kali Linux.

Using Ettercap

You can test the resilience of your system settings by running a range of white hat hacker attacks in a penetration testing exercise with the Ettercap utilities. The episodes you can emulate are:

  • Man-in-the-middle attacks
  • DNS spoofing
  • Credentials capture
  • DoS attack

Let’s take a look at each of these attacks and how you can implement them with Ettercap.

Man-in-the-middle attacks

In a man-in-the-middle attack, each side in a network conversation thinks they are exchanging data with each other but communicating with the hacker. For example, a connects to B, but the hacker intercepts the connection request and responds to A, pretending to be B. Optionally, at the same time, the hacker might connect to B, pretending to be A. This second connection would be necessary to extract data from B that will enable the hacker to convince A that it is connected to B.

The primary motivation for the man-in-the-middle attack is to steal data from A so that the hacker can later access B in the guise of A. In this case, the hacker doesn’t actively need to interact with the victim, just watch traffic passing back and forth between the victim and the site on the Web.

A typical goal in this attack scenario would be to steal a user’s login credentials for a valuable system, such as online banking. The same aim can be satisfied with phishing email scams, which are technically easier to implement, and so currently, man-in-the-middle attacks are not so prevalent.

There are two ways to divert traffic through your computer for manipulation, and both can be implemented with Ettercap. The first of these is ARP poisoning, and the second is a DNS attack. ARP poisoning is the easiest method of the two and better results for a man-in-the-middle attack on a local network. The ARP poisoning method lies at the heart of Ettwrcap’s attack methodology.

Adjust the Ettercap configuration for ARP poisoning

First, update the Ettercap configuration file to accrue traffic to the superuser.

sudo vi /etc/Ettercap/etter.conf

Look for the [privs] section in the file. Change the following two lines.

ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default

Save the file.

Set up the MITM attack

Make a note of your network’s router. Type the following command:

ip r

The results will state default via and then an IP address. This is the address of the router. Write it down.

Start up Ettercap with its front-end graphical interface. With the command:

sudo -E Ettercap -G

In this attack strategy, we will get the victim’s computer to believe our computer is the router. The sending computer already knows the IP address of the router. We won’t change that. Instead, we will link the MAC address of our computer to that IP address.

Ettercap Interface

Click on Sniff in the top menu and then select Unified Sniffing from the drop-down menu. You will see an Ettercap Input dialog box. Select the network interface that is on the same network as the target computer and press OK.

Click on the Hosts option on the top menu and select Scan for hosts from the drop-down menu. Next, click on the Hosts option again and choose Hosts List. This will show you the other devices connected to the network. First, you need to work out which of these is your target computer.

The Hosts List shows the IP addresses of all computers connected to the network. Click on the line for the target and click on the Add to Target 1 button. Next, click on the address of the network’s router and press the Add to Target 2 button. You can add as many Target 1 addresses as you like. For every Target 1 address, you insert in this setup, the computer associates with that IP address will have its traffic diverted through the computer running the Ettercap system. All other computers will communicate with the router in the usual manner.

Click on the MITM option on the top menu and then on ARP poisoning. In the dialog box that appears, select Sniff remote connections and then click on OK. Next, click on the Start option in the top menu and then choose Start Sniffing. This remaps the IP address of the router to your computer. The Ettercap system will forward the traffic to the actual router and channel responses back to the target.

Run the MITM attack

Now you will receive all of the traffic from that target machine going to the router. Any HTTPS connections will be downshifted to unprotected HTTP communication.

In the Ettercap interface, click on the View option on the top menu and select Connections from the drop-down menu. Next, click on a line in the connection list shown in the central panel of the interface to open a split board. This will show you the packet header data for the connection. If the payload isn’t encrypted, you should read the contents of the packet body.

DNS spoofing

To hijack traffic between a target and an external website to perform a man-in-the-middle attack, you can use DNS spoofing.  The domain name system cross-references Web domain names with the actual IP addresses of the servers that host the pages for that site. Therefore, updating a local DNS server to give your IP address for a domain will enable you to capture traffic to and from that site.

The DNS spoofing option allows you to read and pass through all traffic or intercept it completely, delivering your version of the desired website to the victim.

Adjust the Ettercap configuration for DNS spoofing

You need to alter the configuration file of your Ettercap instance to perform DNS spoofing. DNS spoofing doesn’t replace the ARP poisoning technique explained in the previous section. You need the ARP poisoning system to be active through Ettercap for the DNS spoofing service to work.

Edit the etter.dns file with Vi:

sudo vi /etc/Ettercap/etter.dns

This file will be the local DNS database referred to by your target computer. This is the closest DNS server to the victim, so any sites that aren’t mentioned in your local record will be referenced through the next closest, which the victim’s DNS server will specify.

Enter a record for the website that you want to capture connections for. This should be in the format <domain name> A <server IP address>. For example, if you want all traffic from the victim’s computer to compatritech.com to be delivered to your computer on the network and your local address is 127.0.0.3, the record you write in would be:

comparitech.com A 127.0.0.3

You can make as many entries as you like, and it is possible to point many different sites to the same address.

Save the altered etter.dns file.

Run the DNS spoofing attack

When running these tests, you have the advantage of being inside the local network. A hacker could use this tool to divert requests to any location on earth – the new server address doesn’t have to be on the local network. However, with Ettercap, the interception provided by the ARP poisoning has to be operating on the local network for this attack to work.

Go to the Ettercap interface. Remember, it should already be running ARP poisoning for one or several victims on the network.

Click on Plugins in the top menu and then select Manage the plugins from the drop-down menu. This will open a new tab in the interface and list all available plugins. Scan the list and find dns_spoof. Double-click on this line to activate the service. This means that you etter.dns becomes the local DNS server for the victim computers you have in your Target 1 hosts list.

Credentials capture

You can read the contents of passing packets in the Ettercap interface once ARP poisoning is active. However, if the target computer uses HTTPS to communicate with websites, all of the traffic will have the contents of the packet payload encrypted. The encryption key will be negotiated between the two ends of the connection when contact is established. The easiest way to break this protection is to remove the need for HTTPS. This stops the victim’s computer from using HTTPS and forces it just to use HTTP to communicate with websites, thus leaving the payload unencrypted and readable.

Go back to the etter.conf file and edit it:

sudo vi /etc/Ettercap/etter.conf

Skip to the section that says # if you use iptables and remove the comment hash from the front of the two redir lines. These downgrade SSL connections to unprotected HTTP. Save the file.

Now, when you go back to the Ettercap interface and View > Connections, you will be able to read the packet contents and find the usernames and passwords passed within the HTML protocol message format.

DoS attack

You can completely block all web access for specific endpoints on your network through Ettercap. To do this, you need to have the ARP poisoning attack, described above, operating. After that, the block will work for all of the endpoints added to your Target 1 list.

Once the ARP poisoning is running, click on Plugins in the top menu and select Manage the plugins from the drop-down list. This will show a list of available services. Scan down the list to find a line for dos_attack. This is usually the following line after the dns_spoof entry. Double click on the dos_attack line to activate the attack.

Defending against Ettercap

This guide has shown you a few easy tests to see how hackers can mess up the communications on your network using Ettercap. Although Ettercap is known as a hacker tool, it has one weakness: it needs to be running on a computer within a network to be effective.

In this guide, we looked at how to use Ettercap through its graphical user interface. However, there is also a command-line version, and this could be set up without any visible indicators on the targeted computer. A hacker could write scripts to install Ettercap and set an ARP poisoning session running without the user seeing this background operation.

One way to defend against the use of Ettercap by hackers to damage your network security is to scan every endpoint for the Ettercap process. This can easily be performed by any endpoint detection and response (EDR) service, which will probably already be primed to spot and kill Ettercap.

The most likely way that a hacker would get Ettercap running on one of your network’s endpoints is to masquerade an installer program, which is also known as a “dropper”, as a PDF or a zip file attached to an email. This would then activate once the conned user opened it. Thus, it is essential to educate users against opening attachments on emails.

Ettercap FAQs

What is Ettercap used for?

Ettercap is a security analysis tool that emulates a “man in the middle” attack to detect system vulnerabilities. The service deploys techniques such as ARP poisoning and password decryption to capture traffic and insert fake responses into the stream. It can also be used for DoS attacks.

Is Ettercap a sniffer?

Ettercap was originally designed to be a packet sniffer and that function is still at the heart of the tool. Think of Ettercap as a packet sniffer with added functions. Those extra functions are now considered to be the main reason to use Ettercdap – for network attacks or penetration testing.

What is ARP spoofing vs ARP poisoning?

ARP Spoofing and ARP Poisoning are used to mean the same thing, which is altering address resolution protocol records. “Spoofing” means impersonating, so ARP spoofing means representing a computer with the IP address that was originally assigned to another computer’s MAC address. In the interest of thoroughness, this should also include altering the relevant ARP record. “Poisoning” means corrupting the ARP table. It is possible to implement spoofing without poisoning. However, this relies on the tricked computer not checking ARP tables, so it is better to implement poisoning as well.