Ettercap

Ettercap is a network sniffer/interceptor/logger for Ethernet LANs. It supports active and passive dissection of many protocols (even ciphered ones, like SSH and HTTPS). Data injection into an established connection and on-the-fly filtering are also possible while keeping the connection synchronized. Many sniffing modes are implemented, making it a powerful and complete sniffing suite. Plugins are supported. It can check whether you are on a switched LAN, and it can use OS fingerprinting (active or passive) to show you the geometry of the LAN.

Recent releases

  •  05 Dec 2011 07:50

    Release Notes: Many long-standing bugs were fixed: a resource depletion issue, buffer access out-of-bounds issues, DNS dissector not working on 64-bit systems, multiple buffer overflows, multiple memory leaks, multiple files with obsolete code, SEND L3 errors experienced by some users, and a compilation error under Mac OS X Lion. The build system was updated.

  •  29 May 2005 15:33

    Release Notes: Two new operators were added to the filter engine: INC (+=) and DEC (-=). The compilation of some plugins and an issue with the DHCP spoofing module against Windows clients were fixed. A serious security bug was eradicated from the curses GUI.

  •  21 Dec 2004 23:11

    Release Notes: The hosts scan can now be canceled by the user, and the netmask can be specified within the GUI. The checksum_check option was renamed to checksum_warning, and a new option to prevent the check was introduced. The dns_spoof plugin was greatly enhanced, and a new plugin was introduced. Many bugfixes were made, especially for the Windows port.

  •  20 Sep 2004 20:30

    Release Notes: An option to issue commands to the GUI (useful in scripts) and an option to show the list of NICs were added. The program compiles fine under Windows (mingw). A new plugin was developed and some minor bugs were fixed.

  •  05 Jul 2004 20:35

    Release Notes: A thread-safe strtok was implemented and the source code was prepared for a smooth mingw porting. Some bugs in the GTK interface and a problem compiling under older FreeBSD versions were fixed. This is a milestone release and can be considered stable enough to migrate from the 0.6.x series.

Recent comments

19 Apr 2002 09:10 WildThing

Re: MIM not possible against secure (ie most) SSL

Try to use ettercap with the etter.filter.ssh filter.
It tries to convince the client that the server only supports ssh v1 (if it supports both). So if you simply run ssh it will look up keys in known_hosts (not known_hosts2). If you always use ssh with v2 by default you don't have the right key in known_hosts, so no warning pops up but a simple "do you want to add..."

07 Apr 2002 04:52 alor

Re: MIM not possible against secure (ie most) SSL

> And I was wondering, will ssh sniffing
> work at all against public key
> authentication?

During public key auth (like in SSH2) the keys are not exchanged on the wire... so you cannot do a m-i-t-m attack against it. The server already has your REAL public key and will not start the session if it doesn't match.

06 Apr 2002 18:42 rcastell

Re: MIM not possible against secure (ie most) SSL

If you set up ssh right, it gives you a loud warning about man-in-the-middle attacks if the host's key fingerprint changes. If the user accepts anyway, the connection can be sniffed.
And I was wondering, will ssh sniffing work at all against public key authentication?

15 Dec 2001 08:41 alor

Re: MIM not possible against secure (ie most) SSL

> It will not work for
> browser connections because the browser
> itself checks the certificate for the
> site name (and to fool that you have to
> persuade Verisign or similar to sign a
> certificate that says, for example, that
> you are amazon.com - not likely).

or to persuade the user to accept the false certificate... here the social engineering is crucial, if the user is prompted with a false certificate that is *very* similar to its favourite CA, he will accept it... obviously the weakest link of the chain is always the user as in SSH man-in-the-middle.

bye

15 Dec 2001 06:30 BelindaWoods

MIM not possible against secure (ie most) SSL

Even with SSL support in the code, it is not possible to crack SSL encrypted links. To complete an SSL handshake you must know the secret key for the certificate that you supply. If Ettercap supplies the server's certificate to the client, it will not be able to complete the handshake. If it supplies its own certificate, the client will see that the certificate is not the one expected.

So the only hope this has of working is if certificates are not checked, which is only likely if people use ssh insecurely. It will not work for browser connections because the browser itself checks the certificate for the site name (and to fool that you have to persuade Verisign or similar to sign a certificate that says, for example, that you are amazon.com - not likely).

Given all that, aren't you misrepresenting the abilities of this tool?

[Apologies, I'm using an anon acct for obvious reasons]
