Ettercap: a multi-function switched-LAN sniffer


By yaojs@263.net
Ettercap was originally designed as a sniffer for switched LANs. As it developed, however, it gained more and more functions and became an effective and flexible man-in-the-middle tool. It supports active and passive protocol dissection and includes many network and host analysis features (such as OS fingerprinting).

Ettercap has five sniffing methods:

1. ipbased

In the IP address-based sniffing mode, ettercap selects packets by source IP:port and destination IP:port.

2. macbased

In the MAC address-based mode, ettercap selects packets by source MAC address and destination MAC address (this method is useful when capturing packets that pass through the gateway).

3. arpbased

In the ARP-based mode, ettercap uses ARP spoofing to sniff the communication between two hosts on the LAN (full duplex).

4. smartarp

In the smartarp mode, ettercap uses ARP spoofing to sniff the communication between one host and all the other known hosts (the hosts in the host table) (full duplex).

5. publicarp

In the publicarp mode, ettercap uses ARP spoofing to sniff the communication between one host and all the other hosts (half duplex). This method sends the ARP replies as broadcasts; but if ettercap already has a complete host table (because the LAN was scanned when ettercap started), it automatically selects the smartarp method and sends the ARP reply to every host except the monitored one, to avoid IP address conflict messages on Windows 2000.

The main features of ettercap include:

1. Injecting data into existing connections: you can inject data towards the server or the client on top of the existing connection, to simulate commands or replies.

2. SSH1 support: you can capture the username and password of an SSH1 connection, and even the rest of its data. Ettercap was the first software able to sniff an SSH connection in full duplex.

3. HTTPS support: you can sniff the data of an HTTP SSL connection, even when it goes through a proxy.

4. Remote traffic through a GRE tunnel: you can sniff the data stream of a GRE tunnel from a remote Cisco router and perform man-in-the-middle attacks on it.

5. Plug-in support: you can create your own plug-ins using the ettercap API.

6. Password collection: you can collect the passwords of the following protocols: telnet, FTP, POP, rlogin, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, Napster, IRC, RIP, BGP, SOCKS5, IMAP4, VNC, LDAP, NFS, SNMP, Half-Life, Quake 3, MSN and YMSG (support for new protocols is coming soon).

7. Packet filtering and dropping: you can build a filter chain that searches for a particular string (or even a hexadecimal sequence) in TCP/UDP packets and replaces it with your own data, or drops the whole packet.

8. Passive OS fingerprinting: you can obtain detailed information about the computers on the LAN passively (without sending any packets), including the operating system version, the running services, the open ports, the IP address, the MAC address and the NIC vendor.

9. OS fingerprinting: you can obtain the OS fingerprint of the target host and its NIC vendor information (using the Nmap database by Fyodor).

10. Killing connections: you can kill any connection in the connection list, or even all of them.

11. Packet forging: you can build and send forged packets, forging everything from the Ethernet header up to the application layer.

12. Binding a sniffed data stream to a local port: you can connect a client program to that port to decode the protocol further or inject data into it (only available with the ARP-based methods).

Ettercap has the following advantages:

1. It does not depend on the common libraries such as libpcap and libnet.

2. ARP-spoofing-based sniffing does not require putting the NIC of the host running ettercap into promiscuous mode.

3. It can run in the background.

Is it cool?!

Ettercap options:

<1> Sniffing mode:

-a, --arpsniff

ARP-based sniffing.
This selects the method for sniffing a switched network; if you want to use man-in-the-middle techniques, you must use this option. When it is used together with silent mode (the -z option), you must specify two IP-MAC pairs for the arpbased mode (full duplex), or one IP-MAC pair for the publicarp mode (half duplex). In publicarp mode the ARP replies are sent as broadcasts; however, if ettercap has a complete host table (from scanning the LAN at startup), it automatically selects the smartarp method: the ARP reply is sent to every host except the target, and a hash table is built so that, under full duplex, packets can later be forwarded from the sniffing host to the clients intercepted in the man-in-the-middle attack.
Note: if you use the smartarp method for ARP spoofing, you must set the gateway IP address (the gwip option) in the configuration file and load that file with the -e option; otherwise the client will not be able to reach remote hosts. The packet filtering functions that replace or drop packets can only be used in the arpbased mode, because the TCP sequence numbers of the packets must be adjusted to keep the connection alive.

-s, --sniff

IP-based sniffing.
This is the oldest sniffing method. It works in a hub environment but not on a switched network. You can specify only the source or the destination IP address, leave out the ports, or specify nothing at all, which means sniffing every host on the network. "ANY" can be used in place of an IP address and matches traffic from or to any host.

-m, --macsniff

MAC-based sniffing.
Suitable for sniffing TCP traffic with remote hosts. In a hub environment, if you want to monitor the connections that go through the gateway, you cannot simply specify the IP address of the monitored host and the IP address of the gateway, because the packets carry the address of the external host, not that of the gateway; so no IP address fits. To monitor the traffic between the inside and the outside, you only need to specify the MAC address of the monitored host and the MAC address of the gateway; you then see all of the monitored host's Internet traffic.

<2> Offline sniffing:

-T, --readpcapfile <FILE>

Offline sniffing.
With this option, ettercap reads the packets from a pcap-compatible file instead of sniffing them from the network. This is ideal if you have dump files produced by tcpdump or Ethereal and want to analyze them.

-Y, --writepcapfile <FILE>

Dump the packets to a file in pcap format.
If you must use an active method (ARP spoofing) to sniff a switched LAN but want to analyze the intercepted packets with tcpdump or Ethereal, choose this option. It dumps the sniffed packets into a file that you can then load into the appropriate program.

<3> General options

-N, --simple

Non-interactive mode.
Use this option if you want to run ettercap from a script, if you already know some information about the targets, or if you want to run ettercap in the background to collect data or passwords (together with the --quiet option). Some ettercap functions that need interaction, such as character injection, are not available this way, but the others, such as filtering, are fully supported. So ettercap can ARP-spoof two hosts (a monitored host and its gateway), filter all of its connections on port 80 and replace some strings, and all the traffic between that host and the Internet will change as you wish.

-z, --silent

Start in silent mode (no ARP storm at startup).
Use this if you want to start ettercap in a non-aggressive way (some NIDS raise an alarm when they see too many ARP requests). To use this option you must already know all the necessary information about the targets: for example, to spoof two hosts you must know the IP and MAC addresses of both. If you select IP- or MAC-based sniffing, this option is selected automatically because the list of hosts on the LAN is not needed. If you want the information about all hosts, use "ettercap -Nl", bearing in mind that this is the aggressive method.

-O, --passive

Collect information passively.
This method sends no packets onto the network. It puts the network adapter into promiscuous mode and watches the packets flowing past. It analyzes every packet of interest (SYN and SYN+ACK) and uses that information to build a complete map of the hosts on the LAN. The collected information includes each host's IP and MAC address, the NIC vendor, the operating system type (passive OS fingerprint) and the running services. The list also carries other markers: "GW" if the host is a gateway, "NL" if the IP address does not belong to this segment, and "RT" if the host has acted as a router. Select this option if you need to build a complete host list passively. When you are satisfied with the collected information, press the "c" key to turn it into the host list and then work as usual. The role of this option in simple mode is explained in the next section.

-b, --broadping

At startup, use a broadcast ping instead of an ARP storm to discover the hosts on the network.
This method is less reliable and accurate: some hosts (Windows, for example) do not answer broadcast pings, and in this mode those hosts are invisible. The option is useful if you want to scan the Linux hosts on the LAN. It is usually combined with the --list option to obtain the host list: "ettercap -Nlb".

-d, --delay <n sec>

If you selected an ARP spoofing mode, this option controls the delay, in seconds, between the ARP replies. It helps if you want to avoid too dense a traffic pattern. In most operating systems the default ARP cache lifetime exceeds one minute (1200 seconds on FreeBSD). The default delay is 30 seconds.

-Z, --stormdelay <n usec>

The number of microseconds between ARP requests during the ARP storm at startup. Use this option to avoid too dense a scan: many IDS raise an alarm on too many ARP requests, but if you send the ARP packets at a lower rate the IDS will not report anything unusual. The default delay is 1500 microseconds.

-S, --spoof <ip>

If you want to fool an IDS, you can use a forged IP address for the ARP scan of the LAN. The source MAC address cannot be forged, however, because a well-configured switch would block your packets.
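The startup ARP storm tuned by --stormdelay, the periodic spoofed replies tuned by --delay, and the IP conflict those replies provoke are all visible to whoever monitors the LAN. The following is an added example, not ettercap code: it flags a sender whose ARP request rate spikes and any IP whose MAC binding changes, run over constructed ARP records (the MAC and IP values are hypothetical).

```python
from collections import defaultdict, deque

# Constructed sample addresses (hypothetical, not from the page).
GW_MAC = "02:00:00:00:00:01"
VICTIM_MAC = "02:00:00:00:00:10"
ATTACKER_MAC = "02:00:00:00:00:99"
GW_IP = "192.168.0.1"


def build_sample():
    """Constructed ARP records: (time_s, op, sender_mac, sender_ip).

    Normal traffic first, then a host-discovery storm of 30 requests spaced
    1.5 ms apart (the page's default --stormdelay of 1500 microseconds),
    then spoofed replies for the gateway IP every 30 s (the default --delay).
    """
    rec = [
        (0.00, "request", VICTIM_MAC, "192.168.0.10"),
        (0.01, "reply", GW_MAC, GW_IP),
        (0.50, "request", GW_MAC, GW_IP),
    ]
    rec += [(5.0 + i * 0.0015, "request", ATTACKER_MAC, "192.168.0.99")
            for i in range(30)]
    rec += [(10.0 + i * 30.0, "reply", ATTACKER_MAC, GW_IP) for i in range(3)]
    return rec


def detect_storm(records, window_s=1.0, threshold=20):
    """Return {sender_mac: peak requests within any window_s} for senders
    whose peak reaches threshold. Keyed by sender MAC because, as the page
    notes, the MAC cannot be forged on a well-configured switch even when
    the IP in the ARP scan (-S/--spoof) is."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for t, op, mac, _ip in sorted(records):
        if op != "request":
            continue
        q = recent[mac]
        q.append(t)
        while t - q[0] > window_s:     # drop timestamps outside the window
            q.popleft()
        peak[mac] = max(peak[mac], len(q))
    return {mac: n for mac, n in peak.items() if n >= threshold}


def detect_conflicts(records):
    """Return [(time, ip, first_mac, claiming_mac)] for every reply that
    claims an IP already bound to a different MAC: the same condition that
    makes Windows 2000 report an IP address conflict, as the page mentions."""
    binding = {}
    alerts = []
    for t, op, mac, ip in sorted(records):
        if op != "reply":
            continue
        first = binding.setdefault(ip, mac)   # remember the first claimant
        if first != mac:
            alerts.append((t, ip, first, mac))
    return alerts


if __name__ == "__main__":
    sample = build_sample()
    print("storm senders:", detect_storm(sample))
    for t, ip, first, claimant in detect_conflicts(sample):
        print("IP %s bound to %s but claimed by %s at t=%.1fs"
              % (ip, first, claimant, t))
```

On real traffic the records would come from a pcap or an ARP-monitoring tool; the first reply seen is trusted as the baseline, so the baseline should be taken from a known-clean capture.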

-H, --hosts <IP1[,IP2][,IP3][,...]>

Scan only these hosts at startup.
Select this option if you want to ARP-scan only some IP addresses. That way you get the benefit of the ARP scan while keeping your activity as low as possible. The option is also useful when you want to use the publicarp method but poison only a few hosts: publicarp switches automatically to smartarp once you have a host list, so only these hosts are spoofed and the ARP caches of the other hosts are left untouched. The host list is written in dotted notation; entries are separated by semicolons (with no spaces between them), a hyphen denotes a range within an octet, and a comma-separated list gives several values for an octet.
Example:
192.168.0.2-25: hosts 2 to 25
192.168.0.1,3,5: hosts 1, 3 and 5
192.168.0-3.1-10;192.168.4.5,7: hosts 1 to 10 in the subnets 192.168.0, 192.168.1, 192.168.2 and 192.168.3, and hosts 5 and 7 in the subnet 192.168.4
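An expander for the host specification as this page describes it (an added example written from that description, not ettercap's own parser; the function names and the optional hosts_in_network check against a CIDR are my own). It makes explicit which addresses a spec covers, which is the first thing to check when reviewing such a command line.

```python
import ipaddress
import itertools


def _expand_field(field):
    """Expand one octet field such as '1,3,5' or '2-25' into sorted ints."""
    values = set()
    for part in field.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"range {part!r} is reversed")
            values.update(range(lo, hi + 1))
        else:
            values.add(int(part))
    for v in values:
        if not 0 <= v <= 255:
            raise ValueError(f"octet value {v} out of range in {field!r}")
    return sorted(values)


def expand_hosts(spec):
    """Return the dotted IPv4 strings the spec denotes, in spec order.

    Entries are separated by ';', each entry has four '.'-separated octet
    fields, and each field is a comma list of values or 'a-b' ranges.
    Addresses covered by more than one entry are returned once."""
    seen = set()
    result = []
    for entry in spec.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        fields = entry.split(".")
        if len(fields) != 4:
            raise ValueError(f"entry {entry!r} does not have four octets")
        octets = [_expand_field(f) for f in fields]
        # Cartesian product: the last octet varies fastest, as in the
        # page's "192.168.0-3.1-10" example.
        for combo in itertools.product(*octets):
            ip = ".".join(str(o) for o in combo)
            if ip not in seen:
                seen.add(ip)
                result.append(ip)
    return result


def hosts_in_network(spec, network):
    """Subset of expand_hosts(spec) inside the CIDR `network`, e.g. to
    confirm that a spec stays within the local segment."""
    net = ipaddress.ip_network(network, strict=False)
    return [ip for ip in expand_hosts(spec) if ipaddress.ip_address(ip) in net]


if __name__ == "__main__":
    for example in ("192.168.0.2-25", "192.168.0.1,3,5",
                    "192.168.0-3.1-10;192.168.4.5,7"):
        ips = expand_hosts(example)
        print(f"{example}: {len(ips)} hosts, {ips[0]} .. {ips[-1]}")
```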

-D, --dontresolve

Do not resolve IP addresses at startup.
If you see an endless "Resolving n hostnames..." message when the program starts, this option will help. The cause is a slow DNS on your network.

-i, --iface <iface>

The network interface used for all operations.
You can even specify an interface alias, to scan a subnet different from the one your current IP address belongs to.

-n, --netmask <netmask>

The netmask used to scan the LAN (in dotted notation).
The default is the netmask that ifconfig reports for the interface. If your netmask is, for example, 255.255.0.0, you are encouraged to specify a more restrictive one when you perform the ARP scan at startup.

-e, --etterconf <FILENAME>

Use a configuration file instead of command line parameters.
The tarball contains an etter.conf file with configuration examples; refer to them to learn how to write the file, since all the instructions are given there. Through the configuration file you can selectively disable a protocol dissector or move it to another port. Command line options and the configuration file can be combined very flexibly. Remember that the options in the configuration file override the command line options: if etter.conf specifies iface: eth0 and you start the program with "ettercap -i eth1 -e etter.conf", the final choice is eth0.
Note: the "-e etter.conf" option must come after all other options, that is, it must be the last one.

-g, --linktype

This flag has two complementary functions, so pay attention to it.
In interactive mode it disables the check of the LAN type. In command line mode (-N), on the other hand, it enables the check of whether the LAN is switched. Sometimes, if there are only two hosts on the LAN, this detection can fail.

-j, --loadhosts <FILENAME>

Load the host list from the specified file. The file is created with the -k option.

-k, --savehosts

Save the host list to a file.
This option helps when the target network has many hosts and you do not want an ARP storm at every startup: specify it once and the list is dumped to a file, then load the list from that file with the -j <FILENAME> option. The file name has the form "netaddress_netmask.etl".

-v, --version

Check for the latest ettercap version.
Everything stays under your control: each step requires your confirmation. With this option ettercap connects to the http://ettercap.sourceforge.net web site on port 80, requests /latest.php, parses the result and compares it with your current version. If a newer version is available, ettercap asks whether it should fetch it with wget (which must be in the PATH). If you want to answer yes to all questions automatically, add the -y option.

-h, --help

Display the help on the screen, with a brief description of each option.

<4> Simple mode options (can only be used with the -N option)

-t, --proto <proto>

Sniff only packets of the given protocol (TCP+UDP by default).
This option is only useful in simple mode; when ettercap is started in interactive mode both TCP and UDP packets are sniffed. PROTO can be tcp, udp or all.

-J, --onlypoison

This option stops ettercap from sniffing any traffic; it only poisons the targets. Use it if you want ettercap to do the spoofing and other software, such as tcpdump or Ethereal, to do the sniffing (note that ip_forwarding must be enabled in that case).
Another use is multi-target sniffing. As you know, ettercap can sniff the connections between two targets (arpbased) or all the traffic in and out of one target (smartarp). With this option you can poison several targets at the same time, by starting several instances. Start the first instance with smartarp and use the -H option to restrict the smart function to the hosts you want to poison (remember that if the gateway takes part in the spoofing, it must be specified in the instance running in smart mode), then start the other instances with "ettercap -J".

-R, --reverse

Sniff all connections except the selected ones. If you run ettercap on a remote host and want to sniff every connection except the one between you and that host, select this option: if that connection were included, ettercap would sniff its own output and keep adding to it.

-O, --passive

Collect information passively. In simple mode this option can be used in several ways. "ettercap -NO" starts ettercap in semi-interactive mode; press "h" for help. You can view the collected information, log it to a file, or simply browse the dissected packets. "ettercap -NOL" works the same way but logs the data to a file automatically, every 5 minutes. "ettercap -noscsi" makes ettercap write the log to files every 5 minutes: you can walk away, smoke a cigarette, and a complete report on the LAN will be waiting for you...

-p, --plugin <name>

Run the external plug-in "name".
Most plug-ins require a target host; just specify it after the plug-in name. In fact, when the hosts on the command line are parsed, the first host is DEST and the second is SOURCE. To get the list of available external plug-ins, use "list" (without the quotes) as the plug-in name. Since ettercap 0.6.2 provides a hook plug-in system, some plug-ins do not run on their own: they interact with ettercap and can be enabled or disabled through the interface or the configuration file. For more about plug-ins and how to write your own, see the README.PLUGINS file.

-l, --list

List all the hosts on the LAN and report each one's MAC address.
It is usually used together with the -b (broadcast ping) and -D (do not resolve host names) options.

-c, --collect

Collect all the usernames and passwords of the hosts specified on the command line.
The password collectors are configured in the configuration file (etter.conf); if necessary you can selectively disable them or move them to another port. This is useful if, for example, you do not want to collect SSH connections but do want the data from all other protocols. If you know that a host runs the telnet service on port 4567, just move the telnet dissector to 4567/tcp.

-f, --fingerprint

Collect the OS fingerprints of the hosts.
This option uses the same method and database as Nmap by Fyodor (fyodor@insecure.org), so here is a passage from its man page:
This option identifies the remote host by TCP/IP fingerprinting. In other words, it uses a set of techniques to probe the characteristics of the network stack of the scanned host, builds a fingerprint from that information, and compares it with the known OS fingerprint database to determine the operating system of the scanned host.
The -f option can also give you the vendor of the network adapter of the scanned host; that information is stored in the mac-fingerprints database.

-x, --hexview

Dump the data in hexadecimal.
Tip: while sniffing you can change the display at any time; just press the "X" or "H" key to show the data in hexadecimal or as ASCII characters.

-L, --logtofile

Used on its own, this option saves all the data to files. It creates a separate file for each connection, named YYYYMMDD-P-IP:PORT-IP:PORT.log on UNIX systems and P-IP[PORT]-IP[PORT].log on Windows. Used together with the -c option, it creates a file named YYYYMMDD-collected-pass.log that records all the sniffed passwords.

-q, --quiet

Daemonize ettercap.
Use this option if you want to log all the data in the background. It detaches ettercap from the current TTY and runs it as a daemon. It must be used with the -NL (or -NcL) options, otherwise it does nothing. Obviously you also need to specify a sniffing method, so this option must be combined with one of the options that select it.

-w, --newcert

Create a new certificate file for the HTTPS man-in-the-middle mode.
Use this option if you want to create a certificate with information obtained through social engineering. The new file is saved in the current working directory. To replace the default certificate file (etter.ssl.crt) permanently, you must overwrite /usr/local/share/etter.ssl.crt.

-F, --filter <FILENAME>

Load the filter chain from the file FILENAME.
The filter chain file is written in a pseudo-XML format. You can write it by hand or create it through the ettercap user interface (press the 'F' key on the connection list screen). If you are familiar with XML, you can write your own program to generate filter chain files.

The filtering rules are simple:
If the protocol <proto>, source port <source>, destination port <dest> and data stream <search> match the rule, then after the filter has performed its <action> it jumps to the filter ID given in the <goto> field; otherwise it jumps to <elsegoto>. If these fields are empty, the chain stops. A source or destination port of 0 means any port. Wildcards can be used in the search string (see the README for details).

Note: this option enables the filter. If you want to disable it while sniffing, press "S" (source) or "D" (destination).

Note: on the command line the hosts are parsed as "ettercap -F etter.filter DEST SOURCE", so the first host is bound to the destination chain and the second to the source chain.
Important: the source chain is applied to the data sent FROM the source, not to the data sent TO the source. Remember this!!! The same holds for the destination.

-C, --check

Check whether someone else on the LAN is poisoning you.
The target hosts on the command line are parsed in reverse order: the first host is DEST and the second is SOURCE. If you sniff in IP-based mode the order does not matter, because source and destination are ignored; but if you are filtering connections the order is very important, since it binds the hosts to the corresponding filter chains.
This reversed order comes from a more flexible interface to the plug-ins: since some plug-ins need only a target host, the form "ettercap -Np ooze victim" is simpler than "ettercap -Np ooze noone victim".
Targets can be given in dotted notation (192.168.0.1) or as host names (victim.mynet.org). Wildcards can only be used in the -H option.

<5> Interactive mode

If the -N option is not given when ettercap starts, interactive mode is selected automatically. If at some point you do not know what to do, just type 'h' to open the help screen, which lists the commands you can run.

<6> Working offline

If you want to analyze libpcap files saved by tcpdump or Ethereal, you can use this facility to rebuild the connection list, collect passwords or collect passive OS fingerprints from them. To do so, specify the -T option and then use ettercap just as you would on live network traffic. To save a tcpdump-format file for later analysis, use the -Y option.
