[Developer Reference] Ettercap help documentation

Ettercap(8) help

(Translated with Baidu Translate and polished by hand; the original English text is appended at the end of this page.)

1. Overview

ettercap - a multipurpose sniffer/content filter for man-in-the-middle attacks

IMPORTANT NOTE

Since ettercap NG (formerly 0.7.0), all the options have been changed. Even the target specification has been changed. Please read this man page carefully.

2. Basic usage

ettercap [OPTIONS] [TARGET1] [TARGET2]

If IPv6 is enabled: TARGET is in the form MAC/IPs/IPv6/PORTs

Otherwise: TARGET is in the form MAC/IPs/PORTs

where IPs and PORTs can be ranges (e.g. /192.168.0.1-30,40,50/20,22,25)

3. Description

Ettercap was born as a sniffer for switched LANs (and obviously even "hubbed" ones), but during the development process it has gained more and more features that have turned it into a powerful and flexible tool for man-in-the-middle attacks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis (such as OS fingerprinting).

It has two main sniffing options:

  UNIFIED: this method sniffs all the packets that pass on the cable. You can choose whether or not to put the interface in promisc mode (-p option). Packets not directed to the host running ettercap are forwarded automatically using layer 3 routing. So you can use a mitm attack launched from a different tool and let ettercap modify the packets and forward them for you. The kernel ip_forwarding is always disabled by ettercap. This is done to prevent a packet from being forwarded twice (once by ettercap and once by the kernel). This is an invasive behaviour on gateways, so we recommend using ettercap on gateways ONLY with the UNOFFENSIVE MODE ENABLED. Since ettercap listens only on one network interface, launching it on the gateway in offensive mode will not allow packets to be rerouted back from the second interface.

  BRIDGED: it uses two network interfaces and forwards the traffic from one to the other while performing sniffing and content filtering. This sniffing method is totally stealthy since there is no way to find out that someone is in the middle of the cable. You can look at this method as a mitm attack at layer 1: you will be in the middle of the cable between two entities. Don't use it on gateways or it will turn your gateway into a bridge. HINT: you can use the content filtering engine to drop packets that should not pass. This way ettercap will work as an inline IPS ;)

  You can also perform man-in-the-middle attacks while using unified sniffing. You can choose the mitm attack that you prefer. The mitm attack module is independent from the sniffing and filtering process, so you can launch several attacks at the same time or use your own tool for the attack. The crucial point is that the packets have to arrive at ettercap with the correct MAC address and a different IP address (only these packets will be forwarded).

 

The most relevant ettercap features are:

SSH1 support: you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the first software capable of sniffing an SSH connection in FULL-DUPLEX.

SSL support: you can sniff SSL secured data... a fake certificate is presented to the client and the session is decrypted.

Characters injection in an established connection: you can inject characters to the server (emulating commands) or to the client (emulating replies) while keeping the connection alive!!

Packet filtering/dropping: you can set up a filter script that searches for a particular string (even hex) in the TCP or UDP payload and replaces it with yours or drops the entire packet. The filtering engine can match any field of the network protocols and modify whatever you want (see etterfilter(8)).

Remote traffic sniffing through tunnels and route mangling: you can play with Linux cooked interfaces or use the integrated plugin to sniff tunneled or route-mangled remote connections and perform mitm attacks on them.

Plug-in support: you can create your own plugin using ettercap's API.

Password collector for: TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG (other protocols coming soon...)

Passive OS fingerprint: you scan the LAN passively (without sending any packet) and gather detailed info about the hosts in the LAN: operating system, running services, open ports, IP, MAC address and network adapter vendor.

Kill a connection: from the connections list you can kill all the connections you want.

4. Target specification

There is no concept of SOURCE nor DEST. The two targets are intended to filter traffic coming from one to the other and vice versa (since the connection is bidirectional).

TARGET is in the form MAC/IPs/PORTs.

NOTE: if IPv6 is enabled, TARGET is in the form MAC/IPs/IPv6/PORTs. If you want you can omit any of its parts and this will represent an ANY in that part.

e.g.

"//80" means ANY mac address, ANY ip and ONLY port 80

"/10.0.0.1/" means ANY mac address, ONLY ip 10.0.0.1 and ANY port

MAC must be unique and in the form 00:11:22:33:44:55

IPs is a range of IPs in dotted notation. You can specify a range with - (hyphen) and single IPs with , (comma). You can also use ; (semicolon) to indicate different IP addresses.

e.g. "10.0.0.1-5;10.0.1.33" expands into IPs 10.0.0.1, 2, 3, 4, 5 and 10.0.1.33

PORTs is a range of ports. You can specify a range with - (hyphen) and single ports with , (comma).

e.g. "20-25,80,110" expands into ports 20, 21, 22, 23, 24, 25, 80 and 110

NOTE: you can reverse the matching of the TARGET by adding the -R option to the command line. So if you want to sniff ALL the traffic BUT the one coming from or going to 10.0.0.1 you can specify "./ettercap -R /10.0.0.1/"

NOTE: TARGETs are also responsible for the initial scan of the LAN. You can use them to restrict the scan to only a subset of the hosts in the netmask. The result of the merge between the two targets will be scanned. Remember that not specifying a target means "no target", but specifying "//" means "all the hosts in the subnet".

5. Privileges dropping

ettercap needs root privileges to open the link layer sockets. After the initialization phase, root privileges are not needed anymore, so ettercap drops them to UID = 65535 (nobody). Since ettercap has to write (create) log files, it must be executed in a directory with the right permissions (e.g. /tmp/). If you want to drop privs to a different uid, you can export the environment variable EC_UID with the value of the uid you want to drop the privs to (e.g. export EC_UID=500) or set the correct parameter in the etter.conf file.

6. SSL MITM attack

While performing the SSL mitm attack, ettercap substitutes the real SSL certificate with its own. The fake certificate is created on the fly and all the fields are filled according to the real certificate presented by the server. Only the issuer is modified and signed with the private key contained in the 'etter.ssl.crt' file. If you want to use a different private key you have to regenerate this file. To regenerate the cert file use the following commands:

 openssl genrsa -out etter.ssl.crt 1024
 openssl req -new -key etter.ssl.crt -out tmp.csr
 openssl x509 -req -days 1825 -in tmp.csr -signkey etter.ssl.crt -out tmp.new
 cat tmp.new >> etter.ssl.crt
 rm -f tmp.new tmp.csr

 NOTE: SSL mitm is not available (for now) in bridged mode.

 NOTE: if you want to specify other files instead of etter.ssl.crt, you can use the --certificate/--private-key long options.

Options that make sense together can generally be combined. ettercap will warn the user about unsupported option combinations.

 

7. Sniffing and attack options

ettercap NG has a new unified sniffing method. This implies that ip_forwarding in the kernel is always disabled and the forwarding is done by ettercap. Every packet with a destination MAC address equal to the host's MAC address and a destination IP address different from the one bound to the iface will be forwarded by ettercap. Before forwarding them, ettercap can content filter, sniff, log or drop them. It does not matter how these packets are hijacked, ettercap will process them. You can even use external programs to hijack packets. You have full control of what ettercap should receive. You can use the internal mitm attacks, set the interface in promisc mode, use plugins or use every method you want.

IMPORTANT NOTE: if you run ettercap on a gateway, remember to re-enable ip_forwarding after you have killed ettercap. Since ettercap drops its privileges, it cannot restore ip_forwarding for you.

-M, --mitm <METHOD:ARGS>

MITM attack

This option will activate the man-in-the-middle attack. The mitm attack is totally independent from the sniffing. The aim of the attack is to hijack packets and redirect them to ettercap. The sniffing engine will forward them if necessary. You can choose the mitm attack that you prefer and also combine some of them to perform different attacks at the same time. If a mitm method requires some parameters you can specify them after the colon. (e.g. -M dhcp:ip_pool,netmask,etc)

The following mitm attacks are available:

arp ([remote],[oneway])

This method implements the ARP poisoning mitm attack. ARP requests/replies are sent to the victims to poison their ARP cache. Once the cache has been poisoned the victims will send all packets to the attacker which, in turn, can modify and forward them to the real destination.

In silent mode (-z option) only the first target is selected; if you want to poison multiple targets in silent mode use the -j option to load a list from a file.

You can select empty targets and they will be expanded as 'ANY' (all the hosts in the LAN). The target list is joined with the hosts list (created by the arp scan) and the result is used to determine the victims of the attack.

The parameter "remote" is optional and you have to specify it if you want to sniff remote IP addresses by poisoning a gateway. Indeed, if you specify a victim and the gw in the TARGETs, ettercap will sniff only the connections between them, but to enable ettercap to sniff connections that pass through the gw, you have to use this parameter.

The parameter "oneway" will force ettercap to poison only from TARGET1 to TARGET2. Useful if you want to poison only the client and not the router (where an arp watcher can be in place).

Example:

the targets are: /10.0.0.1-5/ /10.0.0.15-20/ and the host list is: 10.0.0.1 10.0.0.3 10.0.0.16 10.0.0.18

the associations between the victims will be: 1 and 16, 1 and 18, 3 and 16, 3 and 18

if the targets overlap each other, the association with identical IP address will be skipped.

NOTE: if you manage to poison a client, you have to set a correct routing table in the kernel specifying the GW. If your routing table is incorrect, the poisoned clients will not be able to navigate the Internet.
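The TARGET grammar from the target specification section and the victim association worked through in the arp example above, as an added example written for this page (not ettercap's own parser): the function names such as parse_target and arp_victims and the host list are my own constructions, and hosts are modelled as plain IP strings.

```python
"""TARGET parser plus the -M arp victim association, following the ettercap(8)
rules on this page.  Worked example for this page, not ettercap's own code."""
from __future__ import annotations

import ipaddress
import re
from itertools import product

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def _expand_octet(tok: str) -> list[int]:
    # one octet of a dotted quad: comma list of values or '-' ranges, e.g. "1-30,40,50"
    vals = []
    for part in tok.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {part!r}")
        vals.extend(range(lo, hi + 1))
    return vals


def expand_ips(spec: str) -> list[str]:
    """'10.0.0.1-5;10.0.1.33' -> the six addresses the page lists.
    ';' separates independent addresses; ',' and '-' work inside an octet."""
    ips = []
    for addr in spec.split(";"):
        addr = addr.strip()
        if not addr:
            continue
        octets = addr.split(".")
        if len(octets) != 4:
            raise ValueError(f"not a dotted quad: {addr!r}")
        for combo in product(*(_expand_octet(o) for o in octets)):
            ips.append(".".join(map(str, combo)))
    return ips


def expand_ports(spec: str) -> list[int]:
    """'20-25,80,110' -> [20, 21, 22, 23, 24, 25, 80, 110]."""
    ports = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {part!r}")
        ports.extend(range(lo, hi + 1))
    return ports


def parse_target(spec: str) -> dict:
    """Parse one TARGET; an omitted part means ANY and is returned as None.
    Two slashes: MAC/IPs/PORTs.  Three slashes: MAC/IPs/IPv6/PORTs (IPv6 build)."""
    parts = spec.split("/")
    if len(parts) == 3:
        mac, ips, ip6, ports = parts[0], parts[1], "", parts[2]
    elif len(parts) == 4:
        mac, ips, ip6, ports = parts
    else:
        raise ValueError(f"TARGET needs 2 or 3 slashes: {spec!r}")
    if mac and not MAC_RE.match(mac):
        raise ValueError(f"MAC must be like 00:11:22:33:44:55, got {mac!r}")
    # IPv6 ranges are not supported (see the ndp section), so only a comma list
    ip6_list = [str(ipaddress.IPv6Address(a)) for a in ip6.split(",") if a]
    return {"mac": mac.lower() or None, "ips": expand_ips(ips) or None,
            "ipv6": ip6_list or None, "ports": expand_ports(ports) or None}


def matches(target: dict, ip: str, port: int, mac: str | None = None,
            reverse: bool = False) -> bool:
    """True when an endpoint falls inside the TARGET.  reverse=True models the
    -R option, i.e. NOT(TARGET).  The MAC is checked only if the caller has one."""
    if ":" in ip:
        pool, ip = target["ipv6"], str(ipaddress.IPv6Address(ip))
    else:
        pool = target["ips"]
    hit = ((target["mac"] is None or mac is None or target["mac"] == mac.lower())
           and (pool is None or ip in pool)
           and (target["ports"] is None or port in target["ports"]))
    return hit != reverse


def arp_victims(target1: str, target2: str, host_list: list[str]) -> list[tuple[str, str]]:
    """Victim associations for -M arp: each TARGET is joined with the host list
    built by the ARP scan (an empty TARGET expands to ANY) and every host of the
    first group is associated with every host of the second.  When the targets
    overlap, pairs with an identical IP are skipped and each pair appears once."""
    t1, t2 = parse_target(target1), parse_target(target2)
    group1 = [h for h in host_list if t1["ips"] is None or h in t1["ips"]]
    group2 = [h for h in host_list if t2["ips"] is None or h in t2["ips"]]
    pairs: list[tuple[str, str]] = []
    for a in group1:
        for b in group2:
            if a != b and (b, a) not in pairs:
                pairs.append((a, b))
    return pairs
```

Running arp_victims("/10.0.0.1-5/", "/10.0.0.15-20/", ["10.0.0.1", "10.0.0.3", "10.0.0.16", "10.0.0.18"]) reproduces the four associations listed in the example above.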

icmp (MAC/IP)

This attack implements ICMP redirection. It sends a spoofed ICMP redirect message to the hosts in the LAN pretending to be a better route to the Internet. All connections to the Internet will be redirected to the attacker which, in turn, will forward them to the real gateway. The resulting attack is a HALF-DUPLEX mitm. Only the client is redirected, since the gateway will not accept redirect messages for a directly connected network. BE SURE NOT TO USE FILTERS THAT MODIFY THE PAYLOAD LENGTH. You can use a filter to modify packets, but the length must stay the same since the TCP sequence numbers cannot be updated in both directions. You have to pass as arguments the MAC and the IP address of the real gateway of the LAN. Obviously you have to be able to sniff all the traffic. If you are on a switch you have to use a different mitm attack such as ARP poisoning.

NOTE: to restrict the redirection to a given target, specify it as a TARGET

Example:

-M icmp:00:11:22:33:44:55/10.0.0.1 will redirect all the connections that pass through that gateway.

dhcp (ip_pool/netmask/dns)

This attack implements DHCP spoofing. It pretends to be a DHCP server and tries to win the race condition with the real one to force the client to accept the attacker's reply. This way ettercap is able to manipulate the GW parameter and hijack all the outgoing traffic generated by the clients. The resulting attack is a HALF-DUPLEX mitm. So be sure to use appropriate filters (see above in the ICMP section). You have to pass the IP pool to be used, the netmask and the IP of the DNS server. Since ettercap tries to win the race with the real server, it DOES NOT CHECK whether the IP is already assigned. You have to specify an IP pool of FREE addresses to be used. The IP pool has the same form as the target specification. If the client sends a DHCP request (suggesting an IP address) ettercap will ack on that IP and modify only the gw option. If the client makes a DHCP discovery, ettercap will use the first unused IP address of the list you have specified on the command line. Every discovery consumes an IP address. When the list is exhausted, ettercap stops offering new IP addresses and will reply only to DHCP requests. If you don't want to offer any IP address, but only change the router information of DHCP request/ack, you can specify an empty ip_pool.

 BIG WARNING: if you specify a list of IPs that are in use, you will mess up your network! In general, use this attack carefully. It can really mess things up! When you stop the attack, all the victims will still be convinced that ettercap is the gateway until the lease expires...

Example:

-M dhcp:192.168.0.30,35,50-60/255.255.255.0/192.168.0.1 reply to DHCP offer and request.

 -M dhcp:/255.255.255.0/192.168.0.1 reply only to DHCP request.

port ([remote],[tree])

This attack implements Port Stealing. This technique is useful to sniff in a switched environment when ARP poisoning is not effective (for example where statically mapped ARP entries are used).

It floods the LAN (based on the port_steal_delay option in etter.conf) with ARP packets. If you don't specify the "tree" option, the destination MAC address of each "stealing" packet is the same as the attacker's one (other NICs won't see these packets), and the source MAC address will be one of the MACs in the host list. This process "steals" the switch port of each victim host in the host list. Using low delays, packets destined to "stolen" MAC addresses will be received by the attacker, winning the race condition with the real port owner. When the attacker receives packets for "stolen" hosts, it stops the flooding process and performs an ARP request for the real destination of the packet. When it receives the ARP reply it is sure that the victim has "taken back" its port, so ettercap can re-send the packet to the destination as is. Now the flooding process can be restarted while waiting for new packets. If you use the "tree" option, the destination MAC address of each stealing packet will be a bogus one, so these packets will be propagated to other switches (not only the directly connected one). This way you will be able to steal ports on other switches in the tree (if any), but you will generate a huge amount of traffic (according to port_steal_delay). The "remote" option has the same meaning as in the "arp" mitm method.

When you stop the attack, ettercap will send an ARP request to each stolen host giving back their switch ports.

You can perform either HALF or FULL DUPLEX mitm according to the target selection.

NOTE: use this mitm method only on ethernet switches. Use it carefully, it could produce performance loss or general havoc.

NOTE: you can NOT use this method in only-mitm mode (-o flag), because it hooks the sniffing engine, and you can't use interactive data injection.

NOTE: it could be dangerous to use it in conjunction with other mitm methods.

NOTE: this mitm method doesn't work on Solaris and Windows because of the libpcap and libnet design and the lack of certain ioctl(). (We will feature this method on these OSes if someone requests it...)

Example:

the targets are: /10.0.0.1/ /10.0.0.15/

You will intercept and visualize traffic between 10.0.0.1 and 10.0.0.15, but you will receive all the traffic for 10.0.0.1 and 10.0.0.15 too.

the target is: /10.0.0.1/ You will intercept and visualize all the traffic for 10.0.0.1.

ndp ([remote],[oneway])

NOTE: this mitm method is only supported if IPv6 support is enabled.

This method implements the NDP poisoning mitm attack for IPv6 connections. ND requests/replies are sent to the victims to poison their neighbor cache. Once the cache has been poisoned the victims will send all IPv6 packets to the attacker which, in turn, can modify and forward them to the real destination.

In silent mode (-z option) only the first target is selected; if you want to poison multiple targets in silent mode use the -j option to load a list from a file.

You can select empty targets and they will be expanded as 'ANY' (all the hosts in the LAN). The target list is joined with the hosts list (created by the arp scan) and the result is used to determine the victims of the attack.

The parameter "remote" is optional and you have to specify it if you want to sniff remote IP addresses by poisoning a gateway. Indeed, if you specify a victim and the gw in the TARGETs, ettercap will sniff only the connections between them, but to enable ettercap to sniff connections that pass through the gw, you have to use this parameter.

The parameter "oneway" will force ettercap to poison only from TARGET1 to TARGET2. Useful if you want to poison only the client and not the router (where an arp watcher can be in place).

Example:

the targets are: //fe80::260d:afff:fe6e:f378//2001:db8::2:1/ (IPv6 address ranges are not supported yet.)

NOTE: if you manage to poison a client, you have to set a correct routing table in the kernel specifying the GW. If your routing table is incorrect, the poisoned clients will not be able to navigate the Internet.

NOTE: in IPv6 the router's link-local address is usually used as the gateway address. Therefore you need to set the router's link-local address as one target and the victim's global unicast address as the other target in order to set up a successful IPv6 mitm attack using NDP poisoning.

-o, --only-mitm

This option disables the sniffing thread and enables only the mitm attack. Useful if you want to use ettercap to perform mitm attacks and another sniffer (such as wireshark) to sniff the traffic. Keep in mind that the packets are not forwarded by ettercap. The kernel will be responsible for the forwarding. Remember to activate the "ip forwarding" feature in your kernel.

 -f, --pcapfilter <FILTER>

Set a capturing filter in the pcap library. The format is the same as tcpdump(1). Remember that this kind of filter will not sniff packets out of the wire, so if you want to perform a mitm attack, ettercap will not be able to forward hijacked packets. These filters are useful to decrease the network load impact on ettercap's decoding module.

 -B, --bridge <IFACE>

BRIDGED sniffing. You need two network interfaces. ettercap will forward from one to the other all the traffic it sees. It is useful for man in the middle at the physical layer. It is totally stealthy since it is passive and there is no way for a user to see the attacker. You can content filter all the traffic as if you were a transparent proxy for the "cable".

-r, --read <FILE>

OFF LINE sniffing. With this option enabled, ettercap will sniff packets from a pcap compatible file instead of capturing from the wire. This is useful if you have a file dumped from tcpdump or Wireshark and you want to make an analysis (search for passwords or passive fingerprint) on it. Obviously you cannot use "active" sniffing (arp poisoning or bridging) while sniffing from a file.

 -w, --write <FILE>

WRITE packets to a pcap file. This is useful if you have to use "active" sniffing (arp poisoning) on a switched LAN but you want to analyze the packets with tcpdump or Wireshark. You can use this option to dump the packets to a file and then load it into your favourite application.

NOTE: the dump file collects ALL the packets disregarding the TARGET. This is done because you may want to log even protocols not supported by ettercap, so you can analyze them with other tools.

HINT: you can use the -w option in conjunction with the -r one. This way you will be able to filter the payload of the dumped packets or decrypt WEP-encrypted WiFi traffic and dump them to another file.

8. User interface options

 -T, --text

Use only the text interface, only printf(); it can be interactive, press 'h' at any time to get help about what you can do.

 -q, --quiet

Quiet mode. It can be used only with the console interface. It does not print packet content. Useful if you want to convert a pcap file to an ettercap logfile.

Example:

ettercap -Tq -L dumpfile -r pcapfile

-s, --script <COMMANDS>

With this option you can feed ettercap with commands as if they were typed on the keyboard by the user. This way you can use ettercap within your favourite scripts. There is a special command you can issue through this: s(x). This command will sleep for x seconds.

Example:

ettercap -T -s 'lq' will print the list of the hosts and exit

ettercap -T -s 's(300)olqq' will collect the infos for 5 minutes, print the list of the local profiles and exit

 -C, --curses

Ncurses based GUI. See ettercap_curses(8) for a full description.

 -G, --gtk

The nice GTK2 interface (thanks Daten).

 -D, --daemonize

Daemonize ettercap. This option will detach ettercap from the current control terminal and set it as a daemon process. You can combine this feature with the "log" option to log all the traffic in the background. If the daemon fails for any reason, it will create the file "./ettercap_daemonized.log" in which the error caught by ettercap will be reported. Furthermore, if you want a complete debug of the daemon process, you are encouraged to recompile ettercap in debug mode.

9. General options

 -b, --broadcast

Tells ettercap to process packets coming from the broadcast address.

 -i, --iface <IFACE>

Use this <IFACE> instead of the default one. The interface can be unconfigured (requires libnet >= 1.1.2), but in this case you cannot use mitm attacks and you should set the unoffensive flag.

 -I, --iflist

This option will print the list of all available network interfaces that can be used within ettercap. The option is particularly useful under Windows where the name of the interface is not as obvious as under *nix.

 -Y, --secondary <interface list>

Specify a list of (or a single) secondary interface(s) from which packets are captured.

 -A, --address <ADDRESS>

Use this <ADDRESS> instead of the one auto-detected for the current iface. This option is useful if you have an interface with multiple IP addresses.

 -n, --netmask <NETMASK>

Use this <NETMASK> instead of the one associated with the current iface. This option is useful if you have a NIC with an associated netmask of class B and you want to scan (with the arp scan) only a class C.

 -R, --reversed

Reverse the matching in the TARGET selection. It means NOT(TARGET). All but the selected TARGET.

 -t, --proto <PROTO>

Sniff only PROTO packets (default is TCP + UDP). This is useful if you want to select a port via the TARGET specification but you want to differentiate between tcp or udp. PROTO can be "tcp", "udp" or "all".

 -6, --ip6scan

Send ICMPv6 probes to discover alive IPv6 nodes on the link. This option sends a ping request to the all-nodes address to stimulate active IPv6 hosts to respond. You should not use this option if you are trying to hide yourself. Therefore this option is optional.

NOTE: this option is only available if IPv6 support is enabled.

 -z, --silent

Do not perform the initial ARP scan of the LAN.

NOTE: you will not have the hosts list, so you cannot use the multipurpose features. You can only select two hosts for an ARP poisoning attack, specifying them via the TARGET.

 -p, --nopromisc

Usually ettercap will put the interface in promisc mode to sniff all the traffic on the wire. If you want to sniff only your connections, use this flag to not enable promisc mode.

 -S, --nosslmitm

Usually ettercap forges SSL certificates in order to intercept HTTPS traffic. This option disables that behaviour.

 -u, --unoffensive

Every time ettercap starts, it disables ip forwarding in the kernel and begins to forward packets itself. This option disables that, so the responsibility for IP forwarding is left to the kernel. This option is useful if you want to run multiple ettercap instances: you will have one instance (the one without the -u option) forwarding the packets and all the other instances doing their work without forwarding them. Otherwise you will get duplicate packets. It also disables the internal creation of the sessions for each connection. It increases performance, but you will not be able to modify packets on the fly. If you want to use a mitm attack you have to use a separate instance. You have to use this option if the interface is unconfigured (without an IP address). This option is also useful if you want to run ettercap on a gateway. It will not disable forwarding and the gateway will correctly route packets.

 -j, --load-hosts <FILENAME>

It can be used to load a hosts list from a file created by the -k option. (see below)

 -k, --save-hosts <FILENAME>

Saves the hosts list to a file. Useful when you have many hosts and you don't want to perform an ARP storm at startup every time you use ettercap. Simply use this option and dump the list to a file, then load the information from it with the -j <filename> option.

 -P, --plugin <PLUGIN>

Runs the selected PLUGIN. Many plugins need a target specification, so use TARGET as always. Use multiple occurrences of this argument to select multiple plugins. In console mode (-c option), standalone plugins are executed and then the application exits. Hooking plugins are activated and the normal sniffing is performed. To get a list of available external plugins use "list" (without quotes) as plugin name (e.g. ./ettercap -P list).

NOTE: you can also activate plugins directly from the interface (press 'h' for inline help)

For more details on plugins and how to write your own, see the ettercap_plugin(8) man page.

 -F, --filter <FILE>

Load the filter from the file. The filter must be compiled with etterfilter(8). The utility will compile the filter script and produce an ettercap-compliant binary filter file. Read the etterfilter(8) man page for the list of functions you can use inside a filter script. You can load as many filters as you want by specifying the option multiple times; packets pass through each filter in the order given on the command line. You can also load a script without enabling it by appending :0 to the file name. NOTE: these filters are different from those set with --pcapfilter. An ettercap filter is a content filter and can modify the payload of a packet before forwarding it. Pcap filters are used to capture only certain packets. NOTE: you can use filters on pcap files to modify them and save the result to another file, but in this case you have to be careful about what you are doing, since ettercap will not recalculate checksums, nor split packets exceeding the mtu (snaplen) or the like.

 -W, --wifi-key <KEY>

You can specify a key to be used to decrypt WiFi packets (WEP or WPA). Only packets decrypted successfully will be passed to the decoder stack, the others will be skipped with a message. The parameter has the following syntax: type:bits:t:string. Where 'type' can be: wep, wpa:pwd or wpa:psk, 'bits' is the bit length of the key (64, 128 or 256), 't' is the type of the string ('s' for string and 'p' for passphrase). The 'string' can be either a string or an escaped hex sequence.

Example:

--wifi-key wep:128:p:secret

  --wifi-key wep:128:s:ettercapwep0

  --wifi-key 'wep:64:s:\x01\x02\x03\x04\x05'

  --wifi-key wpa:pwd:ettercapwpa:ssid

  --wifi-key wpa:psk:663eb260e87cf389c6bd7331b28d82f5203b0cae4e315f9cbb7602f3236708a6

 -a, --config <CONFIG>

Loads an alternative config file instead of the default /etc/etter.conf. This option is useful if you have many preconfigured files for different situations.

 --certificate <FILE>

Tell ettercap to use the specified certificate file for the ssl mitm attack.

 --private-key <FILE>

Tell ettercap to use the specified private key file for the ssl mitm attack.

10. Visualization (GUI) options

 -e, --regex <REGEX>

Handle only packets that match the regex.

This option is useful in conjunction with -L. It logs only packets that match the posix regex REGEX.

It even affects the visualization of sniffed packets. If set, only packets matching the regex will be displayed.

 -V, --visual <FORMAT>

Use this option to set the visualization method for the packets to be displayed.

FORMAT may be one of the following:

hex Print the packets in hex format.

Example:

the string "HTTP/1.1 304 Not Modified" becomes:

0000:4854 5450 2F31 2E31 2033 3034 204E 6F74   HTTP/1.1 304 not

0010:204D 6F64 6966 6965 64            modified

ascii Print only "printable" characters, the others are displayed as dots '.'

text Print only the "printable" characters and skip the others.

ebcdic Convert an EBCDIC text to ASCII.

html Strip all the HTML tags from the text. A tag is every string between < >.

Example:

<title>This is the title.</title> is displayed as:

This is the title. (the <title> tags themselves are not displayed)

utf8 Print the packets in UTF-8 format. The encoding used while performing the conversion is declared in the etter.conf(5) file.
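The -V formats above, re-implemented as an added example for this page (not ettercap's own code): the function names, the choice of code page 500 for EBCDIC and the latin-1 default source charset for utf8 are assumptions of mine, and the sample payload is constructed from the page's HTTP/1.1 example.

```python
"""The -V FORMAT visualisations, re-implemented as a worked example for this
page (not ettercap's own code).  Each function takes raw payload bytes and
returns the text that would be displayed."""
import re


def _printable(b: int) -> bool:
    # ASCII 0x20-0x7E plus tab/LF/CR, kept so the line layout of text protocols survives
    return 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)


def ascii_format(data: bytes) -> str:
    """ascii: printable characters as-is, everything else shown as a dot."""
    return "".join(chr(b) if _printable(b) else "." for b in data)


def text_format(data: bytes) -> str:
    """text: printable characters only, the others are skipped."""
    return "".join(chr(b) for b in data if _printable(b))


def hex_format(data: bytes, width: int = 16) -> str:
    """hex: 16 bytes per line in 2-byte groups, offset on the left and an ascii
    column on the right, laid out like the HTTP/1.1 example on the page."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        groups = [chunk[i:i + 2].hex().upper() for i in range(0, len(chunk), 2)]
        hexcol = " ".join(groups).ljust(width * 2 + width // 2 - 1)  # 39 chars wide
        # the side column never shows control characters, not even newlines
        asc = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        lines.append(f"{off:04X}:{hexcol}   {asc}")
    return "\n".join(lines)


def ebcdic_format(data: bytes) -> str:
    """ebcdic: convert an EBCDIC payload to ASCII (code page 500 assumed here)."""
    return data.decode("cp500", errors="replace")


TAG_RE = re.compile(r"<[^>]*>")


def html_format(data: bytes) -> str:
    """html: strip every tag, i.e. every string between < and >."""
    return TAG_RE.sub("", ascii_format(data))


def utf8_format(data: bytes, source_encoding: str = "iso-8859-1") -> str:
    """utf8: decode from the charset declared in etter.conf(5) (assumed latin-1
    here) so the result prints as UTF-8."""
    return data.decode(source_encoding, errors="replace")


FORMATS = {"hex": hex_format, "ascii": ascii_format, "text": text_format,
           "ebcdic": ebcdic_format, "html": html_format, "utf8": utf8_format}


def visualize(data: bytes, fmt: str = "ascii") -> str:
    """Dispatch on the FORMAT name given to -V; unknown names are rejected."""
    if fmt not in FORMATS:
        raise ValueError(f"unknown -V format {fmt!r}, expected one of {sorted(FORMATS)}")
    return FORMATS[fmt](data)


if __name__ == "__main__":
    sample = b"HTTP/1.1 304 Not Modified"  # constructed payload, as in the page's example
    for name in ("hex", "ascii", "html"):
        print(f"--- {name}\n{visualize(sample, name)}")
```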

 

 -d, --dns

Resolve IP addresses into hostnames.

NOTE: this may seriously slow down ettercap while logging passive information. Every time a new host is found, a query to the DNS is performed. ettercap keeps a cache for already resolved hosts to increase speed, but new hosts need a new query and the DNS may take 2 or 3 seconds to respond for an unknown host.

HINT: ettercap collects the DNS replies it sniffs in the resolution table, so even if you specify not to resolve hostnames, some of them will be resolved because the reply was previously sniffed. Think of it as a passive DNS resolution for free... ;)

 -E, --ext-headers

Print extended headers for every displayed packet. (e.g. MAC addresses)

 -Q, --superquiet

Super quiet mode. Do not print users and passwords as they are collected. Only store them in the profiles. It may be useful to run ettercap in text mode when you don't want to be flooded with dissector info. Useful when used with plugins, because the sniffing process is always active and prints all the collected info; with this option you can suppress these messages. NOTE: this option automatically sets the -q option.

Example:

ettercap -TzQP finger /192.168.0.1/22

11. Logging options

 -L, --log <LOGFILE>

Log all the packets to binary files. These files can be parsed by etterlog(8) to extract human readable data. With this option, every packet sniffed by ettercap will be logged, together with all the passive info (host info + users and passwords) it can collect. Given a LOGFILE, ettercap will create LOGFILE.ecp (for packets) and LOGFILE.eci (for infos).

NOTE: if you specify this option on the command line you don't have to take care of privileges since the log file is opened in the startup phase (with high privileges). But if you enable the log option when ettercap is already started, you have to be in a directory writable by uid = 65535 or uid = EC_UID.

NOTE: the logfiles can be compressed with the deflate algorithm using the -c option.

 -l, --log-info <LOGFILE>

Very similar to -L but it logs only passive information + users and passwords for each host. The file will be named LOGFILE.eci

 -m, --log-msg <LOGFILE>

It stores in <LOGFILE> all the user messages printed by ettercap. This may be useful when you are using ettercap in daemon mode or if you want to track down all the messages. Indeed some dissectors print messages but the information is not stored anywhere, so this is the only way to keep track of it.

 -c, --compress

Compress the logfile with the gzip algorithm while it is dumped. etterlog(8) is capable of handling both compressed and uncompressed logfiles.

 -o, --only-local

Store profile information belonging only to the LAN hosts.

NOTE: this option is valid only for profiles collected in memory. When logging to a file, all the hosts are logged. If you want to split them, use the related etterlog(8) option.

 -O, --only-remote

Store profile information belonging only to remote hosts.

12. Standard options

 -v, --version

Print the version and exit.

 -h, --help

Print the help screen with a short summary of the available options.

13. Examples

Here are some examples of using ettercap.

ettercap -Tp

Use the console interface and do not put the interface in promisc mode. You will see only your traffic.

ettercap -Tzq

Use the console interface, do not ARP scan the net and be quiet. The packet content will not be displayed, but users and passwords, as well as other messages, will be displayed.

ettercap -T -j /tmp/victims -M arp /10.0.0.1-7/ /10.0.0.10-20/

Will load the hosts list from /tmp/victims and perform an ARP poisoning attack against the two targets. The list will be joined with the targets and the resulting list is used for ARP poisoning.

ettercap -T -M arp // //

Perform the ARP poisoning attack against all the hosts in the LAN. BE CAREFUL!!

ettercap -T -M arp:remote /192.168.1.1/ /192.168.1.2-10/

Perform ARP poisoning against the gateway and the hosts in the LAN between 2 and 10. The "remote" option is needed to be able to sniff the remote traffic the hosts make through the gateway.

ettercap -Tzq //110

Sniff only the pop3 protocol from every host.

ettercap -Tzq /10.0.0.1/21,22,23

Sniff telnet, ftp and ssh connections to 10.0.0.1.

 ettercap -P list

Prints the list of all available plugins

 ~/.config/ettercap_gtk

Stores persistent information between sessions (e.g. window position).

14. Miscellaneous

Original authors

Alberto Ornaghi (ALoR) <alor@users.sf.net>

 Marco Valleri (NaGA) <naga@antifork.org>

Project stewards

Emilio Escobar (exfil) <eescobar@gmail.com>

Eric Milam (brav0hax) <jbrav.hax@gmail.com>

Official developers

Mike Ryan (justfalter) <falter@gmail.com>

 Gianfranco Costamagna (LocutusOfBorg) <costamagnagianfranco@yahoo.it>

 Antonio Collarino (sniper) <anto.collarino@gmail.com>

 Ryan Linn <sussuro@happypacket.net>

 Jacob Baines <baines.jacob@gmail.com>

Contributors

Dhiru Kholia (kholia) <dhiru@openwall.com>

 Alexander Koeppe (koeppea) <format_c@online.de>

 Martin Bos (PureHate) <purehate@backtrack.com>

 Enrique Sanchez

 Gisle Vanem <giva@bgnett.no>

 Johannes Bauer <JohannesBauer@gmx.de>

 Daten (Bryan Schneiders) <daten@dnetc.org>

See also

 etter.conf(5) ettercap_curses(8) ettercap_plugins(8) etterlog(8) etterfilter(8) ettercap-pkexec(8)

GitHub download

 https://github.com/Ettercap/ettercap/downloads

Git

 git clone git://github.com/Ettercap/ettercap.git or git clone https://github.com/Ettercap/ettercap.git

Bugs

Our software never has bugs.

It just develops random features.

Known bugs

- ettercap doesn't handle fragmented packets... only the first segment will be displayed by the sniffer. However, all the fragments are correctly forwarded.

+ Please send bug reports, patches or suggestions to <ettercap-betatesting@lists.sourceforge.net> or visit https://github.com/Ettercap/ettercap/issues.

+ To report bugs, follow the instructions in the readme.bugs file.

Philological history

"Even if blessed with a feeble intelligence, they are cruel and smart..." this is the description of Ettercap, a monster of the RPG Advanced Dungeons & Dragons.

The name "Ettercap" was chosen because it has an assonance with "Ethernet Cap", which means "Ethernet Capture" (which is what ettercap actually does), and also because these monsters have a powerful poison... you know, ARP poisoning... ;)

The Lord Of The (Token)Ring

 (the fellowship of the packet)

 "One Ring to link them all, One Ring to ping them, one Ring to bring them all and in the darkness sniff them."

Last words

"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning."

Manual Reference Pages  - ETTERCAP (8)


NAME

ettercap NG-0.7.3 - A multipurpose sniffer/content filter for man in the middle attacks

 

CONTENTS

Synopsis
Description
Target Specification
Privileges Dropping
Ssl Mitm Attack
Options
Examples
Authors
Availability
Cvs
Bugs
Philological History
The Lord Of The (Token)Ring
Last words

***** IMPORTANT NOTE ******

Since ettercap NG (formerly 0.7.0), all the options have been changed. Even the target specification has been changed. Please read carefully this man page.

 

SYNOPSIS

ettercap [OPTIONS] [TARGET1] [TARGET2]

TARGET is in the form MAC/IPs/PORTs 
where IPs and PORTs can be ranges (e.g. /192.168.0.1-30,40,50/20,22,25)

DESCRIPTION

Ettercap was born as a sniffer for switched LAN (and obviously even "hubbed" ones), but during the development process it has gained more and more features that have changed it to a powerful and flexible tool for man-in-the-middle attacks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis (such as OS fingerprint).

It has two main sniffing options:

UNIFIED, this method sniffs all the packets that pass on the cable. You can choose to put or not the interface in promisc mode (-p option). The packet not directed to the host running ettercap will be forwarded automatically using layer 3 routing. So you can use a mitm attack launched from a different tool and let ettercap modify the packets and forward them for you. 
The kernel ip_forwarding is always disabled by ettercap. This is done to prevent to forward a packet twice (one by ettercap and one by the kernel). This is an invasive behaviour on gateways. So we recommend you to use ettercap on the gateways ONLY with the UNOFFENSIVE MODE ENABLED. Since ettercap listens only on one network interface, launching it on the gateway in offensive mode will not allow packets to be rerouted back from the second interface.

BRIDGED, it uses two network interfaces and forward the traffic from one to the other while performing sniffing and content filtering. This sniffing method is totally stealthy since there is no way to find that someone is in the middle on the cable. You can look at this method as a mitm attack at layer 1. You will be in the middle of the cable between two entities. Don’t use it on gateways or it will transform your gateway into a bridge. HINT: you can use the content filtering engine to drop packets that should not pass. This way ettercap will work as an inline IPS ;)

You can also perform man in the middle attacks while using the unified sniffing. You can choose the mitm attack that you prefer. The mitm attack module is independent from the sniffing and filtering process, so you can launch several attacks at the same time or use your own tool for the attack. The crucial point is that the packets have to arrive to ettercap with the correct mac address and a different ip address (only these packets will be forwarded).

The most relevant ettercap features are:

SSH1 support : you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the first software capable to sniff an SSH connection in FULL-DUPLEX

SSL support : you can sniff SSL secured data... a fake certificate is presented to the client and the session is decrypted.

Characters injection in an established connection : you can inject characters to the server (emulating commands) or to the client (emulating replies) maintaining the connection alive !!

Packet filtering/dropping: You can set up a filter script that searches for a particular string (even hex) in the TCP or UDP payload and replace it with yours or drop the entire packet. The filtering engine can match any field of the network protocols and modify whatever you want (see etterfilter(8)).

Remote traffic sniffing through tunnels and route mangling: You can play with linux cooked interfaces or use the integrated plugin to sniff tunneled or route-mangled remote connections and perform mitm attacks on them.

Plug-ins support : You can create your own plugin using the ettercap’s API.

Password collector for : TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG (other protocols coming soon...)

Passive OS fingerprint: you scan passively the lan (without sending any packet) and gather detailed info about the hosts in the LAN: Operating System, running services, open ports, IP, mac address and network adapter vendor.

Kill a connection: from the connections list you can kill all the connections you want

 

 

TARGET SPECIFICATION

There is no concept of SOURCE nor DEST. The two targets are intended to filter traffic coming from one to the other and vice-versa (since the connection is bidirectional).

TARGET is in the form MAC/IPs/PORTs. If you want you can omit any of its parts and this will represent an ANY in that part. 
e.g. 
"//80" means ANY mac address, ANY ip and ONLY port 80 
"/10.0.0.1/" means ANY mac address, ONLY ip 10.0.0.1 and ANY port

MAC must be unique and in the form 00:11:22:33:44:55

IPs is a range of IP in dotted notation. You can specify range with the - (hyphen) and single ip with , (comma). You can also use ; (semicolon) to indicate different ip addresses. 
e.g. 
"10.0.0.1-5;10.0.1.33" expands into ip 10.0.0.1, 2, 3, 4, 5 and 10.0.1.33

PORTs is a range of PORTS. You can specify range with the - (hyphen) and single port with , (comma). 
e.g. 
"20-25,80,110" expands into ports 20, 21, 22, 23, 24, 25, 80 and 110

NOTE: 
you can reverse the matching of the TARGET by adding the -R option to the command line. So if you want to sniff ALL the traffic BUT the one coming or going to 10.0.0.1 you can specify "./ettercap -R /10.0.0.1/"

NOTE: 
TARGETs are also responsible of the initial scan of the lan. You can use them to restrict the scan to only a subset of the hosts in the netmask. The result of the merging between the two targets will be scanned. remember that not specifying a target means "no target", but specifying "//" means "all the hosts in the subnet".

PRIVILEGES DROPPING

ettercap needs root privileges to open the Link Layer sockets. After the initialization phase, the root privs are not needed anymore, so ettercap drops them to UID = 65535 (nobody). Since ettercap has to write (create) log files, it must be executed in a directory with the right permissions (e.g. /tmp/). If you want to drop privs to a different uid, you can export the environment variable EC_UID with the value of the uid you want to drop the privs to (e.g. export EC_UID=500) or set the correct parameter in the etter.conf file.

 

 

SSL MITM ATTACK

While performing the SSL mitm attack, ettercap substitutes the real ssl certificate with its own. The fake certificate is created on the fly and all the fields are filled according to the real cert presented by the server. Only the issuer is modified and signed with the private key contained in the ’etter.ssl.crt’ file. If you want to use a different private key you have to regenerate this file. To regenerate the cert file use the following commands:

openssl genrsa -out etter.ssl.crt 1024
openssl req -new -key etter.ssl.crt -out tmp.csr
openssl x509 -req -days 1825 -in tmp.csr -signkey etter.ssl.crt -out tmp.new
cat tmp.new >> etter.ssl.crt
rm -f tmp.new tmp.csr

NOTE: SSL mitm is not available (for now) in bridged mode.

OPTIONS

Options that make sense together can generally be combined. ettercap will warn the user about unsupported option combinations.
SNIFFING AND ATTACK OPTIONS
ettercap NG has a new unified sniffing method. This implies that ip_forwarding in the kernel is always disabled and the forwarding is done by ettercap. Every packet with destination mac address equal to the host’s mac address and destination ip address different from the one bound to the iface will be forwarded by ettercap. Before forwarding them, ettercap can content filter, sniff, log or drop them. It does not matter how these packets are hijacked, ettercap will process them. You can even use external programs to hijack packets.
You have full control of what ettercap should receive. You can use the internal mitm attacks, set the interface in promisc mode, use plugins or use every method you want.

IMPORTANT NOTE: if you run ettercap on a gateway, remember to re-enable the ip_forwarding after you have killed ettercap. Since ettercap drops its privileges, it cannot restore the ip_forwarding for you.

-M, --mitm <METHOD:ARGS>
  MITM attack
This option will activate the man in the middle attack. The mitm attack is totally independent from the sniffing. The aim of the attack is to hijack packets and redirect them to ettercap. The sniffing engine will forward them if necessary.
You can choose the mitm attack that you prefer and also combine some of them to perform different attacks at the same time.
If a mitm method requires some parameters you can specify them after the colon. (e.g. -M dhcp:ip_pool,netmask,etc )

The following mitm attacks are available:

arp ([remote],[oneway])
  This method implements the ARP poisoning mitm attack. ARP requests/replies are sent to the victims to poison their ARP cache. Once the cache has been poisoned the victims will send all packets to the attacker which, in turn, can modify and forward them to the real destination.

In silent mode (-z option) only the first target is selected, if you want to poison multiple target in silent mode use the -j option to load a list from a file.

You can select empty targets and they will be expanded as ’ANY’ (all the hosts in the LAN). The target list is joined with the hosts list (created by the arp scan) and the result is used to determine the victims of the attack.

The parameter "remote" is optional and you have to specify it if you want to sniff remote ip address poisoning a gateway. Indeed if you specify a victim and the gw in the TARGETS, ettercap will sniff only connection between them, but to enable ettercap to sniff connections that pass thru the gw, you have to use this parameter.

The parameter "oneway" will force ettercap to poison only from TARGET1 to TARGET2. Useful if you want to poison only the client and not the router (where an arp watcher can be in place).

Example:

the targets are: /10.0.0.1-5/ /10.0.0.15-20/ 
and the host list is: 10.0.0.1 10.0.0.3 10.0.0.16 10.0.0.18

the associations between the victims will be: 
1 and 16, 1 and 18, 3 and 16, 3 and 18

if the targets overlap each other, the association with identical ip address will be skipped.

NOTE: if you manage to poison a client, you have to set correct routing table in the kernel specifying the GW. If your routing table is incorrect, the poisoned clients will not be able to navigate the Internet.

 

 

icmp (MAC/IP)
  This attack implements ICMP redirection. It sends a spoofed icmp redirect message to the hosts in the lan pretending to be a better route for internet. All connections to internet will be redirected to the attacker which, in turn, will forward them to the real gateway. The resulting attack is a HALF-DUPLEX mitm. Only the client is redirected, since the gateway will not accept redirect messages for a directly connected network. BE SURE TO NOT USE FILTERS THAT MODIFY THE PAYLOAD LENGTH. you can use a filter to modify packets, but the length must be the same since the tcp sequences cannot be updated in both ways. 
You have to pass as argument the MAC and the IP address of the real gateway for the lan. 
Obviously you have to be able to sniff all the traffic. If you are on a switch you have to use a different mitm attack such as arp poisoning.

NOTE: to restrict the redirection to a given target, specify it as a TARGET

Example:

-M icmp:00:11:22:33:44:55/10.0.0.1

will redirect all the connections that pass thru that gateway.

 

 

dhcp (ip_pool/netmask/dns)
  This attack implements DHCP spoofing. It pretends to be a DHCP server and tries to win the race condition with the real one to force the client to accept the attacker’s reply. This way ettercap is able to manipulate the GW parameter and hijack all the outgoing traffic generated by the clients.
The resulting attack is a HALF-DUPLEX mitm. So be sure to use appropriate filters (see above in the ICMP section).

You have to pass the ip pool to be used, the netmask and the ip of the dns server. Since ettercap tries to win the race with the real server, it DOES NOT CHECK if the ip is already assigned. You have to specify an ip pool of FREE addresses to be used. The ip pool has the same form of the target specification.

If the client sends a dhcp request (suggesting an ip address) ettercap will ack on that ip and modify only the gw option. If the client makes a dhcp discovery, ettercap will use the first unused ip address of the list you have specified on command line. Every discovery consumes an ip address. When the list is over, ettercap stops offering new ip addresses and will reply only to dhcp requests. 
If you don’t want to offer any ip address, but only change the router information of dhcp request/ack, you can specify an empty ip_pool.

BIG WARNING: if you specify a list of ip that are in use, you will mess your network! In general, use this attack carefully. It can really mess things up! When you stop the attack, all the victims will be still convinced that ettercap is the gateway until the lease expires...

Example:

-M dhcp:192.168.0.30,35,50-60/255.255.255.0/192.168.0.1 
reply to DHCP offer and request.

-M dhcp:/255.255.255.0/192.168.0.1 
reply only to DHCP request.

 

port ([remote],[tree])
  This attack implements Port Stealing. This technique is useful to sniff in a switched environment when ARP poisoning is not effective (for example where static mapped ARPs are used).

It floods the LAN (based on port_steal_delay option in etter.conf) with ARP packets. If you don’t specify the "tree" option, the destination MAC address of each "stealing" packet is the same as the attacker’s one (other NICs won’t see these packets), the source MAC address will be one of the MACs in the host list. This process "steals" the switch port of each victim host in the host list. Using low delays, packets destined to "stolen" MAC addresses will be received by the attacker, winning the race condition with the real port owner. When the attacker receives packets for "stolen" hosts, it stops the flooding process and performs an ARP request for the real destination of the packet. When it receives the ARP reply it’s sure that the victim has "taken back" his port, so ettercap can re-send the packet to the destination as is. Now we can re-start the flooding process waiting for new packets.

If you use the "tree" option, the destination MAC address of each stealing packet will be a bogus one, so these packets will be propagated to other switches (not only the directly connected one). This way you will be able to steal ports on other switches in the tree (if any), but you will generate a huge amount of traffic (according to port_steal_delay). The "remote" option has the same meaning as in "arp" mitm method.

When you stop the attack, ettercap will send an ARP request to each stolen host giving back their switch ports. 
You can perform either HALF or FULL DUPLEX mitm according to target selection.

NOTE: Use this mitm method only on ethernet switches. Use it carefully, it could produce performances loss or general havoc.

NOTE: You can NOT use this method in only-mitm mode (-o flag), because it hooks the sniffing engine, and you can’t use interactive data injection.

NOTE: It could be dangerous to use it in conjunction with other mitm methods.

NOTE: This mitm method doesn’t work on Solaris and Windows because of the lipcap and libnet design and the lack of certain ioctl(). (We will feature this method on these OSes if someone will request it...)

Example:

The targets are: /10.0.0.1/ /10.0.0.15/ 
You will intercept and visualize traffic between 10.0.0.1 and 10.0.0.15, but you will receive all the traffic for 10.0.0.1 and 10.0.0.15 too.

The target is: /10.0.0.1/ 
You will intercept and visualize all the traffic for 10.0.0.1.
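A detection-side illustration of the mechanism described above, added here as an example (this is not ettercap code). While a port is being stolen, the switch learns the victim's MAC on the attacker's port, then on the real port again after the ARP exchange, and so on: the victim's MAC-table entry flaps between two ports at a rate tied to port_steal_delay, while an ordinary host moves at most once when it is re-plugged. The function below finds such flapping MACs in a constructed list of (time, port, source MAC) learning events; the port names, MAC addresses and thresholds are made-up values.

```python
from collections import defaultdict

# Constructed MAC-learning events: (seconds, switch port, source MAC), in the
# order a switch would learn them. All values are made up for this example.
OBSERVATIONS = [
    (0.00, "Gi1/0/7", "00:11:22:33:44:55"),  # victim, on its real port
    (0.05, "Gi1/0/3", "00:11:22:33:44:55"),  # stolen: victim's MAC seen on port 3
    (0.10, "Gi1/0/7", "00:11:22:33:44:55"),  # taken back after the ARP exchange
    (0.15, "Gi1/0/3", "00:11:22:33:44:55"),
    (0.20, "Gi1/0/7", "00:11:22:33:44:55"),
    (0.25, "Gi1/0/3", "00:11:22:33:44:55"),
    (0.30, "Gi1/0/7", "00:11:22:33:44:55"),
    (1.00, "Gi1/0/9", "aa:bb:cc:dd:ee:01"),  # ordinary host, never moves
    (5.00, "Gi1/0/9", "aa:bb:cc:dd:ee:01"),
    (0.50, "Gi1/0/2", "aa:bb:cc:dd:ee:02"),  # laptop re-plugged once: one move
    (9.00, "Gi1/0/4", "aa:bb:cc:dd:ee:02"),
]


def find_flapping_macs(observations, window=1.0, max_moves=3):
    """Return {mac: (moves, ports)} for every MAC whose learned port changed
    more than `max_moves` times inside some sliding window of `window`
    seconds. A single move (a host re-plugged) is normal; a burst of moves
    between the same two ports is the port-stealing signature."""
    by_mac = defaultdict(list)
    for ts, port, mac in observations:
        by_mac[mac].append((ts, port))

    flapping = {}
    for mac, seen in by_mac.items():
        seen.sort()  # chronological order
        # timestamps at which the learned port differs from the previous one
        moves = [ts for (ts, port), (_, prev) in zip(seen[1:], seen) if port != prev]
        # densest burst of moves that fits inside the window
        worst, start = 0, 0
        for end in range(len(moves)):
            while moves[end] - moves[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst > max_moves:
            flapping[mac] = (worst, sorted({p for _, p in seen}))
    return flapping


if __name__ == "__main__":
    for mac, (moves, ports) in find_flapping_macs(OBSERVATIONS).items():
        print(f"{mac}: {moves} port moves within 1s between {ports}")
```

Switch "MAC move" or "MAC flapping" log messages carry the same signal and can be fed to the function after parsing. Port security that pins the allowed MAC on each access port makes the stealing frames a violation on the attacker's port instead of a learned entry, which both stops the flapping and logs it.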

-o, --only-mitm
  This option disables the sniffing thread and enables only the mitm attack. Useful if you want to use ettercap to perform mitm attacks and another sniffer (such as ethereal) to sniff the traffic. Keep in mind that the packets are not forwarded by ettercap. The kernel will be responsible for the forwarding. Remember to activate the "ip forwarding" feature in your kernel.

-f, --pcapfilter <FILTER>
  Set a capturing filter in the pcap library. The format is the same as tcpdump(1). Remember that this kind of filter will not sniff packets out of the wire, so if you want to perform a mitm attack, ettercap will not be able to forward hijacked packets.
  These filters are useful to decrease the network load impact on the ettercap decoding module.

-B, --bridge <IFACE>
  BRIDGED sniffing
  You need two network interfaces. ettercap will forward from one to the other all the traffic it sees. It is useful for man in the middle at the physical layer. It is totally stealthy since it is passive and there is no way for a user to see the attacker.
  You can content filter all the traffic as if you were a transparent proxy for the "cable".

OFF LINE SNIFFING
-r, --read <FILE>
  OFF LINE sniffing
  With this option enabled, ettercap will sniff packets from a pcap compatible file instead of capturing from the wire.
  This is useful if you have a file dumped from tcpdump or ethereal and you want to make an analysis (search for passwords or passive fingerprint) on it.
  Obviously you cannot use "active" sniffing (arp poisoning or bridging) while sniffing from a file.

-w, --write <FILE>
  WRITE packets to a pcap file
  This is useful if you have to use "active" sniffing (arp poison) on a switched LAN but you want to analyze the packets with tcpdump or ethereal. You can use this option to dump the packets to a file and then load it into your favourite application.

NOTE: the dump file collects ALL the packets disregarding the TARGET. This is done because you may want to log even protocols not supported by ettercap, so you can analyze them with other tools.

TIP: you can use the -w option in conjunction with the -r one. This way you will be able to filter the payload of the dumped packets or decrypt WEP-encrypted WiFi traffic and dump them to another file.

USER INTERFACES OPTIONS
-T, --text
  The text only interface, only printf ;)
  It is quite interactive, press ’h’ at any moment to get help on what you can do.

-q, --quiet
  Quiet mode. It can be used only in conjunction with the console interface. It does not print packet content. It is useful if you want to convert a pcap file to ettercap log files.

example:

ettercap -Tq -L dumpfile -r pcapfile

-s, --script <COMMANDS>
  With this option you can feed ettercap with commands as if they were typed on the keyboard by the user. This way you can use ettercap within your favourite scripts. There is a special command you can issue thru this option: s(x). This command will sleep for x seconds.

example:

ettercap -T -s ’lq’ will print the list of the hosts and exit
ettercap -T -s ’s(300)olqq’ will collect the infos for 5 minutes, print the list of the local profiles and exit

-C, --curses
  Ncurses based GUI. See ettercap_curses(8) for a full description.

-G, --gtk
  The nice GTK2 interface (thanks Daten...).

-D, --daemonize
  Daemonize ettercap. This option will detach ettercap from the current controlling terminal and set it as a daemon. You can combine this feature with the "log" option to log all the traffic in the background. If the daemon fails for any reason, it will create the file "./ettercap_daemonized.log" in which the error caught by ettercap will be reported. Furthermore, if you want to have a complete debug of the daemon process, you are encouraged to recompile ettercap in debug mode.

GENERAL OPTIONS
-i, --iface <IFACE>
  Use this <IFACE> instead of the default one. The interface can be unconfigured (requires libnet >= 1.1.2), but in this case you cannot use MITM attacks and you should set the unoffensive flag.

-I, --iflist
  This option will print the list of all available network interfaces that can be used within ettercap. The option is particularly useful under Windows where the name of the interface is not so obvious as under *nix.

-n, --netmask <NETMASK>
  Use this <NETMASK> instead of the one associated with the current iface. This option is useful if you have a NIC with an associated netmask of class B and you want to scan (with the arp scan) only a class C.

-R, --reversed
  Reverse the matching in the TARGET selection. It means not(TARGET). All but the selected TARGET.

-t, --proto <PROTO>
  Sniff only PROTO packets (default is TCP + UDP).
  This is useful if you want to select a port via the TARGET specification but you want to differentiate between tcp or udp.
  PROTO can be "tcp", "udp" or "all" for both.

-z, --silent
  Do not perform the initial ARP scan of the LAN.

NOTE: you will not have the hosts list, so you can’t use the multipoison feature. You can only select two hosts for an ARP poisoning attack, specifying them through the TARGETs.

-p, --nopromisc
  Usually, ettercap will put the interface in promisc mode to sniff all the traffic on the wire. If you want to sniff only your connections, use this flag to NOT enable the promisc mode.

-u, --unoffensive
  Every time ettercap starts, it disables ip forwarding in the kernel and begins to forward packets itself. This option prevents that, so the responsibility of ip forwarding is left to the kernel.
  This option is useful if you want to run multiple ettercap instances. You will have one instance (the one without the -u option) forwarding the packets, and all the other instances doing their work without forwarding them. Otherwise you will get packet duplicates.
  It also disables the internal creation of the sessions for each connection. It increases performance, but you will not be able to modify packets on the fly.
  If you want to use a mitm attack you have to use a separate instance.
  You have to use this option if the interface is unconfigured (without an ip address.)
  This is also useful if you want to run ettercap on the gateway. It will not disable the forwarding and the gateway will correctly route the packets.

-j, --load-hosts <FILENAME>
  It can be used to load a hosts list from a file created by the -k option. (see below)

-k, --save-hosts <FILENAME>
  Saves the hosts list to a file. Useful when you have many hosts and you don’t want to do an ARP storm at startup every time you use ettercap. Simply use this option and dump the list to a file, then to load the information from it use the -j <filename> option.

-P, --plugin <PLUGIN>
  Run the selected PLUGIN. Many plugins need target specification, use TARGET as always.
  In console mode (-C option), standalone plugins are executed and then the application exits. Hook plugins are activated and the normal sniffing is performed.
  To have a list of the available external plugins use "list" (without quotes) as plugin name (e.g. ./ettercap -P list).

NOTE: you can also activate plugins directly from the interfaces (always press "h" to get the inline help)

More detailed info about plugins and about how to write your own are found in the man page ettercap_plugin(8)

-F, --filter <FILE>
  Load the filter from the file <FILE>. The filter must be compiled with etterfilter(8). The utility will compile the filter script and produce an ettercap-compliant binary filter file. Read the etterfilter(8) man page for the list of functions you can use inside a filter script.
  NOTE: these filters are different from those set with --pcapfilter. An ettercap filter is a content filter and can modify the payload of a packet before forwarding it. Pcap filters are used to capture only certain packets.
  NOTE: you can use filters on a pcapfile to modify it and save to another file, but in this case you have to pay attention to what you are doing, since ettercap will not recalculate checksums, nor split packets exceeding the mtu (snaplen) nor anything like that.

-W, --wep-key <KEY>
  You can specify a WEP key to decrypt WiFi packets. Only the packets decrypted successfully will be passed to the decoders stack, the others will be skipped with a message.
  The parameter has the following syntax: N:T:KEY. Where N is the bit length of the wep key (64, 128 or 256), T is the type of the string (’s’ for string and ’p’ for passphrase). KEY can be a string or an escaped hex sequence.

example:
--wep-key 128:p:secret
--wep-key 128:s:ettercapwep0
--wep-key ’64:s:\x01\x02\x03\x04\x05’

-a, --config <CONFIG>
  Loads an alternative config file instead of the default in /etc/etter.conf. This is useful if you have many preconfigured files for different situations.

VISUALIZATION OPTIONS
-e, --regex <REGEX>
  Handle only packets that match the regex.
  This option is useful in conjunction with -L. It logs only packets that match the posix regex REGEX.
  It impacts even the visualization of the sniffed packets. If it is set, only packets matching the regex will be displayed.

-V, --visual <FORMAT>
  Use this option to set the visualization method for the packets to be displayed.

  FORMAT may be one of the following:

  hex     Print the packets in hex format.

          example:

          the string "HTTP/1.1 304 Not Modified" becomes:

          0000: 4854 5450 2f31 2e31 2033 3034 204e 6f74 HTTP/1.1 304 Not
          0010: 204d 6f64 6966 6965 64                  Modified

  ascii   Print only "printable" characters, the others are displayed as dots ’.’

  text    Print only the "printable" characters and skip the others.

  ebcdic  Convert an EBCDIC text to ASCII.

  html    Strip all the html tags from the text. A tag is every string between < and >.

          example:

          <title>This is the title</title>, but the following <string> will not be displayed.

          becomes:

          This is the title, but the following will not be displayed.

  utf8    Print the packets in UTF-8 format. The encoding used while performing the conversion is declared in the etter.conf(5) file.
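The hex, ascii, text and html formats above, re-implemented as an added example (Python written for this page, not ettercap's own C code). It reproduces the hex layout shown for "HTTP/1.1 304 Not Modified" and the stated rules for the other three formats; ebcdic and utf8 are left out because their encodings depend on etter.conf(5). Treating tab and newline as non-printable is this example's assumption, not a rule the man page states.

```python
import re
import string

# Visible ASCII plus space; control characters count as non-printable
# (an assumption of this example, not a rule stated by the man page).
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def visual_ascii(payload: bytes) -> str:
    """ascii format: printable characters kept, every other byte shown as a dot."""
    return "".join(chr(b) if chr(b) in PRINTABLE else "." for b in payload)


def visual_text(payload: bytes) -> str:
    """text format: printable characters kept, every other byte dropped."""
    return "".join(chr(b) for b in payload if chr(b) in PRINTABLE)


def visual_hex(payload: bytes, width: int = 16) -> str:
    """hex format: offset, the bytes in 2-byte groups, then the same bytes
    rendered as in the ascii format, one line per `width` bytes."""
    hex_width = width * 2 + width // 2 - 1  # 8 groups of 4 digits + 7 spaces
    lines = []
    for off in range(0, len(payload), width):
        chunk = payload[off:off + width]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        hexpart = " ".join(groups).ljust(hex_width)
        lines.append(f"{off:04x}: {hexpart} {visual_ascii(chunk)}")
    return "\n".join(lines)


TAG_RE = re.compile(r"<[^>]*>")


def visual_html(payload: bytes) -> str:
    """html format: drop every run between '<' and '>'. Bytes are decoded as
    latin-1 so that no input can raise a decoding error."""
    return TAG_RE.sub("", payload.decode("latin-1"))


if __name__ == "__main__":
    print(visual_hex(b"HTTP/1.1 304 Not Modified"))
    print(visual_ascii(b"GET /\x00\x01 HTTP/1.0\r\n"))
    print(visual_html(b"<title>This is the title</title>, but the following <string> will not be displayed."))
```

Note that stripping a tag leaves the whitespace around it in place, so "following <string> will" becomes "following  will" with two spaces; the man page's rendering collapses them.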

-d, --dns
  Resolve ip addresses into hostnames.

NOTE: this may seriously slow down ettercap while logging passive information. Every time a new host is found, a query to the dns is performed. Ettercap keeps a cache for already resolved hosts to increase the speed, but new hosts need a new query and the dns may take up to 2 or 3 seconds to respond for an unknown host.

HINT: ettercap collects the dns replies it sniffs in the resolution table, so even if you specify to not resolve the hostnames, some of them will be resolved because the reply was previously sniffed. Think about it as a passive dns resolution for free... ;)

-E, --ext-headers
  Print extended headers for every displayed packet. (e.g. mac addresses)

-Q, --superquiet
  Super quiet mode. Do not print users and passwords as they are collected. Only store them in the profiles. It can be useful to run ettercap in text only mode when you don’t want to be flooded with dissector messages. Useful when using plugins: because the sniffing process is always active, it will print all the collected infos; with this option you can suppress these messages.
  NOTE: this option automatically sets the -q option.

example:

ettercap -TzQP finger /192.168.0.1/22

LOGGING OPTIONS
-L, --log <LOGFILE>
  Log all the packets to binary files. These files can be parsed by etterlog(8) to extract human readable data. With this option, all packets sniffed by ettercap will be logged, together with all the passive info (host info + user & pass) it can collect. Given a LOGFILE, ettercap will create LOGFILE.ecp (for packets) and LOGFILE.eci (for the infos).

NOTE: if you specify this option on the command line you don’t have to take care of privileges since the log file is opened in the startup phase (with high privs). But if you enable the log option while ettercap is already started, you have to be in a directory where uid = 65535 or uid = EC_UID can write.

NOTE: the logfiles can be compressed with the deflate algorithm using the -c option.

-l, --log-info <LOGFILE>
  Very similar to -L but it logs only passive information + users and passwords for each host. The file will be named LOGFILE.eci

-m, --log-msg <LOGFILE>
  It stores in <LOGFILE> all the user messages printed by ettercap. This can be useful when you are using ettercap in daemon mode or if you want to track down all the messages. Indeed, some dissectors print messages but their information is not stored anywhere, so this is the only way to keep track of them.

-c, --compress
  Compress the logfile with the gzip algorithm while it is dumped. etterlog(8) is capable of handling both compressed and uncompressed log files.

-o, --only-local
  Stores profile information belonging only to the LAN hosts.

NOTE: this option is effective only against the profiles collected in memory. While logging to a file ALL the hosts are logged. If you want to split them, use the related etterlog(8) option.

-O, --only-remote
  Stores profile information belonging only to remote hosts.

STANDARD OPTIONS
-U, --update
  Connects to the ettercap website (ettercap.sf.net) and retrieves the latest databases used by ettercap.
  If you want only to check if an update is available, prepend the -z option. The order does matter: ettercap -zU

SECURITY NOTE: The updates are not signed, so an attacker may poison your DNS server and force the updateNG.php to feed ettercap with fake databases. This can harm your system since it can overwrite any file containing the string "Revision: ".

-v, --version
  Print the version and exit.

-h, --help
  Prints the help screen with a short summary of the available options.

EXAMPLES

Here are some examples of using ettercap.

ettercap -Tp
  Use the console interface and do not put the interface in promisc mode. You will see only your traffic.

ettercap -Tzq
  Use the console interface, do not ARP scan the net and be quiet. The packet content will not be displayed, but users and passwords, as well as other messages, will be displayed.

ettercap -T -j /tmp/victims -M arp /10.0.0.1-7/ /10.0.0.10-20/
  Will load the hosts list from /tmp/victims and perform an ARP poisoning attack against the two targets. The list will be joined with the targets and the resulting list is used for ARP poisoning.

ettercap -T -M arp // //
  Perform the ARP poisoning attack against all the hosts in the LAN. BE CAREFUL !!

ettercap -T -M arp:remote /192.168.1.1/ /192.168.1.2-10/
  Perform the ARP poisoning against the gateway and the hosts in the lan between 2 and 10. The ’remote’ option is needed to be able to sniff the remote traffic the hosts make through the gateway.

ettercap -Tzq //110
  Sniff only the pop3 protocol from every host.

ettercap -Tzq /10.0.0.1/21,22,23
  Sniff telnet, ftp and ssh connections to 10.0.0.1.

ettercap -P list
  Prints the list of all available plugins
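To make the TARGET expressions in these examples concrete, here is a matcher written for this page (an added example, not ettercap's own parser). It handles the forms the man page uses for a build without IPv6: the MAC/IPs/PORTs layout, an empty field meaning "any" (so "// //" selects every host, hence the BE CAREFUL above), per-octet lists and ranges such as 10.0.0.1-7 or 192.168.0.1-30,40,50, port lists such as 21,22,23, and the -R (--reversed) inversion. The MAC, IP and port values in the demo are made up.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional, Set


def _expand_field(field: str, lo: int, hi: int) -> Set[int]:
    """'1-30,40,50' -> {1..30, 40, 50}; every value is checked against lo..hi."""
    values = set()
    for item in field.split(","):
        a, _, b = item.partition("-")
        start = int(a)
        end = int(b) if b else start
        if not lo <= start <= end <= hi:
            raise ValueError(f"value out of range: {item!r}")
        values.update(range(start, end + 1))
    return values


@dataclass
class Target:
    """One TARGET as MAC/IPs/PORTs. A field left empty on the command line
    is stored as None and matches anything."""
    macs: Optional[Set[str]]
    ips: Optional[Set[str]]
    ports: Optional[Set[int]]

    @classmethod
    def parse(cls, spec: str) -> "Target":
        parts = spec.split("/")
        if len(parts) != 3:
            raise ValueError(f"expected MAC/IPs/PORTs, got {spec!r}")
        mac, ips, ports = parts
        macs = {mac.lower()} if mac else None
        ipset = None
        if ips:
            octets = ips.split(".")
            if len(octets) != 4:
                raise ValueError(f"bad IPv4 spec {ips!r}")
            # each octet may carry its own list/range, e.g. 192.168.0.1-30,40,50
            ranges = [_expand_field(o, 0, 255) for o in octets]
            ipset = {".".join(map(str, combo)) for combo in product(*ranges)}
        portset = _expand_field(ports, 0, 65535) if ports else None
        return cls(macs, ipset, portset)

    def matches(self, mac: str, ip: str, port: int, reversed_: bool = False) -> bool:
        """True when the endpoint (mac, ip, port) falls inside the target,
        or outside it when reversed_ models the -R option."""
        hit = ((self.macs is None or mac.lower() in self.macs)
               and (self.ips is None or ip in self.ips)
               and (self.ports is None or port in self.ports))
        return hit != reversed_


if __name__ == "__main__":
    # constructed endpoint, checked against two of the specs used above
    endpoint = ("00:11:22:33:44:55", "10.0.0.3", 22)
    for spec in ("/10.0.0.1-7/", "//110", "/10.0.0.1/21,22,23", "//"):
        print(f"{spec:22} matches {endpoint}: {Target.parse(spec).matches(*endpoint)}")
```

Because each field is expanded to a set once, matching a packet is three set lookups, which is how a filter like this stays cheap at capture rates; it also shows why a range such as /10.0.0.1-7/ is far safer to type than // when the command includes -M arp.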

AUTHORS

Alberto Ornaghi (ALoR) <alor@users.sf.net>
Marco Valleri (NaGA) <naga@antifork.org>

SEE ALSO

etter.conf(5) ettercap_curses(8) ettercap_plugins(8) etterlog(8) etterfilter(8)

AVAILABILITY

http://ettercap.sourceforge.net/download/

CVS

cvs -d:pserver:anonymous@cvs.ettercap.sf.net:/cvsroot/ettercap login 
cvs -d:pserver:anonymous@cvs.ettercap.sf.net:/cvsroot/ettercap co ettercap_ng

BUGS

Our software never has bugs. 
It just develops random features. ;)

KNOWN-BUGS

- ettercap doesn’t handle fragmented packets... only the first segment will be displayed by the sniffer. However all the fragments are correctly forwarded.

+ please send bug reports, patches or suggestions to <alor@users.sourceforge.net> or visit http://ettercap.sourceforge.net/forum/ and post them in the BUGS section.

+ to report a bug, follow the instructions in the README.BUGS file

PHILOLOGICAL HISTORY

"Even if blessed with a feeble intelligence, they are cruel and smart..." this is the description of Ettercap, a monster of the RPG Advanced Dungeons & Dragon.

The name "ettercap" was chosen because it has an assonance with "ethercap" which means "ethernet capture" (what ettercap actually does) and also because such monsters have a powerful poison... and you know, arp poisoning... ;)

The Lord Of The (Token)Ring

(the fellowship of the packet)

"One Ring to link them all, One Ring to ping them, 
one Ring to bring them all and in the darkness sniff them."

Last words

"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." - Rich Cook 

 


Copyright information:

The English original comes from the Linux man page; in bash you can type

man ettercap

to get the English version.

The formatted version used for this web page comes from https://www.irongeek.com/i.php?page=backtrack-3-man/ettercap

The Chinese version was translated by BaiduFanyi, then polished by hand with a few errors corrected.

posted @ 2019-04-27 16:08 by 二氢茉莉酮酸甲酯