Ettercap Review and Alternatives

Ettercap is a well-established penetration testing tool. This system has been available for free since January 2001. A group of volunteers maintains the system. Alberto Ornaghi and Marco Valleri developed the software. Both of these innovators have full-time jobs elsewhere and didn’t set up a company to market Ettercap. So, there is no commercialization for this project and no sponsoring corporation.

The lack of a big budget means that the Ettercap project struggles to keep its software up to date. For example, although there is a version of Ettercap for Windows, the software hasn’t been updated to allow it to run on Windows 10.

What does Ettercap do?

Ettercap is designed to test the security of Web applications. The service works through ARP poisoning. This fools the computers on a network to send its internet-bound traffic to the Ettercap host. This allows the operator to pass traffic through, alter some data, or block transmissions entirely.

The most common activity that Ettercap is used for is the man-in-the-middle attack (MITM). A MITM attack can be instrumental as a research activity because it can gather credentials that will enable a hacker to install malware or remote access Trojans on a target system. However, a significant weakness of this strategy is that Ettercap is only effective if it is already on a computer within the target network. Therefore, Ettercap should be considered an aide to lateral movement within a compromised network rather than a system that will get you in.

How does Ettercap operate?

Ettercap runs in GUI environments through its console. However, the interface has a menu structure, which offers quick access to many of the commands needed to run an Ettercap attack. It is also possible to open a Command Prompt window and access the utility from there.

Ettercap gets a list of devices connected to the network and presents this list to the user. The operator can select one or many of these devices as targets. The user then has to identify the router on the network. Setting this as the second target address gets Ettercap to present the host computer ads the router only to those devices selected by the user. All of the other computers on the network will continue to work with the standard router.

Once Ettercap is active, all traffic from the target computers goes to Ettercap instead of the router. Ettercap will then forward that traffic onto the router. The host of Ettercap acts as a pass-through for all traffic in both directions. The target computers will not know that their traffic is passing through another device on the way to the router.

Ettercap has a nice trick up its sleeve, which forces target computers to switch from HTTPS to HTTP for Web traffic. This is important because the payloads of HTTPS packets are fully encrypted. Getting the target to use HTTP instead makes all packet contents travel in plain text, allowing their contents to be read.

This diversion of traffic presents several opportunities. The user can just look at passing packets, save them into a file with analysis with another tool, or intercept certain packets. It is possible to edit the contents of packets and resend them. It is also possible to block all traffic from those target computers while allowing all other devices to have unrestricted traffic flows.

Ettercap also allows DNS spoofing. This technique can implement many different strategies, such as sinkholing to prevent target users from accessing specific websites. Another option is to divert traffic to well-known sites to copy sites instead. However, this represents further data, identity, and credentials theft and misinformation, phishing, and masquerading opportunities.

Another facility in the Ettercap package allows a DoS attack to be launched against a specific device on the network. This will overwhelm the computer’s network card, making it impossible for the applications on that device to receive any traffic.

Ettercap installation options

Ettercap is bundled into Kali Linux, and that is probably the best operating system to use to host this system. If you don’t have Kali Linux, then any other distro of Linux would be a good choice. The complete list of recommended Linux distros for Ettercap is:

  • Debian
  • Ubuntu
  • Kali
  • BackTrack
  • Mint
  • Fedora
  • Gentoo
  • Pentoo

The following Linux versions are also often used to host Ettercap, but the developers don’t recommend these as strongly as the distros above.

  • OpenSuSe
  • CentOS
  • RHEL

The Ettercap system can also be installed on these versions of Unix:

  • FreeBSD
  • OpenBSD
  • NetBSD

Ettercap will also run on Solaris but the development team doesn’t give advice on those implementations.

The following versions of macOS can be used to host Ettercap:

  • 10.6 Snow Leopard
  • 10.7 Lion

These are the only versions listed on the Ettercap site. However, it will run on later versions.

The download package for all of the above-operating systems can be located at the Download page of the Ettercap site.

There are third-party sites that offer Ettercap for WindowsSoftpedia is one example. However, this download file has the tar.gz extension, which is not a type that Windows can handle. You need to open it with a zip utility.

The Ettercap software runs on 32-bit architecture. It can be run on Windows Vista, Windows 7, and Windows 8. However, it will not run on Windows 10.

Ettercap strengths and weaknesses

The interface for Ettercap looks a little dated. However, the tool is surprisingly easy to use. Furthermore, it works well; as long as you install it on the exemplary architecture and the correct operating system, it won’t give you any problems at installation. To get a deeper insight into using Ettercap, take a look at the Ettercap Cheat Sheet.

The software is reasonably well maintained – the latest release dates to 1 August 2020. While that is now a year old, this update is more recent than the latest versions of many of the established tools you will encounter for penetration testing.

Looking at Ettercap objectively, it has good points and bad points.


  • A long-established and widely used penetration testing tool
  • A reasonable cycle of updates
  • Completely free to use
  • Creates a convincing man-in-the-middle attack
  • Offers methods to isolate specific endpoints


  • It doesn’t run on 64-bit architecture or Windows 10
  • The interface is a little dated

Alternatives to Ettercap

Ettercap is a reliable, free tool that is widely used by hackers and penetration testers alike. Unfortunately, similar free penetration testing tools went the commercial route of taking on sponsors who use the brand for marketing a paid version while providing funds and facilities to allow the original free version to be fully supported. So, it is a good idea to look for other tools that perform similar tasks.

What should you look for in an alternative to Ettercap?  

We reviewed the market for man-in-the-middle attack systems and assessed the options based on the following criteria:

  • The choice of a GUI interface and a command-line utility
  • A system that can capture and display network packets
  • A service that enables attacks to be launched to test security
  • A system that can reveal the encryption standard being used on a network
  • A facility to log results
  • A free tool or the offer of a free trial for a no-cost assessment
  • A paid tool that offers value for money or a free tool that works

With these selection criteria in mind, we have compiled a list of some good penetration testing tools that will enable you to research endpoints and try hacker attack strategies to test system security.

Here is our list of the six best alternatives to Ettercap:

  1. Invicti (GET FREE DEMO) This is a vulnerability manager rather than a penetration testing tool. This service offers many more system security tests than the few available in Ettercap. If you want to automate your system security testing, then you would be better off with Invicti. This tool performs Web application security testing. It can be launched on-demand, on a schedule, or continuously. Not only does this system look for the paths into a system that hackers use, but it also examines code and identifies faults that could compromise security. Invicti is delivered as a SaaS platform or as on-site software for Windows and Windows Server. You can assess this service through a demo system.
  2. Acunetix (GET FREE DEMO) This vulnerability manager will operate from an external position to test Web applications and has an option to scan within a network for exploits. The package is available in three editions, each of which is suitable for different tasks. The Standard edition offers on-demand scanning, which is closer to the type of use that Ettercap is built for; the middle version offers scheduled sweeps. The top package is a continuous testing service used for applications development testing. Acunetix is available as a hosted SaaS packages or for installation on Windows, macOS, or Linux. Assess Acunetix by accessing a demo system.
  3. Burp Suite This is a very close rival to Ettercap, but this is a commercially developed system, so it has a much better appearance. The Community Edition is free to use and offers ARP poisoning strategies for man-in-the-middle attacks. This tool also includes packet capture, DoS attack, and password guessing facilities. In addition, there are two paid versions of Burp Suite that add on vulnerability management and offer automated system testing for Web applications. The interface for Burp Suite is very well organized, offering separate functions for research and attack but allowing data to be easily transferred from one to the other. Burp Suite installs on Windows, macOS, and Linux. Access the Community edition for free or request a free trial of the Professional edition.
  4. Metasploit, This penetration testing tool, started similarly to Ettercap as a free open source tool. However, the project team partnered with Rapid7 to keep the original tool-free but well funded, while Rapid7 developed a higher, paid version. The free version is called Metasploit Framework, and the paid tool is called Metasploit Pro. As with Burp Suite, the free tier offers pen-testing tools while the higher version adds on a vulnerability manager. This tool intercepts traffic on its way to a Web server and enables a range of services, such as snooping and man-in-the-middle attacks. Metasploit runs on Windows, macOS, or Linux, and you can get a 14-day free trial of Metasploit Pro.
  5. Sqlmap The command-line utility offers a series of investigative and attack strategies for the databases that back up websites. The service operates through a single command with a long list of switches and options associated with it. Each option adapts the tool’s execution and produces a series of probes on a given site for database information. The utility makes it possible to discover databased identifiers, attempt to crack credentials, and access data held in the database’s tables. Attack options include methods to extract data and also to alter values in the database’s tables. Sqlmap is available for Windows, macOS, and Linux, and it is free to use.
  6. Intercepter-NG This Russian-produced hacking tool is awe-inspiring, except that much of the information about using it is only available in Russian. The lack of English support means that Intercepter-NG is rarely used outside of Russia; however, it is worth investigating because it offers a range of powerful attack strategies. It can operate on wireless networks and LANs. Methods possible with this tool include network device detection, packet capture, OS fingerprinting, port scanning, and EternalBlue exploit detector, cookie examination, DNS spoofing, ARP poisoning, man-in-the-middle attacks, ARP cage, HTTP injection, and more. This tool is free to use and is available for Windows, Unix, Linux, macOS, and Android.