ettercap
Man-in-the-middle attack and network sniffing
SYNOPSIS
ettercap [OPTIONS] [TARGET1] [TARGET2]
Common usage examples:
ettercap -G (Starts the GUI mode)
ettercap -T -M arp:remote // // (Starts text mode, ARP poisons all hosts on the LAN)
ettercap -T -M arp:remote /192.168.1.10/ /192.168.1.1/ (ARP poisons a specific target and gateway)
ettercap -T -i eth0 -P dns_spoof (Starts text mode on eth0 and loads the dns_spoof plugin)
PARAMETERS
-G
Starts ettercap in graphical (GTK+) mode.
-T
Starts ettercap in text-only mode (console mode).
-C
Starts ettercap in curses-based GUI mode (legacy terminal GUI).
-Q
Quiet mode. Suppresses informational messages.
-i
Specifies the network interface to use. If not specified, ettercap tries to find the default interface.
-f
Sniffs packets from a PCAP file instead of a live interface.
-r
Reads a previously saved PCAP file to re-dissect data.
-w
Writes all captured packets to a PCAP file.
-p
Disables promiscuous mode. Only packets destined for the host will be captured.
-M
Specifies the MITM attack method. Common methods include arp:remote (ARP poisoning), dhcp:discover, icmp6:router, etc.
-P
Loads a plugin. Multiple plugins can be loaded (e.g., dns_spoof, fraggle, strip_ssl).
-L
Logs all captured packets to the specified file, similar to Wireshark/tcpdump.
-D
Daemonizes ettercap, running it in the background.
-u
Drops privileges to the specified user after initialization (usually after binding to ports).
-z
Does not flush data to disk. Useful for debugging.
-v
Increases verbosity level for debugging.
-V
Displays the version information and exits.
-h
Displays the help message and exits.
DESCRIPTION
ettercap is a powerful suite for Man-in-the-Middle (MITM) attacks on LANs. It features sniffing of live connections, content filtering on the fly, and many other active and passive network audit capabilities. It supports active and passive dissection of many protocols and includes features for network host analysis.
The tool offers two main user interfaces: a graphical user interface (GUI) and a text-based console interface, allowing flexibility in usage. It's widely used by network security professionals and penetration testers to simulate real-world attacks, identify vulnerabilities, and audit network configurations. Its capabilities include ARP poisoning, DNS spoofing, passive OS fingerprinting, sniffing passwords, and injecting custom data into network connections.
CAVEATS
Using ettercap often requires root privileges for network interface manipulation and raw socket operations. Improper use can lead to network disruptions, performance degradation, or even complete network outages. It is a powerful tool capable of intercepting sensitive data, and its use should always be ethical, legal, and with explicit permission from network owners. Many Intrusion Detection/Prevention Systems (IDS/IPS) can detect common MITM attacks like ARP poisoning, potentially alerting administrators.
MITM METHODS
ettercap supports various MITM methods. The most common is ARP poisoning (e.g., -M arp:remote), which manipulates the ARP tables of target hosts to redirect traffic through the attacker's machine. Other methods include DNS spoofing (often with the dns_spoof plugin), DHCP spoofing, and ICMP redirection, allowing attackers to control or intercept different types of network traffic.
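The ARP-table manipulation described above leaves a signature an IDS can look for: one IP address suddenly answering with a different MAC, and one MAC claiming several IPs at once (the pattern of -M arp:remote run against both a host and its gateway). The following detector is an added example, not part of ettercap or its documentation; it runs over a constructed list of ARP reply records with hypothetical addresses and reports both signatures.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of ARP "is-at" replies as a LAN monitor would record them.
# Hypothetical values, not captured traffic. Format: (timestamp, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),  # gateway, legitimate
    (1.5, "192.168.1.10", "aa:bb:cc:00:00:10"),  # host, legitimate
    (2.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),  # repeat of the known mapping, benign
    (3.0, "192.168.1.1",  "de:ad:be:ef:00:99"),  # gateway IP now claimed by a different MAC
    (3.1, "192.168.1.10", "de:ad:be:ef:00:99"),  # same MAC also claims the host IP
    (3.5, "192.168.1.20", "aa:bb:cc:00:00:20"),  # new host, first time seen
]


@dataclass
class Alert:
    ip: str        # IP whose mapping changed
    old_mac: str   # MAC previously learned or trusted for that IP
    new_mac: str   # MAC now claiming the IP
    ts: float      # timestamp of the conflicting reply


def detect_arp_poisoning(replies, trusted=None):
    """Return (alerts, suspect_macs).

    alerts        -- one Alert per reply that contradicts the IP->MAC mapping
                     already learned (or supplied as a static 'trusted' table).
    suspect_macs  -- MACs that claimed more than one IP, which is what a single
                     poisoning host impersonating both a target and the gateway
                     looks like from the wire.
    """
    table = dict(trusted or {})   # IP -> MAC, first-seen or statically trusted
    claims = defaultdict(set)     # MAC -> set of IPs it has answered for
    alerts = []
    for ts, ip, mac in replies:
        claims[mac].add(ip)
        known = table.get(ip)
        if known is None:
            table[ip] = mac       # learn the mapping on first sight
        elif known != mac:
            alerts.append(Alert(ip, known, mac, ts))
    suspects = {mac for mac, ips in claims.items() if len(ips) > 1}
    return alerts, suspects


if __name__ == "__main__":
    found, suspects = detect_arp_poisoning(SAMPLE_ARP_REPLIES)
    for a in found:
        print(f"t={a.ts}: {a.ip} moved from {a.old_mac} to {a.new_mac}")
    print("MACs claiming multiple IPs:", sorted(suspects))
```

Seeding the trusted table with the gateway's static MAC (the second argument) catches a poisoned reply even when it is the first one the monitor sees for that IP.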
PLUGINS
One of ettercap's key strengths is its extensibility via plugins. These are small modules that extend ettercap's functionality, allowing for specialized tasks like filtering SSL connections (strip_ssl), injecting content (inject), performing Denial of Service (DoS) attacks (fraggle), or even actively fingerprinting operating systems and open ports. Plugins significantly enhance the tool's versatility for both offensive and defensive network security tasks.
HISTORY
ettercap was originally developed by Alberto Ornaghi (ALoR) and Marco Valleri (NaGA), with initial releases around 2001. It quickly gained popularity as one of the first comprehensive and user-friendly tools for Man-in-the-Middle attacks and network sniffing. Written primarily in C, its modular design, particularly through its plugin system, allowed for extensibility and adaptation to various network attack scenarios. Over the years, it has been maintained and updated by the community, remaining a staple in network security auditing toolkits.