Topic: HOWTO: Ettercap tips and tricks

ettercap is a great tool that is included on S-T-D and many Knoppix variants. ettercap 0.7.3 has a nice GUI, but in order to try to make these tips usable across the widest range of versions, i will stick to Text mode. the S-T-D version is older, but newer versions of S-T-D will include newer versions of ettercap.

ettercap -T: this is the text mode interface; hit h and you will see commands. it is fairly interactive. for this first tip, here is how to use the remote_browser command. this will let a netscape-based browser (Firebird, Mozilla, Firefox, Netscape, and probably others) on the attacking machine silently follow the web pages that a victim machine visits.

on the attacking machine, FIRST start your browser. on my test system, the attacking machine was tried both using a local squid proxy (blocks ads, makes everything HTTP faster) and without it. here's the one-liner that does it all:

ettercap -T -Q -M arp:remote -i wlan0 /10.10.10.23/ // -P remote_browser

the -T starts it in text mode.
the -Q will make ettercap be superQuiet (not print raw packets in the terminal window).
the -M starts man in the middle mode, and the arp:remote is the type of poisoning, and remote is a parameter for MITM. these commands can be combined into one switch like -TQM but for clarity i put them separately.
the -i wlan0 specifies the network interface and is optional, if you have only one network interface it is probably not needed. in this case, i was on a laptop using a wifi connection to my AP. this works just as good as a wired connection, and takes no other preparation other than being properly associated with the access point. yours may be eth0, or whatever is specified in ifconfig.
the /10.10.10.23/ is the victim ip and // means 'the rest of the segment'. i tried it without the // in hopes that it wouldn't have to poison the whole segment, but it didn't seem to work. i know that using ettercap in other ways you can single out one machine without making a lot of noise on the network.
the -P remote_browser is the plugin to follow the victim browser.

NOTE: the victim IP must be in the same subnet as your PC.

start it up from a root terminal window with the command:

ettercap -T -Q -M arp:remote -i wlan0 /10.10.10.23/ // -P remote_browser

you will see some messages go by, about the version, the interface it is listening on along with your MAC, IP and subnet. after some information about ettercap's various dissectors and services, you will see the arp scan, "Scanning the whole netmask for 255 hosts".  this is definitely noisy to an IDS, and you probably should not be experimenting with this at work anyway, so wait till you get home or in your test lab...     ;^)

you will now see your browser follow along with the 10.10.10.23 browser. i tested both Dillo and Firefox .91 and 1.0.6 being followed on both Damn Small Linux and Fedora 4. this is not a 'windows trick', it works on basic TCP/IP communications. this will not work on an HTTPS/SSL page, although ettercap's other plugins can use HTTPS. sometimes i would just get a page of HTML. it was interesting to notice that when i trailed it to Slashdot it worked fine, but when i clicked a 'Read More' the trailing machine got hung up with a filename of '1x1 GIF', which is probably a web tracking bug.

when you are done, it is IMPORTANT to end ettercap properly with a q. this re-arps the victims, and restores the network to normal. be careful with ettercap: you have just potentially poisoned the ARP cache on 255 machines. if you just close the window, you may leave the network in a shambles, and IDS systems may easily point to your IP as a problem child.

have fun, and let us know of additions or corrections to this, it is by no means comprehensive.

Re: HOWTO: Ettercap tips and tricks

in the above example of using the remote_browser plugin, ettercap is much quieter on the network if we point it to only the victim IP and the gateway IP. assuming the victim is 10.10.10.23 and GW is 10.10.10.1

/10.10.10.23/ /10.10.10.1/

(there is a space between the two).  you probably know the IP of the gateway, but if you received your IP from DHCP, you can run the gateway discover plugin while ettercap is running in text mode. to run the plugin, just hit p and you will see a list of all the plugins. enter:

gw_discover

it will prompt you for a remote IP and a port. i wasn't clear what they meant by 'remote ip', so i kept trying different ways, and it appears to mean another IP that is on your LAN segment. i chose 10.10.10.9 and you can use any port, not just one that there is a service running on:

Plugin name (0 to quit): gw_discover
Activating gw_discover plugin...

Insert remote IP:PORT : 10.10.10.9:1000

Remote target is 10.10.10.9:1000...

Sending the SYN packet to 10.10.10.1      [00:04:5A:57:37:57]
Sending the SYN packet to 10.10.10.23     [00:02:2D:01:6F:2F]
[00:04:5A:57:37:57] 10.10.10.1 is probably a gateway for the LAN

if you don't know any other IP's, you can either guess or use our old friend nmap. nmap's ping sweep will tell you what systems are active on your segment, and won't raise too many alarms:

root@box:~# nmap -sP 10.10.10.*

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-11-19 14:46 CST
Host winme.inet (10.10.10.1) appears to be up.
MAC Address: 00:04:5A:57:37:57 (The Linksys Group)
Host 10.10.10.9 appears to be up.
MAC Address: 00:07:E9:0A:29:7B (Intel)
Host 10.10.10.10 appears to be up.
MAC Address: 00:13:10:62:B9:A2 (Cisco-Linksys)
Host 10.10.10.23 appears to be up.
MAC Address: 00:02:2D:01:6F:2F (Agere Systems)
Host 10.10.10.119 appears to be up.
Nmap finished: 256 IP addresses (5 hosts up) scanned in 5.974 seconds

here are five IPs on this segment of my LAN that are available. you should not use your own current IP, and don't use the IP that you are pointing remote_browser to. i am doing these tests on a wireless laptop, and by juggling the parameters a little bit, i can apparently also show my access point as a gateway.
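The first post notes that the "Scanning the whole netmask for 255 hosts" sweep is noisy to an IDS, and that the ARP poisoning (and the re-ARP when you quit with q) changes what MAC the gateway and victim appear to have; the reply above shows the same hosts in the nmap sweep. As an added example that is not from any post in this thread, here is a small Python monitor over constructed ARP events that flags both patterns from the defender's side. The IPs and MACs are copied from the thread's output; the timeline, the request/reply sequence and the assumption that the laptop (LAPTOP_MAC) is the host doing the sweeping are constructed.

```python
"""Defender-side ARP monitor (added example, not from the original posts).

Flags the two things the thread says an IDS notices: a host's IP answering
from a new MAC (ARP cache poisoning, and the re-ARP when ettercap is quit
with 'q') and one MAC requesting a whole /24 in a burst (the "Scanning the
whole netmask for 255 hosts" sweep). Input is a list of parsed ARP events;
SAMPLE below is constructed, with IPs/MACs copied from the thread.
"""
from collections import defaultdict, deque

GW_MAC, VICTIM_MAC = "00:04:5a:57:37:57", "00:02:2d:01:6f:2f"
LAPTOP_MAC = "00:07:e9:0a:29:7b"  # assumed to be the sweeping/poisoning host

# (seconds, op, sender_ip, sender_mac, target_ip): constructed timeline
SAMPLE = (
    [(0.0, "reply", "10.10.10.1", GW_MAC, "10.10.10.23"),
     (1.0, "reply", "10.10.10.23", VICTIM_MAC, "10.10.10.1")]
    # startup sweep: one MAC asks for every host on the /24 within seconds
    + [(2.0 + i * 0.01, "request", "10.10.10.9", LAPTOP_MAC, f"10.10.10.{i}")
       for i in range(1, 256)]
    # poisoning: the laptop's MAC now answers for both gateway and victim IP
    + [(10.0, "reply", "10.10.10.1", LAPTOP_MAC, "10.10.10.23"),
       (10.1, "reply", "10.10.10.23", LAPTOP_MAC, "10.10.10.1"),
       # quitting with 'q' re-ARPs: the real gateway MAC comes back
       (20.0, "reply", "10.10.10.1", GW_MAC, "10.10.10.23")]
)


def detect(events, scan_window=5.0, scan_threshold=50):
    """Return (ip->mac bindings, alerts). Alerts are tuples:
    ("mac_change", ip, old_mac, new_mac) or ("arp_scan", mac, n_targets)."""
    bindings, alerts, scanners = {}, [], set()
    recent = defaultdict(deque)  # sender_mac -> (time, target_ip) in window
    for t, op, sip, smac, tip in events:
        smac = smac.lower()
        # learn sender bindings from requests and replies alike
        old = bindings.get(sip)
        if old is not None and old != smac:
            alerts.append(("mac_change", sip, old, smac))
        bindings[sip] = smac
        if op != "request":
            continue
        q = recent[smac]
        q.append((t, tip))
        while q and t - q[0][0] > scan_window:  # drop requests outside window
            q.popleft()
        targets = {ip for _, ip in q}
        if len(targets) >= scan_threshold and smac not in scanners:
            scanners.add(smac)  # report each sweeping MAC once
            alerts.append(("arp_scan", smac, len(targets)))
    return bindings, alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE)[1]:
        print(alert)
```

The gateway IP flaps to the laptop's MAC and back again, which is exactly the poison/re-ARP pair the first post describes; a real deployment would feed it ARP frames from a capture instead of SAMPLE.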

Re: HOWTO: Ettercap tips and tricks

very nice!

look over the board and knoppix.net's board and faq and google search before posting :)

http://www.faqs.org/rfcs/rfc1392.html

Re: HOWTO: Ettercap tips and tricks

thanks corwin, it's really just the basics, but i have been spending time re-re-learning these things. i forgot to mention in above posts that the plugin of

chk_poison

must show success. i have tested on a dual NIC server, and it seems to work often when i point it to the outside NIC. sometimes it does not work, and i will continue to learn on that one.

Re: HOWTO: Ettercap tips and tricks

Great tutorial. Very good stuff.
I didn't know you could do the web browser stuff from within ettercap. I had always selected (in the ncurses interface) the router IP and the victim IP, pressed "a" for arp-poisoning, then started webspy and opened the now defunct firebird. Pretty cool. I have just installed the new version of ettercap on my ubuntu box and will try it out soon.

Re: HOWTO: Ettercap tips and tricks

I found that I have to start Mozilla from a terminal window, or ettercap doesn't see it as "an open window", and fails to track with the remote computer.

Re: HOWTO: Ettercap tips and tricks

Gralfus, this could be that you are running mozilla (or firefox) as a different user than the user you are running ettercap under.

Example:

- You run your browser by clicking on an icon as the user 'gralfus'
- You run ettercap from the command line after su to 'root'

This will cause the behavior you describe.

Re: HOWTO: Ettercap tips and tricks

Ok... so I'm a few months behind the last post - but I'm having trouble with the commands here... I have googled this and can't seem to find much - and I searched the forum and skimmed through most posts regarding ettercap. I've just started out with S-T-D - though I have used knoppix in the past - and I'm familiar with the GUI of ettercap, though the commandline intrigues me.

So here's my problem:

I enter the command suggested in the first post (modifying it for my lan accordingly)  " ettercap -TQM arp:remote -i eth0 /192.168.2.5/ // -p remote_browser"

And I get an error saying

Invalid host address /192.168.2.5/!

So I read the man page - and decided to try adding -H to it and specify an ip range that my router and my windows box are both in.

" ettercap -H 192.168.2.0-10 -TQM arp:remote -i eth0 /192.168.2.5/ // -p remote_browser"

so it scans for the hosts in that range... then a moment later , same error

Invalid host address /192.168.2.5/!

Any ideas or suggestions would be helpful. Thank you for your time - it's greatly appreciated.

Re: HOWTO: Ettercap tips and tricks

hi theChittle,

it's been over a year since i posted that, but it should still work.

192.168.2.5=the IP of the machine that you are snooping on

is 192.168.2.5 an existing address on your network?

10 (edited by thechittle 14-02-2007 17:27:06)

Re: HOWTO: Ettercap tips and tricks

Hello there Picoshark

it is... I have no problems pinging it (192.168.2.5 - a windows server 2003 box with just AD, DNS and SQL) or the router (192.168.2.1 -  a half decent home router)

See... If I start it by just typing ettercap at the prompt... it scans for hosts... then gives me the txt based (for lack of a better term, "gui" but it's no gui lol) - I got as far as selecting my target (192.168.2.5 was listed) and my gateway (192.168.2.1 was listed), spoofing and now I'm reading the traffic with great success - however I press "p" and it tells me it couldn't find any plugins... am I missing something here? Do I need to install the plugins myself each time I boot the cd?

Thanks again.

Re: HOWTO: Ettercap tips and tricks

I just figured out that there's a comprehensive readme file in the rtfm directory! Great! - I'll give that a read next time I have a chance - I'm sure I'll have a more thorough understanding of ettercap afterwards - hopefully enough to figure out what's going on...

Re: HOWTO: Ettercap tips and tricks

i think what you are seeing is the Ncurses interface. the p keystroke was perhaps only correct if you started it in text mode with the -T switch. look through the readme and figure out how to use the Ncurses interface/menu system. later versions of ettercap have a nice GTK gui, but the Ncurses interface is very good also.

Re: HOWTO: Ettercap tips and tricks

Ncurses interface... i like it a lot - in fact I like it way better than the GTK gui... much more configurable and straight forward (though... I can't really compare the two - two different levels of knowledge and skill when I tried both).

I can't seem to find any of the plugins for ettercap anywhere on the cd - are they zipped and I need to install them or what? or do I need to download them and install them?

Thanks

Re: HOWTO: Ettercap tips and tricks

i think that the version of Ettercap on the CD has plugins. i won't be able to check until tomorrow evening, probably. there is a lot of information on Ettercap's forum. read/search a lot there before posting, they (like many) get tired of answering the same n00b/RTFM questions.

Irongeek has some excellent ettercap tutorials as well, search for him.

Re: HOWTO: Ettercap tips and tricks

I assumed it would...

Not sure why  - but I never thought to look on Ettercap's forum! Thanks a bunch.

Well... I think everyone gets annoyed by people who won't put any effort into searching for an answer - "my time is worth more than yours" mentality. I know from experience that I have no problem helping someone who has already tried helping themselves.

Thanks for your time - I'm off to search the Ettercap forum.

16 (edited by thechittle 16-02-2007 17:30:59)

Re: HOWTO: Ettercap tips and tricks

Their forum, in terms of organization and keeping people and their posts in line... is brutal. Browsing through this forum is headache-free - it's organized and you guys seem to make clean cuts to people who are asking questions that do not pertain to S-T-D tools.

So I booted up Knoppix 5.1 - and with a little bit of playing around (had to add remote_browser = "mozilla -remote openurl(http://%host%url)" to etter.conf) I got it working quite nicely. It's really not as great as I thought it'd be - doesn't run any script sites (like Wiki or even Google search) - I thought it'd almost act like a "client mirror" - sending all the information it sniffs to the browser - but it seems to almost just filter out the DNS queries and display those with limitations...

Knoppix 5.1 is also running the latest version of Ettercap... and it seems the Ncurses interface on that one is quite different from the one on the S-T-D CD.

Thanks again Picoshark

Re: HOWTO: Ettercap tips and tricks

ettercap is an amazing program, and i have only scratched the surface of it. to me, the Ncurses interface is very nice, but since there are so many options sometimes the text interface is a good way to definitely know what you are telling it.

remember that newer versions of ettercap have a special log format, and you need to use the program etterlog to read them. etterlog has its own manpage, so look through that.

the ettercap forum has some great info, and there's some very detailed tutorials. there's also lots of people re-re-asking things that are explained in the FAQ, and anyone maintaining a forum gets tired of a bad signal/noise ratio.

Re: HOWTO: Ettercap tips and tricks

Although I do like the Ncurses interface - I ended up getting it to work through text mode.

I've heard of etterlog but haven't touched it yet. There's another one - etterfilter that I'd like to try out. I started playing with Nessus today - started with reading the man page, Nessus and Nmap are my next two programs to play with for a while. I find that I'm interested in a lot - but it takes a lot of time to become proficient in one application... never mind a whole suite of them. I guess that would be why experience is valued so much in this field.

I am enjoying this forum because of the great information and how well it is maintained. It's rare that I even sign up for a forum and actually post things

Re: HOWTO: Ettercap tips and tricks

another fun one to experiment with is driftnet. it won't work across a switch like ettercap can, but is entertaining to display all the images on your network segment/hub. in a work environment, sometimes putting a box up with driftnet for all to see can be a good deterrent to non work-related surfing.

ettercap can flatten a switch for rebroadcast, but you may need large I/O if there are many clients on the switch.

Re: HOWTO: Ettercap tips and tricks

That's interesting ... I wonder if you could use ettercap to arp spoof the network - then run driftnet? I've used ettercap to spoof the network and then used wireshark/ethereal to sniff at the same time with great success in the past.

Re: HOWTO: Ettercap tips and tricks

certainly can, i usually use some of the dsniff tools along with it..


22 (edited by Colin 15-11-2007 04:49:15)

Re: HOWTO: Ettercap tips and tricks

I'm having the same problem Gralfus mentions above. I have verified that firefox (2.0.0.9) is running as the same user as ettercap (root for both). I am running ettercap NG-0.7.3.

ettercap was launched using: "ettercap -TQM arp:remote -i eth0 /131.107.16.134/ /131.107.16.44/ -P remote_browser" where 131.107.16.134 is the PC being tracked and 131.107.16.44 is the gateway.

I see the captured URLs in the ettercap terminal window.  Each URL captured is in the format: REMOTE COMMAND: mozilla -remote openurl (<captured URL listed here>).

Attempting to launch mozilla from a terminal window (by typing 'mozilla') produces an error so I tried two different things:
1 - alias mozilla='firefox'.  While this does cause firefox to launch when I type 'mozilla' it does not change the lack of tracking in ettercap.
2 - I tried editing line 143 of the etter.conf.  I changed it from "remote_browser = "mozilla - remote openurl(http://%host%url)"" to  "remote_browser = "firefox - remote openurl(http://%host%url)"".

Attempt #2 caused the following error once I restarted ettercap:
(firefox-bin:5476): Gtk-WARNING **: cannot open display:
Xlib: connection to ":0:0" refused by server
Xlib: No protocol specified

(firefox-bin:5488): Gtk-WARNING **: cannot open display:

I'll be grateful for any insight or a suggestion on a way to get this working.

Thanks.


subcoder wrote:

Gralfus, this could be that you are running mozilla (or firefox) as a different user than the user you are running ettercap under.

Example:

- You run your browser by clicking on an icon as the user 'gralfus'
- You run ettercap from the command line after su to 'root'

This will cause the behavior you describe.

Re: HOWTO: Ettercap tips and tricks

Hey guys I am running ettercap on my new BT5, I am new to security and I am really interested. I am studying a degree in computers but it doesn't touch on network security.

When I run:

ettercap -T -Q -M arp:remote -i wlan0 /192.168.1.11/ /192.168.1.1/ -P remote_browser

[.11] being target computer (my other computer) and [.1] being the router

When I run the above command it just sits on: Activating remote_browser plugin...

I then go onto the other computer [.11] and generate some http traffic (going to google etc) and still no joy.
When I quit ettercap I get the following errors:

iptables v1.4.4: can't initialize iptables table `nat': Permission denied (you must be root)

Am I missing something? (I am root btw)

Thanks

24 (edited by merc 28-06-2011 10:06:42)

Re: HOWTO: Ettercap tips and tricks

## ALTERNATE etter.conf fix for remote_browser plugin ##

I had a problem getting the remote_browser plugin to work on OSX 10.4.11 using firefox 3.6.18 with ettercap-ng 0.7.3

Ettercap would execute fine, but the browser did not follow.

I tried changing the remote_browser line in the etter.conf from mozilla to firefox, but that didn't help.

In the end I changed the following line in etter.conf     #located in /usr/local/etc/

from:
remote_browser = "mozilla -remote openurl(http://%host%url)"

to:
remote_browser = "open -a /Applications/Firefox.app http://%host%url"

I didn't find this solution anywhere on the net, and it took me a while to figure this out,
but a lot of people seem to be having this same problem; if you are, I hope this fix works for you too.

The only other change I made to etter.conf was changing the [privs] to:
ec_uid = 0
ec_gid = 0

Re: HOWTO: Ettercap tips and tricks

Thanks, It's interesting but also sometimes scary, especially since these things are starting to show up in bathrooms in nightclubs and bars. You can't go anywhere without some type of stimulus coming at you, but it's effective. but it is a very important topic for us.